Supply-chain attack compendium
278 attacks, in one place.
Cases where an official project or vendor distribution point shipped malicious code — package registries, signed installers, hijacked release tooling. Filter by ecosystem, vector, or insertion point; jump by year.
Chart: average dwell time per year (days, log scale)
Initial vector
- Distribution: 98 (35%)
- Package registry: 98 (35%)
- Revision control: 52 (19%)
- Other: 15 (5%)
- Build/CI: 14 (5%)
- Dependency graph: 1 (0%)
Payload insertion phase
- Distribution: 211 (76%)
- Source: 27 (10%)
- CI/CD: 21 (8%)
- Dependency: 10 (4%)
- Manufacturing: 7 (3%)
- Runtime: 1 (0%)
- Update: 1 (0%)
2026
laravel-lang Packagist packages re-tagged from a compromised org credential
Between 2026-05-22 22:32 UTC and 2026-05-23 00:00 UTC an attacker with push access to the Laravel-Lang organization rewrote every tag in lang, attributes, actions, and http-statuses to commits that eager-loaded src/helpers.php through composer's autoload. The dropper fetched a PHP stage 2 from flipboxstudio.info, which executed an ELF binary and exfiltrated runner environment data to the same host.
Megalodon mass-backdoored GitHub CI workflows
Between 11:36 and 17:48 UTC on 2026-05-18 an unidentified actor pushed 5,718 commits across 5,561 GitHub repositories, dropping a base64-encoded bash payload into a .github/workflows file and exfiltrating CI credentials to 216.126.225.129:8443.
node-ipc npm account shipped credential stealer
Three malicious node-ipc npm releases were published on 2026-05-14 after the dormant `atiertant` co-maintainer account was recovered via an expired email domain. The obfuscated payload harvested developer, cloud, SSH, and CI/CD secrets and exfiltrated them over DNS TXT queries.
Shai-Hulud hits npm and PyPI
Shai-Hulud: Here We Go Again was a May 2026 TeamPCP campaign affecting roughly 169 to 170+ npm package names, plus 2 PyPI packages, with combined reported download volume above 200 million per week.
bfunky/http-parser Packagist package backdoored with host stealer
An attacker pushed an Analytics.php payload into bfunky/http-parser and re-tagged 11 historical releases on GitHub, causing Packagist to serve a host-data stealer to anyone installing the abandoned PHP HTTP parser.
TeamPCP backdoored the Cemu 2.6 Linux release assets
TeamPCP used a compromised co-author account to replace the Linux release assets of Cemu 2.6 on GitHub with builds that ran a Python credential stealer at startup. The swap stood for five days and produced about 21,000 downloads.
JDownloader CMS served trojanized installer
Attackers changed selected JDownloader website links to malicious third-party files. The real installers and RSA-signed in-app updater were not modified.
Lightning PyPI wheel shipped Shai-Hulud stealer
lightning 2.6.2 and 2.6.3 bundled a hidden _runtime directory. Importing the package launched a Bun-backed JavaScript stealer tied to Mini Shai-Hulud.
Intercom PHP SDK hit by Mini Shai-Hulud
The Mini Shai-Hulud campaign expanded into the PHP ecosystem by compromising the official intercom/intercom-php package on Packagist. Attackers compromised a maintainer account to overwrite existing legitimate versions.
Intercom Node SDK hit by Mini Shai-Hulud
The Mini Shai-Hulud/TeamPCP campaign compromised the official intercom-client package on npm.
SAP CAP packages hit by Mini Shai-Hulud
Mini Shai-Hulud compromised SAP ecosystem npm packages mbt, @cap-js/sqlite, @cap-js/postgres, and @cap-js/db-service through two release paths: a stolen static npm token for mbt and an abused GitHub Actions OIDC publishing flow for cap-js/cds-dbs.
elementary-data PyPI and GHCR releases forged
An attacker exploited a GitHub Actions script-injection flaw in elementary-data's issue-update workflow to forge release state, tag v0.23.3 at an orphan commit, and dispatch the legitimate release pipeline.
Xinference PyPI release stole credentials
TeamPCP compromised three consecutive xinference PyPI releases, 2.6.0 through 2.6.2, by adding an import-time two-stage Python credential stealer to xinference/__init__.py.
Bitwarden CLI hit by Shai-Hulud
The official Bitwarden CLI npm package (@bitwarden/cli) version 2026.4.0 was compromised during the broader Checkmarx/TeamPCP supply-chain campaign after attackers abused a GitHub Actions path in Bitwarden's CI/CD pipeline.
pgserve npm CanisterSprawl credential stealer
On April 21, 2026, malicious pgserve npm versions 1.1.11, 1.1.12, and 1.1.13 added a postinstall loader that harvested developer and CI secrets, encrypted them with RSA-4096 and AES-256, and exfiltrated to an Internet Computer Protocol canister.
CPUID installers delivered STX RAT
CPUID's official download flow redirected HWMonitor and CPU-Z users to attacker infrastructure. Trojanized HWMonitor 1.63 sideloaded cryptbase.dll and unpacked STX RAT.
DAEMON Tools installer delivered QUIC RAT
Official signed DAEMON Tools Lite installers were trojanized from April 2026. The backdoor profiled machines, then selectively delivered a minimal backdoor and QUIC RAT.
VeloraDEX SDK installed macOS backdoor
@velora-dex/sdk 9.4.1 was published directly to npm with no matching source commit. Importing it fetched a macOS backdoor and registered launchctl persistence.
Axios npm account shipped RAT
A compromised axios maintainer account published malicious npm versions 1.14.1 and 0.30.4 on March 31, 2026. Both releases injected plain-crypto-js 4.2.1, whose install path delivered a multi-platform RAT and exposed machines that installed the brief releases.
Telnyx PyPI release hid WAV stealer
TeamPCP compromised Telnyx Python SDK releases 4.87.1 and 4.87.2 by adding import-time malware to the PyPI artifacts.
IoliteLabs Solidity extensions shipped backdoor
A dormant IoliteLabs Visual Studio Marketplace publisher account was used to update three Solidity extensions to version 0.1.8 after nearly eight years of inactivity, with no matching source repository commits.
LiteLLM PyPI release stole credentials
TeamPCP compromised LiteLLM PyPI releases 1.82.7 and 1.82.8 with a credential-stealing payload that evolved from a proxy-module trigger to a wheel-level .pth file executed by Python at interpreter startup.
Checkmarx vs TeamPCP
TeamPCP repeatedly compromised Checkmarx-controlled developer tooling in 2026, including GitHub Actions, OpenVSX extensions, Docker images, VS Code extensions, and the Jenkins AST Scanner plugin.
OpenGov form builder carried CanisterWorm
@opengov/form-builder 0.12.3 added a postinstall backdoor during TeamPCP's CanisterWorm campaign. The worm used npm tokens stolen through the second Trivy compromise.
Trivy release actions shipped malware
After incomplete containment of the February Trivy takeover, compromised credentials were used to publish malicious Trivy v0.69.4 artifacts, force-push most trivy-action version tags, and replace setup-trivy tags with credential-stealing commits.
BuddyBoss updates backdoored WordPress sites
Attackers used stolen BuddyBoss infrastructure secrets to publish backdoored Platform and Theme updates through the trusted Caseproof update path. Hundreds of WordPress sites exposed credentials, databases, and payment keys.
bittensor-wallet package stole private keys
A registry-only malicious release of bittensor-wallet 4.0.2 was uploaded to PyPI and later yanked. The backdoor was compiled into the Rust wallet code so wallet decryption paths exposed coldkey and hotkey material directly to the payload.
ForceMemo force-pushed Python malware
ForceMemo was a GitHub account-takeover campaign that force-pushed similar malware into hundreds of Python repositories across Django apps, ML research, Streamlit dashboards, Flask APIs, and projects installed directly from GitHub.
kubernetes-el workflow poisoned its repo
A Pwn Request flaw let attacker-controlled PR code run with kubernetes-el repository privileges. The stolen token defaced the repo and replaced kubernetes.el with a destructive shell command.
Apifox CDN script stole developer secrets
A compromised Apifox CDN analytics script ran inside the Electron desktop client. The injected JavaScript stole tokens, developer credentials, and system data, then fetched remote payloads for command execution.
Xygeni v5 tag pointed at C2 backdoor
Compromised Xygeni maintainer and GitHub App credentials moved the mutable v5 tag to a backdoored commit. Workflows pinned to xygeni-action@v5 received a C2 reverse shell.
Glassworm hid credential theft in Unicode
The March 2026 Glassworm wave used invisible PUA Unicode, Solana dead drops, staged loaders, and compromised official repositories to hide credential theft inside JavaScript packages, VS Code extensions, and GitHub source trees.
Trivy repository takeover installed hackerbot-claw
The hackerbot-claw account exploited a pull_request_target workflow in aquasecurity/trivy to run untrusted fork code with repository privileges.
Cline CLI installed openclaw
An unauthorized party used an exposed npm publish token to publish cline@2.3.0. The release was byte-identical to cline@2.2.3 except for a postinstall script that ran npm install -g openclaw@latest.
eScan antivirus updates delivered GuptiMiner
Attackers used eScan's legitimate update infrastructure to ship a trojanized Reload.exe. The payload disabled updates, planted persistence, and contacted C2 infrastructure.
2025
EmEditor download button served malware
EmEditor's official Download Now path was altered in December 2025. The redirected MSI installed EmEditor while launching PowerShell stages for credential theft and profiling.
Sha1-Hulud worm spread across npm packages
Sha1-Hulud "Second Coming" was a broad npm worm wave that compromised hundreds of packages beyond the separately tracked Zapier and ENS ecosystems, including major scoped groups such as @asyncapi, @posthog, @postman, @voiceflow, and @browserbasehq.
Shai-Hulud npm worm stole developer secrets
The September 2025 Shai-Hulud npm worm campaign compromised official npm packages and used install-time JavaScript to steal developer and cloud credentials, publish secrets into attacker-controlled GitHub repositories, and attempt self-propagation through stolen npm tokens.
Qix phishing shipped wallet drainers
The Qix npm phishing campaign began with a fake npmjs.help login flow and poisoned at least 18 heavily depended-on JavaScript packages on September 8, 2025. Follow-on reporting tied the same wave to DuckDB, Prebid, proto-tinker-wc, and @coveops/abi.
Nx packages shipped s1ngularity credential stealer
The s1ngularity incident began with a vulnerable Nx GitHub Actions workflow that combined pull_request_target privileges with shell injection in pull-request metadata. The attacker used it to publish malicious nx, @nrwl/nx, and @nx package versions.
Essential Plugin WordPress.org portfolio backdoor
After the Essential Plugin, formerly WP Online Support, portfolio was sold on Flippa, the new owner gained WordPress.org commit access and planted a dormant PHP backdoor across the plugin family.
num2words maintainer phishing shipped malware
A pypj.org phishing page stole PyPI credentials and led to malicious num2words releases. Versions 0.5.15 and 0.5.16 appeared on PyPI without matching upstream GitHub releases.
Amazon Q extension prompt injection
A threat actor used an overbroad GitHub token in AWS CodeBuild to commit malicious prompt-injection code into Amazon Q Developer for VS Code 1.84.0. The code shipped through the official extension release, but a syntax error prevented execution.
npnjs.com phishing backdoored npm packages
The npnjs.com campaign used a lookalike npm login domain to phish maintainers and publish malicious releases across JavaScript tooling packages in July 2025.
gluestack-ui packages shipped malware
A leaked npm token let attackers publish 17 malicious React Native ARIA and gluestack-ui packages. The code carried obfuscated RAT behavior but was contained quickly.
Notepad++ updater delivered backdoors
A hosting-provider compromise let attackers selectively redirect Notepad++ update traffic in 2025. Victims received malicious update.exe chains that led to Cobalt Strike and custom backdoors.
RVTools installers carried Bumblebee
RVTools reporting split between official-site compromise and lookalike-domain delivery. The trojanized installer sideloaded version.dll to launch Bumblebee.
rand-user-agent carried RAT
rand-user-agent 1.0.110, 2.0.83, and 2.0.84 carried obfuscated RAT code. The payload connected to attacker C2 and exposed shell and file-upload commands.
xrpl.js npm package stole wallet seeds
Five malicious versions of the official Ripple JavaScript SDK were published to npm starting 2025-04-21 at 20:53 UTC by user `mukulljangid` after a maintainer credential compromise.
ViPNet updates mimicked to deploy backdoor
Targeted LZH archives imitated ViPNet security-network updates for Russian organizations in government, finance, and industry.
reviewdog and tj-actions leaked CI secrets
The March 2025 GitHub Actions campaign chained a leaked SpotBugs maintainer PAT into reviewdog/action-setup, then into tj-actions/changed-files.
DogWifTools Windows releases drained wallets
An attacker used an exposed GitHub token to replace DogWifTools Windows releases with RAT-laced builds. Versions 1.6.3 through 1.6.6 stole wallet material and drained Solana users.
2024
Kong Ingress image shipped cryptominer
An attacker used a pull_request_target workflow weakness on an old Kong Ingress Controller branch to steal CI secrets and publish an unauthorized DockerHub image for version 3.4.0.
Rspack and Vant shipped XMRig miners
The Rspack and Vant compromise used stolen npm publishing tokens to ship obfuscated XMRig cryptomining payloads through official packages on December 19, 2024.
Ultralytics PyPI releases shipped cryptominer
Attackers abused Ultralytics GitHub Actions to publish four PyPI releases with cryptominer code. The trigger combined pull_request_target with branch-name injection.
@solana/web3.js stole private keys
Attackers compromised an npm publish-access account and published malicious @solana/web3.js versions 1.95.6 and 1.95.7 on December 3, 2024. The injected code added credential-stealing behavior to private-key handling paths and exfiltrated material to sol-rpc.xyz.
art-template sold to a shell company, then shipped the Coruna iOS exploit kit
The author sold `art-template` on 2024-11-17 to KILLER WHAL AI SDN BHD. The new owners shipped 4.13.3, 4.13.5, and 4.13.6 with a browser-bundle loader that fed the Coruna iOS exploit kit through utaq.cfww.shop to steal cryptocurrency wallets on Safari iOS 13.0-17.2.1.
lottie-player prompted wallet drains
A stolen maintainer token published lottie-player 2.0.5 through 2.0.7. CDN consumers received Web3 wallet prompts that could trick users into signing asset-draining transactions.
Traffic mod loaded wallet-stealing DLL
A compromised Traffic mod author account pushed fastmath.dll through Paradox Mods. Cities: Skylines II loaded the DLL, which targeted Exodus cryptocurrency wallets.
sqgame downloads delivered BirdCall
ScarCruft compromised sqgame downloads for Yanbian-themed games. Android APKs carried BirdCall, while a Windows update package led to RokRAT and BirdCall.
Procolored printer downloads served malware
Procolored printer software links led to infected Mega-hosted downloads for months. G DATA found XRed backdoor files and the SnipVex clipbanker/file infector.
WordPress.org plugins created admin backdoors
The June 2024 WordPress.org plugin campaign inserted backdoors into several established plugins through the official plugin distribution channel.
Counterfeit Android firmware shipped Triada.z
Kaspersky disclosed a 2025 Triada wave embedded in counterfeit Android smartphone firmware before sale.
Conceptworld installers dropped dllFake
Conceptworld's official site served trojanized Notezilla, RecentX, and Copywhiz installers. The unsigned builds installed the real apps, then ran dllFake stealers.
Knockoff phones shipped Shibai clippers
Low-cost Chinese Android phones shipped with trojanized WhatsApp and Telegram apps that used Shibai to replace cryptocurrency wallet addresses.
KSystem ERP updater stole data
A Korean ERP updater was modified to launch Xctdoor through Regsvr32. ASEC linked the method to Andariel-style ERP update abuse against Korean companies.
IPany VPN installer carried SlowStepper
PlushDaemon replaced IPany's official Windows VPN installer with a trojanized NSIS build. The installer deployed the real VPN and the modular SlowStepper backdoor.
Top.gg Python SDK stole credentials
Attackers hijacked the GitHub account of a Top.gg maintainer using stolen browser cookies to bypass MFA. They modified the repository's requirements.txt to point to a poisoned version of the Colorama package hosted on a typosquatted domain (files.pypihosted.org).
xz release tarballs hid liblzma backdoor
An attacker using the Jia Tan persona gained xz utils maintainer access after a long social-engineering campaign, then shipped official 5.6.0 and 5.6.1 release tarballs that hid a liblzma backdoor in test files and m4 build logic.
JAVS Viewer installer delivered backdoor
JAVS Viewer 8.3.7 installers from the official site carried a fake fffmpeg.exe backdoor. Courtroom recording environments were told to reimage and reset credentials.
Bean Battles Steam update carried trojan
A compromised Bean Battles Steam account reportedly pushed a February 2024 update that installed a trojan and targeted Steam and Discord accounts.
Polyfill.io CDN served malicious redirects
After the popular polyfill.io domain was acquired by Funnull, the CDN began serving malicious JavaScript to selected visitors.
2023
Downfall Steam build carried Epsilon
A compromised Table 9 Studio account replaced the standalone Steam build of Downfall with Epsilon Stealer on Christmas Day 2023.
Ledger Connect Kit shipped wallet drainer
A phished former Ledger employee's npm session let attackers publish Connect Kit 1.1.5, 1.1.6, and 1.1.7. The browser payload rerouted EVM signing through a wallet drainer.
CyberLink installer served LambLoad
Diamond Sleet modified CyberLink's Promeo installer and signed it with a valid CyberLink certificate. LambLoad reached more than 100 devices before Microsoft and CyberLink responded.
Off-brand Android devices shipped BADBOX
BADBOX and BADBOX 2.0 turned off-brand AOSP devices into fraud nodes, with many devices preinfected before consumers connected them.
Android tablet firmware embedded Keenadu
Kaspersky found Keenadu embedded in signed Android tablet firmware, including Alldocube images, after a malicious library entered the firmware build chain.
Fake Dependabot commits poisoned GitHub repositories
In July 2023, attackers used stolen GitHub personal access tokens to push malicious commits into hundreds of public and private repositories while making the commits appear to come from Dependabot.
Fracturiser mod campaign stole player credentials
Fracturiser spread through compromised Minecraft mod and modpack publishing accounts in 2023, turning trusted CurseForge and Bukkit distribution paths into malware delivery channels.
2022
PyTorch nightly builds pulled malicious dependency
PyTorch nightly builds were compromised when a malicious torchtriton package was uploaded to PyPI and won dependency resolution over the intended internal package hosted on PyTorch's nightly index.
3CX app updates delivered multi-stage malware
Attackers compromised 3CX's build process and shipped malware through signed Desktop App updates for Windows and macOS to a customer base spanning hundreds of thousands of organizations.
Comm100 installer delivered backdoor
A validly signed Comm100 Live Chat Windows installer downloaded from the vendor website carried a JavaScript backdoor. The payload staged remote shell code and follow-on loaders against customers in several sectors.
JuiceLedger phished PyPI maintainers
JuiceLedger phished PyPI maintainers and published malicious releases under real package names. The known legitimate-package compromises were exotel 0.1.6 and spam 2.0.2 and 4.0.2.
FishPig Magento extensions delivered ReKoobe
FishPig's paid Magento 2 extension distribution was compromised in 2022, and altered extension code downloaded the ReKoobe Linux backdoor from FishPig infrastructure when a logged-in Magento staff user visited the FishPig control panel.
hautelook/phpass hijacked through GitHub organization
Attackers re-registered the deleted hautelook GitHub organization and recreated its phpass repository. Packagist then served code from the hostile replacement path.
ctx PyPI account stole environment variables
An attacker re-registered the expired maintainer email domain for ctx and reset its PyPI account. Malicious releases exfiltrated environment variables to Heroku.
node-ipc maintainer shipped protestware
The node-ipc maintainer published protestware releases that targeted Russian and Belarusian IP ranges. The code wrote political messages and, in some paths, overwrote files with heart symbols.
Diamond software delivered Fantasy wiper
Agrius likely abused an Israeli diamond-industry software update channel to deploy Fantasy. The wiper spread with Sandals and destroyed data in South Africa, Israel, and Hong Kong.
faker.js and colors.js sabotage broke apps
The faker.js and colors.js sabotage was a paired maintainer protest that broke two widely used npm libraries in early January 2022.
2021
MiMi installers carried Iron Tiger backdoors
Iron Tiger compromised MiMi's official desktop installers. Windows builds carried HyperBro, while macOS and Linux installers delivered rshell for cross-platform remote access.
rc npm releases carried malware
Attackers published rc 1.2.9, 1.3.9, and 2.3.9 with malicious postinstall code. The same account-takeover wave also hit coa.
coa npm hijack shipped malware
Attackers compromised maintainer credentials for the coa command-line argument parser and published malicious versions with Windows-focused password-stealing malware.
X_TRADER software delivered VEILEDSIGNAL backdoor
A compromised installer for the retired X_TRADER financial software, available on Trading Technologies' official website and signed with their certificate, contained the VEILEDSIGNAL backdoor.
ua-parser-js hijack shipped malware
The maintainer's npm account was compromised, allowing attackers to publish malicious versions of ua-parser-js, a library embedded across millions of weekly installs.
SushiSwap MISO redirected auction proceeds
A contractor with MISO front-end access changed an auction payout address in September 2021. The malicious commit redirected 864.8 ETH before the funds were returned.
AccessPress add-ons created backdoors
AccessPress Themes' own download site was breached, turning legitimate WordPress themes and plugins into backdoored vendor ZIPs while the WordPress.org copies remained clean.
Kaseya VSA delivered REvil ransomware
REvil exploited Kaseya VSA on-premises servers on July 2, 2021 and used the remote monitoring platform to push ransomware through managed service providers into downstream customer networks.
Passwordstate update delivered Moserpass
Click Studios' Passwordstate in-place updater served a malformed upgrade that loaded Moserpass. The malware harvested system data and selected password records.
PHP source received backdoor commits
Attackers pushed two malicious php-src commits through git.php.net HTTPS authentication. The backdoor checked for a `User-Agentt: zerodium` header and could execute PHP code.
Gigaset update service delivered malware
Older Gigaset Android phones received malware through the pre-installed Update app after an external update service server was compromised. Reports began around late March and early April 2021, with Gigaset saying the infection was stopped on April 7.
MonPass CA delivered Cobalt Strike installer
Avast disclosed in July 2021 that the official client installer for MonPass — a major Mongolian certificate authority — was backdoored on the company's download site between 2021-02-08 and 2021-03-03.
Codecov Bash Uploader leaked CI secrets
Attackers modified Codecov's Bash Uploader after gaining access to a private GCP key through a flawed Docker image creation process. The one-line change exfiltrated environment variables from customer CI/CD jobs, pulling credentials, tokens, and keys from build systems.
2020
VeraPort websites delivered Lazarus malware
Lazarus abused compromised South Korean websites that supported WIZVERA VeraPort. Signed impostor installers were delivered through a trusted security-software workflow.
Nano extensions shipped malicious updates
After Nano Adblocker and Nano Defender changed hands, Chrome Web Store updates added malicious code that collected browsing data and abused logged-in social sessions.
The Great Suspender Chrome extension hijacked
After original maintainer Dean Oemcke transferred ownership to an anonymous buyer in June 2020, the new owner published v7.1.8 to the Chrome Web Store containing tracking and remote-code-loading functionality that was never present in the open-source repository.
NoxPlayer updates delivered targeted malware
BigNox's NoxPlayer update mechanism delivered tailored malware to a few Asian users. The payloads favored surveillance, not mass monetization.
VGCA website served backdoored installers
Operation SignSight replaced official VGCA signing-toolkit MSI installers. The packages installed the legitimate app and the PhantomNet espionage backdoor.
Twilio SDK S3 bucket served malware
An exposed S3 bucket let attackers alter Twilio's hosted TaskRouter JS SDK v1.20. The injected code loaded malvertising infrastructure from customer pages.
Aisino tax software installed GoldenSpy
A Chinese bank required companies to install Aisino Intelligent Tax, which silently deployed GoldenSpy. The backdoor ran as SYSTEM and survived removal of the tax software.
Free Download Manager Linux page served backdoor
Free Download Manager's Linux download page intermittently redirected users to a malicious Debian package. The package installed a DNS-controlled backdoor and credential stealer.
2019
Monero CLI binaries stole wallet seeds
GetMonero briefly served malicious Linux and Windows CLI wallet binaries. The altered wallet sent private wallet seeds to attacker infrastructure, enabling theft of XMR funds.
Volusion storefront script skimmed payments
A Volusion storefront JavaScript path loaded a Magecart skimmer from Google Cloud Storage. Confirmed scope landed in the low thousands of shops, with later fraud reporting tying hundreds of thousands of card records to the breach.
SolarWinds Orion updates delivered SUNBURST
Attackers compromised SolarWinds' build system and inserted the Sunburst backdoor into signed Orion platform updates, reaching roughly 18,000 customers through trusted software.
rest-client gem backdoor stole credentials
A reused maintainer password let attackers publish rest-client 1.6.10-1.6.13 to RubyGems. Production Rails apps could fetch Pastebin code and leak secrets.
PureScript installer dependencies were sabotaged
Malicious npm releases of load-from-cwd-or-npm and rate-map targeted the PureScript npm installer, making compiler installation hang rather than stealing credentials or installing a backdoor.
strong_password Ruby gem backdoor stole secrets
strong_password 0.0.7 was published on RubyGems without maintainer control. In Rails production, it fetched Pastebin code and installed a cookie-driven RCE backdoor.
Picreel scripts carried Magecart skimmer
Magecart actors compromised Picreel and Alpaca Forms JavaScript in May 2019. Customer sites loaded the trusted scripts and leaked payment data to attacker infrastructure.
ASUS WebStorage update served PLEAD
BlackTech abused ASUS WebStorage's HTTP update flow to deliver PLEAD in Taiwan. The legitimate signed client executed a malicious update pushed through likely router-level interception.
Agama wallet dependency stole seeds
Komodo's Agama wallet pulled in a poisoned npm dependency that exported wallet seeds. Komodo and npm raced the thief, moving at-risk funds before more could be stolen.
bootstrap-sass gem enabled remote execution
The popular bootstrap-sass Ruby gem had malicious version 3.2.0.3 published to RubyGems.org after a likely maintainer account compromise.
electron-native-notify stole wallet seeds
`electron-native-notify` was published as useful npm code, then changed to steal Agama wallet seeds after the target adopted it.
VSDC downloads delivered Bolik and KPOT
VSDC's official site was compromised again in 2019. Geofenced JavaScript replaced download links for some users with Bolik banking trojan and KPOT stealer installers.
Magento extension vendors shipped license backdoors
Tigren, Meetanshi, and MGS extension downloads carried PHP license-check backdoors. Sansec found 21 affected Magento modules, with abuse active by April 2025.
2018
StatCounter script stole gate.io withdrawals
Attackers injected JavaScript into StatCounter's hosted analytics script. The code waited for gate.io Bitcoin withdrawal pages and swapped destination wallets.
event-stream dependency stole wallet funds
The event-stream npm package maintainership was transferred to an attacker using the handle right9ctrl.
Copay wallet targeted private keys
Copay builds included the malicious event-stream dependency chain. The payload was tuned to steal wallet private keys from affected 5.0.2 through 5.1.0 releases.
MEGA Chrome extension stole credentials
Attackers used MEGA's Chrome Web Store account to publish extension v3.39.4. The update requested broader permissions and stole credentials and wallet secrets.
British Airways Modernizr skimmed payments
British Airways served a modified Modernizr script from its own site during checkout. Magecart skimmed payment and personal data and sent it to `baways.com`.
Feedify push script injected Magecart
Magecart compromised Feedify's hosted push-notification JavaScript. Customer sites loading the Feedify library also loaded a card skimmer into checkout pages.
Octopus Scanner infected NetBeans builds
Octopus Scanner backdoored 26 NetBeans projects on GitHub. The malware infected build artifacts and propagated when developers built already-compromised projects.
Remote support updater delivered 9002 RAT
Operation Red Signature compromised a South Korean remote-support provider's update server so selected customer IP ranges received a signed malicious update that launched 9002 RAT.
eslint-scope npm malware stole tokens
An attacker compromised the npm account of an ESLint maintainer and published malicious versions of eslint-scope and eslint-config-eslint.
AUR acroread PKGBUILD ran remote shell scripts
In July 2018, an attacker adopted the orphaned acroread package in the Arch User Repository and added a curl-to-shell install path that fetched remote scripts, installed a systemd timer, and collected host data.
Gentoo GitHub hack modified ebuilds
An attacker gained control of Gentoo's GitHub organization administrator account (reportedly 'risacher' via password guessing).
PEAR installer served Perl backdoor
The official go-pear.phar installer on pear.php.net was replaced for roughly six months. The malicious installer enabled a Perl backdoor and exposed systems that built PEAR from the official site.
VSDC links served stealer chain
VSDC's official website replaced download links with attacker URLs on three days in 2018. Victims received JavaScript that staged a stealer, keylogger, and DarkVNC.
Ammyy download carried Kasidet
Ammyy's official site again served a trojanized Ammyy Admin download. The SmartInstaller wrapper dropped Kasidet, using a World Cup-themed command server as cover.
Infestation executable carried Winnti backdoor
Electronics Extreme distributed a trojanized Infestation executable. ESET found Winnti backdoor code launched before the game's normal runtime initialization.
ASUS Live Update delivered targeted backdoors
Attackers compromised ASUS Live Update servers and signed trojanized utility builds with stolen digital certificates.
VestaCP installer leaked admin passwords
VestaCP's official installer leaked admin passwords and server domains to Vesta infrastructure. Attackers later used that access path to install Linux/ChachaDDoS on customer servers.
ssh-decorate PyPI releases stole SSH credentials
Malicious ssh-decorate releases on PyPI collected SSH connection credentials and posted them to an attacker-controlled endpoint.
getcookies backdoor reached mailparser dependency chain
npm removed getcookies, two related cookie packages, and three mailparser releases after a community report found a request-header backdoor in the dependency chain.
Able Desktop updates delivered APT malware
Able Desktop, a Mongolian business suite used by government agencies, delivered HyperBro, Korplug, and Tmanger through trojanized installers and a likely compromised update path.
Webmin build infrastructure inserted backdoor
Webmin's build infrastructure was compromised in 2018, and attackers modified password_change.cgi before official releases were produced.
MediaGet update delivered Dofoil cryptominer
MediaGet's update flow installed a trojanized client before the Dofoil outbreak. Microsoft tied the poisoned updater to hundreds of thousands of coin-miner attempts.
Browsealoud script delivered Coinhive miner
On 2018-02-11 between 03:00 and 11:45 UTC, the official `ba.js` JavaScript file served from Texthelp's Browsealoud CDN was modified to embed an obfuscated Coinhive Monero miner that ran in visitors' browsers.
Inbenta chatbot script skimmed Ticketmaster payments
Magecart modified a custom Inbenta chatbot script used by Ticketmaster UK. The script skimmed payment and account data from checkout pages for months.
phpBB links served malicious packages
phpBB download links for 3.2.2 were replaced for 181 minutes on January 26, 2018. The off-site packages carried extra code that tried to load remote JavaScript.
PDFescape install chain delivered coin miner
Microsoft and Comodo tied PDFescape Desktop to a 2018 multi-tier supply-chain attack in which a legitimate installer pulled a poisoned Asian-font MSI from cloned partner infrastructure and installed cryptocurrency-mining malware.
Point Blank executable shipped backdoor
Point Blank downloads were reported with a signed Winnti backdoor. The same payload family appeared in Asian gaming supply-chain compromises.
2017
Bitcoin Gold wallet generated weak keys
An attacker replaced Bitcoin Gold's official Windows Core wallet installer on the project's GitHub release page with builds that generated weak private keys for newly created wallets.
Eltima downloads served Proton RAT
Eltima's official macOS downloads for Elmedia Player and Folx were replaced with Proton RAT wrappers. The malware stole secrets and left a backdoor.
Chrome extension accounts shipped malware
Phishing stole Chrome Web Store developer credentials and pushed malicious extension updates. The campaign injected ads, redirected traffic, and collected credentials.
NetSarang server tools shipped ShadowPad backdoor
Legitimate updates for NetSarang server tools, including Xmanager and Xshell, shipped with the ShadowPad backdoor. The payload gave attackers remote control and data theft capability inside sensitive organizations.
HandBrake mirror delivered Proton RAT
An official HandBrake download mirror, download.handbrake.fr, was compromised while hosting the macOS release.
UltraEdit updater carried WilySupply
Operation WilySupply abused UltraEdit's updater to push ue.exe to selected finance and payments targets. The dropper launched PowerShell and Meterpreter, then removed itself after opening the first foothold.
MeDoc updates delivered NotPetya
The update mechanism for MeDoc, a widely used Ukrainian accounting package, was compromised and used to distribute NotPetya.
CCleaner installer shipped multi-stage backdoor
Attackers compromised Piriform's build environment and inserted a backdoor into official CCleaner releases before Avast completed the acquisition.
Stylish extension exfiltrated browsing history
After SimilarWeb acquired Stylish, official browser-extension updates began silently exfiltrating complete browsing histories. The data included full URLs, search results, and account-linked tracking identifiers.
2016
APN updater delivered signed backdoor
Ask Partner Network's signed updater path executed attacker-controlled payloads. Later activity used a signed APN update binary to launch a remote shell and credential theft.
Transmission installer delivered Keydnap
Months after the KeRanger incident, Transmission's website was compromised again. This time, the legitimate macOS installer for version 2.92 was replaced with a malicious version containing the OSX/Keydnap backdoor.
FossHub served MBR-overwriting installers
FossHub's developer and distribution infrastructure was compromised on August 2, 2016, and Windows downloads for Audacity and Classic Shell were replaced with malware that overwrote the master boot record.
Transmission installer delivered KeRanger
The official Transmission BitTorrent website was compromised, and attackers replaced the macOS installer for version 2.90 with a malicious disk image.
Linux Mint downloads served backdoored ISO
The Linux Mint website, specifically its WordPress installation, was compromised. Attackers modified download links on the site for the Linux Mint 17.3 Cinnamon edition ISO.
Ammyy download bundled Lurk
Ammyy's official download path repeatedly delivered an unsigned NSIS wrapper that installed Ammyy Admin and malware. Lurk later gave way to Fareit after arrests of suspected Lurk operators.
Android firmware shipped Triada backdoor
Triada moved from an advanced Android trojan into the firmware supply chain for low-cost Android devices.
phpStudy package carried PHP DLL backdoor
phpStudy distributions for Windows carried a backdoored PHP extension DLL that executed base64 PHP code from HTTP headers. Police reporting later tied the backdoor to large-scale host control and data theft.
2015
Ammyy site served banking malware
Ammyy's official website served installers that bundled Ammyy Admin with multiple malware families. The payloads included Lurk, Corebot, Buhtrap, Ranbyus, and Netwire RAT.
Altair EvLog delivered Kingslayer
Attackers compromised Altair Technologies' eventid.net and EvLog update path, replacing EvLog 3.0 with a signed Kingslayer backdoor. The administrator tool gave the operation a privileged route into sensitive enterprise networks.
Adups FOTA collected phone data
BLU devices shipped with ADUPS FOTA software that collected text messages, call logs, contacts, location, and app data. The update provider became a built-in surveillance channel.
2014
Coolpad ROMs carried CoolReaper backdoor
Palo Alto Networks found CoolReaper in many Coolpad Android ROMs, giving the vendor silent app installation, data upload, SMS, and OTA-abuse capabilities.
Star N9500 firmware shipped Uupay.D
G DATA found Star N9500 smartphones shipping with Android.Trojan.Uupay.D hidden in firmware as a fake Google Play Store app.
Buffalo driver downloads delivered Bankeiya
On May 27, 2014, Buffalo Japan's official download site served ten modified Windows firmware, driver, and utility installers for wireless LAN, NAS, external disk, accelerator, and Bluetooth mouse products.
Ivanti CSA shipped csrf-magic backdoor
Ivanti EPM Cloud Services Appliance carried a backdoored csrf-magic.php file that enabled unauthenticated PHP code execution. The poisoned code appears to have come from a counterfeit csrf-magic clone, not the official project.
2013
GOM Player update served Miancha
GRETECH's GOM Player update path redirected Japanese users to a malicious installer. The package ran the real update and installed Miancha through a staged RAR payload.
KMPlayer updater pushed fake malware release
KMPlayer's update flow offered a fake 3.7.0.87 release that installed malware. KMP Media confirmed external attack activity and warned July-August 2013 users.
SimDisk auto-update delivered DDoS malware
Attackers abused SimDisk's auto-update path during the June 2013 South Korea attacks. The update installed malware used for DDoS and remote control.
Dragonfly Havex ICS vendor compromises
Dragonfly/Energetic Bear compromised industrial software vendors and placed Havex malware in official downloads. Separate linked entries cover the MESA Imaging, eWON, and MB Connect Line distribution paths.
gem-wrappers backdoor reached RubyGems.org
During a platform-level compromise of RubyGems.org (exploiting server vulnerabilities), attackers gained root filesystem access and replaced the legitimate 'gem-wrappers' gem file (v1.1.0) with a malicious version.
2012
OpenX Source archive backdoored
The official OpenX Source 2.8.10 distribution archives were compromised for months, shipping a remote PHP code execution backdoor in the open-source ad server.
phpMyAdmin mirror served backdoored zip
The SourceForge mirror cdnetworks-kr-1 distributed a modified phpMyAdmin-3.5.2.2-all-languages.zip archive containing the server_sync.php backdoor. The payload allowed remote PHP code execution as the web server user, and js/cross_framing_protection.js was also modified.
Juniper ScreenOS firmware hid backdoors
Juniper disclosed that unauthorized code entered official ScreenOS firmware for NetScreen firewalls. CVE-2015-7755 opened hidden SSH/Telnet admin access; CVE-2015-7756 could let an observer decrypt VPN traffic.
2011
vsftpd distribution site served backdoor
The official vsftpd 2.3.4 source archive was replaced with a backdoored tarball around June 30 to July 1, 2011, and removed on July 3.
WordPress.org plugins created admin backdoors
On June 21, 2011, the WordPress team found suspicious unauthorized commits to three popular WordPress.org plugins: AddThis, WPtouch, and W3 Total Cache. The commits contained disguised PHP backdoors and were not made by the legitimate authors.
2010
ProFTPD site served backdoored source
ProFTPD's main FTP and rsync distribution server was compromised on November 28, 2010, and the 1.3.3c source archives were replaced with backdoored copies until December 2.
Energizer charger software installed Arucer
Energizer DUO USB battery charger software for Windows installed a backdoor DLL named Arucer.dll from the official charger-monitoring software path. CERT/CC disclosed the issue on March 5, 2010.
2009
UnrealIRCd tarball enabled remote execution
The official UnrealIRCd 3.2.8.1 source distribution was replaced on project mirrors around November 10, 2009, and remained exposed until June 12, 2010.
SquirrelMail plugin archives stole passwords
After a SquirrelMail web-server compromise in June 2009, the project found that three official plugin archives had been modified to mail user passwords to an offsite server.
2008
Samsung picture frame CD shipped malware
Samsung's SPF-85H digital picture frame shipped with a Windows driver CD whose Frame Manager XP 1.08 installer carried malware.
Red Hat-signed OpenSSH RPMs were tampered
During the August 2008 Fedora and Red Hat infrastructure intrusions, an attacker got tampered OpenSSH packages for RHEL 4 and RHEL 5 signed with a legitimate Red Hat package key, though Red Hat said RHN subscribers did not receive them through official channels.
2007
SquirrelMail release tarballs enabled remote file inclusion
SquirrelMail 1.4.11 and 1.4.12 release archives were modified after release through a compromised maintainer account, turning official downloads into remote file-inclusion backdoors until 1.4.13 replaced them.
WordPress download enabled remote execution
Shortly after its release, the official WordPress 2.1.1 download package (`.zip`) hosted on wordpress.org was compromised by attackers who gained access to a web server.
2006
Webmin mirror served backdoor
A compromised SourceForge mirror distributed a modified Webmin 1.290 archive.
2003
Linux bk2cvs mirror received backdoor
An attacker attempted to insert a two-line backdoor into the Linux kernel's bk2cvs mirror by modifying kernel/exit.c outside the authoritative BitKeeper workflow.
2002
tcpdump.org source tarballs trojanized
The tcpdump.org distribution site was compromised in November 2002, and source archives for tcpdump and libpcap were replaced with trojanized versions.
Sendmail FTP tarball shipped trojan
The official Sendmail FTP server, ftp.sendmail.org, was compromised and the 8.12.6 .tar.gz and .tar.Z source archives were replaced with trojanized versions; HTTP downloads were not believed affected.
OpenSSH tarballs shipped trojan horse
OpenSSH 3.2.2p1, 3.4p1, and 3.4 source archives on the OpenBSD FTP server were trojanized between July 30 and August 1, 2002, with copies possibly spreading through mirrors.
monkey.org tarballs shipped backdoors
The monkey.org host serving Dug Song's security tools was compromised on May 14, 2002, and attackers modified the dsniff 2.3, fragroute 1.2, and fragrouter 1.6 source tarballs at 03:00 on May 17.
Irssi configure script backdoored
The irssi.org server was cracked, and the official Irssi 0.8.4 source distribution served a modified configure script for about two months.
1999
IBM Aptiva PCs shipped CIH virus
In early 1999, IBM accidentally shipped several thousand Aptiva consumer PCs pre-installed with the destructive CIH (Chernobyl) file virus.
util-linux source archive trojanized
The util-linux 2.9g source archive was replaced on an official distribution site during the same 1999 advisory window as the tcp-wrappers compromise.
tcp-wrappers tarball granted remote root
The official source code distribution tarball for tcp-wrappers version 7.6 (`tcp_wrappers_7.6.tar.gz`) was replaced with a trojaned version on several FTP distribution sites, including the primary site at the time (Eindhoven University).
1998
ircII FTP tarball enabled remote access
The official FTP server (ftp.irc.org) hosting the ircII source code was compromised. The `ircii-2.8.2.tar.gz` distribution was modified; specifically, the file `ircd/s_bsd.c` had a backdoor inserted.
CorelDRAW Mac CDs carried AutoStart worm
Corel recalled the second pressing of CorelDRAW 8.0 for Mac OS after CD-ROMs carried AutoStart 9805-D. The worm abused QuickTime AutoStart on classic Mac OS.
1995
Microsoft Windows 95 beta disks carried Form
Microsoft sent infected Windows 95 beta media to testers in February 1995. Antivirus scanning found the Form boot-sector virus before clean disks were issued.
1994
ircII source installed account backdoor
Some copies of the ircII 2.2.9 source code for UNIX systems contained a Trojan horse that created a backdoor into accounts running the IRC client.
wu-ftpd tarball shipped backdoor
The source code distribution for the popular wu-ftpd FTP server was modified by an attacker to include a backdoor. This trojaned version was then uploaded to the primary distribution site.
1992
Intel LANSpool disks carried Michelangelo
Intel halted LANSpool 3.01 shipments after finding Michelangelo on some official 5.25-inch floppy disks. The affected NetWare packages were replaced by virus-free LANSpool 3.02.
1988
Aldus FreeHand disk shipped MacMag virus
Master copies of a promotional/training disk for Aldus FreeHand, a commercial graphics program, were infected with the MacMag virus by a contractor before duplication.
1983
Ken Thompson implemented compiler backdoor demo
In his 1983 Turing Award lecture (published 1984), Ken Thompson described an experiment he likely implemented years earlier at Bell Labs. He modified the Unix C compiler (`cc`) binary to insert a backdoor into the `login` program during compilation.
1975
ANIMAL trojan replicated across mainframes
ANIMAL was one of the earliest documented examples of a self-replicating "trojan horse" program. Created by John Walker, it presented as a simple "20 questions" game guessing animals but secretly searched the system for other terminals and copies of itself.
Data refreshed from supplychain-attack-data at 3300044. Last generated 2026-05-23T17:51:36Z.