CyberSecurity

Cybercriminals Exploit Axios JavaScript Library in Sophisticated Npm Package Supply Chain Attack

Cybercriminals have executed a sophisticated supply chain attack targeting one of JavaScript’s most widely-used libraries. The Axios npm package, which sees over 100 million weekly downloads, became the vehicle for distributing malicious remote access trojans to developer environments worldwide.

Understanding the Npm Package Attack Vector

This npm package attack shows how open source maintainers themselves have become the target. The attackers took over maintainer Jason Saayman’s npm account and used its publishing rights to add a malicious dependency to the trusted Axios library.

The planning behind the operation shows in its timeline. The malicious dependency, “plain-crypto-js”, was staged on npm a full day before the account takeover, so the payload was already in place when the attackers gained the ability to publish. That premeditation points to reconnaissance and preparation rather than an opportunistic credential theft.

Beyond the npm account, the attackers changed the email address on Saayman’s account, a persistence step that routes account-recovery and notification mail to them rather than to the legitimate owner, and they hijacked his GitHub account at the same time. Holding both accounts gave them control over the project’s publishing identity and its source-hosting identity together.

Technical Analysis of the Malicious Payload

The threat actors published two compromised versions, v1.14.1 on the 1.x line and v0.30.4 on the legacy 0.x line, both pulling in the plain-crypto-js dependency that deploys cross-platform remote access trojans. Legitimate Axios releases are built and published through GitHub Actions with OIDC-based provenance attestations; the malicious versions were pushed directly with the npm CLI using the stolen credentials. That difference is itself a detection signal: a release carrying no provenance attestation, from a package whose recent releases all carry one, does not match the project’s established publishing pattern.

Research from OpenSourceMalware shows the level of engineering in the payload: obfuscation, anti-analysis checks and a self-deletion routine, all designed to evade modern detection systems.

Organizations that rely only on signature-based endpoint tooling or on after-the-fact inspection of dropped files may therefore fail to identify compromised systems, since the dropper removes its own traces. The attackers clearly understood current detection capabilities and engineered their payload around them.

Attribution and Threat Actor Profile

The Google Threat Intelligence Group has attributed this npm package attack to UNC1069, a financially motivated threat actor with North Korean connections that has been active since 2018. The attribution rests on the use of WAVESHAPER.V2, an evolved version of malware previously associated with the group.

The level of investment is consistent with that attribution. A multi-stage architecture, platform-specific payloads and full remote access trojan functionality require resources well beyond a typical cybercriminal operation, and North Korean-linked groups pursue financial gain on behalf of the state rather than as independent criminals, so the financial motive and state backing are not in tension.

Therefore, security professionals should consider this attack within the broader context of nation-state cyber operations targeting software supply chains.

Immediate Response and Detection Strategies

Security teams must implement comprehensive detection strategies following this npm package attack. The blast radius could be extensive given Axios’s widespread adoption across developer environments and CI/CD pipelines.

Critical response actions include examining lockfiles (package-lock.json, yarn.lock or pnpm-lock.yaml) for plain-crypto-js or for the compromised Axios versions, including transitive copies nested under other dependencies rather than only top-level entries. Organizations should also hunt for indicators of compromise across developer machines and CI/CD infrastructure, since any install that ran while the versions were live could have pulled them in.

Credential rotation and system remediation are therefore essential for any potentially exposed environment: any secret reachable from an affected developer machine or CI runner, such as npm tokens, cloud credentials, SSH keys and pipeline secrets, should be treated as compromised. The roughly three-hour window between the first malicious publish and npm’s response was ample time for the versions to be pulled into builds worldwide.
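As an added example (not code from the article, from OpenSourceMalware or from the Axios project), the following Node.js script scans the three lockfile formats named above for the indicators the article gives: any plain-crypto-js entry, and axios resolved to 1.14.1 or 0.30.4. It walks the full installed tree, so a transitive copy nested under another dependency is found, which a glance at the top-level dependency list would miss. The lockfile contents embedded at the bottom are constructed for the demo; in practice the functions are fed the text of real files read from disk.

```javascript
// Added example (not code from the article or the Axios project): scan
// package-lock.json, yarn.lock and pnpm-lock.yaml for the indicators named
// in the text. Sample lockfile contents at the bottom are constructed.

const MALICIOUS_PACKAGES = new Set(["plain-crypto-js"]);
const COMPROMISED_VERSIONS = { axios: new Set(["1.14.1", "0.30.4"]) };

// Return a hit record when (name, version) matches an indicator, else null.
function flag(name, version, where) {
  if (MALICIOUS_PACKAGES.has(name)) return { name, version, where, reason: "malicious dependency" };
  if (COMPROMISED_VERSIONS[name]?.has(version)) return { name, version, where, reason: "compromised release" };
  return null;
}

// package-lock.json: lockfileVersion 2/3 keys every installed copy by path
// under "packages" (e.g. "node_modules/foo/node_modules/axios"), so nested
// transitive copies are found too; lockfileVersion 1 nests "dependencies".
function scanPackageLock(text) {
  const lock = JSON.parse(text);
  const hits = [];
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === "") continue; // the root project itself
      const name = path.slice(path.lastIndexOf("node_modules/") + 13); // keeps @scope/name
      const h = flag(name, entry.version, path);
      if (h) hits.push(h);
    }
  } else {
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps || {})) {
        const h = flag(name, entry.version, prefix + name);
        if (h) hits.push(h);
        walk(entry.dependencies, prefix + name + " > ");
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// yarn.lock v1: an unindented header like `axios@^1.14.0, axios@^1.0:` is
// followed by an indented `version "1.14.1"` line for that entry.
function scanYarnLock(text) {
  const hits = [];
  let current = null; // name of the entry currently being read
  for (const line of text.split(/\r?\n/)) {
    if (line && !/^\s/.test(line) && !line.startsWith("#")) {
      const spec = line.replace(/:$/, "").split(",")[0].trim().replace(/"/g, "");
      // Drop the range after the last "@" but keep the "@" of a scope.
      current = spec.startsWith("@") ? "@" + spec.slice(1).split("@")[0] : spec.split("@")[0];
    } else if (current) {
      const m = /^\s+version\s+"?([^"\s]+)"?/.exec(line);
      const h = m && flag(current, m[1], current);
      if (h) hits.push(h);
    }
  }
  return hits;
}

// pnpm-lock.yaml (v6+): entries under `packages:` are keyed `name@version:`,
// optionally quoted and optionally prefixed with "/".
function scanPnpmLock(text) {
  const hits = [];
  let inPackages = false;
  for (const line of text.split(/\r?\n/)) {
    if (/^packages:\s*$/.test(line)) { inPackages = true; continue; }
    if (/^\S/.test(line)) inPackages = false; // any other top-level key ends the section
    if (!inPackages) continue;
    const m = /^ {2}'?\/?(@?[^@\s']+)@([^\s:'(]+)/.exec(line);
    const h = m && flag(m[1], m[2], m[0].trim());
    if (h) hits.push(h);
  }
  return hits;
}

function scanLockfile(filename, text) {
  if (filename.endsWith("package-lock.json")) return scanPackageLock(text);
  if (filename.endsWith("yarn.lock")) return scanYarnLock(text);
  if (filename.endsWith("pnpm-lock.yaml")) return scanPnpmLock(text);
  throw new Error("unsupported lockfile: " + filename);
}

// Constructed samples: each holds one indicator next to a clean package.
const SAMPLE_PACKAGE_LOCK = JSON.stringify({ lockfileVersion: 3, packages: {
  "": { name: "demo-app" },
  "node_modules/axios": { version: "1.14.1" },
  "node_modules/some-lib/node_modules/plain-crypto-js": { version: "1.0.3" },
  "node_modules/@types/node": { version: "20.0.0" } } });
const SAMPLE_YARN_LOCK = ["# yarn lockfile v1", "", "axios@^0.30.0:",
  '  version "0.30.4"', "", '"@types/node@^20":', '  version "20.0.0"', ""].join("\n");
const SAMPLE_PNPM_LOCK = ["lockfileVersion: '9.0'", "packages:", "  axios@1.13.0:",
  "    resolution: {integrity: sha512-x}", "  plain-crypto-js@1.0.3:",
  "    resolution: {integrity: sha512-y}", "snapshots:"].join("\n");

for (const [file, text] of [["package-lock.json", SAMPLE_PACKAGE_LOCK],
  ["yarn.lock", SAMPLE_YARN_LOCK], ["pnpm-lock.yaml", SAMPLE_PNPM_LOCK]]) {
  console.log(file, scanLockfile(file, text)); // one hit list per format
}
```

The indicator sets are plain constants so they can be extended if further packages or versions are named; the same scan belongs in CI as a failing check, not only in a one-off hunt. Separately, `npm audit signatures` verifies registry signatures and provenance attestations for every installed package, which surfaces a release published without the provenance that the project’s earlier releases carried.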

Long-term Implications for Open Source Security

This incident highlights the vulnerability of open source software dependencies in modern development environments. Avital Harel from Upwind notes that “build pipelines are becoming the new front line” in cybersecurity battles.

Attackers recognize that compromising software build and distribution systems allows them to “inherit trust at scale.” This represents a fundamental shift in threat vectors that organizations must address through enhanced supply chain security measures.

Security programs therefore need to treat CI/CD systems, package dependencies and developer workstations as assets of the same importance as production. These components are now high-value targets for sophisticated actors seeking maximum reach from a single compromise.

The npm package attack against Axios serves as a wake-up call for the entire software development community. Organizations must implement comprehensive supply chain security frameworks to protect against similar threats in the future.

Discord Rolls Out End-to-End Encrypted Voice and Video Calls for All Users

In a significant move for user privacy, Discord has now enabled end-to-end encrypted voice and video calls for all its hundreds of millions of users. This means that conversations on the platform are now private, with no one—not even Discord—able to listen in. The update arrives at a time when other major tech companies have been scaling back similar privacy features.

What Is End-to-End Encryption on Discord?

End-to-end encryption ensures that only the participants in a call can decrypt the audio and video. Discord’s servers relay the encrypted media but hold no key that could read it. That is a step up from the transport encryption most services rely on, where traffic is protected on the wire but the provider’s servers decrypt it and could read or record the stream. For users, the privacy of Discord voice and video calls is now considerably stronger.

The feature was first introduced in 2024 but was limited. Now, it’s the default for all one-on-one and group voice and video calls, outside of stage channels. No action is required from users—the encryption is automatically applied.

Why This Matters for Privacy-Conscious Users

This update comes as a welcome contrast to recent decisions by other platforms. For example, Meta discontinued Instagram’s end-to-end encrypted messaging feature earlier this year. Similarly, TikTok announced it would not encrypt user messages after becoming a US-based company. Discord’s move reinforces its commitment to user privacy in an increasingly surveillance-conscious digital landscape.

According to Mark Smith, Discord’s vice president of core technologies, “End-to-end encryption is now standard for every voice and video call on Discord, outside of stage channels. No opt-in required.” This statement highlights the company’s proactive approach to security.

How It Compares to Other Platforms

While WhatsApp and Signal have long offered end-to-end encrypted calls, Discord’s rollout is notable for the size of the user base it covers, spanning gamers, communities and professionals. The change puts Discord among the leaders in private voice and video calling across social and communication apps.

What Users Need to Do

Absolutely nothing. The feature is enabled by default for all voice and video calls, and there is no toggle or setting to turn on, which makes it one of the most seamless privacy rollouts in recent memory.

Two caveats apply. Text messages and stage channels are not covered, and the company has not announced plans to extend encryption to them. And end-to-end encryption protects call content from the provider and from anyone on the network path; it does not protect against a compromised device at either end, and it does not hide who called whom and when, which Discord’s servers still see in order to route the call.

Looking Ahead: The Future of Discord Security

Discord’s decision to make end-to-end encrypted voice and video calls the default for all users is a strong signal that privacy is becoming a core feature rather than an afterthought. As digital communication grows, users are demanding more control over their data, and Discord is responding.

In conclusion, Discord has taken a bold step forward. By making end-to-end encryption the default, it has raised the bar for its own security posture and for the wider industry. Users can now talk knowing that the content of their calls is private from Discord itself.

Ransomware Turf War Escalates as 0APT and KryBit Groups Trade Blows in Public Feud

The cybercrime underground is witnessing an unusual spectacle: a ransomware turf war between two rival groups, 0APT and KryBit, who are publicly leaking each other’s operational data. According to a new report from Halcyon, both groups are now scrambling to rebuild their infrastructure after this dramatic exchange of blows.

This clash began when 0APT, a relatively new ransomware group, posted sensitive data on its leak site targeting three rivals: the newcomer KryBit, along with established players RansomHouse and Everest Group. The leak exposed KryBit’s administrator panel, affiliate details, and victim negotiation data. Halcyon noted that the leaked information spanned from March 28 to April 12, 2026, revealing two administrators, five affiliates, and 20 potential victims. Ransom demands ranged from $40,000 to $100,000 per victim, with exfiltrated data volumes between 10GB and 250GB.

However, KryBit did not take this lying down. The group retaliated by hacking back at 0APT, stealing its data and defacing its leak site with a taunting message: “Next time, don’t play with the big boys.” The counter-leak included full access logs, PHP source code, and system files from 0APT’s infrastructure. More importantly, it revealed a stunning deception: the 190+ victims 0APT had claimed since January 2026 were entirely fabricated. No data was ever exfiltrated from any listed victim.

Halcyon’s analysis also found that 0APT’s entire data leak site was running on Parrot OS installed through AnLinux, an Android app that runs Linux distributions on a phone, with the site’s content served from the phone’s internal SD card storage. This amateurish setup has left 0APT unable to recover, while KryBit maintains control of the defaced site.

Why This Ransomware Turf War Matters for Cybersecurity

This ransomware turf war illustrates a growing trend: cybercriminal groups are increasingly targeting each other to gain credibility and market share. Oliver Newbury, former Barclays CISO and chief strategy officer at Halcyon, explained that financial pressure is driving these conflicts. “These groups depend on credibility to survive, so when that starts to crack, rivals move fast to expose it,” he said. “We’re now seeing them disrupt each other’s operations, taking over infrastructure and undermining campaigns in real time.”

As a result, the ecosystem doesn’t shrink—it reshapes, often becoming harder to predict. For defenders, this means that while internal feuds can temporarily weaken certain groups, they also create new, more resilient adversaries.

Interestingly, Everest Group has not retaliated against 0APT despite having its publication and user data leaked, in encoded form. This suggests that not all groups are willing to engage in public warfare; some may prefer to rebuild quietly.

How the Feud Exposes Ransomware Group Vulnerabilities

The KryBit leak exposed critical operational components, including administrator panels and affiliate networks. Halcyon warned that such leaks force groups to “rotate leaked operational components to ensure impact on their activities is limited.” This means both 0APT and KryBit will likely need to rebuild, rebrand, and spin up new infrastructure over the coming weeks or months to remain active.

Moreover, the fabricated victim list from 0APT highlights a broader issue: the ransomware economy relies heavily on perceived success. Groups like 0APT may fabricate attacks to attract affiliates, but such deception can backfire spectacularly when exposed.

Data from Chainalysis in 2025 showed that crypto-payments to ransomware actors dropped 8% annually to $820 million, even as attack numbers rose 50%. This financial squeeze likely fuels conflicts like this ransomware turf war, as groups fight for a shrinking pool of ransom payments.

What This Means for Businesses and Defenders

While internal feuds may seem like a net positive for cybersecurity, experts caution against complacency. “It creates instability, but not safety,” Newbury added. The disruption caused by this ransomware turf war could lead to unpredictable behavior from both groups, including more aggressive attacks or a shift to new, harder-to-track methods.

Organizations should remain vigilant: patch systems, enforce multi-factor authentication, and maintain offline backups. The chaos among ransomware groups does not eliminate the threat—it merely changes its form.

In conclusion, the 0APT vs. KryBit feud is a stark reminder that the cybercrime landscape is dynamic and ruthless. As these groups trade blows, they reveal not only each other’s weaknesses but also the fragility of the entire ransomware business model.

Grafana Labs confirms code theft in GitHub breach, refuses to pay ransom

Grafana Labs, the company behind the widely used open source visualization platform, has confirmed that hackers broke into its GitHub environment and stole source code. However, the firm has decided not to give in to ransom demands.

The breach came to light through a series of social media posts by the company. According to its initial investigation, attackers exploited a stolen token credential that granted access to the GitHub repositories where Grafana’s source code is stored. Importantly, the compromised token did not provide access to customer records or financial data. The company has since revoked the token and implemented additional security measures to prevent future incidents.

Details of the Grafana Labs hack

The attackers attempted to extort Grafana Labs by demanding payment in exchange for not releasing the stolen codebase. “The attacker attempted to blackmail us, demanding payment to prevent the release of our codebase,” the company stated.

Given that Grafana’s core software is open source, much of its code is already publicly available on platforms like GitHub. It remains unclear whether the hackers managed to steal any proprietary or confidential code that is not part of the public repository. A spokesperson for Grafana Labs did not immediately respond to requests for comment.

Why the company refused to pay

This incident stands in stark contrast to a recent hack at education technology giant Instructure, which chose to negotiate with attackers. Instructure reportedly reached an agreement to pay a ransom after hackers compromised its network twice in recent weeks, threatening to release sensitive data about staff and students.

In Grafana’s case, no customer data was compromised. The company cited long-standing advice from the FBI urging victims not to pay hackers. Law enforcement agencies argue that cooperating with cybercriminals does not guarantee the return of stolen data or prevent its future publication. Critics also point out that paying ransoms effectively funds further cyberattacks.

Ongoing investigation and security lessons

Grafana Labs has stated that its investigation is ongoing and that it will share detailed findings once the probe concludes. The company has not yet disclosed how the token credential was stolen or whether any proprietary code was accessed.

This breach is a reminder for organizations using GitHub to treat access tokens as credentials with a blast radius. Practical measures include preferring short-lived, fine-grained tokens scoped to the specific repositories and permissions a job needs over long-lived classic tokens, rotating tokens on a schedule, keeping them out of source code and CI logs, and monitoring audit logs for token use from unexpected locations or at unexpected times.

As cyberattacks targeting software supply chains become more common, incident response plans should set policy on ransom payment before an incident rather than during one. The Grafana Labs hack reinforces the principle that refusing to pay can be a viable strategy, especially when customer data is not at risk and, as here, much of the stolen material is already public.
