Inside the NuGet hackers' toolset
RL discovered two packages containing scripts that complete a typosquatting toolchain. Here's how it worked.
Threat Research
Inside the NuGet hackers' toolset
Malicious NuGet package targets Stripe
Threat actors targeted developers with a bogus package — a shift away from the recent crypto development hack focus.
Inside the fake crypto developer recruitment hack
Here’s a more-in-depth technical analysis of the packages involved in the "graphalgo" campaign.
Fake recruiter campaign targets crypto devs
A new branch of a fake job recruitment campaign, dubbed "graphalgo," is targeting developers with a RAT.
Inside the EmEditor supply chain compromise
By combining early infrastructure detection with supply chain security controls you can give your defenders a leg up.
Unpacking the packer ‘pkr_mtsi’
This RL Researcher’s Notebook highlights the packer’s evolution — and offers a YARA rule to detect all versions.
NuGet malware targets Nethereum tools
Highlighting an alarming trend, RL has discovered malicious packages targeting crypto wallets and OAuth tokens to steal funds.
VS Code extensions contain trojan-laden image
RL researchers have identified 19 malicious extensions on the VS Code Marketplace — the majority containing a malicious file posing as a PNG.
New Shai-hulud worm spreads: What to know
Shai-hulud 2.0 malware has spread to 795 npm packages — and been downloaded more than 100M times.
Bootstrap script exposes PyPI to domain takeovers
Proving the road to takeover is paved with setuptools alternatives, the script for a popular Python package for building and installing PyPI packages leaves them vulnerable.
How PowerShell Gallery simplifies attacks
PowerShell Gallery’s Install-Module command presents one key link in the kill chain of a possible attack.
Tracking an evolving Discord-based RAT family
RL's analysis of an STD Group-operated RAT yielded file indicators to better detect the malware and two YARA rules.
Shai-hulud npm attack: What you need to know
RL researchers detected the first self-replicating worm that compromised npm packages with cloud token-stealing malware. Here's what you need to know.
Ethereum contracts push malware on npm
RL discovered how the crypto contracts were abused — and how this incident is tied to a larger campaign to promote malicious packages on top repositories.
Threat actors claim VS Code extension names
RL has discovered a loophole on VS Code Marketplace that allows threat actors to reuse legitimate, removed package names for malicious purposes.