Threat Research Round-Up Q4 2025

In Q4 2025, attackers increasingly targeted the most trusted parts of the software supply chain: package registries, developer tools, and automation designed for speed, not scrutiny.

In this Threat Research Round-Up, RL researchers break down five real-world campaigns uncovered in the closing months of 2025 across NuGet, PyPI, PowerShell Gallery, and VS Code. 

The incidents show how attackers are exploiting the implicit trust of the open source development community to evade traditional controls, from malicious NuGet packages that  harvest OAuth tokens; to fake VS Code extensions disguised as image assets; to bootstrap scripts enabling domain takeovers and a new Shai Hulud npm worm variant. 

Key takeaways from the Q4 Threat Research Round-Up include:

• How attackers weaponized trust across package ecosystems and developer tools
  
• Why metadata-only scanning failed to surface malicious behavior
  
• The common tradecraft connecting NuGet, PyPI, PowerShell Gallery, and VS Code attacks
  
• What deeper binary and package intelligence reveals earlier in the attack chain
  
• Practical steps to reduce software supply chain risk heading into 2026

Watch Now