Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

The pace is not slowing down. Between May 18 and June 1, 2026, four distinct supply chain campaigns swept through npm, PyPI, Crates.io, GitHub Actions, and Composer.

Most security teams check the EDR box, check the proxy box, and move on. Against supply chain malware, neither provides meaningful protection because they were built for a different problem. Traditional malware has a way of sneaking onto a machine, whereas supply chain malware gets invited. The developer runs npm install, and the malicious code lands with full permission to execute. That inversion breaks both tools at the design level. ‍

On June 1, 2026, researchers identified malicious code embedded in at least 32 package releases published under the @redhat-cloud-services npm namespace, a set of frontend components and API clients that power the Red Hat Hybrid Cloud Console. The compromised releases carry a preinstall script that runs an obfuscated payload the moment a package is installed, harvesting developer and cloud credentials and attempting to spread itself to other packages the victim can publish.

Modern software is not written from scratch. It’s assembled. Developers pull from open-source repositories, import third-party libraries, accelerate development with AI coding assistants, and deploy across multi-stage CI/CD pipelines that span dozens of tools, services, and vendors.

In March 2026, researchers began linking a series of software supply-chain compromises to Replicating Marauder, the BlueVoyant Threat Fusion Cell (TFC) primary identifier for the actor publicly tracked elsewhere as TeamPCP. What made the campaign stand out was that trusted software was poisoned and one compromise repeatedly appeared to enable the next by exposing credentials, release paths, or Continuous Integration and Continuous Delivery or Deployment (CI/CD) trust relationships.

There's a new playbook in the supply chain threat landscape, where an someone builds something genuinely useful, growing a real user base. But all while stealing credentials. codexui-android is a remote web UI for OpenAI Codex. Real GitHub repo. Active development. Polished enough to get 27.000 weekly downloads. And for the past month, every single invocation has been quietly exfiltrating your Codex authentication tokens to an attacker-controlled server.

On May 22, 2026, we detected an active supply chain attack against Laravel-Lang. We filed a report with the maintainers immediately. The attacker published malicious version tags across three widely used repositories, injecting credential-stealing code that loads automatically via composer’s autoloader feature. What makes this particularly sneaky is that the malicious code was never committed to the official repos at all.

On 2026-05-22, an attacker rewrote every repository tag across four Composer packages in the Laravel-Lang ecosystem to point at malicious commits. The affected packages are laravel-lang/lang, laravel-lang/attributes, laravel-lang/http-statuses, and laravel-lang/actions. The rewrite took place on 2026-05-22 into the early hours of 2026-05-23. Every malicious commit makes the same two-file change: one entry added to composer.json, and one new file at src/helpersphp.

The rules of software security have changed. For years, the dominant threat narrative centered on stolen credentials and compromised accounts. Today, attackers have shifted strategies — and the data proves it. According to the 2026 Verizon Data Breach Investigations Report, exploitation of vulnerabilities now accounts for 31% of all initial access vectors, surpassing credential abuse, which has fallen to just 13%. Attackers aren’t just knocking on the front door anymore.

In a significant security incident unfolding on May 20, 2026, GitHub confirmed unauthorized access to its internal repositories. The breach involved the exfiltration of sensitive internal source code and organizational data, reportedly totaling around 3,800 to 4,000 private repositories. A threat actor surfaced on underground forums advertising the stolen materials for sale, complete with directory listings of compressed archives and sample verification offers.