SIGNALS WEEKLY: Wormed Repos, Multi-Vector APTs, KEV Identity RCE

Wormed npm repos. Multi-vector APTs. KEV-listed identity RCE. If your CI/CD + SSO aren’t on the same crisis board this week, you’re already late. 😈🚨

TL;DR

  • [Supply Chain] Shai-Hulud 2.0 trojanizes 640+ npm packages and 25k+ GitHub repos to exfiltrate multi-cloud creds and GitHub tokens; destructive fallback wipes dev environments.
  • [Espionage] PRC-nexus APT24 runs multi-year “BADAUDIO” campaign combining watering holes, JS supply-chain compromise, and targeted phishing against government/strategic targets.
  • [Vulnerabilities] CISA adds actively exploited Oracle Fusion Middleware/Identity Manager auth-bypass RCE to KEV, driving urgent patching for identity-tier systems.

AlphaHunt

Stop doomscrolling, start decisioning. We chewed through the muck so your team doesn’t have to. → Subscribe! • Forward to your on-call lead.

(Have feedback? Did something resonate with you? Did something annoy you? Just hit reply! :))

Current Stories

TL;DR

  • [Supply Chain] Shai-Hulud 2.0 npm worm trojanizes 640+ packages and 25k+ GitHub repos, stealing multi-cloud creds and GitHub tokens; destructive fallback wipes dev home dirs.

  • [APT / Espionage] PRC-nexus APT24 runs 3-year “BADAUDIO” espionage campaign using watering holes, JS supply-chain compromise of a Taiwan marketing firm (1,000+ domains), and targeted phishing.

  • [APT / Network Devices] China-aligned PlushDaemon implants routers and network devices with “EdgeStepper” to hijack DNS, intercept update traffic, and deploy multi-stage backdoors for stealthy espionage.

  • [Vulnerabilities] CISA adds actively exploited Oracle Fusion Middleware / Identity Manager auth-bypass RCE (CVE-2025-61757) to KEV, mandating rapid patching for U.S. federal agencies.

Suggested Pivots

How should we prioritize inspections of dev tools, GitHub orgs, and CI/CD runners for Shai-Hulud 2.0-style npm and token abuse?

  • Why: This focuses follow-up work on the parts of our environment that can silently seed or propagate the current worm and future copycats.
  • What to expect: A prioritized checklist of dev ecosystems to review, with concrete indicators (package names, scripts, workflows) to drive hunts and hardening.

Where do APT24 and PlushDaemon infrastructure and tradecraft overlap with our current DNS, web proxy, and edge-device visibility?

  • Why: Both sets of operations lean on DNS and web-layer redirection plus edge implants, which often sit outside standard EDR coverage.
  • What to expect: A map of telemetry and logging gaps versus observed techniques, helping frame targeted monitoring or architecture changes.

AlphaHunt Converge - Plug in your Flight Crew

Get intelligence where it counts. No dashboards. No detours. AlphaHunt Converge teases out your intent, reviews the results and delivers actionable intel right inside Slack. We turn noise into signal and analysts into force multipliers.

Anticipate, Don’t Chase.

Emerging Stories

(Subscribers Only.. SIGN UP!)