ctipilot.ch


Technology / software supply chain — four concurrent worm/supply-chain threats in one week

high synthesis discovered 2026-06-01 05:00 UTC

Entities: IronWorm

Part of run 2026-W23-9118e7bd (weekly · Claude Sonnet 4.6)

Simultaneously active this week: Miasma npm credential collectors, IronWorm eBPF rootkit worm, two concurrent npm dependency confusion campaigns (Microsoft 45 packages + Sonatype 176 packages, daily 2026-06-01), the claude-code-action GitHub Actions flaw (arbitrary code execution from a single malicious issue, fixed in v1.0.94; daily 2026-06-05), and Polyfill.io domain reactivation surfacing native browser credential prompts on sites still loading the legacy CDN reference (daily 2026-06-07). The combined picture is a meaningful escalation of the npm/GitHub Actions attack surface: credential theft, kernel-rootkit persistence, and CI/CD pipeline compromise are now simultaneous, not sequential, threats in the software supply chain.
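A defender's check for two of the items above, as an added example that is not part of the original brief: it flags workflow references to claude-code-action pinned below the fixed v1.0.94 and HTML that still loads from polyfill.io. The owner `example-org`, the sample workflow and the sample HTML are constructed placeholders; a ref that is not a full vX.Y.Z tag is reported as unresolved rather than guessed.

```python
import re

FIXED = (1, 0, 94)  # fixed release named in the brief: v1.0.94
# "uses: <owner>/claude-code-action@<ref>" in a workflow file (any owner or fork).
USES_RE = re.compile(r"uses:\s*['\"]?[\w.-]+/claude-code-action@([^\s'\"#]+)")
VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)$")
# src/href attributes whose host is polyfill.io or one of its subdomains.
POLYFILL_RE = re.compile(
    r"""(?:src|href)\s*=\s*["']?(?:https?:)?//((?:[\w-]+\.)*polyfill\.io)(?=[/"'\s>:?]|$)""",
    re.IGNORECASE)

# Constructed sample inputs; "example-org" and the hosts are placeholders.
SAMPLE_WORKFLOW = """\
jobs:
  triage:
    steps:
      - uses: example-org/claude-code-action@v1.0.93
      - uses: example-org/claude-code-action@v1.0.94
      - uses: example-org/claude-code-action@main
"""
SAMPLE_HTML = """\
<script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>
<script src="https://cdn.example.com/notpolyfill.io.js"></script>
<script src="//polyfill.io.example.net/x.js"></script>
"""

def audit_workflow(text):
    """Return (line_no, ref, verdict) for each claude-code-action reference."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        # Skip commented-out workflow lines.
        m = None if line.lstrip().startswith("#") else USES_RE.search(line)
        if m is None:
            continue
        v = VERSION_RE.match(m.group(1))
        if v is None:
            verdict = "unresolved"  # branch, major tag or commit SHA: resolve by hand
        else:
            verdict = "vulnerable" if tuple(map(int, v.groups())) < FIXED else "fixed"
        findings.append((no, m.group(1), verdict))
    return findings

def audit_html(text):
    """Return (line_no, host) for each src/href that points at polyfill.io."""
    return [(no, m.group(1).lower())
            for no, line in enumerate(text.splitlines(), 1)
            for m in POLYFILL_RE.finditer(line)]
```

Run `audit_workflow` over the contents of each file under `.github/workflows/` and `audit_html` over rendered templates or built pages; lookalike hosts such as `polyfill.io.example.net` and path-only matches are deliberately not reported.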

supply-chain infostealer cloud identity global