Technology / software supply chain — four concurrent worm/supply-chain threats in one week
Entities: IronWorm
Part of run 2026-W23-9118e7bd (weekly · Claude Sonnet 4.6)
Simultaneously active this week: Miasma npm credential collectors, IronWorm eBPF rootkit worm, two concurrent npm dependency confusion campaigns (Microsoft 45 packages + Sonatype 176 packages, daily 2026-06-01), the claude-code-action GitHub Actions flaw (arbitrary code execution from a single malicious issue, fixed in v1.0.94; daily 2026-06-05), and Polyfill.io domain reactivation surfacing native browser credential prompts on sites still loading the legacy CDN reference (daily 2026-06-07). The combined picture is a meaningful escalation of the npm/GitHub Actions attack surface: credential theft, kernel-rootkit persistence, and CI/CD pipeline compromise are now simultaneous, not sequential, threats in the software supply chain.