The PolySwarm Blog

Analyze suspicious files and URLs, at scale, millions of times per day. Get real-time threat intel from a crowdsourced network of security experts and antivirus companies competing to protect you.

Miasma Expands Software Supply Chain Attacks Through Compromised CI/CD Infrastructure

Jun 15, 2026 2:57:00 PM / by The Hivemind posted in Threat Bulletin, Supply Chain Attack, Mini Shai-Hulud, GitHub Actions, Miasma, npm, SLSA, Open Source Security, CI/CD Security


Verticals Targeted: Software Development
Regions Targeted: Global
Related Families: Miasma, Mini Shai-Hulud

Executive Summary

Miasma is a software supply chain malware campaign targeting developer ecosystems, CI/CD pipelines, GitHub repositories, and open-source package registries. Earlier this month, researchers identified a compromise affecting at least 32 packages and more than 90 malicious package versions published under the @redhat-cloud-services npm namespace. Collectively, the affected packages averaged approximately 80,000 weekly downloads. The campaign abused GitHub Actions OpenID Connect (OIDC) trusted publishing workflows to distribute malicious packages with valid provenance attestations, demonstrating how legitimate software supply chain trust mechanisms can be weaponized following compromise of upstream development infrastructure. Miasma harvests GitHub credentials, cloud identities, CI/CD secrets, SSH keys, and other sensitive developer assets that could facilitate compromise of additional repositories, software packages, and development environments. The campaign highlights the increasing sophistication of attacks targeting software development infrastructure rather than traditional end-user systems.


Inside TeamPCP’s Supply Chain Offensive

May 18, 2026 1:56:30 PM / by The Hivemind posted in Threat Bulletin, Supply Chain Attack, CI/CD compromise, TeamPCP, Software Supply Chain Security, npm poisoning, GitHub Actions compromise, PyPI malware, AI infrastructure security


Verticals Targeted: Technology, Artificial Intelligence, Cloud, Software Development
Regions Targeted: US, Europe, Global
Related Threat Actors: TeamPCP
Related Families: Mini Shai-Hulud

Executive Summary

A coordinated software supply chain campaign linked to TeamPCP has demonstrated how modern CI/CD ecosystems can be weaponized to distribute malicious code, harvest developer credentials, and potentially enable broader downstream compromise. Recent operations tied to the actor targeted trusted software distribution infrastructure across GitHub Actions, PyPI, Docker Hub, VS Code/OpenVSX, and npm ecosystems through poisoned packages, malicious workflows, and compromised release mechanisms.


DAEMON Tools Backdoor Enables Targeted Follow-On Malware Operations

May 11, 2026 3:03:25 PM / by The Hivemind posted in Threat Bulletin, Supply Chain Attack, PowerShell malware, Chinese threat actors, DAEMON Tools, QUIC RAT, Trojanized Installer, Software Supply Chain Security, Backdoor Malware


Verticals Targeted: Government, Scientific Research, Manufacturing, Retail, Education
Regions Targeted: Russia, Belarus, Thailand, Brazil, Turkey, Spain, Germany, France, Italy, China
Related Families: QUIC RAT

Executive Summary

A large-scale supply chain compromise involving the widely used DAEMON Tools software platform has exposed organizations and consumers to malicious payload deployment through digitally signed installers distributed from the vendor’s legitimate infrastructure. The attack, active since at least April 8, 2026, involved trojanized versions of DAEMON Tools containing embedded backdoors capable of downloading and executing additional malware. While thousands of infection attempts were observed globally, the operation appears selectively targeted, with advanced payloads deployed against a small subset of victims.


Airstalk Used in Supply Chain Attacks

Nov 7, 2025 12:58:20 PM / by The Hivemind posted in Threat Bulletin, Supply Chain Attack, PowerShell malware, Airstalk Malware, Browser Exfiltration, AirWatch API, MDM Abuse, Nation-State Actor, .NET Malware, CL-STA-1009


Verticals Targeted: Business Process Outsourcing (BPO)
Regions Targeted: Not Specified
Related Families: None

Executive Summary

Airstalk is a new Windows malware family deployed by a suspected nation-state actor in supply chain attacks, leveraging the AirWatch API for covert command-and-control (C2) to exfiltrate browser data. Available in PowerShell and .NET variants, the malware highlights evolving threats to third-party vendors.


Malicious Lolip0p PyPI Packages Drop Wacatac

Jan 27, 2023 2:58:20 PM / by The Hivemind posted in Threat Bulletin, PyPI, Supply Chain Attack, Lolip0p, Wacatac


Related Families: Wacatac

Executive Summary

Fortinet recently reported on a supply chain attack in which threat actors embedded a 0-day attack in three PyPI packages to deliver Wacatac.
