Severity: HIGH
CVSS: 7.5
Priority: 0.875
Executive Summary
Quantitative intelligence from 2025 confirms a structural shift in the attacker economy: AI-assisted tools have compressed the average exploit window from roughly 700 days in 2020 to 44 days in 2025, with nearly one-third of disclosed vulnerabilities now exploited within 24 hours. Simultaneously, malicious package injection into public software repositories has scaled to an estimated 454,600 uploads per year, enabling non-technical actors to execute supply chain attacks that previously required specialized expertise. For boards and CISOs, the operational implication is direct: speed and volume have outpaced conventional patch and review cycles, and the assumption that complexity filters out unsophisticated attackers no longer holds.
Plain & Simple
Here’s what you need to know. No jargon. Just the basics.
Are you affected?
Probably, if you use the Trust Wallet browser extension or have an account with Rakuten Mobile or Kaikatsu Club: your account or wallet details may have been exposed.
What got out
Suspected: account login details for Kaikatsu Club users
Suspected: cryptocurrency wallet keys for Trust Wallet Chrome extension users
Suspected: personal data held by Rakuten Mobile accounts
Do this now
1. Remove the Trust Wallet Chrome extension and reinstall only from the official Chrome Web Store.
2. Change your password on Kaikatsu Club and Rakuten Mobile right away.
3. Turn on two-step sign-in for any accounts that offer it.
Watch for these
Unexpected charges or transfers in your crypto wallet.
Sign-in alerts from places you do not recognize.
Emails asking you to confirm account changes you did not make.
Should you worry?
Most people will not be directly affected unless they use one of these specific apps or services. If you do use them, changing your password now is a simple step that removes most of the risk.
Impact Assessment
CISA KEV Status
Not listed
Threat Severity
HIGH
High severity — prioritize for investigation
Actor Attribution
HIGH
Unattributed non-technical actors (AI-assisted), Shai-Hulud campaign operators (npm ecosystem)
TTP Sophistication
HIGH
11 MITRE ATT&CK techniques identified
Detection Difficulty
HIGH
Multiple evasion techniques observed
Target Scope
INFO
npm ecosystem, PyPI, Chainguard Libraries, ChatGPT, Claude Code, Rakuten Mobile, Kaikatsu Club, Trust Wallet Chrome extension
Are You Exposed?
⚠ Your industry is targeted by Unattributed non-technical actors (AI-assisted), Shai-Hulud campaign operators (npm ecosystem) → Heightened risk
⚠ You use products/services from the npm ecosystem → Assess exposure
⚠ 11 attack techniques identified — review your detection coverage for these TTPs
✓ Your EDR/XDR detects the listed IOCs and TTPs → Reduced risk
✓ You have incident response procedures for this threat type → Prepared
Assessment estimated from severity rating and threat indicators
Business Context
The compression of exploit windows to 44 days — with nearly a third of vulnerabilities weaponized within 24 hours — means that organizations relying on monthly patch cycles are structurally exposed for weeks at a time, creating measurable windows of liability that regulators and cyber insurers are beginning to quantify. Supply chain attacks targeting npm and PyPI at the scale described (454,600 malicious packages annually) represent a systemic risk to any organization consuming open-source dependencies in production software, including financial services platforms like Trust Wallet and telecommunications providers like Rakuten Mobile. A single compromised transitive dependency can result in credential exfiltration, CI/CD pipeline compromise, or ransomware deployment (T1486), with downstream costs spanning breach notification, regulatory penalties, and erosion of customer trust across consumer and enterprise relationships.
You Are Affected If
Your engineering or DevOps teams consume npm or PyPI packages in production builds or CI/CD pipelines
Your organization uses AI coding assistants (ChatGPT, Claude Code, or equivalent) integrated into developer workflows without established package vetting policies
Your software supply chain includes dependencies on open-source libraries without enforced SBOM generation, lockfile pinning, or hash integrity verification
You operate in financial services, telecommunications, or consumer software verticals — the sectors represented by the named affected entities (Trust Wallet, Rakuten Mobile, Kaikatsu Club)
Your CI/CD environment stores API tokens, cryptographic keys, or cloud credentials as environment variables accessible to build scripts
Board Talking Points
Attackers now exploit newly disclosed software vulnerabilities within 24 hours in nearly a third of cases, meaning our patch timelines must shrink from weeks to days or we carry measurable, quantifiable exposure windows.
Recommend immediate investment in automated dependency integrity verification for our software build pipeline and a formal review of our mean-time-to-patch targets against current exploitation speed data, with a 60-day completion target.
Organizations that do not modernize patch velocity and supply chain controls in 2026 face a growing probability of credential theft or ransomware deployment through channels — compromised open-source packages — that most existing security programs were not designed to monitor.
PCI DSS v4.0 — Trust Wallet Chrome extension compromise and npm/PyPI credential harvesting directly implicate payment credential and cryptographic key exposure; Requirement 6 (secure systems development) and Requirement 12.3 (targeted risk analysis) apply to organizations in the payments and cryptocurrency verticals
DORA (EU Digital Operational Resilience Act) — Financial services entities subject to DORA operating on compromised open-source dependencies or affected by supply chain attacks against financial infrastructure (Trust Wallet, Kaikatsu Club) face ICT third-party risk management obligations under Articles 28-30
NIST SP 800-161r1 (Cybersecurity Supply Chain Risk Management) — directly applicable to any U.S. federal contractor or agency consuming npm/PyPI dependencies in software delivery; the CWEs and TTPs described map to documented C-SCRM failure modes
Technical Analysis
The 2025 threat landscape, as synthesized by Chainguard research and consistent with industry threat reporting, describes an inflection point driven by two intersecting forces: AI-accelerated exploitation and industrialized supply chain poisoning.
On the exploitation side, according to 2025 threat intelligence aggregates (confidence: directional, source tier T3), the median time-to-exploitation for newly disclosed CVEs has collapsed from approximately 700 days in 2020 to 44 days in 2025.
More critically, based on the same threat intelligence sources, 28.3% of CVEs are now exploited within 24 hours of public disclosure, a figure that effectively nullifies patch-before-exploitation windows for organizations without automated remediation pipelines.
AI-assisted coding tools appear to be the primary accelerant: they lower the skill floor for weaponizing disclosed vulnerabilities, enable rapid variant generation, and produce malware variants that reportedly evade traditional static analysis tooling by altering signatures at scale. The MITRE ATT&CK techniques mapped to this cluster reflect this reality: T1203 (exploitation for client execution), T1059 (command and scripting interpreter abuse), T1562.001 (impair defenses), and T1486 (data encrypted for impact) suggest a full kill chain from initial access through impact.
On the supply chain side, the npm and PyPI ecosystems are the primary battlegrounds. According to 2025 threat intelligence aggregates (confidence: directional, source tier T3), an estimated 454,600 malicious packages were uploaded to public repositories in 2025. Attack techniques observed across named campaigns include layered dependency confusion, where attackers nest malicious payloads inside transitive dependencies to evade shallow review, and backdoored GPT-proxy packages that present as AI utility libraries while silently relaying traffic to attacker infrastructure. According to Aikido's 2026 analysis of the GPT-proxy backdoor campaign, some variants specifically target Chinese LLM infrastructure endpoints. A separate campaign cluster focused on credential harvesting: packages designed to exfiltrate cryptographic keys, CI/CD pipeline secrets, and API tokens from developer environments, mapped to T1552.001 (credentials in files) and T1195.001/T1195.002 (supply chain compromise at the dependency and software levels).
The named affected entities (Rakuten Mobile, Kaikatsu Club, and the Trust Wallet Chrome extension) span telecommunications, consumer loyalty platforms, and cryptocurrency tooling, indicating broad targeting rather than sector-specific campaigns. The Shai-Hulud campaign, specifically attributed to npm ecosystem operations, represents a named threat cluster within this broader trend. The CWEs mapped to the threat cluster (CWE-1104, CWE-494, CWE-829, CWE-693) collectively describe the same root failure: organizations consuming third-party code without adequate integrity verification, provenance validation, or dependency auditing.
Confidence note: Quantitative figures cited (454,600 packages, 44-day exploit window, 28.3% 24-hour exploitation rate) derive from secondary aggregation sources rated T3. These figures are directionally credible and consistent with observed trends, but should be validated against NVD, CISA, or the Chainguard primary publication before use in formal risk reporting or board presentations.
Action Checklist (IR enriched)
Triage Priority: URGENT
Escalate immediately to the CISO and legal if the SBOM audit identifies a confirmed malicious package that was executed in a production build environment, if any CI/CD secrets (cloud provider keys, signing certificates, API tokens) were exposed to postinstall scripts from unverified packages, or if the Trust Wallet Chrome extension or any Rakuten/Kaikatsu Club-adjacent dependency is present in environments handling PII, PHI, or payment card data, which triggers breach notification obligations under GDPR, CCPA, or PCI DSS.
Step 1: Assess exposure. Audit your software bill of materials (SBOM) for direct and transitive dependencies on npm and PyPI packages; flag any packages introduced or updated in the past 90 days that lack verified publisher provenance.
IR Detail
Preparation
NIST 800-61r3 §2 — Preparation: establishing IR capability and asset visibility before an incident occurs
NIST SI-2 (Flaw Remediation)
NIST CM-8 (System Component Inventory)
CIS 1.1 (Establish and Maintain Detailed Enterprise Asset Inventory)
CIS 2.1 (Establish and Maintain a Software Inventory)
CIS 7.1 (Establish and Maintain a Vulnerability Management Process)
Compensating Control
Run 'npm audit --json > npm_audit.json' and 'pip-audit --output-format json > pip_audit.json' against each project. For SBOM generation without enterprise tooling, use Syft (free, Anchore): 'syft dir:. -o spdx-json > sbom.json'. Cross-reference package names and versions against the OSS Index (Sonatype) free API. Flag any package where the publisher account was created within the last 90 days or where the package name closely resembles a known internal package (dependency confusion indicator) using a simple Python diff script against your internal package registry list.
Preserve Evidence
Before auditing, snapshot current state to establish a forensic baseline: capture 'pip freeze > pip_freeze_baseline.txt' and 'npm list --all --json > npm_tree_baseline.json' from each build environment. Preserve CI/CD pipeline logs showing when each dependency version was first introduced — specifically npm/PyPI install logs with timestamps from the past 90 days. For PyPI, check ~/.cache/pip/ and for npm check node_modules/.package-lock.json for install timestamps that may reveal when a malicious package update was pulled. If using GitHub Actions, preserve .github/workflows/ YAML files and the Actions run logs from the same 90-day window.
Step 2: Review controls. Verify that your CI/CD pipeline enforces dependency integrity checks (lockfile pinning, hash verification, package signing via Sigstore or equivalent); confirm that secrets scanning tools cover CI/CD environment variables, not just source code.
IR Detail
Preparation
NIST 800-61r3 §2 — Preparation: implementing preventive controls and hardening the environment to reduce IR burden
NIST SI-7 (Software, Firmware, and Information Integrity)
NIST SA-12 (Supply Chain Protection)
NIST CM-3 (Configuration Change Control)
CIS 4.6 (Securely Manage Enterprise Assets and Software)
CIS 7.4 (Perform Automated Application Patch Management)
Compensating Control
Enforce lockfile integrity with 'npm ci' (not 'npm install') in all pipeline stages — 'npm ci' fails if package-lock.json is missing or mismatched, blocking silent dependency substitution. For PyPI, use 'pip install --require-hashes -r requirements.txt' with hashes pre-computed via 'pip-compile --generate-hashes'. Integrate Sigstore cosign (free) for verifying signed package artifacts: 'cosign verify-blob --certificate <cert> --signature <sig> <artifact>'. For secrets scanning covering CI/CD environment variables, deploy Gitleaks (free) with a pre-commit hook and add a pipeline stage running 'gitleaks detect --source . --report-format json'. Trufflehog (free) can scan GitHub Actions secrets exposure: 'trufflehog github --repo <url>'.
Preserve Evidence
Before modifying pipeline configuration, preserve the current state of all CI/CD pipeline definition files (e.g., .github/workflows/*.yml, .gitlab-ci.yml, Jenkinsfile, .circleci/config.yml) with 'git log --all --full-history -- .github/workflows/ > pipeline_git_history.txt'. Capture the current package-lock.json and requirements.txt with their git commit hashes. For the Shai-Hulud campaign specifically, examine CI/CD environment variable stores for any recently added variables containing base64-encoded strings, webhook URLs, or cloud provider credentials — these are the exfiltration artifacts malicious packages in this campaign inject into the build environment via postinstall scripts.
Step 3: Update the threat model. Incorporate the Shai-Hulud campaign TTP cluster and AI-assisted exploitation acceleration into your threat register; update mean-time-to-patch targets to reflect a 44-day (or sub-24-hour for critical CVEs) exploitation window rather than legacy assumptions.
IR Detail
Preparation
NIST 800-61r3 §2 — Preparation: updating IR policies, playbooks, and threat intelligence to reflect current adversary capability
NIST RA-3 (Risk Assessment)
NIST SI-5 (Security Alerts, Advisories, and Directives)
NIST IR-8 (Incident Response Plan)
CIS 7.1 (Establish and Maintain a Vulnerability Management Process)
CIS 7.2 (Establish and Maintain a Remediation Process)
Compensating Control
Document the Shai-Hulud TTP cluster against the MITRE ATT&CK Supply Chain Compromise technique (T1195) and its sub-technique Compromise Software Dependencies and Development Tools (T1195.001). Map AI-assisted exploit acceleration to T1588.006 (Obtain Capabilities: Vulnerabilities) and T1190 (Exploit Public-Facing Application) with the updated 44-day window as a threat register parameter. Use the free MITRE ATT&CK Navigator (https://mitre-attack.github.io/attack-navigator/) to create a layer file documenting these TTPs. Update your SLA policy document to define 'critical' patches as requiring deployment within 24 hours for any CVE appearing in CISA KEV, and 14 days for High severity CVEs given the compressed 44-day mean exploitation window.
Preserve Evidence
Before finalizing the updated threat model, gather quantitative baseline evidence from your environment: pull the last 12 months of patch deployment timestamps from your patch management system to document your actual current mean-time-to-patch. Query your dependency update history to determine how many npm/PyPI package updates occurred without human review. If you have proxy or DNS logs, search for any historical connections to known Shai-Hulud campaign infrastructure — the campaign has been associated with exfiltration over DNS and HTTPS to attacker-controlled domains registered to mimic legitimate package registry infrastructure. This baseline documents your current exposure gap against the 44-day exploitation window.
Step 4: Communicate findings. Brief development leads and platform engineering on the layered dependency confusion technique; brief leadership on the business risk of an industrialized supply chain attack volume that has outpaced manual review capacity.
IR Detail
Detection & Analysis
NIST 800-61r3 §3.2 — Detection and Analysis: communicating incident scope, impact, and analysis findings to appropriate stakeholders
NIST IR-4 (Incident Handling)
NIST IR-6 (Incident Reporting)
NIST AU-6 (Audit Record Review, Analysis, and Reporting)
CIS 7.1 (Establish and Maintain a Vulnerability Management Process)
Compensating Control
Prepare a one-page technical brief for development leads that includes: (1) a concrete example of dependency confusion using the npm/PyPI naming pattern this campaign exploits — an attacker registers 'company-internal-utils' on public PyPI after discovering the name from a leaked requirements.txt, and 'pip install' resolves the public malicious version over the internal one if registry priority is misconfigured; (2) a live demonstration using 'pip install --dry-run' showing which registry wins under current configuration. For leadership, translate the 454,600 malicious package/year figure into a per-week rate (approximately 8,742/week) to contextualize why manual review is structurally insufficient and quantify the business risk in terms of a potential software supply chain incident like the 2020 SolarWinds event.
Preserve Evidence
Collect evidence to support the brief: generate a dependency confusion risk report by diffing your internal package registry namespace against public npm and PyPI namespaces using a script querying the public registry APIs. Document any namespace collisions found — these are direct evidence of existing exposure to the layered dependency confusion vector used in the Shai-Hulud campaign. Preserve this report as a timestamped artifact for the communication record and for any subsequent regulatory or audit requirements under NIST IR-6 (Incident Reporting).
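The internal-versus-public namespace diff that Step 1 (the "dependency confusion indicator" script) and Step 4 (the namespace collision report) both call for, as an added example that is not code from the page, Chainguard, or any named vendor. It assumes two constructed inputs: INTERNAL_PACKAGES stands in for your private registry listing and PUBLIC_SNAPSHOT for names you would fetch from the public npm and PyPI APIs, so it runs offline; it reports exact collisions and near-name look-alikes.

```python
"""Dependency-confusion and look-alike name check for an internal package list.

Added example, not from the page or any named vendor. Both inputs are
constructed; in practice PUBLIC_SNAPSHOT is built by querying the public
registry APIs for each internal name and its close variants.
"""
import difflib
import re

# Constructed sample: names published to the internal registry.
INTERNAL_PACKAGES = [
    "company-internal-utils",
    "Company_Billing.Client",
    "acme-auth-sdk",
    "acme-telemetry",
]

# Constructed sample: names observed on the public registries.
PUBLIC_SNAPSHOT = {
    "npm": ["lodash", "company-internal-utils", "acme-auth-sdk2", "express"],
    "pypi": ["requests", "company-billing-client", "acme-telemetry-py", "acrne-telemetry"],
}


def normalize(name: str) -> str:
    """Normalize like PEP 503: lowercase, collapse runs of '-', '_' and '.' to '-'.
    A scoped npm name ('@acme/auth-sdk') is reduced to its bare name so it can
    be compared against an unscoped internal name."""
    bare = name.rsplit("/", 1)[-1] if name.startswith("@") else name
    return re.sub(r"[-_.]+", "-", bare).lower()


def similarity(a: str, b: str) -> float:
    """Ratio in [0, 1] from difflib; 1.0 means identical strings."""
    return difflib.SequenceMatcher(None, a, b).ratio()


def find_confusion_candidates(internal, public_snapshot, threshold=0.85):
    """Return findings sorted by score.

    kind == "collision": the exact normalized internal name exists publicly
        (classic dependency confusion: a misconfigured resolver may prefer it).
    kind == "lookalike": a public name is within `threshold` similarity of an
        internal one (typosquat / nested-dependency confusion indicator).
    """
    findings = []
    internal_norm = {normalize(n): n for n in internal}
    for registry, names in public_snapshot.items():
        for pub in names:
            pub_norm = normalize(pub)
            if pub_norm in internal_norm:
                findings.append({"registry": registry, "public": pub,
                                 "internal": internal_norm[pub_norm],
                                 "kind": "collision", "score": 1.0})
                continue
            for int_norm, int_name in internal_norm.items():
                score = similarity(pub_norm, int_norm)
                if score >= threshold:
                    findings.append({"registry": registry, "public": pub,
                                     "internal": int_name, "kind": "lookalike",
                                     "score": round(score, 2)})
    return sorted(findings, key=lambda f: (-f["score"], f["registry"], f["public"]))


if __name__ == "__main__":
    for f in find_confusion_candidates(INTERNAL_PACKAGES, PUBLIC_SNAPSHOT):
        print(f'{f["kind"]:9} {f["registry"]:5} {f["public"]:26} ~ {f["internal"]} ({f["score"]})')
```

Collisions are the direct evidence the Step 4 report asks for; look-alikes need a human check against the transitive tree before they go into the brief.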
Step 5: Monitor developments. Track Chainguard's Unchained blog (https://www.chainguard.dev/unchained) for follow-up package disclosures and supply chain threat trend updates; monitor CISA's Known Exploited Vulnerabilities catalog for CVEs entering the 24-hour exploitation cohort relevant to your asset inventory.
IR Detail
Detection & Analysis
NIST 800-61r3 §3.2 — Detection and Analysis: continuous monitoring, threat intelligence integration, and adverse event correlation
NIST SI-4 (System Monitoring)
NIST SI-5 (Security Alerts, Advisories, and Directives)
NIST AU-6 (Audit Record Review, Analysis, and Reporting)
CIS 8.2 (Collect Audit Logs)
CIS 7.1 (Establish and Maintain a Vulnerability Management Process)
Compensating Control
Automate CISA KEV monitoring with a free cron job pulling the KEV JSON feed ('curl https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json') and diffing against yesterday's snapshot, then alerting via email or Slack webhook when new CVEs appear that match packages in your SBOM. For Chainguard Unchained and new malicious package disclosures, configure an RSS feed aggregator (FreshRSS, free self-hosted) to consolidate Chainguard, CISA, and OSS security advisory feeds. Implement osquery on build servers with a scheduled query over installed packages: 'SELECT name, version, install_time FROM rpm_packages' on RPM-based hosts, or 'SELECT name, version FROM deb_packages' on Debian-based hosts (the deb_packages table carries no install timestamp, so timing comes from diffing successive snapshots), scheduled every 15 minutes, with results shipped to a central log file for daily diff review by the 2-person team.
Preserve Evidence
Establish detection baselines before new package disclosures occur: snapshot current npm and PyPI package versions in all production and CI/CD environments and store with SHA-256 hashes. For the Trust Wallet Chrome extension compromise referenced in this campaign, if your organization uses browser extensions in managed environments, export the current extension inventory from Chrome policy logs or via 'chrome://extensions' export and preserve it. Monitor outbound DNS queries from build servers for any newly observed domains — malicious packages in this campaign category frequently beacon on first install via postinstall scripts, producing DNS queries to attacker-controlled infrastructure that would appear as first-seen domains in DNS logs.
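An added example (not the page's or CISA's code) of the KEV diff-and-match logic in the Step 5 compensating control: it compares two KEV feed snapshots, reports newly added entries, and flags those whose vendor/product text covers a package name in an SPDX JSON SBOM as Syft emits. It assumes the real KEV layout ("vulnerabilities" list with cveID, vendorProject, product, dateAdded) and the SPDX "packages" list; the feed and SBOM contents are constructed samples with placeholder CVE IDs, and fetching the live feed is left to the cron job described above.

```python
"""CISA KEV snapshot diff matched against an SPDX SBOM.

Added example, not code from the page or from CISA. Inputs are constructed;
the CVE IDs are placeholders, not real catalog entries.
"""
import json
import re

# Constructed: yesterday's saved KEV snapshot (only the fields this script uses).
KEV_YESTERDAY = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor",
     "product": "Example Server", "dateAdded": "2025-01-01"},
]})

# Constructed: today's feed with two newly added entries.
KEV_TODAY = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor",
     "product": "Example Server", "dateAdded": "2025-01-01"},
    {"cveID": "CVE-0000-00002", "vendorProject": "Acme",
     "product": "Widget Parser", "dateAdded": "2025-01-02"},
    {"cveID": "CVE-0000-00003", "vendorProject": "OtherCo",
     "product": "Unrelated Appliance", "dateAdded": "2025-01-02"},
]})

# Constructed SPDX fragment: the two package fields this script reads.
SBOM_SPDX = json.dumps({"spdxVersion": "SPDX-2.3", "packages": [
    {"name": "widget-parser", "versionInfo": "1.4.2"},
    {"name": "lodash", "versionInfo": "4.17.21"},
]})


def _tokens(text: str) -> set:
    """Lower-case alphanumeric tokens: 'Widget Parser' -> {'widget', 'parser'}."""
    return set(re.findall(r"[a-z0-9]+", text.lower()))


def new_kev_entries(yesterday_json: str, today_json: str) -> list:
    """KEV entries present today whose cveID was absent from yesterday's snapshot."""
    seen = {v["cveID"] for v in json.loads(yesterday_json)["vulnerabilities"]}
    return [v for v in json.loads(today_json)["vulnerabilities"] if v["cveID"] not in seen]


def match_kev_to_sbom(entries: list, sbom_json: str) -> list:
    """Match KEV vendor/product text against SBOM package names.

    KEV carries no package version, so a hit means "this component is named in
    an actively exploited entry"; version applicability must then be checked
    against the NVD record. Every token of the package name must appear in the
    KEV vendorProject + product text, which keeps short names such as 'lodash'
    from matching unrelated products by a single shared word."""
    packages = [(p["name"], p.get("versionInfo", "")) for p in json.loads(sbom_json)["packages"]]
    hits = []
    for v in entries:
        kev_tokens = _tokens(f'{v["vendorProject"]} {v["product"]}')
        for name, version in packages:
            name_tokens = _tokens(name)
            if name_tokens and name_tokens <= kev_tokens:
                hits.append({"cveID": v["cveID"], "package": name, "version": version,
                             "product": v["product"], "dateAdded": v["dateAdded"]})
    return hits


def alert_lines(hits: list) -> list:
    """Human-readable lines for the email/Slack webhook step of the cron job."""
    return [f'{h["cveID"]} added {h["dateAdded"]}: "{h["product"]}" matches SBOM package '
            f'{h["package"]}@{h["version"]}; confirm affected versions, then start the 24h patch SLA'
            for h in hits]


if __name__ == "__main__":
    for line in alert_lines(match_kev_to_sbom(new_kev_entries(KEV_YESTERDAY, KEV_TODAY), SBOM_SPDX)):
        print(line)
```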
Recovery Guidance
Post-containment, rotate all secrets (API keys, cloud credentials, signing certificates, webhook tokens) that were present as environment variables in any CI/CD pipeline that executed an unverified or flagged package, treating them as fully compromised regardless of whether exfiltration is confirmed — the Shai-Hulud campaign's postinstall script vector means exposure is simultaneous with install. Re-pin all dependencies to verified hashes, rebuild all production artifacts from a clean pipeline with the hardened controls from Step 2 in place, and verify artifact integrity using Sigstore or equivalent before re-deployment. Maintain enhanced monitoring of outbound DNS and HTTPS from build infrastructure and production systems for 30 days post-remediation, specifically watching for beaconing patterns (regular-interval connections to recently-registered domains) consistent with delayed-activation malicious package payloads.
Key Forensic Artifacts
npm postinstall script execution logs: check npm debug log at ~/.npm/_logs/*.log and CI/CD stdout for any 'postinstall' script execution events tied to packages flagged in the SBOM audit — malicious packages in this campaign category embed credential harvesting code in package.json 'scripts.postinstall' that executes automatically on 'npm install'
PyPI package cache and install receipts: examine ~/.cache/pip/wheels/ and site-packages/<package>.dist-info/RECORD files for packages installed from unexpected indexes; cross-reference install timestamps in RECORD files against your CI/CD pipeline run timestamps to identify packages pulled during suspicious build windows
CI/CD environment variable access logs: in GitHub Actions, retrieve the workflow run logs from the Actions tab for any job that ran 'npm install' or 'pip install' without hash verification — look for unexpected outbound HTTP requests in the runner network logs, which would indicate a postinstall script attempting to exfiltrate secrets to attacker-controlled infrastructure
DNS query logs from build servers and developer workstations: query DNS resolver logs or firewall DNS logs for first-seen domain lookups occurring within seconds of a package install event — the Shai-Hulud campaign and similar supply chain attacks use postinstall beaconing to confirm successful compromise, producing anomalous first-seen FQDN queries from build infrastructure
Chrome extension storage and network activity for Trust Wallet extension: if the Trust Wallet Chrome extension (or any flagged browser extension) is deployed in managed environments, capture the extension's IndexedDB storage at chrome://extensions > developer mode > inspect views, and review Chrome's net-internals logs (chrome://net-internals/#events) for any anomalous WebSocket or HTTPS connections to non-official Trust Wallet infrastructure that would indicate the compromised extension version was present
Detection Guidance
Detection for this threat cluster requires coverage across three layers: repository ingestion, runtime behavior, and credential telemetry.
At the repository and build layer: alert on new or updated dependencies not present in your lockfile baseline; flag packages with names closely resembling internal or popular public packages (typosquatting pattern matching); detect packages that make outbound network connections during installation or post-install script execution, since this is anomalous behavior for legitimate libraries.
Chainguard's 2026 supply chain threat analysis specifically implicates packages that establish persistent relay connections; network flow logs from build agents are the primary detection surface.
At the runtime and process layer: hunt for scripting interpreter invocations (T1059) originating from dependency installation directories or package manager processes; look for file system enumeration (T1083) by processes that should have no legitimate reason to traverse home directories, .ssh folders, or CI/CD credential stores. Monitor for defense impairment signals, specifically any process disabling or modifying endpoint agent configuration (T1562.001).
At the credential and secrets layer: audit CI/CD secret stores for access patterns inconsistent with pipeline execution schedules; deploy secrets scanning on all repository commits and pull requests; monitor for API token usage from geographic locations or IP ranges inconsistent with your developer base, because exfiltrated tokens will be used from attacker infrastructure, not developer endpoints.
For the GPT-proxy backdoor class specifically: inspect outbound DNS and TLS connections from build and development environments for resolutions to attacker-controlled infrastructure endpoints. Legitimate AI API calls from developer tools should resolve to known provider endpoints (OpenAI, Anthropic, etc.); unexpected resolutions warrant immediate investigation.
Hunting hypothesis: developer workstations or CI runners generating outbound connections to unfamiliar LLM API endpoints within 48 hours of a dependency update event.
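One way to implement the repository-layer alert above (dependencies not in the lockfile baseline, with the postinstall angle from the forensic artifacts section), as an added example that is not from the page: it diffs a baseline package-lock.json (lockfileVersion 3) against the current one and flags added packages, version drift, an integrity change at an unchanged version, packages carrying npm's hasInstallScript marker, and tarballs resolved from a host outside an allow-list. ALLOWED_REGISTRY_HOSTS and both lockfiles are constructed assumptions.

```python
"""Lockfile drift check: baseline package-lock.json versus current.

Added example, not from the page. Assumes the npm lockfileVersion 3 layout:
{"packages": {"node_modules/<name>": {"version", "resolved", "integrity",
"hasInstallScript"}}}. Both lockfiles and the host allow-list are constructed.
"""
import json
from urllib.parse import urlparse

# Assumption: the only host your pipeline should pull tarballs from.
ALLOWED_REGISTRY_HOSTS = {"registry.npmjs.org"}

# Constructed baseline (the snapshot captured before the audit window).
BASELINE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "example-app", "version": "1.0.0"},
    "node_modules/lodash": {"version": "4.17.21",
        "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
        "integrity": "sha512-CONSTRUCTED-A"},
    "node_modules/left-pad": {"version": "1.3.0",
        "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
        "integrity": "sha512-CONSTRUCTED-B"},
}})

# Constructed current lockfile: one integrity swap at the same version, one new
# package with an install script, one package pulled from an unexpected host.
CURRENT_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "example-app", "version": "1.0.0"},
    "node_modules/lodash": {"version": "4.17.21",
        "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
        "integrity": "sha512-CONSTRUCTED-A"},
    "node_modules/left-pad": {"version": "1.3.0",
        "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
        "integrity": "sha512-CONSTRUCTED-C"},
    "node_modules/constructed-ai-proxy-util": {"version": "0.0.3",
        "resolved": "https://registry.npmjs.org/constructed-ai-proxy-util/-/constructed-ai-proxy-util-0.0.3.tgz",
        "integrity": "sha512-CONSTRUCTED-D", "hasInstallScript": True},
    "node_modules/acme-utils": {"version": "2.0.0",
        "resolved": "https://mirror.example.invalid/acme-utils/-/acme-utils-2.0.0.tgz",
        "integrity": "sha512-CONSTRUCTED-E"},
}})


def package_name(path: str) -> str:
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (the innermost package)."""
    return path.rsplit("node_modules/", 1)[-1]


def diff_lockfiles(baseline_json: str, current_json: str, allowed_hosts) -> list:
    """Return findings as {package, reason, detail}; an empty list means no drift."""
    base = json.loads(baseline_json).get("packages", {})
    cur = json.loads(current_json).get("packages", {})
    findings = []

    def add(path, reason, detail=""):
        findings.append({"package": package_name(path), "reason": reason, "detail": detail})

    for path, meta in cur.items():
        if path == "":  # root project entry, not a dependency
            continue
        old = base.get(path)
        changed = False
        if old is None:
            add(path, "added", meta.get("version", ""))
            changed = True
        elif old.get("version") != meta.get("version"):
            add(path, "version-changed", f'{old.get("version")} -> {meta.get("version")}')
            changed = True
        elif old.get("integrity") != meta.get("integrity"):
            # Same version, different tarball hash: the artifact behind a pinned
            # version was replaced. Treat as the highest-priority finding.
            add(path, "integrity-changed-same-version", meta.get("version", ""))
            changed = True
        if changed and meta.get("hasInstallScript"):
            # New or changed code that npm runs automatically on install.
            add(path, "install-script", "hasInstallScript=true")
        host = urlparse(meta.get("resolved", "")).hostname or ""
        if meta.get("resolved") and host not in allowed_hosts:
            add(path, "unexpected-registry-host", host)
    for path in base:
        if path and path not in cur:
            add(path, "removed", base[path].get("version", ""))
    return findings


if __name__ == "__main__":
    for f in diff_lockfiles(BASELINE_LOCK, CURRENT_LOCK, ALLOWED_REGISTRY_HOSTS):
        print(f'{f["reason"]:32} {f["package"]:28} {f["detail"]}')
```

Run it in the pipeline stage right before 'npm ci' and fail the build on any "integrity-changed-same-version", "install-script" or "unexpected-registry-host" finding until a human has reviewed it.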
Indicators of Compromise (3)
Type: TOOL
Value: Pending — refer to Chainguard Unchained (2026-the-year-of-ai-assisted-attacks) for published package names and hashes
Enrichment Context: Malicious npm and PyPI package names, SHA hashes, and associated publisher accounts identified in Chainguard research; specific values not present in aggregated source text provided
Confidence: LOW

Type: TOOL
Value: Pending — refer to Aikido Security blog post (gpt-proxy-backdoor-npm-pypi-chinese-llm-relay) for published indicators
Enrichment Context: GPT-proxy backdoor packages: package names, registry identifiers, and C2/relay endpoint domains published by Aikido Security; specific values not present in aggregated source text provided
Confidence: LOW

Type: TOOL
Value: Pending — refer to The Hacker News (2026/02/malicious-npm-packages-harvest-crypto) for published indicators
Enrichment Context: Package names and associated payload hashes for npm packages harvesting cryptographic keys, CI/CD secrets, and API tokens; specific values not present in aggregated source text provided
Confidence: LOW
Platform Playbooks
Microsoft Sentinel / Defender
IOC Detection Queries (3)
All three IOC entries are still pending published values, so the three generated queries differed only in the placeholder text they searched for. They are shown here as a single template: substitute each package name (or hash) from the Chainguard, Aikido, or The Hacker News publications named in the IOC table once it is available, and run one copy per indicator.
KQL Query Preview
Read-only — detection query only
// Threat: AI-Assisted Attacks Collapse Exploit Windows and Scale Supply Chain Threats: 202
// Indicator: <PACKAGE_NAME> is a placeholder; no published package names or hashes were present in the aggregated source text
// Matches package-manager invocations that reference the package (e.g. "npm install <PACKAGE_NAME>", "pip install <PACKAGE_NAME>")
DeviceProcessEvents
| where Timestamp > ago(30d)
| where ProcessCommandLine has "<PACKAGE_NAME>"
    or InitiatingProcessCommandLine has "<PACKAGE_NAME>"
| project Timestamp, DeviceName, FileName, FolderPath,
    ProcessCommandLine, AccountName, AccountDomain,
    InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
MITRE ATT&CK Hunting Queries (5)
Sentinel rule: Sign-ins from unusual locations
SigninLogs
| where TimeGenerated > ago(7d)
| where ResultType == 0
| summarize Locations = make_set(Location), LoginCount = count(), DistinctIPs = dcount(IPAddress) by UserPrincipalName
| where array_length(Locations) > 3 or DistinctIPs > 5
| sort by DistinctIPs desc
Sentinel rule: Security tool tampering
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine has_any (
"Set-MpPreference", "DisableRealtimeMonitoring",
"net stop", "sc stop", "sc delete", "taskkill /f",
"Add-MpPreference -ExclusionPath"
)
| where ProcessCommandLine has_any ("defender", "sense", "security", "antivirus", "firewall", "crowdstrike", "sentinel")
| project Timestamp, DeviceName, ProcessCommandLine, AccountName, InitiatingProcessFileName
| sort by Timestamp desc
Sentinel rule: Phishing email delivery
EmailEvents
| where Timestamp > ago(7d)
| where ThreatTypes has "Phish" or DetectionMethods has "Phish"
| summarize Attachments = make_set(AttachmentCount), Urls = make_set(UrlCount) by NetworkMessageId, Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, DeliveryAction, DeliveryLocation, ThreatTypes
| sort by Timestamp desc
Sentinel rule: Suspicious PowerShell command line
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")
| where ProcessCommandLine has_any ("-enc", "-nop", "bypass", "hidden", "downloadstring", "invoke-expression", "iex", "frombase64", "new-object net.webclient")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName, InitiatingProcessFileName
| sort by Timestamp desc
Sentinel rule: Ransomware activity
DeviceFileEvents
| where Timestamp > ago(7d)
| where ActionType == "FileRenamed"
// KQL has no endswith_any operator; match the renamed extension with a regex instead
| where FileName matches regex @"(?i)\.(encrypted|locked|crypto|crypt|enc|ransom)$"
| summarize RenamedFiles = count() by DeviceName, InitiatingProcessFileName, bin(Timestamp, 5m)
| where RenamedFiles > 20
| sort by RenamedFiles desc
No actionable IOCs for CrowdStrike import (benign/contextual indicators excluded).
No hard IOCs available for AWS detection queries (contextual/benign indicators excluded).
Compliance Framework Mappings
MITRE ATT&CK: T1657, T1552.001, T1078, T1195.001, T1554, T1083 (+5 more; full list under MITRE ATT&CK Mapping below)
NIST SP 800-53: AC-2, AC-6, IA-2, IA-5, CM-7, SA-9 (+15 further controls not shown in the source)
MITRE ATT&CK Mapping
T1657: Financial Theft (impact)
T1552.001: Credentials In Files (credential-access)
T1078: Valid Accounts (defense-evasion)
T1195.001: Compromise Software Dependencies and Development Tools (initial-access)
T1554: Compromise Host Software Binary (persistence)
T1083: File and Directory Discovery (discovery)
T1195.002: Compromise Software Supply Chain (initial-access)
T1562.001: Disable or Modify Tools (defense-evasion)
T1566: Phishing (initial-access)
T1059: Command and Scripting Interpreter (execution)
T1486: Data Encrypted for Impact (impact)
Guidance Disclaimer
The analysis, framework mappings, and incident response recommendations in this intelligence item are derived from established industry standards including NIST SP 800-61, NIST SP 800-53, CIS Controls v8, MITRE ATT&CK, and other recognized frameworks. This content is provided as supplemental intelligence guidance only and does not constitute professional incident response services. Organizations should adapt all recommendations to their specific environment, risk tolerance, and regulatory requirements. This material is not a substitute for your organization's official incident response plan, legal counsel, or qualified security practitioners.