Featured · 2026-06-08

Four Payloads in One `npm install`: The `coindefi2026` Campaign.

Three malicious npm packages delivering a socket.io RAT with PTY shell, screen capture, and remote control, plus a browser credential stealer targeting Chrome, Brave, and 28 crypto wallet extensions.

15 min read· read →

Recent posts

2026-06-08 Four Payloads in One `npm install`: The `coindefi2026` Campaign 15 min 2026-05-22 ClickFix Edition 2: Ten Seconds of Forensic Evidence 14 min 2026-05-12 ClickFix on macOS: What Apple Events Tells You (and What It Doesn't Anymore) 12 min 2026-05-05 The 12-Minute Help Desk: Tracking the SNOW Suite 8 min