Palo Alto firewall RCE, Canvas LMS data breach affecting 275 million users, and a nine-year Linux kernel privilege escalation bug.
A few patterns are becoming hard to ignore this week. Supply chains are being quietly poisoned, core tools are turning into attack surfaces, and defensive controls are getting switched off like someone forgot to pay the electricity bill.
Same story, just sharper execution.
Over 1,700 libraries across NPM, PyPI, Go, and Rust have been compromised by North Korean state-backed actors. These aren’t obviously malicious packages either. They’re disguised as everyday developer tools like loggers, which makes them easy to miss and even easier to trust.
This campaign, known as Contagious Interview, is designed to extract SSH keys, cloud credentials, and crypto wallets directly from developer environments and CI/CD pipelines. So once it lands, it doesn’t just stay local. It spreads.
The uncomfortable part is how normal all of this looks on the surface.
What to do:
Start auditing your package dependencies properly, not just when something breaks. Enforce dependency pinning so versions don’t drift into something hostile. Block packages that attempt outbound communication post-install. If something “phones home” unexpectedly, assume it’s not doing it out of kindness.
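To make the "audit properly" and "pin your versions" advice concrete, here is an added example (written for this digest, not code from the original post or from any registry or vendor) that scans an npm package.json and a pip requirements.txt for two things: version specifiers that can drift, and install-time lifecycle hooks that look like they reach the network or evaluate code. The two manifests are constructed samples, and the indicator regexes are an assumed starting heuristic rather than an exhaustive list.

```python
"""Dependency hygiene checks for an npm package.json and a pip requirements.txt:
flag version specifiers that can drift and install-time lifecycle scripts that
look like they reach the network or execute code.

Added example for this digest, not code from the original post or from any
registry or vendor. The two manifests below are constructed samples, and the
indicator regexes are an assumed starting heuristic, not an exhaustive list."""
import json
import re

# npm lifecycle hooks that run automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Assumed indicators of an install script phoning home or evaluating code.
NETWORK_EXEC_PATTERNS = [
    r"\bcurl\b", r"\bwget\b", r"https?://", r"\bnode\s+-e\b",
    r"\bpowershell\b", r"\bbash\s+-c\b", r"\beval\(", r"\bnc\b",
]

# npm specifiers that are anything other than an exact version.
UNPINNED_NPM = re.compile(r"^(\^|~|>=?|<=?|\*|latest|x$|\d+\.x)")
# requirements.txt line: name, then an optional version spec, then a comment.
PIP_LINE = re.compile(r"^\s*([A-Za-z0-9_.\-\[\]]+)\s*(.*?)\s*(#.*)?$")


def audit_package_json(manifest):
    """Return (kind, subject, detail) findings for a parsed package.json."""
    findings = []
    scripts = manifest.get("scripts", {})
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        if any(re.search(p, cmd) for p in NETWORK_EXEC_PATTERNS):
            findings.append(("install_script_network_or_exec", hook, cmd))
        else:
            # Any install hook deserves a look, even without obvious indicators.
            findings.append(("install_script_present", hook, cmd))
    for section in ("dependencies", "devDependencies"):
        for name, spec in manifest.get(section, {}).items():
            if UNPINNED_NPM.match(spec.strip()):
                findings.append(("unpinned", name, spec))
    return findings


def audit_requirements(text):
    """Return (name, spec) pairs from a requirements.txt not pinned with '=='."""
    unpinned = []
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, comments and option lines such as '-r other.txt'.
        if not line or line.startswith(("#", "-")):
            continue
        match = PIP_LINE.match(line)
        if not match:
            continue
        name, spec = match.group(1), match.group(2)
        if not spec.startswith("=="):
            unpinned.append((name, spec))
    return unpinned


# Constructed sample manifests (not real packages).
SAMPLE_PACKAGE_JSON = json.loads("""{
  "name": "example-app",
  "scripts": {
    "postinstall": "node -e \\"require('https').get('https://example.invalid/i')\\"",
    "test": "jest"
  },
  "dependencies": {"left-pad": "1.3.0", "some-logger": "^2.1.0"},
  "devDependencies": {"jest": "latest"}
}""")

SAMPLE_REQUIREMENTS = """
# constructed sample
requests==2.31.0
flask>=2.0      # drifts on every install
colorlog
-r other.txt
"""

if __name__ == "__main__":
    for kind, subject, detail in audit_package_json(SAMPLE_PACKAGE_JSON):
        print("package.json: %-32s %s -> %s" % (kind, subject, detail))
    for name, spec in audit_requirements(SAMPLE_REQUIREMENTS):
        print("requirements.txt: %s is unpinned (%r)" % (name, spec))
```

A static scan like this is a first pass, not the control itself: run it in CI against every manifest change, fail the build on `install_script_network_or_exec` and on unpinned entries, and pair it with an egress-denied install sandbox so a hook that does phone home has nowhere to go. Lockfiles (package-lock.json, requirements hashes) are what actually hold a pin in place; this check catches the manifests that never had one.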
Another Chrome zero-day has been exploited in the wild. That makes four this year, which is not a statistic you frame and hang on the wall.
Attackers were already using it before it was publicly known, which means the usual delay between “patch available” and “patch applied” is doing real damage here.
Browsers are still treated like harmless tools when they’re effectively one of the most exposed pieces of infrastructure in any organisation.
What to do:
Unpatched browsers shouldn’t be allowed anywhere near the internet. Treat Chrome like critical infrastructure, because it is. Enforce auto-updates across your environment and actually verify compliance instead of assuming it’s working.
Qilin is back with something particularly useful for attackers and deeply inconvenient for everyone else. They’ve developed a driver-based technique that disables EDR solutions. Over 300 have reportedly been impacted.
Once that protection is gone, attackers can move freely while your monitoring tools sit there, blissfully unaware. If your entire detection strategy depends on EDR alone, this is where things fall apart.
What to do:
Enable tamper protection across all EDR deployments. Monitor for unusual driver loading activity, because that’s where this attack lives. If you have a SIEM, use it properly and review your DLL side-loading detection coverage. Defense shouldn’t collapse just because one control gets knocked out.
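"Monitor for unusual driver loading activity" is easy to say and vague to implement, so here is an added example of what that triage can look like in a SIEM pipeline. It is written for this digest, not code from the original post or from any EDR or SIEM vendor. The records are constructed samples using the Sysmon Event ID 6 ("Driver loaded") field names ImageLoaded, Hashes, Signed, Signature and SignatureStatus; the trusted-directory baseline, the user-writable directory list and the hash blocklist are assumptions to replace with your own environment's values. Note that the second sample record carries a valid signature and still gets flagged: a signed driver loading from a user directory is exactly the kind of event a signature check alone would wave through.

```python
"""Triage of driver-load telemetry shaped like Sysmon Event ID 6 ("Driver loaded").

Added example for this digest, not code from the original post or from any
EDR or SIEM vendor. The records below are constructed samples using the Sysmon
field names ImageLoaded, Hashes, Signed, Signature and SignatureStatus; the
trusted-directory baseline, the user-writable directory list and the hash
blocklist are assumptions to replace with your own environment's values."""

# Where a legitimately installed kernel driver is expected to live (assumed baseline).
TRUSTED_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)
# Locations a normal driver install never uses; a .sys loading from here is a red flag.
SUSPICIOUS_DIRS = ("\\temp\\", "\\users\\", "\\programdata\\", "\\appdata\\")

# SHA-256 of drivers known to be abused to blind security tooling.
# PLACEHOLDER ONLY: populate from your own threat-intelligence feed.
BLOCKLIST_SHA256 = {"placeholder_sha256_from_your_intel_feed"}


def parse_hashes(field):
    """Turn Sysmon's 'SHA256=...,MD5=...' Hashes field into a {ALGO: hexdigest} dict."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, digest = part.split("=", 1)
            out[algo.strip().upper()] = digest.strip().lower()
    return out


def triage_driver_load(event):
    """Return the reasons this driver load needs a look; an empty list means nothing stood out."""
    reasons = []
    path = event.get("ImageLoaded", "").lower()
    if event.get("Signed", "").lower() != "true":
        reasons.append("unsigned driver")
    elif event.get("SignatureStatus", "").lower() != "valid":
        reasons.append("signature not valid: %s" % event.get("SignatureStatus"))
    if not path.startswith(TRUSTED_DIRS):
        reasons.append("loaded from outside trusted driver directories")
    if any(d in path for d in SUSPICIOUS_DIRS):
        reasons.append("loaded from user-writable location")
    sha256 = parse_hashes(event.get("Hashes", "")).get("SHA256")
    if sha256 and sha256 in BLOCKLIST_SHA256:
        reasons.append("hash on vulnerable-driver blocklist")
    return reasons


def flag_events(events):
    """Return (computer, path, reasons) for every record that raised at least one reason."""
    flagged = []
    for event in events:
        reasons = triage_driver_load(event)
        if reasons:
            flagged.append((event.get("Computer"), event.get("ImageLoaded"), reasons))
    return flagged


# Constructed sample records; hashes are dummy values, not real indicators.
SAMPLE_EVENTS = [
    {"UtcTime": "2025-01-01 10:00:00.000", "Computer": "ws01",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\ndis.sys",
     "Hashes": "SHA256=" + "0" * 63 + "1",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"UtcTime": "2025-01-01 10:05:12.000", "Computer": "ws01",
     "ImageLoaded": "C:\\Users\\Public\\update\\helper.sys",
     "Hashes": "SHA256=" + "0" * 63 + "2",
     "Signed": "true", "Signature": "Some Vendor Ltd", "SignatureStatus": "Valid"},
    {"UtcTime": "2025-01-01 10:05:40.000", "Computer": "ws01",
     "ImageLoaded": "C:\\Windows\\Temp\\x.sys",
     "Hashes": "SHA256=" + "0" * 63 + "3",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for computer, path, reasons in flag_events(SAMPLE_EVENTS):
        print("%s %s: %s" % (computer, path, "; ".join(reasons)))
```

Feed this from whatever collects Sysmon or the equivalent EDR driver-load telemetry, and route anything `flag_events` returns to a high-priority queue: a driver load is rare enough on a workstation that the false-positive cost is low, and it is the one event that often precedes your EDR going quiet. Keeping the logic in the SIEM rather than only in the EDR is the point of the "don't depend on one control" advice above; if the agent is disabled, the driver-load event that did it has usually already been shipped.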