Supply-chain campaigns
Named campaigns
Hand-curated incident roll. Each campaign wraps the underlying malicious-package advisories and CVE entries with a narrative summary so visitors can find related events without grepping the raw feed for IDs.
Shai-Hulud npm worm
Sep 16, 2025 → Sep 24, 2025 · critical
Self-propagating worm that compromised well over 100 npm packages in mid-September 2025. The initial vector was a credential-stealing payload in `@ctrl/tinycolor` and related `@ctrl/*` packages, plus several `ngx-bootstrap` packages. The stealer harvested maintainer npm tokens (along with GitHub and cloud credentials found on the build host) and exfiltrated them; the worm then used the stolen npm tokens to publish trojanized versions of other packages the same maintainers could publish, so each newly infected maintainer widened the blast radius. Several CrowdStrike and other security-vendor-adjacent packages were affected. The campaign name comes from a string in the worm payload referencing Dune's giant sandworms. Affected developers should treat any machine that installed an affected version during the campaign window as fully compromised: rotate npm tokens, GitHub PATs, AWS and other cloud credentials, and any other secrets stored on disk, and audit every package those tokens could publish for releases the maintainer did not cut.
SolarWinds SUNBURST (Orion supply chain)
Mar 26, 2020 → Dec 13, 2020 · critical
Nation-state compromise of SolarWinds' Orion build pipeline. The attackers inserted the SUNBURST backdoor during the build, before code signing, so it shipped inside validly signed Orion updates downloaded by ~18,000 organizations; only a much smaller subset received follow-on hands-on activity. Distinct from npm/PyPI-style supply chain attacks: the malicious code was in a closed-source enterprise product, not a public package registry. Catalogued here because it is the canonical "vendor build system compromise", a class of attack the OSV MAL- feed does not track directly.
3CX DesktopApp supply chain (Lazarus)
Mar 22, 2023 → Apr 20, 2023 · critical
Compromise of the 3CX Electron-based desktop client, distributed to millions of users. North Korea's Lazarus Group is the attributed actor. The intrusion chained through an earlier compromise: a 3CX employee installed a trojanized X_TRADER package from Trading Technologies, which gave the attackers the foothold to reach 3CX's build environment and ship backdoored installers. That is the cascading-supply-chain pattern, one vendor compromise seeding the next, and it is why a customer's own vendor review cannot stop at the first tier of suppliers.