Weekly review

ThreatNoir Morning Brief — July 8

2026-07-08Morning4 articles
Audio
Listen to the episode

Morning Review in IT Security — July 8, 2026

The threat landscape continues to intensify as attackers target critical infrastructure across multiple platforms. Today's review covers a sophisticated supply-chain campaign spanning two major package repositories, critical authentication bypass vulnerabilities in widely-used development tools, and emerging attack patterns that evade traditional security controls.

Coordinated npm and PyPI Campaign Typosquats Popular Secure Payment Apps

Socket's AI scanner detected a coordinated malware campaign on July 7, 2026, consisting of 17 malicious packages published nearly simultaneously across npm and PyPI repositories. The attack targets developers and users of popular payment processing platforms including PaySafe, Skrill, and Neteller. Source: Coordinated npm and PyPI Campaign Typosquats Popular Secure Payment Apps

The npm packages each published four malicious versions (1.0.0 through 1.0.3), with detection occurring within six minutes of publication. The affected npm packages include paysafe-checkout, paysafe-vault, neteller, skrill-payments, paysafe-js, paysafe-api, paysafe-node, paysafe-cards, paysafe-fraud, paysafe-kyc, skrill, skrill-sdk, and paysafe-payments. The PyPI ecosystem was targeted with four malicious packages: paysafe-kyc, paysafe-payments, paysafe-sdk, and paysafe-api, each publishing a single malicious version 1.0.0.

The malware employs sophisticated techniques to steal credentials and tokens from victim systems. The packages mimic legitimate Paysafe REST client implementations while exfiltrating environment variables matching patterns including KEY, SECRET, TOKEN, PASS, AUTH, and API. The stolen data is sent to command-and-control infrastructure at caliber-spinner-finishing.ngrok-free.dev. The npm variant includes sandbox evasion checks and delays exfiltration by approximately 11.7 seconds, while the PyPI variant activates universally without API key gating. The threat actor demonstrates operational maturity through use of unique obfuscation keys across versions to prevent signature-based tracking and infrastructure overlap with established cybercrime groups.

Critical Gitea Flaw Under Active Exploitation, Researchers Warn

A critical authentication bypass vulnerability in Gitea is being actively exploited in the wild, allowing attackers to bypass authentication mechanisms using a single HTTP header to access vulnerable repositories and sensitive secrets. Source: Critical Gitea Flaw Under Active Exploitation, Researchers Warn

The vulnerability, identified as CVE-2026-20896, poses significant risk to organizations relying on Gitea for source code management and repository hosting. The active exploitation indicates that threat actors have weaponized this flaw and are actively targeting Gitea instances.

'GitLost' Flaw Leaks Private Data From GitHub's Agentic Workflows

A vulnerability dubbed GitLost has been discovered in GitHub's agentic workflows that enables unauthenticated attackers to extract private repository data through a novel attack vector. Source: 'GitLost' Flaw Leaks Private Data From GitHub's Agentic Workflows

The attack exploits GitHub's workflow automation capabilities by allowing an attacker to craft a malicious GitHub Issue in an organization's public repository and then silently access data from the organization's private repositories. This vulnerability, tracked as CVE-2024-4122, demonstrates how automation features designed to improve developer productivity can be weaponized to bypass access controls and exfiltrate sensitive information.

The GitHub Actions Attack Pattern Your CI Security Scanners Miss

Research from ActiveState reveals a critical gap in CI/CD security tooling: traditional CI security scanners fail to detect sophisticated GitHub Actions attack chains that exploit workflow composition techniques. Source: The GitHub Actions Attack Pattern Your CI Security Scanners Miss

The attack pattern, associated with the Cordyceps malware, has been identified across more than 300 open-source repositories. The research demonstrates that passing a security scan does not guarantee pipeline security, as attackers can chain together seemingly benign Actions to achieve malicious objectives while evading detection. This finding underscores the need for organizations to implement more sophisticated governance controls over their CI/CD workflows beyond traditional scanning approaches.

Organizations should prioritize immediate patching of Gitea instances, audit their GitHub repositories and Actions workflows for signs of compromise, and implement comprehensive secrets rotation protocols across all development infrastructure. The convergence of these vulnerabilities highlights the critical importance of supply-chain security as a foundational element of enterprise security strategy.

Sources & IOCs

Source articles and extracted indicators (defanged where appropriate).

Coordinated npm and PyPI Campaign Typosquats Popular Secure Payment Apps
Domain1
  • caliber-spinner-finishing.ngrok-free.dev
    Command-and-control server for credential exfiltration
SHA-2565
  • b04daeacd1d1…
    Malicious __init__.py file from PyPI packages
  • b2ea8d69f679…
    Malicious index.js file from npm packages
  • 8a70a5c1075f…
    Malicious index.js file from npm packages
  • c6af37a6739f…
    Malicious __init__.py file from PyPI packages
  • ce09810adca7…
    Malicious index.js file from npm packages