Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

A significantly evolved version of the Shai-Hulud malware now tracked as Sha1-Hulud has been discovered with over 800 packages affected, now featuring persistent backdoor capabilities through compromised GitHub Actions runners and enhanced multi-cloud credential harvesting.

On November 24th, 2025, we identified a new supply chain attack in the npm ecosystem, referred to as SHA1-Hulud. We believe this is a second wave of the Shai-Hulud attack, which occurred in September 2025. Snyk will continue monitoring this active incident until it is resolved. Updates on this incident will be on our trust center.

Ransomware attacks target your backups before anything else. Recent data shows that two-thirds of organizations faced ransomware in the past two years, with attackers specifically hunting backup infrastructure to eliminate recovery options. Once your backups are gone, you’re left with two choices: Pay up or lose your data permanently.

Ransomware attacks spiked in October 2025, with more than 700 organizations sustaining attacks, according to a new report from Cyfirma. “In October 2025, ransomware activity surged globally, marking a significant resurgence after a period of mid-year stability,” the report says. “Victim counts climbed to 738, driven by renewed campaigns from leading operators and the emergence of several new groups.

Trustwave SpiderLabs researchers have recently identified a banking Trojan we dubbed Eternidade Stealer, which is distributed through WhatsApp hijacking and social engineering lures. In this blog post, we will break down the techniques used in the campaign and highlight the new tools employed by the threat group.

The cybercrime underground continues to evolve into a mature, service-based economy that mirrors legitimate technology markets. Threat actors are increasingly adopting professionalized business models, offering malware, access, and data-theft capabilities “as a service” to a broad audience of buyers. During the first half of 2025, Bitsight observed sustained growth in Malware-as-a-Service (MaaS) and Remote Access Trojan (RAT) activity across dark web forums and marketplaces.

Whisper Leak targets remote language models, @acitons/artifact targets GitHub Actions users, and Quantum Route Redirect simplifies phishing.

Cross-domain attacks exemplify adversaries’ drive for speed and stealth. In these attacks, threat actors navigate multiple domains such as endpoint, cloud, and identity systems to maximize their reach and impact. Their goal is to exploit the weaknesses in organizations’ fast-growing and complex environments.