threat.wiki

Threat intelligence notes, group profiles, named-person records, and defensive guidance.

Recent entries

• node-ipc 2026 npm maintainer-account compromise
• Bitwarden / Checkmarx Shai-Hulud Third Coming campaign
• TeamPCP
• Nx Console VS Code extension compromise
• Mini Shai-Hulud npm/PyPI worm campaign
• SANDWORM_MODE AI-toolchain npm worm
• art-template Coruna-style iOS watering-hole compromise
• shopsprint/decimal Go typosquat DNS backdoor
• actions-cool GitHub Actions tag compromise
• Webworm
• Fox Tempest
• TamperedChef-style productivity malware clusters
• Handala
• APT29
• Microsoft Midnight Blizzard mailbox theft from Microsoft
• Dragonfly
• ConnectWise ScreenConnect exploitation wave
• Codecov Bash Uploader compromise
• Okta support-system compromise
• CitrixBleed session-hijack wave
• CircleCI 2023 customer secret exposure incident

Sections

• Ops — campaign timelines, compromise chains, and sequencing
• Tools — malware, payloads, implants, and attacker infrastructure
• Groups — crews, cluster names, and shared operational personas
• People — publicly identified individuals or project personas when public sourcing supports it
• Patterns — reusable defender heuristics
• Notes — taxonomy, usage, and editorial guidance