appsec.fyi • 5h
Multi-Vector Supply Chain Campaign: Mastra AI, GitHub Actions, and Arch Linux AUR Compromise
A sophisticated supply chain campaign, attributed to the suspected threat actor TeamPCP, has simultaneously targeted the Mastra AI framework via npm, GitHub Actions CI/CD workflows, and the Arch Linux User Repository (AUR). The attack utilized dormant contributor account takeovers to poison the @mastra npm scope using the easy-day-js dependency and hijacked GitHub Action version tags to exfiltrate CI/CD credentials. Additionally, over 1,500 AUR packages were compromised with eBPF-based rootkit malware. This coordinated infrastructure, linked by the "Mini Shai-Hulud" worm, facilitates widespread code execution, credential theft, and persistent rootkit deployment across development, DevOps, and end-user Linux environments.
Links:appsec.fyi, microsoft.com, penligent.ai, Hexnode Blog, techjacksolutions.com, threatlocker.com, Labs, Privacyguides, Stepsecurity, bleepingcomputer.com, Daily, threat-modeling.com, gbhackers.com, Cybersecurity News, Aiweekly, Bankinfosecurity, Thehackernews, Orca, Safedep, Neuracybintel, Reddit, SecurityWeek •