FlagThis - Latest Cybersecurity News

In June 2026, five concurrent npm supply chain campaigns utilized typosquatting and impersonation of the postcss ecosystem—specifically targeting postcss-selector-parser—to compromise developer environments. Attackers leveraged npm lifecycle scripts to execute multi-stage payloads, including Windows-based Remote Access Trojans (RATs) and native C-based Linux rootkits. The campaigns specifically targeted high-privilege developer assets, including SSH keys, GitHub CLI credentials, and Claude Code configurations, to facilitate lateral movement and upstream supply chain contamination. One cluster is attributed to the North Korean state-sponsored actor PolinRider.