Malicious npm Packages, Salesloft GitHub Breach, Malvertising Commit Trick – Cybersecurity News [September 08, 2025]

by DuoCircle

This week’s cyber reports reveal escalating threats on trusted platforms. A significant phishing attack on npm spread malware to millions, while a compromise of Salesloft’s GitHub account impacted the Drift application. Researchers also uncovered a malvertising campaign using fake GitHub commits and detailed the stealthy EggStreme framework, highlighting how attackers are exploiting familiar workflows with increasing sophistication and success.

Protect your organization from escalating phishing and supply chain attacks by strengthening email security with SPF, DKIM, and DMARC.


Compromised “npm Packages” Spread Malware to Millions of Users

A huge supply chain breach has rocked the npm ecosystem after attackers took control of several popular packages through a convincing phishing scam. It all started when a maintainer received a fake email pretending to be from npm support, which asked them to update their two-factor authentication details. Using a fake login page to intercept the credentials, the attackers quickly pushed out malicious versions of libraries like chalk, debug, and ansi-regex, which together get billions of downloads every week.

Hidden inside these rogue packages was malware designed to hijack cryptocurrency transactions by swapping wallet addresses. The code was specifically built to run in browsers, targeting APIs like “window.fetch” and “XMLHttpRequest” to put end users with connected crypto wallets at risk. The attack soon spread, compromising more packages from another maintainer, including duckdb and prebid. Even though the scammers only made off with about $600, the sheer scale of the attack is a major cause for concern, highlighting just how vulnerable trusted ecosystems are to simple phishing attacks.
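A defender-side check that follows from the hooking behaviour described above, added here as an example and not code from the article or from any of the affected packages: a page-integrity script that flags user-land replacements of `window.fetch` and the `XMLHttpRequest` prototype methods. It relies on the assumption that a genuine built-in reports `[native code]` from `Function.prototype.toString`, whereas a JavaScript wrapper reports its own source text; the `window` objects below are constructed stand-ins so the check runs without a browser.

```javascript
// Added example (not from the article): flag non-native replacements of the browser
// networking APIs that a wallet-swapping payload hooks.
// Assumption: built-ins report "[native code]" from Function.prototype.toString,
// while a JavaScript wrapper reports its own source text.
const NATIVE_CODE_RE = /\{\s*\[native code\]\s*\}\s*$/;

function isNativeFunction(fn) {
  if (typeof fn !== 'function') return false;
  let source;
  try {
    // Call the original toString explicitly: a hook may replace fn.toString to lie
    // about itself. This is a heuristic, not proof: a hook that also patches
    // Function.prototype.toString defeats it, so treat a clean result as "no finding".
    source = Function.prototype.toString.call(fn);
  } catch (_) {
    return false;
  }
  return NATIVE_CODE_RE.test(source);
}

// Audit the two APIs named in the article. For XMLHttpRequest the prototype methods
// are inspected, because that is where a request interceptor typically lands.
function auditNetworkApis(win) {
  const findings = [];
  if (win.fetch !== undefined && !isNativeFunction(win.fetch)) {
    findings.push({ api: 'fetch', reason: 'non-native implementation' });
  }
  const xhr = win.XMLHttpRequest;
  if (typeof xhr === 'function' && xhr.prototype) {
    for (const method of ['open', 'send']) {
      const impl = xhr.prototype[method];
      if (typeof impl === 'function' && !isNativeFunction(impl)) {
        findings.push({ api: `XMLHttpRequest.prototype.${method}`, reason: 'non-native implementation' });
      }
    }
  }
  return findings;
}

// Constructed stand-in for an untouched browser window. Math.max is a genuine
// built-in, so its toString output matches what a real window.fetch reports.
function makeCleanWindow() {
  return { fetch: Math.max };
}

// Constructed stand-in for a window after a script has wrapped fetch and replaced
// XMLHttpRequest. The wrapper here only counts calls and forwards them; it
// rewrites nothing, the point is that its shape is detectable.
function makeHookedWindow() {
  const win = makeCleanWindow();
  const original = win.fetch;
  win.fetch = function fetch(...args) {
    win.interceptedCalls = (win.interceptedCalls || 0) + 1;
    return original.apply(this, args);
  };
  class XMLHttpRequest {
    open() {}
    send() {}
  }
  win.XMLHttpRequest = XMLHttpRequest;
  return win;
}

function demo() {
  return {
    clean: auditNetworkApis(makeCleanWindow()),
    hooked: auditNetworkApis(makeHookedWindow()),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

In a real page the audit would run from a first-party script loaded before any third-party bundle and report findings to a telemetry endpoint; the constructed windows above only stand in for that environment so the logic can be exercised offline.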


Salesloft GitHub Breach Leads to Drift Supply Chain Incident

Salesloft has shared how the recent data breach in its Drift application started, and it all began with attackers getting into its GitHub account. According to investigators from Mandiant, the hacker, tracked as UNC6395, was inside the system from March through June 2025. It’s still not clear how they first broke in. During that time, they downloaded code, added a guest user, and set up new workflows. They also poked around the Salesloft and Drift environments, but it doesn’t look like they did anything more than that initial exploration. So far, 22 companies have confirmed that this supply chain breach impacted them.

The attackers later found their way into Drift’s Amazon Web Services environment, where they stole access tokens tied to customer accounts to get at their data. In response, Salesloft has taken Drift completely offline, changed its credentials, and improved security between the two platforms. Customers are being told to revoke any API keys connected to Drift. While Salesforce has restored its integrations with Salesloft’s other technologies, Drift will remain offline until the cleanup is complete.


Malvertising Campaign Uses GitHub Commit Trick to Spread Malware

A pretty clever malvertising campaign is using paid search ads and a sneaky GitHub trick to spread malware that’s disguised as legitimate software. Attackers use a method called Phantom Commit Injection, embedding fake commits into URLs to make them look like they are from GitHub while actually redirecting to a malicious domain. If you click on it, you’re prompted to download a large installer that’s specifically designed to slip past online security checks. What makes this malware so tricky is a technique called GPUGate, which uses your computer’s graphics card to decrypt itself. This helps it hide from the virtual machines and security sandboxes that analysts use because those systems often lack a real GPU.


Once it’s running, the malware quickly gets administrator rights, disables Microsoft Defender, and sets up scheduled tasks to make sure it stays hidden. Its main goal is to steal your information and deliver other harmful software, and there’s even evidence linking its infrastructure to the Atomic macOS Stealer, hinting at a cross-platform approach. Security researchers warn that this campaign shows a growing trend where attackers exploit trusted developer platforms to get malware past both users and advanced security defences.


EggStreme Malware Framework Enables Stealthy Espionage

Researchers have uncovered a new malware framework they’re calling EggStreme, which was used in a targeted attack on a military company. This sneaky software uses a multi-stage, fileless approach to stay hidden. The malware injects malicious code directly into memory and relies on DLL sideloading to run its harmful payloads. Its core component is a powerful backdoor named “EggStremeAgent”, which is capable of snooping around networks, stealing data, and logging keystrokes. The operation kicks off with a loader called EggStremeFuel, which profiles the system and prepares it for the main backdoor.


To make things even harder for defenders, EggStreme communicates using the gRPC protocol and includes an extra implant, EggStremeWizard, that offers a reverse shell and backup command servers. The attackers also use the Stowaway proxy tool to move around internally, ensuring all malicious code runs in memory, leaving almost no forensic trace. With its layered design, keylogger, and advanced evasion techniques, EggStreme is a sophisticated threat built for long-term spying in high-value environments.


Phishing Attacks Exploit Axios and Microsoft Direct Send for Scale

Researchers are warning about a big jump in phishing scams that are using the Axios HTTP client with Microsoft’s Direct Send feature to launch very effective attacks. We’ve seen a 240% spike in Axios activity recently, first hitting finance and healthcare sectors before spreading to everyone else. By pairing these tools, attackers can easily fake trusted email senders and sail right past security gateways, succeeding almost 70% of the time. This lets them steal session tokens, snatch multi-factor authentication codes as they’re entered, and compromise Azure tokens for large-scale credential theft. These emails often trick people with subjects about compensation, using PDFs with malicious QR codes that lead to fake Microsoft login pages.


This whole campaign shows just how sophisticated phishing has become, running like a professional operation. Attackers use Axios to intercept and modify web traffic, which helps them blend in with legitimate activity and lowers the bar for launching attacks. To make things worse, advanced phishing kits are being used to simulate different Multi-Factor Authentication (MFA) methods and even block security vendors. It’s a wake-up call on how important it is for organizations to restrict Direct Send, tighten their anti-spoofing policies, and train users to spot these dangerous emails before they can cause any harm.
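One concrete piece of the "tighten anti-spoofing policies" advice above is making sure the domain's DMARC record actually enforces something. The following is an added example, not code from the article or from any vendor it mentions: it parses a DMARC TXT record and reports whether the policy is enforcing, merely monitoring, or missing. The record strings are constructed for the demo; it checks DNS policy only, not the Direct Send tenant setting, which lives in Exchange Online configuration rather than DNS.

```javascript
// Added example (not from the article): assess a DMARC TXT record for enforcement gaps.
// Tag names (v, p, sp, pct, rua) are the standard DMARC tags; sample records are constructed.

// Split "v=DMARC1; p=reject; rua=mailto:..." into a tag -> value map.
function parseDmarc(txt) {
  const tags = {};
  for (const part of txt.split(';')) {
    const piece = part.trim();
    if (!piece) continue;
    const eq = piece.indexOf('=');
    if (eq < 0) continue;
    tags[piece.slice(0, eq).trim().toLowerCase()] = piece.slice(eq + 1).trim();
  }
  return tags;
}

// Returns { level, policy, issues } where level is one of
// 'missing', 'monitoring', 'partial' or 'enforcing'.
function assessDmarc(txt) {
  if (typeof txt !== 'string' || !/^v=DMARC1\b/i.test(txt.trim())) {
    return { level: 'missing', policy: null, issues: ['no DMARC record, or record does not start with v=DMARC1'] };
  }
  const tags = parseDmarc(txt);
  const issues = [];
  const policy = (tags.p || '').toLowerCase();

  // p=none asks receivers to deliver spoofed mail and only report it.
  if (policy !== 'reject' && policy !== 'quarantine') {
    issues.push(`p=${policy || '(absent)'}: spoofed mail is delivered, only reported`);
  }
  // pct below 100 applies the policy to a sample of failing mail, not all of it.
  const pct = tags.pct === undefined ? 100 : Number(tags.pct);
  if (Number.isNaN(pct) || pct < 100) {
    issues.push(`pct=${tags.pct}: policy applies to only part of the traffic`);
  }
  // sp= overrides the policy for subdomains; a weaker value leaves them spoofable.
  if (tags.sp !== undefined && !['reject', 'quarantine'].includes(tags.sp.toLowerCase())) {
    issues.push(`sp=${tags.sp}: subdomains fall back to a weaker policy`);
  }
  // Without rua= nobody receives aggregate reports, so abuse goes unnoticed.
  if (!tags.rua) issues.push('no rua= address: aggregate reports are not collected');

  let level;
  if (issues.length === 0) level = 'enforcing';
  else if (policy === 'none' || policy === '') level = 'monitoring';
  else level = 'partial';
  return { level, policy: policy || null, issues };
}

// Constructed sample records (example.com is a placeholder domain).
const SAMPLE_RECORDS = {
  monitoringOnly: 'v=DMARC1; p=none; rua=mailto:dmarc@example.com',
  enforcing: 'v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com',
  partial: 'v=DMARC1; p=quarantine; pct=20; sp=none',
  missing: '',
};

function demo() {
  const out = {};
  for (const [name, record] of Object.entries(SAMPLE_RECORDS)) {
    out[name] = assessDmarc(record);
  }
  return out;
}

console.log(JSON.stringify(demo(), null, 2));
```

To run it against a live domain, fetch the TXT record at `_dmarc.<domain>` (for example with Node's `dns.promises.resolveTxt`) and pass the joined string to `assessDmarc`; the function itself stays offline so it can be unit-tested.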
