Threat-Intel

⚠️ Active Incident — March 31, 2026. If you ran npm install or npm update between March 30 evening UTC and March 31, check your systems now. See remediation steps below. 🔄 Developing Story — Attribution now resolved: Google GTIG has formally attributed this attack to UNC1069 (also tracked as Sapphire Sleet by Microsoft), a North Korea-nexus threat actor linked to BlueNoroff/Lazarus Group. The attack is confirmed unrelated to the concurrent TeamPCP campaign. Malicious versions have been taken down by npm. Full scope of affected organizations is still being assessed. This article will be updated as new information becomes available. Last updated: April 2, 2026 19:00 UTC. ...

🔄 Developing Story — Last updated: April 2, 2026 16:30 UTC. Anthropic has confirmed the leak and is issuing DMCA takedown notices. Security researchers have surfaced alarming findings including an undisclosed stealth mode, autonomous background agent, and a Sentry contradiction. R2 map file no longer visible via CDN browse. No CVEs assigned. No patched npm version. See Updates section below. Updates April 2, 2026 — 16:30 UTC R2 map file no longer visible via CDN; lawsuit deposition detail; Sentry contradiction; official hardening guide. ...