TTPwire Vol. 1 · MITRE ATT&CK·Tagged


F5 Labs

Weekly Threat Bulletin – April 29th, 2026

2026-04-29

ATT&CK techniques detected

36 predictions
T1195.001 Compromise Software Dependencies and Development Tools (99%)
“…-deleted-chats/ https://www.infosecurity-magazine.com/news/apple-ios-notification-bug-deleted/ Bitwarden CLI hijacked to steal your AWS, GitHub, and SSH secrets. Bitwarden CLI version 2026.4.0, distributed via npm, was compromised through a hijacked GitH…”

T1195.001 Compromise Software Dependencies and Development Tools (99%)
“…-supply-chain-attacks-ransomware/ https://www.helpnetsecurity.com/2026/03/31/axios-npm-backdoored-supply-chain-attack/ https://www.helpnetsecurity.com/2026/04/02/supply-chain-hacks-data-theft/ https://www.helpnetsecurit…”

T1195.001 Compromise Software Dependencies and Development Tools (99%)
“…AI coding assistant configuration files like `~/.claude.json`. A notable aspect of the attack was the weaponization of stolen GitHub tokens to enumerate repositories, create new branches, commit malicious workflow files, execute them, and then delete the evidence. Stolen dat…”

T1195.001 Compromise Software Dependencies and Development Tools (98%)
“…cyberpress.org/canisterworm-hits-containers/ https://cyberpress.org/checkmarx-kics-compromised-to-inject-malicious-code/ https://cyberpress.org/malicious-pypi-sdk-targets/ https://cyberpress.org/namastex-packages-drop-caniste…”

T1195.001 Compromise Software Dependencies and Development Tools (98%)
“…-axios-npm-supply-chain-compromise/ https://www.hendryadrian.com/how-we-caught-the-axios-supply-chain-attack/ https://www.hendryadrian.com/namastex-ai-npm-packages-hit-with-teampcp-style-canisterworm-malware/ https://…”

T1195.001 Compromise Software Dependencies and Development Tools (98%)
“…gbhackers.com/namastex-npm-packages/ https://gbhackers.com/pypi-telnyx-python-sdk/ https://gbhackers.com/xinference-pypi-breach-exposes-developers/ https://hackread.com/ai-firm-mercor-breach-hackers-4tb-data/ https://h…”

T1190 Exploit Public-Facing Application (98%)
“…/en_us/research/26/c/teampcp-telnyx-attack-marks-a-shift-in-tactics.html https://www.wiz.io/blog/axios-npm-compromised-in-supply-chain-attack https://www.wiz.io/blog/tracking-teampcp-investigating-post-compromise-…”

T1195.001 Compromise Software Dependencies and Development Tools (98%)
“…agents/ https://orca.security/resources/blog/checkmarx-supply-chain-compromise-ci-cd-secrets/ https://securityboulevard.com/2026/04/supply-chain-attacks-surge-in-march-2026/ https://socradar.io/blog/trivy-cisco-breach…”

T1195.001 Compromise Software Dependencies and Development Tools (97%)
“…exposure. Severity: Critical. Threat details and IoCs. Mitigation advice: - Scan all developer workstations and CI/CD environments for the npm package `@bitwarden/cli`. If version `2026.4.0` is found, immediately run `npm uninstall -g @bitwarden/cli` and `npm cach…”

T1195.001 Compromise Software Dependencies and Development Tools (95%)
“https://buaq.net/go-407432.html https://buaq.net/go-407462.html https://buaq.net/go-407711.html https://buaq.net/go-408167.html https://buaq.net/go-412150.html https://buaq.net/go-412245.html https://checkmarx.com/…”

T1195.001 Compromise Software Dependencies and Development Tools (94%)
“…press.com/european-commission-cloud-breach/ https://thehackernews.com/2026/03/axios-supply-chain-attack-pushes-cross.html https://thehackernews.com/2026/04/bitwarden-cli-compromised-in-ongoing.html https://thehackernews.c…”

T1003.001 LSASS Memory (93%)
“…c) or AppLocker, to restrict executable files, scripts, and installers to only approved software on workstations and servers. - Implement a network segmentation strategy using host-based firewalls and network access control lists (ACLs) to prevent client workstations from …”

T1195.001 Compromise Software Dependencies and Development Tools (89%)
“…-shell-arsenal/ https://tracebit.com/blog/detecting-cicd-supply-chain-attacks-with-canary-credentials https://vaultproof.dev/blog/trivy-supply-chain-attack https://www.catonetworks.com/blog/teampcp-supply-chain-attack/ ht…”

T1195.001 Compromise Software Dependencies and Development Tools (87%)
“…/teampcp-moves-from-oss-to-aws-environments/ https://www.securityweek.com/telnyx-targeted-in-growing-teampcp-supply-chain-attack/ https://www.techrepublic.com/article/news-meta-pauses-work-with-mercor-after-data-breac…”

T1195.001 Compromise Software Dependencies and Development Tools (83%)
“…-a-post-axios-world/ https://www.infosecurity-magazine.com/news/teampcp-exploit-stolen-supply/ https://www.kaspersky.com/blog/why-hackers-target-developers/55630/ https://www.mend.io/blog/malicious-xinference-pypi-team…”

T1525 Implant Internal Image (82%)
“…to register a malicious OAuth client with specially crafted metadata. Exploitation can lead to stored cross-site scripting (XSS), privilege escalation, and server-side request forgery (SSRF) attacks. The vulnerability is network-exploitable, requires low privileges, and…”

T1587 Develop Capabilities (78%)
“…-deleted-chats/ https://www.infosecurity-magazine.com/news/apple-ios-notification-bug-deleted/ Bitwarden CLI hijacked to steal your AWS, GitHub, and SSH secrets. Bitwarden CLI version 2026.4.0, distributed via npm, was compromised through a hijacked GitH…”

T1190 Exploit Public-Facing Application (69%)
“…, clean firmware version before restoring a sanitized configuration. Compliance best practices: - Establish a formal vulnerability management program for network infrastructure that defines specific timelines for patching critical devices based on CVSS scores and threat intelligen…”

T1566.004 Spearphishing Voice (68%)
“…campaign leveraging persistent social engineering, a custom modular malware suite, and adept internal pivoting to achieve deep network penetration. The attack began with a large email campaign followed by a Microsoft Teams phishing message, where attackers impersonated IT helpdes…”

T1587 Develop Capabilities (65%)
“…exposure. Severity: Critical. Threat details and IoCs. Mitigation advice: - Scan all developer workstations and CI/CD environments for the npm package `@bitwarden/cli`. If version `2026.4.0` is found, immediately run `npm uninstall -g @bitwarden/cli` and `npm cach…”

T1195.002 Compromise Software Supply Chain (65%)
“…-a-post-axios-world/ https://www.infosecurity-magazine.com/news/teampcp-exploit-stolen-supply/ https://www.kaspersky.com/blog/why-hackers-target-developers/55630/ https://www.mend.io/blog/malicious-xinference-pypi-team…”

T1195 Supply Chain Compromise (58%)
“…-a-post-axios-world/ https://www.infosecurity-magazine.com/news/teampcp-exploit-stolen-supply/ https://www.kaspersky.com/blog/why-hackers-target-developers/55630/ https://www.mend.io/blog/malicious-xinference-pypi-team…”

T1587 Develop Capabilities (53%)
“…-supply-chain-attacks-ransomware/ https://www.helpnetsecurity.com/2026/03/31/axios-npm-backdoored-supply-chain-attack/ https://www.helpnetsecurity.com/2026/04/02/supply-chain-hacks-data-theft/ https://www.helpnetsecurit…”

T1587 Develop Capabilities (50%)
“…-axios-npm-supply-chain-compromise/ https://www.hendryadrian.com/how-we-caught-the-axios-supply-chain-attack/ https://www.hendryadrian.com/namastex-ai-npm-packages-hit-with-teampcp-style-canisterworm-malware/ https://…”

T1195.002 Compromise Software Supply Chain (50%)
“…-deleted-chats/ https://www.infosecurity-magazine.com/news/apple-ios-notification-bug-deleted/ Bitwarden CLI hijacked to steal your AWS, GitHub, and SSH secrets. Bitwarden CLI version 2026.4.0, distributed via npm, was compromised through a hijacked GitH…”

T1587 Develop Capabilities (48%)
“…gbhackers.com/namastex-npm-packages/ https://gbhackers.com/pypi-telnyx-python-sdk/ https://gbhackers.com/xinference-pypi-breach-exposes-developers/ https://hackread.com/ai-firm-mercor-breach-hackers-4tb-data/ https://h…”

T1552.001 Credentials In Files (46%)
“…-deleted-chats/ https://www.infosecurity-magazine.com/news/apple-ios-notification-bug-deleted/ Bitwarden CLI hijacked to steal your AWS, GitHub, and SSH secrets. Bitwarden CLI version 2026.4.0, distributed via npm, was compromised through a hijacked GitH…”

T1219 Remote Access Tools (46%)
“…campaign leveraging persistent social engineering, a custom modular malware suite, and adept internal pivoting to achieve deep network penetration. The attack began with a large email campaign followed by a Microsoft Teams phishing message, where attackers impersonated IT helpdes…”

T1055.001 Dynamic-link Library Injection (37%)
“…less' and '--load-extension'. - Create a high-priority alert in your EDR or SIEM to detect and investigate any process that attempts to read the memory of the LSASS process (lsass.exe). - Hunt for executions of AutoHotkey (`autohotkey.exe` or renamed variants) …”

T1505.004 IIS Components (37%)
“…campaign leveraging persistent social engineering, a custom modular malware suite, and adept internal pivoting to achieve deep network penetration. The attack began with a large email campaign followed by a Microsoft Teams phishing message, where attackers impersonated IT helpdes…”

T1552.001 Credentials In Files (36%)
“…exposure. Severity: Critical. Threat details and IoCs. Mitigation advice: - Scan all developer workstations and CI/CD environments for the npm package `@bitwarden/cli`. If version `2026.4.0` is found, immediately run `npm uninstall -g @bitwarden/cli` and `npm cach…”

T1587 Develop Capabilities (34%)
“…agents/ https://orca.security/resources/blog/checkmarx-supply-chain-compromise-ci-cd-secrets/ https://securityboulevard.com/2026/04/supply-chain-attacks-surge-in-march-2026/ https://socradar.io/blog/trivy-cisco-breach…”

T1003.001 LSASS Memory (33%)
“…less' and '--load-extension'. - Create a high-priority alert in your EDR or SIEM to detect and investigate any process that attempts to read the memory of the LSASS process (lsass.exe). - Hunt for executions of AutoHotkey (`autohotkey.exe` or renamed variants) …”

T1587 Develop Capabilities (33%)
“…cyberpress.org/canisterworm-hits-containers/ https://cyberpress.org/checkmarx-kics-compromised-to-inject-malicious-code/ https://cyberpress.org/malicious-pypi-sdk-targets/ https://cyberpress.org/namastex-packages-drop-caniste…”

T1195 Supply Chain Compromise (33%)
“…-supply-chain-attacks-ransomware/ https://www.helpnetsecurity.com/2026/03/31/axios-npm-backdoored-supply-chain-attack/ https://www.helpnetsecurity.com/2026/04/02/supply-chain-hacks-data-theft/ https://www.helpnetsecurit…”

T1003.001 LSASS Memory (31%)
“…campaign leveraging persistent social engineering, a custom modular malware suite, and adept internal pivoting to achieve deep network penetration. The attack began with a large email campaign followed by a Microsoft Teams phishing message, where attackers impersonated IT helpdes…”

Summary

These are the top threats you should know about this week.