Skip to main content
Emerging ThreatsSupply Chain Attacks

Cyberattacks Exploit Known Flaws in Supply Chain, AI Tools

Vulnerable computer servers and networking equipment in a dimly lit data center.

"The attack was specifically engineered to manipulate or poison downstream RPC infrastructure by compromising a quorum of the RPCs the LayerZero Labs DVN relied upon to verify transactions," LayerZero said.

LayerZero and the KelpDAO $290 million heist

LayerZero Labs blamed the theft that hit KelpDAO on a targeted compromise of RPC infrastructure, saying two LayerZero-hosted RPC nodes were taken over while a simultaneous DDoS knocked a third node offline. KelpDAO, in a post on X, said, "Two RPC nodes hosted by LayerZero were compromised. A simultaneous DDoS attack was launched against the third RPC node. This was an attack on LayerZero's infrastructure. Kelp's own systems were not involved in building or operating that infrastructure." The exploit has been reported to have resulted in $290 million in stolen value. The Arbitrum Security Council has temporarily frozen 30,766 ETH held at an Arbitrum One address connected to the KelpDAO exploit.

MajorDoMo RCEs, zero-credential chains, and other active exploits

VulnCheck warned of active attempts to exploit two remote-code-execution flaws in the MajorDoMo smart-home platform: CVE-2026-27175, a critical command-injection bug first seen exploited on April 13, and CVE-2026-27174, an unauthenticated RCE via the PHP console detected on April 18. VulnCheck said CVE-2026-27175 was used to drop a PHP webshell delivering persistent backdoor access, while CVE-2026-27174 led to Metasploit php/meterpreter/reverse_tcp staged payloads. Other active exploit observations cited by VulnCheck and collaborators include CVE-2025-22952 (an SSRF in Elestio Memos), CVE-2024-57046 (an authentication bypass in NETGEAR DGN2200 routers), and a zero-credential RCE chain in Apache ActiveMQ that strings CVE-2026-34197 with CVE-2024-32114 to remove authentication from the Jolokia endpoint on affected ActiveMQ versions 6.0.0 through 6.1.1.

Supply chain malware surge in npm and compromised packages

Security teams flagged a wave of malicious npm packages — including ixpresso-core, forge-jsx, @genoma-ui/components, @needl-ai/common, rrweb-v1, several "biginteger" variants, and a cluster under the @fairwords scope — that steal sensitive data, implant SSH backdoors by adding attacker keys to ~/.ssh/authorized_keys, deliver information stealers, and spread the XWorm RAT. The @fairwords packages were reported to self-propagate using victims' npm tokens and attempt cross-ecosystem propagation to PyPI via .pth injection. New js-logger-pack builds were observed polling Hugging Face repositories for updates and using them as data-exfiltration destinations. Other legitimate packages were reported compromised: @velora-dex/sdk (v9.4.1) decoded and executed a Base64 payload that fetched a shell script to install a Go-based RAT called minirat on macOS, and mgc (1.2.1–1.2.4) was injected with a dropper that fetched platform-specific RATs from GitHub Gists.

AI prompt injection, Claude desktop browser access, and data concerns

Forcepoint disclosed 10 new indirect prompt-injection payloads designed to poison web content so LLM-based agents execute malicious instructions for fraud, data destruction, API key theft, and denial-of-service. Forcepoint summarized the attack sequence: an attacker poisons web content, hides the payload from human view, waits for an AI agent to ingest the page, exploits the LLM's inability to distinguish trusted instructions from attacker content, and triggers a real-world action with a covert exfiltration return channel. Separately, web privacy expert Alexander Hanff reported the Claude desktop app places Native Messaging manifest files in preset Chromium-based browser locations (Brave, Google Chrome, Microsoft Edge, Vivaldi), effectively pre-authorizing Claude to interact with browsers even before they are installed — an issue described as a dark pattern that the source said violates E.U. privacy laws.

ProxySmart, SIM farms, and industrial-scale mobile proxy operations

Infrawatch identified a Belarus-based turnkey footprint tied to ProxySmart control panels in 17 countries and 94 phone-farm locations across 19 U.S. states and other countries in Europe and South America. The analysis linked 87 ProxySmart instances to at least 24 commercial proxy providers and 35 cellular providers. ProxySmart offers an end-to-end platform — device management, automated IP rotation, customer provisioning, anti-bot countermeasures, and payment handling — accessible via a self-hosted web control panel; phones are enrolled via an unsigned Android APK and modems are managed through ModemManager. Infrawatch noted capabilities consistent with "large-scale evasion enablement," including automated IP rotation, remote device control, and network fingerprint spoofing. ProxySmart disputed the SIM-farm characterization, calling itself a "data-path proxy management platform" and listing legitimate use cases such as advertising verification and brand protection.

What this means for security teams, regulators, and open-source maintainers

  • Security teams and enterprise defenders: watch RPC and middleware integrity as high-risk attack surfaces after the LayerZero/KelpDAO incident; prioritize patching for the named CVEs (CVE-2026-27175, CVE-2026-27174, CVE-2026-34197, CVE-2024-32114) and scrutinize third-party package use and supply-chain propagation behaviors described above.
  • Regulators and policy bodies: the Ofcom probe into Telegram and the NCSC's public recommendation of passkeys and release of SilentGlass show continued regulatory focus on platform content controls and hardware/software risk mitigations; the Claude desktop findings and Forcepoint's IPI work suggest privacy and AI-safety threads regulators will track.
  • Open-source maintainers and package consumers: the npm compromises underline the need to monitor token misuse, unexpected cross-ecosystem behavior (npm→PyPI), and external polling behaviors (Hugging Face) described in the report.

For now the record is stark and repetitive: components behind applications — RPC nodes, package registries, native OS features, and large-scale proxy fleets — are repeatedly the instrument of choice. The specifics in this bulletin point to the same root: attackers are exploiting trust and overlooked controls. Whether markets, maintainers, or regulators alter those default assumptions will determine if next week's bulletin reads like this one or finally reads differently.

Original story