XeniCore

Blog

  • Shai-Hulud: When Trust in npm Becomes the Attack Surface

    Modern JavaScript development runs on an assumption that rarely gets questioned:
    dependencies are safe by default.

    Every npm install pulls code written by strangers, maintained at unknown cadence, and executed automatically in trusted environments. The Shai-Hulud npm campaigns did not exploit a vulnerability in npm itself. They exploited belief – belief that widely used ecosystems self-regulate.

    This was not a smash-and-grab operation.
    It was a slow poisoning of trust, designed to persist quietly inside developer workflows and CI/CD pipelines.

    (more…)

  • MongoBleed: A Critical MongoDB Vulnerability Shaking Database Security

    On December 12, 2025, the MongoDB Security Engineering team disclosed a high-severity security flaw in the core MongoDB Server product — a vulnerability that quickly earned the nickname “MongoBleed.” In the weeks that followed, this issue transitioned from academic concern to active exploitation, making it one of the most important database security stories heading into 2026.

    (more…)

  • Silk Typhoon: The APT That Weaponised Trust – A Deep Dive into China’s Premier Supply Chain Attack Group

    In the pantheon of nation-state cyber threats, few groups have demonstrated the systematic evolution of attack methods as thoroughly as Silk Typhoon. From their explosive debut with the 2021 Microsoft Exchange zero-day campaign that compromised over 60,000 organisations globally, to their recent infiltration of the US Treasury Department, this Chinese state-sponsored Advanced Persistent Threat (APT) group has consistently redefined the boundaries of supply chain warfare.

    What distinguishes Silk Typhoon — also known as Hafnium, APT27, and Murky Panda — across different threat intelligence communities is not merely its technical sophistication but also its strategic patience and architectural understanding of modern digital trust relationships. Unlike opportunistic cybercriminal groups or even other nation-state actors who focus on individual high-value targets, Silk Typhoon has mastered the art of leveraging trust infrastructure to achieve scalable, persistent access across entire sectors simultaneously.

    To understand why this group represents the future of nation-state cyber operations, we must examine their evolution from opportunistic vulnerability exploitation to systematic compromise of trust infrastructure — and why their methodology poses an existential challenge to the foundational assumptions of enterprise cybersecurity.

    (more…)

  • The Trusted Path to Breach: How China’s APT Turned Cybersecurity Infrastructure Against the US Treasury

    In our ongoing examination of supply chain compromises—from the Shai-Hulud worm’s ecosystem-wide assault on npm to the systematic exploitation of GitHub Personal Access Tokens—we’ve consistently observed how attackers weaponise the trust relationships that underpin modern digital infrastructure. On December 30, 2024, this pattern reached a new zenith when the US Treasury Department disclosed that Chinese state-sponsored actors had compromised its systems through BeyondTrust, a cybersecurity vendor specifically tasked with protecting privileged access.

    This breach represents more than another supply chain compromise – it exemplifies the sophisticated evolution of Advanced Persistent Threat (APT) operations where security infrastructure itself becomes the attack vector. The incident, attributed to the Chinese APT group known as Silk Typhoon, demonstrates how threat actors have moved beyond breaking through security perimeters to systematically exploiting the very tools designed to enforce them.

    (more…)

  • The Master Key Vulnerability: How GitHub PATs Became the Crown Jewel of Cloud Compromise

    In our recent analysis of the Shai-Hulud worm’s devastating impact on the npm ecosystem, we observed how supply chain attacks have evolved from opportunistic package poisoning to systematic ecosystem compromise. At the heart of that attack—and increasingly at the centre of modern cloud breaches – lies a deceptively simple credential: the GitHub Personal Access Token (PAT).

    These tokens, designed to streamline developer workflows and enable seamless automation, have become the skeleton key that unlocks entire organisational infrastructures. From the SolarWinds compromise to recent attacks on major cloud service providers, GitHub PATs consistently appear as both the initial attack vector and the mechanism for persistent access.

    This isn’t coincidental. GitHub PATs represent a perfect storm of high privilege, broad scope, and minimal oversight, making them irresistible targets for sophisticated threat actors. To understand why these tokens have become the crown jewel of cloud compromise, we must examine how their design philosophy— prioritising developer convenience over security boundaries—creates systemic vulnerabilities that extend far beyond GitHub itself.

    (more…)

  • Shai-Hulud Weaponisation of npm’s Trust Model

    In our ongoing analysis of supply chain compromises, we’ve examined how attackers exploit the fundamental trust relationships that power modern software development. From dependency confusion attacks to compromised build systems, threat actors have consistently demonstrated that the most devastating breaches don’t break through defences—they walk through open doors marked “trusted.”

    On September 23, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert that crystallises this threat: a self-replicating worm named “Shai-Hulud” has compromised over 500 packages in the npm ecosystem, the world’s largest JavaScript registry. This isn’t merely another supply chain attack; it’s a systematic exploitation of the trust architecture that underpins modern web development.

    The significance of this compromise extends far beyond its immediate impact. Shai-Hulud represents an evolution in supply chain attacks—from opportunistic package poisoning to automated, self-propagating ecosystem compromise. To understand why this attack succeeded so spectacularly, and how to defend against its successors, we must examine how it weaponised the very mechanisms designed to make software development seamless.

    (more…)

  • The Silent Breach: Why Stolen Tokens Are More Dangerous Than Stolen Passwords

    In our previous briefings, we dissected the campaigns of UNC6040’s vishing attacks and UNC6395’s supply chain compromise. The common thread weaving through these devastating breaches wasn’t a software zero-day or a brute-forced password; it was the abuse of a legitimate, fundamental component of the modern cloud: the OAuth token.

    This isn’t a problem limited to a few threat actors. Throughout 2024 and 2025, a wave of attacks has exploited the core logic of OAuth, allowing adversaries to bypass MFA and breach major corporations like Google, Allianz Life, and Louis Vuitton by tricking users into authorising malicious applications. The attackers don’t need to break in when they can be invited in through a legitimate, token-based handshake.

    This is the threat of the OAuth Replay Attack. It’s an attack on the very architecture of trust that connects our cloud applications. To defend against it, you must understand that the target isn’t just your password; it’s the digital key that the password unlocks.

    (more…)

  • One Breach, Many Victims: How the UNC6395 Attack Exposed the SaaS Supply Chain

    In the modern enterprise, third-party apps are the engines of productivity. We integrate them into our core platforms, such as Salesforce, granting them trusted access to our data to streamline workflows. But what happens when the keys to one of those trusted partners fall into the wrong hands?

    A threat actor tracked as UNC6395 recently provided a devastating answer. In a sophisticated supply chain attack that impacted over 700 organizations, the group compromised the Salesloft “Drift” integration, stealing its OAuth tokens. They then used these tokens to access the Salesforce environments of multiple downstream customers, exfiltrating data at scale. High-profile cybersecurity and tech companies, including Cloudflare, Zscaler, Palo Alto Networks, and SpyCloud, have all publicly confirmed being impacted by this widespread campaign.

    As Google’s Threat Intelligence Group first reported, this was not a breach of Salesforce itself. Instead, it was a masterful exploitation of the web of trust that underpins the entire SaaS ecosystem. One of the victims, Cloudflare, publicly detailed its response, confirming that the actor accessed its Salesforce “Case” objects between August 12-17, 2025, providing a rare public glimpse into the impact of such a compromise.

    (more…)

  • From Vishing to Breach: Deconstructing the Salesforce Social Engineering Campaign

    The phone rings. The caller ID might be blocked, or it might be cleverly spoofed to look internal. On the other end is a polite, knowledgeable, and helpful person claiming to be from your IT department. They need your help to install a critical “Data Loader” utility or a system update in Salesforce. They sound legitimate. They sound urgent.

    This is the opening move of a sophisticated attack by a threat group tracked as UNC6040. In this threat briefing, we’ll dissect how this group turns a simple phone call into a full-scale CRM data breach, not by hacking Salesforce, but by hacking the trust of your employees.

    This isn’t a vulnerability in the Salesforce platform itself; it’s a clever abuse of the legitimate, trusted pathways that make the modern cloud ecosystem work.

    (more…)

  • Information Stealers: The Silent Data Exfiltration Threat

    In today’s hyper-connected digital landscape, organisations face a multitude of cybersecurity threats. While ransomware attacks dominate headlines with their immediate and disruptive impact, a more insidious threat operates in the shadows: information stealers. These specialised forms of malware silently harvest sensitive data from compromised systems, often operating undetected for months or even years before their presence is discovered. By that time, the damage is already done—valuable credentials, financial data, intellectual property, and personal information have been quietly exfiltrated, leaving victims vulnerable to fraud, identity theft, and further network compromise.

    (more…)