
SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 90
Key Takeaways
- 18 distinct malware campaigns highlighted in Round 90
- Iranian actors leverage Telegram for C2 communications
- Supply chain compromise hits Trivy Docker image scanner
- Chrome extensions used to hide remote access tools
- Fake npm install logs deliver RATs to developers
Pulse Analysis
The latest Security Affairs Malware Newsletter paints a vivid picture of an increasingly fragmented threat landscape. While classic ransomware remains prevalent, the spotlight has shifted toward supply-chain infiltration, as seen in the Trivy Docker image compromise that jeopardized countless CI/CD pipelines. Such attacks exploit trusted development tools, amplifying the blast radius far beyond a single organization and forcing security leaders to rethink software bill of materials (SBOM) strategies.
Nation-state actors continue to innovate their command-and-control (C2) infrastructure, with Iranian groups deploying Telegram channels to push malware directly to identified targets. This low-cost, widely available platform evades many traditional network defenses, highlighting the need for granular traffic inspection and user-behavior analytics. Simultaneously, the emergence of BPFdoor sleeper cells within telecom backbones signals a growing interest in kernel-level persistence mechanisms that can lie dormant for months before activation.
On the attacker‑tool front, malicious actors are increasingly leveraging everyday software ecosystems. VoidStealer demonstrates how debugging interfaces can be abused to exfiltrate Chrome secrets, while the GlassWorm Chrome extension embeds a full‑featured RAT, blurring the line between benign extensions and espionage tools. Moreover, counterfeit npm install logs now serve as a delivery vector for remote‑access trojans, targeting developers during routine package installations. These trends underscore the urgency for organizations to adopt zero‑trust principles, enforce strict code‑signing policies, and maintain continuous threat‑intelligence feeds to stay ahead of rapidly evolving malware tactics.