RL Blog | ReversingLabs | Threat Research

June 12, 2026

Device code phishing bypasses password stealing

The Microsoft 365 phishing campaign persuades victims to complete a real authentication process that authorizes an attacker-controlled device.

June 11, 2026

How to defend ARM64 cloud infrastructure from ITScape

RL has documented CVE-2026-46316, and developed two YARA rules to help detect exploits of the multi-tenant cloud vulnerability.

Social Engineering Attacks Target One Tutorial at a Time

June 9, 2026

Phishing attacks leverage TikTok, Instagram Reels

RL has discovered two social engineering attack techniques targeting users via short-form videos. Here’s how they work.

Thousands of developer projects compromised in npm hack

June 4, 2026

How 56 npm packages used binding.gyp to steal secrets

The attack is notable for its breadth, flooding npm with malicious package versions.

June 1, 2026

31 Red Hat npm packages backdoored in 72 seconds

RL has discovered a new supply chain attack affecting 9.8M total downloads across Red Hat's Hybrid Cloud Console JavaScript ecosystem.

May 26, 2026

Researcher's Notebook: Hunting Megalodon Fossils

Analyzing C2 responses from compromised GitHub Actions linked a current threat to an earlier one, showing the value of retrohunting.

May 20, 2026

Hackers Abuse Parental Controls to Hijack Google Accounts

Learn how attackers are re-casting adults as minors to bypass recovery and lock users out.

How DirtyFrag rose from the Linux privilege escalation exploit

May 12, 2026

How Dirty Frag rose from the Copy Fail exploit

RL documented 163 samples of the Linux exploit's new variants, active malware — and developed YARA rules.

May 1, 2026

Copy Fail Flaw: 5 YARA Rules for Detection

Here’s what you need to know about the Linux kernel privilege escalation — and how to use YARA rules to get on top of it.

Claude AI adds PromptMink malware to crypto trading agent

April 29, 2026

Claude adds malware to crypto agent

PromptMink has evolved into a malicious dependency in a package that allows access to crypto wallets and funds.

Graphalgo supply chain campaign respawned.

April 9, 2026

Graphalgo fake recruiter campaign returns

An attack targeting crypto developers has been respawned — with an LLC and new techniques.

March 27, 2026

The TeamPCP supply chain attack evolves

The malicious campaign started with Trivy and Checkmarx and has shifted to LiteLLM — and now telnix. Here's how.

Malicious npm packages use fake install logs to load RAT

March 24, 2026

Fake install logs in npm packages load RAT

The final-stage malware in the Ghost campaign is a RAT designed to steal crypto wallets and sensitive data.

February 26, 2026

Inside the NuGet hackers' toolset

RL discovered two packages containing scripts that complete a typosquatting toolchain. Here's how it worked.

February 25, 2026

Malicious NuGet package targets Stripe

Threat actors targeted developers with a bogus package — a shift away from the recent crypto development hack focus.

Threat Research

Device code phishing bypasses password stealing

How to defend ARM64 cloud infrastructure from ITScape

Phishing attacks leverage TikTok, Instagram Reels

How 56 npm packages used binding.gyp to steal secrets

31 Red Hat npm packages backdoored in 72 seconds

Researcher's Notebook: Hunting Megalodon Fossils

Hackers Abuse Parental Controls to Hijack Google Accounts

How Dirty Frag rose from the Copy Fail exploit

Copy Fail Flaw: 5 YARA Rules for Detection

Claude adds malware to crypto agent

Graphalgo fake recruiter campaign returns

The TeamPCP supply chain attack evolves

Fake install logs in npm packages load RAT

Inside the NuGet hackers' toolset

Malicious NuGet package targets Stripe

Spectra Assure Free Trial

Spectra Assure Free Trial