Intelligence Feed
The npm Threat Landscape: Attack Surface and Mitigations (Updated May 1)
Unit 42
02 May 2026
SEV 6/10
By: Unit 42
Published: May 1, 2026
Categories: High Profile Threats, Malware
Tags: Credential Harvesting, GitHub, Npm packages, Obfuscation, Payload, Supply chain, Worm propagation

Executive Summary

The security of the npm ecosystem reached a critical inflection point in September 2025. The Shai-Hulud worm, a self-replicating malware that automated the compromise and redistribution of malicious packages, marked the end of the “nuisance” era of npm attacks and the beginning of a high-consequence threat landscape. Since that watershed moment, Unit 42 has tracked an aggressive acceleration in the frequency and technical depth of supply chain compromises.
Threat Brief: Escalation of Cyber Risk Related to Iran (Updated April 17)
Unit 42
17 Apr 2026
SEV 6/10
By: Unit 42
Published: April 17, 2026
Categories: Hacktivism, High Profile Threats, Malware, Ransomware
Tags: APK, DDoS attacks, GenAI, Hacktivism, Iran, Phishing, Tarnished Scorpius, Wiper

Updates

Update April 17, 2026

As of April 17, 2026, Iran has begun restoring limited access to the internet after disconnecting from it for the past 47 days. Iran is limiting domestic access to only websites and applications mirrored on its National Information Network.

Iranian Threat Groups Renew Interest in Critical Infrastructure

In late March 2026, Unit 42 discovered a new cluster of threat activity we are tracking as CL-STA-1128 (aka Cyber Av3ngers, Storm-0784).