Campaigns
The morning a supply-chain attack drops, you don't need a dashboard. You need a plan.
Campaigns are named, targeted, fleet-wide scans launched on a catalog event. Every online agent picks them up on the next long-poll. Offline agents pick them up on check-in.
Signature UX
Campaign response in 30 minutes.
The morning a supply-chain attack drops, you don't need another dashboard. You need the exposed-machine list and a plan.
- 01T+00:00
Catalog entry lands
New public campaign → signed catalog entry + ready campaign template. Freshness SLO under four hours.
- 02T+04:00
Admin launches campaign
One click, fleet-wide. Every online agent starts on next long-poll. Offline agents pick up on check-in.
- 03T+14:00
Fleet reports in
Live progress bar and exposure count. Target: 1,000 endpoints, at least 95% reported within ten minutes.
- 04T+30:00
Exposed list + rotation plan
Per-machine finding, upgrade path, and ordered credential-rotation checklist ready for the ticket.
Bundled templates
Six templates ship with the MVP.
Every historical campaign in the library is a signed template you can launch immediately, the same day you install the agent.
npm · 2025
chalk · debug takeover
The maintainer of chalk, debug and 16 other npm libraries had accounts compromised via targeted phishing on Sept 8 2025. Malicious versions were live on the registry for roughly two hours.
18 packages, 2.6B weekly downloads reach
vs code + openvsx · 2025
GlassWorm
Self-propagating worm across the VS Code Marketplace and OpenVSX extension registries. Koi Security disclosed on October 18 2025. Signature traits are invisible-Unicode obfuscation and Solana blockchain C2.
35,800 installs, self-propagating VS Code + OpenVSX worm
mcp · 2025
postmark-mcp
A malicious version of an MCP server (postmark-mcp) was documented in the wild in September 2025. The compromised release silently BCC'd every outbound email to an attacker-controlled address.
In-the-wild MCP compromise, BCC exfiltration pattern
npm · 2025
Shai-Hulud 2.0
Second wave of the Shai-Hulud npm worm. 796 packages backdoored via stolen maintainer credentials, self-propagates through the same postinstall pattern as wave 1.
796 npm packages, self-replicating worm
chrome + edge · 2024
Cyberhaven wave
Christmas Eve 2024. An attacker phished a Cyberhaven employee's Chrome Web Store credential and pushed a malicious update. 34 further extensions from the same campaign were identified over the following weeks.
35 extensions, 2.6M users, 400K on Cyberhaven itself
hugging face · 2024
Hugging Face malicious models
JFrog researchers identified roughly 100 malicious models hosted on Hugging Face in February 2024. About 25 of them delivered unsafe-deserialisation payloads that executed on model load via Python's pickle __reduce__ path.
~100 backdoored models, ~25 unsafe-deserialisation payloads