Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Sophos X-Ops looks at the Atomic macOS Stealer and its capabilities Sophos Managed Detection and Response (MDR) teams recently responded to a customer incident involving an infostealer infection on a macOS host. When we investigated, we found that the infostealer appeared to be a variant of AMOS (Atomic macOS), a well-known malware family we’ve written about before. The attack began with a ClickFix-style ruse, where a user was tricked into running a terminal command.

The Mini Shai-Hulud supply chain attack compromised more than 170 packages across npm and PyPI, including packages from TanStack, Mistral AI, and Guardrails AI, by hijacking legitimate CI/CD publishing workflows to distribute malicious versions that still carried apparently valid provenance signals.

In April 2026, Cato CTRL identified and blocked an attempted intrusion against a global manufacturing customer involving TencShell, a previously undocumented, Go-based implant derived from the open-source Rshell C2 framework. The activity appeared in traffic associated with a third-party user connected to the customer environment.

May 19, 2026 What the 2026 Verizon DBIR Reveals About the State of Application Security Read More Natalie Tischler May 14, 2026 How to Manage Risks Within Your Applications Read More Natalie Tischler May 12, 2026 AI Coding Tools Are Creating a Security Gap We Must Close Immediately Read More Natalie Tischler.

The Mini Shai-Hulud supply chain campaign has resurfaced with its largest wave yet. Over a 48-hour window on May 11-12, 2026, attackers compromised 172 unique packages across 403 malicious versions on npm and PyPI, including high-profile scopes like @tanstack, @uipath, @mistralai, and @opensearch-project.

Mini Shai-Hulud is back. Like I said before, we were yet to see the full scale of the attack. The npm campaign we covered in April, when it targeted SAP packages, has now turned into a much larger compromise. Our Malware Team detected 373 malicious package-version entries across 169 npm package names. The basic goal is still the same: steal credentials from developer machines and CI/CD runners, then use those credentials to reach more packages. What changed is the scale and the release path.

Organizations around the world are increasingly vulnerable to ransomware attacks, which have caused over $57 billion in damages globally by 2025, according to a report by Cybersecurity Ventures. These cyberattacks can shut down entire networks, disrupt services, and inflict severe financial and reputational damage. Knowing how to prevent ransomware on networks is essential to staying protected against these threats.