Six Accounts, One Actor: Inside the prt-scan Supply Chain Campaign
After hackerbot-claw, another AI-powered campaign exploiting pull_request_target confirms the threat is here to stay. We trace the attacker back to three weeks before anyone noticed.
Hila Ramati
Hila is a threat hunting researcher at Wiz, where she focuses on identifying and investigating malicious behaviors across cloud environments. Her work focuses on uncovering misconfigurations, privilege abuse, and identity-based threats to support proactive detection and incident response.
Hila Ramati Mensajes
Axios NPM Distribution Compromised in Supply Chain Attack
A compromised axios maintainer account led to malicious npm releases that propagated across environments. Learn how to assess impact, detect compromise, and secure your development workflows.
Tracking TeamPCP: Investigating Post-Compromise Attacks Seen in the Wild
How TeamPCP are leveraging stolen secrets from the recent supply chain attacks to compromise cloud environments
React2Shell: Technical Deep-Dive & In-the-Wild Exploitation of CVE-2025-55182
We break down the exploit mechanics and detail active in-the-wild attacks observed by our team, from credential harvesting to sophisticated cloud backdoors.
Shai-Hulud 2.0 Supply Chain Attack: 25K+ Repos Exposing Secrets
Detect and mitigate malicious npm packages linked to the recent Shai-Hulud-style campaign. Over 25,000 affected repositories across ~350 unique users.
Defending against database ransomware attacks
How attackers exploit exposed databases for extortion—and the defenses that work.
IMDS Abused: Hunting Rare Behaviors to Uncover Exploits
When common processes start asking the wrong questions
Widespread npm Supply Chain Attack: Breaking Down Impact & Scope Across Debug, Chalk, and Beyond
A deeper look at the npm debug/chalk supply-chain incident: deobfuscating the wallet-hijacking browser interceptor, quantifying the ~2-hour exposure with Wiz telemetry (~99% package prevalence, ~10% malware presence), and unpacking what made it spread so fast.
From Compromised Keys to Phishing Campaigns: Inside a Cloud Email Service Takeover
Exposed cloud credentials become the launchpad for mass phishing, highlighting email services as a prime target in cloud exploitation campaigns.
SharePoint Vulnerabilities (CVE-2025-53770 & CVE-2025-53771): Everything You Need to Know
Detect and mitigate CVE-2025-53770 and CVE-2025-53771 - critical vulnerabilities in Microsoft SharePoint Server currently under active exploitation.