npm install is a trust exercise
What you missed today
Good evening.
A Russian IAB got sentenced today, a bug bounty platform got breached by its own benefits vendor, and npm had another bad week.
Here are the 5 things you missed today:
1. 🔓 HackerOne Got Breached Through Its HR Benefits Provider
A BOLA vulnerability in Navia, HackerOne's US benefits administrator, gave an unknown attacker access to employee data between December 22, 2025, and January 15, 2026. 287 HackerOne employees had SSNs, dates of birth, addresses, and plan enrollment data exposed. The wider Navia breach hit 2.7 million people. HackerOne says it didn't receive formal notification until March, and is still waiting for a satisfactory explanation for the delay. The irony of a bug bounty platform caught out by a third-party disclosure lag isn't subtle.
2. 🎯 Fake OpenClaw Docker Repo Is Hiding a Data-Stealing Trojan
A campaign tracked as "TroyDen's Lure Factory" spread 300+ trojanized GitHub packages behind polished lures, including a fake OpenClaw Docker deployer complete with a detailed README, a GitHub.io page, and listed contributors to fake legitimacy. The hidden payload is a LuaJIT-based Trojan that captures screenshots, geolocates victims, and exfiltrates sensitive data. If your developers are running OpenClaw deployments sourced from GitHub, verify the repo provenance before anything else.
3. 🚨 Citrix NetScaler Has Two New Vulns. One Leaks Memory. Patch Now.
CVE-2026-3055 is a CVSS 9.3 out-of-bounds read that lets an unauthenticated remote attacker leak sensitive data from memory. CVE-2026-4368 is a race condition that causes session mix-up. Both only affect appliances configured as SAML IDP or Gateway, not default builds. No active exploitation confirmed yet, but NetScaler is a perennial high-value target. Patch to 14.1-66.59 or later.
4. 🇷🇺 Russian IAB Sentenced to 81 Months for $9M in Ransomware Damage
Aleksei Volkov, 26, of St. Petersburg, was sentenced in Indiana after pleading guilty to hacking victims' networks, stealing data, deploying ransomware, and dividing ransoms with co-conspirators. He agreed to pay $9.2m in restitution. He worked as an IAB for several cybercrime groups including the Yanluowang operation, whose victims included Cisco and Walmart. Notably, Volkov left Russia and was arrested in Rome in 2024, then extradited to the US in 2025.
5. 📦 npm Ghost Campaign Uses Fake Install Logs to Steal Sudo Passwords
Seven malicious npm packages displayed convincing fake install logs, complete with progress bars and random delays, to make installation look legitimate. Mid-install, users were prompted for their sudo password to "fix a permissions issue." That password was then used to execute the final malware stage silently. The final payload delivered GhostLoader malware via a Telegram-hosted C2, targeting crypto wallets and credentials.
Bonus. CISO Tip of the Day
The HackerOne breach came through an HR benefits vendor with a BOLA flaw, not through HackerOne's core systems. Third-party processors handling employee PII need the same security review cadence as production vendors. Most breach notification timelines are contractual, not voluntary: know what your vendor contracts actually require before an incident, not after.
- Alex