Ransomware attacks have soared 30% since late last year, and they’ve continued that trend so far in 2026, with many of the attacks affecting software and manufacturing supply chains. Those are some of the takeaways of new research published by Cyble today, which also looked at the top ransomware groups, significant ransomware attacks, new ransomware groups, and recommended cyber defenses. Ransomware groups claimed 2,018 attacks in the last three months of 2025, averaging just under 673 a month to end a record-setting year. The elevated attack levels continued in January 2026, as the threat groups claimed 679 ransomware victims. In the first nine months of 2025, ransomware groups claimed an average of 512 victims a month, so the recent trend has been more than 30% above that, Cyble noted. Below is Cyble’s chart of ransomware attacks by month since 2021, which shows a sustained uptrend since mid-2025.

Qilin Remains Top Ransomware Group as CL0P Returns

Qilin was once again the top ransomware group, claiming 115 victims in January. CL0P was second with 93 victims after claiming “scores of victims” in recent weeks in an as-yet unspecified campaign. Akira remained among the leaders with 76 attacks, and newcomers Sinobi and The Gentlemen rounded out the top five (chart below). [caption id="attachment_109255" align="aligncenter" width="845"] Top ransomware groups January 2026 (Cyble)[/caption] “As CL0P tends to claim victims in clusters, such as its exploitation of Oracle E-Business Suite flaws that helped drive supply chain attacks to records in October, new campaigns by the group are noteworthy,” Cyble said. Victims in the latest campaign have included 11 Australia-based companies spanning a range of sectors such as IT, banking and financial services (BFSI), construction, hospitality, professional services, and healthcare. Other recent CL0P victims have included “a U.S.-based IT services and staffing company, a global hotel company, a major media firm, a UK payment processing company, and a Canada-based mining company engaged in platinum group metals production,” Cyble said. The U.S. once again led all countries in ransomware attacks (chart below), while the UK and Australia faced a higher-than-normal attack volume. “CL0P’s recent campaign was a factor in both of those increases,” Cyble said. [caption id="attachment_109256" align="aligncenter" width="831"] Ransomware attacks by country January 2026 (Cyble)[/caption] Construction, professional services and manufacturing remain opportunistic targets for threat actors, while the IT industry also remains a favorite target of ransomware groups, “likely due to the rich target the sector represents and the potential to pivot into downstream customer environments,” Cyble said (chart below). [caption id="attachment_109258" align="aligncenter" width="819"] Ransomware attacks by industry January 2026 (Cyble)[/caption]

Ransomware Attacks Hit the Supply Chain

Cyble documented 10 significant ransomware attacks from January in its blog post, many of which had supply chain implications. One was an Everest ransomware group compromise of “a major U.S. manufacturer of telecommunications networking equipment ... Everest claims the data includes PDF documents containing sensitive engineering materials, such as electrical schematics, block diagrams, and service subsystem documentation.” Sinobi claimed a breach of an India-based IT services company. “Samples shared by the attackers indicate access to internal infrastructure, including Microsoft Hyper-V servers, multiple virtual machines, backups, and storage volumes,” Cyble said. A Rhysida ransomware group attack on a U.S. life sciences and biotechnology instrumentation company allegedly exposed sensitive information such as engineering blueprints and project documentation. A RansomHouse attack on a China-based electronics manufacturing for the technology and automotive manufacturers nay have exposed “extensive proprietary engineering and production-related data,” and “data associated with multiple major technology and automotive companies.” An INC Ransom attack on a Hong Kong–based components manufacturer for the global electronics and automotive industries may have exposed “client-related information associated with more than a dozen major global brands, plus confidential contracts and project documentation for at least three major IT companies.” Cyble also documented the rise of three new ransomware groups: Green Blood, DataKeeper and MonoLock, with DataKeeper and MonoLock releasing details on technical and payment features aimed at attracting ransomware affiliates to their operations.  

Infrastructure delivering updates for Notepad++—a widely used text editor for Windows—was compromised for six months by suspected China-state hackers who used their control to deliver backdoored versions of the app to select targets, developers said Monday.

“I deeply apologize to all users affected by this hijacking,” the author of a post published to the official notepad-plus-plus.org site wrote Monday. The post said that the attack began last June with an “infrastructure-level compromise that allowed malicious actors to intercept and redirect update traffic destined for notepad-plus-plus.org.” The attackers, whom multiple investigators tied to the Chinese government, then selectively redirected certain targeted users to malicious update servers where they received backdoored updates. Notepad++ didn’t regain control of its infrastructure until December.

The attackers used their access to install a never-before-seen payload that has been dubbed Chrysalis. Security firm Rapid 7 descrbed it as a "custom, feature-rich backdoor."

Read full article

Comments

© Getty Images

Ransomware and supply chain attacks set records in 2025, with ransomware attacks up more than 50% and supply chain attacks nearly doubling – trends that suggest further trouble ahead in 2026. Those are some of the data points from a new blog and annual threat landscape report from threat intelligence company Cyble. There were 6,604 ransomware attacks in 2025, 52% higher than the 4,346 attacks claimed by ransomware groups in 2024, according to Cyble data. And the year ended on an upswing for threat groups, with a near-record 731 ransomware attacks in December, behind only February 2025’s record totals (chart below). [caption id="attachment_108784" align="aligncenter" width="729"] Ransomware attacks by month 2021-2025 (Cyble)[/caption] Ransomware groups remained resilient and decentralized in 2025, and ransomware affiliates were quick to gravitate toward new leaders like Qilin in the wake of law enforcement disruptions.

Supply Chain Attacks Soared in 2025

Supply chain attacks soared by 93% in 2025, according to Cyble dark web researchers, as supply chain attacks claimed by threat groups surged from 154 incidents in 2024 to 297 in 2025 (chart below). [caption id="attachment_108785" align="aligncenter" width="717"] Supply chain attacks by month 2024-2025 (Cyble)[/caption] “As ransomware groups are consistently behind more than half of supply chain attacks, the two attack types have become increasingly linked,” Cyble noted. Supply chain attacks have declined since setting a record in October, but Cyble noted that “they remain above even the elevated trend that began in April 2025.” Every industry and sector tracked by Cyble was hit by a software supply chain attack in 2025, but the IT and Technology sectors were by far the most frequently hit because of the potential for expanding attacks into downstream customer environments. The sophistication of those attacks also grew. Supply chain attacks in 2025 “expanded far beyond traditional package poisoning, targeting cloud integrations, SaaS trust relationships, and vendor distribution pipelines,” Cyble said. “Adversaries are increasingly abusing upstream services—such as identity providers, package registries, and software delivery channels—to compromise downstream environments on a large scale.” Attacks on Salesforce through third-party integrations is one such example, as attackers “weaponized trust between SaaS platforms, illustrating how OAuth-based integrations can become high-impact supply chain vulnerabilities when third-party tokens have been compromised.”

Qilin Dominated Following RansomHub’s Decline

Qilin emerged as the leading ransomware group in April after RansomHub was hit by a possible act of sabotage by rival Dragonforce. Qilin claimed another 190 victims in December, besting a resurgent Lockbit and other leaders such as newcomer Sinobi. Qilin claimed 17% of all ransomware victims in 2025, well ahead of Akira, CL0P, Play and SafePay (chart below). Cyble noted that of the top five ransomware groups in 2025, only Akira and Play also made the list in 2024, as RansomHub and Lockbit declined and Hunters apparently rebranded as World Leaks. [caption id="attachment_108788" align="aligncenter" width="936"] 2025's top ransomware groups (Cyble)[/caption] Cyble documented 57 new ransomware groups, 27 new extortion groups and more than 350 new ransomware strains in 2025. Those new strains were “largely based on the MedusaLocker, Chaos, and Makop ransomware families,” Cyble said. Among new groups, Devman, Sinobi, Warlock and Gunra have targeted critical infrastructure, particularly in Government & Law Enforcement and Energy & Utilities, at an above-average rate. RALord/Nova, Warlock, Sinobi, The Gentlemen and BlackNevas have focused on the IT, Technology, and Transportation & Logistics sectors. The U.S. was by far the most attacked country, suffering 55% of all ransomware attacks in 2025. Canada, Germany, the UK, Italy and France rounded out the top six (chart below). [caption id="attachment_108789" align="aligncenter" width="936"] 2025 ransomware attacks by country (Cyble)[/caption] Construction, professional services and manufacturing were the industries most targeted by ransomware groups, followed by healthcare and IT (chart below). [caption id="attachment_108791" align="aligncenter" width="936"] 2025 ransomware attacks by sector (Cyble)[/caption] “The significant supply chain and ransomware threats facing security teams as we enter 2026 require a renewed focus on cybersecurity best practices that can help protect against a wide range of cyber threats,” Cyble concluded, listing best practices such as segmentation and strong access control and vulnerability management.

Just weeks after the devastating "Second Coming" campaign crippled thousands of development environments, the threat actor behind the Shai-Hulud worm has returned. Security researchers at Aikido have detected a new, evolved strain of the malware dubbed "The Golden Path," signaling that the most aggressive supply chain predator in the npm ecosystem is far from finished.

This latest iteration was first spotted on over the weekend, embedded within the package @vietmoney/react-big-calendar. While the initial discovery suggests the attackers may still be in a "testing" phase with limited spread, the technical refinements found in the code point to a more resilient and cross-platform threat.

Evolution of a Predator

Shai-Hulud has long utilized a Dune-inspired theatrical flair, but its latest evolution suggests a shift in branding. In this new wave, stolen data is exfiltrated to GitHub repositories featuring a cryptic new description: "Goldox-T3chs: Only Happy Girl.

Technically, "The Golden Path" is a significant upgrade. Earlier versions of the worm struggled with Windows environments when attempting to self-propagate using the bun runtime. The new strain specifically addresses this, implementing cross-platform publishing capabilities that ensure the worm can spread regardless of the victim's operating system.

Researchers also noted a shift in file nomenclature—the malware now operates via bun_installer.js and environment_source.js—and features improved error handling for TruffleHog, the secret-scanning tool the worm uses to harvest AWS, GCP, and Azure credentials. By refining its timeout logic, the malware is now less likely to crash during high-latency scans, making its "smash-and-grab" operations more reliable.

A Legacy of Disruption

This isn't Shai-Hulud’s first rodeo. The group first made headlines in September 2025 when a massive campaign hit over 500 npm packages, including those belonging to cybersecurity giant CrowdStrike.

Read: CrowdStrike Among Those Hit in NPM Attack Campaign

That initial strike was historically significant, resulting in the theft of an estimated $50 million in cryptocurrency and proving that even the most security-conscious organizations are vulnerable to upstream dependency hijacking.

In November, the "Second Coming" wave escalated the stakes by introducing a "dead man’s switch"—a destructive payload designed to wipe a user's home directory if the malware detected it had been cut off from its command-and-control (C2) servers.

Read: New Shai-Hulud Attack Hits Nearly 500 npm Packages with 100+ Million Downloads

The Supply Chain Standoff

The return of Shai-Hulud underscores a grim reality for modern DevOps: trust is a liability. By targeting the preinstall phase of npm packages, the malware executes before a developer even realizes a package is malicious.

"The differences in the code suggests that this was obfuscated again from original source, not modified in place," Aikido researchers noted. "This makes it highly unlikely to be a copy-cat, but was made by somebody who had access to the original source code for the worm."

Relying on npm’s default security is no longer sufficient. Organizations are urged to adopt "Trusted Publishing," enforce strict lockfile integrity, and utilize package-aging tools that block the installation of brand-new, unvetted releases. In the world of Shai-Hulud, the only way to survive the desert is to stop trusting the ground beneath your feet.