Case Studies: Historical Grid
XcodeGhost (2015)
4,000 Infected iOS Apps: When China Poisoned the Developer Toolchain Itself
In 2015, Chinese attackers distributed a counterfeit version of Apple's Xcode through domestic file-sharing sites, causing thousands of iOS developers to unknowingly compile malware into their own apps. Over 4,000 infected apps — including WeChat — passed Apple's code-signing process and reached end users worldwide. The case proved that compromising the developer toolchain is more dangerous than delivering a payload directly: the developer becomes an unwitting distributor at scale, and every app they sign carries a valid signature.
Event-Stream npm Poisoning (2018)
Ownership Transfer as an Attack Vector: The npm Compromise That Foreshadowed This Week
In November 2018, a malicious contributor convinced the maintainer of event-stream — 2 million weekly downloads — to transfer package ownership, then quietly added a dependency containing a cryptocurrency stealer targeting Copay Bitcoin wallet users. The package sat undetected for two months. The case was the first to demonstrate that npm ownership transfer is itself an attack vector, directly foreshadowing UNC1069's social engineering of the Axios maintainer this week.
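The event-stream pattern leaves two signals in package metadata: the maintainer set changes between releases, and the very next release pulls in a dependency that was never there before. The following Python check, added here as an illustration and not part of the case study or any real tooling, diffs two release snapshots for exactly those signals. The snapshots are constructed for the example; the field names follow the general shape of npm registry metadata but every package name, maintainer and version in them is invented.

```python
"""Flag the two signals of an ownership-transfer compromise between two
releases of a package: a changed maintainer set and a newly added dependency.
Added example; the snapshots below are constructed, not real registry data."""
from typing import Dict, List

# Constructed release snapshots (simplified shape of npm package metadata).
PREVIOUS = {
    "name": "example-stream",          # invented package name
    "version": "3.3.5",
    "maintainers": ["original-maintainer"],
    "dependencies": {"through": "~2.3.1", "duplexer": "~0.1.1"},
}
CURRENT = {
    "name": "example-stream",
    "version": "3.3.6",                # a patch release, as in the real case
    "maintainers": ["new-owner"],      # ownership transferred
    "dependencies": {
        "through": "~2.3.1",
        "duplexer": "~0.1.1",
        "unknown-stream": "0.1.1",     # invented name for the new dependency
    },
}


def is_patch_release(prev_version: str, curr_version: str) -> bool:
    """True when only the patch component of a MAJOR.MINOR.PATCH version moved."""
    prev = prev_version.split(".")
    curr = curr_version.split(".")
    return len(prev) == len(curr) == 3 and prev[:2] == curr[:2] and prev[2] != curr[2]


def diff_release(prev: Dict, curr: Dict) -> List[str]:
    """Return human-readable findings for maintainer and dependency deltas."""
    findings: List[str] = []

    prev_m = set(prev.get("maintainers", []))
    curr_m = set(curr.get("maintainers", []))
    if prev_m != curr_m:
        findings.append(
            f"maintainers changed: removed {sorted(prev_m - curr_m)}, "
            f"added {sorted(curr_m - prev_m)}"
        )

    prev_d = prev.get("dependencies", {})
    curr_d = curr.get("dependencies", {})
    for name in sorted(set(curr_d) - set(prev_d)):
        findings.append(f"new dependency: {name}@{curr_d[name]}")
    for name in sorted(set(prev_d) & set(curr_d)):
        if prev_d[name] != curr_d[name]:
            findings.append(f"dependency range changed: {name} {prev_d[name]} -> {curr_d[name]}")
    return findings


def review_required(prev: Dict, curr: Dict) -> bool:
    """Escalate when ownership changed AND the dependency graph moved in the same
    step; a new dependency arriving in a patch release is the event-stream shape."""
    findings = diff_release(prev, curr)
    ownership_changed = any(f.startswith("maintainers changed") for f in findings)
    new_dependency = any(f.startswith("new dependency") for f in findings)
    dep_changed = any(f.startswith("dependency range changed") for f in findings)
    patch_with_new_dep = new_dependency and is_patch_release(prev["version"], curr["version"])
    return ownership_changed and (new_dependency or dep_changed or patch_with_new_dep)


if __name__ == "__main__":
    for line in diff_release(PREVIOUS, CURRENT):
        print(line)
    print("review required:", review_required(PREVIOUS, CURRENT))
```

Run on the constructed pair, the check reports the maintainer swap and the new dependency and returns `review_required` = True; run on two identical snapshots it returns no findings. In practice the snapshots would come from the registry metadata of the last pinned version and the candidate update, and a hit should block the upgrade until the new dependency's source has been read, since the malicious code in event-stream lived in the dependency rather than the package itself.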
Moonlight Maze (1996–1999)
The First State Cyber Espionage Campaign — Russia's Multi-Year Infiltration of US Military Networks
From 1996 to 1999, Russian state actors systematically exfiltrated terabytes of data from US military, NASA, and DoE networks in what became the first publicly attributed state-sponsored cyber espionage campaign — Moonlight Maze. Investigators traced the attack through telephone records and sustained international cooperation, establishing the attribution framework still applied in state-nexus cases today.
Operation APT1 / Comment Crew (2006–2013)
The Mandiant Report That Named Names: China's PLA Stole Terabytes From 141 US Organizations
In February 2013, Mandiant publicly attributed years of systematic IP theft to China's PLA Unit 61398, designating the group APT1. The Comment Crew maintained persistent access to 141 US organizations across 20 industries for an average of 356 days per victim, stealing terabytes of intellectual property. The report pioneered the modern threat-actor attribution methodology that every state-nexus investigation now follows.