Credential-Theft — CraftedSignal Threat Feed

Multi-Stage 'Code of Conduct' Phishing Campaign Leads to AiTM Token Compromise

hello@craftedsignal.io — Mon, 04 May 2026 15:00:00 +0000

Between April 14 and 16, 2026, Microsoft Defender Research observed a sophisticated, large-scale phishing campaign targeting over 35,000 users across more than 13,000 organizations in 26 countries, predominantly in the United States (92%). The campaign, which did not focus on a single vertical, impacted a range of industries, with Healthcare & life sciences (19%), Financial services (18%), Professional services (11%), and Technology & software (11%) being the most affected. Attackers employed code of conduct-themed lures delivered via emails that appeared as internal compliance or regulatory communications. The campaign utilized a multi-step attack chain, including CAPTCHA challenges and intermediate staging pages, to reinforce legitimacy and filter out automated defenses, ultimately leading to an adversary-in-the-middle (AiTM) phishing flow.

Attack Chain

The attack begins with phishing emails posing as internal compliance communications, using subjects like “Internal case log issued under conduct policy”.
The emails contain a PDF attachment (e.g., “Awareness Case Log File – Tuesday 14th, April 2026.pdf”) that claims a “code of conduct review” has been initiated.
Recipients are instructed to click a “Review Case Materials” link within the PDF.
Clicking the link redirects the user to one of the attacker-controlled domains (e.g., acceptable-use-policy-calendly[.]de).
The landing page displays a Cloudflare CAPTCHA to validate the user and impede automated analysis.
After CAPTCHA completion, the user is redirected to an intermediate site that informs them the requested documentation is encrypted and requires account authentication.
The user is presented with a legitimate-looking sign-in experience, part of an AiTM phishing flow.
The attackers proxy the authentication session in real time and capture authentication tokens, granting immediate account access.

Impact

This campaign resulted in the compromise of authentication tokens, enabling attackers to gain unauthorized access to user accounts and bypass multifactor authentication. With more than 35,000 users targeted across over 13,000 organizations, the potential for widespread data breaches, financial fraud, and further malicious activities is significant. The targeting of sectors like Healthcare and Financial Services indicates a focus on high-value targets with sensitive data.

Recommendation

Educate users about phishing lures, especially those using social engineering tactics and enterprise-style HTML templates.
Deploy the Sigma rule “Detect Suspicious PDF Opening via Uncommon Applications” to identify unusual PDF execution paths, based on the ‘file_event’ log source.
Configure email security settings in Microsoft Defender for Office 365 to filter out phishing emails effectively.
Enable network protection to leverage SmartScreen as a host-based web proxy.
Block access to the attacker-controlled domains, such as acceptable-use-policy-calendly[.]de, at the DNS resolver level.

Compromised Bitwarden CLI npm Package Enables Credential Theft and Information Exfiltration

hello@craftedsignal.io — Mon, 04 May 2026 11:28:56 +0000

A compromised Bitwarden CLI npm package allows a remote, anonymous attacker to steal credentials and exfiltrate sensitive information. The specific version of the compromised package is not detailed in the advisory. This supply chain attack targets developers and users who rely on the Bitwarden CLI for managing their passwords and secrets. This attack has the potential to expose sensitive credentials, leading to unauthorized access to systems and data. Defenders need to monitor for unusual activity related to the Bitwarden CLI and its usage within their environments to mitigate this risk.

Attack Chain

Attacker compromises a Bitwarden CLI npm package through techniques such as typosquatting, account compromise, or dependency confusion.
Unsuspecting developers or users download and install the compromised package from the npm registry.
During installation, the malicious package executes malicious code injected by the attacker.
The malicious code collects Bitwarden credentials and other sensitive information stored in the CLI’s configuration.
The compromised package establishes a covert communication channel (e.g., HTTPS) to an attacker-controlled server.
Stolen credentials and sensitive information are exfiltrated to the attacker’s server.
The attacker uses the stolen credentials to access victim’s Bitwarden vaults or other systems.
The attacker may further escalate privileges and compromise additional systems within the victim’s environment using the stolen credentials.

Impact

Successful exploitation leads to the theft of sensitive credentials and information stored within Bitwarden CLI. The number of victims is currently unknown. Organizations using the compromised package could experience unauthorized access to critical systems, data breaches, and potential financial losses. The targeted sectors are broad, encompassing any organization utilizing the Bitwarden CLI for password management and secret storage.

Recommendation

Monitor npm package installations for unusual activity or unexpected dependencies using process creation logs and file integrity monitoring.
Implement strict code review processes for all third-party dependencies, especially those related to security tools like Bitwarden CLI.
Deploy the Sigma rule detecting suspicious network connections from the Bitwarden CLI executable to identify potential data exfiltration.
Enforce multi-factor authentication (MFA) on Bitwarden accounts to mitigate the impact of credential theft.
Regularly audit and review the permissions and access rights associated with Bitwarden CLI credentials.

Increased npm Supply Chain Attacks Targeting SAP Developers

hello@craftedsignal.io — Sat, 02 May 2026 00:10:33 +0000

The npm ecosystem is experiencing a surge in sophisticated supply chain attacks following the Shai-Hulud worm in September 2025. Attackers, including TeamPCP, are actively compromising npm packages to gain access to sensitive information and establish persistence within CI/CD pipelines. The attacks have evolved to include wormable propagation, infrastructure-level persistence, and multi-stage payloads designed to evade detection. In April 2026, two campaigns were observed: one included the string “Shai-Hulud: The Third Coming,” and the other, dubbed “Mini Shai-Hulud,” targeted the SAP developer ecosystem. The compromised packages are often part of SAP’s Cloud Application Programming (CAP) Model and multitarget application (MTA) build toolchain, increasing the likelihood of impacting enterprise developers and CI/CD pipelines with access to cloud credentials and GitHub tokens.

Attack Chain

Initial Compromise: Attackers compromise legitimate npm packages, such as @cap-js/sqlite, @cap-js/postgres, @cap-js/db-service, and mbt, by injecting malicious code.
Malicious Code Injection: Compromised packages receive two new files: setup.mjs and execution.js, along with a modified package.json containing a “preinstall” hook.
Execution of setup.mjs: During the npm install process, the preinstall hook executes setup.mjs, which detects the host OS and architecture.
Bun Runtime Download and Execution: setup.mjs downloads the Bun JavaScript runtime (v1.3.13) from GitHub releases and extracts it to a temporary directory.
Execution of execution.js: The Bun runtime executes execution.js, a large (11.7 MB) obfuscated credential stealer and propagation framework.
Credential Harvesting: execution.js harvests GitHub tokens, npm tokens, environment variables, GitHub Actions secrets, AWS STS identity, Azure Key Vault secrets, GCP Secret Manager values, and Kubernetes service account tokens. It also targets Claude and MCP configuration files and Electrum wallets.
Data Exfiltration: The collected data is compressed, encrypted, and exfiltrated to freshly created public GitHub repositories with randomized names and descriptions.
Propagation: The malware searches for commits containing the keyword “OhNoWhatsGoingOnWithGitHub,” decodes matching commit messages as a token dead-drop, recovers stolen GitHub tokens, and uses them to spread the malware to other packages.

Impact

Compromised npm packages can lead to the theft of sensitive credentials, including cloud provider credentials, GitHub tokens, and CI/CD secrets. Successful attacks can result in unauthorized access to cloud infrastructure, code repositories, and deployment pipelines. The Mini Shai-Hulud campaign targeted packages with approximately 570,000 weekly downloads, potentially impacting a large number of SAP developers and enterprise environments. The attackers use stolen credentials to further propagate the malware, increasing the scale and scope of the compromise.

Recommendation

Rotate npm tokens and GitHub Personal Access Tokens (PATs) immediately if any affected packages were installed (refer to the list of affected packages in the IOC table).
Monitor npm install processes for unexpected execution of node setup.mjs (see Attack Chain).
Implement the Sigma rule “Detect Suspicious Bun Process Execution” to identify potential execution of the Bun runtime from temporary directories.
Monitor network connections for unusual processes connecting to api.github[.]com/search/commits?q=OhNoWhatsGoingOnWithGitHub (see IOCs) to detect potential C2 activity.
Deploy the Sigma rule “Detect Github Commit By Claude Email” to identify commits authored with the email claude@users.noreply.github.com to detect malicious commits.

Compromised PyTorch Lightning Packages on PyPI Steal Developer Credentials

hello@craftedsignal.io — Fri, 01 May 2026 00:45:31 +0000

On April 30, 2026, two malicious versions (2.6.2 and 2.6.3) of the widely used pytorch-lightning package were published to the PyPI registry after the publisher account was compromised. These versions contain embedded malicious code designed to steal developer credentials and republish infected versions of repositories to which the stolen tokens have access. The attack is triggered upon importing the package, initiating a background process that silently harvests credentials from a wide array of services, including AWS, Azure, Google Cloud, and GitHub, as well as local environment variables and credential files. Version 2.6.3 was published just 13 minutes after 2.6.2, and was intended to evade detection.

Attack Chain

Attacker compromises the publisher account for the pytorch-lightning package on PyPI.
Attacker publishes malicious versions 2.6.2 and 2.6.3 to PyPI.
A modified __init__.py file within the package initiates a background process upon import.
The background process executes silently, without any visible output or indication of compromise to the user.
The malicious package downloads a runtime (Bun) from GitHub.
The package executes a large, obfuscated JavaScript file, targeting AWS, Azure, Google Cloud, GitHub, and local credential stores.
Stolen credentials, including cloud provider keys, API tokens, and secrets, are exfiltrated to attacker-controlled infrastructure.
The malware attempts to download and execute a second-stage payload from attacker-controlled infrastructure, expanding the scope of the attack.

Impact

Organizations that downloaded and used versions 2.6.2 or 2.6.3 of the pytorch-lightning package are at high risk of compromise. The malicious package is designed to steal a wide range of credentials, including cloud provider keys, API tokens, and secrets stored in environment variables. This can lead to unauthorized access to sensitive data and systems, potentially resulting in data breaches, financial losses, and reputational damage. The malware’s ability to download and execute secondary payloads further increases the potential impact.

Recommendation

Immediately remove versions 2.6.2 and 2.6.3 of the lightning package from all systems where they are installed (see overview).
Audit systems for unauthorized processes and review outbound network connections to detect potential compromises (see overview).
Rotate all cloud provider keys (AWS, Azure, GCP), API tokens (GitHub, CI/CD systems), and secrets stored in environment variables to prevent further unauthorized access (see Attack Chain).
Implement the Detect Suspicious PyPI Package Installation Sigma rule to identify potential malicious packages being installed in the future (see rules).
Implement the Detect Credential Harvesting via Bun Sigma rule to catch execution of the malicious JavaScript payload (see rules).
Pin dependencies to known-good versions and verify package integrity before use to prevent future supply chain attacks (see references).

Q1 2026 Email Threat Landscape: Rise in Phishing Techniques and Tycoon2FA Disruption

hello@craftedsignal.io — Thu, 30 Apr 2026 15:00:00 +0000

In the first quarter of 2026, Microsoft Threat Intelligence observed a significant rise in email-based phishing threats, totaling approximately 8.3 billion. This increase was driven by surges in QR code phishing (more than doubling over the period), CAPTCHA-gated phishing, and credential phishing attacks. Microsoft’s Digital Crime Unit successfully disrupted the Tycoon2FA phishing-as-a-service (PhaaS) platform in early March, leading to a 15% reduction in associated email volume. However, threat actors adapted by shifting hosting providers and domain registration patterns. Business email compromise (BEC) also remained a prevalent threat, with approximately 10.7 million attacks recorded during the quarter, often characterized by low-effort, generic outreach messages. Microsoft Defender Research has also noted the emergence of AI-enabled device code phishing campaigns.

Attack Chain

Initial Email Delivery: Attackers send phishing emails impersonating legitimate services or organizations. These emails may contain links, QR codes, or HTML attachments.
Victim Interaction: The victim opens the email and clicks on a malicious link or scans a QR code, redirecting them to a phishing page.
Phishing Page Redirection: The phishing page mimics a legitimate login portal, such as Microsoft 365 or other enterprise applications.
Credential Harvesting: The victim enters their username and password on the phishing page, which are then captured by the attacker.
MFA Bypass (AiTM): For attacks using adversary-in-the-middle (AiTM) techniques (like those facilitated by Tycoon2FA), the attacker intercepts the MFA code and uses it to authenticate.
Account Compromise: With the stolen credentials and MFA code (if applicable), the attacker gains unauthorized access to the victim’s account.
Lateral Movement/Data Theft: The attacker uses the compromised account to access sensitive data, send further phishing emails, or move laterally within the organization.
Business Email Compromise: In BEC attacks, attackers use compromised accounts or spoofed email addresses to send fraudulent invoices or requests for wire transfers.

Impact

The observed email threats in Q1 2026 led to a high risk of credential compromise, financial loss through BEC attacks, and potential data breaches across various sectors. Although the total number of victims is not specified, the billions of phishing attempts indicate a widespread impact. Microsoft’s disruption of Tycoon2FA temporarily reduced phishing volumes by 15%, demonstrating the potential for proactive intervention to mitigate these threats. However, threat actors are quickly adapting their techniques, indicating the need for continued vigilance and enhanced security measures. The 10.7 million BEC attacks alone represent a significant financial threat to businesses.

Recommendation

Deploy the “Detect Tycoon2FA Phishing Attempts” Sigma rule to identify email campaigns associated with the Tycoon2FA platform.
Enable Microsoft Defender detections to improve detection of phishing emails and malicious payloads.
Monitor email traffic for suspicious domain registrations, particularly those using newer generic top-level domains (TLDs) such as .DIGITAL, .BUSINESS, .CONTRACTORS, .CEO, and .COMPANY, and the resurgence of .RU registrations, to identify potential Tycoon2FA infrastructure shifts.
Educate users about the dangers of QR code phishing and CAPTCHA-gated attacks, emphasizing the importance of verifying the legitimacy of login pages and email senders, to reduce the effectiveness of phishing campaigns (T1566).

Mini Shai-Hulud Supply Chain Attack Targets SAP NPM Packages

hello@craftedsignal.io — Thu, 30 Apr 2026 14:27:36 +0000

The Mini Shai-Hulud campaign, active as of April 2026, targets SAP NPM packages used in the SAP Cloud Application Programming (CAP) ecosystem and SAP cloud deployment workflows. Four package versions were compromised: mbt 1.2.48, @cap-js/db-service 2.10.1, @cap-js/postgres 2.2.2, and @cap-js/sqlite 2.2.2. These packages, with over 500,000 combined weekly downloads, are essential for SAP’s Cloud MTA Build Tool and database services for CAP software. The attackers injected a preinstall script that fetches and executes a Bun binary, bypassing security monitoring. The malicious versions were available for a short window of 2-4 hours before being unpublished and superseded by clean versions. Wiz attributes this activity to TeamPCP due to a shared RSA public key used to encrypt the exfiltrated secrets.

Attack Chain

The attacker compromises an NPM token, possibly exposed through CircleCI.
The attacker injects a malicious preinstall script into the targeted SAP NPM packages (mbt, @cap-js/db-service, @cap-js/postgres, @cap-js/sqlite).
When a user installs the compromised package, the preinstall script executes.
The script fetches a Bun ZIP archive from a GitHub repository.
The script extracts the Bun archive and executes the included Bun binary.
The Bun binary steals local credentials, GitHub and NPM tokens, AWS, Azure, GCP, GitHub Action, and Kubernetes secrets.
The stolen data is exfiltrated to public GitHub repositories with the description “A Mini Shai-Hulud has Appeared”.
The malware propagates by modifying package tarballs, updating versions, repackaging them, and publishing them using stolen GitHub Actions tokens.

Impact

The Mini Shai-Hulud attack poses a significant threat to developers and organizations using SAP CAP, a framework for S/4HANA extensions, Fiori app backends, MTAs, and integration flows. With over 500,000 weekly downloads of the affected packages, a large number of systems could have been affected. Successful exploitation allows attackers to steal sensitive credentials and cloud secrets, potentially leading to unauthorized access to critical SAP systems, cloud infrastructure, and source code repositories. This access could be used for further malicious activities, including data breaches, financial fraud, and supply chain compromise.

Recommendation

Organizations using SAP Business Technology Platform workflows, SAP CAP, or MTA-based deployment pipelines should immediately check if they installed the malicious package versions (mbt 1.2.48, @cap-js/db-service 2.10.1, @cap-js/postgres 2.2.2, @cap-js/sqlite 2.2.2) during the exposure window.
Implement network monitoring rules to detect connections to unusual GitHub repositories created to host stolen data. Monitor for repositories with the description “A Mini Shai-Hulud has Appeared”.
Monitor process execution for the execution of bun binaries in unusual or unexpected locations to identify systems where compromised packages were installed. Deploy the Sigma rule Detect Bun Execution From NPM Package to detect this behavior.

Compromised SAP npm Packages Steal Developer Credentials

hello@craftedsignal.io — Wed, 29 Apr 2026 22:43:44 +0000

On April 29, 2026, security researchers discovered that multiple official SAP npm packages were compromised in a supply-chain attack, suspected to be carried out by TeamPCP. The compromised packages, including @cap-js/sqlite (v2.2.2), @cap-js/postgres (v2.2.2), @cap-js/db-service (v2.10.1), and mbt (v1.2.48), support SAP’s Cloud Application Programming Model (CAP) and Cloud MTA, commonly used in enterprise development. The attack involves injecting a malicious ‘preinstall’ script into these packages, which executes automatically during installation. This script downloads and executes a heavily obfuscated JavaScript payload designed to steal sensitive credentials from developer machines and CI/CD environments. This incident highlights the ongoing risk of supply chain attacks targeting widely used development tools.

Attack Chain

Initial Compromise: Threat actors compromise official SAP npm packages (@cap-js/sqlite, @cap-js/postgres, @cap-js/db-service, mbt). The exact method of initial compromise is currently unknown, but a misconfigured CircleCI job is suspected.
Package Modification: The compromised npm packages are modified to include a malicious ‘preinstall’ script.
Installation Trigger: When developers install the compromised packages using npm install, the ‘preinstall’ script executes automatically.
Payload Download: The ‘preinstall’ script launches a loader named setup.mjs that downloads the Bun JavaScript runtime from GitHub.
Execution of Information Stealer: The Bun runtime is used to execute a heavily obfuscated execution.js payload, which acts as an information stealer.
Credential Theft: The information stealer targets a wide variety of credentials, including npm and GitHub authentication tokens, SSH keys, cloud credentials for AWS, Azure, and Google Cloud, Kubernetes configurations and secrets, and CI/CD pipeline secrets and environment variables. It also attempts to extract secrets directly from the CI runner’s memory by scanning /proc//maps and /proc//mem.
Data Exfiltration: The stolen data is encrypted and uploaded to public GitHub repositories under the victim’s account. These repositories include the description “A Mini Shai-Hulud has Appeared”.
Lateral Movement: The malware searches GitHub commits for the string OhNoWhatsGoingOnWithGitHub:, decoding matching commit messages into GitHub tokens to gain further access and propagate to other packages and repositories, injecting the same malicious code.

Impact

This supply chain attack can lead to the theft of sensitive credentials, allowing attackers to gain unauthorized access to internal systems, cloud infrastructure, and source code repositories. The compromised credentials and secrets can be used for lateral movement within the victim’s network, data exfiltration, and further supply chain attacks. The use of stolen credentials to modify other packages increases the scope of the attack, potentially impacting a large number of developers and organizations using the compromised SAP packages.

Recommendation

Monitor npm package installations for the presence of preinstall scripts executing unusual processes, such as the execution of setup.mjs or the download of the Bun JavaScript runtime from GitHub; implement the Detect Suspicious NPM Package Preinstall Script Sigma rule.
Implement the Detect GitHub Repository Creation with "A Mini Shai-Hulud has Appeared" Description Sigma rule to detect exfiltration attempts via public GitHub repositories.
Audit CI/CD pipeline configurations and restrict access to sensitive credentials and secrets to prevent exposure via misconfigured jobs; remediate the reported CircleCI misconfiguration.
Monitor process memory for credential harvesting activity targeting Runner processes in CI/CD environments, specifically looking for reads of /proc//maps and /proc//mem as outlined in the overview.
Deprecate and remove the compromised packages @cap-js/sqlite (v2.2.2), @cap-js/postgres (v2.2.2), @cap-js/db-service (v2.10.1), and mbt (v1.2.48) from your development and CI/CD environments.

UNC6692 Combines Social Engineering, Malware, and Cloud Abuse

hello@craftedsignal.io — Tue, 28 Apr 2026 14:00:00 +0000

UNC6692 is a newly tracked, financially motivated threat group that employs a multi-stage intrusion campaign combining persistent social engineering and custom modular malware. The actor begins by flooding a target’s email inbox before contacting them via Microsoft Teams, posing as help desk personnel to resolve the issue. This leads to a phishing attack where victims are tricked into downloading and executing malicious payloads. UNC6692 abuses legitimate cloud infrastructure, specifically AWS S3 buckets, for payload delivery, command and control (C2), and data exfiltration, allowing them to bypass traditional network reputation filters. The group’s operations are focused on gaining access and stealing credentials for further actions, ultimately aiming to exfiltrate data of interest from compromised systems. The initial campaign was observed in late December.

Attack Chain

The attacker floods a target’s email inbox to create a sense of urgency.
The attacker contacts the target via Microsoft Teams, impersonating help desk personnel.
The attacker sends a phishing link via Teams, promising a local patch to fix the email spamming issue.
The target clicks the link, which downloads a renamed AutoHotKey binary and an AutoHotkey script from a threat actor-controlled AWS S3 bucket.
Execution of the AutoHotKey binary automatically runs the script, initiating reconnaissance commands and installing the SNOWBELT malicious Chromium browser extension.
SNOWBELT facilitates the download of additional tools, including the Snowglaze Python tunneler, the Snowbasin Python bindshell (used as a persistent backdoor), additional AutoHotkey scripts, and a portable Python executable with required libraries.
The attacker uses a Python script to scan the local network for ports 135, 445, and 3389 and enumerate local administrator accounts.
The attacker uses a local administrator account to initiate an RDP session via Snowglaze from the compromised system to a backup server, then dumps LSASS process memory and uses pass-the-hash to move laterally to the domain controller.

Impact

The UNC6692 attack leads to the compromise of targeted systems, credential theft, and potential data exfiltration. If successful, the attacker gains control over the domain controller, allowing them to access sensitive information and potentially cause significant damage to the organization. The abuse of AWS S3 buckets allows the threat actor to blend in with legitimate cloud traffic, making detection more difficult. The financial motivation suggests that stolen credentials and data could be used for further malicious activities, such as ransomware attacks or sale on the dark web.

Recommendation

Monitor for AutoHotKey execution, especially when associated with downloads from unusual locations like AWS S3 buckets, to detect initial payload execution (see Sigma rule below).
Implement network monitoring to detect unusual RDP connections initiated from compromised systems to internal servers, as this is a key lateral movement technique used by UNC6692 (see Sigma rule below).
Monitor for the installation of new Chromium extensions, especially those not distributed through the Chrome Web Store, as this is how the SNOWBELT malware is deployed.
Monitor for the use of Python scripts to scan the local network for open ports (135, 445, 3389) and enumerate local administrator accounts.
Investigate any Microsoft Teams messages delivering links that promise to fix technical problems, as this is the initial social engineering tactic used by UNC6692.

AWS Credentials Used from GitHub Actions and Non-CI/CD Infrastructure

hello@craftedsignal.io — Wed, 22 Apr 2026 17:45:55 +0000

This threat involves the unauthorized use of AWS credentials stolen from GitHub Actions secrets. Attackers exfiltrate these credentials and use them from their own infrastructure, bypassing the intended CI/CD environment. The activity is detected by observing AWS access keys appearing in CloudTrail logs originating from both legitimate GitHub Actions runners (identified by Microsoft ASN or the github-actions user agent string) and suspicious infrastructure outside the expected CI/CD provider ASNs (Amazon, Google, Microsoft). This indicates a breach of GitHub repository or organization secrets, leading to potential unauthorized access and control over AWS resources. This activity can begin with compromised Github accounts.

Attack Chain

An attacker gains unauthorized access to a GitHub repository or organization with AWS credentials stored as secrets.
The attacker exfiltrates the AWS access key ID and secret access key, either manually or through automated means, such as modifying a GitHub Action workflow to expose the secrets.
The attacker configures the stolen AWS credentials on their own infrastructure, using tools like the AWS CLI or boto3.
The attacker attempts to authenticate to AWS using the stolen credentials. This generates CloudTrail logs with the attacker’s source IP address and ASN.
The attacker performs reconnaissance activities, such as calling sts:GetCallerIdentity, ListBuckets, DescribeInstances, or ListUsers, to understand the AWS environment and identify potential targets.
The attacker attempts to escalate privileges or move laterally within the AWS environment by exploiting the compromised credentials.
The attacker may create, modify, or delete AWS resources, such as EC2 instances, S3 buckets, or IAM roles, depending on the permissions associated with the stolen credentials.

Impact

Successful exploitation leads to unauthorized access to AWS resources, potentially resulting in data breaches, service disruptions, or financial losses. The impact depends on the permissions associated with the stolen AWS credentials. A single compromised credential could expose sensitive data, disrupt critical services, or allow attackers to deploy malicious infrastructure within the victim’s AWS environment. Identifying and responding to this threat quickly is vital to minimize damages.

Recommendation

Deploy the Sigma rule “AWS Credentials Used from GitHub Actions and Non-CI/CD Infrastructure” to your SIEM and tune for your environment to detect suspicious usage patterns.
Rotate the compromised AWS access key in IAM immediately and update the corresponding GitHub repository/organization secret as described in the rule documentation.
Implement OIDC-based authentication (aws-actions/configure-aws-credentials with role-to-assume) instead of long-lived access keys as mentioned in the rule documentation.
If using OIDC, add IP condition policies to the IAM role trust policy to restrict AssumeRoleWithWebIdentity to known GitHub runner IP ranges, based on the information in the rule documentation.

Malicious Chrome Extensions Stealing Data and Opening Backdoors

hello@craftedsignal.io — Thu, 16 Apr 2026 12:00:00 +0000

A coordinated campaign involving 108 malicious Chrome extensions has been discovered. These extensions, distributed through five accounts (GameGen, InterAlt, SideGames, Rodeo Games, and Yana Project), are designed to steal user data, inject ads, and create backdoors. Over 20,000 users have installed these extensions. The extensions provide expected functionality to avoid suspicion, but malicious code runs in the background, communicating with a shared C&C infrastructure to perform nefarious activities. The extensions target various user types by masquerading as Telegram sidebar clients, slot machine and Keno games, YouTube and TikTok enhancers, a text translation tool, and page utility extensions. This campaign poses a significant threat to user privacy and system security.

Attack Chain

Users install malicious Chrome extensions from the Chrome Web Store, believing they are legitimate tools (e.g., Telegram clients, games, enhancers).
Upon installation, the extensions execute JavaScript code in the background.
Extensions designed for credential theft acquire Google OAuth2 Bearer tokens and exfiltrate user information (email, name, profile picture) to a remote server.
Extensions targeting Telegram steal the active Telegram Web session by overwriting local storage with attacker-supplied data and force-reloading Telegram.
Some extensions contain a backdoor that opens an arbitrary URL received from the C&C server in a new tab upon browser start.
Other malicious activities include injecting ads into YouTube and TikTok pages, injecting content scripts into all visited pages, or proxying translation requests through attacker-controlled servers.
The attacker gains access to user accounts (Google, Telegram) and can inject malicious content, redirect traffic, and steal sensitive information.

Impact

Over 20,000 users have been affected by these malicious extensions. The campaign targets a broad range of users by using different categories of extensions. Successful exploitation can lead to stolen credentials, account takeover, data exfiltration, ad fraud, and the ability to inject arbitrary content into visited websites. The compromised systems could be used for further malicious activities.

Recommendation

Monitor network connections originating from Chrome extensions for connections to unusual or suspicious domains using a network connection rule (see example rule below).
Implement strict policies for Chrome extension installations, including whitelisting approved extensions and blocking installation from untrusted sources.
Deploy the Sigma rule to detect the execution of scripts from the malicious extensions to your SIEM and tune for your environment.

SiYuan Zero-Click NTLM Theft and Blind SSRF via Mermaid Diagrams

hello@craftedsignal.io — Sat, 11 Apr 2026 12:00:00 +0000

SiYuan, a note-taking application, is vulnerable to a zero-click NTLM hash theft and blind SSRF exploit due to insecure configuration of Mermaid.js. The application configures Mermaid.js with securityLevel: "loose" and htmlLabels: true, which allows tags with src attributes to bypass sanitization and be injected into SVG blocks. When a user opens a note containing a malicious Mermaid diagram with a protocol-relative URL (e.g., //attacker.com/image.png), the Electron client fetches the URL. On Windows, this resolves as a UNC path, triggering SMB authentication and sending the victim’s NTLMv2 hash to the attacker. On macOS and Linux, the same diagram triggers an HTTP request to the attacker’s server, exfiltrating the victim’s IP address. The vulnerability affects SiYuan versions prior to the fix implemented after April 7, 2026. This allows for credential theft without any user interaction beyond opening a note.

Attack Chain

The attacker crafts a malicious SiYuan note containing a Mermaid diagram with a protocol-relative URL within an tag, such as .
The attacker distributes the malicious note (e.g., via sharing or a crafted .sy export).
The victim opens the note in SiYuan.
SiYuan renders the Mermaid diagram using the insecure Mermaid.js configuration.
The SVG containing the malicious tag is injected into the DOM via innerHTML.
The Electron client attempts to fetch the resource at the protocol-relative URL.
On Windows, the protocol-relative URL resolves to a UNC path (\\attacker.com\share\img.png), initiating an SMB connection.
Windows automatically sends the victim’s NTLMv2 hash to the attacker’s SMB server, or makes an HTTP request leaking victim’s IP on other platforms.

Impact

The vulnerability allows for zero-click NTLMv2 hash theft on Windows systems, where the victim only needs to open a note containing the malicious Mermaid diagram. The stolen NTLMv2 hashes can be cracked offline or used in relay attacks to gain unauthorized access to the victim’s resources. On all platforms, this vulnerability can be exploited to perform blind SSRF and leak the victim’s IP address, acting as a tracking pixel to confirm when the note was opened. This affects all SiYuan users who receive a crafted note.

Recommendation

Deploy the Sigma rule Detect SiYuan Mermaid NTLM Theft Attempt to identify SMB traffic originating from SiYuan processes attempting to connect to external IPs (network_connection log source).
Deploy the Sigma rule Detect SiYuan Mermaid SSRF Attempt to detect HTTP requests from SiYuan to external IP addresses with a suspicious URL (network_connection log source).
Monitor network traffic for SMB connections originating from SiYuan, especially to unusual or external destinations (network_connection log source).
Block the attacker’s domain (attacker.com) at the DNS resolver, as observed in the malicious Mermaid diagram example (iocs).
Upgrade SiYuan to a patched version that addresses CVE-2026-40107 to mitigate the underlying vulnerability.

OpenClaw Agent Suspicious Child Process Execution

hello@craftedsignal.io — Wed, 08 Apr 2026 12:07:54 +0000

OpenClaw (formerly Clawdbot, rebranded to Moltbot) is an AI coding assistant that can execute shell commands and scripts. Threat actors are exploiting the skill ecosystem (ClawHub) to distribute malicious skills, observed as early as January 2026, that execute download-and-execute commands, targeting cryptocurrency wallets and credentials. These skills are often obfuscated and distributed through public registries like ClawHub. The attacks leverage the AI agents’ ability to execute commands through skills or prompt injection. Defenders should monitor for suspicious child processes spawned by Node.js processes running OpenClaw/Moltbot, as these may indicate malicious activity originating from compromised or malicious skills. This activity has been observed across Linux, macOS, and Windows environments.

Attack Chain

A user installs the OpenClaw agent, potentially from a legitimate or typosquatted domain.
The user installs a malicious skill from ClawHub or is subject to a prompt injection attack.
The OpenClaw agent, running under Node.js, receives a command to execute a shell command.
The Node.js process spawns a shell process (e.g., bash, sh, cmd.exe, powershell.exe).
The shell process executes a command to download a payload from a remote server using tools like curl or certutil.
The downloaded payload is saved to disk, often with an obfuscated name.
The shell process executes the downloaded payload using chmod +x and ./, rundll32.exe, or powershell.exe.
The payload performs malicious actions such as credential theft or cryptocurrency wallet compromise.

Impact

Compromised OpenClaw agents can lead to cryptocurrency wallet theft, credential compromise, and potential data exfiltration. A successful attack allows threat actors to gain access to sensitive data and potentially pivot to other systems on the network. The number of victims is currently unknown, but the targeting of cryptocurrency wallets suggests financially motivated actors. The observed typosquatting activity indicates a campaign to impersonate the legitimate software and trick users into installing malicious versions.

Recommendation

Monitor process creation events for suspicious child processes of Node.js processes running OpenClaw/Moltbot, specifically shells and scripting interpreters, using the provided Sigma rule (Execution via OpenClaw Agent - Linux/macOS/Windows).
Block known typosquat domains (moltbot.you, clawbot.ai, clawdbot.you) at the DNS resolver based on the IOCs provided.
Implement application control policies to restrict the execution of unsigned or untrusted executables, mitigating the impact of downloaded payloads.
Review OpenClaw skill installation logs and user AI conversation history for signs of malicious activity or prompt injection attempts.
Enable process command-line auditing to capture the full command line of spawned processes, aiding in the identification of malicious commands.
Deploy the Sigma rule to detect execution of curl/certutil downloads (OpenClaw Download Activity).

Amazon Athena ODBC Driver Man-in-the-Middle Vulnerability

hello@craftedsignal.io — Fri, 03 Apr 2026 21:17:12 +0000

A man-in-the-middle (MitM) vulnerability has been identified in the Amazon Athena ODBC driver. Specifically, versions prior to 2.1.0.0 exhibit improper certificate validation within the identity provider connection components. This flaw allows a threat actor positioned in the network to intercept authentication credentials when the driver attempts to connect to external identity providers. This vulnerability, identified as CVE-2026-35560, poses a significant risk to organizations utilizing affected versions of the Athena ODBC driver with external identity providers. The lack of proper certificate validation can lead to credential compromise and subsequent unauthorized access to sensitive data within Athena. This does not affect connections directly to Athena.

Attack Chain

The attacker positions themselves in a privileged network location between the user’s machine and the external identity provider.
The user attempts to establish a connection to Amazon Athena using the vulnerable ODBC driver version (prior to 2.1.0.0). The connection is configured to use an external identity provider for authentication.
The ODBC driver initiates a connection to the configured external identity provider.
The attacker intercepts the network traffic between the ODBC driver and the identity provider.
Due to the lack of proper certificate validation in the vulnerable ODBC driver, the attacker can present a fraudulent certificate to the driver without triggering an error.
The ODBC driver, trusting the fraudulent certificate, proceeds with the authentication process and transmits the user’s credentials to the attacker-controlled server.
The attacker captures the user’s authentication credentials (e.g., username and password or an access token).
The attacker uses the stolen credentials to authenticate to the external identity provider or directly to resources protected by those credentials, potentially gaining unauthorized access to sensitive data within Amazon Athena or other connected services.

Impact

Successful exploitation of this vulnerability allows a man-in-the-middle attacker to intercept authentication credentials used to connect to external identity providers. This could lead to unauthorized access to an organization’s Amazon Athena data and other resources protected by the compromised credentials. The severity of the impact depends on the privileges associated with the compromised user account. If successful, the attacker could potentially read, modify, or delete sensitive data stored in Athena, leading to data breaches, financial losses, and reputational damage. The number of potential victims is directly proportional to the number of organizations using affected versions of the Athena ODBC driver with external identity providers.

Recommendation

Upgrade the Amazon Athena ODBC driver to version 2.1.0.0 or later to remediate the improper certificate validation vulnerability as documented in CVE-2026-35560.
Monitor network traffic for unexpected connections to external identity providers from machines running the Athena ODBC driver. Use network connection logs to identify suspicious activity.
Implement network segmentation to limit the potential impact of a successful man-in-the-middle attack, reducing the attacker’s ability to intercept traffic.

Compromised Axios Library Leads to RAT Deployment via @usebruno/cli

hello@craftedsignal.io — Fri, 03 Apr 2026 12:00:00 +0000

On March 31, 2026, a supply chain attack targeted the axios npm package, a widely used HTTP client library for JavaScript. Compromised versions 1.14.1 and 0.30.4 of the library were injected with malicious code that installed a cross-platform Remote Access Trojan (RAT) on systems that installed the affected versions of @usebruno/cli. This attack specifically impacted users of the @usebruno/cli who performed an npm install within a roughly 3-hour window, between 00:21 UTC and 03:30 UTC. The malicious code was designed to execute during the postinstall phase of the package installation, indicating a targeted effort to compromise developer environments. This incident highlights the increasing risk of supply chain attacks targeting open-source software and the importance of verifying the integrity of third-party dependencies.

Attack Chain

Attacker compromises the axios npm package, injecting malicious code into versions 1.14.1 and 0.30.4.
The compromised axios package is published to the npm registry.
A user of @usebruno/cli executes npm install within the attack window (00:21 UTC - 03:30 UTC on March 31, 2026).
The npm package manager resolves the dependency chain and downloads the compromised axios package as a dependency of @usebruno/cli.
The malicious code within the axios package executes during the postinstall script phase of the installation process.
The postinstall script downloads and installs a cross-platform Remote Access Trojan (RAT) on the user’s system.
The RAT establishes a connection to a remote command-and-control (C2) server.
The attacker uses the RAT to exfiltrate credentials and other sensitive data from the compromised system.

Impact

This supply chain attack could have resulted in widespread compromise of developer systems that used the @usebruno/cli. While the number of affected users is unknown, the incident could have led to the exfiltration of sensitive credentials and proprietary source code, potentially enabling further attacks against the affected organizations and their customers. The incident underscores the need for robust security measures in software development pipelines and continuous monitoring of third-party dependencies for malicious activity.

Recommendation

If @usebruno/cli was installed during the affected window, reinstall dependencies to ensure a clean version of axios is used (reference: Impact section).
Rotate all credentials and secrets that were present on systems where @usebruno/cli was installed during the affected window (reference: Impact section).
Review and implement the security guidance provided in the Aikido Security blog post to further harden your systems (reference: https://www.aikido.dev/blog/axios-npm-compromised-maintainer-hijacked-rat).
Monitor process creation events for unusual processes spawned by npm or node processes, using the provided Sigma rule (reference: Sigma rule - “Detect Suspicious Process Spawned by NPM”).

DeepLoad Malware Distributed via ClickFix

hello@craftedsignal.io — Thu, 02 Apr 2026 12:00:00 +0000

DeepLoad is a recently discovered malware family designed for credential theft, malicious browser extension installation, and potential cryptocurrency theft. First advertised on a dark web forum in early February 2026, DeepLoad is now being distributed in the wild via ClickFix campaigns. The malware is delivered through fake browser error messages that instruct victims to execute a PowerShell command, resulting in the persistent execution of a PowerShell loader. This loader dynamically generates a DLL component in the Temp directory to evade detection. DeepLoad also injects into the legitimate LockAppHost.exe process to further blend into trusted Windows activity and evade detection by security tools. The threat actor’s motivations appear to be financially driven, focusing on credential and cryptocurrency theft.

Attack Chain

The victim encounters a fake browser error message.
The victim is instructed to paste a command into Windows Run or a terminal.
The command executes a PowerShell loader, which is designed for persistence.
The PowerShell loader drops a DLL component in the Temp directory, compiled on every execution with a different filename.
The loader disables PowerShell command history and calls Windows core functions directly to evade monitoring.
The DLL is injected into LockAppHost.exe using asynchronous procedure call (APC) injection.
DeepLoad steals credentials via a standalone credential stealer executed alongside the main loader.
A rogue browser extension is dropped to intercept user activity, including logins, open tabs, session tokens, and saved passwords. The malware also attempts to spread via USB drives.

Impact

Successful DeepLoad infections can lead to significant credential theft, potentially compromising sensitive user accounts and data. The rogue browser extension can expose all user browser activity, including banking and cryptocurrency exchanges. The spread via USB drives allows the malware to propagate rapidly across an organization. The financial impact can be substantial if cryptocurrency wallets and other financial accounts are compromised. The number of affected organizations is currently unknown.

Recommendation

Deploy the “Detect DeepLoad PowerShell Loader” Sigma rule to detect the initial PowerShell execution used to deliver the malware.
Monitor process injection into LockAppHost.exe to identify potential DeepLoad infections (reference the Sigma rule “Detect Injection into LockAppHost.exe”).
Enable PowerShell logging and review for suspicious command line arguments indicative of the DeepLoad loader to enhance the effectiveness of the “Detect DeepLoad PowerShell Loader” rule.
Implement USB drive security policies to prevent the spread of malware via removable media.
Educate users on the risks of executing commands from untrusted sources to prevent initial infection via ClickFix techniques.

Compromised trivy-action GitHub Action Leads to Credential Theft

hello@craftedsignal.io — Tue, 31 Mar 2026 08:36:29 +0000

On March 19, 2026, CrowdStrike detected a spike in script execution on Linux-based GitHub Actions runners. Investigation traced the activity to a compromise of the aquasecurity/trivy-action GitHub Action, a widely used open-source vulnerability scanner in CI/CD pipelines. The compromise involved retroactively poisoning 76 of the scanner’s 77 release tags through git tag repointing. This replaced the legitimate entry point with a multi-stage credential stealer. The malicious code ran before the actual scanner, making the compromise difficult to detect as workflows appeared to complete normally. Aqua Security confirmed the compromise of the Trivy GitHub Action script, setup script, and binary, and removed the malicious artifacts. This supply chain attack highlights the risk of relying on third-party actions in CI/CD pipelines without proper verification and monitoring.

Attack Chain

A developer pushes code, opens a pull request, or merges a branch in a repository using the compromised trivy-action.
The GitHub Actions runner executes the workflow, downloading the specified version of the trivy-action. Due to tag repointing, a malicious version of the action is downloaded instead of the legitimate one.
The malicious entrypoint.sh script is executed, which prepends approximately 105 lines of attack code before the original Trivy scanner logic.
The malicious script enumerates process IDs (PIDs) on the runner to identify potential targets.
The script executes a multi-stage credential theft operation, stealing secrets and credentials available within the runner environment.
The legitimate Trivy scanner is executed after the malicious code, masking the compromise as the workflow appears to complete successfully.
Stolen credentials are exfiltrated to a destination controlled by the attacker.
The attacker uses the stolen credentials to gain unauthorized access to internal infrastructure, cloud resources, or other sensitive systems.

Impact

This supply chain compromise affected users of the aquasecurity/trivy-action GitHub Action. The retroactive poisoning of 76 release tags meant that any CI/CD pipeline using those versions of the action was potentially compromised. The impact included the potential theft of sensitive credentials, secrets, and API keys stored within the GitHub Actions runner environment. Successful credential theft could lead to unauthorized access to critical infrastructure, data breaches, and further downstream attacks. The number of affected organizations is unknown, but given the popularity of trivy-action, the scope could be significant.

Recommendation

Review your GitHub Actions workflows for usage of aquasecurity/trivy-action and verify the integrity of the action’s code. Consider pinning to specific commit SHAs instead of tags to avoid tag repointing attacks.
Deploy the Sigma rule Detect Suspicious Script Execution in GitHub Actions Runner to identify potentially malicious script execution within GitHub Actions runner environments.
Monitor process execution on GitHub Actions runners for unusual or unexpected activity, particularly scripts running from temporary directories, to detect deviations from expected CI/CD behavior.
Implement strict access controls and credential management policies for GitHub Actions secrets and credentials to minimize the impact of potential credential theft.

Compromised trivy-action GitHub Action Leads to Credential Theft

hello@craftedsignal.io — Tue, 31 Mar 2026 07:24:09 +0000

On March 19, 2026, a spike in suspicious script executions on Linux GitHub Actions runners was observed across multiple CrowdStrike Falcon platform customers. The investigation traced the activity to a supply chain compromise within the widely-used aquasecurity/trivy-action GitHub Action, a popular open-source vulnerability scanner used in CI/CD pipelines. Attackers retroactively poisoned 76 out of 77 release tags by repointing them to malicious commits. This allowed them to inject a multi-stage credential stealer into the action’s entrypoint.sh script. The malicious code executes before the legitimate scanner, making the compromise less noticeable. Aqua Security confirmed the compromise of the Trivy GitHub Action script, setup script, and binary and has removed the malicious artifacts. This incident highlights the risks associated with trusting third-party actions in CI/CD pipelines and the potential for attackers to exploit tag mutability in Git.

Attack Chain

The attacker gains unauthorized write access to the aquasecurity/trivy-action GitHub repository.
The attacker retroactively modifies existing Git tags (e.g., 0.24.0) to point to a malicious commit.
The malicious commit injects approximately 105 lines of malicious code into the entrypoint.sh script, prepended before the legitimate Trivy scanner logic.
A GitHub Actions workflow includes a step using the compromised aquasecurity/trivy-action by referencing a poisoned tag (e.g., - uses: aquasecurity/trivy-action@0.24.0).
When the workflow runs on a GitHub Actions runner, the runner downloads the compromised action and executes the malicious entrypoint.sh script.
The malicious code in entrypoint.sh enumerates running processes to identify potential credential sources and exfiltrates sensitive data.
The legitimate Trivy scanner executes, masking the malicious activity.
The attacker gains access to stolen credentials, secrets, and API keys, potentially allowing them to compromise cloud infrastructure, internal systems, and source code repositories.

Impact

This supply chain attack directly impacted organizations using the compromised aquasecurity/trivy-action GitHub Action in their CI/CD pipelines. The number of affected organizations is currently unknown, but given the action’s popularity, it is likely significant. Successful exploitation allows attackers to steal sensitive credentials, including API keys, cloud credentials, and deploy tokens. This can lead to unauthorized access to internal infrastructure, data exfiltration, and further compromise of the software supply chain. The incident highlights the critical importance of verifying the integrity of third-party dependencies and implementing robust security measures in CI/CD environments.

Recommendation

Immediately audit your GitHub Actions workflows for usage of the aquasecurity/trivy-action and update to a safe version (as provided by Aqua Security) or remove the action entirely.
Implement integrity checks for third-party GitHub Actions by verifying the commit SHA instead of relying solely on tags to mitigate tag re-pointing attacks.
Monitor process execution on GitHub Actions runners for suspicious scripts, especially those running from within action directories, using process creation logs. An example detection rule is provided below.
Enable network connection logging on GitHub Actions runners to identify potential data exfiltration attempts originating from action scripts.
Review GitHub Actions logs for any anomalies or unexpected behavior that may indicate a compromise.

Compromised trivy-action GitHub Action Leads to Credential Theft

hello@craftedsignal.io — Tue, 31 Mar 2026 06:07:07 +0000

On March 19, 2026, CrowdStrike detected a spike in suspicious script executions on Linux-based GitHub Actions runners, which led to the discovery of a supply chain compromise affecting the aquasecurity/trivy-action GitHub Action. This action is a popular open-source vulnerability scanner frequently used in CI/CD pipelines. The attacker retroactively poisoned 76 of the 77 release tags by repointing them to malicious commits. These commits replaced the legitimate entry point with a multi-stage credential stealer. The injected code executes before the original scanner, allowing workflows to complete seemingly normally while secretly exfiltrating sensitive information. Aqua Security has confirmed and removed the malicious artifacts. This incident highlights the risks associated with mutable tags in Git-based workflows and the importance of verifying action integrity.

Attack Chain

Attacker gains write access to the aquasecurity/trivy-action repository on GitHub.
The attacker modifies the action’s entrypoint.sh script to include malicious code for credential theft. Specifically, the attacker prepends approximately 105 lines of malicious code.
The attacker uses git tag repointing to retroactively poison existing release tags (e.g., @0.24.0) to point to the malicious commit.
Developers’ CI/CD pipelines reference the compromised trivy-action using a poisoned tag (e.g., aquasecurity/trivy-action@0.24.0).
When a workflow runs, the GitHub Actions runner downloads and executes the malicious entrypoint.sh script, granting it access to the runner’s environment, secrets, and network.
The malicious script enumerates running processes to identify potential targets for credential theft.
The malicious code exfiltrates credentials and secrets.
The original trivy scanner is executed, masking the malicious activity and allowing the workflow to complete normally.

Impact

The compromise of the trivy-action GitHub Action allowed attackers to steal credentials and secrets from CI/CD pipelines that used the compromised action. Because the malicious code ran with the full privileges of the runner, it had access to sensitive information such as API keys, deployment tokens, and cloud credentials. The number of affected organizations is unknown, but given the widespread adoption of trivy-action, the potential impact is significant. Successful exploitation can lead to unauthorized access to cloud resources, code repositories, and other sensitive systems.

Recommendation

Inspect your CI/CD pipeline configurations for usage of the aquasecurity/trivy-action and audit the integrity of the referenced tags against the known good commits, if available from Aqua Security’s advisories.
Implement tooling and processes to verify the integrity of third-party GitHub Actions used in CI/CD pipelines.
Monitor process execution on GitHub Actions runners for suspicious activity, such as enumeration of processes or unexpected network connections (see Sigma rule below).
Enable and review process creation logs on CI/CD runner environments to identify anomalous script execution (see Sigma rule below).

Compromised Telnyx PyPI Package Distributes Credential-Stealing Malware

hello@craftedsignal.io — Mon, 30 Mar 2026 19:15:30 +0000

On March 27, 2026, the telnyx Python package on PyPI was compromised by TeamPCP, resulting in the distribution of malicious versions 4.87.1 and 4.87.2. The attacker, having gained unauthorized access to PyPI credentials, bypassed the legitimate GitHub release pipeline to upload these compromised packages directly. These versions contain malware designed to harvest sensitive credentials from infected systems and exfiltrate them to a command-and-control (C2) server. The malicious packages were available for approximately 6 hours before being quarantined by PyPI. Version 4.87.1 contained a typo preventing execution, making 4.87.2 the fully functional malicious version. This incident highlights the risk of supply chain attacks targeting open-source package repositories, potentially affecting any system that installed the telnyx package during the exposure window.

Attack Chain

The attacker gains unauthorized access to PyPI credentials for the telnyx package.
The attacker uploads malicious versions 4.87.1 and 4.87.2 of the telnyx package to PyPI, bypassing the legitimate GitHub repository.
When a user installs or upgrades to the malicious telnyx package, the injected malware within telnyx/_client.py executes upon importing the library (import telnyx).
On Linux/macOS systems, the malware spawns a detached subprocess to ensure persistence and downloads a payload hidden inside a WAV audio file (ringtone.wav) from the C2 server at http://83.142.209.203:8080/.
The downloaded payload harvests sensitive credentials, including SSH keys, AWS/GCP/Azure credentials, Kubernetes tokens, Docker configurations, .env files, database credentials, and crypto wallets.
If Kubernetes access is detected, the malware deploys privileged pods to all nodes for lateral movement within the Kubernetes cluster.
The collected data is encrypted using AES-256-CBC and RSA-4096, then exfiltrated to the C2 server, identified by the header X-Filename: tpcp.tar.gz.
On Windows, a binary payload hidden in hangup.wav is downloaded from http://83.142.209.203:8080/, dropped as msbuild.exe in the Startup folder for persistence, and executed with a hidden window, polling the endpoint http://83.142.209.203:8080/raw.

Impact

The compromise of the telnyx PyPI package poses a significant risk to developers and organizations that use the library. Successful exploitation leads to the theft of sensitive credentials, potentially granting the attacker unauthorized access to critical infrastructure, cloud resources, and sensitive data. TeamPCP’s previous campaign against LiteLLM and the similarities in this attack suggest a pattern of targeting open-source projects to infiltrate developer environments and steal secrets. The impact includes potential data breaches, financial losses, and reputational damage. The exposure window was approximately 6 hours during which vulnerable versions were available.

Recommendation

Immediately check for the presence of malicious telnyx package versions (4.87.1 or 4.87.2) in your environment using the provided commands and uninstall them (pip uninstall telnyx).
Due to the credential-stealing nature of the malware, rotate all potentially exposed secrets, including SSH keys, cloud provider credentials (AWS, GCP, Azure), Kubernetes tokens, Docker registry credentials, database passwords, API keys in .env files, and Telnyx API keys.
Check for persistence mechanisms used by the malware, specifically the audiomon service and associated files on Linux/macOS, and the msbuild.exe executable in the Startup folder on Windows, based on the file paths provided in the “Filesystem” section.
Block the identified C2 IP address (83.142.209.203) and payload URLs (http://83.142.209.203:8080/ringtone.wav, http://83.142.209.203:8080/hangup.wav, http://83.142.209.203:8080/raw) at your network perimeter.
Deploy the following Sigma rule to detect the creation of msbuild.exe in the Startup folder.
Pin the telnyx package to the safe version 4.87.0 in your project dependencies to prevent future installations of compromised versions.

Compromised trivy-action GitHub Action Leads to Credential Theft

hello@craftedsignal.io — Mon, 30 Mar 2026 06:24:43 +0000

On March 19, 2026, CrowdStrike’s Engineering team discovered a supply chain compromise targeting the aquasecurity/trivy-action GitHub Action, a popular open-source vulnerability scanner used in CI/CD pipelines. The attackers retroactively poisoned 76 of the scanner’s 77 release tags using git tag repointing, replacing the original entry point with a multi-stage credential stealer. The malicious code operates before the legitimate scanner, masking its activity and allowing workflows to appear normal. This attack highlights the risks associated with mutable tags in Git and the potential for widespread compromise when relying on third-party actions within CI/CD environments. Defenders should implement strong integrity checks and consider using immutable references to mitigate such risks.

Attack Chain

An attacker gains write access to the aquasecurity/trivy-action repository.
The attacker uses git tag repointing to modify existing release tags (e.g., 0.24.0), replacing the legitimate entrypoint.sh script with a malicious version.
A developer’s CI/CD pipeline includes a step that uses the compromised trivy-action by referencing a poisoned tag (e.g., uses: aquasecurity/trivy-action@0.24.0).
When the workflow runs on a GitHub Actions runner, the runner downloads the compromised action and executes the malicious entrypoint.sh script.
The malicious script enumerates running processes to identify potential credential sources.
The script steals credentials and secrets from the runner’s environment, including API keys, deployment tokens, and cloud credentials.
After stealing credentials, the malicious script executes the legitimate Trivy scanner to avoid raising suspicion.
The stolen credentials are used to gain unauthorized access to internal infrastructure and resources.

Impact

The compromise of the trivy-action GitHub Action could impact a significant number of organizations relying on this popular scanner in their CI/CD pipelines. With 76 of 77 release tags poisoned, the potential scope of the attack is broad. Successful exploitation leads to the theft of sensitive credentials, enabling attackers to access internal infrastructure, deploy malicious code, or exfiltrate sensitive data. The silent nature of the attack, with the legitimate scanner still running, makes detection challenging and increases the dwell time of the attacker.

Recommendation

Enable process monitoring on GitHub Actions runners to detect suspicious script execution and unusual process trees (reference: Attack Chain).
Implement integrity checks for third-party actions used in CI/CD pipelines to verify their authenticity and prevent tampering (reference: Overview).
Consider using immutable references (e.g., commit SHAs instead of tags) for GitHub Actions to prevent tag repointing attacks (reference: Overview).
Deploy the Sigma rule below to detect suspicious bash scripts executing in the context of GitHub Action runners (reference: rules).

Tycoon2FA Phishing-as-a-Service Platform Persists After Takedown

hello@craftedsignal.io — Sun, 29 Mar 2026 08:34:23 +0000

On March 4, 2026, Europol announced a technical disruption of Tycoon2FA, a subscription-based phishing-as-a-service (PhaaS) platform enabling cybercriminals to bypass MFA and compromise email accounts. The takedown involved seizing 330 domains. Despite this disruption, CrowdStrike observed only a short-term decrease in Tycoon2FA campaign activity. The volume of cloud compromises has since returned to pre-disruption levels, and Tycoon2FA’s tactics, techniques, and procedures (TTPs) remain unchanged. This resurgence suggests that the actors behind Tycoon2FA are adaptive and persistent. Tycoon2FA began operations in 2023, and in mid-2025, it was responsible for 62% of all phishing attempts blocked by Microsoft, generating over 30 million malicious emails in a single month. The platform also had a competitor named RaccoonO365, which law enforcement took down in September 2025.

Attack Chain

Victims receive phishing emails designed to mimic legitimate login pages.
Phishing emails direct victims to Tycoon2FA CAPTCHA pages hosted on attacker-controlled domains.
Upon CAPTCHA validation, victims’ session cookies are stolen by the attackers.
A JavaScript (JS) file extracts victims’ email addresses.
Victims are redirected to fake Microsoft 365 or Google login pages hosted on a Tycoon2FA domain.
Victims enter their credentials into the fake login pages, which are then captured by the attackers.
Stolen credentials are proxied to a legitimate Microsoft 365 cloud account via an obfuscated JS file.
Attackers authenticate to the victim’s cloud environment using the stolen cookies and credentials, gaining unauthorized access.

Impact

Tycoon2FA was responsible for 62% of all phishing attempts blocked by Microsoft in mid-2025, generating over 30 million malicious emails in a single month. Successful attacks lead to unauthorized access to victims’ cloud environments, potentially resulting in data theft, business email compromise (BEC), and further malicious activities. Despite law enforcement takedowns, the platform’s rapid resurgence demonstrates the resilience of PhaaS operations and their potential for significant damage.

Recommendation

Monitor network traffic for connections to known phishing domains or newly registered domains, correlating with user agent strings and HTTP referrer headers common in phishing kits, to detect initial access attempts. Deploy the network_connection Sigma rule to identify suspicious connections.
Implement detections for suspicious JavaScript execution within browser environments attempting to steal session cookies or extract email addresses. Enable webserver and proxy logging to capture these events and deploy the process_creation Sigma rule to identify associated processes.
Monitor authentication logs for successful logins from unusual locations or using suspicious user agents after a user has visited a known phishing site. Analyze user authentication patterns and correlate with other security events to detect compromised accounts.

TeamPCP Backdoors Telnyx PyPI Package with Steganographic Malware

hello@craftedsignal.io — Sat, 28 Mar 2026 12:00:00 +0000

On March 27, 2026, the Telnyx package on the Python Package Index (PyPI) was compromised by the threat actor TeamPCP. Malicious versions 4.87.1 and 4.87.2 were uploaded, containing credential-stealing malware concealed within WAV audio files. This supply-chain attack targeted developers using the Telnyx Python SDK, a popular package with over 740,000 monthly downloads, used for integrating communication services into applications. The malicious code resides in the telnyx/_client.py file and executes upon import. The compromise is believed to have originated from stolen credentials for the publishing account on the PyPI registry. TeamPCP has been linked to previous supply-chain attacks and wiper campaigns against Iranian systems, highlighting the group’s focus on disrupting software development and infrastructure.

Attack Chain

TeamPCP gains unauthorized access to the Telnyx PyPI account, likely through credential theft.
Malicious versions 4.87.1 and 4.87.2 of the Telnyx package are published to PyPI.
When a developer installs the compromised Telnyx package, the telnyx/_client.py file is executed upon import.
On Linux and macOS, a detached process is spawned to download a second-stage payload disguised as a WAV audio file (ringtone.wav) from a remote command-and-control (C2) server.
Steganography is used to hide malicious code within the WAV file’s data frames.
The embedded payload is extracted using an XOR-based decryption routine and executed in memory.
The malware harvests sensitive data, including SSH keys, credentials, cloud tokens, cryptocurrency wallets, and environment variables.
If Kubernetes is present, the malware enumerates cluster secrets and deploys privileged pods to access underlying host systems. On Windows, a different WAV file (hangup.wav) is downloaded that extracts and saves an executable named msbuild.exe to the startup folder for persistence.

Impact

This supply chain attack could result in widespread compromise of systems utilizing the Telnyx Python SDK. Over 740,000 monthly downloads indicate a large potential victim pool. Stolen credentials and secrets can lead to unauthorized access to cloud resources, sensitive data exfiltration, and further lateral movement within compromised networks. For systems running Kubernetes, the attacker could gain control over the entire cluster, leading to significant disruption and data loss. Developers who installed the malicious packages are advised to consider their systems fully compromised and rotate all secrets as soon as possible.

Recommendation

Identify and remove Telnyx versions 4.87.1 and 4.87.2 from all environments, reverting to version 4.87.0 as recommended by the vendor.
Monitor network connections for processes spawned by Python interpreters (python.exe, python3) attempting to download files with the .wav extension, using the “Detect Suspicious Python WAV Download” Sigma rule provided below.
Implement stricter controls and multi-factor authentication for PyPI accounts used to publish packages to prevent similar supply chain attacks.
Deploy the “Detect msbuild.exe in Startup Folder” Sigma rule to identify potential persistence attempts on Windows systems.
Rotate all secrets and credentials on any system that has imported the malicious Telnyx package.

Tycoon2FA PhaaS Platform Resurgence After Takedown

hello@craftedsignal.io — Sat, 28 Mar 2026 08:28:28 +0000

Tycoon2FA is a subscription-based PhaaS platform that enables cybercriminals to bypass multifactor authentication (MFA) and compromise email accounts using adversary-in-the-middle (AITM) techniques. The platform gained prominence in 2025, reportedly generating over 30 million malicious emails in a single month and accounting for 62% of all phishing attempts blocked by Microsoft at one point. On March 4, 2026, Europol announced a technical disruption of Tycoon2FA, seizing 330 domains forming the platform’s core infrastructure. Despite this takedown, CrowdStrike Falcon Complete observed a short-term decrease in Tycoon2FA activity followed by a return to pre-disruption levels. The persistence of the platform’s original tactics, techniques, and procedures (TTPs) suggests that the actors behind Tycoon2FA remain active and pose a continued threat. Defenders should maintain vigilance.

Attack Chain

Victims receive phishing emails designed to appear legitimate.
These emails direct victims to Tycoon2FA CAPTCHA pages hosted on attacker-controlled domains.
Upon CAPTCHA validation, a JavaScript (JS) file extracts the victim’s email address.
The victim is then redirected to a fake Microsoft 365 or Google login page hosted on a Tycoon2FA domain.
Victims enter their credentials, which are proxied to a legitimate Microsoft 365 cloud account via an obfuscated JS file.
The attacker steals the victim’s session cookies and credentials.
The attacker authenticates to the victim’s cloud environment using the stolen cookies and credentials.
The attacker gains access to the victim’s email and other cloud-based resources, potentially leading to data exfiltration or further malicious activity.

Impact

Tycoon2FA’s operations began in 2023, and by mid-2025, it was responsible for 62% of all phishing attempts blocked by Microsoft, generating over 30 million malicious emails in a single month. A successful attack can lead to unauthorized access to sensitive data, business email compromise, financial loss, and reputational damage. The resurgence of Tycoon2FA following the takedown indicates the platform remains a significant threat, highlighting the need for robust defenses against phishing and credential theft.

Recommendation

Monitor email traffic for unusual patterns and sender addresses to detect phishing attempts associated with Tycoon2FA (IOC: phishing emails).
Implement and tune web filtering rules to block access to known Tycoon2FA domains and newly registered domains that may be used for phishing campaigns (IOC: Tycoon2FA domain).
Deploy the Sigma rule to detect JavaScript files that attempt to extract email addresses from web pages, a technique used by Tycoon2FA to target victims.
Review and reinforce MFA policies and educate users about the risks of phishing and credential theft.

Tycoon2FA Phishing-as-a-Service Resurgence After Takedown

hello@craftedsignal.io — Sat, 28 Mar 2026 08:20:54 +0000

On March 4, 2026, Europol announced a technical disruption of the Tycoon2FA Phishing-as-a-Service (PhaaS) platform, which enabled cybercriminals to bypass multifactor authentication (MFA) and compromise email accounts. The takedown involved seizing 330 domains that formed the platform’s core infrastructure. However, following the takedown, CrowdStrike observed only a short-term decrease in Tycoon2FA campaign activity. The volume of cloud compromises has since returned to pre-disruption levels, and the platform continues to employ previously observed TTPs. Tycoon2FA, active since 2023, was responsible for a significant portion of phishing attempts, purportedly generating over 30 million malicious emails in a single month in mid-2025. The platform primarily targets Microsoft 365 and Google accounts using adversary-in-the-middle (AITM) techniques.

Attack Chain

Victims receive phishing emails directing them to Tycoon2FA CAPTCHA pages.
Upon CAPTCHA validation, victims’ session cookies are stolen.
A JavaScript (JS) file is used to extract victims’ email addresses.
Victims are redirected to fake Microsoft 365 or Google login pages hosted on a Tycoon2FA domain.
Victims enter their credentials into the fake login pages, which are then proxied to a legitimate Microsoft 365 cloud account via an obfuscated JS file.
The threat actor authenticates to the victim’s cloud environment using the stolen cookies and credentials.
Once authenticated, the attacker gains access to the victim’s email and other cloud resources.
The attacker can then perform actions such as data exfiltration, sending phishing emails to other targets, or further compromising the organization’s environment.

Impact

The resurgence of Tycoon2FA demonstrates the resilience of PhaaS platforms and their operators. The platform was responsible for a large percentage of phishing attacks in 2025, including 62% of all phishing attempts blocked by Microsoft in mid-2025, and generating over 30 million malicious emails in a single month. Successful attacks can lead to unauthorized access to sensitive data, financial losses, and reputational damage. The observed return to pre-disruption activity levels indicates a sustained threat to organizations relying on MFA for account security.

Recommendation

Deploy the “Tycoon2FA Phishing Redirection” Sigma rule to detect potential phishing attempts redirecting to Tycoon2FA infrastructure.
Monitor email traffic for patterns indicative of phishing campaigns, focusing on emails directing users to external login pages, as described in the Attack Chain.
Implement strict session management policies and regularly review user authentication logs for suspicious activity following successful authentication as described in the attack chain, step 7.
Block known Tycoon2FA domains at the DNS resolver, as referenced in the IOC section.
Educate users about the tactics used by Tycoon2FA, specifically the use of CAPTCHA pages to steal session cookies, as described in the Attack Chain, step 2.

Compromised trivy-action GitHub Action Enables Credential Theft

hello@craftedsignal.io — Sat, 28 Mar 2026 08:12:22 +0000

On March 19, 2026, a spike in script execution detections on Linux-based GitHub Actions runners led to the discovery of a supply chain compromise affecting the aquasecurity/trivy-action GitHub Action. The attackers retroactively poisoned 76 of the 77 release tags by repointing them to malicious commits. This manipulation replaced the legitimate entry point with a multi-stage credential stealer. The malicious code operates silently before the legitimate Trivy scanner logic is executed, which allows the malicious activity to remain hidden as workflows appear to complete normally. Aqua Security has confirmed the compromise and removed the malicious artifacts. This incident highlights the risks associated with trusting third-party actions in CI/CD pipelines and the potential for attackers to gain access to sensitive credentials and internal infrastructure.

Attack Chain

A developer triggers a GitHub Actions workflow that utilizes the aquasecurity/trivy-action.
The GitHub Actions runner downloads the specified version of the trivy-action from GitHub.
Due to tag repointing, the downloaded action contains malicious code in the entrypoint.sh script.
The malicious entrypoint.sh script executes a multi-stage credential theft operation.
The script enumerates process IDs (PIDs) to discover runner processes.
After credential theft, the legitimate Trivy scanner logic is executed to maintain the appearance of normal operation.
Stolen credentials and secrets are likely exfiltrated to a attacker controlled server.
The attacker uses the stolen credentials to gain unauthorized access to internal infrastructure, cloud resources, or other sensitive systems.

Impact

The compromise of the trivy-action GitHub Action could have resulted in widespread credential theft across numerous organizations using the affected versions. With 76 of 77 release tags poisoned, a vast majority of users were exposed. Successful credential theft can lead to unauthorized access to sensitive systems, data breaches, and potential supply chain attacks affecting downstream customers. The incident highlights the critical importance of supply chain security and the need for robust monitoring and detection mechanisms in CI/CD pipelines.

Recommendation

Inspect your CI/CD pipelines for usage of the aquasecurity/trivy-action GitHub Action and verify the integrity of the action being used.
Implement the Sigma rule Detect Suspicious Script Execution in GitHub Actions Runner to identify potentially malicious script execution within GitHub Actions runners.
Monitor process execution within GitHub Actions runners for unusual or unexpected activity that deviates from normal CI/CD operations (reference: Attack Chain step 5).
Enable detailed logging on GitHub Actions runners to capture process execution, network connections, and file system activity for forensic analysis and threat hunting.
Implement strong access controls and least privilege principles for GitHub Actions secrets and credentials to limit the impact of potential credential theft.

UniFi Network Controller Improper Certificate Verification Vulnerability (CVE-2019-25652)

hello@craftedsignal.io — Fri, 27 Mar 2026 22:16:19 +0000

CVE-2019-25652 affects UniFi Network Controller versions prior to 5.10.22 and 5.11.x before 5.11.18. The vulnerability stems from an improper certificate verification process during SMTP connections. An attacker positioned on an adjacent network can exploit this weakness to conduct man-in-the-middle (MitM) attacks. By presenting a false SSL certificate, the attacker can intercept SMTP traffic intended for the UniFi Network Controller, potentially gaining access to sensitive information…

Malicious LiteLLM Versions Harvest Credentials

hello@craftedsignal.io — Thu, 26 Mar 2026 12:00:00 +0000

On March 25, 2026, two malicious versions of the litellm package (versions 1.82.7 and 1.82.8) were discovered on the PyPI repository. These versions were found to contain automatically activated malware. The malicious code was designed to harvest sensitive credentials and files from systems where the compromised packages were installed. This supply chain attack follows a previous API token exposure stemming from a compromised trivy dependency, indicating a potential escalation in targeting the litellm project. The compromised packages exfiltrate stolen data to a remote API controlled by the attacker.

Attack Chain

An attacker compromises the litellm PyPI package repository, likely leveraging exposed credentials.
The attacker injects malicious code into versions 1.82.7 and 1.82.8 of the litellm package. The malicious code is automatically activated upon installation.
A user installs either litellm version 1.82.7 or 1.82.8 via pip.
Upon execution, the malicious code begins harvesting credentials and files accessible to the litellm environment. This may include API keys, tokens, and other sensitive information.
The malware establishes a network connection to a remote API server controlled by the attacker.
The harvested credentials and files are exfiltrated to the attacker’s remote API server.
The attacker gains unauthorized access to services and data protected by the stolen credentials.

Impact

This supply chain attack directly impacts any user who installed the malicious litellm packages (versions 1.82.7 and 1.82.8). Successful credential harvesting allows attackers to pivot and compromise other systems and services accessible with the stolen credentials, potentially leading to data breaches, unauthorized access, and further lateral movement within victim environments. The number of affected users is currently unknown, but the popularity of litellm suggests a potentially wide impact.

Recommendation

Immediately revoke and rotate any credentials accessible to environments where litellm versions 1.82.7 or 1.82.8 were installed (description).
Deploy the following Sigma rule to detect installations of the affected litellm versions (Sigma rule).
Monitor network traffic for connections originating from litellm processes to external, untrusted APIs (network_connection).
Implement strong dependency management practices, including the use of software composition analysis tools, to identify and prevent the installation of malicious packages (overview).

LiteLLM Package Compromised with Credential-Stealing Code via Trivy

hello@craftedsignal.io — Wed, 25 Mar 2026 12:00:00 +0000

On March 24, 2026, reports surfaced indicating that the LiteLLM package, a library designed to provide a unified interface for interacting with various large language models, was compromised and injected with malicious code. This compromise occurred through a vulnerability in Trivy, a widely-used open-source vulnerability scanner. The malicious code was designed to steal credentials, potentially including API keys and other sensitive information used to access and manage language models. The scope of the compromise is currently unknown, but given the popularity of both LiteLLM and Trivy, the potential impact could be significant across various sectors using LLMs. This incident highlights the risks associated with supply chain vulnerabilities and the importance of thorough security audits of third-party dependencies.

Attack Chain

A vulnerability is exploited within Trivy, potentially during its build or update process.
The attacker leverages this vulnerability to inject malicious code into the LiteLLM package during its build or release process.
Users download and install the compromised LiteLLM package from the official repository (e.g., PyPI).
Upon execution of the infected LiteLLM package, the malicious code is triggered.
The malicious code collects credentials, such as API keys, environment variables, or configuration files, from the user’s system or environment.
The stolen credentials are exfiltrated to a remote server controlled by the attacker using network protocols like HTTP/S.
The attacker uses the stolen credentials to access and control the victim’s accounts, resources, and data related to language model services.
The attacker may further exploit the compromised systems for lateral movement, data exfiltration, or other malicious activities.

Impact

The successful compromise of the LiteLLM package can lead to significant damage, including unauthorized access to language model APIs, data breaches, and financial losses. The number of affected users and organizations is currently unknown. Sectors relying heavily on LLMs, such as AI development, research, and various industries integrating AI-powered applications, are particularly vulnerable. If successful, the attack can result in the exposure of sensitive data, disruption of services, and reputational damage.

Recommendation

Implement integrity checks on all downloaded packages to verify their authenticity and prevent the installation of compromised versions (reference: overview).
Monitor network traffic for suspicious outbound connections originating from processes associated with the LiteLLM package, looking for connections to unknown or malicious IPs (reference: Attack Chain, step 6).
Deploy the Sigma rules provided below to detect potential credential theft and exfiltration attempts (reference: rules).
Implement strict access controls and least privilege principles to limit the impact of compromised credentials (reference: Impact).
Conduct regular security audits of all third-party dependencies and use software composition analysis tools to identify and remediate vulnerabilities (reference: Overview).

GlassWorm Supply Chain Attack Using Unicode Encoding and Credential Theft

hello@craftedsignal.io — Tue, 24 Mar 2026 14:30:00 +0000

The GlassWorm campaign, active since October 2025, targets software supply chains through malicious code concealed using Unicode variation selectors. This technique renders the payload virtually invisible in standard editors and code review processes. The attackers rotate extension IDs, npm package names, wallet addresses, and C2 infrastructure across multiple waves. A decoder component extracts the hidden bytes and executes them via eval() or Function(). The malware queries a Solana wallet to dynamically retrieve C2 URLs and proceeds to steal sensitive information, including .npmrc, .git-credentials, SSH keys (id_rsa, id_ed25519), and token environment variables such as NPM_TOKEN, GITHUB_TOKEN, and OPEN_VSX_TOKEN. Wave 5, observed in March, compromised over 150 GitHub repositories, 72 Open VSX extensions, and 4 npm packages. Defenders relying solely on IOC-based detections may struggle to keep pace with the rapid evolution of this threat.

Attack Chain

Malicious code is injected into a software supply chain component (VS Code extension, npm package, etc.).
The payload is encoded using Unicode variation selectors, rendering it nearly invisible.
The victim installs or incorporates the compromised component into their development environment.
A decoder routine within the payload utilizes codePointAt() with arithmetic against 0xFE00/0xE0100 to reconstruct the original bytecode.
The decoded bytecode is executed using eval() or Function().
The executed code queries a Solana wallet using RPC methods (getTransaction, getSignaturesForAddress) to retrieve C2 URLs.
The malware targets files such as .npmrc, .git-credentials, id_rsa, and id_ed25519 for credential theft.
Stolen credentials and token environment variables (NPM_TOKEN, GITHUB_TOKEN, OPEN_VSX_TOKEN) are exfiltrated to the C2 server.

Impact

The GlassWorm campaign has successfully compromised over 150 GitHub repositories, 72 Open VSX extensions, and 4 npm packages in Wave 5 alone. Successful attacks can lead to the theft of sensitive credentials, potentially granting attackers unauthorized access to code repositories, package management accounts, and other critical infrastructure. This, in turn, can enable further supply chain attacks or intellectual property theft.

Recommendation

Implement the Unicode payload detection rule to identify suspicious densities of Unicode variation selector clusters in source code (see “Unicode Payload Detection” rule below).
Deploy the decoder detection rule to flag code patterns that use codePointAt() with specific arithmetic operations followed by eval() or Function() calls (see “GlassWorm Decoder Detection” rule below).
Monitor for network connections originating from non-blockchain applications using Solana RPC methods (getTransaction, getSignaturesForAddress), as described in the overview, to identify potential C2 activity.
Implement access controls and monitoring for sensitive files like .npmrc, .git-credentials, and SSH keys as described in the overview.
Use the glassworm-hunter tool linked in the references section to scan VS Code extensions, node_modules, pip site-packages, and git repos.

Crunchyroll Data Breach via Telus Supply Chain Compromise

hello@craftedsignal.io — Tue, 24 Mar 2026 12:00:00 +0000

On March 23, 2026, a data breach was reported at Crunchyroll, stemming from a compromise of their outsourcing partner, Telus, in India. The attackers successfully gained access to Crunchyroll’s environment after a Telus employee was targeted with a spoofed phishing email. This email delivered malware that stole the employee’s Okta credentials, granting the attacker a foothold into Crunchyroll’s systems. The breach resulted in the exfiltration of approximately 100 GB of sensitive customer analytics and ticketing data. The threat actor had unauthorized access for a duration of 24 hours before the compromised credentials were revoked. This incident highlights the risks associated with supply chain vulnerabilities and the importance of robust security measures across all partner organizations.

Attack Chain

Initial Access: A Telus employee received a spoofed phishing email containing malware. (T1566)
Malware Deployment: The employee interacted with the phishing email, leading to the deployment of an infostealer on their machine.
Credential Theft: The malware captured the employee’s Okta credentials. (TA0006)
Authentication: The attacker used the stolen Okta credentials to authenticate into Crunchyroll’s environment.
Data Access: Upon successful authentication, the attacker gained access to customer analytics and ticketing data.
Data Exfiltration: The attacker exfiltrated approximately 100 GB of data, including PII such as email addresses and IP addresses. (TA0010)
Lateral Movement (Likely): While not explicitly stated, the attacker likely performed some level of lateral movement within the Crunchyroll environment to access the data.
Objective Achieved: The attacker successfully exfiltrated sensitive customer data.

Impact

The Crunchyroll data breach resulted in the exfiltration of 100 GB of customer analytics and ticketing data. This included personally identifiable information (PII) such as email addresses and IP addresses. The exposure of this data could lead to identity theft, phishing attacks targeting Crunchyroll customers, and potential financial fraud. The breach also damages Crunchyroll’s reputation and erodes customer trust. The incident underscores the critical need for robust security measures across the entire supply chain to protect sensitive customer data.

Recommendation

Implement and enforce strict email security policies to prevent phishing attacks, focusing on employee training to recognize spoofed emails (T1566).
Deploy endpoint detection and response (EDR) solutions on all employee machines to detect and prevent malware deployment (TA0005).
Monitor Okta authentication logs for suspicious login activity, such as logins from unusual locations or at unusual times (TA0006).
Implement multi-factor authentication (MFA) for all user accounts, especially those with access to sensitive data, to mitigate the impact of credential theft (TA0006).
Conduct regular security audits of all third-party vendors and partners to ensure they meet the required security standards (TA0011).
Deploy the Sigma rule to detect the use of stolen Okta credentials based on anomalous login patterns.

GhostLoader Malware Targeting macOS via GitHub and AI Workflows

hello@craftedsignal.io — Sat, 21 Mar 2026 13:03:03 +0000

GhostLoader is a malware campaign observed using GitHub repositories and AI-assisted development workflows to deliver malicious payloads specifically designed to steal credentials from macOS systems. The threat leverages the trust associated with software repositories and the increasing adoption of AI tools in development to potentially bypass security measures. While the exact start date of the campaign is not specified, the report from Jamf highlights its recent emergence as a notable threat. Defenders should prioritize monitoring for suspicious activity related to GitHub repositories and unusual AI-driven development processes. The targeted scope appears to be macOS users who engage with software development resources and AI-related tools.

Attack Chain

The attacker creates a seemingly legitimate software repository on GitHub.
The repository contains a project with files that may appear benign or related to AI workflows.
A malicious script or binary, named GhostLoader, is included within the repository or downloaded as a dependency.
A user downloads or clones the repository, potentially enticed by AI-assisted development features or other seemingly useful functionality.
The user executes the GhostLoader script or binary on their macOS system.
GhostLoader executes, initiating the credential-stealing process.
Stolen credentials are collected and potentially exfiltrated to a remote server controlled by the attacker.
The attacker uses the stolen credentials to gain unauthorized access to user accounts or sensitive systems.

Impact

The GhostLoader malware directly targets macOS systems and focuses on credential theft. Successful attacks can lead to unauthorized access to sensitive user accounts, intellectual property, and confidential data. The number of victims and specific sectors targeted remain unclear, but the use of GitHub and AI workflows suggests a focus on developers or users involved in AI-related activities. The compromise of credentials can have severe consequences, including financial loss, data breaches, and reputational damage.

Recommendation

Monitor process creation events on macOS for execution of unusual or unsigned binaries in user directories, potentially indicative of GhostLoader execution (see process creation rule).
Implement network monitoring to detect connections to known malicious infrastructure or unusual data exfiltration patterns after the execution of scripts from cloned GitHub repositories.
Educate developers and users about the risks of downloading and executing code from untrusted sources, particularly those related to AI-assisted workflows.
Enable and review macOS system logs for suspicious activity related to credential access and keychain modifications.

VoidStealer Steals Secrets by Debugging Chrome

hello@craftedsignal.io — Fri, 20 Mar 2026 05:48:21 +0000

VoidStealer is a threat actor utilizing advanced techniques to extract sensitive information from Google Chrome. This is achieved by abusing Chrome’s built-in debugging features. The threat actor’s primary goal is to steal credentials, session cookies, and potentially other sensitive data stored within the browser’s memory. This allows for account takeover and lateral movement within compromised environments. The technique bypasses traditional security measures, as it operates within a legitimate browser process. This activity started being discussed in open source forums around March 2026 and represents a sophisticated approach to browser credential theft.

Attack Chain

The attacker gains initial access to the target system through an unspecified method (e.g., malware distribution, social engineering).
The attacker deploys VoidStealer, a custom tool or script designed to interface with Chrome’s debugging API.
VoidStealer identifies running Chrome processes and attaches itself as a debugger.
The tool leverages the debugging interface to inspect Chrome’s memory space.
VoidStealer searches for specific data structures and memory regions known to store credentials, session cookies, and other sensitive information.
The attacker extracts the targeted data from Chrome’s memory.
Stolen data is exfiltrated to a command-and-control server controlled by the attacker.
The attacker uses the stolen credentials and session cookies for account takeover, lateral movement, and potentially data exfiltration from other systems.

Impact

Successful VoidStealer attacks can lead to significant data breaches, account takeovers, and financial losses. Organizations in any sector are at risk, especially those that heavily rely on web-based applications and services. The compromise of user credentials allows attackers to gain unauthorized access to sensitive corporate resources, intellectual property, and customer data. If successful, this can also lead to follow-on attacks, such as ransomware deployment.

Recommendation

Monitor process creation events for unexpected tools attaching to Chrome processes as debuggers to identify potential VoidStealer activity. Deploy the “Suspicious Chrome Debugging Attachment” Sigma rule to your SIEM.
Implement strict process whitelisting policies to prevent unauthorized applications from running on endpoints.
Enable and review Chrome’s built-in security features, such as password protection and safe browsing, to mitigate the risk of credential theft.
Educate users about the risks of downloading and executing untrusted software.

Unscoped API Keys in AI Agent Frameworks

hello@craftedsignal.io — Mon, 16 Mar 2026 12:00:00 +0000

A recent audit of 30 popular AI agent frameworks, including OpenClaw, AutoGen, CrewAI, LangGraph, MetaGPT, and AutoGPT, reveals a widespread lack of robust authorization mechanisms. The report, published in March 2026, highlights that 93% of these frameworks rely solely on unscoped API keys for authentication. This means that any agent with access to the API key has full privileges, creating significant security risks. Furthermore, none of the frameworks provide per-agent cryptographic identity or revocation capabilities. In multi-agent systems, child agents inherit the full credentials of their parent agents, with no option for scope narrowing. This lack of granular control and isolation can lead to significant security breaches, including credential exposure and privilege escalation, as demonstrated by the 21,000 exposed OpenClaw instances leaking credentials and the 1.5 million API tokens exposed in the Moltbook breach.

Attack Chain

Attacker gains access to an unscoped API key, either through exposed instances like the 21,000 OpenClaw instances or breaches like the Moltbook incident affecting 1.5 million tokens.
The attacker leverages the unscoped API key to authenticate to the AI agent framework.
The attacker uses the API key to control an AI agent, potentially injecting malicious goals or code.
In multi-agent systems, the attacker exploits the inherited privileges of child agents to gain broader access.
The attacker leverages the agent’s capabilities to access sensitive data or perform unauthorized actions.
The attacker escalates privileges by exploiting vulnerabilities within the agent framework or underlying system.
The attacker uses the compromised agent to move laterally within the system or network.
The attacker achieves their objective, which could include data theft, system disruption, or further compromise of the environment.

Impact

The widespread use of unscoped API keys and lack of proper authorization in AI agent frameworks creates a significant security risk. Successful exploitation can lead to data breaches, system compromise, and reputational damage. The report cites real-world incidents, including 21,000 exposed OpenClaw instances leaking credentials and 1.5 million API tokens exposed in the Moltbook breach, demonstrating the potential for widespread impact. The lack of per-agent revocation means that if one agent is compromised, the API key for all agents must be rotated, causing significant disruption.

Recommendation

Implement network monitoring to detect unusual traffic patterns originating from AI agent servers. Analyze outbound connections for connections to unusual or malicious domains (grantex.dev).
Audit the configuration of AI agent frameworks to identify instances using unscoped API keys. Prioritize upgrading or replacing frameworks that lack proper authorization controls.
Deploy the Sigma rule for detecting API key usage in command-line arguments or environment variables to identify potential credential exposure.
Monitor for access to sensitive data or resources by AI agents and implement least-privilege access controls.
Implement regular security audits and penetration testing of AI agent frameworks to identify and address vulnerabilities.

Azure Identity Protection Atypical Travel Anomaly

hello@craftedsignal.io — Tue, 02 Jan 2024 18:21:00 +0000

The Atypical Travel detection in Azure Identity Protection is designed to identify instances where a user signs in from two geographically distant locations within a time frame that makes legitimate travel improbable. This anomaly indicates that an attacker may have compromised a user’s credentials and is attempting to access resources from a different location. The alert is triggered by the ‘unlikelyTravel’ risk event type within Azure’s risk detection service. This capability helps defenders identify compromised accounts and prevent further damage such as data exfiltration or lateral movement within the environment. The detection is based on comparing current sign-in locations against the user’s historical sign-in patterns, making it more accurate and less prone to false positives compared to simple geo-location based alerts.

Attack Chain

Credential Compromise: An attacker obtains a user’s credentials through phishing, credential stuffing, or malware.
Initial Access (Location A): The attacker uses the compromised credentials to sign in from a location that may be atypical for the user.
Successful Authentication (Location A): The attacker successfully authenticates and gains access to Azure resources.
Privilege Escalation (Optional): If the compromised account has sufficient permissions, the attacker attempts to escalate privileges within the Azure environment.
Lateral Movement (Optional): The attacker uses the compromised account to move laterally to other resources or accounts within the Azure environment.
Second Sign-in (Location B): Within a short timeframe, the attacker (or another attacker using the same credentials) signs in from a geographically distant location (Location B).
Atypical Travel Alert: Azure Identity Protection detects the unlikely travel scenario based on the two geographically improbable sign-ins.
Resource Access/Data Exfiltration: The attacker accesses sensitive resources or exfiltrates data from the environment.

Impact

A successful Atypical Travel attack can lead to unauthorized access to sensitive data, privilege escalation, lateral movement within the Azure environment, and potentially data exfiltration. The number of victims depends on the scope of the compromised user’s access and the attacker’s objectives. Organizations in all sectors are potentially at risk, as attackers often target user accounts with elevated privileges or access to critical data. The financial impact can include the cost of incident response, data breach notifications, and potential regulatory fines.

Recommendation

Deploy the provided Sigma rule to your SIEM to detect Atypical Travel events (logsource: azure, service: riskdetection).
Investigate flagged sessions in the context of other sign-ins from the user, as suggested by the false positives guidance.
Implement multi-factor authentication (MFA) for all users to mitigate the risk of credential compromise.
Review and enforce conditional access policies to restrict access based on location and other factors.
Monitor user accounts for unusual activity, such as changes in sign-in patterns or resource access.
Implement account lockout policies to prevent brute-force attacks against user accounts.

NTDS or SAM Database File Copied

hello@craftedsignal.io — Mon, 01 Jan 2024 12:00:00 +0000

This detection identifies attempts to copy the Active Directory Domain Database (ntds.dit) or the Security Account Manager (SAM) files on Windows systems. These files contain highly sensitive information, including hashed domain and local credentials, and their unauthorized duplication can lead to significant credential compromise. The detection focuses on identifying specific command-line operations associated with copying these files, including the use of utilities like cmd.exe, powershell.exe, xcopy.exe, and esentutl.exe. The rule is designed for data generated by Elastic Defend and also supports third-party data sources like CrowdStrike, Microsoft Defender XDR, and SentinelOne Cloud Funnel, making it broadly applicable for organizations using these security solutions. The detection is based on observed attacker behaviors documented in reports such as those detailing Pysa/Mespinoza ransomware and techniques used for credential access.

Attack Chain

Initial Access: An attacker gains initial access to a Windows system, potentially through phishing or exploiting a vulnerability.
Privilege Escalation: The attacker elevates privileges to gain necessary access to protected system files, possibly using exploits or misconfigurations.
Volume Shadow Copy Creation (Optional): The attacker creates a Volume Shadow Copy (VSS) of the system drive to bypass file locking and access the NTDS.dit or SAM files without disrupting system operations. This may involve commands utilizing vssadmin.exe.
NTDS.dit or SAM File Copy: The attacker uses command-line tools like cmd.exe, powershell.exe, xcopy.exe, or esentutl.exe to copy the NTDS.dit or SAM files to a different location. Example commands include copy C:\\Windows\\NTDS\\ntds.dit C:\\temp\\ntds.dit or esentutl.exe /y /vss /d.
Staging: The copied files are staged in a temporary directory or network share accessible to the attacker.
Credential Extraction: The attacker uses tools like Mimikatz or other credential dumping utilities to extract plaintext passwords and hashes from the copied NTDS.dit or SAM files.
Lateral Movement/Domain Dominance: The attacker uses the extracted credentials to move laterally within the network, compromise additional systems, and potentially achieve domain dominance.
Exfiltration (Optional): The attacker may exfiltrate the copied NTDS.dit or SAM file for offline analysis or further exploitation.

Impact

A successful attack involving the copying of NTDS.dit or SAM files can lead to a complete compromise of an organization’s Active Directory domain and/or local system credentials. This allows attackers to move laterally through the network, access sensitive data, and disrupt business operations. The impact can range from data breaches and financial losses to reputational damage and regulatory fines. Incidents like the Pysa/Mespinoza ransomware attacks highlight the real-world consequences of this type of credential access.

Recommendation

Deploy the Sigma rule NTDS or SAM Database File Copied to your SIEM to detect suspicious copy operations involving NTDS.dit or SAM files. Tune the rule based on your environment.
Enable Sysmon process creation logging (Event ID 1) to ensure adequate coverage for the Sigma rules and investigation.
Monitor process command lines for the execution of cmd.exe, powershell.exe, xcopy.exe, and esentutl.exe with arguments related to copying NTDS.dit or SAM files as described in the rule NTDS or SAM Database File Copied.
Investigate and validate legitimate backup or disaster recovery processes, adding exceptions based on stable process.executable, process.code_signature.subject_name, process.parent.executable, bounded process.command_line source/destination, user.id, and host.id to minimize false positives.