{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/email-bombing/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["TeamPCP"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["axios","LiteLLM","Microsoft Teams","Microsoft Quick Assist","ScreenConnect"],"_cs_severities":["high"],"_cs_tags":["supply-chain","phishing","rat","npm","pypi","email-bombing"],"_cs_type":"threat","_cs_vendors":["npm","Microsoft","ConnectWise"],"content_html":"\u003cp\u003eRed Canary\u0026rsquo;s April 2026 Intelligence Insights report details several prominent threats observed in March 2026. The most significant was the axios npm compromise: on March 30, 2026, attackers took over a lead maintainer\u0026rsquo;s npm account, changed its associated email address, and used it to publish two malicious versions of the axios package directly from the npm CLI, bypassing the project\u0026rsquo;s GitHub Actions CI/CD pipeline entirely. The poisoned releases added a hidden dependency, \u003ccode\u003eplain-crypto-js@4.2.1\u003c/code\u003e, whose postinstall script acted as a cross-platform RAT dropper for macOS, Windows, and Linux. The report also covers the threat group TeamPCP, which compromised LiteLLM via PyPI, and a surge in Microsoft Teams phishing campaigns paired with email bombing, in which social engineering is used to talk users into installing RMM tools.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Compromise:\u003c/strong\u003e Attackers take over a lead maintainer\u0026rsquo;s npm account and change its associated email address.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePipeline Bypass:\u003c/strong\u003e Using the compromised account, the attacker publishes directly rather than through the project\u0026rsquo;s GitHub Actions CI/CD pipeline, sidestepping whatever checks that pipeline performs.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalicious Package Publication:\u003c/strong\u003e The attacker manually publishes two malicious versions of axios from the npm CLI.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDependency Injection:\u003c/strong\u003e The poisoned releases declare a hidden dependency, \u003ccode\u003eplain-crypto-js@4.2.1\u003c/code\u003e, so any fresh install of the bad axios versions pulls it in.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRAT Dropper Execution:\u003c/strong\u003e On installation, the injected dependency\u0026rsquo;s postinstall script runs automatically and acts as a cross-platform RAT dropper.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePayload Installation:\u003c/strong\u003e The dropper installs a remote access trojan (RAT) on macOS, Windows, and Linux hosts.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEmail Bombing and Teams Phishing:\u003c/strong\u003e In a separate campaign, victims are flooded with spam email and then contacted over Microsoft Teams by an adversary posing as IT support.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRMM Installation:\u003c/strong\u003e The adversary talks the user into launching an RMM tool such as Microsoft Quick Assist, which can lead to ransomware deployment or data theft.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe axios npm compromise could have installed RAT payloads on any macOS, Windows, or Linux system that installed one of the malicious versions. TeamPCP\u0026rsquo;s compromise of LiteLLM via PyPI shows the same supply chain risk leading to credential harvesting and coinmining. The rise in Microsoft Teams phishing paired with email bombing puts unsanctioned RMM tools on endpoints, which in turn can result in ransomware deployment or data theft. Successful attacks may cause significant financial losses, data breaches, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eRequire two-factor authentication (2FA) on every account with publish rights to the npm registry, to limit the impact of the kind of maintainer account takeover described in the overview.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious Tar Archive Extraction\u0026rdquo; to identify potentially malicious file extraction associated with the Microsoft Teams phishing campaigns.\u003c/li\u003e\n\u003cli\u003eInventory and baseline the legitimate RMM applications in your environment, particularly Microsoft Quick Assist as mentioned in the attack chain, so that an unexpected RMM tool stands out as abuse rather than noise.\u003c/li\u003e\n\u003cli\u003eImplement a policy that all calls with IT are conducted over the approved video conferencing application, and make sure users know how to verify the caller\u0026rsquo;s identity, as described in the analysis of the Teams phishing campaigns.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-25T12:00:00Z","date_published":"2026-04-25T12:00:00Z","id":"/briefs/2026-04-supply-chain-compromises/","summary":"The April 2026 Red Canary Intelligence Insights highlights the axios npm compromise, TeamPCP's LiteLLM compromise via PyPI, and a surge in Microsoft Teams phishing, leading to RAT deployment, credential harvesting, ransomware deployment, or data theft.","title":"Supply Chain Compromises via npm and PyPI Packages and Teams Phishing Campaigns","url":"https://feed.craftedsignal.io/briefs/2026-04-supply-chain-compromises/"}],"language":"en","title":"CraftedSignal Threat Feed — Email-Bombing","version":"https://jsonfeed.org/version/1.1"}
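Added example for the attack chain in the brief above (maintainer account takeover, a poisoned release that pulls in a hidden dependency, and a postinstall script that drops the RAT). This is not code from CraftedSignal or Red Canary. It diffs a freshly generated package-lock.json against the known-good copy in version control and flags the three things that pattern produces: a package that was not there before, a version change on a direct dependency, and any package that declares an install-time script. Assumptions: lockfile v2/v3 layout (a "packages" map keyed by node_modules path), in which npm records packages with preinstall/install/postinstall scripts as "hasInstallScript": true; and that every tarball should resolve to the public npm registry. Both lockfiles are constructed inline, and the axios version numbers in them are placeholders, not the real compromised releases.

```python
"""Audit a fresh npm lockfile against a known-good one for a hidden
dependency carrying an install-time script (added example, not the brief's code).

Assumptions: lockfile v2/v3 "packages" map, where npm sets
"hasInstallScript": true on packages declaring preinstall/install/postinstall
scripts, and a single allowed registry. Sample lockfiles are constructed; the
axios versions are placeholders, not the real compromised releases.
"""
import json
from dataclasses import dataclass

REGISTRY = "https://registry.npmjs.org/"  # assumed sole allowed tarball source


def _lockfile(axios_version: str, poisoned: bool) -> str:
    """Build a constructed lockfile; poisoned=True adds the hidden dependency."""
    axios_deps = {"follow-redirects": "^1.15.0"}
    packages = {
        "": {"name": "example-app", "dependencies": {"axios": "^1.0.0"}},
        "node_modules/axios": {
            "version": axios_version,
            "resolved": f"{REGISTRY}axios/-/axios-{axios_version}.tgz",
            "dependencies": axios_deps,
        },
        "node_modules/follow-redirects": {
            "version": "1.15.0",
            "resolved": f"{REGISTRY}follow-redirects/-/follow-redirects-1.15.0.tgz",
        },
    }
    if poisoned:
        axios_deps["plain-crypto-js"] = "4.2.1"
        packages["node_modules/plain-crypto-js"] = {
            "version": "4.2.1",
            "resolved": f"{REGISTRY}plain-crypto-js/-/plain-crypto-js-4.2.1.tgz",
            "hasInstallScript": True,  # npm sets this for a declared postinstall script
        }
    return json.dumps({"name": "example-app", "lockfileVersion": 3, "packages": packages})


KNOWN_GOOD_LOCK = _lockfile("1.0.0", poisoned=False)  # the committed, reviewed lockfile
SUSPECT_LOCK = _lockfile("1.0.1", poisoned=True)      # what a fresh `npm install` produced


@dataclass(frozen=True)
class Finding:
    kind: str      # new-package | version-change | install-script | off-registry
    package: str
    detail: str


def load_packages(lock_text: str) -> dict:
    """Map node_modules path -> lockfile entry, skipping the root project entry."""
    lock = json.loads(lock_text)
    if lock.get("lockfileVersion", 1) < 2:
        raise ValueError("lockfile v1 has no 'packages' map; regenerate with npm >= 7")
    return {path: entry for path, entry in lock["packages"].items() if path}


def audit_lock_diff(known_good: str, candidate: str) -> list:
    """Findings for packages that appeared, changed version, declare an
    install-time script, or resolve outside the expected registry."""
    before = load_packages(known_good)
    after = load_packages(candidate)
    findings = []
    for path, entry in after.items():
        name = path.rsplit("node_modules/", 1)[-1]  # handles nested and @scoped paths
        version = entry.get("version", "?")
        if path not in before:
            findings.append(Finding("new-package", name,
                                    f"{name}@{version} is not in the known-good lockfile"))
        elif before[path].get("version") != version:
            findings.append(Finding("version-change", name,
                                    f"{before[path].get('version')} -> {version}"))
        if entry.get("hasInstallScript"):
            findings.append(Finding("install-script", name,
                                    f"{name}@{version} runs a preinstall/install/postinstall script"))
        resolved = entry.get("resolved", "")
        if resolved and not resolved.startswith(REGISTRY):
            findings.append(Finding("off-registry", name, f"resolved from {resolved}"))
    return sorted(findings, key=lambda f: (f.kind, f.package))


if __name__ == "__main__":
    for f in audit_lock_diff(KNOWN_GOOD_LOCK, SUSPECT_LOCK):
        print(f"[{f.kind}] {f.detail}")
```

Run this in CI against the lockfile produced by the build and fail on any new-package or install-script finding until a human has looked at the package; run the install step itself with `npm ci --ignore-scripts` so that a postinstall dropper cannot execute while the lockfile is still being audited. Note that the `hasInstallScript` flag only exists in lockfile v2 and later, which is why the loader refuses v1 files rather than silently reporting nothing.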