DAILY WORKFLOW ARCHIVE

2026-05-01 AI创业新闻

候选线索仅供信息发现,请在引用或实践前回到原始来源核验。

2026-05-01 AI创业新闻

PyTorch Lightning and Intercom-client Hit in Supply Chain Attacks to Steal Credentials

In yet another software supply chain attack, threat actors have managed to compromise the popular Python package Lightning to push two malicious versions to conduct credential theft. According to Aikido Security , OX Security , Socket , and StepSecurity , the two malicious versions are versions 2.6.2 and 2.6.3, both of which were published on April 30, 2026. The campaign is assessed to be an extension of the Mini Shai-Hulud supply chain incident that targeted SAP-related npm packages on Wednesday. As of writing, the project has been quarantined by the administrators of the Python Package Index (PyPI) repository.

PyTorch Lightning is an open-source Python framework that provides a high-level interface for PyTorch. The open-source project has more than 31,100 stars on GitHub. “The malicious package includes a hidden _runtime directory containing a downloader and an obfuscated JavaScript payload,” Socket said. “The execution chain runs automatically when the lightning module is imported, requiring no additional user action after installation and import.” The attack chain paves the way for a Python script (“start.py”), which downloads and executes the Bun JavaScript runtime, and then uses it to run an 11MB obfuscated malicious payload (“router_runtime.js”) with an aimto conduct comprehensive credential theft.

From among the harvested credentials, the GitHub tokens are validated against the “api.github[.]com/user” endpoint before being used to inject a worm-like payload to up to 50 branches retrieved from every repository the token can write to. “The operation is an upsert: it creates files that do not yet exist and silently overwrites files that do,” Socket added. “No pre-check for existing content is performed. Every poisoned commit is authored using a hardcoded identity designed to impersonate Anthropic’s Claude Code.” Separately, the malware implements an npm-based propagation vector that modifies the developer’s local npm packages with a postinstall hook in the “package.json” file to invoke the malicious payload, increases the patch version number, and repacks the .tgz tarballs.

Should the unsuspecting developer publish the tampered packages from their local environment, they are made available on npm, from where the malware ends up on downstream user systems. The maintainers of the project have acknowledged that “we are aware of the issue and are actively investigating.” It’s currently not clear how the incident occurred, but indications are that the project’s GitHub account has been compromised. In a separate advisory , Lightning revealed an investigation is still underway to determine the exact root cause of the compromise and that the “affected versions have introduced functionality consistent with a credential harvesting mechanism.” In the interim, it’s advised to block Lightning versions 2.6.2 and 2.6.3 and remove them from developer systems, if already installed. It’s also essential to downgrade to the last known clean version, 2.6.1, and rotate credentials exposed in affected environments.

The supply chain attack is the latest addition to a long list of compromises carried out by a threat actor known as TeamPCP, which has now launched an onion website on the dark web after its account was suspended from X for violating the platform’s rules. It also called LAPSUS$ , a “good partner of ours and has been involved heavily throughout this entire operation.” The group also made it a point to emphasize that it has “never used VECT encryption tools and we own CipherForce, our own private locker,” following a report from Check Point Research about vulnerabilities discovered in the ransomware’s encryption process. Intercom npm Package Compromised as Part of Mini Shai-Hulud In a related development, it has emerged that version 7.0.4 of intercom-client has been compromised as part of the Mini Shai-Hulud campaign, following a similar modus operandi as that of the SAP packages to trigger the execution of a credential-stealing malware using a preinstall hook. “The overlap is significant because the SAP CAP campaign was linked to TeamPCP activity based on shared technical details, including distinctive payload implementation patterns, GitHub-based exfiltration, credential harvesting across developer and CI/CD environments, and similarities to prior attacks affecting Checkmarx, Bitwarden, Telnyx, LiteLLM, and Aqua Security Trivy,” Socket said .

Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

The internet is noisy this week. We are seeing some wild new tactics, like people using fake cell towers to send scam texts, while some developers are accidentally downloading tools that peek into their private files during a simple install. It is definitely a busy time to be online. Security is always a moving target.

Millions of servers are currently sitting online without any passwords, and old software bugs are showing up in the most unexpected places. Even with the right fixes available, staying one step ahead is a full-time job for all of us. Data is shifting in strange ways, too. Some browser tools are now legally selling user history for profit, and new kits are making it simpler for almost anyone to launch a campaign.

You have to see these latest updates to believe them. Let’s look at the full list… SMS blaster phishing crackdown Canadian Authorities Arrest 3 Men for Alleged Use of SMS Blaster Canadian authorities have arrested three men for operating an SMS blaster device that masquerades as a cellular tower to send phishing texts to nearby phones. These tools trick devices into connecting to them by emitting signals that mimic a legitimate tower.

“An SMS blaster works by mimicking a legitimate cellular tower. When nearby phones connect to it, users receive fraudulent text messages that appear to come from trusted organizations,” authorities said . “These messages often prompt recipients to click on links that lead to fake websites designed to capture personal information, including banking credentials and passwords.” The three men are facing 44 charges in connection with the crime. About tens of thousands of devices were connected to the blaster over several months, the official said.

This is the first time that an SMS blaster has been spotted in the country. npm brandsquat data theft npm Package Brand-Squats TanStack to Exfiltrate Environment Variables A new supply chain attack has leveraged an npm package impersonating TanStack to ship malicious versions that exfiltrate environment variables from developers’ machines during install. The package, named tanstack, is designed to “silently steal environment variable files, including .env, .env.local, and .env.production, from developers’ machines at install time, exfiltrating them to an attacker-controlled endpoint,” Socket said . The malicious package is maintained by a user named “sh20raj.” Versions 2.0.4 through 2.0.7 are confirmed malicious.

Extensions legally sell user data Extension Developers Sell Data of At Least 6.5M Users In a new analysis, LayerX found that multiple networks of browser extensions collect user data and resell it for profit. Unlike malicious extensions that conceal their behavior by offering some harmless functionality, the identified 80 extensions explicitly inform users in their privacy policy that they collect and sell data of users who install their extensions. “A network of 24 media extensions that are installed on 800,000 users and collect viewing data and demographic information on major streaming platforms such as Netflix, Hulu, Disney+, Amazon Prime Video, HBO, Apple TV, and others,” LayerX said . “12 separate ad blockers with a combined install base of over 5.5 million users openly selling user data.

Nearly 50 other extensions, with over 100,000 users in aggregate, that collected and resold users’ browsing data.” Komari tool weaponized in attacks First Recorded Abuse of Komari Agent Huntress has revealed that unknown threat actors used stolen VPN credentials to pivot into a Windows workstation belonging to an unspecified organization via Impacket’s smbexec.py, and dropped a SYSTEM-level backdoor using the Komari agent, a Go-based remote-control, monitoring, and management tool. The development marks the first publicly documented case of the tool being abused in a real-world intrusion. It also illustrates how bad actors are increasingly switching to publicly available and legitimate tools to conduct attacks. “Komari is not a telemetry tool that happens to be abusable - it is a bidirectional control channel by design.

The agent opens a persistent WebSocket to its server and accepts three server-to-agent event types out of the box: exec (arbitrary command execution via PowerShell / sh), terminal (interactive PTY reverse shell in the operator’s browser), and ping (ICMP / TCP / HTTP probing),” Huntress said . “All three are enabled by default.” Whereas other tools like Velociraptor and SimpleHelp that have been abused by threat actors typically act as means to an end, Komari gives an operator arbitrary command execution, an interactive PTY reverse shell, and network probing by default, over a TLS-fronted WebSocket. Next-gen phishing kits escalate New Saiga 2FA and Phoenix System Phishing Kits Spotted Threat actors have detailed two new phishing kits named Saiga 2FA and Phoenix System that have been linked to emails and SMS phishing attacks. According to Barracuda, Saiga 2FA goes beyond traditional adversary-in-the-middle ( AitM ) features by integrating tools like FM Scanner for extracting and analyzing mailbox content.

“Saiga 2FA is an example of how phishing kits are evolving into application-level platforms,” the company said . “Unlike traditional phishing kits, Saiga integrates infrastructure, automation, and post-compromise capabilities into a unified system, supporting advanced and highly targeted campaigns.” Phoenix System, on the other hand, has been tied to over 2,500 phishing domains since January 2025, while relying on IP-based filtering and geofencing for precision targeting. It’s assessed to be the successor to the now-defunct Mouse System. “The campaigns are delivered via SMS, potentially leveraging fake Base Transceiver Stations (BTS) to bypass carrier-level filtering and allow threat actors to send messages that appear under the brand names of trusted organizations directly to victims,” Group-IB said .

“The campaign has so far targeted more than 70 organizations across the financial services, telecommunications, and logistics sectors globally.” Mass exposure of remote access servers Exposed RDP and VNC Servers Found A new analysis from Forescout has found 1.8 million RDP and 1.6 million VNC servers are exposed on the internet. “China accounts for 22% of exposed RDP and 70% of exposed VNC servers; the U.S. accounts for 20% and 7%; Germany accounts for 8% and 2%,” the company said . “Of 91,000 RDP and 29,000 VNC servers mapped to specific industries, retail, services, and education lead RDP exposure; education, services, and healthcare lead VNC.” What’s more, 18% of exposed RDP servers run end-of-life Windows versions, more than 19,000 RDP servers remain vulnerable to BlueKeep (CVE-2019-0708), and nearly 60,000 VNC servers have authentication disabled.

To make matters worse, more than 670 exposed VNC servers have authentication disabled and provide direct access to OT/ICS control panels. China-linked influence op falters Spamouflage Attempts to Influence Tibetan Parliament-in-Exile Elections A China-linked online influence campaign attempted to undermine April 26 elections for the Tibetan parliament-in-exile with little impact. The operation, part of Spamouflage , a long-running influence network linked to Beijing, has used a cluster of 90 Facebook profiles and 13 Instagram profiles to push criticism of the Tibetan government-in-exile and its leadership. “The network tries to drive wedges within the community,” DFRLab said .

“The goal is to erode trust in the exile government, weaken its international voice, and raise doubts about whether it can credibly represent Tibetans without the Dalai Lama. However, virtually none of these posts seem to have attracted any organic engagement, possibly because all the identified assets are regular Facebook profiles with limited reach and not established pages.” Unpatched RPC privilege escalation Windows PhantomRPC Privilege Escalation Remains Unpatched An unpatched vulnerability can allow for local privilege escalation in Windows systems through the abuse of the Remote Procedure Call (RPC) architecture in the operating system. Called PhantomRPC , the flaw stems from an architectural weakness in how RPC handles connections to unavailable services. To exploit the flaw , an attacker with limited local access needs to first compromise a privileged service that runs under the Network Service identity, deploy a fake RPC server with the same RPC interface UUID and exposed endpoint name (i.e., TermService), listen to specific requests, and then impersonate the targeted service to escalate their privileges to SYSTEM.

Kaspersky, which identified the weakness, said it discovered four PhantomRPC exploitation paths that could lead to privilege escalation. Following responsible disclosure in September 2025, Microsoft opted to not address the issue as it requires an attacker to first compromise the machine through some other means. Vidar dominates infostealer market Vidar Stealer Races to the Top The information stealer known as Vidar (now in its second iteration called Vidar Stealer 2.0 ) has vaulted to the top of the infostealer market since November 2025 in the aftermath of law enforcement takedowns of Lumma and Rhadamanthys. “Vidar profited from the generated chaos to rise to the top of the stealer ecosystem,” Intrinsec said .

“We assess that this rise was made available due to the release of version 2.0 of the malware, and to the collaboration with ‘Cloud’ Telegram channels.” It’s advertised by a user named “Loadbaks” on underground forums. Recent campaigns have been observed distributing malware that has used bogus links shared via YouTube videos promoting fake software to direct users to Mediafire pages, which are used to deliver executables responsible for downloading and running the broad-spectrum credential harvester. The stolen credentials are then quickly monetized on underground marketplaces like Russian Market. Critical flaws hit healthcare platform 38 Flaws Discovered in OpenEMR Thirty-eight critical security vulnerabilities have been disclosed in OpenEMR, the world’s most widely used open-source electronic medical records platform.

The vulnerabilities, now patched, range in severity from medium to critical and include missing or incorrect authorization checks, cross-site scripting (XSS), SQL injection, path traversal, and insufficient session expiration. These issues, which include two designated critical (CVE-2026-24908 and CVE-2026-23627), could have been exploited to access and tamper with patient and provider data, posing a serious health and regulatory risk to individuals and institutions. “In the most severe cases, SQL injection vulnerabilities combined with modest database privileges could have led to full database compromise, PHI exfiltration at scale, and remote code execution on the server,” AISLE said . OpenEMR is used by more than 100,000 medical providers, serving more than 200 million patients in 34 languages.

Swiss crackdown on Black Axe Black Axe Members Arrested in New Swiss Operation A coordinated police operation in Switzerland has led to the arrest of 10 suspected members of the Black Axe criminal network, including the Black Axe “Regional Head” for the Southern European region. Most of those arrested are reported to be of Nigerian origin. The suspects are accused of numerous crimes, including romance scams, cyber fraud offences causing millions of Swiss francs in damages, and money laundering. “The criminal network is known for its involvement in a wide range of criminal activities, including cyber-enabled fraud, drug trafficking, human trafficking and prostitution, kidnapping, armed robbery, and fraudulent spiritual practices,” Europol said .

PyPI package hijacked via CI exploit New Supply Chain Attack Hits elementary-data In yet another software supply chain attack, unknown threat actors pushed a malicious version of the popular “elementary-data” package on the Python Package Index (PyPI) to steal sensitive developer data and cryptocurrency wallets. According to StepSecurity, elementary-data version 0.23.3 was uploaded to PyPI on April 24, 2026, at 10:20 p.m. UTC. The attacker opened a pull request with malicious code and exploited a script-injection vulnerability in one of its GitHub Actions workflows to publish it as release 0.23.3.

Specifically, it came embedded with a “elementary.pth” file that enabled the theft of developer credentials and secrets. “The attacker exploited a script injection vulnerability in one of the project’s own GitHub Actions workflows, then used the workflow’s GITHUB_TOKEN to forge a signed release commit and dispatch the legitimate publishing pipeline against it – without ever touching the master branch or opening a pull request,” the company said . The developers urged users who installed 0.23.3, or pulled and ran its Docker image, to assume compromise and rotate any credentials . $230M crypto laundering sentence California Man Gets 70 Months in Prison for $230M Crypto Heist 22-year-old Evan Tangeman of Newport Beach, California, was sentenced to 70 months in prison for laundering funds stolen in a massive $230 million cryptocurrency heist as part of an elaborate social engineering scheme.

“This criminal enterprise was built on greed so brazen it borders on the cartoonish. They stole millions, spent it on half-million-dollar nightclub tabs, Lamborghinis, and Rolexes,” said U.S. Attorney Jeanine Ferris Pirro. “But Evan Tangeman didn’t just launder the money that fueled that lifestyle.

When his co-conspirators were arrested, he moved to destroy the evidence. That is consciousness of guilt, and this office and the court have treated that accordingly.” Tangeman pleaded guilty in December 2025. The criminal enterprise began no later than October 2023 and continued through at least May 2025. Legacy TLS finally deprecated Microsoft to Block Legacy TLS Connections for POP and IMAP in Exchange Online Microsoft has announced plans to start blocking legacy TLS connections for POP and IMAP email clients in Exchange Online starting in July 2026.

“We’re planning to fully deprecate support for legacy TLS versions (TLS 1.0 and TLS 1.1) for POP3 and IMAP4 connections to Exchange Online. These older TLS versions have been industry-deprecated for some time and are no longer considered secure,” the company said . “Several years ago, we started the move to block these older versions, but we did allow you to use them by opting in; we’re now removing support for them entirely. Our expectation is that only customers who have explicitly opted into using those legacy endpoints are impacted by the deprecation.” Phishing via account flow abuse Phishing Campaign Abuses Robinhood’s Account Creation Flow Threat actors are abusing online trading platform Robinhood’s account creation process to send phishing emails that bypass spam filters.

The emails, which originate from “noreply@robinhood[.]com,” warn of suspicious activity tied to their accounts and urge them to click to complete a security check by clicking on a link that directs to a phishing site. “This phishing attempt was made possible by an abuse of the account creation flow,” Robinhood said in an X post. “It was not a breach of our systems or customer accounts, and personal information and funds were not impacted. If you received this email, please delete it and do not click any suspicious links.

If you have clicked a suspicious link or have any questions about your account, please contact us directly within the Robinhood app or website.” Reports on Reddit indicate that the attackers created new Robinhood accounts using modified versions of existing Gmail addresses via the so-called “dot trick.” The technique takes advantage of the fact that Gmail ignores periods inserted into or removed from a username, whereas Robinhood treats each variation as a distinct user, allowing the attackers to create a new account that points to an existing account. Social media scams surge FTC Warns of Surge in Losses from Social Media Scams The U.S. Federal Trade Commission (FTC) warned of a massive increase in losses from social media scams since 2020, exceeding $2.1 billion in 2025, including $794 million to scams that started on Facebook, more than on any other platform. “In 2025, nearly 30% of people who reported losing money to a scam said that it started on social media, with reported losses reaching a staggering $2.1 billion.

Social media scams produced far more in losses – an eightfold increase since 2020 – than any other contact method used by scammers to reach consumers,” the FTC said . “Social media creates easy access to billions of people from anywhere in the world, making a scammer’s job easier at very little cost. Scammers may hack a user’s account, exploit what a user posts to figure out how to target them, or buy ads and use the same tools used by real businesses to target people by age, interests, or shopping habits.” Billions of credentials exposed Nearly 2.9B Compromised Credentials Tracked in 2025 KELA said it tracked 2.86 billion compromised credentials in 2025 globally. These included usernames, passwords, session tokens, cookies found in URL, login and password (ULP) lists, breached email repositories, and cybercrime marketplaces.

At least 347 million were originally obtained by infostealers found on around 3.9 million infected machines. arXiv papers leak sensitive data What Do arXiv Preprints Contain? An analysis of 2.7 million submissions to the arXiv preprint service – which also makes available the LaTeX sources and other files used to create them – has found that they include unnecessary files, expose metadata embedded in files (usernames, email addresses, hardware details, GPS information, software versions), and leak irrelevant content in files such as source code comments. This includes backups, hidden .nfs files, Git repositories (including editing histories), andconfiguration files containing API keys.

“Apart from unused template files that put unnecessary storage burden on arXiv, we further discovered scripts, research data, and even entire Git repositories. Additionally, comments in LaTeX sources reveal, e.g., author conversations or todo items – for some of those comments, we are certain that the authors did not intend to disclose them publicly. Alarmingly, our findings also include URLs without any access restrictions to other resources (e.g., Google Docs), security tokens, and private keys,” the study said . While arXiv recommends Google’s arxiv_latex_cleaner to clean the LaTeX code, the researchers have released a tool called ALC-NG to comprehensively remove files, metadata, and comments that are not needed to compile a LaTeX paper.

Roblox account hacking ring busted Ukrainian Authorities Arrest 3 for Hacking Over 600K Roblox Accounts The Ukrainian police have arrested three individuals who hacked more than 610,000 Roblox gaming accounts and sold them for a profit of $225,000 on Russian websites. The suspects face up to 15 years in prison if convicted and have been placed in pretrial detention while the investigation is in progress. The scheme was allegedly masterminded by a 19-year-old resident of Drohobych, Lviv Oblast, who met his accomplices, aged 21 and 22, on gaming forums last year. From October 2025 to January 2026, the suspects are believed to have accessed more than 600,000 Roblox user accounts.

Iran-linked group targets troops Handala Group Targets U.S. Troops in Bahrain The Iran-linked threat actor Handala Hack has targeted U.S. troops in Bahrain in an influence campaign carried out via WhatsApp, according to Stars and Stripes . The messages, signed Handala and containing a link to the group’s website, claimed the service members were under surveillance and soon to be targeted with drones and missiles.

“Your identities are fully known to our missile units, and every move you make is under our surveillance. Very soon, you will be targeted by our Shahed drones and Kheibar and Ghadeer missiles,” the message sent on April 28, 2026, read. Record surge in privacy fines U.S. States Issued $3.45B in Privacy Fines in 2025 U.S.

states issued $3.45 billion in privacy-related fines to companies in 2025, a total larger than the last five years combined, per Gartner. “Regulators are also shifting their efforts away from spreading awareness to full-scale enforcement,” the company said . “This is increasingly becoming the standard in 2026 and beyond.” WordPress plugin backdoor uncovered WordPress Plugin Hijacked in 2020 to Plant Dormant Backdoor Anchor Hosting has revealed that a WordPress plugin named Quick Page/Post Redirect plugin, which has over 70,000 installs, was compromised with a backdoor that enables injecting arbitrary code into users’ sites. Plugin versions 5.2.1 and 5.2.2, released between 2020 and 2021, have been found to include a covert self-update mechanism that reaches out to a third-party domain, anadnet[.]com, to facilitate the execution of arbitrary code.

It’s worth noting that the passive backdoor triggers only for logged-out users to hide its activity from site administrators. As of April 16, the plugin has been closed temporarily pending a full review. Qinglong flaws abused for mining Threat Actors Exploit Qinglong Flaws for Crypto Mining Hackers are exploiting two authentication bypass vulnerabilities in Qinglong , an open-source timed task management platform with over 19,500 GitHub stars, to deploy cryptocurrency miners. The two flaws – CVE-2026-3965 and CVE-2026-4047 – enable authentication bypass that results in remote code execution.

“While these vulnerabilities were formally reported on February 27, exploitation had already been underway for weeks,” Snyk said . “Starting around February 7-8, 2026, Qinglong users began opening issues about a hidden process called .fullgc consuming 85-100% of their CPU. The .fullgc filename may have been chosen to blend in with legitimate processes. In Java/JVM environments, ‘Full GC’ (Full Garbage Collection) is a known source of CPU spikes, which could delay an administrator’s investigation.” The issues have since been addressed in #PR 2941 .

Trivy hack enabled repo breach Checkmarx Says Trivy Scanner Hack Led to its Compromise In a new update shared this week, Checkmarx said its investigation into the cybersecurity incident has revealed the TeamPCP attack affecting the Trivy scanner is the “likely vector that enabled the attackers to obtain credentials and to gain unauthorized access to our GitHub repositories.” This, in turn, allowed the attackers to interact with Checkmarx’s GitHub environment and publish malicious code to certain artifacts. The development comes as the company acknowledged that data stolen from the GitHub repository was published on the dark web by a cybercrime group known as LAPSUS$. npm stealer tied to DPRK group Famous Chollima Linked to js-logger-pack npm Package The North Korean threat actor known as Famous Chollima has been attributed to the npm package named js-logger-pack that comes embedded with a WebSocket stealer that’s triggered via a postinstall hook. “The payload is a long-running WebSocket agent that: installs the attacker’s RSA key into ~/.ssh/authorized_keys on Linux; exfiltrates Telegram Desktop tdata sessions; drains credentials from 27 crypto wallets and Chromium-family browsers; steals .npmrc, cloud provider tokens, and shell history; and runs a native keylogger on Windows, macOS, and Linux with autostart persistence on all three,” SafeDep said .

Security is a team sport. We keep seeing the same gaps because we focus on the new shiny toys while the basics, like simple passwords and old software versions, fall through the cracks. It is clear that just having a patch isn’t enough if nobody actually installs it. The best lesson here is to stay curious and cautious.

Whether it is a weird text from a “trusted” source or a new tool that seems too good to be true, taking a second to verify can save a lot of trouble later. Let’s keep learning and stay sharp until the next update! Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

New Python Backdoor Uses Tunneling Service to Steal Browser and Cloud Credentials

Cybersecurity researchers have disclosed details of a stealthy Python-based backdoor framework called DEEP#DOOR that comes with capabilities to establish persistent access and harvest a wide range of sensitive information from compromised hosts. “The intrusion chain begins with execution of a batch script (‘install_obf.bat’) that disables Windows security controls, dynamically extracts an embedded Python payload (‘svc.py’), and establishes persistence through multiple mechanisms including Startup folder scripts, registry Run keys, scheduled tasks, and optional WMI subscriptions,” Securonix researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee said in a report shared with The Hacker News. It’s assessed that the batch script is distributed via traditional approaches like phishing. It’s currently not known how widespread attacks distributing the malware are, and if any of those infections have been successful.

“Based on our current analysis, there is no clear evidence to suggest that this malware framework was widely used in large-scale or highly active campaigns,” Gaikwad, senior security research engineer at Securonix, told The Hacker News via email. “Its observed usage appears to be limited and somewhat targeted rather than broadly distributed.” “At this stage, we have not identified consistent indicators pointing to specific geographies or industry sectors being systematically targeted. However, given the modular nature of the framework, it is possible that different threat actors could adapt it for varied use cases over time.” What makes the attack chain noteworthy is that the core Python implant is embedded directly inside the dropper script, from where it’s extracted, reconstructed, and executed. This reduces the need for repeatedly having to reach out to external infrastructure and minimizes the forensic footprint.

Once launched, the malware establishes communication with “bore[.]pub,” a Rust-based tunneling service , allowing the operator to issue commands that facilitate remote command execution and extensive surveillance. This includes - Reverse shell System reconnaissance Keylogging Clipboard monitoring Screenshot capture Webcam access Ambient audio recording Web browser credential harvesting SSH key extraction Credentials stored in Google Chrome, Mozilla Firefox, and Windows Credential Manager Cloud credential theft (Amazon Web Services, Google Cloud, and Microsoft Azure) The use of public TCP tunneling service for command-and-control (C2) offers several advantages in that it eliminates the need for setting up dedicated infrastructure, blends malicious traffic, and avoids embedding details of the server within the payload. In parallel, DEEP#DOOR incorporates a bevy of anti-analysis and defense evasion mechanisms, such as sandbox, debugger, and virtual machine (VM) detection, AMSI and Event Tracing for Windows ( ETW ) patching, NTDLL unhooking, Microsoft Defender tampering, SmartScreen bypass, PowerShell logging suppression, command-line wiping, timestamp stomping, and log clearing, to fly under the radar and complicate incident response efforts. It also employs multiple persistence mechanisms that involve creating Windows Startup folder scripts, Registry Run keys, and scheduled tasks, while also relying on a watchdog mechanism to make sure the persistence artifacts have not been removed, and if so, automatically recreate them, making remediation challenging.

“The resulting implant operates as a fully featured Remote Access Trojan (RAT) capable of long-term persistence, espionage, lateral movement, and post-exploitation operations within compromised environments,” Securonix said. “The implant prioritizes evading detection and forensic visibility by directly tampering with Windows security and telemetry mechanisms.” “DEEP#DOOR highlights the continued evolution of threat actors toward fileless, script-driven intrusion frameworks that rely heavily on native system components and interpreted languages like Python. By embedding the payload directly within the dropper and extracting it at runtime, the malware significantly reduces external dependencies and limits traditional detection opportunities.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

EtherRAT Distribution Spoofing Administrative Tools via GitHub Facades

Intro A sophisticated, high-resilience malicious campaign was identified by Atos Threat Research Center (TRC) in March 2026. This operation specifically targets the high-privilege professional accounts of enterprise administrators, DevOps engineers, and security analysts by impersonating administrative utilities they rely on for daily operations. By integrating Search Engine Order (SEO) poisoning , a dual-stage GitHub distribution architecture , and decentralized blockchain-based command-and-control (C2) resolving, Threat Actors have established a highly resilient delivery and persistence mechanism. Creative Distribution via GitHub Facades The campaign utilizes a multi-layered delivery chain designed to evade platform-level takedowns and maintain a high search engine ranking.

The attack begins with SEO poisoning on various search engines, including Bing, Yahoo, DuckDuckGo, and Yandex. That ensures that malicious results for niche IT terms rank at the top of search results. Users are initially directed to a primary “facade” GitHub repository . These repositories are optimized for SEO but contain no malicious code - just a professional-looking README file.

To maintain operational flexibility, the README contains a link directing a victim to a second, hidden GitHub repository . It serves as the true distribution point for the malware. By separating the SEO-optimized “storefront” from the payload delivery account, the threat actors can rapidly rotate their distribution repositories if flagged, while the primary search-indexed facade remains active and untouched. Strategic Tool Impersonation and Victim Profiling The campaign is characterized by its focus on the administrative stack .

By distributing malicious MSI installers disguised as tools like PsExec , AzCopy , Sysmon , LAPS , and Kusto Explorer , the adversary performs automated victim profiling. These utilities are almost exclusively used by personnel with elevated network and system permissions. A successful infection on an administrator’s workstation may provide the “keys to the kingdom, “ which can facilitate lateral movement inside the enterprise environment. Decentralized Command and Control via Ethereum The most technically significant aspect of the campaign is its implementation of Blockchain-based Dead Drop Resolving (DDR) .

Once the malicious MSI is executed, the malware does not reach out to a hardcoded domain or IP address, which could be easily blocklisted. Instead, the malware repetitively initiates a query to a public Ethereum (ETH) RPC endpoint . The malware is hardcoded with a specific Smart Contract address on the Ethereum blockchain. By querying this contract, malware dynamically retrieves the live C2 server address.

This technique provides the adversary with extreme resilience: Infrastructure agility: The attacker can rotate C2 servers globally simply by updating the value stored in the blockchain contract. Robustness: As long as public Ethereum gateways are accessible, the malware can always find its “home,” making traditional domain takedown or blockage efforts ineffective. Research analysis This research provides a comprehensive technical analysis of the current campaign, based on long-term observation and active detonation within a controlled environment. Our research moves beyond initial delivery vectors to examine the sophisticated infrastructure and post-exploitation behaviors.

The following data points represent the core operational mechanics of the campaign, including: Malware Distribution: breakdown of the dual-stage GitHub repository architecture and the SEO-poisoning usage to manipulate search engine results. Administrative Tools Impersonation: adetailed look at the specific administrative utilities being impersonated to ensure the compromise of high-privilege IT personnel. Malware Logic: malware analysis of the malicious MSI payloads, including their initial staging and persistent components. Decentralized C2 Infrastructure: investigation into the malware’s use of Ethereum Smart Contracts and public RPC gateways to dynamically resolve live Command and Control (C2) addresses.

NOTE: During the finalization of the research, we identified a preliminary alert from KISA&KrCERT/CC regarding this threat actor’s campaign - LINK . While their initial report provided early visibility, our longitudinal investigation confirms the campaign remains highly active and has undergone significant technical maturation. Our investigation further confirms that the malware is evolving, with several distinct variants and additional C2 infrastructure identified since the campaign’s inception. Find out the latest threat intelligence and adversary research insights on Atos Cyber Shield Blogs.

Malware Distribution Visualisation below demonstrates the dual-stage distribution chain, where SEO-optimized facade repository redirects unsuspecting users to a secondary GitHub account hosting the malicious MSI. This modular architecture allows the threat actors to preserve their search engine rankings even if the individual payload delivery accounts are taken down. The intrusion lifecycle begins with a search query via Bing (also Yahoo, DuckDuckGo, Yandex) for specialized IT administrative utilities. Through aggressive SEO poisoning, the threat actors ensure that the facade GitHub repository appears prominently among the top search results.

In this instance, a user seeking Kusto Explorer – acritical tool for engineers and analysts querying Azure Data Explorer via KQL – is led toward a non-malicious storefront designed to build initial trust. Bing search for “kusto explorer” Bing search for “kusto explorer download” The first repository the user opens is a storefront that impersonates the targeted administrative tool. This facade repo is intentionally clean of malware, acting only as a gateway to the second, malicious stage of the delivery process. Thanks to such a design, it maintains a high search engine ranking.

First GitHub repo - used only as a facade First GitHub repo - used only as a facade As we can see it’s the one that survives quite long time By embedding a link in the README of a clean facade repository, Threat Actors effectively separate their search visibility from their malware distribution. This second repository hosts the actual malware, while the first remains untainted. This strategy allows for rapid recovery after a takedown, as the adversary only needs to update a single URL to restore their infection chain. This separation is key to the campaign’s longevity, as the initial landing page appears benign to both users and security tools.

Link to second GitHub repo that serves malware to the user Historical Commits in facade GitHub: we can see changes of links to second GitHub repo The redirection leads the user to a second GitHub repository where the malicious software is hosted. This secondary site acts as the final stage in the distribution chain, providing the direct download for the malware impersonating administrative tools. Second GitHub used to host malware Malware downloaded by user The threat actor has successfully hijacked the search results for larger set of Windows administrative stack, placing malicious storefronts at the very top of Bing. This dominant search presence effectively masks the threat, as the facade repositories appear as the primary, verified download locations for essential IT tools.

Such high visibility on the front page is the critical factor that could help campaign’s broader reach into corporate environments. “ProcDump” Bing SEO poisoning and Threat Actors GitHub repo “LAPS” Bing SEO poisoning and Threat Actors GitHub repo “BgInfo” Bing SEO poisoning and Threat Actors GitHub repo DuckDuckGo SEO poisoning and Threat Actors GitHub repo Yandex SEO poisoning and Threat Actors GitHub repo Yahoo SEO poisoning and Threat Actors GitHub repo Between early December 2025 and April 1, 2026, the threat actor deployed 44 separate GitHub facades, each spoofing a different administrative or developer tool. This high-volume approach indicates a sustained effort to maximize search engine visibility and capture a diverse range of high-privilege victims. Total 44 malicious GitHub repositories identified Administrative Tools Impersonation Category Impersonated tools Sysinternals / Diagnostics Autoruns, ProcDump, RAMMap, TCPView, Process Monitor, Process Explorer, Disk2vhd, Sysmon, DebugView, WinDbg, BgInfo AD / Credential / Admin Windows ADK, Windows LAPS, RSAT, IIS Crypto, Profwiz, PCmover, Transwiz, Delprof2 Remote Access Dameware, SecureCRT, SuperPuTTY, ScreenConnect Client, Bitvise SSH Client, TeraTerm Data Transfer / Cloud AzCopy, FSLogix, PCmover, Transwiz Security / Auth AppLocker, SafeNet Authentication Client, NSSM Network / Debugging PRTG Network Monitor, HTTP Debugger Utility / Business Apps KDiff3, Beyond Compare, BarTender, PaperPort Misc Sysadmin Tools Autologon, Kusto Explorer, LEAP Desktop, VMware Tools Identified Threat Actors campaign specifically targets the professional toolsets of enterprise administrators, systems engineers, and security practitioners.

Unlike traditional malware campaigns that cast a wide net across general consumers, this activity is surgically focused on the “crown jewel” accounts of the enterprise . By leveraging Search Engine Optimization (SEO) poisoning, theadversary is distributing malicious MSI installers that mimic essential infrastructure management and diagnostic tools. The primary objective is the compromise of high-privilege credentials and the establishment of persistent backdoors within corporate environments, which can lead to large-scale breaches . The current threat landscape is defined by the strategic impersonation of utilities foundational to modern IT operations, such as PsExec, AzCopy, Sysmon, and LAPS.

The rationale for selecting these specific targets is rooted in an advanced victim profiling model. Because a standard user very rarely interacts with a debugger like WinDbg or a deployment kit like Windows ADK, the adversary ensures that every successful infection lands on a machine belonging to a user with elevated system or network permissions. The psychological component of this campaign is also particularly aggressive. Many of these utilities are the tools defenders use to investigate malicious activity.

This creates an “irony lure” where a security professional, attempting to diagnose a perceived issue using a tool like Process Explorer or TCPView, inadvertently introduces a threat. By delivering these via legitimate-looking MSI packages, the attackers bypass the initial suspicion often associated with raw scripts or standalone executables. The consequences of an infection might be devastating. Given the administrative nature of the victims, this often transitions into a “keys to the kingdom” scenario.

Find out the latest threat intelligence and adversary research insights on Atos Cyber Shield Blogs. Malware Logic Atos TRC has analyzed a number of .msi installers from identified malicious repositories. Since the malware evolved over time this analysis focuses on its latest variant. All paths, file names, extensions, and keys shown are specific to one single sample as they are randomly generated for each.

This malware is a multi-stage, fileless-style Remote Access Trojan (RAT) written in  JavaScript, delivered as a malicious MSI installer impersonating various IT administration and enterprise sysadmin tools. It uses layered AES-256-CBC encryption to conceal its payload, a blockchain-based dead-drop resolver for resilient C2 communication, and an AsyncFunction constructor engine for arbitrary remote code execution. Node.js is downloaded at runtime from nodejs.org rather than bundled, keeping the package small (~4.7 MB) at the cost of requiring internet access during infection. Ultimately, Atos Researchers identified it to be an EtherRat malware, a recently emerging threat using Ethereum to store C2 URL addresses, preventing takedown of the infrastructure.

Latest versions of installers consist of four files. When the MSI is executed, these files are extracted, and a CMD batch script is run via a Custom Action, initiating the chain that leads to RAT deployment: MSI content screenshot It is important to note that file extensions differed among the analyzed samples, but “.cmd” was always the initiating file. The table contains a few examples: Stage # Extensions Sample #1 Sample #2 Sample #3 Sample #4 0 - Dropper .cmd .cmd .cmd .cmd 1 – In-memory loader .bak .cfg .xml .tmp 2 – Loader/Persistence .xml .bak .bak .dat 3 - RAT .cfg .bin .xml .log File names, decryption keys, secrets, directory names, and extensions presented below are extracted from the latest installer version. STAGE 0 - DROPPER File: VW80IqXy.cmd (2,377 bytes) Stage 0 code screenshot The malware’s entry point is a heavily obfuscated Windows batch script (VW80IqXy.cmd), launched at SYSTEM privilege by the MSI CustomAction immediately after file extraction.

Its primary obfuscation mechanism splits all sensitive command names - including curl, tar, copy, start, and cmd - across multiple SET variable assignments that are silently concatenated at runtime, ensuring no recognizable keywords appear in the raw file and defeating simple string-based static analysis. To ensure execution in a hidden window regardless of how the MSI launched it, the script immediately re-launches itself as a minimized background process and exits, with the re-launched copy performing all actual work. That copy proceeds to create a build-specific staging directory under %LOCALAPPDATA%\, download the Node.js runtime from its official distribution endpoint to a temporary archive via curl, extract it into a build-specific runtime subdirectory within the staging directory, and delete the zip archive to minimize forensic artifacts on disk. With the environment prepared, the script hands off execution to Stage 1 by invoking the bundled node.exe against the first-stage payload file and terminates, carrying no persistence mechanism of its own and playing no further role in the infection chain.

Stage 0 simplified graph ( link to detailed) STAGE 1 – In-memory loader File: ZOVTSc3WW9wotbj.bak (472 bytes) Stage 1 code screenshot A minimal Node.js script. Unobfuscated and fully readable. It is never saved onto the disk. Its main goal is to read the file containing the second-stage payload (in this example, “tQqoxkAJFhqWtg5.xml”), decrypt it using a hardcoded key and initialization vector (IV), and execute it in memory via “module._compile()” AES-256-CBC credentials from example: Key : F4J/454U+W0+8y7L+L9MxSY15rB0KoSeQkPauifCTiQ= IV  : RXvUsgFBwDx9HuOhpkoiqQ== Simplified Stage 1 graph ( link to detailed) STAGE 2 – Loader/Persistence File: tQqoxkAJFhqWtg5.xml (2,096 bytes encrypted) Stage 2 code screenshot Stage 2 decrypted code screenshot Decrypted and executed in-memory by Stage 1.

It is an intermediary stage that decrypts the content of obfuscated stage 3 payload (0cZeeDPZMsxWtaK.cfg), writes this content into a new file (4S3HKjraAP.cfg) and then executes it via node.exe wrapped by “conhost.exe –headless”, which disguises the process in Task Manager as a standard console host. Additionally, it creates persistence via the registry Run key. AES-256-CBC credentials from example: Key : m+wOc81aCEKfGEOpZsEr8WAN4O8mJnEoalp3LwZau0A= IV  : cOoXZ1ImLZ/V90MLhCpVJw== Registry persistence from example: Key  : HKCU\Software\Microsoft\Windows\CurrentVersion\Run Name : <6-byte random hex, regenerated on every fresh install> Data : conhost.exe –headless 1FgUre\node.exe 4S3HKjraAP.cfg Simplified Stage 2 graph ( link to detailed) STAGE 3 - RAT File: 0cZeeDPZMsxWtaK.cfg (encrypted) / 4S3HKjraAP.cfg (plaintext, ~9.8 KB) Stage 3 code screenshot Stage 3 decrypted code screenshot Stage 3 is the malware’s main payload - a JavaScript file that runs silently in the background on every system boot. It is written to disk under a randomly generated filename with a non-descriptive extension, making pattern-based file detection unreliable across different malware distributions.

It runs inside conhost.exe, a legitimate Windows process, so it does not stand out in Task Manager. All strings inside the file - including server addresses and API names - are encrypted, making static analysis difficult. When executed, the RAT first assigns to the infected machine a persistent identity. It reads a unique bot ID from a hidden file on disk or generates a fresh one if the file does not yet exist and stores it for use in all future communication.

It also computes a working directory path derived from the machine’s username and computer name, making that path unique on every victim system. RAT’s next task is to find out where its command-and-control server is. Rather than hardcoding a server address directly, which could be blocked by defenders, the attacker stores the address inside an Ethereum smart contract on the blockchain. RAT queries nine public Ethereum API services in parallel and picks the answer that the majority return - this makes the lookup reliable even if some services are temporarily down.

Because the address lives on the blockchain, it cannot be taken down by blocking a domain or an IP address; the attacker can update it at any time by sending a single transaction. Independent of everything else, a background timer re-runs this blockchain lookup every five minutes, so if the attacker publishes a new server address, the RAT switches to it automatically on its next contact attempt without needing to restart. Once the C2 address is known, the RAT enters a continuous polling loop, repeatedly beaconing to the server to check for new commands. Each request is constructed to resemble an ordinary browser fetch for a static web asset — the URL path contains random hex segments, a randomly chosen common file extension (.png, .jpg, .gif, .css, .ico, or .webp), and a randomly selected query parameter name.

While every beacon looks different to a network observer, each one also silently carries the bot’s unique ID and a campaign identifier baked into the build, allowing the attacker’s server to recognize and track each victim individually. RAT also sends its own source code to the server and receives back a freshly obfuscated replacement, which it writes over itself on disk, effectively re-encrypting itself once every execution, whether it was from “.msi” or a persistent Run registry key. Commands from the attacker arrive as JavaScript code and are executed directly inside the running Node.js process, giving the attacker full access to the file system, the ability to run any OS command, and the ability to exfiltrate data - all without ever dropping a traditional executable to disk.” Every action that the malware makes, like startup, blockchain resolution, re-obfuscation, every poll request, task receipt, task execution, errors, URL updates are being written to %APPDATA%\svchost.log, keeping a complete operational trace of everything the RAT does. For all samples analyzed, the same 9 endpoints were queried to obtain the C2 address from the contract.

The earlier versions of this malware had a lower number of stages used from the moment of execution until the C2 communications and followed the same file extension pattern: .msi -> .cmd -> .js -> obfuscated file with no clear extension. Additionally, the oldest sample Atos Researcher was able to find had fallback C2 IP hardcoded inside the RAT logic to use when the smart contract was unresponsive. This C2 IP was the same as the first value set for the smart contract from this oldest sample (hxxp[://]135[.]125[.]255[.]55). Simplified Stage 3 graph ( link to detailed) Decentralized C2 Infrastructure The campaign implements a decentralized C2 model that does not rely on fixed domains or attacker-controlled servers.

Instead, the malware retrieves its C2 address from the Ethereum blockchain. Each sample contains the address of a specific Ethereum smart contract , which is queried periodically via multiple public Ethereum RPC services. In this context, a smart contract is a small piece of program logic stored on the blockchain that can hold data and return it on request in a consistent and verifiable way. This design enables centralized C2 changes without modifying or redeploying the malware, increasing resilience against takedown and blocklisting efforts.

For the purpose of this explanation, we used one of the contracts used by attackers ( 0xc12c8d8f9706244eca0acf04e880f10ff4e52522) and the wallet that funded it ( 0x37ef6e88425613564b2cf8adc496acff4b6481a9). The smart contract used for C2 resolution is implemented as an on‑chain coordination mechanism and shows clear signs of operational use during its lifetime. Its blockchain record exposes a defined contract address, a fixed creation timestamp, and a sequence of transactions submitted over time. The observed activity indicates that the contract instance is actively used as part of a broader and persistent C2 resolution architecture, even though individual smart contracts may be replaced or rotated as the campaign evolves.

Etherscan contract overview page The contract can be directly associated with the Ethereum wallet that deployed it. Review of the wallet’s activity shows repeated interactions with the same contract during its operational period, demonstrating that control over C2 resolution is exercised through blockchain transactions. This confirms that changes to C2 distribution are performed independently of the malware already deployed on compromised systems. Etherscan wallet page Analysis of the contract’s transaction history reveals multiple state-changing calls used to update values stored on-chain.

Each of these updates corresponds to a change in the C2 address retrieved by the malware during its regular resolution cycle. As a result, infected systems automatically redirect to the new backend infrastructure without requiring any additional payload delivery or local configuration changes. Etherscan contract transaction list highlighting repeated state‑changing calls (Set String) At the transaction level, a single state-changing operation is sufficient to redirect all active infections. Detailed inspection shows that one blockchain write operation, submitted from the operator’s wallet, modifies the contract state and is immediately reflected in subsequent C2 resolution attempts by the malware.

This replaces traditional infrastructure management steps -such as domain registration, DNS updates, or server redeployment -with a single on-chain transaction. Detailed Etherscan view of a single state‑changing transaction, including timestamp, sender, and input data By anchoring C2 resolution to blockchain state and resolving it through widely available public Ethereum services, the campaign moves a critical dependency of its control infrastructure onto a decentralized network designed for high availability. This substantially limits the effectiveness of conventional disruption techniques based on domain seizure, IP blocking, or server takedown, and contributes to the operation’s overall resilience and longevity. Full list of found malicious domains as well as wallets and contracts to distribute them is available for download and review at the TRC GitHub repository .

Conclusions As of the day of writing this article, the Administrative Utility Spoofing campaign remains a highly active and technically resilient threat to enterprise environments. Our research confirms that this is not merely an opportunistic malware cluster, but a more sophisticated operation designed for specific victim profiling. By impersonating the specialized utilities required for infrastructure management, the adversary has “automated” the discovery of high-privilege IT personnel, increasing the probability that successful infections provide immediate pathways for lateral movement into the corporate environment. The campaign’s operational longevity is rooted in two strategic factors: the dual-stage GitHub distribution architecture and the integration of decentralized blockchain-based C2 resolution .

The use of SEO-optimized “facade” repositories allows the threat actors to maintain front-page visibility on search engines while isolating their malicious payloads on secondary accounts that can be rapidly rotated. Furthermore, the EtherHiding module’s reliance on Ethereum smart contracts creates an infrastructure that is particularly difficult to dismantle. Malware analysis of the MSI payload distributed across this campaign identifies it as an EtherRAT , a modular Node.js backdoor distinguished by its high-resilience “ EtherHiding “ C2 module. The Sysdig Threat Research Team has previously linked this malware to the North Korean state-sponsored actor - Lazarus Group .

They noticed significant overlaps in the tooling utilized during operations conducted with the usage of EtherRAT and the “ Contagious Interview ” campaign. Furthermore, in March 2026, eSentire’s Threat Response Unit (TRU) investigated an open-directory web server attributed to Iranian state-sponsored group MuddyWater (APT34). During the engagement, TRU found on that server a malicious file with functionality to establish persistence and deploy the Tsundere botnet malware, which also integrates the “EtherHiding” C2 resolution logic. Their analysis documented extensive code commonalities between EtherRAT and the Tsundere malware .

Active Atos TRC monitoring confirms that this operation is not yet another high-velocity stealer campaign. While commodity malware often prioritizes immediate data exfiltration, these actors demonstrate a focus on operational patience and stealth . Following the initial breach, we have documented a transition to methodical hands-on-keyboard activities characterized by a deliberate approach to environmental discovery. The adversary avoids aggressive, high-volume scanning that might trigger behavioural alerts, opting instead for quiet discovery to map the network’s high-privilege architecture .

This measured pace indicates that the primary objective is sustained persistence and strategic access rather than a simple opportunistic extraction. By carefully profiling the environment before escalating their activity , the threat actors significantly increase their chances of remaining undetected within enterprise networks. In alignment with our commitment to proactive defense, the Atos Threat Research Center has initiated formal takedown actions against the identified malicious scheme in order to neutralize distribution channels and disrupt the campaign’s operational resilience. Recommendation To mitigate the risks associated with the Administrative Utility Spoofing campaign, organizations should implement the following defensive measures: Restrict Decentralized Infrastructure Access: block access to the public Ethereum (ETH) RPC endpoints used by EtherRAT, attached in the Appendixes’ section.

These gateways are the primary heartbeat for the decentralized C2 resolution mechanism. Retrospective Communication Review: review of historical logs to identify any outbound communications with the listed RPC ETH endpoints and identified historical C2 domains identified in this research. Tool Provenance & Administrative Awareness: increase awareness among IT personnel regarding using verified internal software centers or direct, authenticated vendor portals for all administrative tools. It is important to educate administrators on the potential risks of sourcing critical utilities from search engine results.

Behavioural Threat Hunting
following behavioural patterns should be reviewed in the given for organization telemetry: repeated, high-frequency beacons (every 500ms) to suspicious external domains periodic outbound requests (every 30000ms or 5 minutes) to public ETH RPC endpoints suspicious process tree: node.exe processes executing shell commands, which may indicate the secondary stages of the EtherRAT payload usage of conhost.exe with the –headless argument, a common artifact of the malware’s attempts to maintain a silent background presence. Appendixes A complete list of Indicators of Compromise (IoCs), mapped TTPs, and detailed malware relationship graphs for this campaign are available for download and review at the TRC GitHub repository . Find out the latest threat intelligence and adversary research insights on Atos Cyber Shield Blogs. Found this article interesting?

This article is a contributed piece from one of our valued partners. Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

New Linux ‘Copy Fail’ Vulnerability Enables Root Access on Major Distributions

Cybersecurity researchers have disclosed details of a Linux local privilege escalation (LPE) flaw that could allow an unprivileged local user to obtain root. The high-severity vulnerability tracked as CVE-2026-31431 (CVSS score: 7.8) has been codenamed Copy Fail by Xint.io and Theori. “An unprivileged local user can write four controlled bytes into the page cache of any readable file on a Linux system, and use that to gain root,” the vulnerability research team at Xint.io and Theori said . At its core, the vulnerability stems from a logic flaw in the Linux kernel’s cryptographic subsystem, specifically within the algif_aead module.

The issue was introduced in a source code commit made in August 2017. Successful exploitation of the shortcoming could allow a simple 732-byte Python script to edit a setuid binary and obtain root on essentially all Linux distributions shipped since 2017, including Amazon Linux, RHEL, SUSE, and Ubuntu. The Python exploit involves four steps - Open an AF_ALG socket and bind to authencesn(hmac(sha256),cbc(aes)) Construct the shellcode payload Trigger the write operation to the kernel’s cached copy of “/usr/bin/su” Call execve(“/usr/bin/su”) to load the injected shellcode and run it as root While the vulnerability is not remotely exploitable in isolation, a local unprivileged user can get root simply by corrupting the page cache of a setuid binary. The same primitive also has cross-container impacts as the page cache is shared across all processes on a system.

In response to the disclosure, Linux distributions have released their own advisories - Amazon Linux Debian Red Hat Enterprise Linux SUSE Ubuntu Copy Fail has its echoes in Dirty Pipe (CVE-2022-0847), another Linux kernel LPE vulnerability that could permit unprivileged users to splice data into the page cache of read-only files and ultimately overwrite sensitive files on the system to achieve code execution. “Copy Fail is the same class of primitive, in a different subsystem,” Bugcrowd’s David Brumley said . “The 2017 in-place optimization in algif_aead allows a page-cache page to end up in the kernel’s writable destination scatterlist for an AEAD operation submitted over an AF_ALG socket. An unprivileged process can then drive splice() into that socket and complete a small, targeted write into the page cache of a file it doesn’t own.” What makes the vulnerability dangerous is that it can be reliably triggered and does not require any race condition or kernel offset.

On top of that, the same exploit works across distributions. “This vulnerability is unique because it has four properties that almost never appear together: it’s portable, tiny, stealthy, and cross-container,” a Xint.io spokesperson told The Hacker News in a statement. “It allows any user account, no matter how low-level, to increase their privilege to full admin access. It also allows them to bypass sandboxing and works across all Linux versions and distributions.” Found this article interesting?

Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

99% of Mythos Findings Remain Unpatched. Defenders Are Building the Response

Google Fixes CVSS 10 Gemini CLI CI RCE and Cursor Flaws Enable Code Execution

Google has addressed a maximum severity security flaw in Gemini CLI – the “@google/gemini-cli” npm package and the “google-github-actions/run-gemini-cli” GitHub Actions workflow – that could have allowed attackers to execute arbitrary commands on host systems. “The vulnerability allowed an unprivileged external attacker to force their own malicious content to load as Gemini configuration,” Novee Security said in a Wednesday report. “This triggered command execution directly on the host system, bypassing security before the agent’s sandbox even initialized.” The shortcoming, which does not have a CVE identifier, carries a CVSS score of 10.0. It affects the following versions - @google/gemini-cli < 0.39.1 @google/gemini-cli < 0.40.0-preview.3 google-github-actions/run-gemini-cli < 0.1.22 In its advisory published last week, Google said the impact is limited to workflows using Gemini CLI in headless mode, adding that any use of the tool in headless mode without folder trust will require manual review to configure this trust mechanism.

“In previous versions, Gemini CLI running in CI environments (headless mode) automatically trusted workspace folders for the purpose of loading configuration and environment variables,” it said. “This is potentially risky in situations where Gemini CLI runs on untrusted folders in headless mode (e.g., CI workflows that review user-submitted pull requests). If used with untrusted directory contents, this could lead to remote code execution via malicious environment variables in the local .gemini/ directory.” This automatic trust of the current workspace folder meant that the tool could load any agent configuration it found without review, sandboxing, or explicit user consent. An attacker could weaponize this behavior by planting a specially crafted configuration that could pave the way for code execution on the host running the agent, effectively turning CI/CD pipelines into supply-chain attack paths.

The update addresses the problem by requiring folders to be explicitly trusted before configuration files can be accessed. To that end, users are being urged to review their workflows and adopt one of two approaches - If the workflow runs on trusted inputs (e.g., reviewing pull requests from trusted collaborators), set GEMINI_TRUST_WORKSPACE: ‘true’ in the workflow. If the workflow runs on untrusted inputs, review Google’s guidance in google-github-actions/run-gemini-cli to harden the workflow against malicious content, and set the environment variable. The tech giant also noted that it’s taking steps to harden tool allowlisting when Gemini CLI is configured to run in –yolo mode to prevent scenarios where untrusted inputs (e.g., user-submitted GitHub issues) could lead to remote code execution via prompt injection by taking advantage of the fact that the auto-approve mode would ignore any allowlist in “~/.gemini/settings.json” and run all tool calls automatically (including “run_shell_command”) without requiring user confirmation.

“In version 0.39.1, the Gemini CLI policy engine now evaluates tool allowlisting under –yolo mode, which is useful for CI workflows that allowlist a few safe commands to run when processing untrusted inputs,” Google said. “As a result, some workflows that previously depended on this behavior may fail silently unless tool allowlists are modified to fit the task.” Cursor Bug Leads to Code Execution The disclosure comes as Novee Security also highlighted a high-severity vulnerability in the AI-powered development tool Cursor prior to version 2.5 (CVE-2026-26268, CVSS score: 8.1) that could also lead to arbitrary code execution by means of a prompt injection. Cursor, in an alert released in February 2026, described it as a case of sandbox escape through .git configurations, allowing a rogue agent to set up a bare repository (“.git”) with a malicious Git hook that’s automatically fired every time a commit operation runs within the embedded repository context without requiring any user interaction. The end result is auto-approved arbitrary code execution on the victim’s machine through the following sequence of actions - User clones a public GitHub repository with the embedded bare repository containing a malicious post-checkout hook User opens the repository in CursorIDE Users ask an innocuous prompt to “explain the codebase” Cursor agent parses the AGENTS.md that instructs it to navigate to the bare repository and performs a “git checkout” of the master branch The post-checkout hook inside the bare repository is triggered, leading to code execution.

“The root cause is not a flaw in Cursor’s core product logic, but rather a consequence of a feature interaction in Git, one that becomes exploitable the moment an AI agent starts autonomously executing Git operations inside a repository it doesn’t control,” security researcher Assaf Levkovich said . “When the agent runs git checkout as part of fulfilling a routine request, it is not doing anything the user didn’t implicitly authorize. But neither the user nor the agent has visibility into what the repository’s Cursor Rules have set in motion. A malicious pre-commit hook embedded in a nested bare repository executes silently, outside the agent’s reasoning chain and outside the user’s field of view.” The findings also coincide with the discovery of another high-severity access control vulnerability in the IDE (CVSS score: 8.2) that could allow any installed extension to access sensitive API keys and credentials stored locally in an SQLite database, enabling account takeover, data exposure, and financial loss stemming from unauthorized API usage.

The issue, codenamed CursorJacking by LayerX, remains unpatched. “Cursor does not enforce access control boundaries between extensions and this database,” LayerX researcher Roy Paz said. “Exploitation of this vulnerability can lead to exposure of session tokens and API keys, unauthorized access to Cursor backend services, and data theft via user impersonation.” Cursor has maintained that the access is limited to the local machine where the user has already installed and granted permissions to the extension, meaning any rogue extension with local file system access could potentially extract valuable information from various application data stores. To counter the threat, it’s essential that users stick to downloading trusted extensions.

Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Cybersecurity researchers are sounding the alarm about a new supply chain attack campaign targeting SAP-related npm Packages with credential-stealing malware. According to reports from Aikido Security , Onapsis , OX Security , SafeDep , Socket , StepSecurity , and Google-owned Wiz , the campaign – calling itself the Mini Shai-Hulud – has affected the following packages associated with SAP’s JavaScript and cloud application development ecosystem - mbt@1.2.48 @cap-js/db-service@2.10.1 @cap-js/postgres@2.2.2 @cap-js/sqlite@2.2.2 “The affected versions introduced new installation-time behavior that was not previously part of these packages’ expected functionality,” Socket said. “The compromised releases added a preinstall script that acts as a runtime bootstrapper, downloading a platform-specific Bun ZIP from GitHub Releases, extracting it, and immediately executing the extracted Bun binary.” “The implementation also follows HTTP redirects without validating the destination and uses PowerShell with -ExecutionPolicy Bypass on Windows, increasing the risk for affected developer and CI/CD environments.” Wiz noted that the malicious packages match several features present in previous TeamPCP operations, indicating that the same threat actor is likely behind the latest campaign. The suspicious versions were published on April 29, 2026, between 09:55 UTC and 12:14 UTC.

The poisoned packages introduce a new package.json preinstall hook that runs a file named “setup.mjs,” which acts as a loader for the Bun JavaScript runtime to execute the credential stealer and propagation framework (“execution.js”). According to Aikido, the malware is designed to harvest local developer credentials, GitHub and npm tokens, GitHub Actions secrets, and cloud secrets from AWS, Azure, GCP, and Kubernetes. The stolen data is encrypted and exfiltrated to public GitHub repositories created on the victim’s own account with the description “A Mini Shai-Hulud has Appeared.” As of writing, there are more than 1,100 repositories with descriptions. In addition, the 11.6 MB payload comes with capabilities to self-propagate through developer and release workflows, specifically using the GitHub and npm tokens to inject a malicious GitHub Actions workflow into the victim’s repositories to steal repository secrets and publish poisoned versions of the npm packages to the registry.

However, the latest incident bears significant differences from prior Shai-Hulud waves - All exfiltrated data is encrypted with AES-256-GCM and encapsulates the key using RSA-4096 with a public key embedded in the payload, effectively making it decipherable only to the attacker. It exits on Russian-locale systems. The payload commits itself into every accessible GitHub repository by injecting a “.claude/settings.json” file that abuses Claude Code’s SessionStart hook and a “.vscode/tasks.json” file with “runOn”: “folderOpen” setting so that any attempt to open the infected repository in Microsoft Visual Studio Code (VS Code) or Claude Code causes the malware to be executed. “This is one of the first supply chain attacks to target AI coding agent configurations as a persistence and propagation vector,” StepSecurity said.

Wiz also pointed out that the check for Russian locale was detected in the recent Checkmarx and Bitwarden compromises, adding the attack uses a TeamPCP-linked shared RSA public key used to encrypt the exfiltrated secrets. “The SAP operation adds the ability to steal credentials from multiple browsers (Chrome, Safari, Edge, Brave, Chromium) and exfiltrate any passwords found there,” Wiz researchers noted. “This feature was not present in any of the previous operations. GitHub based exfiltration to Dune themed repos was the fallback C2 method for the Bitwarden CLI operation, but is now the primary option.” Further analysis into the root cause has revealed that the attackers compromised RoshniNaveenaS’s account for the three “@cap-js” packages, followed by pushing a modified workflow to a non-main branch and using the extracted npm OIDC token to publish the malicious packages without provenance.

As for mbt, it’s suspected to involve the compromise of the “cloudmtabot” static npm token through an as-yet-undetermined channel. “The cds-dbs team migrated to npm OIDC trusted publishing in November 2025,” SafeDep said. “Under this setup, GitHub Actions can request a short-lived npm token without storing any long-lived secrets in the repository. The attacker reproduced this exchange manually in a CI step and printed the resulting token.” “The critical configuration gap: npm’s OIDC trusted publisher configuration for @cap-js/sqlite trusted any workflow in cap-js/cds-dbs, not just the canonical release-please.yml on main.

A branch push could exchange an OIDC token on behalf of the package if the workflow had id-token: write permission and the environment: npm reference.” In response to the incident, the maintainers of the packages have released new safe versions that supersede the compromised releases - sqlite: v2.4.0 , v2.3.0 postgres: v2.3.0 , v2.2.2 hana: v2.8.0 , v2.7.2 db-service: v2.10.1 mbt: v1.2.49 “This campaign illustrates once again how GitHub is becoming the C2 infrastructure of choice for data exfiltration,” OX Security researchers Moshe Siman Tov Bustan and Nir Zadok said. “Blocking github.com is not a realistic option for most development teams, and tracing exfiltration back to a specific threat actor domain becomes nearly impossible when GitHub is the delivery mechanism.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

New Wave of DPRK Attacks Uses AI-Inserted npm Malware, Fake Firms, and RATs

Cybersecurity researchers have discovered malicious code in an npm package after a malicious package as a dependency to the project by Anthropic’s Claude Opus large language model (LLM). The package in question is “ @validate-sdk/v2 ,” which is listed on npm as a utility software development kit (SDK) for hashing, validation, encoding/decoding, and secure random generation. However, its real functionality is to plunder sensitive secrets from the compromised environment. The package, which shows signs of being vibe-coded using generative artificial intelligence (AI), was first uploaded to the repository in October 2025.

The malware campaign has been codenamed PromptMink by ReversingLabs, which linked the activity as part of a broader campaign mounted by the North Korean threat actor known as Famous Chollima (aka Shifty Corsair), which is behind the long-running Contagious Interview campaign and the fraudulent IT Worker scam . “The new malware campaign […] involves a tainted package that was introduced in a Feb. 28 commit to an autonomous trading agent,” ReversingLabs researcher Vladimir Pezo said in a report shared with The Hacker News. “The commit was co-authored by Anthropic’s Claude Opus large language model (LLM).

It allows attackers to access users’ crypto wallets and funds.” The package is listed as a dependency for an another npm package named “ @solana-launchpad/sdk ,” which, in turn, is used by a third package called “ openpaw-graveyard ,” which is described as an “autonomous AI agent” that creates a social on-chain identity on the Solana blockchain using the Tapestry Protocol , trades cryptocurrency via Bankr , as well as interacts with other agents on Moltbook . ReversingLabs said the AI agent-generated package was added as a dependency in a source code commit made in February 2026, causing the agent package to execute malicious code and give attackers access via leaked credentials to the victim’s cryptocurrency wallets and funds. The attack adopts a phased approach, where the first-layer packages do not contain any malicious code, but import second-layer packages that actually embed the nefarious functionality. Should the second cluster be detected or removed from npm, they are swiftly replaced.

Some of the first-layer packages identified are listed below - @solana-launchpad/sdk @meme-sdk/trade @validate-ethereum-address/core @solmasterv3/solana-metadata-sdk @pumpfun-ipfs/sdk @solana-ipfs/sdk “They implement some functionality related to cryptocurrencies,” ReversingLabs explained. “And each package lists many dependencies, most of which are popular npm packages with download counts in the millions and billions, like axios, bn.js etc. However, a small number of the dependencies are malicious packages from the second layer.” The threat actors employ various techniques to help the rogue packages escape detection. These include creating a malicious version of the functions already present in the listed popular packages.

Another technique uses typosquatting, where the names and descriptions mimic legitimate libraries. The first package version published to npm as part of this campaign dates back to September 2025, when “@hash-validator/v2” was uploaded to the registry. The decision to split the cryptocurrency stealer into two parts – a benign bait that downloads the actual malware – may have helped it evade detection and help conceal the true scale of the attack. It’s worth noting that some aspects of the activity were documented by JFrog two months later, highlighting the threat actor’s use of transitive dependencies to execute malicious code on developer systems and siphon valuable data.

In the intervening months, the campaign has undergone various transformations, even targeting the Python Package Index (PyPI) by pushing a malicious package (“scraper-npm”) with the same functionality in February 2026. As recently as last month, threat actors have been observed establishing persistent remote access via SSH and using Rust-compiled payloads to exfiltrate entire projects containing source code and other intellectual property from compromised systems. Early versions of the malware were obfuscated JavaScript-based stealers that scan the current working directory recursively for .env or .json files and stage for exfiltration to a Vercel URL (“ipfs-url-validator.vercel.app”), a platform repeatedly abused by Famous Chollima in its campaigns. While subsequent iterations came embedded with PromptMink in the form of a Node.js single executable application (SEA), it also suffered from a notable disadvantage in that it caused the payload size to grow from a mere 5.1KB to around 85MB.This is said to have caused the threat actors to shift to using NAPI-RS to create pre-compiled Node.js add-ons in Rust.

The evolution of the malware from a simple infostealer to a specialized multi-platform harvester targeting Windows, Linux, and macOS capable of dropping SSH backdoors and gathering entire projects demonstrates North Korean threat actors’ continued targeting of the open-source ecosystem to target developers in the Web3 space. Famous Chollima is “leveraging AI-generated code and a layered package strategy to evade detection and more effectively deceive automated coding assistants than human developers,” ReversingLabs added. Contagious Trader Emerges The findings coincide with the discovery of a malicious npm package named “express-session-js” that’s believed to be linked to the Contagious Interview campaign, with the library acting as a conduit for a dropper that fetches a second-stage obfuscated payload from JSON Keeper, a paste service. “Static deobfuscation of the stage-2 payload reveals a full Remote Access Trojan (RAT) and information stealer that connects to 216[.]126[.]237[.]71 via Socket.IO, with capabilities including browser credential theft, crypto wallet extraction, screenshot capture, clipboard monitoring, keylogging, and remote mouse/keyboard control,” SafeDep noted this month.

Interestingly, the use of legitimate packages like “socket.io-client” for command-and-control (C2) communication, “screenshot-desktop” for screen capture, “sharp” for image compression, and “clipboardy” for clipboard access overlaps with that of OtterCookie , a known stealer malware attributed to the campaign. What’s novel this time around is the addition of the “@nut-tree-fork/nut-js” package for mouse and keyboard control, suggesting broader attempts to upgrade the RAT capabilities to facilitate interactive control of infected hosts. OtterCookie deployment chain OtterCookie, for its part, has witnessed a maturation of its own, getting distributed via a trojanized open-source 3D chess project hosted on Bitbucket and malicious npm packages like “gemini-ai-checker,” “express-flowlimit,” and “chai-extensions-extras.” A third method has employed a Matryoshka Doll approach as part of a campaign dubbed Contagious Trader . The attack begins with the download of a benign wrapper package (e.g., “bjs-biginteger”), which then proceeds to download a malicious dependency (e.g., “bjs-lint-builder”) and ultimately install the stealer.

Overlaps between Contagious Interview, Contagious Trader, and graphalgo “The recent campaigns orchestrated by Shifty Corsair demonstrate the escalating threat of DPRK state-aligned cyber operations,” BlueVoyant researcher Curt Buchanan said . “Their rapid evolution, from static Obfuscator.io encoding to dynamically rotating custom obfuscation, and their abuse of Vercel-hosted C2 infrastructure, demonstrates a maturation in their operational capabilities.” Graphalgo Uses Fake Companies to Drop RAT The development is significant as the threat actor has been simultaneously linked to another ongoing campaign dubbed graphalgo that lures developers using fake companies and leverages fake job interviews and coding tests to deliver malicious npm packages to their systems. The campaign plays out like this: the hackers employ social engineering ploys on job-seeking platforms and social networks to trick prospective targets into downloading GitHub-hosted projects as part of an assessment. These projects, in turn, contain a dependency to a malicious package published on npm or PyPI, whose main goal is to deploy a remote access trojan (RAT) on the machine.

To pull off the attack, the operators set up a network of fake companies, complete with convincing profiles on platforms like GitHub, LinkedIn, and X to give them a veneer of legitimacy and make the deception more convincing. In the case of Blocmerce, the attackers even went to the extent of actually registering a limited liability corporation (LLC) in the U.S. state of Florida under the same name in August 2025. The names of some of the companies used for frontend phishing are as follows - Veltrix Capital Blockmerce Bridgers Finance “These organizations link to several GitHub organizations related to blockchain companies that have been active on GitHub since June 2025,” ReversingLabs security researcher Karlo Zanki said .

“Their purpose is to provide trustworthiness to fake job offerings and to host fake job interview tasks.” Recent versions of the campaign have also been spotted using a different technique for hosting the malicious dependencies. Instead of publishing them to npm or PyPI, they are hosted as a release artifact in GitHub repositories, likely in an effort to minimize the risk of detection. “The reference to the malicious dependency is buried deep inside the list of the transitive dependencies. The resolved field in the package-lock.json file instructs the package manager where to fetch specific package dependencies from,” ReversingLabs noted.

“While all other dependencies are fetched from the official npm registry, the malicious one is fetched directly from a release artifact located in a crafted GitHub repository.” The list of npm packages is below - graph-dynamic graphbase-js graphlib-js The attack culminates with the deployment of a RAT that can gather system information, enumerate files and directories, list running processes, create folders, rename files, delete files, and upload/download files. In recent weeks, a North Korean state-sponsored threat cluster tracked as UNC1069 has also been linked to the compromise of “ axios ,” one of the most popular npm packages, highlighting the continued threat faced by open-source repositories from Pyongyang. Since then, the attackers behind the breach have published a new npm package called “csec-crypto-utils” containing an “updated payload” that substitutes the RAT dropper for a data stealer that exfoliates AWS keys, GitHub tokens, and .npmrc configuration files to an external server (“csec-c2-server.onrender[.]com”). In its report detailing the supply chain compromise, Hunt.io tied the attack to a Lazarus Group sub-cluster known as BlueNoroff , citing infrastructure overlaps and the RAT’s similarities with NukeSped .

“The threat actors’ use of advanced techniques and tactics, as well as an astonishing level of campaign preparation (setting up a Florida LLC) and their ability to adapt, makes North Korean threat actors a top threat to organizations or individual developers focused on cryptocurrency,” ReversingLabs said. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Webinar: How to Automate Exposure Validation to Match the Speed of AI Attacks

In February 2026, researchers uncovered a shift that completely changed the game: threat actors are now using custom AI setups to automate attacks directly into the kill chain. We aren’t just talking about AI writing better phishing emails anymore. We’re talking about autonomous agents mapping Active Directory and seizing Domain Admin credentials in minutes. The problem?

Most defensive workflows still look like this: your CTI team finds a threat, they pass it to the Red Team to test, and eventually, the results reach the Blue Team for patching. This process is full of friction, silos, and delays. The reality is simple: You cannot fight an AI adversary moving at machine speed when your defense moves at the speed of a calendar invite. To bridge this gap, we’re hosting a technical deep dive with the team at Picus Security to unveil a new defensive paradigm: Autonomous Exposure Validation .

Register for the Webinar Here ➜ Leading this session are Kevin Cole (VP of Product Marketing) and Gursel Arici (Sr. Director of Solution Architecture) from Picus Security. Together, they bring a unique blend of strategic threat intelligence and deep technical engineering to show you how to flip the script. Here is exactly what you will walk away with: The Speed Asymmetry: A behind-the-scenes look at the real-world mechanics of how autonomous, AI-driven attacks actually operate.

The Agent Architecture: How to safely automate threat intel ingestion, simulate attacks, and coordinate fixes—without breaking your network. Breaking the Silos: How to eliminate the slow hand-offs between your CTI, Red, and Blue teams so they work as a single unit. The “Team Multiplier” Effect: How lean security teams can achieve enterprise-level protection without doubling their headcount. The attackers have already upgraded their toolkits.

It’s time for us to do the same. If you work in cybersecurity, you cannot afford to miss this shift. 📅 Save Your Spot Today: Register for the Webinar Here (P.S. Even if you can’t make it live, register anyway!

We’ll send you the full recording so you don’t miss out on these insights.) Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

What to Look for in an Exposure Management Platform (And What Most of Them Get Wrong)

Every security team has a version of the same story. The quarter ends with hundreds of vulnerabilities closed. The dashboards are bursting with green. Then someone in a leadership meeting asks: “So, are we actually safer now?” Crickets.

The room goes quiet because an honest answer requires context – which is something that patch counts and CVSS scores were never designed to provide. Exposure management was created to provide this context - to bridge the gap between remediation efforts and actual risk reduction. The market has responded with a flood of platforms claiming to deliver it. Yet the question security leaders are asking is: which exposure management platform actually does provide it?

In this article, I’ll break down the four dominant approaches to exposure management, explain what each one can and can’t deliver, and lay out five evaluation criteria that help you separate platforms built to reduce risk to your unique business and environment from platforms built to report on risk in the wild. Four Approaches, Four Architectures Most exposure management platforms fall into one of four categories, each shaped by how the vendor built (or pieced together) the platform and how it processes data. Stitched portfolio platforms are the product of acquisition(s). A vendor buys point solutions - cloud security, vulnerability scanning, identity analytics, etc.

Data aggregation platforms ingest findings from your existing scanners and third-party tools. Then they normalize the data and present it in a unified interface. These platforms can only work with what they receive. That means if ingested findings are disconnected, there’s no way to correlate how one exposure could enable the next.

Single-domain specialist platforms go deep in one area: cloud misconfigurations, network vulnerabilities, identity exposures, and external attack surface. They deliver strong results, but only in their specific domain of expertise. They run into challenges when exposures in one domain chain into exposures in another domain, and the platform has no way to model that relationship. Integrated platforms are built from scratch to discover and correlate multiple exposure types - credentials, misconfigurations, CVEs, identity issues, cloud configurations - in the same engine.

The platform builds a digital twin of the environment and maps how attackers can move laterally from one exposure to the next  - across on-prem, cloud, and hybrid boundaries. Five Questions That Reveal What a Platform Can Actually Do The architecture behind each of the four approaches has real consequences for what your team can see, validate, and act on. How do you tell the difference when you’re evaluating? Start by asking these five questions: 1.

How many exposure types can it discover - and how deeply does it analyze each one? CVEs account for roughly 25% of the exposures that attackers exploit. Misconfigurations, cached credentials, excessive permissions, and identity weaknesses make up the rest. Stitched portfolios are limited to what each acquired product was built to find.

Aggregators can only normalize what their feeds provide. Single-domain platforms cover just one slice of the pie. An integrated platform should cover both existing and (especially) emerging exposure types - like AI workloads and machine identities - natively. And coverage alone doesn’t tell you enough.

What the platform actually knows about each exposure matters just as much. A platform that ingests findings from third-party tools is limited to the metadata those tools collect - their exploitability conditions, their remediation guidance, their research. A platform that discovers exposures natively controls every layer of information for each finding, from exploitability to fix. If your platform can’t see certain exposure types, you have blind spots.

If it sees them but lacks depth, you’re working with noise. 2. Can it map attack paths across environments? Some stitched products show attack paths.

Those paths are derived from network topology and based on connectivity alone. The platform never models how an attacker would actually move laterally from one exposure to the next. Aggregators produce no paths at all, just normalized lists of disconnected findings. The real test is whether the platform can trace paths across environment boundaries.

An attacker who captures cloud credentials on-prem can bypass every cloud-native defense - because the path started outside the cloud platform’s visibility. An external-facing vulnerability may look low-priority in isolation, but if it maps to an internal entity with a path to a critical asset, it’s an emergency. Most platforms can’t draw those connections. They scan each environment on its own and leave the gaps between them uncharted.

  1. Does it validate exploitability? Most platforms check one or two conditions per exposure, limited by the metadata they store for each finding and the information they collect from each entity in your environment. But true validation means testing multiple conditions: Is the vulnerable library loaded by a running process?

Is the port open and reachable? The platform should deliver binary answers - exploitable or not, reachable or not, path to critical assets or not - all grounded in your actual environment, not general assumptions. 4. Does it factor in security controls?

A CVSS 9.8 vulnerability blocked by a firewall cannot be used for lateral movement…because it’s blocked. A 5.5 identity exposure with a direct path to a domain controller is an emergency. Platforms that ignore firewalls, MFA, EDR, and segmentation can leave your team chasing findings that carry no real risk - and missing the ones that actually threaten your critical assets. If security controls aren’t part of the attack path analysis, your prioritization is pointing you in the wrong direction, and you’re still exposed.

  1. How does it prioritize? Prioritization should answer one question: Does this exposure put a critical asset at risk? Score-based ranking ignores your unique environment.

Asset-tag-based ranking ignores the assets on the blast radius of an exposure. Assumed-path ranking never validates exploitability. All three of these can overwhelm IT teams because none of them connect findings to what the business actually needs to protect. Effective prioritization starts with your critical assets and works backward.

The platform needs to prove that the exposure is exploitable, that an attacker can reach it, and the path leads to something the business can’t afford to lose. When a platform maps all of that in one graph, choke points emerge - places where one fix eliminates multiple attack paths. In large enterprise environments, that narrows the priority list to about 2% of all exposures. What This Means for Your Team The choice of platform architecture determines how secure your environment will be - and how your team spends its time getting there.

Stitched and aggregated platforms can leave teams scrambling to reconcile their findings across tools, fighting with IT over remediations that may not reduce risk, and chasing exposures that lead to dead ends. Single-domain platforms deliver depth in one area but leave blind spots across the rest of the attack surface. An integrated approach eliminates that overhead. It correlates exposures into validated attack paths, factors in the controls you’ve got in place, and identifies the fixes that eliminate the most risk with the fewest actions.

When a remediation closes a choke point, continuous exposure management platforms update the graph in real time. That way, you know that exposures that once looked urgent now lead nowhere, and your priority queue always reflects current risk. When your exposure management platform can validate exploitability, model security controls, and map every viable path to your critical assets – you can answer the question from the opening of this article ( Are we actually safer? ) with an honest yes!

. Note: This article was thoughtfully written and contributed for our audience by Maya Malevich, Head of Product Marketing at XM Cyber. Found this article interesting? This article is a contributed piece from one of our valued partners.

Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Critical cPanel Authentication Vulnerability Identified — Update Your Server Immediately

cPanel has released security updates to address a security issue impacting various authentication paths that could allow an attacker to obtain access to the control panel software. The problem affects all currently supported versions of cPanel and WebHost Manager (WHM), according to an alert published by WebPros on Tuesday. It does not have an official identifier. The issue has been addressed in the following versions - 11.86.0.41 11.110.0.97 11.118.0.63 11.126.0.54 11.130.0.19 11.132.0.29 11.136.0.5 11.134.0.20 “If your server is not running a supported version of cPanel that is eligible for this update, it is highly recommended that you work toward updating your server as soon as possible, as it may also be affected,” cPanel noted.

While cPanel did not share any details about the vulnerability, web hosting and domain registration company Namecheap disclosed that it “relates to an authentication login exploit that could allow unauthorized access to the control panel.” As a precautionary measure, the company has applied a firewall rule to block access to TCP ports 2083 and 2087, a move it said will temporarily restrict customer access to their cPanel and WHM interfaces until a full patch is applied. “Our team is actively monitoring the situation and will apply the official patch across all supported servers as soon as it becomes available,” Namecheap noted. “Access to your control panels will be restored immediately once the patch has been successfully deployed.” As of April 29, 2026, 02:42 a.m. UTC, the fix has been applied to Reseller, Stellar Business servers, and the rest, according to the Namecheap Support Team.

Flaw Now Tracked as CVE-2026-41940; Exploited as 0-Day The authentication bypass vulnerability has been assigned the CVE identifier CVE-2026-41940 , and carries a CVSS score of 9.8 out of 10.0. In an update to its advisory, cPanel said patches have also been pushed to WP Squared version 136.1.7 . “cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel,” according to a description of the flaw in the NIST’s National Vulnerability Database (NVD). cPanel has also urged customers to perform the following actions - Update the server to one of the above-listed versions immediately via the cPanel update script (“/scripts/upcp –force”) Verify and confirm the cPanel build version being returned and perform a restart As mitigations until a patch can be applied, the company is suggesting the following steps - Block inbound traffic on ports 2083, 2087, 2095, and 2096 at the firewall, or Stop cpsrvd and cpdavd Reports on Reddit indicate that the vulnerability has been under active exploitation as a zero-day, with KnownHost CEO Daniel Pearson noting that “this has absolutely been used in the wild, and has been seen at least for the last 30 days if not longer.” The Hacker News has reached out to cPanel for more information, and we will update the story if we hear back.

cPanel has released a detection script to look for indicators of compromise - Session has both token_denied AND cp_security_token and method=badpass origin Pre-authenticated session with authenticated attributes Any session with tfa_verified but no valid origin Password field containing newlines “Compromise of cPanel is materially different from the compromise of a single customer website. WHM grants root administrative access to the server,” Hadrian said . “An attacker with this access can read every customer hosting account, modify files and databases, create backdoor accounts, install malware, steal credentials, and pivot into customer networks.” In a post shared on LinkedIn, Eye Security said it identified over 2 million cPanel instances connected to the internet, although it’s currently not known how many of those have auto-update enabled and are vulnerable to the flaw. watchTowr Labs, which published additional technical specifics about the flaw, said inconsistencies in cPanel’s authentication flow can be exploited by add actors to bypass login checks and access accounts.

In its own advisory for the vulnerability, Rapid7 said CVE-2026-41940 is caused by a Carriage Return Line Feed ( CRLF ) injection in the login and session loading processes of cPanel and WHM, allowing an attacker to gain unauthorized administrative access to the affected systems - Before authentication occurs, cpsrvd (the cPanel service daemon) writes a new session file to the disk. The vulnerability allows an attacker to manipulate the whostmgrsession cookie by omitting an expected segment of the cookie value, avoiding the encryption process typically applied to an attacker-provided value. Attackers can inject raw \r\n characters via a malicious basic authorization header, and the system subsequently writes the session file without sanitizing the data. As a result, the attacker can insert arbitrary properties, such as user=root, into their session file.

After triggering a reload of the session from the file, the attacker establishes administrator-level access for their token. “Let’s call this what it is: an unauthenticated authentication bypass in cPanel and WHM, a management-plane solution deployed on tens of thousands of servers and sitting in front of a meaningful chunk of the internet,” Benjamin Harris, CEO and founder of watchTowr, told The Hacker News. “Within hours of the advisory dropping, nearly every major hosting provider on the planet had firewalled their own customers off their own product. hosting.com, Namecheap, KnownHost, HostPapa, InMotion and the rest all pulled the emergency brake because the alternative was watching their entire customer base get owned in real-time.” Found this article interesting?

Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

CISA Adds Actively Exploited ConnectWise and Windows Flaws to KEV

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added two security flaws impacting ConnectWise ScreenConnect and Microsoft Windows to its Known Exploited Vulnerabilities ( KEV ) catalog, based on evidence of active exploitation. The vulnerabilities are listed below - CVE-2024-1708 (CVSS score: 8.4) - A path traversal vulnerability in  ConnectWise ScreenConnect that could allow an attacker to execute remote code or directly impact confidential data and critical systems. (Fixed in February 2024) CVE-2026-32202 (CVSS score: 4.3) - A protection mechanism failure vulnerability in  Microsoft Windows Shell that could allow an unauthorized attacker to perform spoofing over a network.

(Fixed in April 2026) The addition of CVE-2026-32202 to the KEV catalog comes a day after Microsoft updated its advisory for the flaw to acknowledge it had come under active exploitation. Although Microsoft has not disclosed the nature of the attacks weaponizing the flaw, Akamai said the vulnerability stemmed from an incomplete patch for CVE-2026-21510, which was exploited as a zero-day alongside CVE-2026-21513 by the Russian hacking group APT28 in attacks targeting Ukraine and E.U. countries since December 2025. Attacks exploiting CVE-2024-1708 , on the other hand, have been chained with CVE-2024-1709 (CVSS score: 10.0), a critical authentication bypass vulnerability, by multiple threat actors over the years.

Earlier this month, Microsoft linked the exploitation of the flaws to a China-based threat actor it tracks as Storm-1175 in attacks deploying Medusa ransomware. It’s worth noting that CISA added CVE-2024-1709 to the KEV catalog on February 22, 2024. Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary fixes by May 12, 2026, to secure their networks. Found this article interesting?

Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.