EvilBit Threat Digest - When the Supply Chain Eats Itself

Two weeks of supply chain chaos: npm worm hijacks repos, OAuth integrations abused, APTs use cloud C2, and IoT botnets test massive DDoS.

KryptoKat here. If there's a theme for the last two weeks, it's this: the developer toolchain is now officially the battlefield. We've watched the npm ecosystem get carpet-bombed by a self-propagating worm that stole credentials from 25,000+ repositories, SaaS integrations weaponized for OAuth token theft on a massive scale, and state-sponsored groups refining their espionage tradecraft to the point where they're using cloud services as command infrastructure. Oh, and IoT botnets took advantage of a major cloud outage to test their DDoS capabilities. Just another fortnight in infosec.

The fundamentals haven't changed--patch your systems, audit your integrations, segment your networks--but the execution is getting creative enough that "trust nothing" is starting to feel optimistic. Let's break down what actually matters.

Shai-Hulud 2.0: The NPM Worm That Wouldn't Quit

The biggest story of the past fortnight is unquestionably Shai-Hulud 2.0 (also tracked as Sha1-Hulud), a supply-chain worm that turned the npm ecosystem into its own propagation vector. Wiz Research documented the campaign's scope: over 700 malicious packages, 25,000+ compromised repositories, and automated credential theft targeting AWS, Azure, GCP, GitHub, and npm tokens. The worm is still active as of November 28.

Here's how it works. Attackers publish trojanized npm packages (including legitimate-sounding names like @postman/tunnel-agent, posthog-node, @asyncapi/specs, and @zapier/platform-core) with malicious preinstall scripts. When developers run npm install, the script downloads the Bun JavaScript runtime, executes an obfuscated payload (bun_environment.js), and scans the filesystem for credentials in .aws/credentials, .npmrc, .gitconfig, and cloud secret manager caches. Stolen credentials are exfiltrated to attacker-controlled GitHub repositories--over 25,000 of them--creating a sprawling botnet of hijacked accounts.

The worm doesn't stop at exfiltration. It persists by injecting malicious GitHub Actions workflows (named discussion.yaml and formatter_*.yml) and registers self-hosted runners labeled SHA1HULUD. These runners enable long-term access and further propagation by backdooring victim packages and re-publishing them with the same infection vector. Trend Micro's analysis confirms the worm uses TruffleHog to scan repositories for additional secrets, and includes a destructive wiper that activates if certain anti-analysis conditions are met.

For defenders, the immediate actions are clear:

  • Clear npm caches (npm cache clean --force) and remove node_modules before reinstalling dependencies.
  • Pin package versions to known-good releases published before November 21, 2025.
  • Rotate all credentials: npm tokens, GitHub personal access tokens, and cloud provider credentials (AWS, Azure, GCP).
  • Audit GitHub repositories for workflows named discussion.yaml, formatter_*.yml, and self-hosted runners labeled SHA1HULUD.
  • Disable npm lifecycle scripts in CI/CD pipelines where possible, or restrict outbound network access during package installation.
  • Hunt using IOCs: SentinelOne, Wiz, and Trend Micro have all published SHA256 hashes and detection rules.
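A hunt for the artefacts described above, as an added example that is not the digest's or any vendor's tooling: it walks a checked-out project and flags package.json files whose install-time lifecycle scripts invoke bun or bun_environment.js, any bun_environment.js on disk, workflow files matching discussion.yaml / formatter_*.yml, and workflow files that mention the SHA1HULUD runner label. The fixture tree it builds and the package names bad-pkg and clean-app are constructed for the demo.

```python
import fnmatch
import json
import os
import re
import tempfile

LIFECYCLE = ("preinstall", "install", "postinstall", "prepare")
SUSPICIOUS_SCRIPT = re.compile(r"\bbun\b|bun_environment\.js", re.I)
WORKFLOW_NAMES = ("discussion.yaml", "formatter_*.yml")

def scan_tree(root):
    """Return (finding, relative path) tuples for Shai-Hulud 2.0 artefacts."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name == "bun_environment.js":
                findings.append(("payload file", rel))
            elif name == "package.json":
                try:
                    with open(path, encoding="utf-8") as fh:
                        scripts = json.load(fh).get("scripts") or {}
                except (ValueError, OSError):
                    continue  # unreadable or not JSON: nothing to inspect
                for hook in LIFECYCLE:
                    if SUSPICIOUS_SCRIPT.search(str(scripts.get(hook, ""))):
                        findings.append((f"{hook} script runs bun", rel))
            elif os.path.basename(dirpath) == "workflows":
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
                if any(fnmatch.fnmatch(name, pat) for pat in WORKFLOW_NAMES):
                    findings.append(("worm workflow name", rel))
                if "SHA1HULUD" in text.upper():
                    findings.append(("SHA1HULUD runner label", rel))
    return findings

def build_fixture():
    """Constructed sample tree (no real malware) that trips three of the checks."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "node_modules", "bad-pkg"))
    os.makedirs(os.path.join(root, ".github", "workflows"))
    with open(os.path.join(root, "node_modules", "bad-pkg", "package.json"), "w") as fh:
        json.dump({"name": "bad-pkg", "scripts": {"preinstall": "bun bun_environment.js"}}, fh)
    with open(os.path.join(root, ".github", "workflows", "formatter_1.yml"), "w") as fh:
        fh.write("jobs:\n  run:\n    runs-on: [self-hosted, SHA1HULUD]\n")
    with open(os.path.join(root, "package.json"), "w") as fh:
        json.dump({"name": "clean-app", "scripts": {"test": "jest"}}, fh)
    return root
```

Run scan_tree on a real project root after `npm install`; the fixture only exists so the checks can be exercised offline.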

This is the new baseline for supply-chain attacks: automated, self-propagating, and targeting the infrastructure developers trust implicitly. If you're not monitoring your CI/CD pipelines for anomalous script execution and credential access, you're already behind.

SaaS Supply Chain: OAuth Tokens and Third-Party Trust Failures

Gainsight/Salesforce Breach Expands

The Gainsight OAuth token compromise we flagged last week has grown in scope. Recorded Future and Google Threat Intelligence Group now report that 200–300 Salesforce customer organizations had data accessed via stolen OAuth refresh tokens from Gainsight's customer success platform. The attackers--tracked as Scattered Lapsus$ Hunters and overlapping with UNC6040/UNC6240--used the tokens to impersonate legitimate Gainsight apps and access Salesforce CRM data, including customer contacts, support cases, and licensing information.

Salesforce responded by revoking all OAuth tokens for Gainsight-published apps and temporarily pulling them from the AppExchange. While there's no evidence of a vulnerability in either platform, the breach underscores the fragility of OAuth-based integrations: once an attacker has valid tokens, they inherit all the permissions granted to that app.

For defenders:

  • Revoke and rotate OAuth tokens for all third-party connected apps in Salesforce (Setup → Connected Apps).
  • Review Salesforce API logs for anomalous access patterns, unexpected IP addresses, and bulk data exports.
  • Implement IP allowlisting where possible and enforce conditional access policies for SaaS integrations.
  • Monitor for the IOCs published by Google TAG, including Tor exit nodes 109.70.100.68 and 109.70.100.71.
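Triage logic for the API-log review and IOC bullets above, as an added example and not code from Salesforce, Gainsight or the researchers cited: it reads connected-app API records, flags requests from the two Tor exit nodes quoted above or from outside an IP allowlist, and flags bulk exports. The allowlist range 203.0.113.0/24, the 10,000-row threshold and the sample records are constructed; real Salesforce event log files are CSV with their own column names, so map those columns onto the keys used here.

```python
import ipaddress
import json

# Tor exit nodes quoted above from the Google report
TOR_EXIT_NODES = {"109.70.100.68", "109.70.100.71"}
# Assumed corporate egress range and bulk-export threshold (constructed values)
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24")]
BULK_ROWS = 10_000

def triage(event):
    """Return the reasons one connected-app API event looks suspicious."""
    reasons = []
    ip = ipaddress.ip_address(event["source_ip"])
    if str(ip) in TOR_EXIT_NODES:
        reasons.append("known Tor exit node")
    elif not any(ip in net for net in ALLOWED_NETS):
        reasons.append("outside IP allowlist")
    if event["operation"] in ("Query", "BulkApi") and event["rows"] >= BULK_ROWS:
        reasons.append(f"bulk export of {event['rows']} rows")
    return reasons

def review(lines):
    """Parse JSON-lines records; return (timestamp, app, reasons) for flagged ones."""
    flagged = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        why = triage(ev)
        if why:
            flagged.append((ev["timestamp"], ev["connected_app"], why))
    return flagged

# Constructed records in a simplified JSON-lines shape
SAMPLE_LOG = """\
{"timestamp":"2025-11-20T02:14:09Z","connected_app":"Gainsight","source_ip":"109.70.100.68","operation":"Query","rows":48211}
{"timestamp":"2025-11-20T09:00:01Z","connected_app":"Gainsight","source_ip":"203.0.113.10","operation":"Query","rows":120}
{"timestamp":"2025-11-20T11:37:45Z","connected_app":"Gainsight","source_ip":"198.51.100.7","operation":"BulkApi","rows":15000}
"""

if __name__ == "__main__":
    for ts, app, why in review(SAMPLE_LOG.splitlines()):
        print(ts, app, "; ".join(why))
```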

Scattered Lapsus$ Targets Zendesk Users

The same threat group is also running a phishing campaign against Zendesk users, documented by ReliaQuest and AlienVault. Attackers registered over 40 typosquatted domains mimicking Zendesk's branding and submitted malicious support tickets containing credential-harvesting links and RAT payloads. The goal is to compromise Zendesk support staff accounts, which can then be pivoted to access customer environments.

Mitigations include:

  • Enforce hardware MFA and session timeouts for Zendesk admin accounts.
  • Block typosquatted domains via DNS filtering (IOCs available in the ReliaQuest report).
  • Limit direct messages in Zendesk chat and deploy content filtering rules to catch phishing patterns in support tickets.

The Gainsight and Zendesk campaigns demonstrate a clear pattern: attackers are exploiting the trust relationships between SaaS platforms and their third-party integrations. If you're not treating OAuth apps as privileged access, you're missing the threat model.

APT Espionage: Aerospace, Russia, and Cloud C2

UNC1549 Escalates Aerospace Targeting

Mandiant's updated analysis of UNC1549, an Iran-linked espionage group, shows an escalation in targeting of aerospace, defense, and telecommunications sectors. The group exploits third-party vendor relationships to breach Citrix VDI, VMware, and Azure Virtual Desktop environments, then deploys custom backdoors--MINIBIKE, TWOSTROKE, and DEEPROOT--via DLL search order hijacking with legitimate digital signatures.

Once inside, UNC1549 steals credentials through DCSync attacks against Active Directory and exfiltrates browser data, maintains persistence via reverse SSH tunnels, and uses Azure infrastructure for command and control. The campaign demonstrates increasing operational security sophistication, including targeting internal service ticketing systems to harvest administrative credentials and timing operations around holidays to evade detection.

For defenders:

  • Implement zero-trust access policies for third-party vendors with multi-factor authentication and just-in-time provisioning.
  • Monitor DLL load paths in VDI environments and enforce application allowlisting.
  • Enable comprehensive Active Directory auditing, particularly for DCSync-related operations (Event ID 4662).
  • Hunt for reverse SSH tunnels and unusual outbound connections to Azure infrastructure.
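Detection logic for the DCSync auditing bullet, as an added example rather than anything from the Mandiant report: it takes 4662 events, pulls the directory-replication control-access-right GUIDs out of the Properties field, and flags any account that is not a domain controller computer account or the known directory-sync service account. The GUIDs are the real ones Active Directory records; the event records and the account names (DC01$, DC02$, MSOL_a1b2c3d4, svc_backup, jdoe) are constructed.

```python
import re

# Control-access-right GUIDs recorded in a 4662 event's Properties field when
# directory replication rights are exercised (the DCSync primitive)
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
# Accounts expected to replicate: DC computer accounts and the directory-sync
# service account (constructed names for a lab domain)
EXPECTED_REPLICATORS = {"DC01$", "DC02$", "MSOL_a1b2c3d4"}
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}")

def dcsync_rights(event):
    """Return the replication rights named in a 4662 event, in order of appearance."""
    if event.get("EventID") != 4662:
        return []
    guids = GUID_RE.findall(event.get("Properties", "").lower())
    return [REPLICATION_GUIDS[g] for g in guids if g in REPLICATION_GUIDS]

def suspicious_dcsync(events):
    """Flag replication-rights use by any account outside EXPECTED_REPLICATORS."""
    hits = []
    for ev in events:
        rights = dcsync_rights(ev)
        if rights and ev["SubjectUserName"] not in EXPECTED_REPLICATORS:
            hits.append((ev["SubjectUserName"], ev["ObjectName"], rights))
    return hits

# Constructed 4662 records trimmed to the fields the logic needs
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC02$", "ObjectType": "domainDNS",
     "ObjectName": "DC=corp,DC=example", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "svc_backup", "ObjectType": "domainDNS",
     "ObjectName": "DC=corp,DC=example", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "ObjectType": "user",
     "ObjectName": "CN=jdoe,CN=Users,DC=corp,DC=example", "AccessMask": "0x10",
     "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},
]

if __name__ == "__main__":
    for user, obj, rights in suspicious_dcsync(SAMPLE_EVENTS):
        print(f"possible DCSync by {user} on {obj}: {', '.join(rights)}")
```

Feed it the EventData fields from your SIEM's 4662 export; the expected-replicator set is the only part that needs tailoring per domain.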

APT31 Pivots to Russia

In a geopolitically fascinating turn, Positive Technologies reports that China's APT31 (also known as Striking Panda) has been targeting Russian IT firms and government contractors since at least 2022. The campaign uses phishing to deploy custom backdoors including AufTime (a Linux implant), COFFProxy, VtChatter (which uses VirusTotal comment sections for C2), and OneDriveDoor (leveraging OneDrive for exfiltration). Operations are timed for holidays and weekends, and the group uses scheduled tasks that mimic legitimate application names for persistence.

The shift from traditional Western targets to Russian infrastructure is noteworthy and suggests broader strategic intelligence collection objectives.

QuietCrabs Exploits Fresh CVEs

Positive Technologies also uncovered QuietCrabs, a new APT group exploiting vulnerabilities in Microsoft SharePoint (CVE-2021-27065) and Ivanti Endpoint Manager Mobile (CVE-2025-4427, CVE-2025-4428, CVE-2025-53770) within hours of PoC publication. The group deploys webshells and then a Rust-based loader called KrustyLoader, which injects Sliver C2 beacons into memory. The campaign has an average dwell time of 393 days and targets defense, healthcare, and U.S. organizations. There's infrastructure overlap with the Thor ransomware group, which has hit 110+ Russian organizations.

Immediate actions:

  • Patch SharePoint and Ivanti immediately (patches available for all listed CVEs).
  • Hunt for webshell artifacts in SharePoint and IIS directories.
  • Monitor for KrustyLoader indicators including .text markers and relocated.exe in %TEMP%.

IoT Botnets: Testing in Production

ShadowV2 Exploits AWS Outage for DDoS Testing

FortiGuard Labs documented ShadowV2, a Mirai-variant botnet that exploited eight CVEs in D-Link, TP-Link, DD-WRT, DigiEver, and TBK devices to build a global DDoS army. The botnet made headlines for using a recent AWS outage as a live-fire test opportunity, launching DDoS floods across 28 countries. The command-and-control infrastructure is hosted at silverpath.shadowstresser.info and 81.88.18.108.

The campaign targets end-of-life routers and IoT devices with known vulnerabilities including CVE-2009-2765, CVE-2020-25506, CVE-2022-37055, CVE-2023-52163, CVE-2024-3721, CVE-2024-10914, CVE-2024-10915, and CVE-2024-53375.

Mitigations:

  • Replace end-of-life devices (D-Link has explicitly stated no patches will be issued for affected models).
  • Disable remote management interfaces on consumer routers.
  • Block C2 domains and IPs at the network edge.
  • Deploy IPS signatures for the listed CVEs.

Flodrix/MooBot Targets Langflow AI Framework

AlienVault documented a campaign exploiting CVE-2025-3248, an unauthenticated RCE in the Langflow AI framework (versions prior to 1.3.0). The Flodrix/MooBot botnet, another Mirai variant, is exploiting exposed Langflow instances to deploy DDoS capabilities. Trend Micro and Recorded Future confirmed active exploitation.

If you're running Langflow:

  • Upgrade to version 1.3.0 or later immediately.
  • Restrict public access to the /api/v1/validate/code endpoint.
  • Segment AI/ML infrastructure from production networks.

Mobile Threats: State Spyware and Banking Trojans

CISA Warns of State-Backed Messaging App Compromise

CISA issued advisory AA25-329A warning that state-sponsored actors are using zero-click exploits and device-level vulnerabilities to bypass end-to-end encryption in Signal, WhatsApp, and Telegram. The advisory references Palo Alto's analysis of Landfall spyware, which exploits CVE-2025-21042 (an out-of-bounds write in Samsung's image codec) to achieve zero-click remote code execution on Galaxy S23/S24 devices.

Once compromised, the spyware uses Android Accessibility Services to record decrypted messages, capture screen content, log keystrokes, and exfiltrate location data. The attack doesn't break encryption--it simply waits until messages are decrypted for display and records them at the UI layer.

For high-risk users:

  • Apply OS and app updates immediately.
  • Avoid enabling Accessibility Services for untrusted apps.
  • Verify QR codes and links even from known contacts (account takeover enables follow-on attacks).
  • Use hardware security keys for account authentication where possible.

IRATA Android RAT Targets Iran

AhnLab uncovered IRATA, an Android RAT targeting Iranian users via SMS smishing campaigns. The malware uses geographic evasion (blocking non-Iranian IPs), deploys phishing overlays for banking apps, steals credentials and SMS messages, and self-propagates by hijacking victims' contact lists. It's distributed as fake APKs for popular Iranian services.

Mitigations are standard mobile hygiene: disable sideloading from untrusted sources, enforce app permission reviews, and blocklist the IOCs published by AhnLab.

Closing Thoughts: Supply Chains All the Way Down

The last two weeks have been a reminder that "supply chain" isn't just about SolarWinds-scale incidents anymore--it's every npm package you install, every OAuth app you connect, every third-party vendor relationship you inherit. Shai-Hulud 2.0 demonstrated that developer toolchains are the new perimeter, and the attackers have built automation that scales faster than most organizations can audit.

The defensive playbook hasn't changed: least privilege, credential rotation, network segmentation, and monitoring for anomalous behavior. But the attack surface has expanded to include every transitive dependency, every cloud integration, and every "legitimate" tool that can be repurposed for command and control.

Patch your edge devices. Audit your OAuth apps. Rotate your secrets. And for the love of all that is secure, stop blindly trusting npm install.

Until the next breach notification--and there's always a next one.

-- KryptoKat