ZeroDay Field Notes - Supply Chains on Fire, RATs in the Shadows
Poisoned npm packages hijack AI dev tools, MIMICRAT laughs at ETW, and a Cisco zero-day's been burning since 2023. Sharpen up.
If you figured your dev pipeline was locked down, time for a reality check. This week dropped new poisoned npm packages, AI assistants getting popped, a RAT that laughs at ETW, and Cisco bugs begging to be chained. No fluff, just the stuff you actually need to make your next engagement sharper. Let's get into it.
Supply-Chain Sabotage: npm and NuGet Get Wormed
Socket just called out SANDWORM_MODE, a nasty npm worm hiding in 19 typosquat packages like suport-color, claud-code, cloude-code, and veim. This thing moves fast: import it and it grabs your crypto keys, CI secrets, npm and GitHub tokens, and LLM API keys from multiple providers, including OpenAI and Anthropic. It even probes for locally running AI services on ports like localhost:11434 (Ollama) and several others. It spreads by abusing npm publishes, GitHub APIs, and SSH key exfil, and it poisons GitHub Actions workflows to dump all your secrets in plaintext with ${{ toJSON(secrets) }}.
Don't confuse the name: SANDWORM_MODE has zero confirmed link to GRU's Sandworm (APT44). The label comes from SANDWORM_* environment variable switches baked into the malware's runtime logic. Socket traces the lineage back to the Shai-Hulud worm campaign from September 2025.
Here's the kicker: it drops rogue MCP servers into AI coding assistants like Claude Code, Cursor, Windsurf, and VS Code Continue, writing a malicious server under ~/.dev-utils/ and injecting mcpServers entries into their configs. Your AI helper then quietly leaks code and credentials to someone else via embedded prompt injection. DNS tunneling and DGAs keep C2 up, and there's a polymorphic engine just waiting to mutate. Infra's down for now since npm, GitHub, and Cloudflare moved quick, but if you touched any of these packages, start rotating every secret and nuke your git hooks.
If you're on offense, this is gold. Copy the MCP injection for persistent access in dev environments and use a custom prompt to quietly siphon off proprietary code. Blue teams, check ~/.claude/settings.json and similar files for unexpected mcpServers entries, audit global git hook templates (git config --global init.templateDir), and block freefan[.]net at DNS. Socket's report has the full breakdown. Endor Labs also published a solid technical teardown with execution flow diagrams and DNS tunneling details.
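A triage sketch for the blue-team checks above, added here as an example and not taken from Socket's or Endor Labs' reports: it flags mcpServers entries that launch from .dev-utils or are missing from an allowlist, and finds workflow lines that serialize every secret. The allowlist, sample config and sample workflow are constructed, and the command/args layout of an mcpServers entry is an assumption.

```python
import json
import re
from pathlib import PurePosixPath

SUSPECT_DIR = ".dev-utils"  # directory the write-up says holds the rogue MCP server
SECRETS_DUMP = re.compile(r"\$\{\{\s*toJSON\(\s*secrets\s*\)\s*\}\}")

def audit_mcp_servers(config_text, allowlist):
    """Return (server name, reason) for each mcpServers entry needing review."""
    try:
        config = json.loads(config_text)
    except json.JSONDecodeError:
        return [("<config>", "unparseable JSON")]
    servers = config.get("mcpServers") if isinstance(config, dict) else None
    findings = []
    for name, entry in (servers if isinstance(servers, dict) else {}).items():
        entry = entry if isinstance(entry, dict) else {}
        args = entry.get("args")
        parts = [str(entry.get("command", ""))]
        parts += [str(a) for a in args] if isinstance(args, list) else []
        # Normalize Windows separators so the directory check works on both.
        paths = (PurePosixPath(p.replace("\\", "/")).parts for p in parts)
        if any(SUSPECT_DIR in p for p in paths):
            findings.append((name, "launches from .dev-utils"))
        elif name not in allowlist:
            findings.append((name, "not in allowlist"))
    return findings

def audit_workflow(workflow_text):
    """Return 1-based line numbers where a workflow serializes every secret."""
    return [n for n, line in enumerate(workflow_text.splitlines(), 1)
            if SECRETS_DUMP.search(line)]

# Constructed sample inputs (not real victim data).
SAMPLE_SETTINGS = json.dumps({"mcpServers": {
    "docs-search": {"command": "npx", "args": ["-y", "docs-search-mcp"]},
    "dev-utils": {"command": "node", "args": ["/home/dev/.dev-utils/server.js"]},
    "helper": {"command": "python3", "args": ["helper.py"]},
}})
SAMPLE_WORKFLOW = "steps:\n  - run: echo '${{ toJSON(secrets) }}'\n  - run: npm test\n"

if __name__ == "__main__":
    for name, reason in audit_mcp_servers(SAMPLE_SETTINGS, {"docs-search"}):
        print(f"review MCP server {name!r}: {reason}")
    print("secret-dump lines:", audit_workflow(SAMPLE_WORKFLOW))
```

Feed it the contents of ~/.claude/settings.json and the equivalent files for your other assistants, plus every file under .github/workflows/ in repositories a compromised token could reach.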
Switching gears to .NET, Socket also found four sketchy NuGet packages (NCryptYo, DOMOAuth2_, IRAOAuth2.0, and SimpleWriter_) targeting ASP.NET with JIT hooking and credential exfil. Dropped by 'hamzazaheer' between August 12 and 21, 2024, and racking up over 4,500 downloads before takedown, these use static constructors to hook the JIT compiler with getJit() and compileMethod(), then inject a localhost proxy on port 7152 for C2 tunneling. The companion packages exfiltrate ASP.NET Identity data (user accounts, role assignments, permission mappings) through that proxy, and the C2 server responds with attacker-controlled authorization rules to create persistent backdoors.
Why this is hard to catch: VirusTotal shows 1 of 72 engines flagging NCrypt.dll. The DLL impersonates Windows' native CNG provider (C:\Windows\System32\NCrypt.dll) and exports an entry point at ordinal #1, so it runs standalone via rundll32.exe NCrypt.dll,#1 without NuGet in the picture at all. Protected by .NET Reactor obfuscation with a 14-day expiry timer and anti-debugging. If you're purple-teaming, this is a great example of why AV coverage alone means nothing.
Offensively, the JIT manipulation is a stealthy injection primitive. It bypasses common hooks while enabling credential grabs from Identity stores. If you're simulating supply-chain compromise, fork this for .NET pipelines; it works cross-platform (Windows/Linux/macOS ARM64). NuGet's on takedown, but check for listeners on port 7152. Socket's analysis has hashes and MITRE maps.
These aren't your grandma's typosquats. SANDWORM_MODE's AI poisoning turns dev tools into unwitting spies, like a Neuromancer plot twist. Red teams, weaponize MCP injections for post-exploit persistence; it's low-noise and survives reboots. NuGet's JIT hook? Chain it with a custom loader for memory-only ops. Remember, supply chains are the new perimeter. Trust nothing, verify hashes.
RAT Evolution: MIMICRAT's C++ Sophistication
Elastic Security Labs took apart MIMICRAT (also tracked as AstarionRAT), a custom C++ RAT dropped through compromised legitimate sites in the ClickFix campaign. This isn't throwaway infra; they've popped real sites across multiple industries, including bincheck[.]io and investonline[.]in, with victims confirmed at a US university and among Chinese-speaking users. It starts with a fake Cloudflare verification page that tricks users into pasting obfuscated PowerShell into the Windows Run dialog, which then grabs a second-stage script, patches ETW and AMSI, loads a Lua-based shellcode loader, and finally drops the main binary. MIMICRAT comes loaded with 22 commands: token theft, impersonation, SOCKS5 tunneling, process injection, and exfiltration over malleable HTTP profiles that mimic legit web analytics traffic.
C2 intel for emulation: MIMICRAT talks HTTPS on 443 with a 10-second callback, layering RC4/RSA/AES. Config and headers are hex-encoded ASCII in .data, decoded at runtime. Two infra clusters: payload delivery at 45.13.212.250/251, post-exploitation C2 at 23.227.202.114, relayed through d15mawx0xveem1.cloudfront[.]net. If you're building a lab to emulate this, note that Huntress has documented related ClickFix campaigns deploying Matanbuchus 3.0 into the same MIMICRAT payload.
Key evasions? It patches AMSI in-memory, bypasses ETW by unhooking and disabling logging, and reflectively loads modules (Meterpreter-family shellcode) for a low-disk footprint. The dispatch table supports everything from file discovery to credential dumping, with a focus on token manipulation for lateral moves.
If you're on the offensive side, pay attention to the ETW bypass. Direct syscalls and memory patching help you slip past endpoint telemetry. Combine this with the SOCKS proxy to pivot quietly. Elastic's full writeup has YARA rules, IoCs, and MITRE mappings if you want to emulate advanced RATs.
MIMICRAT's evasion tricks are a reminder that memory forensics isn't optional. Watch for weird PowerShell spawning mshta.exe or lua53.dll injections. Block sketchy TLDs and keep an eye on token impersonation; it's a big warning sign for privilege escalation.
Cisco Exploits: SD-WAN Auth Bypass and Command Injection
Cisco's latest patch dump had some fireworks, and this one's urgent. CVE-2026-20127 (CVSS 10.0) in Catalyst SD-WAN Controller/Manager lets unauthenticated attackers skip peering auth and get high-privileged access, which means they can reconfigure the SD-WAN fabric over NETCONF (port 830). Talos says UAT-8616 is already exploiting it, and has been since at least 2023 as a zero-day. Their post-compromise playbook is slick: create rogue SD-WAN peers, downgrade the software to exploit CVE-2022-20775 for root escalation, then restore the version to cover tracks. Patch to a fixed release (20.9.8.2+ for the 20.9 train) right now.
Heads up for fed teams: CISA dropped Emergency Directive 26-03 on February 25, with a Feb 27 deadline for agencies to inventory in-scope SD-WAN devices. Both CVE-2026-20127 and CVE-2022-20775 are now on the CISA KEV. The ASD-ACSC also published a joint alert. If your org runs Cisco SD-WAN, treat this as assume-breach and start hunting.
Pair it with CVE-2026-20099 (CVSS 6.7) in FXOS/UCS Manager: authenticated admins inject OS commands via the web UI for root RCE. Affects Firepower appliances and UCS Fabric Interconnects. Cisco's advisory has the fixed versions.
Red teams, chain these bugs for infrastructure pivots: use the auth bypass to create a rogue peer, reconfigure the fabric, then command-inject your way to root on downstream appliances. No public PoCs yet, but the attack paths are obvious. Cisco's SD-WAN advisory lists the fixed versions, and The Hacker News has a good rundown of the Talos exploitation details.
Quick Hits: More Malware and Vulns
- OysterLoader: Sekoia published a detailed teardown of this multi-stage C++ loader (aka Broomstick/CleanUp) tied to Rhysida and the WIZARD SPIDER crew. It arrives as signed MSI installers impersonating PuTTY, WinSCP, and Google Authenticator, using a four-stage chain with steganographic payload hiding in icon images. Also delivering Vidar. Rhysida burned through 40+ code-signing certs in recent campaigns per Expel, so "it's signed" means nothing. Hunt for C2 paths like /api/v2/init and /api/v2/facade, and watch for rundll32 persistence hitting AppData every 13 minutes.
- MarsSnake: UnsolicitedBooker hits Central Asian telecoms with this backdoor via CVE-2018-0802 exploits in Office docs. DLL side-loading and IPFS C2. Patch that ancient vuln. Details.
- Steaelite RAT: BlackFog broke down this all-in-one panel for double extortion, sold on underground forums since November 2025. It auto-harvests browser passwords, session cookies, and tokens the moment a victim connects, before the operator even touches the dashboard. Bundles ransomware deployment, hidden RDP, UAC bypass, and a crypto clipper in one browser UI. Android ransomware module coming soon. Block *.ngrok-free.app and watch for HVNC processes.
- OAuth Token Theft: Active campaign stealing Microsoft 365 tokens with device-code phishing, giving attackers read/write access to email, Teams, and OneDrive. Red Canary has the full intel on the Entra ID attack flow. Revoke suspicious apps and audit consented scopes.
- Agent Tesla Update: Fortinet's latest deep-dive covers a phishing campaign using RAR-packed .jse loaders, AES-CBC encrypted PowerShell stages, and process hollowing of aspnet_compiler.exe to run entirely in-memory. The whole chain is fileless after the initial script; SMTP exfil goes to mail[.]taikei-rmc-co[.]biz. If you're building your own beacons, the hollowing-into-trusted-dotnet-binary technique is worth studying.
These RATs and exploits are standard fare for chained operations. OysterLoader's cert abuse slips past AV like it's not even there. MarsSnake's IPFS C2 is tough to take down. Borrow the device-code token theft tricks for cloud pivots; it's social engineering that even MFA can't stop.
Wrapping this up: ecosystems are crumbling under the weight of the supply chain, but that's our playground. Adapt these primitives, test your evasions, and remember: every dev tool's a potential backdoor. Stay frosty out there.
~ UncleSp1d3r