EvilBit Threat Digest - The Week the Toolchain Bit Back
Weekly digest of self-propagating supply-chain worms, credential pivots into cloud data, and social engineering driving trust abuse in vendors …and it’s only halfway over.
Monday's vibe: "just a quick npm install." Tuesday's vibe: "why is our BPO provider in the news?" Wednesday's vibe: Lazarus is serving "job interviews" with a side of credential theft.
The menu this week: self-propagating supply-chain worms, upstream SaaS credential pivots into cloud data, and a reminder that social engineering still scales better than most zero-days.
Hope you're hungry. Grab a fork and let's chow down.
Developer ecosystems: worms, invisible ink, and AI toolchain poisoning (UPDATE)
The definition of "supply chain" keeps expanding. It used to mean a compromised library. Now it's your editor, your registry, your extensions, your CI pipeline, and your AI coding assistant. If your asset inventory doesn't account for developer tooling, this section is your wake-up call.
GlassWorm's "four arms" got longer (UPDATE)
GlassWorm is being described as a self-propagating supply-chain worm spanning GitHub repos, npm, PyPI, and VS Code/Open VSX extensions, with credential theft and crypto wallet draining as table stakes. A key detail that keeps showing up: invisible Unicode obfuscation (variation selectors in the U+FE00-U+FE0F and U+E0100-U+E01EF ranges) used to hide malicious logic in plain sight; think steganography, but for code review fatigue. See: Four Arms, One Monster: GlassWorm Invades GitHub, NPM, VS Code, and PyPI, plus corroboration from Aikido's write-up and broader reporting in The Hacker News.
What's changed since our prior supply-chain coverage: this isn't "one bad package." It's propagation via stolen dev credentials, turning marketplaces into a multiplier.
Defender move (practical, not magical):
- Add Unicode "weirdness" scanning to your review and CI paths (don't rely on humans to spot invisible characters).
- Treat developer tokens (GitHub/npm/OpenVSX) like production secrets: rotate aggressively when suspicion exists, and alert on unusual publish bursts.
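One way to implement the Unicode scanning step from the list above, as an added example (not code from GlassWorm reporting or any vendor tool). The two-selector run threshold, the function names, and the sample text are assumptions made for illustration.

```python
"""CI-style check: flag runs of invisible Unicode variation selectors."""
import sys
from pathlib import Path

# Ranges named in the digest: U+FE00-U+FE0F and U+E0100-U+E01EF.
VS_RANGES = ((0xFE00, 0xFE0F), (0xE0100, 0xE01EF))
# Assumption: a single selector (e.g. emoji presentation U+FE0F) is normal;
# a run of two or more has no rendering purpose and is worth a human look.
MIN_RUN = 2

def is_vs(ch):
    return any(lo <= ord(ch) <= hi for lo, hi in VS_RANGES)

def scan_text(text, min_run=MIN_RUN):
    """Return [(line, column, run_length, first_codepoint)], 1-based positions."""
    findings = []
    for lineno, line in enumerate(text.split("\n"), start=1):
        col = 0
        while col < len(line):
            start = col
            while col < len(line) and is_vs(line[col]):
                col += 1
            if col - start >= min_run:
                findings.append((lineno, start + 1, col - start,
                                 f"U+{ord(line[start]):04X}"))
            if col == start:
                col += 1  # not a selector: advance past this character
    return findings

def scan_file(path):
    # errors="replace" keeps the scan going on files that are not valid UTF-8.
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    return [(str(path), *hit) for hit in scan_text(text)]

# Constructed sample: line 2 hides 12 selectors inside a string literal;
# line 3 carries one legitimate emoji presentation selector.
SAMPLE = ("const banner = 'ok';\n"
          "const s = '" + "".join(chr(0xE0100 + i) for i in range(12)) + "';\n"
          "console.log('done \u2714\ufe0f');\n")

if __name__ == "__main__":
    hits = [h for name in sys.argv[1:] for h in scan_file(name)]
    for name, line, col, length, first in hits:
        print(f"{name}:{line}:{col}: {length} variation selectors, first {first}")
    sys.exit(1 if hits else 0)
```

Run against changed files in CI, a non-zero exit fails the job; passing `min_run=1` to `scan_text` is the strict mode for code paths where no emoji are expected.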
GlassWorm moves toward MCP / AI dev tooling (UPDATE)
Koi Security flags a newer wave pushing into MCP servers / AI development tooling territory, with fresh delivery techniques layered on the same distribution model. Even if your org isn't "doing AI agents," your developers might be, quietly, through tools that support MCP integrations. That's an attack surface you didn't ticket, didn't threat model, and probably didn't put behind egress controls. Source: GlassWorm Hits MCP: 5th Wave with New Delivery Techniques.
SANDWORM_MODE is still the blueprint for AI-toolchain abuse (UPDATE)
We covered SANDWORM_MODE previously; this week's relevance is that its playbook keeps looking less "novel" and more "repeatable." The campaign's headline remains: typosquatted npm packages that steal secrets, inject GitHub Actions workflows, and poison AI coding assistants via rogue MCP server injection. Originally disclosed by Socket's Threat Research Team, with detailed follow-up analysis from Endor Labs and additional reporting at SecurityWeek and HivePro.
"Benign payload" still means "hostile publishing pipeline"
Endor Labs also dug into the compromise of the Cline CLI npm package, where a malicious release used a post-install hook to globally install OpenClaw. OpenClaw itself is a legitimate, non-malicious package; the issue was the unauthorized installation mechanism. The root cause is worth noting: attackers used a prompt injection attack via a crafted GitHub issue title that tricked Cline's AI triage bot into leaking a publish token. Today it's a benign package; tomorrow it's a loader. Patch guidance exists: update and remove the global package. Source: Supply Chain Attack Compromises Cline NPM Package, Installs OpenClaw.
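To see which installed packages carry install-time hooks like the one described above, here is an added example (not code from Endor Labs, Cline, or npm) that walks a dependency tree and lists `preinstall`/`install`/`postinstall` scripts. The package names in the sample manifests are hypothetical, and the global-install regex is an assumed heuristic.

```python
"""Audit installed npm packages for install-time lifecycle scripts."""
import json
import re
from pathlib import Path

# npm runs these scripts automatically when a package is installed.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")
# Heuristic (assumption): a hook that calls a package manager with a global
# flag installs software outside the project, the pattern described above.
GLOBAL_INSTALL = re.compile(
    r"\b(npm|pnpm|yarn)\b[^;&|]*\s(-g|--global|global)\b", re.IGNORECASE)

def audit_manifest(manifest):
    """Return [(hook, command, is_global_install)] for one parsed package.json."""
    scripts = manifest.get("scripts")
    if not isinstance(scripts, dict):
        return []
    return [(hook, scripts[hook], bool(GLOBAL_INSTALL.search(scripts[hook])))
            for hook in INSTALL_HOOKS
            if isinstance(scripts.get(hook), str) and scripts[hook].strip()]

def audit_tree(root):
    """Walk root for package.json files; return {"name@version": findings}."""
    report = {}
    for path in sorted(Path(root).rglob("package.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it
        if not isinstance(manifest, dict):
            continue
        findings = audit_manifest(manifest)
        if findings:
            name = manifest.get("name", path.parent.name)
            report[f"{name}@{manifest.get('version', '?')}"] = findings
    return report

# Constructed manifests with hypothetical package names.
SAMPLE_BAD = {"name": "example-cli", "version": "9.9.9",
              "scripts": {"postinstall": "npm install -g example-agent@latest"}}
SAMPLE_OK = {"name": "example-lib", "version": "1.0.0",
             "scripts": {"test": "node test.js", "install": "node-gyp rebuild"}}

if __name__ == "__main__":
    import sys
    for pkg, findings in audit_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        for hook, cmd, is_global in findings:
            print(f"{'GLOBAL-INSTALL' if is_global else 'hook'} {pkg} {hook}: {cmd}")
```

Most hooks this lists will be legitimate native-build steps; the value is in reviewing the list when it changes between releases. npm's `--ignore-scripts` option stops these hooks from running at install time.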
"Trusted relationships" as a breach primitive: Telus Digital and the upstream credential pivot
Outsourcing is an act of faith: you hand your data to a third party and hope they're having a better day than you are.
ShinyHunters claims a breach of Telus Digital with alleged exfiltration on the order of ~1PB, and Telus Digital has confirmed an intrusion. The reported entry point is especially modern: stolen Google Cloud credentials tied to the earlier Salesloft Drift supply-chain incident, then leveraged to move through cloud data and SaaS-connected systems. Reports indicate the attackers used TruffleHog to discover additional credentials post-entry, and demanded $65M in ransom. Sources: Telus Digital affirms hack following ShinyHunters assertions (SC World), Bitdefender coverage, TechRadar, and The Globe and Mail.
Operational takeaway: this is what "supply chain" looks like when the payload is credentials, not code. No CVE. No exploit kit. Just valid access that unlocks the rest of the org chart.
If you're downstream (a client / partner):
- Assume your data may be present in their environment; get clarity on what datasets were hosted, where, and which identities touched them.
- Push for audit evidence: cloud access logs, SaaS integration reviews, and token rotation timelines.
Lazarus' "Contagious Interview": job offers, RATs, and a very real credential harvest
The interview lure is one of the oldest social engineering plays in the book, and Lazarus has turned it into an industrial operation. If a "coding assessment" asks someone on your team to clone and run an unvetted repo, that's initial access with extra steps.
Red Asgard's continuing series on Lazarus' Contagious Interview campaign paints a blunt picture: large-scale developer targeting, credential theft at volume, and infrastructure built to survive takedowns. The Part IV report documents 857 victims across 90 countries and 241,000+ credentials stolen, alongside a newer AnyDesk-flavored RAT for persistent remote desktop access. Source: Hunting Lazarus Part IV: Real Blood on the Wire.
CVE-2024-4577: PHP-CGI on Windows argument injection, RCE
- CVSS: 9.8 (Critical).
- Impact: remote code execution in certain Windows + PHP-CGI deployments (commonly with Apache).
- Affected: Windows PHP running in CGI mode; fixed releases include PHP 8.1.29 / 8.2.20 / 8.3.8. PHP 8.0, 7.x, and 5.x are end-of-life and unpatched.
- Plain-English takeaway: if you've still got PHP-CGI on Windows exposed (or reachable internally), it's the sort of legacy corner that becomes an APT's favorite door.
Context note: Red Asgard tested CVE-2024-4577 against the Lazarus C2 infrastructure during their investigation, but the server ran mod_php, not CGI. The CVE is included here because it's relevant to any environment running PHP-CGI on Windows, not because Lazarus exploited it in this campaign.
Why defenders should care even if you "don't hire devs": The same lure mechanics work on finance analysts, IT admins, and vendors: anyone who can be convinced to "just run this thing." The developer angle simply grants the attacker better odds of landing on machines rich in tokens, SSH keys, and cloud credentials.
For earlier infrastructure-focused context in the same campaign family, Red Asgard's C2 teardown is worth bookmarking: Hunting Lazarus: Inside the Contagious Interview C2 Infrastructure.
ClickFix keeps printing money: Vidar via fake CAPTCHAs
The fake CAPTCHA is the modern-day "please disable your antivirus." Same energy, better UX.
Malwarebytes details a campaign where compromised sites (often WordPress in the mix) serve fake CAPTCHA pages that instruct Windows users to run copy-pasted commands, delivering Vidar infostealer. This "ClickFix" pattern is thriving because it exploits human autopilot: "I'm blocked, so I comply." Source: Hacked sites deliver Vidar infostealer to Windows users.
Defensive note: this is one of the rare social-engineering patterns where basic guardrails help a lot:
- Clamp down on script interpreters spawned from browsers (where your environment supports it).
- Train for the specific smell: any webpage that asks you to run a command is hostile until proven otherwise.
Commodity malware with sharper teeth: fake Telegram loaders + VIP_Keylogger MaaS
Two solid analyses from K7 Security Labs this cycle. Not the kind of threat that makes headlines, but absolutely the kind that fills your incident queue.
- A typosquatted "Telegram download" chain delivering a multi-stage loader that tampers with security settings and executes payloads in-memory, with reported C2 at 27.50.59.77:18852 (jiijua.com). Source: Fake Telegram Malware Campaign: Analysis of a Multi-Stage Loader Delivered via Typosquatted Websites.
- A VIP_Keylogger malware-as-a-service campaign using spearphishing and techniques like steganography and process hollowing. Source: MAAS VIP_Keylogger Campaign - K7 Labs.
Pattern to clock: the commodity tier keeps borrowing tradecraft once reserved for more patient crews, because it works, and kits turn technique into a feature checkbox.
"AI-enhanced malware" in practice: Slopoly (and the part that matters)
IBM X-Force highlights Slopoly, described as an AI-generated C2 backdoor associated with Hive0163 (the group behind Interlock ransomware), alongside supporting tooling including Cloudflare tunnel usage for command-and-control. The interesting bit isn't "AI wrote malware" (attackers have been copy-pasting since before most of us had logins); it's that polymorphism + fast iteration continues to squeeze traditional static detections. Source: A Slopoly start to AI-enhanced ransomware attacks.
Takeaway for blue teams: treat "AI-enhanced" as "faster churn," not "new physics." Your resilience still comes from segmentation, credential hygiene, and catching the early-stage execution behaviors.
Regional espionage check-in: China-nexus activity targets the Persian Gulf with PlugX
Zscaler reports China-nexus activity (assessed with medium confidence as Mustang Panda) targeting the Persian Gulf region, using PlugX and variants; still one of the most stubborn "it won't die" malware families in the APT ecosystem. A decoy PDF referencing Iranian missile strikes against a US base in Bahrain serves as the lure. Source: China-nexus Threat Actor Targets Persian Gulf Region With PlugX.
Why it's worth your time: PlugX campaigns tend to come with long dwell time and operational discipline. If you've got regional exposure (government, defense-adjacent, energy) this is a reminder to validate your telemetry and response readiness before the incident report asks you to.
A small bright spot: $12.5M into open-source security
Major tech companies (Anthropic, AWS, GitHub, Google, Google DeepMind, Microsoft, and OpenAI) pledged $12.5M into Linux Foundation security initiatives (Alpha-Omega / OpenSSF). It's not a cure-all, but it's aligned with the reality that modern enterprise risk is welded to maintainers' unpaid labor. Source: [Tech Giants Invest $12.5 Million in Open Source Security](https://www.securityweek.com/tech-giants-invest-12-5-million-in-open-source-security/).
Funding won't eliminate supply-chain attacks, but it can make the "boring guardrails" (signing, CI hardening, secure defaults) less optional.
Closing: Trust is the attack surface
This issue isn't about one vulnerability. It's about the places we outsource trust: registries, marketplaces, freelance platforms, SaaS integrations, BPO providers, and "helpful" AI assistants. The future isn't a single catastrophic exploit. It's a post-install script, a stolen token, and an approval workflow nobody owns.
Audit the relationships, not just the software. The breach path is often a handshake.
Eyes on the network. Claws ready.
- KryptoKat