EvilBit Threat Digest - The Permissions We Granted

There is a particular kind of exhaustion that comes from watching the same trust model break in five different ways before Friday.

This week delivered exactly that: CI/CD credentials turned into skeleton keys, a Python runtime feature weaponized for ambient persistence, a rootkit that borrowed eBPF from the defenders' own playbook, and phishing campaigns that finally learned to sound like bureaucracy instead of Nigerian princes. The thread connecting all of it is not "supply chain" (we have beaten that drum enough). It is the widening gap between what we assume is trusted and what actually deserves to be.

When CI/CD Becomes C2

TeamPCP is back. If the name is starting to feel familiar, that should track. What we are seeing now is not a single incident; it is a campaign chaining compromises across ecosystems like a bored sysadmin with SSH access to everything.

The latest expansion: Checkmarx GitHub Actions and OpenVSX extensions compromised via stolen CI credentials (TeamPCP's Checkmarx GitHub Actions Attack).

Here is the uncomfortable part: this was not a "bug." It was trust abuse at scale.

The attack path looks roughly like this:

• Compromise upstream tooling (earlier: Trivy)
• Steal CI/CD credentials
• Inject malicious logic into downstream pipelines (Checkmarx Actions, extensions)
• Exfiltrate secrets from anyone who runs those pipelines

If your pipeline pulls a compromised action, congratulations. You just invited an attacker into your build environment with a backstage pass.

Hunting note: Check GitHub Actions workflow runs between March 19 and March 24 for unexpected secret access patterns. If your org uses Checkmarx Actions or OpenVSX extensions from cx-dev-assist or ast-results, audit those versions immediately. The malicious OpenVSX packages were ast-results v2.53.0 and cx-dev-assist v1.7.0.

And yes, it gets worse.

UPDATE: LiteLLM Turns Every Python Process Into an Informant

We covered the signs of this earlier in the week, and now we have the full picture. It is worse than it first looked.

The LiteLLM compromise has solidified into one of the more elegant (read: terrifying) abuses of Python's import mechanics in recent memory (LiteLLM Security Update, ReversingLabs analysis).

Affected versions:

• LiteLLM 1.82.7
• LiteLLM 1.82.8

The trick:

• A .pth file (litellm_init.pth) was dropped into site-packages
• Python automatically executes .pth files on interpreter startup
• Result: code execution on every Python run, regardless of whether LiteLLM is imported

That is not persistence. That is ambient presence.

Payload capabilities included:

• SSH key harvesting
• Cloud credential theft (AWS/GCP/Azure)
• Kubernetes config exfiltration
• CI/CD secrets and environment variables
• Crypto wallet scraping (because of course)

Because the malicious versions were live, though briefly, any environment doing unpinned installs during that window is suspect.

What to check now: Run find $(python3 -c "import site; print(site.getsitepackages()[0])") -name "*.pth" -exec grep -l "litellm" {} \; across your Python environments. If you pinned LiteLLM to latest or used a version range that includes 1.82.7/1.82.8, treat that host as compromised. Rotate cloud credentials, SSH keys, and any CI/CD tokens that were present in environment variables.

The deeper lesson is not about LiteLLM. It is this: language runtime features are now part of the attack surface.

A Familiar Trick, Sharpened: Magecart Goes Real-Time

Magecart never really left. It just upgraded its tooling.

This campaign targeting WooCommerce sites (especially in Spain) adds a sharp twist: WebSocket-based exfiltration (Global Magecart Campaign).

Instead of the usual "POST the card data to a sketchy domain," we get:

• Multi-stage JavaScript loaders with fallback domains
• Payment page impersonation (Redsys mimicry)
• Live exfil over wss:// connections

Why this matters:

• WebSockets blend in with modern app traffic
• Many monitoring setups treat them as "just another HTTPS tunnel"
• Data leaves as it is entered, not in batches

It is basically turning checkout pages into streaming keyloggers.

Detection angle: If your WAF or proxy logs do not capture WebSocket upgrade requests separately, you are blind to this. Look for wss:// connections initiated from payment pages to domains outside your expected merchant processor list. The campaign used infrastructure mimicking Redsys (e.g., redsysgate[.]com), so domain reputation alone will not catch copycat infrastructure.

If your detection logic still assumes exfil = HTTP POST, you are watching the wrong protocol.

Rootkits Are Not Dead. They Just Learned eBPF.

The VoidLink framework is a Linux rootkit that feels like it read the kernel roadmap and took notes (VoidLink analysis).

It blends:

• LKM (Loadable Kernel Modules) for deep hooks
• eBPF for flexible, harder-to-detect instrumentation

Add in:

• Delayed initialization (no immediate "I am here" signal)
• Process and network hiding
• Cross-view evasion (userland vs kernel discrepancies)

Result: something that behaves less like malware and more like a kernel feature that should not exist.

The eBPF angle is key. It is powerful, legitimate, and increasingly monitored, but not always well monitored.

Hunting query: Compare the output of bpftool prog list against your expected eBPF programs. VoidLink's eBPF components manipulate Netlink socket responses to hide network connections from tools like ss. Cross-reference ss output with /proc/net/tcp directly; discrepancies between the two are a strong indicator of Netlink-layer tampering.

We are watching attackers move into the same space defenders adopted for observability. That overlap rarely ends cleanly.

Botnets That Do Not Look Like Botnets

Kamasers is technically "just" a DDoS botnet, but that undersells it (Kamasers analysis).

What stands out:

• Multi-vector attacks (L7 + volumetric + protocol abuse)
• C2 infrastructure hiding behind legitimate services
• Acts as a loader for additional payloads

Translation: today it floods your edge, tomorrow it drops ransomware.

Also worth noting:

• Multiple distinct attack commands across HTTP flood, TCP SYN/ACK, UDP, and slowloris variants
• Ties to known distribution chains (Amadey, GCleaner)

This is not a smash-and-grab botnet. It is modular. Which means access is probably being resold.

Rent-a-DDoS meets "oh, by the way, we left something behind."

Network defense note: Kamasers' loader capability means DDoS mitigation alone is insufficient. If you see traffic patterns consistent with Kamasers C2 (check ANY.RUN's IoC list in the linked analysis), treat it as a potential initial access vector, not just a volumetric nuisance. Hunt for secondary payloads on any host that communicated with known Kamasers infrastructure.

Social Engineering, Now With Better UX

Two campaigns from this week leaned hard into presentation.

First: TikTok Business AitM phishing using Cloudflare Turnstile to filter bots and look legitimate (Push Security write-up).

Highlights:

• Adversary-in-the-Middle proxies that bypass MFA
• Domains registered in bulk within seconds
• Targets ad accounts, enabling malvertising at scale

Second: Silver Fox's fake tax audits delivering multi-stage malware (Sekoia analysis).

The shift here is subtle but important:

• Less "you have won a prize"
• More "this looks like a bureaucratic nightmare you should deal with immediately"

Attackers are getting better at emotional tone, not just technical delivery.

Frankly, fear of taxes is more reliable than curiosity about invoices.

MFA is not the finish line: The TikTok campaign demonstrates that AitM proxies render traditional TOTP and SMS-based MFA ineffective. Phishing-resistant MFA (FIDO2/WebAuthn hardware keys) remains the only reliable countermeasure for high-value accounts. If your organization manages ad spend through social media business accounts, those accounts deserve the same authentication rigor as your cloud admin consoles.

Patch Notes Worth Your Time

A few items that should not get buried:

• Cisco IOS XE DoS trio. Plain English: your switches can be knocked over, sometimes remotely, sometimes by someone already inside.
  • CVE-2026-20084: unauthenticated BOOTP-triggered DoS on Catalyst 9000 (CVSS 8.6) (Cisco advisory)
  • CVE-2026-20083: SCP malformed request DoS (authenticated, low privilege)
  • CVE-2026-20110: privilege misassignment enabling interface disruption on Catalyst 9300 (CVSS 6.5)
• GitLab CE/EE patch set Multiple high-severity issues (CVE-2026-2370 at CVSS 8.1, CVE-2026-3857 at CVSS 8.1, others) affecting versions prior to 18.10.1 / 18.9.3 / 18.8.7 (GitLab release)
• Nessus plugin updates Coverage now includes:
  • Langflow RCE + auth bypass (AI tooling now firmly in scope)
  • Nginx updates (1.28.3 / 1.29.7)
  • IBM WebSphere fixes (Tenable plugin feed)

Patch prioritization: The Cisco BOOTP vulnerability (CVE-2026-20084) is the one to fast-track. It is unauthenticated, network-adjacent, and hits Catalyst 9000 series, which sit at the core of a lot of campus and branch networks. If you cannot patch immediately, ensure DHCP snooping configurations are reviewed and BOOTP traffic is filtered at the access layer. The GitLab CVEs both score 8.1; CVE-2026-2370 affects Jira Connect integrations and CVE-2026-3857 is a CSRF in the GLQL API affecting all versions from 17.10 onward.

The pattern: infrastructure, CI/CD, and AI tooling all showing up in the same patch cycle. That is not a coincidence.

Closing Thoughts

We used to worry about "downloading malware." Now we pip install it, automate it, version it, and grant it permissions.

But this week's stories tell a broader arc. The real shift is not just in how code gets compromised. It is in where the battlefield moved: into kernel features that double as rootkits, into botnets that double as access brokers, into phishing pages that feel more legitimate than the real ones. Trust, once abstract, is now executable.

Choose your dependencies accordingly.

Eyes on the network. Claws at the ready.

- KryptoKat