EvilBit Threat Digest - Trust, But Check the Package Manager

Supply chain compromises dominate the week: axios attribution lands, CI/CD blast radius widens, and phishing kits shrug off takedowns.

A quiet week, if by "quiet" we mean multiple software ecosystems caught fire at once.

The last few days delivered a very specific kind of bad news: trusted developer paths keep doubling as delivery channels. npm stayed cursed, PyPI kept its sketchy side hustle, RubyGems joined the party, and a few older vulnerability stories came back with sharper operational context instead of fresh novelty. Add in renewed espionage reporting, browser extensions behaving like resident spyware, and phishing kits that treat takedowns as mere scheduling conflicts, and here we are.

Let's sort the signal from the static.

Supply chain is still the main character

UPDATE: Axios moves from incident to ecosystem-wide response

We already knew the axios compromise was ugly. What changed this week is the clarity around impact, attribution, and response expectations. New reporting from Sophos, Elastic, Datadog, Huntress, and Snyk filled in the picture: compromised maintainer credentials led to malicious axios@1.14.1 and axios@0.30.4 releases, which pulled a phantom dependency, plain-crypto-js@4.2.1, and dropped a cross-platform RAT. Microsoft Threat Intelligence has attributed the infrastructure and the compromise to Sapphire Sleet, a North Korean state actor.

The practical takeaway is nastier than "downgrade and move on." If those versions landed anywhere in your environment, especially CI runners or developer workstations, assume secrets were exposed. Hunt for node_modules/plain-crypto-js/, outbound traffic to sfrclak[.]com or 142.11.206.73, and persistence artifacts like com.apple.act.mond, ld.py, or system.bat depending on platform (Sophos, StepSecurity). This stopped being a package-integrity story and became a credential-rotation story about five minutes after publication.
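One way to run the file-system half of that hunt across a checkout or a CI runner's workspace. This is an added example, not Sophos's or StepSecurity's tooling: it walks a tree, reads every package-lock.json it finds (both the v1 nested "dependencies" layout and the v2/v3 "packages" layout), and flags the two compromised axios versions, the plain-crypto-js phantom dependency, and the persistence file names named above. The sample project tree it builds is constructed for the demo; the domain and IP indicators belong in network telemetry and are not checked here.

```python
"""Hunt for the axios supply-chain indicators on disk (added example)."""
import json
import os
import tempfile

# Indicators from the reporting summarised above.
BAD_AXIOS_VERSIONS = {"1.14.1", "0.30.4"}
PHANTOM_DEP = "plain-crypto-js"
PERSISTENCE_NAMES = {"com.apple.act.mond", "ld.py", "system.bat"}


def _iter_lock_packages(data):
    """Yield (name, version) pairs from a package-lock.json of any lockfileVersion."""
    # lockfileVersion 2/3: "packages" keyed by install path, e.g. "node_modules/axios"
    for path, meta in data.get("packages", {}).items():
        if path:  # the empty key is the root project itself
            yield path.rsplit("node_modules/", 1)[-1], meta.get("version")

    # lockfileVersion 1 (and the v2 compatibility section): nested "dependencies"
    def walk(deps):
        for name, meta in deps.items():
            yield name, meta.get("version")
            yield from walk(meta.get("dependencies", {}))

    yield from walk(data.get("dependencies", {}))


def _check_lockfile(path):
    """Return a set of (kind, location, detail) hits for one lockfile."""
    try:
        with open(path, encoding="utf-8") as fh:
            data = json.load(fh)
    except (OSError, ValueError):
        return set()
    hits = set()
    for name, version in _iter_lock_packages(data):
        if name == "axios" and version in BAD_AXIOS_VERSIONS:
            hits.add(("compromised_axios", path, f"axios@{version}"))
        elif name == PHANTOM_DEP:
            hits.add(("phantom_dependency", path, f"{name}@{version}"))
    return hits


def scan_tree(root):
    """Walk root and return a sorted list of (kind, location, detail) findings."""
    findings = set()
    for dirpath, _dirnames, filenames in os.walk(root):
        base = os.path.basename(dirpath)
        parent = os.path.basename(os.path.dirname(dirpath))
        # An installed copy of the phantom dependency, whatever the lockfile says
        if base == PHANTOM_DEP and parent == "node_modules":
            findings.add(("phantom_dependency_dir", dirpath, ""))
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            if fn in PERSISTENCE_NAMES:
                findings.add(("persistence_artifact", full, fn))
            elif fn == "package-lock.json":
                findings |= _check_lockfile(full)
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample: one project pinned to a bad axios, one clean, one stray script."""
    bad = os.path.join(root, "app-bad")
    os.makedirs(os.path.join(bad, "node_modules", PHANTOM_DEP))
    with open(os.path.join(bad, "package-lock.json"), "w", encoding="utf-8") as fh:
        json.dump({"lockfileVersion": 3, "packages": {
            "": {"name": "app-bad"},
            "node_modules/axios": {"version": "1.14.1"},
            f"node_modules/{PHANTOM_DEP}": {"version": "4.2.1"},
        }}, fh)
    good = os.path.join(root, "app-good")
    os.makedirs(good)
    with open(os.path.join(good, "package-lock.json"), "w", encoding="utf-8") as fh:
        # Any version outside the compromised set counts as clean for this check
        json.dump({"lockfileVersion": 1, "dependencies": {
            "axios": {"version": "1.0.0", "dependencies": {}},
        }}, fh)
    # Constructed stand-in for a dropped persistence script on a developer box
    with open(os.path.join(root, "ld.py"), "w", encoding="utf-8") as fh:
        fh.write("# constructed placeholder\n")


def run_demo():
    """Build the constructed tree in a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for kind, where, detail in run_demo():
        print(f"{kind:24} {where} {detail}")
```

Point scan_tree at a repository root or a runner's workspace directory; anything it returns is a rotate-the-secrets event, not a "remove and rebuild" event.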

UPDATE: Trivy wasn't a single compromise, it was a blast radius lesson

We've covered the TeamPCP chain before. This week's worthwhile addition is a cleaner reconstruction of what was stolen, where the persistence lived, and how defenders should treat downstream exposure. SafeDep's write-up ties together the compromise of Trivy, related GitHub Actions, and more than 60 npm packages into one timeline.

The defender lesson here is that CI/CD compromise is rarely content with one registry. The attacker path moved from workflow secrets to malicious publishes to host persistence. SafeDep notes Linux/macOS developer systems running the tainted Trivy release should be checked for systemd/user-service style backdoors and Python-based persistence in user directories, while any GitHub Actions context that touched the bad workflow versions should be treated as secret-spilled by default. In plain English: if your build pipeline touched this mess, don't ask whether an API key was exposed. Ask how many.

A different flavor of npm rot: wallets, chatbots, and North Korean plumbing

Not every malicious package this week aimed for broad compromise. Some were far more selective, which arguably makes them more instructive.

Socket's report on four npm packages targeting BSC and Ethereum users shows a simpler but effective pattern: obfuscated JavaScript, hardcoded wallet logic, and direct value theft. No grand stealth framework, no post-exploitation opera. Just dependency abuse translated into money.

Meanwhile, Socket's look at the infrastructure behind the Contagious Interview campaign is the more strategic read. The notable bit isn't merely that 197 malicious npm packages were involved. It's the use of GitHub and Vercel as staging and delivery fabric, turning familiar developer infrastructure into part of the infection chain. That is the same old DPRK pattern in a newer coat: blend with legitimate workflows, parasitize trust, and let developers do the distribution for you.

And then there's the weird little gremlin award: a malicious Koishi plugin that exfiltrates messages containing eight-character hexadecimal strings to a hardcoded QQ account. Very specific, very odd, and exactly the kind of backdoor that survives because it doesn't look ambitious. Small ecosystems get targeted too. Attackers read niche docs now. What a time to be alive.

RubyGems joins the bad ideas club

Two typosquatted Fastlane-related RubyGems plugins, fastlane-plugin-telegram-proxy and fastlane-plugin-proxy_teleram, were found exfiltrating Telegram bot tokens, chat IDs, messages, and attachments to an attacker-controlled endpoint, according to Socket Threat Research. The campaign appears timed to the demand for Telegram circumvention that followed Vietnam's move to block the platform, adding a little geopolitical opportunism to the usual registry abuse.

This one matters because it hits CI/CD-adjacent automation. Fastlane plugins often run in trusted build contexts with broad access to mobile delivery pipelines, secrets, and chat ops plumbing. A lot of supply-chain reporting focuses on developer laptops; this is a reminder that automation glue is just as juicy. If a plugin promises to "help you route around restrictions," perhaps do not hand it your bot token and the keys to the release train. Jane Austen did not cover this, but she would have recognized the poor judgment.

Credential theft is getting more industrial

Talos maps a harvesting operation at scale against Next.js

This is the most useful update on CVE-2025-55182, not because the bug is new, but because the post-exploitation workflow is now better documented. Cisco Talos describes UAT-10608 compromising at least 766 hosts by exploiting vulnerable Next.js / React Server Components deployments.

CVE-2025-55182 is a critical RCE in React Server Components that affects vulnerable Next.js deployments exposing the relevant server-side execution path; exploitation has been confirmed in the wild and CISA added it to KEV. The plain-English version remains unchanged: if your app accepted maliciously crafted requests to vulnerable server function paths, an unauthenticated attacker could execute code on the server. Patch to vendor-fixed versions immediately per React's advisory. Federal agencies should note that CVE-2025-55182 is on CISA's KEV catalog with a binding remediation deadline; for everyone else, treat that deadline as your unofficial "if you haven't patched by now, write the risk acceptance memo" date.

What Talos adds is operational texture. The campaign wasn't just smashing boxes for a shell and wandering off. It systematically harvested AWS credentials, GitHub tokens, Stripe secrets, SSH keys, and environment data, then pushed them through a centralized C2 workflow called NEXUS Listener. That is a cleaner model of modern intrusion economics: exploit once, loot cloud and developer secrets, pivot later. Web app RCE is often just the appetizer.

Scan check: Tenable has plugins for CVE-2025-55182. If your scan policy covers web application frameworks, verify the RSC/Next.js detection is active. If you're running Nessus in "safe checks" mode, confirm it's not skipping the unauthenticated path test. This one is worth a manual spot check.

Tycoon 2FA is back, because takedowns are apparently just patch notes

eSentire's latest update shows the Tycoon 2FA phishing ecosystem adapting after the coalition disruption announced by Microsoft. The kit hasn't reinvented itself. It has re-homed itself: new ASNs, continued use of proxy infrastructure like ProxyLine, and the same core ability to steal credentials and session-linked MFA material from Microsoft 365 and Gmail users.

That's useful because it reinforces a depressing but important point: infrastructure takedowns hurt operations, but they rarely retire a successful phishing kit. Defenders should treat post-takedown periods as migration windows, not victory laps. Watch for shifts in source ASNs and mailbox-rule abuse, and keep conditional access tuned for impossible travel and weird proxy-heavy sign-in patterns. The kit survived. It just changed apartments.

Espionage crews stayed busy, and still love familiar tricks

TA416 returns to Europe with old habits and a few new wrappers

Proofpoint's new TA416 report is less about shocking innovation than campaign continuity. The group resumed targeting European government and diplomatic entities, while expanding into the Middle East, using a mix of web bugs, OAuth redirect abuse, ZIP smuggling, and PlugX delivery through DLL sideloading.

That last piece still matters because DLL sideloading remains one of those techniques defenders know intellectually and still miss operationally. A signed or legitimate executable loads a malicious DLL from a path the attacker controls, and the endpoint story begins with "but the binary was trusted." It is the security equivalent of letting a con man into the house because he wore a reflective vest.

Proofpoint also notes abuse of Cloudflare Turnstile and Entra ID/OAuth redirection in parts of the chain. The broader pattern is familiar: attackers increasingly avoid obviously malicious infrastructure until the last possible step. The phish looks ordinary, the redirect looks plausible, the binary looks signed, and then your diplomat's laptop has PlugX. Same melody, new arrangement.

Hunting note: Proofpoint's March 2026 variants used a signed Canon executable (CNMNSST.exe) loading a malicious CNCLID.dll for PlugX sideloading. If your EDR supports DLL load telemetry, alert on CNCLID.dll loaded from non-standard paths, or CNMNSST.exe executing outside Canon software directories. MITRE: T1574.002 (Hijack Execution Flow: DLL Side-Loading).

BlueNoroff keeps auditioning for the role of "worst possible Zoom call"

Kaspersky's deep dive into BlueNoroff's GhostCall and GhostHire campaigns is worth your time if you defend crypto, Web3, venture, or anyone who mistakes Telegram DMs for a hiring process.

The technical detail is extensive, but the important pattern is simple: fake meetings and fake recruiting workflows are now just delivery mechanics for a sprawling cross-platform theft operation. Kaspersky describes multiple malware families across macOS, Windows, and Linux targeting browser credentials, wallet data, SSH material, cloud configs, Telegram sessions, and more. The social engineering is not especially elegant; it is merely persistent, targeted, and attached to the kind of people who have money keys on disk.

There's also a supply-chain wrinkle in the use of malicious Go packages. Because apparently "download a coding task from a stranger on Telegram" still has a user base. The campaign is a reminder that APT tradecraft is often less about zero-days and more about patient abuse of professional habits: interviews, demos, collaboration tooling, code review, urgency. Corporate theater, but with better malware.

Browsers continue to be tiny unmanaged endpoints

Browser extensions are still the spyware nobody inventories properly

Socket's research on malicious browser extensions doesn't revolve around a single outbreak so much as a pattern defenders keep underestimating. Extensions in trusted stores are abusing ordinary APIs for pop-up hijacking, traffic redirection, social-media metric manipulation, and credential theft. Socket also notes a dark-web market for turnkey Chrome extension malware frameworks.

That matters because extensions sit in an awkward security blind spot. They're more privileged than users realize, less visible than most endpoint tools would like, and often approved with the same care people use when accepting cookie banners. Which is to say: none.

The practical defense here is painfully unglamorous. Enforce allowlists, review permissions, and stop letting "needs access to all websites" slide by because the icon looked friendly. Browser fleets have quietly become another application control problem. We just keep pretending they're a usability feature.
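What "enforce allowlists, review permissions" looks like when turned into a check you can run over an exported extension inventory. This is an added example, not Socket's research tooling or any browser vendor's API: it reads the permission model as Chrome manifests document it (MV2 host patterns inside "permissions", MV3 "host_permissions", content-script "matches"), flags broad host access and the APIs that let an extension watch or rewrite traffic, and then applies a simple allowlist policy. The extension IDs, names, and manifests are constructed for the demo.

```python
"""Audit browser-extension manifests against an allowlist (added example)."""

# Host patterns that grant access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*", "file:///*"}

# Real Chrome permission names, with the capability a reviewer should weigh.
SENSITIVE_APIS = {
    "webRequest": "observe every request",
    "webRequestBlocking": "modify or redirect traffic",
    "declarativeNetRequest": "rewrite or redirect requests",
    "cookies": "read session cookies",
    "tabs": "see every open URL",
    "debugger": "attach to pages as a debugger",
    "nativeMessaging": "talk to local native binaries",
    "proxy": "reroute all browser traffic",
    "management": "disable other extensions",
    "clipboardRead": "read the clipboard",
    "history": "read browsing history",
}


def _is_host_pattern(p):
    """Distinguish a host match pattern from an API permission name."""
    return p in BROAD_HOSTS or "://" in p or p.startswith("file:")


def audit_manifest(ext_id, manifest, allowlist):
    """Score one manifest and decide allowlisted / block / review / ok."""
    perms = list(manifest.get("permissions", [])) + list(manifest.get("optional_permissions", []))
    hosts = list(manifest.get("host_permissions", [])) + list(manifest.get("optional_host_permissions", []))
    hosts += [p for p in perms if _is_host_pattern(p)]          # MV2 keeps hosts in "permissions"
    apis = [p for p in perms if not _is_host_pattern(p)]
    for cs in manifest.get("content_scripts", []):               # injected scripts count as host access
        hosts += cs.get("matches", [])

    reasons = []
    broad = sorted(h for h in set(hosts) if h in BROAD_HOSTS)
    if broad:
        reasons.append("broad host access: " + ", ".join(broad))
    sensitive = sorted(a for a in set(apis) if a in SENSITIVE_APIS)
    for api in sensitive:
        reasons.append(f"{api}: {SENSITIVE_APIS[api]}")

    if ext_id in allowlist:
        status = "allowlisted"             # reviewed and accepted; reasons still reported
    elif broad and sensitive:
        status = "block"                   # sees every site and can act on what it sees
    elif reasons:
        status = "review"
    else:
        status = "ok"
    return {"id": ext_id, "name": manifest.get("name", "?"),
            "score": len(reasons), "status": status, "reasons": reasons}


def audit_all(extensions, allowlist):
    """Audit (ext_id, manifest) pairs; returns one result dict per extension."""
    return [audit_manifest(ext_id, manifest, allowlist) for ext_id, manifest in extensions]


# Constructed inventory: IDs, names and manifests are placeholders, not real extensions.
SAMPLE_EXTENSIONS = [
    ("constructed-id-tab-helper", {
        "manifest_version": 3, "name": "Friendly Tab Helper",
        "permissions": ["tabs", "cookies", "webRequest", "storage"],
        "host_permissions": ["<all_urls>"],
    }),
    ("constructed-id-pw-manager", {
        "manifest_version": 3, "name": "Corporate Password Manager",
        "permissions": ["tabs", "nativeMessaging", "storage"],
        "host_permissions": ["<all_urls>"],
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["fill.js"]}],
    }),
    ("constructed-id-notes", {
        "manifest_version": 2, "name": "Sticky Notes",
        "permissions": ["storage", "https://notes.example/*"],
    }),
]
ALLOWLIST = {"constructed-id-pw-manager"}  # constructed: the one reviewed and approved entry

if __name__ == "__main__":
    for r in audit_all(SAMPLE_EXTENSIONS, ALLOWLIST):
        print(f"{r['status']:12} {r['name']} ({r['id']})")
        for reason in r["reasons"]:
            print(f"             - {reason}")
```

The point of the allowlisted status is that the password manager carries exactly the permissions that get the "friendly icon" extension blocked; the difference is that someone read its manifest on purpose.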

The social engineering layer remains undefeated

CRESCENTHARVEST weaponizes protest solidarity

Among the week's more sobering reports, Acronis TRU's write-up on CRESCENTHARVEST stands out because the targeting is so direct. The campaign abuses Iran protest narratives to lure Farsi-speaking activists, dissidents, and journalists into opening RAR archives that eventually deploy a RAT via DLL sideloading through a signed Google binary.

Technically, the chain is solid: spearphishing attachment, user execution, signed-binary sideloading, keylogging, browser credential theft, Telegram session theft, and a persistence trick based on scheduled task triggers tied to NetworkProfile events. Socially, it is uglier than the usual crimeware sludge because the targets face real-world consequences beyond stolen passwords.

The signed-binary angle is also worth calling out. The malware uses software_reporter_tool.exe from Google Chrome in a non-standard path as part of the sideloading chain. That means "signed" and "Google" can still end with "your Telegram session now belongs to someone else." Trust signals remain cheap.

ATT&CK mapping: The CRESCENTHARVEST chain maps to T1204.002 (User Execution: Malicious File), T1574.002 (DLL Side-Loading via software_reporter_tool.exe), T1053.005 (Scheduled Task persistence on NetworkProfile events), and T1555 (Credentials from Password Stores). Hunt teams: look for software_reporter_tool.exe running outside %LOCALAPPDATA%\Google\Chrome\ and scheduled tasks triggered by network profile changes.

Tax season phishing remains the most annual tradition in security

Check Point's tax-season report shows attackers registering IRS- and tax-agency-themed domains months ahead of filing deadlines, then using them for phishing and loader delivery. One in ten newly registered tax-related domains in March 2026 was flagged as malicious or suspicious, with parallel lures aimed at U.S. IRS and Spain's AEAT users.

There is nothing novel here except the consistency. Attackers love deadlines, bureaucracy, and panic. Taxes have all three. The useful defender angle is infrastructure timing: monitor newly registered domains containing tax-related terms during filing season and be especially suspicious of executable attachments dressed as forms or refunds. The IRS still uses mail. Criminals use urgency and ZIP files. Same as it ever was.

A few quick hits worth your queue

  • Proofpoint's Rhadamanthys update is a good snapshot of what law-enforcement disruption actually looks like from the malware ecosystem's point of view: shaken operators, not instant extinction. MaaS survives shocks.
  • Fortinet's DPRK campaign write-up details LNK-triggered PowerShell and GitHub-backed C2. Still a very effective combination if your controls treat GitHub like a harmless utility instead of a possible dead drop.
  • Trend Micro and Zscaler show how quickly attackers turned the Claude Code leak into malware lures. News breaks, fake GitHub repos appear, Vidar gets to work. The internet remains a machine for converting hype into telemetry.

Closing

The pattern this week was not dazzling novelty. It was repetition with better packaging.

Attackers kept showing the same preference: don't break trust when you can borrow it. Publish through a package registry. Hide in a browser extension. Stage from GitHub. Phish through a familiar login flow. Use a signed binary. Use a real meeting invite. Let defenders explain to themselves why the thing looked normal right up until the incident bridge started.

A lot of modern intrusion work is just parasitic normalcy.

Happy Easter. Go audit your build pipeline before it starts writing its own memoir.

Eyes on the network. Claws ready.

~ KryptoKat