EvilBit Threat Digest - Features, Until They're Evidence

Operational trust abused at machine speed: Axios, prt-scan, EvilTokens, Storm-1175, PolyShell, ComfyUI. Features, until they're evidence.

The through-line this week is not subtle. It arrived wielding a crowbar.

The common thread across the past few days is not simply "supply chain" or "ransomware." It is operational trust getting abused at machine speed: npm maintainers, GitHub Actions workflows, OAuth device code prompts, exposed AI tooling, and long-forgotten edge software all doing the attacker's paperwork for them. Meanwhile, old-school malware hasn't gone anywhere; it just brought a bigger bag and a quieter pair of shoes.

Supply chain, now with more automation

UPDATE: Axios turns from incident to case study

We touched the Axios compromise in the last issue when the story was still forming. Now the fog has lifted, and the interesting part is no longer just that a massively popular package got backdoored. It is how cleanly the attack bridged developer trust into cross-platform hands-on-keyboard access.

Follow-up analysis shows the two trojaned releases, axios@1.14.1 and axios@0.30.4, pulled in a fake dependency, plain-crypto-js@4.2.1, whose postinstall hook fetched a RAT for Windows, macOS, and Linux (Microsoft). Microsoft Threat Intelligence attributes the campaign to Sapphire Sleet, while Google tracks the same North Korean-nexus activity as UNC1069 (Google Cloud). The implant itself is being tracked as WAVESHAPER.V2, an updated C++ family previously used by the same cluster against cryptocurrency targets.

The mechanism matters. This was not "package does suspicious npm things" in the abstract. The malicious dependency used install-time execution as the initial trampoline, then dropped platform-specific payloads: PowerShell and a renamed wt.exe path on Windows, a Mach-O implant on macOS, and a Python-based loader on Linux, all beaconing back on a short loop to attacker infrastructure. That is a dev ecosystem problem with endpoint consequences, not just a registry hygiene story.

The live window was roughly three hours before npm removed both packages (Microsoft). Three hours on a package with 100 million weekly downloads is not a narrow miss; it is a sampling interval.

The takeaway is blunt but necessary: if a build host, CI runner, or workstation ran npm install during the malicious publication window, treat it like a compromised endpoint, not a "maybe" event. Rotate secrets. Audit lockfiles. Check for plain-crypto-js. Assume your CI runner had a visitor. For anyone running a formal vulnerability management program, this is also the week to remind ISSOs that "out of scope because it's developer tooling" is not a finding type; build hosts are production when they touch the code that ships.
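The lockfile check recommended above, as an added example that is not from any vendor write-up: it walks a parsed package-lock.json (both the nested v1 layout and the flat v2/v3 layout) and reports the two axios versions and the fake dependency named in this issue. The sample lockfiles and function names are constructed for illustration.

```python
# Indicators taken from the text above.
BAD_VERSIONS = {"axios": {"1.14.1", "0.30.4"}}
BAD_NAMES = {"plain-crypto-js"}  # flagged at any version

def _is_hit(name, version):
    return name in BAD_NAMES or version in BAD_VERSIONS.get(name, set())

def _walk_v1(deps, trail=""):
    """lockfileVersion 1: nested 'dependencies' objects keyed by package name."""
    for name, meta in (deps or {}).items():
        here = f"{trail}/{name}" if trail else name
        yield here, name, meta.get("version", "")
        yield from _walk_v1(meta.get("dependencies"), here)

def audit_lockfile(lock):
    """Return sorted (location, name, version) hits from a parsed package-lock.json."""
    entries = []
    # lockfileVersion 2/3: flat 'packages' map keyed by install path.
    for path, meta in lock.get("packages", {}).items():
        if "node_modules/" not in path:
            continue  # root project ("") and workspace folders
        name = meta.get("name") or path.rsplit("node_modules/", 1)[1]
        entries.append((path, name, meta.get("version", "")))
    if not entries:
        entries = list(_walk_v1(lock.get("dependencies")))
    return sorted(e for e in entries if _is_hit(e[1], e[2]))

# Constructed sample lockfiles (not taken from a real project).
SAMPLE_V3 = {"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/axios": {"version": "1.14.1"},
    "node_modules/plain-crypto-js": {"version": "4.2.1"},
    "node_modules/left-pad": {"version": "1.3.0"}}}
SAMPLE_V1 = {"lockfileVersion": 1, "dependencies": {
    "api-client": {"version": "2.0.0", "dependencies": {
        "axios": {"version": "0.30.4"}}}}}

if __name__ == "__main__":
    import json, sys
    locks = [json.load(open(p)) for p in sys.argv[1:]] or [SAMPLE_V3, SAMPLE_V1]
    for lock in locks:
        for hit in audit_lockfile(lock):
            print("HIT", *hit)
```

A lockfile records what is pinned now, so run this against the lockfile revisions and CI caches from the publication window as well as the current tree.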

Also worth noting: recent coverage has shifted the defender angle from "what happened" to "what survived initial cleanup." That is the right focus now. The poisoned releases were short-lived. The credential and token fallout may not be.

New: prt-scan industrializes the malicious pull request

If Axios was a maintainer account takeover, the write-up on prt-scan is the other side of the same rotten coin: no registry compromise required, just a lot of malicious pull requests and one common GitHub Actions footgun.

According to Wiz Research, a single actor cluster used six GitHub identities over six waves starting March 11, 2026, collectively pushing more than 500 pull requests designed to exploit repositories using the pull_request_target workflow trigger. That trigger runs in the context of the target repo, which is convenient for maintainers and extremely convenient for thieves when secrets are in scope. The campaign did manage to steal real AWS, Cloudflare, and npm credentials, and from there the actor compromised at least two npm packages across dozens of versions, including the @fairwords family (SafeDep).

What makes this one notable is the tempo and the tailoring. Later-wave payloads were designed to adapt to the victim repo's language and build patterns. Not genius, just efficient. Think less Skynet, more a very determined temp with infinite coffee and no ethics. The payloads also used distinctive workflow log markers and branch-naming conventions (prt-scan-<hex>) that defenders can actually hunt for, which is refreshing in a landscape where half the advice is still "be more vigilant" and other ornamental nonsense.

The defensive lesson here is unglamorous: pull_request_target is not evil, but using it casually is. If external PRs can reach secrets, your repo is one "helpful CI fix" away from becoming someone else's credential broker. Restrict the trigger to approved contributors, gate first-time contributors, and scope workflow secrets narrowly.
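A repository-side audit for the pattern described above, as an added example rather than code from Wiz or GitHub: it flags workflow files that use pull_request_target, check out the pull request's own code, and reference secrets, and it matches branch names against the prt-scan-<hex> convention. The workflow samples are constructed, and the hex length and case in the branch pattern are assumptions.

```python
import re

# Untrusted PR code enters the job when the workflow checks out the PR head.
PR_HEAD = re.compile(r"github\.event\.pull_request\.head\.(?:sha|ref)|refs/pull/")
SECRET = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)")
# Branch convention reported for the campaign; hex length and case are assumptions.
PRT_BRANCH = re.compile(r"^prt-scan-[0-9a-fA-F]+$")

def audit_workflow(text):
    """Return findings for one workflow file, or None if it never uses the trigger."""
    body = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    if not re.search(r"\bpull_request_target\b", body):
        return None
    runs_pr_code = bool(PR_HEAD.search(body))
    secrets = sorted(set(SECRET.findall(body)))
    return {"runs_pr_code": runs_pr_code,
            "secrets_in_scope": secrets,
            "external_pr_can_reach_secrets": runs_pr_code and bool(secrets)}

def prt_scan_branches(branch_names):
    """Filter branch names (for example from PR head refs) matching the campaign pattern."""
    return [b for b in branch_names if PRT_BRANCH.match(b)]

# Constructed workflow samples.
RISKY = """\
on: pull_request_target
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""
LABEL_ONLY = """\
on: pull_request_target
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/labeler@v5
"""
```

Text matching is a triage pass: a workflow that only labels or comments shows runs_pr_code as false, while any hit on external_pr_can_reach_secrets deserves a manual read of the job.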

Identity attacks keep skipping around MFA

The latest reports on device code phishing show the trick is no longer novel, just getting better packaging. The attacker does not need your password if they can convince you to complete a legitimate OAuth device authorization flow on their behalf. The EvilTokens kit, sold phishing-as-a-service on Telegram since mid-February, automates the lure generation, rotates infrastructure across cloud platforms, and dynamically generates device codes so the old "wait them out for 15 minutes" safety margin gets a lot thinner in practice. Microsoft reports the associated campaigns have hit more than 340 organizations across the US, Canada, Australia, New Zealand, and Germany, with hundreds of new compromises per day (Sekoia).

Once in, the operators moved like adults with a checklist: Graph API reconnaissance, email collection with a bias toward finance and leadership targets, malicious inbox rules, and in some cases device registration activity to establish more durable access. The old comfort blanket of "but we have MFA" continues to have the tensile strength of wet cardboard when the flow itself is being abused.

If you do not need device code authentication, block it via Conditional Access. If you do need it, scope it tightly and hunt the sign-in patterns, especially the weird sequence around pending auth and subsequent success. This is one of those rare cases where the vendor guidance is not hand-wavy. Take the gift.

Internet-facing software remains a buffet

Medusa's access brokers are not subtle, merely busy

Microsoft's analysis of Storm-1175, the China-linked Medusa ransomware affiliate, is really a report on attacker throughput. The group is hitting exposed enterprise software across a broad spread of products: Microsoft Exchange, PaperCut NG/MF, Ivanti Connect Secure and Policy Secure, ConnectWise ScreenConnect, JetBrains TeamCity, BeyondTrust, SimpleHelp, CrushFTP, GoAnywhere MFT, and SmarterMail, with CVEs ranging from 2023 through 2025. In one case, Storm-1175 weaponized CVE-2025-31324 in SAP NetWeaver roughly a day after disclosure, which is about as much patching runway as your change board gives you on a good week.

That product list is the story. This is not an actor married to one exploit chain or one vendor ecosystem. It is a shopping cart. Whatever gets them inside a public-facing admin or support plane with the least fuss wins. Once access is in hand, the rest looks familiar: credential theft via legitimate RMM tooling (Atera, Level, MeshAgent, AnyDesk, ScreenConnect, SimpleHelp), lateral movement via PDQ Deployer, persistence, exfiltration, then encryption.

The practical takeaway is broader than patching this week's hottest bug. If you run internet-facing support portals, MFT appliances, or "temporary" external management access that became permanent in 2022 because everyone was tired, you are in the target class. Storm-1175 is basically an argument against wishful asset inventory; if your ASM tooling cannot see your own external admin planes, the adversary's scanners will find them first and introduce you. ISSOs reviewing POA&Ms this quarter: the unsanctioned-but-tolerated management surface is the finding, not the exception.

UPDATE: PolyShell goes from critical flaw to assembly-line compromise

We covered PolyShell as an emerging mess. It is now a production mess.

Sansec reports attackers have hit hundreds of Magento and Adobe Commerce stores in short windows using an unauthenticated REST API file-upload flaw that Adobe addressed in bulletin APSB25-94, fixed in the 2.4.9 pre-release branch. The nasty detail: no isolated patch exists for current production versions at the time of publication, which turns this from a patch decision into a compensating-controls decision whether you wanted one or not (Searchlight Cyber). Mass exploitation has been running since mid-March.

The polyglot file upload angle is where the name comes from: attacker-controlled files pass as benign media (valid GIF or PNG headers) while retaining executable server-side behavior, leading to webshell placement and skimmer injection against storefronts. That makes this less "edge-case upload bug" and more "payment card theft starter kit."

The immediate move is compensating control territory: block execution in the exposed media paths, clamp down on upload routes at the web server or WAF, and inspect for known skimmer and backdoor artifacts. Not glamorous. Still better than explaining to Legal why your checkout page started freelancing. For PCI-scoped environments, "we were waiting for Adobe to ship an isolated patch" is not going to survive a QSA's attention.
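One way to run the artifact inspection described above, as an added example and not Sansec's or Adobe's tooling: it walks a media directory and reports files that carry a valid GIF or PNG signature yet contain a PHP open tag or an executable extension. Treating `<?php` as the server-side marker and the extension list are assumptions; the byte strings are constructed samples.

```python
import re
from pathlib import Path

IMAGE_MAGIC = {b"GIF87a": "gif", b"GIF89a": "gif", b"\x89PNG\r\n\x1a\n": "png"}
PHP_TAG = re.compile(rb"<\?php", re.I)           # assumption: PHP is the executable side
EXEC_SUFFIXES = {".php", ".phtml", ".phar"}      # assumption: extensions the server may run

def classify(data, filename=""):
    """None if the bytes are not GIF/PNG; otherwise a list of reasons (empty = clean)."""
    if not any(data.startswith(magic) for magic in IMAGE_MAGIC):
        return None
    reasons = []
    if PHP_TAG.search(data):
        reasons.append("php-open-tag")
    if Path(filename).suffix.lower() in EXEC_SUFFIXES:
        reasons.append("executable-extension")
    return reasons

def scan_tree(root):
    """Map relative path -> reasons for every suspicious image-signed file under root."""
    hits = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            reasons = classify(path.read_bytes(), path.name)
            if reasons:
                hits[path.relative_to(root).as_posix()] = reasons
    return hits

# Constructed samples: an image header followed by an inert marker, and a clean header.
POLYGLOT_GIF = b"GIF89a" + b"\x00" * 16 + b"<?php /* constructed marker */ ?>"
CLEAN_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32

if __name__ == "__main__":
    import sys
    for rel, why in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(rel, ",".join(why))
```

A hit is a lead for review, not proof of compromise, and a clean scan does not replace blocking execution in the media paths.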

ComfyUI's plugin model meets old-fashioned resource hijacking

And while the enterprise admin planes were getting plundered, the newer weirder corner of the exposure map was busy too. Censys ARC says attackers are scanning cloud IP space for internet-facing ComfyUI instances and using malicious custom nodes to pull those systems into a botnet. The interesting part is not just the mining. Compromised hosts are reportedly doing double duty: mining Monero and Conflux while also serving as Hysteria v2 proxy exit nodes for a separate proxy network. The Hacker News notes the campaign has already targeted more than 1,000 exposed instances.

That dual-use design is what makes this worth a second look. Cryptominers are usually noisy, crude tenants. Proxy nodes are quieter and often more useful to an operator over time. Put both on a cloud GPU box and you get immediate monetization from spare cycles, plus network infrastructure for whatever comes next. It is less smash and grab, more convert the vacant condo into an Airbnb and a server closet.

The attack path leans on ComfyUI's extensibility rather than a named CVE. Specifically, the campaign abuses custom nodes, including installation paths tied to ComfyUI-Manager, to achieve persistent remote code execution on exposed systems. That matters because defenders tend to think in patch language: fixed version, vulnerable version, move on. Here, the plain-English takeaway is simpler and less comforting: if your ComfyUI instance is exposed and lets an attacker influence node installation or management, they may not need a memory corruption bug at all. The feature is close enough to the exploit.

Operationally, the indicators here are refreshingly concrete. Censys linked the campaign to outbound mining traffic involving Kryptex infrastructure and identified a web-based C2 dashboard at 77.110.96.200 (a Flask app on port 3301 with default creds admin/pickmezr), hosted on Aeza Group infrastructure. If you run GPU-backed cloud systems, especially ones assembled quickly for inference or image workflows, the hunting questions are straightforward: why is this host reaching mining pool domains, why is it making unusual outbound connections on 3333 or 4444, and what exactly got installed through custom node workflows? In environments where GPU spend already causes low-grade heart palpitations, hidden mining is less an intrusion symptom than a budget crime scene.

From a blue-team angle, this is a reminder that AI tooling is rapidly inheriting all the same trust problems that plagued browser extensions, CI plugins, package registries, and WordPress themes. A custom node ecosystem is convenient right up until it becomes an execution and persistence mechanism with a friendlier user interface. There is no patch to save you from publishing an administrative surface to the whole planet. The practical fixes are the boring ones because the boring ones work: do not expose ComfyUI directly, require authentication, audit installed custom nodes, and watch for outbound connections to known mining and C2 infrastructure. Also: if your asset inventory does not know about the shadow GPU box your data science team spun up last quarter, congratulations, you are running a proxy service.

Malware still doing malware things

Phorpiex is old, filthy, and still economically useful

Recent research from Bitsight on Phorpiex, now wrapped in "Twizt" branding, serves as a reminder that persistence in crime often beats novelty in research decks. The botnet is still large (roughly 125,000 daily infections, with about 70,000 participating in the P2P component), still Windows-focused, and still versatile: ransomware delivery, sextortion spam, crypto clipboard hijacking, and brute-force propagation all packed into one unpleasant bundle. Recent loader activity has delivered LockBit Black and a Global-family ransomware variant aimed at devices in China.

The interesting bit is less the individual features than the resilience model. Phorpiex now runs a hybrid architecture: traditional HTTP polling on top of a custom P2P protocol over TCP and UDP, with commands authenticated via a 256-byte RSA-encrypted header. That means takedowns are harder and command integrity is easier for the operator to maintain. Crimeware loves durable.

Routers as residential proxies: the internet's least glamorous side hustle

The FBI's March 12 FLASH warned that AVrecon-infected routers have been sold as residential proxy infrastructure for the SocksEscort operation since around 2020, across roughly 369,000 devices spanning 1,200-odd models from Cisco, D-Link, Hikvision, MikroTik, Netgear, TP-Link, and Zyxel. The FLASH dropped alongside a coordinated takedown of SocksEscort itself by the FBI, Europol, France's OFAC, the Dutch National Police, Austria's BK, DCIS, and IRS (SecurityWeek). Which is good news, except that hundreds of thousands of infected edge devices do not uninstall themselves just because the marketplace went down. The tenant left. The rot stayed.

For defenders, this is the usual ugly homework. Patch router firmware where the vendor still remembers your product exists, lock down remote management, and treat odd outbound traffic from branch and home-office edge devices as worth a second look. Consumer and SMB routers continue to be the crawlspace of the internet: ignored until something starts scratching.

The budget note nobody wanted but everyone recognized

Not every meaningful security story comes with shellcode.

The 2026 RH-ISAC CISO Benchmark suggests CISOs are being pushed to absorb AI demands inside budgets that are flat or only slowly moving upward, with roughly a third of organizations expecting no budget growth at all and the rest settling for 1% to 10%. That matters because all the stories above imply more work, not less: more CI/CD review, more identity hardening, more internet-facing asset discipline, more secret rotation, more pipeline controls, and, if you are in a regulated environment, more artifacts to produce for the auditor who wants to know how your ASM covers the GPU box nobody admitted to spinning up.

In plainer English, security strategy for the near term appears to be: "Please add another major risk domain without adding headcount, time, or money." A classic management move. Very vintage.

Closing

If this edition feels crowded with trust failures, that is because the attackers have noticed something defenders already knew and procurement teams keep forgetting: the easiest path into a network is often the thing we deliberately made convenient.

Package install hooks. CI workflows. OAuth prompts. Remote admin panels. Update channels. Plugin ecosystems. All of them are features right up until they are evidence.

Keep your logs, your lockfiles, and your sense of humor.

Eyes on the network. Claws at the ready.

~KryptoKat