EvilBit Threat Digest - EvilBit Threat Digest: Copy, Paste, Regret
Developers lured through Slack, macOS users tricked into pasting malware, AI prompt injection in government, and NHS domains hijacked.
Trust keeps showing up to work wearing its best "I belong here" face, and this week the disguise held long enough to cause real damage.
Developers are being lured through Slack by fake community leaders. macOS users are still being talked into pasting terminal commands like it is a chain letter from 1997. Governments are bolting GenAI into daily workflows before they have sorted out what happens when the model obediently treats attacker text as gospel. And somewhere in Scotland, legacy healthcare domains briefly turned into a very shabby pirate TV service.
Different targets, same old sin: systems keep assuming that familiar equals safe. It does not. It never did. It just wears better clothes.
Developer trust is under active assault
Update: TeamPCP fallout now comes with an infrastructure map
We already covered the LiteLLM supply-chain compromise when the poisoned PyPI releases 1.82.7 and 1.82.8 surfaced. The update now is less about whether the package was malicious and more about the blast radius around it. Hunt.io mapped more than 33,000 exposed LiteLLM deployments and tied exfiltration and C2 infrastructure back to the broader TeamPCP operation, adding much-needed operational context to the earlier GitHub security advisory from the project itself. The malicious package executed on install or startup, harvested local credentials, cloud secrets, and Kubernetes material, then attempted persistence through artifacts like litellm_init.pth, ~/.config/sysmon/sysmon.py, and a user-level systemd service. In Kubernetes, it even looked for ways to expand via privileged pods in kube-system, which is exactly the sort of sentence that ruins a platform engineer's afternoon. 33K Exposed LiteLLM Deployments and the C2 Servers Behind TeamPCP's Supply Chain Attack Security: CRITICAL: Malicious litellm_init.pth in litellm 1.82.8, credential stealer
The practical takeaway has sharpened since the first reporting: if those versions touched a CI runner, dev workstation, or cluster-connected host, treat the machine as compromised, not "possibly affected." Rotate reachable secrets, inspect for the Python .pth persistence trick, review outbound connections to listed infrastructure, and check clusters for suspicious privileged pod creation. This is not just a bad package. It is a reminder that AI-adjacent tooling now sits close enough to cloud credentials and container control planes to make every dependency mistake count double.
Open source communities are now part of the pretext kit
OpenSSF issued a high-severity warning after attackers impersonated a Linux Foundation leader inside Slack to target open source developers. The chain is ugly because it is patient. First comes identity spoofing in a trusted workspace. Then a phishing hop through Google Sites. Then credential capture. Then a prompt to install a malicious root certificate. Then platform-specific payload delivery, including a macOS binary named gapi served from 2.26.97.61. That progression tells you this was never just a phish. It was a trust-conversion exercise: take community legitimacy, turn it into browser trust, and then into code execution. Attackers Are Impersonating a Linux Foundation Leader in Slack to Target Open Source Developers
Blue teams protecting engineering orgs should pay special attention to the root certificate step. Credential theft is noisy but familiar. Convincing a developer to install a new trust anchor is a different level of trouble, because it opens the door to TLS interception, tampered downloads, and cleaner follow-on theft. Developer chat platforms are now part of the attack surface in the same way package registries and extension markets are. Same movie, new set.
npm's worm problem is not subtle, just effective
SafeDep flagged malicious @fairwords npm packages being used as a credential-harvesting worm. The notable part is not elegance; it is propagation. The packages were built to steal credentials and support lateral movement, with C2 traffic tied to an Internet Computer canister domain and supporting infrastructure on exposed IP space. That makes this less like a one-off implant and more like dependency abuse designed to keep replicating anywhere credentials can open the next door. SafeDep Threat Report
DevSecOps teams should read this as another argument for hash pinning, SBOM-backed policy gates, and aggressive package provenance checks. "We only install from npm" is not a control. It is a confession.
The terminal remains the most emotionally vulnerable application on your Mac
Update: MacSync has evolved from fake installers into a broader campaign problem
We have covered MacSync before as part of the broader macOS infostealer boom. The update this week is campaign scale and operational maturity. MacSync Stealer continues to leverage ClickFix-style fake CAPTCHA pages and malicious terminal copy-paste instructions to reach new victims. The malware steals browser credentials, Keychain data, SSH keys, cloud credentials, wallet material, and, in one especially mean flourish, can trojanize Ledger wallet apps to capture seed phrases. ClickFix Campaigns Spread MacSync macOS Infostealer via Fake AI Tool Installers Evil evolution: ClickFix and macOS infostealers
The angle has changed too. Earlier MacSync reporting focused on notarization, code-signing abuse, and malware maturity. This wave is more revealing about user-interface tradecraft. ClickFix works because it hijacks a user's sense of procedural normalcy. Fake CAPTCHA, fake verification step, paste this into Terminal, problem solved. It is the social-engineering equivalent of putting a laminated badge on a raccoon.
Defenders on macOS need to stop treating Terminal abuse as a niche edge case. Alert on browser-to-Terminal handoffs, osascript launched from browser contexts, suspicious curl | sh style chains, and child processes spawned by Terminal or osascript that do not fit developer baselines. For policy teams, the simple version is still the correct one: no employee should ever paste shell commands from a website to "prove they are human." Humans, perhaps. Security controls, no.
ClipBanker shows how long an infection chain can be when nobody interrupts it
Kaspersky's new write-up on ClipBanker starts with a trojanized Proxifier installer on GitHub and ends with crypto wallet theft, but the middle is where the interesting work happens. The campaign leans hard on fileless execution: PowerShell spun up through PSObject, shellcode injection into fontdrvhost.exe, script material stashed in the registry, scheduled tasks for continuity, and Microsoft Defender exclusions for .TMP files to make the rest of the chain less visible. The final payload monitors the clipboard for more than two dozen wallet address formats and swaps in attacker-controlled values at the moment of transfer. It is banal, profitable crime, but implemented with the patience of someone who knows defenders often only catch the last stage. The long road to your crypto: ClipBanker and its marathon infection chain
That "marathon infection chain" framing is the right one. Plenty of detections key off the wallet swapper at the end. Fewer organizations are looking for the earlier signs: new Defender exclusions for throwaway extensions, registry blobs holding Base64 payloads, or scheduled tasks launching encoded PowerShell under the cover of an installer. The old lesson still applies: if the payload looks simple, the intrusion probably was not.
AI adoption is outrunning AI security
CIS is out with a timely warning on prompt injection as GenAI use becomes routine across state and territorial governments. Separately, NASCIO survey data puts the number at 82% of state CIOs saying generative AI is already in use in some form. That would be mildly comforting if large language models could reliably distinguish instructions from content. They cannot. So an email, document, webpage, or knowledge-base entry can smuggle attacker instructions into an assistant or agent workflow and trigger data leakage, poisoning, or unauthorized actions. Prompt Injections: The Inherent Threat to Generative AI Prompt injection tags along as GenAI enters daily government use The Machines Move Up: How Artificial Intelligence Dethroned Cybersecurity as the Obsession of Every State CIO
What makes this worth your time, despite the lack of a neat CVE, is the attack geometry. Prompt injection is not just "phishing for chatbots." In agentic setups, it starts to look a lot like living off the land for AI systems: poison the retrieval source, wait for the model to ingest it, and let the assistant use its own permissions against the environment. The same convenience that makes AI tools attractive in government (search across internal data, draft responses, summarize records, trigger actions) also turns them into strange little privilege brokers.
The defensive advice here is refreshingly unglamorous and therefore useful: least privilege for AI systems, hard separation between retrieval and privileged actions, content filtering and sanitization, human approval before sensitive actions or code execution, and log review for "that was odd" behavior rather than only classic IOC matching. We have spent years teaching users not to trust attachments. Now we get to teach organizations not to trust paragraphs.
Public-sector hygiene: still not optional
NHS Scotland confirmed that legacy scot.nhs.uk domains for several GP practices were hijacked and used to serve adult content and illegal sports streams. Nobody wants to explain to leadership why a trusted healthcare namespace briefly resembled the world's saddest IPTV reseller, but here we are. DNS still pointed correctly to WP Engine, which suggests either a WordPress-side compromise or theft of administrative access rather than a random subdomain typo drifting in the wind. No evidence of patient data exposure has surfaced so far. NHS Scotland-linked domains push pr0n and illegal streams
This is not the most severe incident of the week, but it is one of the more instructive. Brand trust and namespace trust are operational assets. When legacy sites linger under a major public-sector domain, they can become staging ground for fraud, SEO poisoning, malware delivery, or just public embarrassment with a side of incident response. "It was only a forgotten site" is how these stories start, not how they end. Inventory the namespace, prune what nobody owns, harden registrar and DNS access, and keep old WordPress installs on a very short leash.
Meanwhile, far from the patch dashboard
Lookout and Access Now published a joint report detailing a BITTER-linked hack-for-hire campaign targeting journalists and civil society across the MENA region since at least 2022. SMEX published a parallel investigation into related activity in Lebanon. The operation uses fake social media personas, messaging app outreach, credential phishing, and ProSpy/ToSpy Android spyware to collect data from high-risk targets in Egypt, Lebanon, Bahrain, the UAE, Saudi Arabia, and beyond. Beyond BITTER: MENA Civil Society Targeted in Hack-For-Hire Operation Linked to BITTER APT Rotten Apple: An Invasive Threat Actor Targeting Civil Society in Lebanon Hack-for-hire spyware campaign targets journalists in Middle East, North Africa
The important point is not merely attribution. It is market structure. The old wall between state espionage and commercial intrusion crews keeps looking more like drywall. If you protect media, NGOs, dissidents, or international field teams, assume the attacker across the table may have both patience and a customer.
Closing
This edition had no shortage of technical detail, but the through-line was almost boring in its consistency: chat messages, package installs, terminal prompts, trusted domains, helpful assistants. The attack chains are getting fancier. The opening move is still usually "please believe me."
Which, if you think about it, is the most human bug in the stack.
Eyes on the network. Claws ready.