EvilBit Threat Digest - Patch Tuesday leftovers and supply-chain hangovers

Patch volume was up this week. The louder stories came from attackers abusing trust at the edges of developer workflows, AI tooling, and government portals.

Developer Tooling Under the Microscope

Socket.dev and The Hacker News detailed the short-lived but nasty compromise of the official Bitwarden CLI npm package. Version 2026.4.0 was backdoored for roughly 90 minutes via a malicious GitHub Action borrowed from the Checkmarx breach, with the payload tucked inside bw1.js. Strings inside referenced Dune ("Shai-Hulud: The Third Coming"), and the goals were predictable: GitHub tokens, AWS/Azure/GCP credentials, SSH keys, and anything else a CI/CD pipeline might have lying around. Bitwarden re-released the package as 2026.4.1, a clean rebuild of 2026.3.0.

Hunting note: Mend.io's analysis shows the worm doesn't stop at credential exfil. It writes rogue MCP servers into AI coding assistants like Claude Code, Cursor, and VS Code Continue, so a single bad install can poison a developer's AI helper for weeks. If MCP configs are landing on developer endpoints unmanaged, that's now a hunt surface, not a productivity feature.

If you touched 2026.4.0, rotate everything: GitHub tokens first, then cloud creds, then SSH. Yank the package, hunt for unexpected entries in shell profiles and ~/.npmrc, and review MCP server configs for entries you didn't put there.

The Bitwarden incident sits next to the ongoing Vercel/Context.ai compromise, where a Lumma Stealer infection on an employee machine led to environment-variable exposure and opportunistic API hammering by the attacker. No npm tampering there either, but the pattern is clear. Developer endpoints remain high-value real estate.

Sticking with AI tooling: Malwarebytes wrote up a researcher claim that Claude Desktop's macOS installer behaves like spyware (broad telemetry, persistent helpers, deep keychain access). Anthropic disputes the framing. Either way: AI desktop tools belong in the endpoint review queue with any other agent that phones home and writes to user space.

Kaspersky also found over 20 trojanized crypto wallet apps in the Apple App Store. These FakeWallet variants impersonate MetaMask, Coinbase, Ledger, and Trust Wallet, using stub apps plus enterprise provisioning profiles to install the real payload that grabs seed phrases. All pulled after disclosure. The lesson for anyone wrangling mobile fleets: official stores are not a safe harbor, and unmanaged enterprise profiles are the gate that lets the trojan in.

Linux Backdoors and AI-Augmented Intrusions

Symantec's Carbon Black team detailed Harvester APT's new GoGra backdoor. This one targets Linux systems in South Asia, masquerades as legitimate documents (filenames like report.pdf  with a trailing space and an ELF underneath), and uses Microsoft Graph API plus Outlook for C2. Persistence drops into ~/.config/systemd/user/ and XDG autostart entries pretending to be Conky.

Hunting note: Pair GoGra Graph-API C2 detections with whatever your tooling already does for Outlook abuse. Look for non-Outlook user-agent strings hitting graph.microsoft.com from Linux hosts, and ELF files with image or document extensions plus trailing whitespace.

The DFIR Report exposed Bissa Scanner, an AI-assisted mass exploitation campaign hammering CVE-2025-55182 (React2Shell) across millions of Next.js instances. Confirmed exploitation hit 900-plus victims, with tens of thousands of .env files harvested across finance, crypto, and retail targets. Operator artifacts showed Claude Code embedded in the exploitation pipeline for generation and refinement, with Telegram (@bissapwned_bot) used as both triage hub and C2. AI-provider keys were the single largest credential category recovered (Anthropic, Google, OpenAI, Mistral, OpenRouter, and others), which means a stolen key from one victim can quietly fund the next round of automated tooling.

Huntress followed up its earlier Codex story with Part 2: a Linux IR walkthrough showing how an attacker leaned on an OpenAI assistant to debug their post-exploitation kit in near-real-time. Worth a read if you're updating IR playbooks for AI-augmented adversaries. The same pattern applies whether the attacker's helper is Claude or GPT.

If you're still exposing Next.js apps without strict middleware protections, the Bissa operators have already noticed. Tenable has plugin coverage for CVE-2025-55182; make sure your scan policies cover React Server Components endpoints, not just the marketing pages.

Ransomware Watch

detect.fyi published a deep dive on GLOBAL GROUP / BlackLock artifacts: the ransomware family's tooling chain, lateral movement habits, and forensic tells. The writeup gives SOC teams something concrete to convert into Sigma or KQL: PowerShell loader patterns, scheduled-task naming conventions, and a predictable Cobalt Strike-derived command structure. If GLOBAL GROUP isn't already in your hunt rotation, this is the issue to add it.

Hunting note: While you're at it, the SimpleHelp KEV entries in the patch section below have been ridden by DragonForce affiliates as a pre-ransomware foothold. Treat any unpatched SimpleHelp instance as a ransomware countdown, not a missed patch.

Phishing Keeps Getting Specific

Infosecurity Magazine flagged a surge in "silent subject" phishing aimed at VIPs (executives, finance, legal). Attackers use empty or hidden Subject lines to slip past keyword-based gateways, then rely on a believable display name and a single-link body. If your secure email gateway scores by subject keywords more heavily than by display-name anomalies, that's the gap.

Infoblox tracked an International Revenue Share Fraud (IRSF) campaign using fake CAPTCHAs as the lure. The CAPTCHA tricks users into pasting attacker-supplied PowerShell or shell commands (the now-familiar ClickFix pattern), and the dialer payloads then push calls to premium-rate numbers controlled by the operators. Two hunt angles: anomalous outbound clipboard-launched commands on user endpoints, and unusual SIP/RTP traffic to international ranges from softphones.

Government Data and Domain Deception

UK Biobank had a nasty third-party incident: de-identified genetic and health data from over half a million volunteers turned up for sale on an Alibaba-hosted listing. As The Register noted, the mechanism was less "hack" and more "researchers who legitimately accessed the data and then re-uploaded it abroad." No sales completed, access suspended, and Biobank is bolting the barn door with daily export monitoring and automated exfil prevention by year-end. Mostly policy pain, but a sharp reminder that academic partners are how research data leaves your control.

Across the Channel, the University of Warsaw confirmed a 200,000-file breach that ended up posted to the dark web in mid-April as an 850 GB dump. Initial detection was a routine scan in February; the access vector was credential theft via infostealer malware on a user device. Poland's CBZC and CERT Polska are running it. If your environment runs research collaborations with European universities, treat this as a reminder that a single infostealer infection on a partner can leak years of joint data.

Cyble and CRIL mapped Operation TrustTrap: over 16,800 spoofed government domains using subdomain trust injection to bypass traditional URL filters. Targets included US state sites and Indian, Vietnamese, and UK government portals. One cluster ties back to APT36 (Transparent Tribe). The technique is elegant: attackers register domains like mass.gov-bzyc[.]cc so root-domain checks sail right past, with hosting concentrated on Tencent and Alibaba Cloud APAC and roughly 70 percent of registrations through Gname.com. Update your email and proxy rules to respect the full eTLD+1, and add Gname-registered domains to a higher-scrutiny bucket.

Patch Season: Debian, Oracle, and KEV

Debian DSA-6229-1 fixes a pile of memory safety and use-after-free bugs in Thunderbird that could lead to arbitrary code execution (CVE-2026-6746 through CVE-2026-6786). DSA-6230-1 patches Chromium with three more execution and info-disclosure flaws. DSA-6226-1 closes a TOCTOU race in PackageKit (CVE-2026-41651) that lets local users install packages as root. All have updates available for bookworm and trixie; go apply them before someone does it for you.

Oracle's April CPU addressed 481 vulnerabilities across 28 product families. Communications Server took the worst of it with 139 flaws, 93 of them remotely exploitable without authentication. Qualys has QIDs ready if you're in that ecosystem. Most are third-party components, because of course they are.

CISA added four actively exploited flaws to the KEV catalog on 24 April: CVE-2024-7399 in Samsung MagicINFO, CVE-2024-57726 and CVE-2024-57728 in SimpleHelp, and CVE-2025-29635 in EoL D-Link DIR-823X routers. The D-Link flaw is seeing fresh Mirai variant activity ("tuxnokill") per Akamai SIRT. Federal agencies have until 8 May to remediate under BOD 22-01. If you're still running EoL D-Link gear in production, replace it yesterday. The vendor is not shipping a fix and the botnet operators know it.

Quick Hits

• NCSC updated Cyber Essentials to v3.3: cloud services are fully in scope, MFA is now a hard fail if offered, and critical/high patches must land within 14 days or you auto-fail. UK public-sector suppliers, take note.
• NCSC also told UK enterprises to offer passkeys by default, reversing years of "passwords are fine if you do them right" guidance. The two announcements pair well: passkeys for the human side, Cyber Essentials for the org side.
• The FTC reported $2.1 billion lost to social media scams in 2025, an eightfold jump since 2020. Investment fraud led the pack. Your users are still clicking.
• US authorities disrupted a major Southeast Asian pig-butchering network with $702 million in crypto restrained, 503 fake sites seized, and sanctions on 29 Cambodian entities. $10 million reward still on the table for the top guy. Separately, a money launderer tied to a $230M crypto heist drew 70 months. Slow progress, but progress.

Other Items I'm Tracking

Not enough on these yet to warrant a full section, but worth a look:

• ZDNet on the 77% of IT managers who say their AI agents are out of control, and what to do about it. Pairs with the Bitwarden MCP-poisoning angle above.
• Symantec walks through DLP plus Google's Agent Gateway for agentic AI. Vendor framing, but the architecture diagram is worth the click if you're scoping AI egress controls.
• CIO covers RAIDER, a detection-engineering and threat-hunting framework aiming to standardize how teams convert intel into detections.
• Microsoft is folding Anthropic's Claude Mythos (the controlled-access Project Glasswing model) into its Security Development Lifecycle for vulnerability discovery and mitigation. Worth watching: the same model that finds bugs at scale finds them for everyone, and Mythos was held back from general release for a reason.
• Outpost24 on defending critical infrastructure in a hyperconnected society and Huntress on what cybersecurity leaders must prioritize in 2026. Both lean strategic; useful for budget-conversation backup.
• Infoblox on pairing managed rules with AWS Network Firewall for phishing, C2, and exfil blocking. Vendor pitch, but the rule taxonomy is reusable.
• For weekly roundups, Malwarebytes' April 20-26 recap and AboutDFIR's 04/27 News Nuggets cover items I didn't get to.
• An alternative writeup of the Bitwarden incident is up at securityonline.info if you want a different framing.

Same gray-space pattern as the last few weeks. Attackers are comfortable wedging in between legitimate tools, third-party trust, AI assistants, and "good enough" opsec. Rotate what got exposed, patch what can be patched, and treat every npm install, every MCP server config, and every government subdomain like it might be the one that bites you.

The fundamentals haven't changed. The surface area just keeps growing.

Trust the thread. Trust the loom less.

~ UncleSp1d3r