EvilBit Threat Digest: Supply-Chain Mayhem and Insider Roulette

Two stories anchored my queue this week. A fresh wave of npm and PyPI compromises that says attackers are still feasting on the developer toolchain, and two former incident responders trading their IR badges for federal prison time. Most of the rest is noise. A few items earned their slot.

Inside Jobs Meet Ransomware-as-a-Service

Two former cybersecurity professionals, Ryan Goldberg (former Sygnia IR manager) and Kevin Martin (former DigitalMint ransomware negotiator), each drew four-year sentences for running as ALPHV/BlackCat affiliates. Between April and December 2023, they hit a Maryland pharma company, a Florida medical device maker, a California doctor's office, a California engineering firm, and a Virginia drone manufacturer. The gang took 20%. Goldberg, Martin, and accomplice Angelo Martino split the remaining 80% three ways. One victim coughed up roughly $1.2 million in Bitcoin, and patient data hit the leak sites. DOJ announcement, BleepingComputer coverage.

Insider knowledge of response playbooks is worth its weight in BTC. Both men used valid accounts, lateral movement via cloud services, and standard encryption-for-impact TTPs (T1486). If your IR retainer or in-house response team includes staff with negotiator or DFIR-lead access to victim environments, this is the week to revisit background checks and SoD on the privileged accounts they touch during engagements.

ShinyHunters Back in Form with AI Vishing

ShinyHunters reportedly used AI-generated voice calls to compromise an Okta SSO account at ADT (and ran similar tradecraft against Medtronic), then pivoted into Salesforce Experience Cloud. ADT confirmed 5.5 million records exposed. ShinyHunters claimed another 9 million from Medtronic before pulling that listing without vendor confirmation. ADT's confirmed data set is names, phone numbers, addresses, dates of birth, and SSN last-four for a small subset. No payment data. BleepingComputer on ADT, BleepingComputer on Medtronic.

The TTP chain maps cleanly: voice phishing (T1566.004), valid accounts (T1078), cloud service access (T1021.007), and exfil over C2 (T1041). Blue teams should be moving SSO to phishing-resistant MFA (FIDO2/WebAuthn), auditing Salesforce guest permissions on Aura/Experience Cloud endpoints, and hunting for bulk API exports tied to recently re-authenticated SSO sessions. Healthcare and home-security verticals get an extra dose of existential dread.

Multiple NPM/PyPI Incidents Keep the Dependency Fire Burning

Three more supply-chain hits in the same general shape:

• elementary-data (1.1 million monthly downloads) fell on April 25 via GitHub Actions script injection through a PR comment. Attackers exfiltrated the runner's GITHUB_TOKEN, committed a malicious elementary.pth file, and tagged it as v0.23.3. The auto-publish pipeline then signed and shipped it to PyPI and GHCR. The payload swept up cloud creds (AWS, GCP, Azure), SSH keys, Kubernetes configs, and crypto wallets. Upgrade past v0.23.3, rotate everything that touched a build runner, and stop letting untrusted PR-comment input flow into shell steps. Snyk analysis, The CyberSec Guru timeline.
• SAP-related packages (@cap-js/sqlite 2.2.2, @cap-js/postgres 2.2.2, @cap-js/db-service 2.10.1, mbt 1.2.48) and now intercom-client@7.0.4 (361,510 weekly downloads) were poisoned by the evolving "Mini Shai-Hulud" worm. A preinstall hook fetches a Bun runtime, then runs an obfuscated loader that steals creds and self-propagates by abusing the GitHub Actions OIDC tokens it just stole. Rotate, audit, --ignore-scripts, the usual drill. This campaign has been iterating for weeks and it is not done. StepSecurity on intercom-client, StepSecurity on SAP packages, Endor Labs corroborating analysis.
• The Trivy scanner itself was backdoored on March 19 when "TeamPCP" force-pushed 75 of 76 version tags in aquasecurity/trivy-action to malicious commits and shipped a poisoned v0.69.4 binary, GitHub Action, and Docker images during a roughly 12-hour window. If you ran affected Trivy versions or pinned trivy-action/setup-trivy to a tag rather than a commit SHA, assume your CI secrets are gone and start rotating. Safe versions: trivy v0.69.3 or earlier, trivy-action v0.35.0 (commit 57a97c7), setup-trivy v0.2.6 (commit 3fb12ec). Legit Security playbook, Microsoft hunting guidance.

Same takeaway as last month, and the month before that: pin by commit SHA, generate SBOMs without executing the package, and treat every preinstall hook as hostile until proven otherwise.

Quick Hits Worth Triaging

• PolinRider (DPRK/Lazarus nexus) has expanded to 1,951 GitHub repos across 1,047 owners, a 2.9x jump in five weeks. They're still poisoning .vscode/tasks.json, npm packages, fake .woff2 fonts, and "interview" project templates. The new variant uses marker Cot%3t=shtP; C2 has shifted to multiple Vercel subdomains. The OpenSourceMalware repo now ships a scanner. Block the listed Vercel domains and grep your repos for those strings. OpenSourceMalware deep dive.
• Instructure disclosed a cyber incident affecting Canvas and is still sorting out impact. Canvas Data 2 and Canvas Beta have been in maintenance, so anything wired to those APIs deserves a look. BleepingComputer report.
• Hister is an open-source local search engine that indexes every page you browse into a privacy-first knowledge base with MCP/RAG support. If your CTI team is tired of leaking queries to commercial LLMs, this is worth a look for offline TTP/IoC summarization, especially chained with tools like Cyberbro. Project post.
• International law enforcement bagged 276 suspects and dismantled nine pig-butchering crypto scam centers, and the Romanian leader of an online swatting ring picked up four years. Useful for awareness training, limited new tradecraft.

Other Items I'm Tracking

Things that didn't make the cut but are worth a tab:

• The CTO at NCSC week-ending-May-3rd roundup is the standard weekly meta-read.
• Microsoft's Q1 2026 email threat landscape for phishing baselines.
• Forescout on RDP and CPS targeting, and Krypt3ia's IRGC OT/IoT malware evolution write-up if you defend ICS or remote-access perimeters.
• Ransomware reading: Halcyon on Warlock and a Pay2Key resurgence, plus Rapid7 on Kyber's Windows + ESXi double-trouble playbook.
• Wired on SentinelLABS' Fast16 attribution, a Stuxnet precursor finally surfacing 20 years later. Worth reading slowly.
• For hosting-stack defenders, Censys on the cPanel exposure picture and the defend.network cPanel briefing.
• IAM hygiene reading: Include Security on the AWS Console / Terraform privilege gap.
• Awareness collateral: Cofense on the Meta verified-badge 2FA trap and Forcepoint on a fake DHL credential-theft campaign.
• Mac fleets: DShield on a malicious Homebrew ad pushing MacSync and LevelBlue on the MioLab macOS stealer empire.

Closing Reflection

The supply-chain stories keep landing on the same uncomfortable truth: the average developer machine is now a reusable launch platform. Rotate early, scan often, treat every dependency update like it might phone home. And the BlackCat insider case proves that even the people who write the incident reports can end up on the wrong side of one.

Watch the threads. The web tightens.

~ UncleSp1d3r