EvilBit Threat Digest - Apple Drops a May Patch Bomb, Supply Chains Take Another Hit

This week's flood of Apple security content is more volume than innovation. The company pushed fixes across iOS, iPadOS, macOS Sequoia/Sonoma/Tahoe, tvOS, visionOS, and watchOS that knock down kernel memory leaks, WebKit crashes, and the usual grab bag of permission bugs. Most are local DoS or info disclosure, but a few sandbox escapes and privilege escalations deserve immediate attention on managed fleets. Meanwhile, npm and PyPI absorbed another coordinated beating, and North Korean revenue ops keep using U.S. proxies to land remote IT gigs.

Apple's May 2026 Security Content Drops

Apple released updates addressing dozens of flaws, many carrying the same pattern: local apps or crafted web content leading to crashes, memory disclosure, or escalation. Standouts include:

• CVE-2026-28951 (kernel authorization flaw) lets a local app gain root via improper state management. Fixed in iOS/iPadOS 18.7.9/26.5 and macOS 15.7.7/14.8.7/26.5. (Apple iOS 26.5, Apple security releases)
• CVE-2026-28978 and CVE-2026-43652 (sandbox and permissions issues in macOS Sonoma/Sequoia/Tahoe) allow malicious apps to escape restrictions or access protected data. Both were patched in the latest point releases. (macOS Tahoe 26.5, macOS Sequoia 15.7.7)
• Multiple WebKit entries (CVE-2026-28946, CVE-2026-28953, CVE-2026-43660, others including CVE-2026-28958 and CVE-2026-28917) enable DoS or potential code execution via crafted web content. Apple says the issues were addressed with improved memory handling and bounds checks. No in-the-wild exploitation was reported.
• One worth singling out on macOS Tahoe: CVE-2026-28914, a ZIP handler Gatekeeper bypass. If your users routinely open archives from outside sources, treat this as the higher-tier signal in the batch. The companion CVE-2026-28910 (Tahoe app handler permissions) is in the same neighborhood.

Prioritization tip: Focus first on devices that run untrusted apps or handle external web content. Kernel and sandbox issues (CVE-2026-28925, CVE-2026-28972, CVE-2026-28897) matter more on enterprise fleets than the WebKit DoS noise. Tenable plugins for most landed in the May 10 Nessus update. Patch where you can; for air-gapped or legacy systems, lean on stricter app sandboxing and web content filtering until the boxes catch up.

Mini Shai-Hulud Returns: 170 npm Packages and PyPI Hits

The cluster behind recent npm compromises hit again, publishing 404 malicious versions across 170 npm packages and 2 PyPI packages. Big-name namespaces in the blast radius: @tanstack, @mistralai, @uipath, and @opensearch-project. The two PyPI hits were mistralai==2.4.6 and guardrails-ai==0.10.1. Payload is a multi-stage credential stealer that grabs AWS IAM creds and metadata, HashiCorp Vault tokens, GitHub tokens (ghp_*, gho_*, ghs_*), npm publish tokens, and GitHub Actions OIDC tokens. Once on a developer box, it drops a persistent daemon that polls GitHub every 60 seconds. Some versions ship a wiper that fires destructive commands the moment one of those stolen tokens gets revoked. (SafeDep analysis, Snyk, Wiz update)

The TanStack wave is the one to study. Rather than phishing maintainers or stealing publish credentials, the attackers chained three GitHub Actions bugs and pulled OIDC tokens straight from the runner's process memory. So the defender homework is annoying: revert affected lockfiles, rotate every CI credential that could have been minted from an OIDC token during the compromise window, and audit .vscode and .claude directories for poisoned tasks.json entries. SafeDep also has a writeup on a related DeFi-focused RAT in noon-contracts if you're tracking the broader cluster, and SecurityWeek covers build-time application firewalls aimed at exactly this failure mode.

Living off the land in the dependency graph is now the default playbook. If your CI/CD still trusts "latest" or skips hash pinning, this is an uncomfortable week.

North Korean Laptop Farms Get U.S. Helpers Sentenced

Matthew Isaac Knoot and Erick Ntekereze Prince each received 18-month sentences for running laptop farms and installing remote desktop software that let North Korean IT workers use stolen identities to land remote jobs at at least 70 American companies. The scheme generated over $1.2 million, most of it routed to the DPRK, with the DOJ press release citing more than $1 million in remediation costs to the victim companies. (DOJ press release, Hackread coverage)

TTPs remain consistent: proxy laptops, RDP abuse, and fraudulently obtained corporate network access. The DOJ/FBI PSA is worth a reread.

Hunt guidance: Review remote workforce onboarding for identity gaps, watch for unexpected remote desktop binaries or anomalous laptop shipments, and baseline RDP/SMB behavior from contractor subnets. This is low-tech but persistently effective revenue generation for Pyongyang. Dr.Web has a related writeup on a stealer trojan delivered through fake job-interview applications targeting macOS and Windows; same operational theme, different end of the recruiting pipeline.

Quick Hits

• FamousSparrow hit an Azerbaijani oil and gas target across three intrusion waves with ProxyShell/ProxyNotShell exploits, Deed RAT, and Terndoor backdoors. The campaign used DLL sideloading (LMIGuardianSvc and USOShared sideload chains), API hooking against StartServiceCtrlDispatcherW, and Impacket-style atexec and smbexec for lateral movement. Legacy Exchange servers still make attractive footholds. (Bitdefender Labs)
• macOS campaigns keep abusing Google Ads and shared Claude.ai chats to deliver MacSync via base64-obfuscated zsh commands. Block customroofingcontractors[.]com, bernasibutuwqu2[.]com, and briskinternet[.]com, and train developers never to paste terminal commands from unverified sources. Credit to Berk Albayrak (Trendyol) for the writeup. (BleepingComputer, MacKeeper IoCs, Cyberpress coverage). A related strain abuses a fake Claude Code installer (Ontinue writeup), worth flagging to dev teams who copy-paste install commands.
• Operation HumanitarianBait uses humanitarian lures and a fileless Python implant to steal browser data and drop RustDesk/AnyDesk for RMM access. Heavy on scheduled tasks and obfuscated scripts. (AlienVault OTX pulse)
• Self-hosted tools took knocks: Outline had multiple path traversal and authorization bypasses (CVE-2026-43888, CVE-2026-43889, CVE-2026-43890, plus a Slack-auth CSRF in CVE-2026-44695); Vaultwarden lost brute-force protection on one endpoint (CVE-2026-43914); Pi-hole had a local priv-esc via systemd scripts (CVE-2026-41489). Audiobookshelf also picked up a path-traversal in podcast creation (CVE-2026-42888) and AVideo has an info-disclosure plus stored XSS pair (CVE-2026-43885, CVE-2026-43876). Patch the homelab stack too.

Also Tracking

Stuff on the radar that didn't get a full writeup this week:

• ShinyHunters breached Instructure's Canvas LMS via the Free-For-Teacher account program (Cryptika).
• Hijacked Microsoft Teams accounts pushing ModeloRAT to internal targets (GBHackers).
• Trend Micro's "Vibe Hacking" report on two AI-augmented campaigns against LATAM government and financial sectors.
• Google Threat Intelligence Group's AI Threat Tracker covering adversary use of AI for vuln exploitation and initial access.
• DFIR Report's flash alert on EtherRat and TukTuk C2 leading to The Gentleman ransomware (plus a related OTX pulse on the leak).
• Active exploitation of CVE-2026-41940 to take over cPanel/WHM servers.
• A fake "OpenAI Privacy Filter" Hugging Face repo hit #1 with 244K downloads; a separate trending HF repo cracked 200K downloads while shipping malware. Plus fake DeepSeek TUI repos on GitHub doing the same trick.
• UAT-8302: China-linked APT with a shared malware arsenal hitting governments across three continents.
• Kong RAT spreading via fake FinalShell and Xshell download sites.
• Genians on a Python backdoor following AI deepfake impersonation.
• DomainTools on the SDA/Structura/Doppelgänger influence operation.
• Industrialized smishing infrastructure targeting UAE and Singapore transportation and government.
• A few stragglers worth a glance: a QuickJS-NG privilege escalation, a barebox DHCP out-of-bounds, Sangoma Switchvox cleartext storage, and a libcaca heap overflow via crafted .caca files.
• Regulatory ledger: South Staffordshire Water fined ~£1m by the ICO over the 2022 breach, and GM agreed to a $12.75M California settlement over driver data sales.
• Worth bookmarking: SANS ISC on why CAPTCHAs still earn their keep, and Censys's guide to detection engineering with their data.

Closing note: The Apple deluge and the latest npm wave land on the same point. Dependencies and operating systems are both attack surfaces moving faster than most patching programs. Pick your battles with honest asset inventory and detection that hunts patterns, not just yesterday's hashes.

Mind the threads. The web remembers.

~ UncleSp1d3r