Weekly Threat Watch
June 1, 2026
AI Ecosystem Poisoning, PhaaS MFA Bypasses, and Memory-Only APT Malware

This week’s threat landscape exposes a severe escalation in highly targeted supply chain attacks and sophisticated social engineering. Attackers are pushing beyond simple typosquatting to poison AI coding assistants directly and brandjack enterprise SDKs. Concurrently, financially motivated actors and state-sponsored APTs are leveraging Phishing-as-a-Service (PhaaS) to bypass MFA entirely and utilizing memory-only, host-locked malware to completely evade sandbox detection.

SISA Weekly Threat Watch, our weekly feature, brings you a quick snapshot of the major security vulnerabilities that posed a threat to organizations worldwide. These recurring, actionable threat advisories also provide information and recommendations that help security teams take appropriate action to defend against the latest critical threats.

The Developer Supply Chain and AI Ecosystem Under Siege

Threat actors are explicitly targeting the tools developers use to write, format, and push code, turning AI assistants and open-source registries into direct vectors for enterprise compromise.

  • "TrapDoor" Cross-Ecosystem Campaign — Targeting npm, PyPI, and Crates.io, this attack distributes credential-stealing malware to cryptocurrency and AI developers. Uniquely, it drops malicious .cursorrules and CLAUDE.md files to poison AI coding assistants, tricking the AI models into silently executing local malware payloads and exfiltrating data.
  • Advanced Brandjacking (NuGet & npm) — Attackers have moved beyond typosquatting to "brandjacking." The Sicoob.Sdk NuGet package impersonated a Brazilian financial system to exfiltrate mTLS banking certificates via legitimate Sentry telemetry. Meanwhile, the vpmdhaj npm cluster targeted OpenSearch developers to siphon AWS credentials and CI/CD secrets.
  • "Malware-Slop" Targeting Claude AI — A malicious npm package (mouse5212-super-formatter) specifically targets the /mnt/user-data directory used by Anthropic's Claude AI tool. It exfiltrates prompt histories, proprietary source code, and internal corporate data back to attacker-controlled GitHub repositories.

SaaS Identity Hijacking and Next-Gen Social Engineering

Adversaries are exploiting legitimate cloud authentication flows and spoofing trusted corporate communication platforms to bypass traditional perimeters.

  • "Kali365" and "EvilTokens" PhaaS Platforms — These Phishing-as-a-Service toolkits automate "Device Code Flow" exploitation. By tricking users into entering a device code on the legitimate [microsoft.com/devicelogin](https://microsoft.com/devicelogin) portal, attackers bypass MFA entirely to steal OAuth Access and Refresh Tokens for persistent, passwordless Microsoft 365 access.
  • ShinyHunters Escalation (ShinyCorp) — This financially motivated group has shifted to aggressive cloud credential abuse, targeting misconfigured Salesforce Experience Cloud instances, Snowflake, and third-party SaaS integrations. They utilize vishing and stolen OAuth tokens to conduct massive extortion campaigns.
  • JINX-0164 Targets Crypto via CI/CD Hijacking — Posing as recruiters on LinkedIn, this group lures developers into fake Webex/Teams meetings that display an "audio error." The provided "fix" deploys macOS malware (AUDIOFIX/MiniRAT). Attackers then pivot using stolen GitHub/GitLab tokens to inject trojanized code directly into the victim's CI/CD pipelines.
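
A triage sketch for the device code abuse described in the Kali365/EvilTokens item above, added here as an example and not taken from SISA or Microsoft. It assumes sign-in records exported in a Microsoft Graph signIn-style shape with an `authenticationProtocol` field; the allow-list and all sample records are constructed.

```python
import json

# Hypothetical allow-list: accounts that legitimately sign in input-constrained devices.
ALLOWED_DEVICE_CODE_USERS = {"svc-kiosk@example.com"}
CA_BLOCKED = 53003  # Entra ID error code: blocked by Conditional Access

# Constructed records; field names assume a Microsoft Graph signIn-style export.
SAMPLE_SIGNINS = json.loads("""[
 {"createdDateTime": "2026-05-28T09:14:02Z", "userPrincipalName": "a.rao@example.com",
  "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.45",
  "status": {"errorCode": 0}},
 {"createdDateTime": "2026-05-28T09:20:11Z", "userPrincipalName": "svc-kiosk@example.com",
  "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7",
  "status": {"errorCode": 0}},
 {"createdDateTime": "2026-05-28T10:02:40Z", "userPrincipalName": "b.lee@example.com",
  "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.45",
  "status": {"errorCode": 53003}},
 {"createdDateTime": "2026-05-28T10:05:00Z", "userPrincipalName": "c.kim@example.com",
  "authenticationProtocol": "oAuth2", "ipAddress": "192.0.2.10",
  "status": {"errorCode": 0}}
]""")

def triage_device_code(signins, allowed=ALLOWED_DEVICE_CODE_USERS):
    """Split device code sign-ins into alerts, policy blocks and expected use."""
    out = {"alert": [], "blocked": [], "expected": []}
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            continue  # other protocols are out of scope for this check
        user = s.get("userPrincipalName", "").lower()
        code = s.get("status", {}).get("errorCode")
        row = (s.get("createdDateTime"), user, s.get("ipAddress"))
        if code == CA_BLOCKED:
            out["blocked"].append(row)    # policy worked; the user may still have been lured
        elif code == 0 and user not in allowed:
            out["alert"].append(row)      # tokens were issued: revoke sessions, investigate
        elif code == 0:
            out["expected"].append(row)
        # other failure codes issued no tokens and are ignored here
    return out

if __name__ == "__main__":
    for bucket, rows in triage_device_code(SAMPLE_SIGNINS).items():
        print(bucket, rows)
```
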

State-Sponsored Evasion and Enterprise Exploits

APTs are upgrading their evasion capabilities, ensuring payloads only detonate on validated targets, while unpatched enterprise servers remain vulnerable to critical RCEs.

  • Lazarus Group's "RemotePE" RAT — North Korean actors are deploying a memory-only RAT via a custom loader (DPAPILoader). The malware encrypts its payload using the native Windows DPAPI, ensuring it can only be decrypted on the specific infected host, rendering automated sandbox analysis useless.
  • Kimsuky Espionage Infrastructure Modernization — This North Korean group is using "JSONPing" to verify infections in real time before dropping their HTTPSpy payload. They are also spoofing Webex meetings and upgrading their PebbleDash and AppleSeed malware arsenals, exploiting legitimate VS Code Tunneling to move laterally.
  • Microsoft SharePoint RCE (CVE-2026-45659) — A critical insecure deserialization vulnerability allows authenticated attackers to execute arbitrary code remotely on vulnerable SharePoint servers, enabling full server compromise and disruption of enterprise collaboration services.
  • Dual-Platform Financial Campaign (Grandoreiro & BTMOB) — A coordinated financial fraud campaign is hitting Europe and Latin America. It utilizes the Grandoreiro banking trojan on Windows (abusing DLL side-loading and WebRTC for stealthy C2) and the BTMOB RAT on Android (distributed via fake apps using Accessibility Services for device takeover and crypto mining).

Proactive steps for the week

  • Lock Down Device Code Flows: Configure Microsoft Entra ID Conditional Access policies to explicitly block the device code authentication flow for standard users, neutralizing the Kali365/EvilTokens PhaaS threat.
  • Sanitize AI Workspaces: Audit developer directories for unexpected .cursorrules or CLAUDE.md files (TrapDoor mitigation) and restrict third-party package access to AI runtime directories like /mnt/user-data (Malware-Slop mitigation).
  • Harden CI/CD & Developer Endpoints: Enforce strict dependency pinning and use --ignore-scripts during npm/pip/cargo installs. Treat developer workstations as high-risk assets and mandate hardware-backed FIDO2 MFA.
  • Monitor for Living-off-the-Cloud (LotC) Abuse: Hunt for unauthorized VS Code Tunneling executions (Kimsuky) and audit OAuth applications in Salesforce and M365 environments to prevent token abuse by groups like ShinyHunters.
  • Patch SharePoint: Immediately apply the latest security updates for Microsoft SharePoint to remediate the critical CVE-2026-45659 deserialization flaw.
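
One way to run the workspace audit from the "Sanitize AI Workspaces" step, added here as an example and not SISA's own tooling. The dependency directory names, the approved-file list and the content markers are assumptions chosen for illustration.

```python
import os
from pathlib import Path

# File names the advisory says TrapDoor drops to steer AI coding assistants.
AI_INSTRUCTION_FILES = {".cursorrules", "claude.md"}
# Assumed list of directories populated by package managers; an instruction
# file found here arrived with a dependency, not from the team.
DEPENDENCY_DIRS = {"node_modules", "site-packages", "vendor", ".cargo"}
# Constructed heuristics for instructions that run commands or hide activity.
SUSPICIOUS_MARKERS = ("curl ", "wget ", "base64", "| sh", "| bash",
                      "do not tell the user", "without asking")

def audit_workspace(root, approved=()):
    """Return sorted (relative_path, reasons) findings for AI instruction files.

    approved: relative POSIX paths the team has reviewed and committed.
    """
    root = Path(root)
    approved = set(approved)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip VCS internals
        for name in filenames:
            if name.lower() not in AI_INSTRUCTION_FILES:
                continue
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            reasons = []
            if DEPENDENCY_DIRS & set(Path(rel).parts[:-1]):
                reasons.append("inside dependency directory")
            if rel not in approved:
                reasons.append("not on approved list")
            text = path.read_text(errors="replace").lower()
            hits = [m.strip() for m in SUSPICIOUS_MARKERS if m in text]
            if hits:
                reasons.append("suspicious content: " + ", ".join(hits))
            if reasons:
                findings.append((rel, reasons))
    return sorted(findings)

if __name__ == "__main__":
    import sys
    for rel, reasons in audit_workspace(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{rel}: {'; '.join(reasons)}")
```
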
