Cybersecurity Threat Research ‘Weekly’ Recap

The report highlights activity across supply chains, APT intrusions, phishing, ransomware, edge and IoT infrastructure, and AI-enabled exploitation, noting Open VSX sleeper extensions delivering GlassWorm and npm supply-chain worms. The analysis also covers covert C2, credential theft, and domain spoofing in developer ecosystems, with groups such as GopherWhisper, Tropic Trooper, Mustang Panda, UNC6692, and others deploying staged loaders, custom beacons, shadow firmware, and crypto drainers. #GlassWorm #GopherWhisper
Supply Chain & Developer Ecosystems
- Open VSX sleeper extensions were later activated to deliver malware through normal updates and dependency chains. Tags: GlassWorm. Related: Open VSX Sleeper Extensions
- npm supply-chain worms and package backdoors spread via install-time malware, credential theft, and self-propagation. Tags: Shai-Hulud, CanisterWorm, TeamPCP. Related: npm Threat Landscape | Namastex.ai npm Packages
- Developer repo infections were used as malware delivery channels via obfuscated JS, workspace tasks, and rewritten git history. Tags: ForceMemo, Void Dokkaebi. Related: ForceMemo in the DNS Spotlight | Void Dokkaebi via Code Repositories
APT Intrusions & Covert C2
- China-aligned APT activity reused Go-based tooling and legitimate services for stealthy C2, exfiltration, and mailbox abuse. Tags: GopherWhisper, Harvester/GoGra, Red Menshen/BPFDoor. Related: GopherWhisper | Harvester GoGra | Red Menshen Profile
- Tropic Trooper, Mustang Panda, and UNC6692 deployed staged loaders, custom beacons, and cloud-hosted infrastructure to sustain access. Tags: AdaptixC2, LOTUSLITE, SNOWBELT, SNOWGLAZE, SNOWBASIN. Related: Tropic Trooper Pivots | Mustang Panda LOTUSLITE | UNC6692 Snow Flurries
Phishing, Social Engineering & Identity Abuse
- Fake portals and device-code phishing were used to steal credentials, tokens, and payment data at scale. Tags: Operation TrustTrap, OAuth Device Code Flow, IRSF/Click2SMSh. Related: TrustTrap Domain Spoofing | OAuth Device Code Flow | Fake CAPTCHA IRSF
- Fake IT worker and hiring workflows enabled covert access using stolen identities and legitimate SaaS onboarding. Tags: Jasper Sleet, Workday. Related: Infiltrating IT Workers
Ransomware, Exfiltration & Financial Theft
- Ransomware crews upgraded exfiltration and evasion tooling, with detections spanning Windows and network-edge devices. Tags: BQTLock, Trigona, Rhantus, LockBit. Related: BQTLock Ransomware | Trigona Custom Exfiltration | Bomgar Exploitation
- Crypto stealers and drainers targeted wallets, browser data, and multichain assets through malicious sites and trojanized apps. Tags: StepDrainer, EtherRAT, Needle Stealer, NGate, FakeWallet. Related: Crypto Drainers | Needle Stealer | NGate Variant | FakeWallet iOS
Edge, IoT & Network Infrastructure
- Edge-device and router abuse remained a key stealth layer for espionage and malware delivery. Tags: FIRESTARTER, BPFDoor, Raptor Train, Volt Typhoon, UAT-4356. Related: FIRESTARTER | China-Nexus Covert Networks
- Shadow supply chains and weak IoT firmware exposed large fleets of consumer devices to remote control and telemetry abuse. Tags: Allwinner, Eken. Related: Chinese Cameras Supply Chain
AI, LLMs & Offensive Acceleration
- AI-assisted operations accelerated exploitation, reconnaissance, and reverse engineering at scale. Tags: Bissa Scanner, Claude Code, OpenClaw, Anthropic Mythos. Related: Bissa Scanner Exposed | Anthropic Mythos | Frontier AI & Software Security
- LLM and LLM-platform risks included rapid SSRF exploitation and new defenses against AI-driven reverse engineering. Tags: LMDeploy, CVE-2026-33626, Claude Opus 4.6, Tigress. Related: LMDeploy SSRF Exploitation | LLM-Driven Reverse Engineering
Wi-Fi, Browser & Endpoint Tradecraft
- Wireless, browser, and endpoint attacks introduced new bypasses, stealers, and persistence methods. Tags: AirSnitch, ClickFix, BlueHammer, RedSun, UnDefend. Related: AirSnitch Wi-Fi Attacks | macOS ClickFix | BlueHammer / RedSun / UnDefend
Vulnerability & Exposure Trends
- Vulnerable public-facing services saw active exploitation across backup, VPN, and Firepower ecosystems. Tags: Bomgar, FortiGate, Cisco Firepower. Related: Nightmare-Eclipse Intrusion | FIRESTARTER on Cisco Firepower
- Operational reliability lessons from backup telemetry showed off-hours failures and the need for better scheduling and monitoring. Tags: Acronis. Related: Backup Reliability Report