Threat Research | Weekly Recap [24 May 2026]

Supply Chain & Developer Tool Abuse

  • TrapDoor crypto-stealer hit npm, PyPI, and Crates.io, abusing AI config files to steal wallets, SSH keys, cloud creds, and browser data — original
  • Compromised @antv npm packages spread Mini Shai-Hulud-style install-time payloads that steal developer secrets and republish infected releases — original
  • Typosquatted Go module github.com/shopsprint/decimal shipped a DNS TXT backdoor and remained available via proxy mirrors — original
  • Trojanized JDownloader installers delivered an r77 rootkit bot and WDAC policy to disable security tools — original
  • Compromised art-template npm package helped deliver a Coruna-linked iOS browser exploit kit — original
  • Malicious Windsurf IDE extension used the Solana blockchain to stage a NodeJS stealer and hidden persistence — original

AI, SEO Poisoning & Fake Developer Tool Lures

  • SEO poisoning used fake Gemini CLI and Claude Code downloads to install an infostealer that grabs tokens, cookies, files, and credentials — original
  • Google Ads impersonating Claude Code pushed Windows stealers and a macOS backdoor via ClickFix-style commands — original
  • Gemini-assisted influence and fraud campaign automated credential theft, crypto scams, and propaganda through a fake persona network — original
  • AI-generated scripts are increasingly reaching production, raising governance and embedded-credential risks in SMB automation — original

Windows Exploitation, Zero-Days & Privilege Escalation

  • YellowKey and GreenPlasma zero-days enabled BitLocker bypass and SYSTEM escalation; CVE-2026-45585 was assigned to YellowKey — original
  • Nightmare-Eclipse publicly released YellowKey and GreenPlasma, with evidence the toolkit is already used in intrusions — original
  • Legacy MSHTA remains a common malware launcher for LummaStealer, PurpleFox, loaders, and multi-stage HTA/PowerShell chains — original
  • SonicWall SSL VPN exploitation of CVE-2024-12802 showed patched devices can remain exposed without manual reconfiguration — original
  • Azure VMAccess naming abuse can evade password-reset telemetry and create a detection gap in Azure environments — original

APT, Espionage & Regional Operations

  • Screening Serpens used tailored lures, DLL sideloading, and AppDomainManager hijacking to deploy MiniUpdate and MiniJunk V2 RATs — original
  • Nimbus Manticore reused phishing, Trojanized installers, and MiniFast in campaigns against aviation and software targets — original
  • Cloud Atlas expanded SSH-tunnel tradecraft with VBCloud, PowerShower, RevSocks, Tor, and PowerCloud for covert access — original
  • Webworm added EchoCreep and GraphWorm, leveraging Discord, Microsoft Graph API, GitHub staging, and cloud infrastructure — original
  • UNG0002 targeted Chinese academia with a weaponized institutional lure, DLL sideloading, and a final Cobalt Strike beacon — original
  • Void Dokkaebi updated InvisibleFerret to Cython-compiled binaries and broadened BeaverTail for credential theft and wallet installation — original

Ransomware, Extortion & Credential Theft

  • CoinbaseCartel ran a single-extortion, data-theft-only model and tied into ShinyHunters/Scattered Spider/Lapsus$ ecosystems — original
  • The Gentlemen ransomware used Scheduled Tasks, PowerShell, log clearing, and Defender tampering for defense evasion — original
  • Agent Tesla campaign hit LATAM enterprises with procurement lures, fileless execution, and FTP-based exfiltration — original
  • ValleyRAT was delivered through fake Microsoft Teams downloads, NSIS installers, and DLL sideloading — original
  • Banana RAT was linked to banking fraud activity originating from a compromised build server — original
  • ShinyHunters, Andariel, BlueNoroff, and others featured in a broader financial-sector phishing, infostealer, and ransomware wave — original

Cloud, Platform & Infrastructure Abuse

  • Azure-based vulnerable lab environments and validation workflows help test misconfigurations, privilege escalation, and cross-account access at scale — original
  • Kubernetes CVE-2021-25740 allows traffic redirection via EndpointSlice/Endpoint manipulation in multi-tenant clusters — original
  • UEFI PNG decoder flaw in BIOS firmware can trigger boot-time buffer over-read and potential memory/NVRAM leakage — original

Fraud, Phishing & Consumer Abuse

  • Android carrier-billing fraud used nearly 250 malicious apps for premium SMS abuse across multiple countries — original
  • Discord- and Dropbox-backed lure campaign hijacked Google accounts by abusing Family Link and malicious parent controls — original
  • Fake event-invitation phishing delivered remote management tools such as ScreenConnect and LogMeIn Rescue for unauthorized access — original
  • Phishing-to-RMM activity abused trusted tools and routine-looking downloads to create a remote-access blind spot for SOCs — original
  • IPL 2026 betting ecosystem expanded through fake domains, tipper networks, deepfakes, and money-mule services — original

Malware Infrastructure, TTPs & Trend Reporting

  • Dark web profile and sector reports highlighted growing reuse of stolen credentials, Telegram theft channels, and malware-for-hire ecosystems — original
  • Global domain activity data showed millions of newly registered domains with a large malicious share, reinforcing NRD abuse trends — original
  • AI-era threat research notes a need for machine-speed prioritization of actively exploited CVEs like React2Shell — original

Threat Research | Weekly Recap – hendryadrian.com