TrapDoor Targets 34 Packages Across npm, PyPI and Crates.io to Steal Crypto Keys and Poison AI Assistants

Group: Attribution unconfirmed. Publisher accounts: npm (asdxzxc), PyPI (asdmini67, dae5411). Campaign marker P-2024-001.
Type: Cross-ecosystem supply chain credential stealer with AI assistant poisoning component
CVEs: None assigned. CWE-506 (Embedded Malicious Code) applies across all 34 packages.
Malware: trap-core.js — 1,149-line npm credential harvester (48,485 bytes); Crates.io build.rs stealer using XOR key

China APT Webworm Hides European Government Espionage Traffic Inside Discord and Microsoft Cloud

Group: Webworm (China-aligned APT); linked to SixLittleMonkeys and FishMonger
Type: APT Campaign / Multi-stage Government Espionage
CVEs: CVE-2017-7692 (SquirrelMail post-authentication RCE, CVSS 8.5 — used for initial access against webmail targets)
Malware: EchoCreep (Go-based backdoor using Discord for C2); GraphWorm (.NET backdoor using Microsoft Graph API and OneDrive for C2); WormFrp, ChainWorm, SmuxProxy, WormSocket (custom proxy chain

Fake Claude Code Install Guide Hides MacSync Infostealer in Active Google Ads Campaign

Group: Attribution unconfirmed; compromised Malaysian company's Google Ads account used as delivery infrastructure proxy
Type: Malvertising / ClickFix Infostealer Campaign — cross-platform macOS and Windows
Malware: MacSync — macOS Malware as a Service infostealer targeting browser credentials, Keychain databases, session cookies, and cryptocurrency wallets; Trojan.Stealer.GJ / Trojan.Stealer.GK — Windows credential stealers delivered via mshta.

CloudZ RAT and Pheno Plugin Hijack Microsoft Phone Link to Bypass MFA Without Touching Your Phone

Group: Unknown threat actor, attribution unconfirmed
Type: Modular RAT with novel MFA-interception plugin
CVEs: None assigned. Exploits legitimate Windows application behaviour rather than a software vulnerability
Malware: CloudZ RAT — modular .NET remote access tool with credential theft, screen recording, and C2 capabilities. Pheno — previously undocumented plugin that hijacks Microsoft Phone Link to intercept SMS messages and OTPs