← Back to Threat Briefs

Cyber Threat Brief — February 23, 2026

⚠️ This report is AI-generated. Always validate findings.

Cyber Threat Brief — February 23, 2026

Audience: Detection Engineers | Window: Feb 22–23, 2026 | Threats: 3

1. SANDWORM_MODE — npm Supply Chain Worm Poisons AI Coding Assistants

What’s New

Socket disclosed an active “Shai-Hulud-like” npm supply chain worm campaign — dubbed SANDWORM_MODE — spreading via 19 typosquatted packages that steal developer secrets, crypto keys, CI/CD tokens, and LLM API keys while injecting malicious MCP servers into AI coding tools. The worm self-propagates by abusing stolen npm and GitHub identities, with a dormant polymorphic evasion engine and a wiper kill switch currently toggled off.

Technical Details

FieldValue
CVENone assigned
SeverityCritical
Malicious Publishersofficial334, javaorg (npm aliases)
PlatformsWindows, macOS, Linux (Node.js environments)
ExploitActive — packages live on npm (reported; take-down status unconfirmed)
Second-Stage Delay48 hours + per-machine jitter of up to 48 additional hours

Malicious Packages (19 confirmed): claud-code, cloude-code, cloude, crypto-locale, crypto-reader-info, detect-cache, format-defaults, hardhta, locale-loader-pro, naniod, node-native-bridge, opencraw, parse-compat, rimarf, scan-store, secp256, suport-color, veim, yarsg

Additional related packages (same day disclosure):

  • buildrunner-dev — delivers Pulsar RAT (.NET, via PNG-hosted payload from i.ibb[.]co), targets Windows/macOS/Linux (Veracode)
  • eslint-verify-plugin — deploys Poseidon agent (Mythic C2) on Linux and Apfell (JXA) on macOS; creates admin user, steals Chrome credentials, iCloud Keychain, screenshots (JFrog)

SANDWORM_MODE Capabilities:

  • Stage 1 (immediate): System profiling, npm/GitHub token exfil, crypto key theft (~/.ssh/id_rsa, ~/.aws/credentials, .env)
  • Stage 2 (48h+): Password manager harvest, worm propagation via poisoned package.json, git hooks, and GitHub Actions
  • McpInject module: Deploys rogue MCP server into Claude Code, Claude Desktop, Cursor, VS Code Continue, Windsurf — uses prompt injection to stage ~/.ssh/id_rsa, ~/.ssh/id_ed25519, ~/.aws/credentials, ~/.npmrc, .env for exfiltration
  • LLM API key harvesting: Targets Anthropic, Cohere, Fireworks AI, Google, Grok, Mistral, OpenAI, Replicate, Together
  • Exfiltration: GitHub API primary, DNS fallback
  • Wiper: Kill switch wipes home directory on loss of GitHub/npm access (currently disabled)
  • Polymorphic engine: Uses local Ollama/DeepSeek Coder to rewrite code (currently disabled)

TTPs

TacticTechniqueObservable
Initial AccessT1195.001 — Compromise Software DependenciesMalicious npm packages installed via npm install
Credential AccessT1552.001 — Credentials in FilesAccess to ~/.ssh/id_*, ~/.aws/credentials, .env, .npmrc
Credential AccessT1056.001 — KeyloggingMCP prompt injection hooks returning file contents
PersistenceT1546 — Event-Triggered ExecutionGit post-commit hooks, GitHub Actions workflow injection
C2T1071.001 — Web ProtocolsHTTPS exfil to GitHub API, DNS fallback
Lateral MovementT1080 — Taint Shared ContentPropagation via poisoned package.json and lockfiles
Defense EvasionT1027.013 — Encrypted/Encoded FilePolymorphic code rewriting (staged, currently off)
ImpactT1485 — Data DestructionWiper routine triggered on loss of C2 (staged, currently off)

Detection Opportunities

1. Suspicious MCP Configuration Modification

# Monitor for new MCP server entries injected into AI tool configs
find ~/.cursor ~/.config/claude ~/.continue -name "*.json" -newer /tmp/baseline -exec grep -l "mcp\|server" {} \;

2. npm postinstall Spawning Network Connections

# Splunk SPL
index=endpoint (process_name="node" OR process_name="npm") 
| eval parent=mvindex(split(process_tree,"|"),0)
| where like(command_line,"%postinstall%") AND like(dns_query,"%api.github.com%")
| stats count by host, command_line, dns_query

3. CI/CD Secret Exfiltration (GitHub Actions)

# Sigma rule concept
title: GitHub Actions Workflow Modification with Network Exfiltration
detection:
  selection:
    EventID: 4663  # File written
    TargetFilename|contains: '.github/workflows/'
    TargetFilename|endswith: '.yml'

4. SSH Private Key Access from Node Process

index=endpoint process_name="node" file_path IN ("*/.ssh/id_rsa","*/.ssh/id_ed25519","*/.aws/credentials")
| stats count by host, user, file_path, process_command_line

5. DNS Exfiltration Fallback Pattern Watch for Node.js processes generating high-volume TXT or A record lookups with base64-encoded subdomains.

Log Sources

  • npm audit logs: ~/.npm/_logs/
  • Sysmon Event 11 (File Create) for ~/.ssh, ~/.aws, ~/.npmrc, .env
  • Sysmon Event 3 (Network Connection) from node processes
  • GitHub Actions logs for unauthorized workflow modifications
  • EDR process tree for npm install → postinstall hooks spawning network connections
  • DNS logs for anomalous subdomain entropy from developer workstations

Detection Coverage

SourceStatusRule
Sigma❌ Gap (npm worm specific)N/A
Splunk ESCU⚠️ Partial3CX Supply Chain Network Indicators (supply chain concept)
Elastic❌ GapN/A
KQL⚠️ PartialMCP Server Registered to Entra (MCP persistence concept)

Gap: No existing rules specifically detect typosquatted npm package installation, McpInject MCP server injection into Claude/Cursor configs, or the 48-hour delayed second-stage activation pattern. Priority candidate for new Sigma rules.

Sources

2. MuddyWater Operation Olalampo — New Rust Backdoor + AI-Assisted Malware

What’s New

Group-IB published technical analysis of Operation Olalampo, a new MuddyWater (Iranian APT) campaign active since January 26, 2026. The operation introduces four new malware families — including a Rust-based backdoor controlled via Telegram bot — targeting organizations in the MENA region. AI-assisted development signatures found in the malware’s debug strings confirm the group’s continued adoption of generative AI for malware production.

Technical Details

FieldValue
CVENone (phishing-delivered)
Threat ActorMuddyWater (aka Earth Vetala, Mango Sandstorm, MUDDYCOAST) — Iranian state-sponsored
AttributionMOIS (Ministry of Intelligence and Security)
First ObservedJanuary 26, 2026
TargetsEnergy, marine services, financial orgs in MENA region
C2 Infrastructurecodefusiontech[.]org (HTTP_VIP C2), Telegram bot stager_51_bot (CHAR)
New MalwareGhostFetch, GhostBackDoor, HTTP_VIP, CHAR (Rust)
ExploitNo public CVE — macro-enabled Office documents

Malware Family Breakdown:

MalwareTypeCapability
GhostFetchFirst-stage downloaderVM/sandbox/AV checks, mouse movement validation, screen resolution check, fetches GhostBackDoor in-memory
GhostBackDoorSecond-stage backdoorInteractive shell, file read/write, re-run GhostFetch
HTTP_VIPNative downloaderSystem recon, auth to codefusiontech[.]org, deploys AnyDesk; newer variant adds shell/clipboard/file ops
CHARRust backdoorTelegram bot C2 (stager_51_bot), executes cmd.exe/PowerShell, SOCKS5 proxy deployment, deploys Kalim backdoor

Attack Chains:

  1. Phishing email → Malicious Excel (macro-enabled) → CHAR Rust backdoor
  2. Phishing email → Malicious Office document → GhostFetch → GhostBackDoor (in-memory)
  3. Phishing email → Flight ticket/report lure → HTTP_VIP → AnyDesk deployment

AI Development Evidence:

  • Emojis present in CHAR Rust source code debug strings (consistent with LLM-assisted coding)
  • CHAR shares structural/development environment overlap with BlackBeard/RustyWater (previously attributed to MuddyWater)

TTPs

TacticTechniqueObservable
Initial AccessT1566.001 — Spearphishing AttachmentMalicious Excel/Office documents with macros
ExecutionT1059.003 — Windows Command Shellcmd.exe spawned by CHAR via Telegram commands
ExecutionT1059.001 — PowerShellPowerShell for SOCKS5 proxy/Kalim deployment
ExecutionT1204.002 — Malicious FileUser enabling macros in Office document
Defense EvasionT1497 — Virtualization/Sandbox EvasionMouse movement, VM artifact, screen resolution checks in GhostFetch
Defense EvasionT1497.003 — Time Based EvasionSandbox check heuristics
C2T1102.002 — Bidirectional Communication via Web ServiceTelegram bot C2 (CHAR stager_51_bot)
C2T1071.001 — Web Protocolscodefusiontech[.]org HTTP/S C2 (HTTP_VIP)
Remote AccessT1219 — Remote Access ToolsAnyDesk deployed by HTTP_VIP
CollectionT1115 — Clipboard DataHTTP_VIP captures clipboard contents
Lateral MovementT1090.001 — SOCKS5 ProxyCHAR deploys SOCKS5 reverse proxy

Detection Opportunities

1. Telegram Bot API from Unexpected Processes

index=endpoint (process_name="cmd.exe" OR process_name="powershell.exe") 
  dest_host IN ("api.telegram.org") 
| stats count by src_host, user, parent_process, command_line

2. Office Document Spawning Suspicious Child Processes

index=endpoint parent_process IN ("WINWORD.EXE","EXCEL.EXE") 
  process_name IN ("cmd.exe","powershell.exe","wscript.exe","cscript.exe")
| where NOT like(command_line, "%trusted_macro%")
| stats count by host, user, command_line

3. AnyDesk Execution Following Office Macro Activity Look for AnyDesk installation/launch within 5 minutes of Office macro execution events (Sysmon Event 1 chain).

4. Rust Backdoor Pattern — Telegram C2 Phone-Home

# Network: Watch for beacon traffic to api.telegram.org with bot token patterns
# DNS: Resolve api.telegram.org from non-browser processes
dest_hostname="api.telegram.org" AND process_name NOT IN ("chrome.exe","firefox.exe","teams.exe")

5. GhostFetch Anti-Analysis Checks Watch for WMI queries for VM artifacts combined with process injection (Sysmon Event 10):

EventID=10 (CallTrace contains VirtualAlloc) AND EventID=1 (CommandLine contains SystemInfo OR wmic os get)

Log Sources

  • Sysmon Events: 1 (process create), 3 (network), 10 (process access), 11 (file create)
  • Office macro audit logs (AMSI, Microsoft 365 Advanced Threat Protection)
  • EDR telemetry for Office child processes
  • Proxy/firewall logs for codefusiontech[.]org and api.telegram.org
  • DNS logs for Telegram API resolution from non-browser processes

Detection Coverage

SourceStatusRule
Sigma✅ PartialTelegram Bot API Request, Suspicious Non-Browser Network Communication With Telegram API
Sigma✅ PartialAnydesk Remote Access Software Service Installation, Suspicious Binary Writes Via AnyDesk
Splunk ESCU✅ PartialPotential Telegram API Request Via CommandLine, Download Files Using Telegram
Elastic✅ PartialSuspicious MS Office Child Process
All Sources❌ GapNo GhostFetch-specific or CHAR/Rust Telegram backdoor rules

Priority Detection Gaps: CHAR (Rust) Telegram bot C2, GhostFetch VM sandbox evasion chain, HTTP_VIP AnyDesk deployment pattern, in-memory payload execution via reflective loading.

Sources

3. CVE-2025-40551 — SolarWinds Web Help Desk RCE Hits CISA KEV

What’s New

CISA added CVE-2025-40551 to its Known Exploited Vulnerabilities catalog on February 22, 2026, giving federal civilian agencies a 3-day deadline to patch SolarWinds Web Help Desk. Active exploitation is confirmed. The vulnerability is one of four critical flaws (all CVSS 9.8) fixed in the January 28 Web Help Desk 2026.1 release — attackers can chain the auth bypass CVEs with RCE to achieve full system compromise unauthenticated.

Technical Details

FieldValue
CVECVE-2025-40551 (RCE), CVE-2025-40552 (Auth Bypass), CVE-2025-40553 (RCE), CVE-2025-40554 (Auth Bypass)
CVSS9.8 (all four)
AffectedSolarWinds Web Help Desk ≤ 12.8.8 Hotfix 1
FixedWeb Help Desk 2026.1 (released Jan 28, 2026)
Root CauseUnsafe deserialization of attacker-controlled Java objects in AjaxProxy functionality
ExploitActive exploitation confirmed; no public PoC (Horizon3.ai technical writeup published ~2 weeks ago)
CISA KEVAdded Feb 22, 2026; FCEB deadline: Feb 25, 2026
DiscoveryCVE-2025-40551 by Jimi Sebree (Horizon3.ai); CVE-2025-40552/53/54 by Piotr Bazydlo (watchTowr)

Attack Chain (most dangerous):

  1. CVE-2025-40552 or CVE-2025-40554 — Unauthenticated auth bypass → invoke protected actions
  2. CVE-2025-40551 or CVE-2025-40553 — Deserialization of untrusted Java objects → arbitrary OS command execution as WHD service account

Deployment context: WHD is widely deployed in government agencies, healthcare, education — IT ticketing/help desk infrastructure with high-privilege service accounts and broad network access.

TTPs

TacticTechniqueObservable
Initial AccessT1190 — Exploit Public-Facing ApplicationHTTP POST to /helpdesk/WebObjects/AjaxProxy.woa/ws/... endpoints
ExecutionT1059 — Command and Scripting InterpreterOS commands executed via deserialized Java payload
Defense EvasionT1190 — Pre-Auth BypassNo credentials required for auth bypass CVEs
PersistenceT1505.003 — Web ShellPost-exploitation web shell deployment likely
Lateral MovementT1021 — Remote ServicesLateral movement from compromised WHD server
CollectionT1005 — Data from Local SystemHelp desk ticket data, credentials, user PII

Detection Opportunities

1. Elastic Rule — SolarWinds WHD Suspicious Activity

Existing: Suspicious SolarWinds Web Help Desk Java Module Load or Child Process

Confirms: Java module loads or child processes spawned from WHD process tree

2. Web Server Log Pattern — AjaxProxy Exploitation

index=web_logs (sourcetype=iis OR sourcetype=apache_access)
  uri_path="*/AjaxProxy.woa/ws/*" method=POST
| eval suspicious=if(status=200 AND len(request_body)>500, "high", "low")
| where suspicious="high"
| stats count by src_ip, uri_path, status, cs_bytes

3. WHD Process Spawning OS Commands

index=endpoint parent_process_name="java.exe" 
  process_name IN ("cmd.exe","powershell.exe","sh","bash","whoami","net.exe","certutil.exe")
  parent_process_path="*SolarWinds*"
| stats count by host, user, process_name, command_line

4. Auth Bypass Indicators — Unauthenticated Access to Protected Endpoints

Monitor: HTTP 200 responses to `/helpdesk/WebObjects/` admin endpoints without session cookie
Alert: IP addresses hitting AjaxProxy endpoints with serialized Java object payloads (magic bytes: `AC ED 00 05`)

5. Post-Exploitation: Web Shell Deployment

EventID=11 (Sysmon File Create) TargetFilename CONTAINS "SolarWinds\Web Help Desk\WebObjects\" TargetFilename ENDSWITH ".jsp"

Log Sources

  • IIS/Apache access logs for WHD web server (POST requests to AjaxProxy)
  • Sysmon Event 1 — java.exe spawning child processes on WHD server
  • Sysmon Event 11 — File creation in WHD WebObjects directory (potential web shell)
  • Windows Security Event 4688 — Process creation on WHD host
  • EDR telemetry on the WHD server host

Detection Coverage

SourceStatusRule
Sigma❌ GapNo CVE-2025-40551-specific rule
Splunk ESCU⚠️ PartialTomcat Session Deserialization Attempt (concept match)
Elastic✅ ExistsSuspicious SolarWinds Web Help Desk Java Module Load or Child Process
KQL❌ GapNo specific rule

Recommendation: Write Sigma rule for: java.exe child process spawning cmd.exe/powershell.exe with parent path containing “Web Help Desk”. Also add web log detection for AjaxProxy POST anomalies. Priority: HIGH given active exploitation + government targeting.

Sources

Detection Priority Matrix

ThreatSeverityExploitationPriority
SANDWORM_MODE npm Worm🔴 CriticalActive (packages live)P1 — Block malicious packages, audit developer systems
SolarWinds WHD CVE-2025-40551🔴 CriticalActive (CISA KEV)P1 — Patch by Feb 25 (FCEB deadline)
MuddyWater Operation Olalampo🟠 HighActive (phishing campaign)P2 — MENA-focused but TTPs widely reusable

Key Detection Gaps Summary

GapPriorityRecommended Action
npm typosquatting worm install detectionHIGHNew Sigma rule: npm postinstall → network connection to github API
McpInject MCP server poisoningHIGHNew rule: Claude/Cursor config modification from non-standard process
CHAR Rust Telegram C2 (non-browser Telegram API)MEDIUMEnhance existing Sigma Telegram rules with process exclusions
SolarWinds WHD AjaxProxy exploitationHIGHNew Sigma rule: java.exe → cmd.exe/PS under WHD path
GhostFetch in-memory payload executionMEDIUMEDR rule for reflective loading after Office macro

Brief generated: 2026-02-23 05:00 PST | Sources verified against 24-hour window | Detection coverage checked against 6,800+ rule index