Cyber Threat Brief — April 25 2026
1. Bitwarden CLI Supply Chain — Shai-Hulud Credential Worm
TL;DR: @bitwarden/[email protected] was backdoored for 93 minutes on April 22 via a compromised Checkmarx GitHub Action. The payload — “Shai-Hulud: The Third Coming” — steals dev credentials, npm/GitHub tokens, cloud keys, and explicitly targets AI coding tool configs (Claude Code, Cursor, Codex CLI).
What’s New:
- TeamPCP (same actor behind Trivy/litellm/telnyx compromises) pivoted to Bitwarden via cascading Checkmarx CI/CD token theft
- bw_setup.js downloads the Bun runtime and launches the obfuscated bw1.js credential stealer
- Stolen data is AES-256-GCM encrypted and exfiltrated to audit.checkmarx[.]cx (94.154.172[.]43), with a GitHub repo fallback under victim accounts
- Self-propagating npm worm creates repos named {sardaukar|fremen|atreides}-{sandworm|ornithopter}-NNN with the description “Shai-Hulud: The Third Coming”
- Attacker GitHub account helloworm00 (created April 20, email [email protected]) used for staging
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| @bitwarden/[email protected] | Malicious npm package | T1195.002 | npm audit / SBOM | Remove; rotate all credentials on the host |
| audit.checkmarx[.]cx | Exfil domain | T1567 | DNS/Proxy | Block |
| 94.154.172.43 | C2 IP | T1071.001 | Firewall | Block |
| bw_setup.js, bw1.js | Malware loader / stealer | T1059.007 | EDR (file create) | Hunt in node_modules |
| helloworm00 GitHub repos | Exfil repos (Dune-themed names) | T1567.001 | GitHub audit log | Hunt for repo creation under org accounts |
| bw1, checkmarx, butlerian, shai-hulud, tmp.987654321 | Shell RC persistence markers | T1546.004 | EDR / .bashrc, .zshrc | Grep developer workstations |
| ~/.claude/, ~/.cursor/, .codex/ config access | AI tool credential theft | T1552.001 | EDR (file read) | Alert on unexpected reads |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | Need: npm preinstall script spawning Bun runtime; bw_setup.js file creation |
| Elastic | None | Need: Node.js process downloading Bun binary; GitHub API repo creation from CI runner |
| Sigma | None | Need: Shell RC file modification with known Shai-Hulud markers |
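Host-side hunt for the RC-marker and node_modules actions in the table above, and for the Sigma gap (RC file modification with known markers), as an added example that is not code from Bitwarden, Checkmarx or any of the cited vendors. It greps shell RC files for the published markers, walks a project tree for bw_setup.js / bw1.js under node_modules, and matches the Dune-themed repo naming scheme. The extra RC file names (.profile, .bash_profile, .zprofile), the three-digit reading of NNN, and the sample files it builds in a temp directory are assumptions.

```python
"""Shai-Hulud host hunt. Added example; not vendor code.

Markers, stage file names and the repo naming scheme come from the brief.
Sample workstation content is constructed in a temp dir so this runs offline.
"""
import os
import re
import tempfile

# Persistence markers published for the shell RC stage.
RC_MARKERS = ("bw1", "checkmarx", "butlerian", "shai-hulud", "tmp.987654321")
# .bashrc/.zshrc are from the brief; the other three are an assumption.
RC_FILES = (".bashrc", ".zshrc", ".profile", ".bash_profile", ".zprofile")
STAGE_FILES = {"bw_setup.js", "bw1.js"}
# {sardaukar|fremen|atreides}-{sandworm|ornithopter}-NNN, NNN read as three digits (assumption).
WORM_REPO_RE = re.compile(r"^(sardaukar|fremen|atreides)-(sandworm|ornithopter)-\d{3}$")


def is_worm_repo_name(name: str) -> bool:
    """True if a repo name matches the worm's naming scheme."""
    return WORM_REPO_RE.fullmatch(name) is not None


def scan_rc_files(home: str) -> list:
    """Return (path, line_no, marker) for each marker hit in known RC files."""
    hits = []
    for fname in RC_FILES:
        path = os.path.join(home, fname)
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                low = line.lower()
                for marker in RC_MARKERS:
                    if marker in low:
                        hits.append((path, lineno, marker))
    return hits


def scan_node_modules(root: str) -> list:
    """Return paths of bw_setup.js / bw1.js found under any node_modules dir."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        if "node_modules" not in dirpath.split(os.sep):
            continue
        for f in files:
            if f in STAGE_FILES:
                found.append(os.path.join(dirpath, f))
    return found


def demo() -> dict:
    """Build a constructed developer home directory and run both scans over it."""
    with tempfile.TemporaryDirectory() as tmp:
        home = os.path.join(tmp, "home", "dev")
        os.makedirs(home)
        # Constructed .bashrc: one benign line, one line mimicking the persistence stage.
        with open(os.path.join(home, ".bashrc"), "w") as fh:
            fh.write("export PATH=$HOME/bin:$PATH\n")
            fh.write("[ -f /tmp/tmp.987654321 ] && node /tmp/tmp.987654321/bw1.js\n")
        # Constructed project tree with the stage files inside node_modules.
        pkg = os.path.join(home, "proj", "node_modules", "@bitwarden", "cli")
        os.makedirs(pkg)
        for f in ("bw_setup.js", "bw1.js", "index.js"):
            open(os.path.join(pkg, f), "w").close()
        rc_hits = scan_rc_files(home)
        nm_hits = scan_node_modules(home)
        return {
            "rc_markers": sorted({m for _, _, m in rc_hits}),
            "rc_lines": sorted({n for _, n, _ in rc_hits}),
            "stage_files": sorted(os.path.basename(p) for p in nm_hits),
        }


if __name__ == "__main__":
    print(demo())
    print(is_worm_repo_name("fremen-sandworm-042"))
```

The "checkmarx" marker will hit on workstations that legitimately use Checkmarx tooling, so treat RC hits as leads to be paired with a node_modules or repo-name hit rather than as a verdict on their own.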
Sources: Aikido · HackerNews · Endor Labs · OX Security · Bitwarden Statement
2. CISA KEV April 24 — Samsung MagicINFO, SimpleHelp, D-Link
TL;DR: CISA added 4 actively exploited CVEs on April 24: Samsung MagicINFO unauthenticated JSP upload delivering Mirai, SimpleHelp RMM chain enabling DragonForce ransomware, and D-Link EoL router RCE for Mirai botnet recruitment.
What’s New:
- CVE-2024-7399 (Samsung MagicINFO 9 Server): Unauthenticated path traversal JSP upload → RCE as SYSTEM; Mirai variant “tuxnokill” deployed; version 21.1050.0 still vulnerable despite vendor claims; CISA deadline May 15
- CVE-2024-57726 + CVE-2024-57728 (SimpleHelp ≤5.5.7): Missing authorization → admin API key creation → Zip Slip arbitrary file write → RCE; DragonForce ransomware precursor per Sophos/Field Effect; CISA deadline May 15
- CVE-2025-29635 (D-Link DIR-823X): Command injection, EoL device — no patch forthcoming; Mirai “tuxnokill” campaign per Akamai SIRT; CISA deadline May 15
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| POST to MagicINFO upload endpoint with .jsp extension | Exploit payload | T1190 | WAF / reverse proxy | Block unauthenticated JSP uploads |
| Mirai variant “tuxnokill” | Botnet payload | T1583.005 | EDR/IDS | Hunt for binary name |
| SimpleHelp technician API key creation from low-priv account | Privilege escalation | T1078.004 | SimpleHelp audit logs | Alert on API key creation by non-admin |
| Zip file uploads to SimpleHelp with ../ path components | Zip Slip exploit | T1105 | SimpleHelp server logs | WAF rule for path traversal in archives |
| D-Link DIR-823X on network | Vulnerable asset | T1190 | Asset inventory | Decommission; no patch available |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None for MagicINFO or SimpleHelp-specific | Need: JSP file creation in MagicINFO web root; SimpleHelp API key escalation |
| Elastic | None specific | Need: SimpleHelp zip upload with path traversal indicators |
| Sigma | None specific | Need: Samsung MagicINFO unauthenticated upload detection |
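Archive triage for the SimpleHelp Zip Slip gap above, as an added example that is not SimpleHelp's, Sophos's or Field Effect's code: it lists the entries of an uploaded ZIP that would escape the extraction directory (".." components that survive normalization, absolute paths, drive-letter prefixes) without extracting anything. The sample archive is constructed in memory; nothing in it is taken from a real exploit artifact.

```python
"""Zip Slip triage for uploaded archives. Added example; not vendor code.

Flags archive entries whose names would land outside the extraction
directory. The sample archive is constructed in memory so this runs offline.
"""
import io
import posixpath
import zipfile


def escapes_extract_dir(entry_name: str) -> bool:
    """True if extracting entry_name under a base dir could write outside it."""
    name = entry_name.replace("\\", "/")  # treat backslashes as separators too
    if name.startswith("/"):
        return True                       # absolute POSIX path
    if len(name) >= 2 and name[1] == ":":
        return True                       # Windows drive-letter path, e.g. C:/...
    # "a/../b" stays inside; "a/../../b" does not. Normalize and look for a leading "..".
    norm = posixpath.normpath(name)
    return norm == ".." or norm.startswith("../")


def scan_zip(data: bytes) -> list:
    """Return names of entries in the archive that would escape the extract dir."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if escapes_extract_dir(info.filename):
                bad.append(info.filename)
    return bad


def build_sample_zip() -> bytes:
    """Constructed test archive: two benign entries and two traversal entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("config/settings.xml", "<settings/>")
        zf.writestr("plugins/a/../b.jar", "ok")             # resolves inside the tree
        zf.writestr("../../webapp/ROOT/shell.jsp", "<% %>")  # classic Zip Slip entry
        zf.writestr("C:\\Windows\\Temp\\x.exe", "MZ")        # absolute Windows path
    return buf.getvalue()


if __name__ == "__main__":
    for name in scan_zip(build_sample_zip()):
        print("traversal entry:", name)
```

Run this against the raw upload before the server's own extractor sees it; matching only the literal string "../" misses entries such as "a/b/../../../x", which is why the check normalizes first.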
Sources: CISA Alert · BleepingComputer - MagicINFO · Akamai - D-Link Mirai · HackerNews · Arctic Wolf
3. Tropic Trooper (APT23) Pivots to AdaptixC2 — GitHub C2
TL;DR: Zscaler ThreatLabz caught Tropic Trooper deploying a trojanized SumatraPDF reader with a custom AdaptixC2 beacon that uses GitHub Issues as C2, targeting Chinese-speaking military/government entities. Staging server ties to prior Cobalt Strike and EntryShell infrastructure.
What’s New:
- March 12 2026 ZIP archive with military-themed lure: “Comparative Analysis of US-UK and US-Australia Nuclear Submarine Cooperation (2025).exe” — trojanized SumatraPDF
- TOSHIS loader hijacks `__security_init_cookie`, resolves APIs via Adler-32 hashes, and downloads AES-128-CBC encrypted shellcode from the staging server
- AdaptixC2 Beacon generates a per-session RC4 key, gets the victim's external IP from ipinfo.io, and posts to GitHub Issues for task assignment and result upload
- VS Code tunnels used for interactive remote access post-beacon
- Staging server 158.247.193[.]100 previously hosted Cobalt Strike Beacon and the EntryShell backdoor (known Tropic Trooper tooling)
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| 158.247.193.100 | Staging/C2 server | T1105 | Firewall/Proxy | Block |
| GitHub Issues API calls from non-dev endpoints | C2 channel | T1102.002 | Proxy/CASB | Alert on GitHub API from unexpected hosts |
| ipinfo.io lookups from endpoints | Victim fingerprinting | T1016 | DNS/Proxy | Correlate with other suspicious activity |
| SumatraPDF with modified `__security_init_cookie` | Trojanized binary | T1036.005 | EDR (hash mismatch) | Baseline legitimate SumatraPDF hashes |
| VS Code tunnel connections from non-developer hosts | Remote access | T1219 | Proxy/EDR | Alert on unexpected code tunnel usage |
| Adler-32 API resolution pattern | Loader behavior | T1027.007 | EDR (API call pattern) | Behavioral rule for hashed API resolution |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | Need: VS Code tunnel from non-dev host; GitHub Issues API abuse from endpoint |
| Elastic | Suspicious Remote Access Tool Execution (partial for VS Code) | Need: SumatraPDF spawning network connections; GitHub API as C2 |
| Sigma | win_susp_vscode_tunnel.yml (community, partial) | Need: Adler-32 loader pattern; trojanized PDF reader behavioral detection |
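Analyst-side helper for the Adler-32 resolution row and the loader-pattern gap above, as an added example that is not Zscaler's code and not the loader's: it precomputes Adler-32 over candidate export names so hashed constants lifted from a TOSHIS sample can be mapped back to API names, which is how you confirm the hashing scheme before writing a behavioral rule. The encoding variants (ASCII vs UTF-16LE, original vs lower case), the candidate export list and the sample constants are assumptions; a real sample may hash differently.

```python
"""Adler-32 export-name lookup table. Added example; not Zscaler's or the loader's code.

The brief states only that the loader resolves APIs via Adler-32. Input
encoding and case are unknown, so the table is built over several variants.
"""
import zlib

# Constructed candidate list: exports a shellcode loader typically needs (assumption).
CANDIDATE_EXPORTS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateThread", "WinHttpOpen", "WinHttpSendRequest", "InternetOpenA",
]


def api_hash(name: str, *, lowercase: bool = False, wide: bool = False) -> int:
    """Adler-32 of an export name; flags select the usual loader tweaks (assumed variants)."""
    s = name.lower() if lowercase else name
    data = s.encode("utf-16-le") if wide else s.encode("ascii")
    return zlib.adler32(data) & 0xFFFFFFFF


def build_table(names=CANDIDATE_EXPORTS) -> dict:
    """Map every hash variant of every candidate back to the export name."""
    table = {}
    for n in names:
        for lower in (False, True):
            for wide in (False, True):
                table[api_hash(n, lowercase=lower, wide=wide)] = n
    return table


def resolve_hashes(constants, table=None) -> dict:
    """Resolve 32-bit constants pulled from the loader; unknown ones map to None."""
    table = table or build_table()
    return {c: table.get(c) for c in constants}


if __name__ == "__main__":
    # Constructed constants: three genuine Adler-32 values plus one that should not resolve.
    sample = [api_hash("VirtualAlloc"), api_hash("CreateThread"), 0x1D810497, 0xDEADBEEF]
    for c, n in resolve_hashes(sample).items():
        print(f"0x{c:08X} -> {n}")
```

If none of the constants resolve under any variant, the loader is either salting the hash or hashing something other than the bare export name, and the Adler-32 claim needs to be re-checked against the sample before a rule is built on it.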
Sources: Zscaler ThreatLabz · HackerNews · GBHackers
Status Updates
- CVE-2026-4681 (PTC Windchill): Still no patch; German police physical outreach continues; imminent exploitation threat persists. Original brief.
- CVE-2026-33825 / BlueHammer (Windows Defender): CISA KEV addition April 22; federal deadline May 7; RedSun and UnDefend remain unpatched. Original brief.
- CVE-2026-35616 (FortiClient EMS): Federal deadline passed April 9; 7.4.7 full fix still pending; exploitation ongoing since March 31. Original brief.
- CVE-2026-34621 (Adobe Reader): ITW exploitation ongoing since Dec 2025; CISA KEV deadline May 4; no new IOCs. Original brief.