Cyber Threat Brief — July 7 2026
1. LSHIY Azure CLI Password Spray — 81M Login Attempts, ROPC MFA Bypass
TL;DR: Huntress documented a massive automated password spray campaign from LSHIY LLC (AS32167) making 81M+ Azure CLI login attempts June 12-26, compromising 78 accounts across 64 orgs by abusing the deprecated ROPC OAuth flow to bypass MFA Conditional Access Policies.
What’s New:
- Huntress blog published June 30, widely reported July 7; attacks terminated July 2 after LSHIY suspended the responsible BYOIP customer
- ROPC (Resource Owner Password Credentials) flow sends credentials directly to
/tokenendpoint with no interactive MFA prompt — 15 of 23 orgs hit on June 22 spike had MFA but were misconfigured - Common CAP gaps: MFA scoped to specific apps (not “All Cloud Apps”), admin-only groups, trusted-location exceptions, report-only mode
- 155x increase in credential spray volume across Huntress customer base over past 6 months
- Threat actor used breached credential combos that were never rotated
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
IPv6 range 2a0a:d683::/32 | Source IP | T1110.003 | Azure AD Sign-in Logs | Block range; campaign terminated but block as precaution |
| AS32167 (LSHIY LLC) | ASN | T1110.003 | Firewall/proxy | Block ASN |
ClientApp = Microsoft Azure CLI | Auth indicator | T1078.004 | Azure AD Sign-in Logs, Entra | Alert on Azure CLI ROPC sign-ins from non-admin users |
ROPC grant type at /token endpoint | Auth flow | T1078.004 | Azure AD Sign-in Logs | Hunt for ResourceOwnerPasswordCredential grant type |
userStrongAuthClientAuthNRequired CAP setting | Config check | T1556 | Entra ID CAP audit | Verify this setting is enforced to block ROPC |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No rule for Azure CLI ROPC password spray pattern; need SPL for grant_type=password + ClientApp=Azure CLI + high failure rate |
| Elastic | Entra ID Brute Force (generic) | Does not distinguish ROPC flow from interactive MFA; needs ROPC-specific variant |
| Sigma | cloud_azure_ad_password_spray.yml (partial) | Covers generic spray but not ROPC grant type bypass; add requestClientName filter |
Sources: Huntress — No (Bad) CAP: Inside an Ongoing LSHIY Password Spray Attack · The Hacker News · BleepingComputer
2. PolinRider Supply Chain Campaign — 108 Malicious Packages Across 4 Ecosystems
TL;DR: North Korea-linked Contagious Interview / Famous Chollima actors published 108 malicious packages and extensions across npm, Packagist, Go modules, and Chrome Web Store, delivering BeaverTail RAT variants that steal developer credentials, crypto wallets, and AI assistant API keys using blockchain-based C2 resolution.
What’s New:
- Socket Threat Research disclosed July 3-6; campaign active since at least March 2026
- 162 malicious release artifacts across 19 npm packages, 10 Composer packages, 61 Go modules, 1 Chrome extension
- Rollup polyfill typosquats (
rollup-packages-polyfill-core,rollup-runtime-polyfill-core) mimic legitimaterollup-plugin-polyfill-node - Payload resolves encrypted C2 material from TRON, Aptos, BNB Smart Chain blockchain RPC — no traditional C2 domain to block
- Targets: VS Code, Windsurf, Cursor configs; AWS, Azure, Gemini, Claude API keys; SSH keys; crypto wallets; browser data
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
rollup-packages-polyfill-core | Malicious npm package | T1195.001 | npm audit, SBOM | Remove immediately; scan lockfiles |
rollup-runtime-polyfill-core | Malicious npm package | T1195.001 | npm audit, SBOM | Remove immediately; scan lockfiles |
| Blockchain RPC calls to TRON/Aptos/BNB endpoints | C2 resolution | T1102.002 | DNS, proxy logs | Alert on blockchain RPC calls from CI/CD or dev workstations |
.vscode/, .windsurf/, .cursor/ config exfil | Credential theft | T1552.001 | EDR file access | Monitor reads of AI IDE configs from non-IDE processes |
| BeaverTail JS payload | RAT | T1059.007 | Node.js process monitoring | Hunt for obfuscated postinstall scripts spawning node with network calls |
| GitHub repos with mass obfuscated JS commits | Supply chain | T1195.001 | GitHub audit logs | Review recent contributor commits against known PolinRider patterns |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No rule for blockchain-resolved C2 or malicious npm postinstall chains |
| Elastic | None | No npm supply chain detection; need process tree: npm install → node postinstall → outbound blockchain RPC |
| Sigma | None | No coverage for BeaverTail or PolinRider indicators |
Sources: Socket — PolinRider Supply Chain Campaign · The Hacker News · BleepingComputer
Status Updates
- CVE-2026-48907 (Joomla JCE): CISA KEV federal deadline TODAY July 7. ITW exploitation ongoing. Patch to JCE 2.9.99.5. Original brief.
- CVE-2026-48558 (SimpleHelp OIDC): CISA KEV federal deadline TODAY July 7. Djinn Stealer/TaskWeaver campaigns ongoing. Patch to SimpleHelp 5.5.16+. Original brief.
- FBI TeamPCP FLASH (FLASH-20260702-01): FBI published consolidated advisory July 2 covering Trivy, KICS, LiteLLM, Telnyx backdoors. New malware names: CanisterWorm, SANDCLOCK, Mini Shai-Hulud, Miasma. 1,000+ cloud environments compromised. Pin GitHub Actions to commit SHAs. FBI FLASH.
- CVE-2026-20253 (Splunk Enterprise): Active ITW exploitation ongoing per Splunk PSIRT. No new artifacts. Upgrade to 10.4.0/10.2.4/10.0.7.
- CVE-2026-50656 (RoguePlanet): Still UNPATCHED zero-day. Splunk ESCU Analytics Story available. WDAC/AppLocker remains primary mitigation.