
Cyware Daily Threat Intelligence, April 03, 2026


A packaging blunder has turned the crown jewels of AI coding into a malware lure following the accidental leak of Claude Code’s entire source tree on npm. Within hours, threat actors began flooding GitHub with fraudulent "Enterprise Unlocked" repositories that actually bundle the Vidar infostealer with the GhostSocks proxy.

The barrier to entry for cybercrime keeps falling with the debut of CrystalRAT, a new MaaS being aggressively promoted across Telegram and YouTube. The RAT offers a "one-stop shop" for attackers, combining a credential harvester for Chromium browsers with surveillance tools for remote audio and video capture.

Enterprise file-sharing security is facing a critical emergency as researchers disclose a "perfect 10" exploit chain affecting Progress ShareFile Storage Zones Controller (SZC). By chaining an authentication bypass (CVE-2026-2699) with an arbitrary file upload flaw (CVE-2026-2701), unauthenticated attackers can remotely execute code and siphon sensitive documents from storage repositories.

Top Malware Reported in the Last 24 Hours

Claude Code leak enables malware distribution

Threat actors are exploiting the recent leak of Claude Code's source code to distribute Vidar information-stealing malware through fraudulent GitHub repositories. Claude Code, developed by Anthropic, is a terminal-based AI agent designed for coding tasks and system interactions. On March 31, a significant portion of its source code was accidentally exposed in an npm package, revealing sensitive details across 1,906 files. This leak quickly attracted attention, leading to the creation of fake repositories claiming to offer "unlocked enterprise features." Users who downloaded these repositories inadvertently installed malware disguised as the AI tool. The malicious executable deploys Vidar alongside the GhostSocks proxy tool, with the repositories frequently updated to include new payloads. 

New CrystalRAT malware offers unique features

A new malware-as-a-service called CrystalRAT has emerged, offering a range of capabilities including remote access, data theft, keylogging, and clipboard hijacking. Promoted on Telegram and YouTube, CrystalRAT features a user-friendly control panel and an automated builder tool that allows for extensive customization, including anti-analysis measures. Its infostealer component targets Chromium-based browsers and popular desktop applications like Steam and Discord. Additionally, CrystalRAT incorporates prankware features, such as altering display settings, disabling input devices, and displaying fake notifications, which may appeal to less experienced attackers. 

New SparkCat malware variant targets crypto users

A new variant of the SparkCat malware has been identified on both the Apple App Store and Google Play Store, targeting cryptocurrency users by stealthily stealing wallet recovery phrase images from their photo galleries. Discovered by Kaspersky, this malware disguises itself within seemingly legitimate apps, such as enterprise messengers and food delivery services. The iOS version scans for English mnemonic phrases, broadening its potential impact, while the Android variant focuses on keywords in Japanese, Korean, and Chinese. Enhanced with multiple obfuscation layers, the Android version employs techniques like code virtualization and OCR to exfiltrate sensitive images to an attacker-controlled server. 

Top Vulnerabilities Reported in the Last 24 Hours

Progress ShareFile vulnerabilities enable RCE

Two critical vulnerabilities in Progress ShareFile, identified as CVE-2026-2699 and CVE-2026-2701, can be exploited together to enable unauthenticated file exfiltration and remote code execution. These flaws exist in the Storage Zones Controller (SZC) of ShareFile version 5.x, which allows users to manage data storage on various infrastructures. The first vulnerability, CVE-2026-2699, involves an authentication bypass due to improper HTTP redirect handling, granting access to the ShareFile admin interface. Attackers can then manipulate configuration settings, including sensitive parameters. The second vulnerability, CVE-2026-2701, enables remote code execution by allowing attackers to upload malicious ASPX webshells after exploiting the first flaw. Approximately 30,000 SZC instances are publicly exposed, primarily in the U.S. and Europe.
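The chain above ends with an ASPX webshell written onto the SZC host, which is the step a defender can look for in web server logs. The following Python is an added example, not code from the briefing or from Progress: it parses constructed IIS W3C-format log lines and flags any request to an .aspx path outside a known application baseline by a client that previously issued a POST (a possible upload). The log fields, the client addresses and every path in the sample are assumptions, not the product's real endpoints.

```python
# Constructed IIS W3C sample (not from the briefing); all paths are hypothetical.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2026-04-02 10:01:05 10.0.0.5 GET /configservice/Login.aspx - 203.0.113.9 302
2026-04-02 10:01:06 10.0.0.5 GET /configservice/Admin/Settings.aspx - 203.0.113.9 200
2026-04-02 10:01:09 10.0.0.5 POST /configservice/Admin/Upload.aspx - 203.0.113.9 200
2026-04-02 10:01:12 10.0.0.5 GET /upload/tmp/cmd.aspx - 203.0.113.9 200
2026-04-02 10:05:00 10.0.0.5 GET /configservice/Login.aspx - 198.51.100.7 200
"""

# Assumed baseline of .aspx pages the application legitimately serves (lower-cased).
KNOWN_ASPX = {
    "/configservice/login.aspx",
    "/configservice/admin/settings.aspx",
    "/configservice/admin/upload.aspx",
}


def parse_w3c(text):
    """Yield one dict per record, naming columns from the '#Fields:' header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        yield dict(zip(fields, line.split()))


def find_webshell_candidates(text, known_aspx):
    """Return (client_ip, path) pairs for requests to .aspx pages that are not in
    the baseline, made by a client that earlier sent a POST (possible file upload).
    A newly appearing .aspx outside the application surface is the signature of a
    dropped webshell regardless of which bypass put it there."""
    clients_that_posted = set()
    hits = []
    for rec in parse_w3c(text):
        client = rec["c-ip"]
        path = rec["cs-uri-stem"]
        if rec["cs-method"] == "POST":
            clients_that_posted.add(client)
        if (path.lower().endswith(".aspx")
                and path.lower() not in known_aspx
                and client in clients_that_posted):
            hits.append((client, path))
    return hits
```

Run against real IIS logs, the baseline should be built from a period you trust, and a hit is a prompt to inspect the file on disk and the upload request that preceded it.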

Hackers exploit critical vulnerability in Next.js

A large-scale credential harvesting operation has been identified that exploits the critical vulnerability CVE-2025-55182 in Next.js applications. The flaw has allowed attackers to breach at least 766 hosts across various regions and cloud providers. The threat cluster UAT-10608 has been linked to this activity, which employs automated scripts to extract sensitive data such as database credentials, SSH private keys, and API keys. The attackers use a web-based GUI called "NEXUS Listener" to manage and analyze the stolen information. The operation demonstrates a sophisticated approach to targeting vulnerable Next.js deployments, leveraging automated scanning tools to identify and exploit weaknesses.
