The Bad

A packaging blunder has turned the crown jewels of AI coding into a malware lure following the accidental leak of Claude Code’s entire source tree on npm. Within hours, threat actors began flooding GitHub with fraudulent "Enterprise Unlocked" repositories that actually bundle the Vidar infostealer with the GhostSocks proxy. Phishing has entered a new phase of automation with DeepLoad, a sophisticated loader that pairs ClickFix social engineering with AI-generated obfuscation to bypass static scanners.

• Threat actors are exploiting the recent leak of Claude Code's source code to distribute Vidar information-stealing malware through fraudulent GitHub repositories. Claude Code, developed by Anthropic, is a terminal-based AI agent designed for coding tasks and system interactions. On March 31, a significant portion of its source code was accidentally exposed in an npm package, revealing sensitive details across 1,906 files. This leak quickly attracted attention, leading to the creation of fake repositories claiming to offer "unlocked enterprise features." Users who downloaded these repositories inadvertently installed malware disguised as the AI tool. The malicious executable deploys Vidar alongside the GhostSocks proxy tool, with the repositories frequently updated to include new payloads. 

• A large-scale credential harvesting operation has been identified, exploiting the critical vulnerability CVE-2025-55182 in Next.js applications. This flaw allows attackers to breach at least 766 hosts across various regions and cloud providers. The threat cluster UAT-10608 has been linked to this activity, which employs automated scripts to extract sensitive data such as database credentials, SSH private keys, and API keys. The attackers utilize a web-based GUI called "NEXUS Listener" to manage and analyze the stolen information. The operation demonstrates a sophisticated approach to targeting vulnerable Next.js deployments, leveraging automated scanning tools to identify and exploit weaknesses. 

• DeepLoad is a sophisticated malware that employs the ClickFix social engineering tactic to distribute itself and steal browser credentials. It utilizes AI-assisted obfuscation and process injection to evade detection, starting its attack by tricking users into executing PowerShell commands via a deceptive lure. The malware hides within legitimate Windows processes, such as "LockAppHost.exe," and disables PowerShell command history to avoid monitoring. It generates a temporary Dynamic Link Library (DLL) in the user’s Temp directory to bypass file-based detection and employs asynchronous procedure call injection to execute its payload covertly. DeepLoad not only extracts browser passwords but also installs malicious extensions that capture credentials in real-time. Additionally, it can reinfect hosts using Windows Management Instrumentation, ensuring persistence without user interaction.

New Threats

The barrier to entry for cybercrime continues to lower with the debut of CrystalRAT, a new MaaS being aggressively promoted across Telegram and YouTube.  The lightweight RoadK1ll reverse tunneling tool allows attackers to pivot through compromised environments using a custom WebSocket protocol, effectively transforming infected machines into relay points to access unreachable internal services.

• Two critical vulnerabilities in Progress ShareFile, identified as CVE-2026-2699 and CVE-2026-2701, can be exploited together to enable unauthenticated file exfiltration and remote code execution. These flaws exist in the Storage Zones Controller (SZC) of ShareFile version 5.x, which allows users to manage data storage on various infrastructures. The first vulnerability, CVE-2026-2699, involves an authentication bypass due to improper HTTP redirect handling, granting access to the ShareFile admin interface. Attackers can then manipulate configuration settings, including sensitive parameters. The second vulnerability, CVE-2026-2701, enables remote code execution by allowing attackers to upload malicious ASPX webshells after exploiting the first flaw. Approximately 30,000 SZC instances are publicly exposed, primarily in the U.S. and Europe.

• A new malware-as-a-service called CrystalRAT has emerged, offering a range of capabilities including remote access, data theft, keylogging, and clipboard hijacking. Promoted on Telegram and YouTube, CrystalRAT features a user-friendly control panel and an automated builder tool that allows for extensive customization, including anti-analysis measures. Its infostealer component targets Chromium-based browsers and popular desktop applications like Steam and Discord. Additionally, CrystalRAT incorporates prankware features, such as altering display settings, disabling input devices, and displaying fake notifications, which may appeal to less experienced attackers. 

• A new variant of the SparkCat malware has been identified on both the Apple App Store and Google Play Store, targeting cryptocurrency users by stealthily stealing wallet recovery phrase images from their photo galleries. Discovered by Kaspersky, this malware disguises itself within seemingly legitimate apps, such as enterprise messengers and food delivery services. The iOS version scans for English mnemonic phrases, broadening its potential impact, while the Android variant focuses on keywords in Japanese, Korean, and Chinese. Enhanced with multiple obfuscation layers, the Android version employs techniques like code virtualization and OCR to exfiltrate sensitive images to an attacker-controlled server. 

• A newly identified malware implant named RoadK1ll allows attackers to navigate through compromised networks by utilizing a custom WebSocket protocol. Discovered by Blackpoint during an incident response, this lightweight reverse tunneling tool transforms infected machines into relay points, enabling attackers to access internal services and systems that are otherwise unreachable. RoadK1ll establishes outbound connections to attacker-controlled infrastructure, facilitating covert communication and traffic forwarding without detection. It supports multiple commands, including opening TCP connections and managing data flow, while its reconnection mechanism ensures persistent access even if the channel is interrupted. However, it operates without traditional persistence methods, relying solely on the active process of the implant.