CTI Daily Brief — 2026-05-26

"TrapDoor" cross-ecosystem supply-chain campaign validates stolen tokens before exfil and poisons AI-assistant config files

Socket disclosed TrapDoor, a coordinated supply-chain campaign spanning 34+ malicious packages across 384+ versions published to npm, PyPI and Crates.io, with earliest activity on 2026-05-22 ~20:20 UTC; Socket reports a median detection latency of under six minutes after publish (Socket, 2026-05-24; The Hacker News, 2026-05-25). Each registry carries a distinct execution path: npm packages run a JavaScript credential harvester via a postinstall lifecycle hook (T1195.001, T1059.004); PyPI packages execute on import and pull a remote payload via node -e; Rust crates use build.rs scripts that XOR-encrypt local Sui/Solana/Aptos wallet keystores and exfiltrate them to GitHub Gists. The npm harvester validates stolen AWS and GitHub tokens against live APIs before flagging them — only working credentials are exfiltrated (T1552.001) — and establishes persistence via cron, systemd units, Git hooks and SSH-based lateral movement (T1053.003, T1021.004). The defining novelty is an AI-assistant targeting vector: the packages write hidden instructions into .cursorrules and CLAUDE.md using zero-width Unicode characters (U+200B family), so a developer reviewing the file sees clean text while Cursor or Claude Code parses an attacker "security scan" directive that triggers data exfiltration (T1195.002).

Why it matters to us: the targeting (crypto/DeFi/AI developer communities) is narrow, but the execution model is not — any CH/EU public-sector DevOps pipeline that installs from these registries is exposed, and the AI-config-poisoning vector is a fresh class of persistence that survives a clean-looking code review. Hunt for node/python/cargo build processes spawning sh/bash/node -e, package-manager process trees writing to ~/.cursorrules or CLAUDE.md (especially with zero-width code points U+200B/U+200C/U+FEFF present), unexpected systemd unit or crontab writes from build runners, and GitHub Gist POST from CI. Pin exact versions, verify lockfile hashes, and run installs with --ignore-scripts where feasible.

ACR Stealer distributed through counterfeit Claude AI download pages promoted by malicious search ads [SINGLE-SOURCE]

SANS ISC handler Brad Duncan documented a delivery chain that impersonates Anthropic's Claude desktop app via counterfeit "Download for Windows" pages, promoted through malicious search ads hosted on sites.google.com, ultimately dropping ACR Stealer (SANS Internet Storm Center, 2026-05-26). Clicking the download button delivers a corrupted ZIP archive containing obfuscated PowerShell; the infection chain also involves a JPEG image whose precise role the SANS ISC analyst could not characterise (no embedded data was identified in it), and ends in execution of the commodity infostealer ACR Stealer, which harvests credentials and browser data (T1566.002, T1059.001). [SINGLE-SOURCE] — reported by SANS ISC only at time of writing.

Why it matters to us: this is the demand-side mirror of the TrapDoor item above — attackers monetising trust in AI tooling, here against ordinary employees searching for an AI client rather than developers. Add Anthropic/Claude and other AI-brand impersonation to brand-abuse and malvertising monitoring; hunt for powershell.exe spawned from browser-download or archive-extraction paths (Sysmon EID 1 / Windows 4688, especially with -nop/-w hidden/-enc), PowerShell reading image files as code, and outbound connections from powershell.exe to newly-registered domains.

CVE-2026-9058 — Szafir SDK (KIR): signature-verification routine reports success on an untrusted certificate chain, enabling auth bypass in Polish e-government

CERT Polska disclosed CVE-2026-9058, an improper-certificate-validation flaw (CWE-393 / CWE-637) scored CVSS 4.0 9.3 (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N) in Szafir SDK, the qualified-electronic-signature library developed by clearinghouse Krajowa Izba Rozliczeniowa (KIR) and embedded across Polish public-administration systems (CERT Polska, 2026-05-25; ENISA EUVD-2026-31679, 2026-05-25). The defect is precise and instructive: the SDK returns the success code /VerifyingTaskItem/Signature/VerificationResult/Result/@code == 0 ("Positively verified") from cryptographic signature verification even when the signer certificate's trust status is nondetermined — i.e. the chain could not be validated to a trusted root. A consuming application that gates on the result code alone treats a signature backed by an unverifiable or attacker-supplied certificate as valid, yielding authentication bypass and user impersonation without possession of a legitimate qualified certificate (T1606). Any application that consumes Szafir to accept qualified electronic signatures is therefore exposed to forged-signature acceptance — squarely the qualified-signature use case across Polish e-government and regulated industry; the issue is fixed in version 463.

This clears the § 2 bar on ENISA EUVD CVSS ≥ 9.0 and as a national-CERT primary disclosure for its own jurisdiction. Defender action beyond upgrading to ≥ 463: applications must validate the certificate trust status independently of the result code — check …/SigningCertificate/@certificateType != "nondetermined" before accepting the signature — and audit verification logs for events where Result/@code == 0 coincided with a nondetermined certificate, which indicates likely abuse. The broader lesson generalises to any CH/EU qualified-signature stack: never collapse "cryptographically intact" and "anchored to a trusted root" into a single boolean. No in-the-wild exploitation is reported.

CVE-2026-5426 — Digital Knowledge KnowledgeDeliver LMS: pre-shared ASP.NET `machineKey` enables ViewState deserialization RCE, exploited as a zero-day

Mandiant / Google Threat Intelligence Group published an incident-response investigation into a late-2025 compromise of a web server running KnowledgeDeliver, an ASP.NET learning-management system from Japan-based Digital Knowledge that is widely deployed in Japanese enterprise and education environments (Google Threat Intelligence Group, 2026-05-25; Mandiant Vulnerability Disclosures MNDT-2026-0009). The root cause (CVE-2026-5426) is identical pre-shared ASP.NET machineKey values shipped across all customer installations by default: any party who recovers the hardcoded key from one instance can forge a valid signed/encrypted ViewState payload and replay it against any other deployment. Because ASP.NET ViewState is deserialized through ObjectStateFormatter → BinaryFormatter, a forged payload yields arbitrary .NET object-graph deserialization and remote code execution (T1190). Mandiant states the flaw was exploited as a zero-day prior to the 2026-02-24 patch.

Post-exploitation, the actor deployed BLUEBEAM (a variant of the Godzilla web shell) that runs entirely inside the IIS worker process w3wp.exe — no shell file on disk — receiving commands over encrypted HTTP POST (T1505.003, T1071.001), then injected content into the LMS to mount a watering-hole attack against its users (T1189). Targeting is Japan-primary, but the transferable lesson is broad and urgent for CH/EU public-sector .NET estates: audit every ASP.NET application for shared or default machineKey values and rotate to unique, cryptographically strong per-deployment keys — there is no default-config toggle that removes the shared-key risk. Hunt for Windows Application-log Event ID 1316 (ViewState validation failure — Mandiant notes even successful exploitation generated these) on LMS-adjacent web servers, and for w3wp.exe spawning cmd.exe/powershell.exe/cscript.exe or making unexpected outbound connections (Sysmon EID 1 with a parent-image filter on w3wp.exe). Because BLUEBEAM is memory-resident with no on-disk shell file, live-memory collection on the IIS worker is the primary post-exploitation detection path.

CVE Summary Table

Google's threat-intel group maps a Chinese-language PhaaS ecosystem doing real-time OTP relay over RCS/iMessage [SINGLE-SOURCE]

Google Threat Intelligence Group published a teardown of around a dozen current Chinese-language phishing-as-a-service (PhaaS) offerings — case-studied through "YY Lai Yu" (YY来鱼) — whose shared headline capability is real-time OTP relay: a live operator admin panel captures the one-time code the victim types into a spoofed page and re-submits it on the genuine portal inside its validity window, completing the login and defeating TOTP- and SMS-based MFA without a classic reverse-proxy AiTM stack (Google Threat Intelligence Group, 2026-05-25). [SINGLE-SOURCE] — GTIG primary research at time of writing. Two delivery and evasion properties make it operationally distinct: lures ride RCS and iMessage, whose end-to-end encryption blocks carrier-level SMS content filtering (T1566.002); and the kits use Puppeteer-driven AI page cloning to emit per-campaign-unique HTML/JS that frustrates signature-based phishing detection. Captured card-plus-OTP material is immediately provisioned into contactless wallet tokens for high-value transactions (T1111 MFA interception). GTIG names Europe among explicitly targeted regions (alongside the Americas, Australia and the Middle East), notes targeting across 119 countries, and links UNC5814 to the Darcula PhaaS component; the infrastructure is rented, so victimology is buyer-driven rather than fixed to the Japan-heavy template library.

Why it matters to us: any CH/EU financial institution, e-government SSO portal or public-service login that relies on TOTP or SMS as its second factor is in scope — OTP relay neutralises both. FIDO2/WebAuthn (hardware keys or synced passkeys) removes the exposure entirely because the cryptographic assertion is bound to the legitimate origin and cannot be relayed; where FIDO2 cannot yet be deployed, bind the MFA validation to the original login session (IP/device) so a relayed OTP from a different ASN fails. Detection concept: correlate the IP/ASN seen at OTP issuance against the IP/ASN that consumes it within the SSO/IdP logs — an AiTM relay shows the victim's address on the phishing page and the operator's address on the real portal; alert on OTPs consumed seconds after issuance from a different ASN, and on contactless-wallet provisioning immediately following a credential submission from an unrecognised device.

UPDATE: TeamPCP / Mini Shai-Hulud — framework open-sourced, Microsoft PyPI SDK trojanised with a wiper stage, forged Sigstore badges

UPDATE (originally covered 2026-05-21, consolidated weekly update): SANS ISC handler Kenneth Hartman documents three material escalations in the TeamPCP / Mini Shai-Hulud supply-chain campaign through 2026-05-24 (SANS Internet Storm Center, 2026-05-25). First, the complete TeamPCP framework was published to a public GitHub repository on/around 2026-05-22 — Datadog Security Labs' static analysis (reported by ISC) describes a modular TypeScript/Bun toolkit for credential harvesting, supply-chain poisoning and encrypted exfiltration whose README carries the strings "Love - TeamPCP" and "Change keys and C2 as needed" — and operational copycat forks appeared within hours, commoditising the kit and injecting attribution noise.

Second, an @antv npm wave pushed 639 malicious versions across 323 packages, including high-traffic libraries such as echarts-for-react (~1.1M weekly downloads) and size-sensor (~4.2M weekly downloads); 42 of the packages displayed forged Sigstore verification badges in the npm UI (The Hacker News, 2026-05-19). Read against the campaign's earlier abuse of genuine SLSA Build Level 3 attestations produced by hijacked pipelines, package provenance is now under attack from both directions at once — real attestations from compromised CI and fake badges rendered by the registry UI. Third, three versions of durabletask (1.4.1–1.4.3) on PyPI — Microsoft's official Azure Durable Functions SDK — were trojanised, and ISC reports the second-stage payload includes a Linux disk wiper (T1485), expanding the campaign's capability from credential theft to data destruction.

Defender takeaway: treat any echarts-for-react / size-sensor build pulled in the affected window as compromised; stop treating an npm Sigstore badge or a displayed SLSA attestation as an install-time safety signal — verify provenance out-of-band against a known-good pipeline. durabletask consumers should audit build-runner logs for unexpected outbound connections and destructive disk operations (Sysmon EID 11 for anomalous file-deletion patterns, EID 3 for unexpected node/python egress from CI workers). Pin exact versions and verify lockfile hashes. The open-sourcing means PBKDF2-salt and dead-drop-string lineage will now also fire on unrelated copycats — behavioural detection on the install-time execution chain is more durable than any static artefact.