ctipilot.ch

SentinelOne — Living Off the Pipeline CI/CD subversion taxonomy with three case studies (TeamCity / GitLab service-account / Contagious Interview)

campaign · research:sentinelone-living-off-the-pipeline-2026

Coverage timeline: 1 (first 2026-05-16 → last 2026-05-16)
Briefs: 1 (1 distinct)
Sources cited: 34 (17 hosts)
Sections touched: 1 (research)
Co-occurring entities: 8

Story timeline

  1. 2026-05-16 · CTI Daily Brief — 2026-05-16 (research)
     First coverage. SentinelOne taxonomy of CI/CD subversion: TeamCity CVE-2023-42793 backdoor undetected 12+ months; GitLab service-account → malicious Ansible playbooks; Contagious Interview fake-job-offer chain; Sha1-Hulud runner-registration pattern (predates Mini Shai-Hulud); detection priorities for runner registrations, suspicious child processes, secrets injection.

Where this entity is cited

  • research: 1

Source distribution

  • attack.mitre.org: 5 (15%)
  • nvd.nist.gov: 5 (15%)
  • thehackernews.com: 4 (12%)
  • sentinelone.com: 3 (9%)
  • bleepingcomputer.com: 2 (6%)
  • cloud.google.com: 2 (6%)
  • security.com: 2 (6%)
  • securityweek.com: 2 (6%)
  • other: 9 (26%)

Items in briefs about SentinelOne — Living Off the Pipeline CI/CD subversion taxonomy with three case studies (TeamCity / GitLab service-account / Contagious Interview) (10)

Threat-actor developments: Russia-nexus espionage broadens; new China-nexus and DPRK clusters

From CTI Weekly Summary — 2026-W26 (Jun 22 – Jun 28, 2026) · published 2026-06-29

The most significant new actor finding the dailies did not carry is Turla's STOCKSTAY — Google GTIG characterised a multi-component .NET/Windows Forms backdoor that communicates C2 over secure WebSocket and shares significant code overlap with Kazuar (Turla's staple implant since 2017). Delivery used malicious RDP files sent by phishing and, as recently as November 2025, RAR archives exploiting WinRAR's CVE-2025-8088 (a flaw also abused by Sandworm, Gamaredon and RomCom). Current targeting is Ukrainian government and military, but earlier victims had Italian, Dutch, Polish and German foreign-policy interest — a direct read-across for Swiss federal and European governmental entities with Ukraine-adjacent policy work (The Hacker News). This sits alongside the week's other Russia-nexus signal: FBI/CISA escalated their warning that Russian intelligence (tracked as UNC5792) is now phishing Signal Backup Recovery Keys for persistent account takeover, and ESET's Gamaredon retrospective (§ 7) shows the FSB-linked group moving exfil and C2 wholesale onto trusted cloud services.

Two non-Russian clusters round out the picture. Unit 42 documented CL-STA-1062, a Chinese-speaking cluster (overlapping Talos's UAT-7237) deploying the new TinyRCT .NET backdoor via AppDomainManager injection against Southeast-Asian government and state-owned energy targets (Unit 42); Kaspersky GReAT analysed the StrikeShark cluster's SharkLoader deploying Cobalt Strike via "Perfect DLL Hijacking" against government targets (Securelist). And SentinelLABS' macOS.Gaslight, a DPRK-aligned Rust backdoor, notably turns prompt injection on the LLM-assisted analyst rather than the sandbox (SentinelLABS) — an early instance of tradecraft built specifically to poison AI-assisted triage. Attribute the claim to the research outfit, not the state, where the source itself hedges.

macOS.Gaslight — a DPRK-aligned Rust backdoor that targets the LLM-assisted analyst

From CTI Daily Brief — 2026-06-26 · published 2026-06-26

SentinelLABS analysed macOS.Gaslight, a single-binary Rust implant it ties with high confidence to DPRK-aligned activity (Apple's XProtect detects it as MACOS_BONZAI_COBUCH, with a sibling sample caught by the AIRPIPE rule SentinelLABS also attributes to North Korea) (SentinelLABS, 2026-06-23). Its novel evasion is aimed at the analyst's tooling rather than a sandbox: the binary carries a 3.5 KB Markdown-fenced blob of 38 fabricated "system" messages whose {{DATA}} tokens mimic an LLM triage harness's own prompt scaffold, designed to push an LLM agent into aborting, truncating, or refusing its analysis (Infosecurity Magazine, 2026-06-24). Beyond that, it is a full stealer — staging a CPython interpreter at runtime to harvest Chrome/Brave/Firefox/Safari credentials, terminal history, system_profiler output, and a wholesale copy of login.keychain-db. C2 runs over the Telegram Bot-API getUpdates polling loop with AES-GCM payloads over certificate-pinned TLS; persistence is a LaunchAgent labelled com.apple.system.services.activity (T1543.001).

Why it matters to us: as LLM-assisted triage moves into SOC and MDR workflows, embedding adversarial prompt payloads in samples to corrupt that pipeline is a technique class to expect generalising — treat "benign" LLM verdicts on submitted macOS binaries as provisional pending human review, and flag any binary carrying large role/content message arrays for secondary analysis. Detection concepts: LaunchAgent plists masquerading under com.apple.system.services.* with non-Apple signers; processes spawning Python from non-standard parents; outbound TLS to api.telegram.org from non-user-initiated processes on managed Macs.

MuddyWater / Seedworm — Symantec and Carbon Black document new DLL-side-loading pair via signed Fortemedia and SentinelOne binaries, ChromElevator for Chromium App-Bound Encryption bypass, Node.js orchestration

From CTI Daily Brief — 2026-05-28 · published 2026-05-28

Symantec's Threat Hunter Team and Broadcom's Carbon Black published findings on 2026-05-12 documenting a Q1 2026 MuddyWater (a.k.a. Seedworm, Static Kitten, MERCURY, TEMP.Zagros — attributed to Iran's Ministry of Intelligence and Security) espionage campaign across at least nine organisations on four continents. The story re-surfaced this run via fresh aggregator coverage on 2026-05-26 (The Hacker News) — included in window on that basis. Named victim categories include industrial and electronics manufacturing, education and public-sector bodies, financial services, and an international airport in the Middle East (Symantec / Broadcom Threat Intelligence, 2026-05-12; The Hacker News, 2026-05-26; Industrial Cyber, 2026-05-13).

The differentiating TTPs from prior MuddyWater coverage are twofold. First, DLL side-loading via two pairs of legitimately signed third-party binaries: Fortemedia audio-driver binary fmapp.exe side-loading a malicious fmapp.dll; SentinelOne's sentinelmemoryscanner.exe side-loading a rogue sentinelagentcore.dll — abuse of a signed security-product binary specifically chosen to bypass signature-based detection. Both malicious DLLs embed ChromElevator, an open-source post-exploitation tool that bypasses Chromium App-Bound Encryption to extract passwords, cookies and payment-card data without triggering AV. Second, orchestration moved to Node.js: node.exe appears as a parent-process ancestor of cmd.exe before any operator commands — i.e. a Node.js script (not a human operator) drives the kill chain. PowerShell scripts pulled from a staging server perform discovery (T1087, T1482), screenshot capture, SAM-hive theft via VSS (T1003.002), and SOCKS5 reverse-proxy tunnelling (T1090.003). A credential harvester calls CredUIPromptForWindowsCredentialsW to display a Windows security dialogue and trick targets into entering credentials. A Kerberos TGT extractor via GSS-API was also observed.

Why it matters to us: signed-binary side-loading abusing a security-product binary is the highest-value evasion class — signature-based controls are bypassed by design. Detection: Sysmon EID 7 image-loads from fmapp.exe or sentinelmemoryscanner.exe outside their expected installation directories; alert on node.exe as a parent of cmd.exe or powershell.exe -enc in non-developer environments; flag CredUIPromptForWindowsCredentialsW calls from non-standard parents. Hardening: AppLocker / WDAC enforcing signed-and-known-path DLL loads; restrict node.exe execution to development OUs.

CVE-2026-26980 — Ghost CMS Content API: unauthenticated blind SQL injection in the `slug` filter, actively exploited

From CTI Daily Brief — 2026-05-25 · published 2026-05-25

CVE-2026-26980 is an unauthenticated SQL injection (CWE-89) scored CVSS 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L) in Ghost's Content API. The defect sits in the handling of the slug filter parameter, which is interpolated into a raw SQL fragment without parameterisation; a remote attacker with no authentication can perform boolean-based blind extraction of arbitrary database contents — critically the admin API key, which then grants full content-management scope over articles, themes and users (GitHub Security Advisory GHSA-w52v-v783-gw97). Affected versions span Ghost 3.24.0 through 6.19.0 (a roughly three-year release range); the fix shipped in 6.19.1 on 19 February 2026. Ghost(Pro) cloud instances were patched server-side; self-hosted operators must upgrade themselves, which is the exposed long tail the current campaign targets (BleepingComputer, 2026-05-24).

The CVE clears the § 2 bar on exploitation: SentinelOne documented in-the-wild exploitation as early as 27 February, and XLab confirmed the present large-scale wave (700+ compromised domains) on 21 May (XLab Qianxin, 2026-05-21). Mitigation: upgrade to 6.19.1 or later. Interim compensating controls — block Content API requests whose query string contains slug:[ (URL-encoded slug%3A%5B) at the WAF and restrict or disable the public Content API to trusted origins; the vendor mitigation targets exactly that request pattern. Because the admin API key is the exfiltration target, treat it as compromised on any exposed instance and rotate it after patching, then audit posts and themes for injected JavaScript. Full kill chain and detection in § 5.

CVE Summary Table

CVE: CVE-2026-26980
Product: Ghost CMS (Content API)
CVSS: 9.4
EPSS: n/a
KEV: No
Exploited: Yes (ITW, 700+ sites)
Patch: v6.19.1
Source: GHSA-w52v-v783-gw97

Symantec / Carbon Black document Fast16 hook engine targeting LS-DYNA/AUTODYN nuclear-simulation codes; Kim Zetter corrects "pre-Stuxnet" framing to contemporaneous-and-simulation-sabotage

From CTI Daily Brief — 2026-05-19 · published 2026-05-19

Background. Fast16 — a Lua-based sabotage framework — was first disclosed by SentinelOne at LABScon 2026 in April 2026 and originally framed as a Stuxnet predecessor by approximately two years. Earlier reporting also speculated that the malware operated against physical centrifuge equipment. Both framings now appear incorrect on closer expert review.

Broadcom's Symantec and Carbon Black teams published a technical analysis on 2026-05-18 documenting the framework's operating envelope and target selection (Broadcom Security, 2026-05-18; The Hacker News, 2026-05-18). The architecture: a service binary embedding an early Lua 5.0 VM; a boot-start filesystem driver intercepting executable code as it is read from disk; and a rule-driven hook engine rewriting specific instruction sequences inside narrowly targeted simulation applications. The hook engine selectively intercepts execution inside LS-DYNA and AUTODYN — the canonical high-explosive simulation codes used for weapons design — and activates only when the simulated material density exceeds 30 g/cm³, the threshold reachable only under implosion shock-compression conditions relevant to weapons-grade uranium.

Kim Zetter's investigative analysis on 2026-05-16 separately corrected the historical framing of the campaign (Kim Zetter / ZERO DAY, 2026-05-16): Fast16 was contemporaneous with Stuxnet, not a predecessor, and was engineered to feed false output to weapons engineers rather than to physically alter nuclear infrastructure.

Defender relevance is narrow but specific: Broadcom appears to describe the first publicly documented use of a filesystem-driver-level instruction-rewriting hook engine to corrupt scientific-simulation output — a sabotage technique class distinct from data exfiltration, ransomware, or DoS. Operators of national-laboratory research-computing environments, defence-related HPC clusters, and reactor-physics-modelling labs should add filesystem-driver-load monitoring (Sysmon EID 6, Windows boot-start driver enumeration) and integrity checking of long-running simulation binaries to their threat models.

UPDATE: Grafana Labs CoinbaseCartel breach — victim confirms source-code-only theft, no customer data, ransom rejected

From CTI Daily Brief — 2026-05-19 · published 2026-05-19

UPDATE (originally covered 2026-W21): Grafana Labs issued an official 2026-05-18 confirmation of the GitHub Pwn-Request breach previously reported in the 2026-W21 weekly summary (SecurityWeek, 2026-05-18; BleepingComputer, 2026-05-18; The Register, 2026-05-18). The material new disclosures in the 2026-05-18 confirmation: Grafana explicitly states (a) only source code was accessed — "no personal or customer information was stolen"; (b) the incident has not impacted customer systems or operations; (c) the ransom was refused. The technical-mechanism details (pull_request_target workflow misconfiguration, forked-PR injection of a curl command, harvested write-scoped GitHub token, canary-token detection) were previously reported in the 2026-W21 weekly summary citing THN's earlier coverage (The Hacker News, 2026-05-17); they are repeated here as context for defenders who did not catch the weekly. CoinbaseCartel is assessed by THN as an offshoot of the ShinyHunters / Scattered Spider / LAPSUS$ ecosystem and has accumulated ~170 victims since September 2025.

Defender takeaway: Grafana OSS is the de facto monitoring/observability platform in EU/CH public-sector SOC and NOC environments; defenders should monitor non-official Grafana plugin updates and unsigned Grafana agent builds for the next 30 days as a potential supply-chain trojanisation follow-on. The Pwn-Request attack pattern is the same class of CI/CD misconfiguration covered by SentinelOne's Living Off the Pipeline taxonomy (referenced 2026-05-16): audit every pull_request_target workflow to ensure no privileged steps run on untrusted-fork code, set permissions: read-all at workflow level and elevate only as needed, and separate privilege-requiring steps into a second workflow_run workflow gated on merged code. MITRE T1195.002 / T1552.004 / T1567.

SentinelOne — Living Off the Pipeline: CI/CD subversion taxonomy

From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17

SentinelOne's "Living Off the Pipeline" research (covered daily 2026-05-16, [SINGLE-SOURCE]) presents a three-case taxonomy of CI/CD subversion in real intrusions: TeamCity buildAgent-token theft, GitLab service-account pivot, and Contagious Interview (DPRK-aligned) build-time compromise. The weekly-level synthesis worth surfacing: the three-case study generalises to a defender pattern — CI/CD systems concentrate trust (build secrets, artifact-signing keys, deployment credentials) in machine-identity environments with weaker authentication / authorisation telemetry than human-identity environments. Combined with the Sophos NHI finding (41% of identity breaches root-caused to NHI mismanagement, above), CI/CD platforms are the highest-leverage NHI-governance attack surface for Swiss / EU public-sector DevSecOps programmes. Hunt seeds: TeamCity buildAgent re-auth events, GitLab CI job impersonation patterns, GitHub Actions OIDC-token reuse outside expected workflow scope (daily 2026-05-16).

SentinelOne: "Living Off the Pipeline" — CI/CD subversion taxonomy with three real intrusion cases (TeamCity, GitLab service-account pivot, Contagious Interview) [SINGLE-SOURCE]

From CTI Daily Brief — 2026-05-16 · published 2026-05-16

SentinelOne published on 2026-05-15 a practitioner-focused taxonomy of CI/CD pipeline subversion techniques, illustrated with three real intrusion case studies that are immediately useful for SOC and DevSecOps teams running JetBrains TeamCity, GitLab, or GitHub Actions (SentinelOne, 2026-05-15). Case 1: an unpatched TeamCity server (CVE-2023-42793) exploited to deploy backdoors via privileged build tasks, remaining undetected for 12+ months. Case 2: a GitLab service-account token compromise enabling creation of malicious Ansible playbooks that were then automatically executed by pipelines — a clean demonstration of how service-account over-privilege translates directly into production code execution. Case 3: the Contagious Interview campaign using fraudulent job offers directing developer victims to fake skill-assessment sites that deploy malware silently to developer workstations. Additional vectors covered include attacker-registered self-hosted runners, workflow triggers from repository discussion comments, dependency poisoning with reconnaissance preinstall scripts, and maintainer-account compromise appending malicious code; the article cross-links a separate SentinelOne analysis of the "Sha1-Hulud" NPM compromise as a related supply-chain case. MITRE ATT&CK: T1195.002, T1547 (rogue runner registration as persistence), T1555 (pipeline secret extraction), T1204 (user execution via fake job-offer social engineering), T1072 (software-deployment-tool abuse via Ansible). Defender monitoring priorities surfaced in the report: GitHub / GitLab audit logs for runner.registered events with unfamiliar names or unexpected source IP ranges; new or modified pipelines authored by service accounts; suspicious child-process spawn from build agents (cmd.exe, powershell.exe, curl, wget outside baseline); credential-access and reverse-tunnel traffic originating from build infrastructure; and secret-injection patterns in workflow-config modifications. 
Single-source — SentinelOne only.
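An added example (not SentinelOne's code or the brief's own) showing hunt logic for the first, second and last monitoring priorities above, run over constructed newline-delimited JSON audit events. The action and field names (`runner.registered`, `runner_name`, `actor_ip`, `added_lines`), the runner naming convention, the baseline network and the service-account names are assumptions; adapt them to the real GitHub or GitLab audit-log export you ingest.

```python
import ipaddress
import json
import re

# Org-specific baseline: assumed values, not taken from the SentinelOne report.
EXPECTED_RUNNER_NAME = re.compile(r"^build-(linux|win|mac)-\d{2}$")
EXPECTED_RUNNER_NETS = [ipaddress.ip_network("10.20.30.0/24")]
SERVICE_ACCOUNTS = {"svc-deploy", "svc-ci"}
PIPELINE_PATHS = (".github/workflows/", ".gitlab-ci.yml")
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.", re.IGNORECASE)

# Constructed sample audit log (one JSON object per line); field names are assumed.
SAMPLE_AUDIT_LOG = """\
{"action":"runner.registered","actor":"ci-admin","runner_name":"build-linux-01","actor_ip":"10.20.30.5","created_at":"2026-05-14T08:01:00Z"}
{"action":"runner.registered","actor":"jdoe","runner_name":"ubuntu-latest-free","actor_ip":"203.0.113.77","created_at":"2026-05-14T23:41:00Z"}
{"action":"workflows.completed_workflow_run","actor":"svc-deploy","actor_ip":"10.20.30.9","created_at":"2026-05-15T01:00:00Z"}
{"action":"repo.update_file","actor":"svc-deploy","path":".github/workflows/deploy.yml","actor_ip":"10.20.30.9","created_at":"2026-05-15T02:13:00Z","added_lines":["env:","  TOKEN: ${{ secrets.PROD_DEPLOY_TOKEN }}"]}
"""


def ip_in_baseline(ip: str) -> bool:
    """True when the registering IP falls inside an expected runner network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in EXPECTED_RUNNER_NETS)


def check_event(event: dict) -> list:
    """Return (severity, reason) findings for one audit-log event."""
    findings = []
    action = event.get("action", "")
    if action == "runner.registered":
        # Priority 1: runner registrations with unfamiliar names or source IPs.
        name = event.get("runner_name", "")
        if not EXPECTED_RUNNER_NAME.match(name):
            findings.append(("high", f"runner '{name}' outside naming convention"))
        ip = event.get("actor_ip", "0.0.0.0")
        if not ip_in_baseline(ip):
            findings.append(("high", f"runner registered from non-baseline IP {ip}"))
    elif action in ("repo.update_file", "repo.create_file") and event.get(
        "path", ""
    ).startswith(PIPELINE_PATHS):
        # Priority 2: pipeline definitions authored or changed by service accounts.
        if event.get("actor") in SERVICE_ACCOUNTS:
            findings.append(("medium", f"pipeline file {event['path']} modified by service account {event['actor']}"))
        # Last priority: secret references injected into workflow configuration.
        if any(SECRET_REF.search(line) for line in event.get("added_lines", [])):
            findings.append(("high", f"new secret reference injected into {event['path']}"))
    return findings


def hunt(log_text: str) -> dict:
    """Parse NDJSON audit events; return findings keyed by the event's line index."""
    results = {}
    for idx, line in enumerate(log_text.splitlines()):
        if not line.strip():
            continue
        findings = check_event(json.loads(line))
        if findings:
            results[idx] = findings
    return results


if __name__ == "__main__":
    for idx, findings in hunt(SAMPLE_AUDIT_LOG).items():
        for severity, reason in findings:
            print(f"event {idx}: [{severity}] {reason}")
```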

TeamPCP → PCPJack — cloud-worm successor evicting prior operator artefacts

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

Current state: SentinelLabs documented PCPJack on 2026-05-07 as a worm-class framework that evicts and deletes existing TeamPCP artefacts on compromise (giving the framework its name), then deploys six Python modules harvesting credentials from Docker, Kubernetes, Redis, MongoDB, RayML, and dozens of cloud / SaaS services (AWS, Azure, GCP, GitHub, Slack, HashiCorp Vault, 1Password). Propagation targets are pulled from Common Crawl Parquet files rather than ad-hoc scanning — far broader curated attack surface than typical opportunistic worms. Weaponises five public CVEs simultaneously (CVE-2025-29927 Next.js, CVE-2025-55182 React2Shell, CVE-2026-1357 WPVivid, CVE-2025-9501 W3 Total Cache, CVE-2025-48703 CWP). The TeamPCP → PCPJack succession overlay is the operational specific worth tracking: SentinelLabs explicitly states there is no evidence yet of a direct operator-level connection, while the eviction logic implies operators familiar with TeamPCP's target population. Defenders running self-hosted Next.js, React-server-actions stacks, WordPress with WPVivid Backup or W3 Total Cache, or CentOS Web Panel with internet-reachable FileManager should treat all five CVEs as actively weaponised (SentinelLabs, 2026-05-07 · The Hacker News, 2026-05-07 · SecurityWeek, 2026-05-08 · daily 2026-05-10). The earlier TeamPCP "Mini Shai-Hulud" SAP CAP npm worm (covered 2026-05-06) used Claude Code SessionStart hooks and VSCode tasks for propagation — that thread is separate from PCPJack's CVE-chain propagation but the same operator population is tracked.

PCPJack — modular cloud-credential-theft worm displaces TeamPCP using five public CVEs and a multi-cloud key-harvesting pipeline

From CTI Daily Brief — 2026-05-10 · published 2026-05-10

SentinelLabs documented PCPJack on 2026-05-07, a worm-class framework that propagates across exposed cloud and web infrastructure by chaining five public CVEs simultaneously: CVE-2025-29927 (Next.js middleware authorisation bypass via crafted header), CVE-2025-55182 ("React2Shell" — Server Actions deserialisation in React/Next.js), CVE-2026-1357 (unauthenticated file upload in WPVivid Backup), CVE-2025-9501 (PHP injection in W3 Total Cache via the mfunc comment processor) and CVE-2025-48703 (shell injection in the CentOS Web Panel FileManager) (SentinelLabs, 2026-05-07 · The Hacker News, 2026-05-07 · SecurityWeek, 2026-05-08). The bootstrap shell script first evicts and deletes existing TeamPCP artefacts from the host (giving the framework its name), then deploys six Python modules covering credential extraction from Docker, Kubernetes, Redis, MongoDB, RayML, and dozens of cloud / SaaS services (AWS, Azure, GCP, GitHub, Slack, HashiCorp Vault, 1Password). Second-stage tooling drops Sliver C2 beacons.

Exfiltration uses Telegram channels with ChaCha20-Poly1305 encryption; propagation target lists are pulled from Common Crawl Parquet files rather than scanned ad hoc, which gives the campaign a far broader and more curated attack surface than typical opportunistic scanning. Unlike TeamPCP and TeamTNT, which monetise via cryptominers, PCPJack drops no miner — SentinelLabs assesses monetisation as credential fraud, spam, access resale, or extortion (SentinelLabs, 2026-05-07). SentinelLabs notes TTP overlap with TeamPCP and frames PCPJack as a possible former affiliate or breakaway operation. Defenders running self-hosted Next.js, React-server-actions stacks, WordPress with WPVivid Backup or W3 Total Cache, or CentOS Web Panel with internet-reachable FileManager should treat all five CVEs as actively weaponised.