GitHub Repository Abuse Enables Malware Delivery Through Trusted Installer Paths
GMO researchers have identified a malware campaign that exploits GitHub's repository-forking mechanism to distribute trojanized installers under the guise of official projects. Attackers fork the legitimate GitHub Desktop repository, alter the download links in its documentation to point to malicious installers, and publish commits that appear under the original project's namespace even without direct access to it. Because of how GitHub handles forks, the malicious content appears authoritative and remains accessible even after the attacker deletes their account or the fork itself. The campaign has been active since at least mid-2025 and has also impersonated other widely used applications, increasing the likelihood that developers encounter it. To expand their reach, the threat actors paired this approach with paid search ads that directed users to the manipulated repository pages. The result is a convincing delivery channel that blends into normal developer workflows and trusted platforms.

The malicious installer is a multi-stage loader that uses advanced evasion techniques to complicate detection and analysis, including abuse of graphics processing interfaces and deliberate execution flaws that frustrate automated inspection. Once running, it pulls additional components, injects malicious code into legitimate files, and establishes persistence through scheduled tasks and security exclusions, enabling long-term access. The tooling deployed has been tied to known malware loaders capable of delivering credential theft and follow-on payloads, raising broader supply-chain concerns.

This activity highlights how developer-focused attacks increasingly rely on trust in well-known platforms rather than on exploiting software bugs directly. Organizations should require that software downloads come only from verified release channels, block or scrutinize sponsored search links for developer tools, and monitor endpoints for unexpected installer executions tied to developer utilities.
Security teams should also reinforce guidance for developers to validate repository sources and treat documentation-linked downloads with the same caution applied to third-party binaries.
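One concrete form of "treat documentation-linked downloads with the same caution as third-party binaries" is a check that every installer link in a project's README resolves to a release asset of the canonical repository and nothing else. The script below is an added example, not part of the GMO report or of any GitHub tooling. It assumes a project whose only legitimate installers are published as GitHub release assets of one repository (the owner and repository names `example-org/example-app`, the sample README, and the installer extension list are all constructed placeholders). Links to other hosts, to look-alike owners, or to raw file paths under the upstream namespace (the form a fork's commits take when surfaced under the parent repository's URL) are all reported.

```python
"""Flag README download links that leave the project's verified release channel.

Added example (not from the GMO write-up). Assumes the only legitimate
installers are release assets of one canonical GitHub repository.
"""
import re
from urllib.parse import urlparse

# Constructed canonical repository for the example; substitute the real one.
CANONICAL_OWNER = "example-org"
CANONICAL_REPO = "example-app"

# File types a reader would treat as an installer (assumed list, tune as needed).
INSTALLER_EXT = (".exe", ".msi", ".dmg", ".pkg", ".zip", ".appimage", ".deb")

# Markdown inline links: [text](http...)
MD_LINK = re.compile(r"\[([^\]]*)\]\((https?://[^)\s]+)\)")

# Constructed sample README with one good link and three that should be flagged.
SAMPLE_README = """
# Example App
Download the latest build:
- [Windows installer](https://github.com/example-org/example-app/releases/download/v1.2.0/ExampleAppSetup.exe)
- [macOS build](https://github.com/exampIe-org/example-app/releases/download/v1.2.0/ExampleApp.dmg)
- [Mirror](https://downloads.example-cdn.test/ExampleAppSetup.msi)
- [Linux build](https://github.com/example-org/example-app/raw/0123abcd/dist/example-app.deb)
- [Source](https://github.com/example-org/example-app)
"""


def classify_link(url: str) -> str:
    """Return 'ok' for a canonical release asset, otherwise the reason it fails."""
    parts = urlparse(url)
    host = parts.netloc.lower()
    if host != "github.com":
        return f"installer hosted off-platform at {host}"
    segs = [s for s in parts.path.split("/") if s]
    # Only accept the shape /<owner>/<repo>/releases/download/<tag>/<asset>;
    # blob/raw paths under the upstream name can point at a fork's commit.
    if len(segs) < 5 or segs[2:4] != ["releases", "download"]:
        return "not a GitHub release asset path"
    owner, repo = segs[0].lower(), segs[1].lower()
    if (owner, repo) != (CANONICAL_OWNER, CANONICAL_REPO):
        return f"release asset from {owner}/{repo}, not the canonical repository"
    return "ok"


def audit_readme(markdown: str) -> list:
    """Return one finding per installer link that is not a canonical release asset."""
    findings = []
    for text, url in MD_LINK.findall(markdown):
        if not url.lower().endswith(INSTALLER_EXT):
            continue  # not an installer; source links etc. are out of scope
        verdict = classify_link(url)
        if verdict != "ok":
            findings.append({"text": text, "url": url, "reason": verdict})
    return findings


if __name__ == "__main__":
    for f in audit_readme(SAMPLE_README):
        print(f"{f['text']!r}: {f['reason']} ({f['url']})")
```

Run against the sample, the Windows link passes while the look-alike owner (`exampIe-org` with a capital I), the off-platform mirror, and the raw path are each reported with a reason. In a CI job the same check can run over every Markdown file in the repository so that a documentation change that redirects an installer link fails review before it is merged.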
Operation Bizarre Bazaar Signals the Rise of Commercial LLM Infrastructure Abuse
Pillar Security researchers have identified an active and organized campaign targeting exposed large language model infrastructure, marking one of the first documented cases of large-scale “LLMjacking” tied to a commercial criminal operation. Over a 40-day period, more than 35,000 attack sessions were observed against misconfigured or unauthenticated AI endpoints, indicating systematic, sustained targeting rather than opportunistic abuse. The operation, named Bizarre Bazaar, focuses on stealing access to AI services in order to monetize compute resources, resell API access, and harvest sensitive data from prompts and conversation history. Attackers primarily target self-hosted or poorly secured AI deployments, including development and staging environments that are publicly reachable. Once public scanning tools detect an exposed endpoint, exploitation attempts typically begin within hours, which shows how quickly AI infrastructure becomes a target when basic access controls are missing.

What makes this campaign especially concerning is its mature, supply-chain-style model built around reconnaissance, validation, and resale. One group scans the internet for exposed AI and Model Context Protocol (MCP) endpoints, another verifies access and capabilities, and a third operates a marketplace that resells the unauthorized access under the guise of a unified AI platform. Beyond cost abuse, compromised AI endpoints can expose proprietary data and serve as pivot points into internal systems, especially when MCP servers connect models to file systems, databases, cloud services, or container platforms. Researchers also observed a parallel campaign focused specifically on MCP reconnaissance, aimed at enabling deeper lateral movement rather than immediate monetization. The activity remains ongoing, with attacker infrastructure still operational, underscoring that this is an active threat category rather than a theoretical risk.
Organizations should immediately enforce authentication on all AI endpoints, ensure MCP services are never internet-facing, regularly inventory and scan their external AI attack surface, apply rate limiting and monitoring to detect abnormal usage patterns, and treat AI infrastructure with the same security rigor applied to traditional applications and cloud services.
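The monitoring half of that advice can be expressed as a few rules over the access log of the gateway or reverse proxy that fronts a self-hosted model. The script below is an added example, not from the Pillar Security report. The JSON-per-line log format, the field names (`ts`, `src`, `path`, `status`, `auth`), the burst threshold, and the internal address ranges are all constructed assumptions; the sample log lines are constructed as well. It flags three of the conditions the write-up describes: successful requests that carried no credential, any MCP request reaching the gateway from an address outside the internal ranges, and request bursts from a single source that look like automated abuse rather than normal use.

```python
"""Triage gateway access logs in front of self-hosted LLM and MCP endpoints.

Added example (not Pillar Security's tooling). Log schema, thresholds and the
internal address ranges are assumptions to adapt to your own deployment.
"""
import ipaddress
import json
from collections import defaultdict, deque

BURST_THRESHOLD = 5   # requests from one source within BURST_WINDOW_S (assumed)
BURST_WINDOW_S = 60

# Address space considered "internal" for MCP exposure checks (assumed: RFC 1918
# plus loopback; add your VPN or office ranges as appropriate).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample log: one JSON object per line, epoch-second timestamps.
SAMPLE_LOG = """\
{"ts": 1000, "src": "203.0.113.10", "path": "/v1/models", "status": 200, "auth": false}
{"ts": 1002, "src": "203.0.113.10", "path": "/v1/chat/completions", "status": 200, "auth": false}
{"ts": 1003, "src": "203.0.113.10", "path": "/v1/chat/completions", "status": 200, "auth": false}
{"ts": 1004, "src": "203.0.113.10", "path": "/v1/chat/completions", "status": 200, "auth": false}
{"ts": 1005, "src": "203.0.113.10", "path": "/v1/chat/completions", "status": 200, "auth": false}
{"ts": 1200, "src": "198.51.100.7", "path": "/mcp/tools/list", "status": 200, "auth": true}
{"ts": 1300, "src": "10.0.0.5", "path": "/mcp/tools/list", "status": 200, "auth": true}
{"ts": 1400, "src": "192.0.2.9", "path": "/v1/chat/completions", "status": 401, "auth": false}
{"ts": 1500, "src": "10.0.0.8", "path": "/v1/chat/completions", "status": 200, "auth": true}
"""


def is_internal(ip: str) -> bool:
    """True when the source address falls inside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def triage(log_text: str) -> list:
    """Return findings for unauthenticated success, public MCP reach, and bursts."""
    findings = []
    windows = defaultdict(deque)   # src -> timestamps inside the sliding window
    burst_flagged = set()          # report each bursting source once
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        src, path, ts = ev["src"], ev["path"], ev["ts"]

        # Rule 1: the endpoint answered a request that carried no credential.
        if ev["status"] == 200 and not ev["auth"]:
            findings.append({"kind": "unauthenticated_success", "src": src, "path": path})

        # Rule 2: MCP should never be reachable from outside; any such hit is a finding.
        if path.startswith("/mcp") and not is_internal(src):
            findings.append({"kind": "mcp_reached_from_public_address", "src": src, "path": path})

        # Rule 3: sliding-window request rate per source.
        w = windows[src]
        w.append(ts)
        while ts - w[0] > BURST_WINDOW_S:
            w.popleft()
        if len(w) >= BURST_THRESHOLD and src not in burst_flagged:
            burst_flagged.add(src)
            findings.append({"kind": "request_burst", "src": src, "count": len(w)})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```

On the sample, the five unauthenticated completions from `203.0.113.10` produce both per-request findings and a single burst finding, the MCP call from `198.51.100.7` is flagged while the same call from `10.0.0.5` is not, and the rejected 401 request is left alone. Rule 1 is the one that should never fire after authentication has been enforced; if it does, the gateway configuration has drifted.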
Mustang Panda Expands CoolClient Backdoor With Credential Theft Capabilities
Kaspersky researchers reported that the Chinese espionage group known as Mustang Panda has released an updated version of its CoolClient backdoor, significantly expanding its surveillance and data theft capabilities. CoolClient has been used by the group for several years as a secondary implant alongside other tools, but the latest variant shows a clear shift toward broader credential harvesting and deeper system control. Recent activity has targeted government entities across Southeast Asia, South Asia, and parts of Eastern Europe, with infections delivered through legitimate software from a trusted Chinese IT vendor, increasing the likelihood of successful compromise. The malware continues to rely on multi-stage execution using encrypted data files and establishes persistence through registry changes, services, and scheduled tasks. It performs extensive system profiling to understand the environment before activating specific modules. Researchers also observed deployment of a previously undocumented rootkit in some cases, signaling continued investment in stealth and long-term access.

The most notable enhancement in the new CoolClient variant is its focus on credential and activity monitoring. The malware now includes modules that steal saved login data from Chromium-based browsers, monitor clipboard contents, track active window titles, and sniff credentials passing through HTTP proxy traffic. Operators have also expanded the plugin ecosystem to include a remote command shell, advanced file management, and full control over Windows services, allowing them to modify how systems start and operate. Data exfiltration has shifted toward legitimate public file-sharing services with embedded access tokens, helping attackers blend malicious traffic into normal cloud usage. These changes indicate a move toward more comprehensive espionage operations that prioritize credential access and persistent control over simple reconnaissance.
Organizations should monitor for suspicious use of trusted software in unexpected contexts, watch for abnormal service creation and browser credential access, restrict outbound access to public file-sharing platforms where feasible, and ensure endpoint telemetry is reviewed for clipboard access, proxy credential harvesting, and unauthorized plugin execution consistent with advanced state-sponsored activity.
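Three of the behaviours listed above (abnormal service creation, scheduled-task persistence, and non-browser access to the Chromium credential store) map directly onto events that Windows and Sysmon already emit, so they can be reviewed with a small set of rules over normalised telemetry. The script below is an added example, not Kaspersky's detection logic. It assumes your SIEM has already flattened service-install, scheduled-task-creation and file-access records into dicts with an `event` type and the handful of fields each rule needs; the sample events, the "user-writable" directory pattern, the browser allow-list and the service and task names are all constructed and must be tuned to the environment.

```python
"""Triage normalised Windows telemetry for the persistence and credential-access
behaviours described in the CoolClient write-up.

Added example (not Kaspersky's tooling). Event schema, directory pattern,
browser list and sample records are assumptions.
"""
import re

# Locations a legitimate service binary or task action rarely lives in (assumed).
USER_WRITABLE = re.compile(
    r"^(c:\\users\\[^\\]+\\appdata\\|c:\\programdata\\|c:\\windows\\temp\\)", re.I)

# Processes allowed to open Chromium's saved-credential database (assumed list).
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe"}

# Chromium profile credential store: ...\User Data\<profile>\Login Data
LOGIN_DATA = re.compile(r"\\user data\\[^\\]+\\login data$", re.I)

# Constructed sample events in the assumed flat schema.
SAMPLE_EVENTS = [
    {"event": "service_install", "host": "ws01", "name": "UpdSvc",
     "image": r"C:\ProgramData\upd\svc.exe"},
    {"event": "service_install", "host": "ws01", "name": "Spooler",
     "image": r"C:\Windows\System32\spoolsv.exe"},
    {"event": "task_create", "host": "ws01", "name": "SyncTask",
     "action": r"C:\Users\alice\AppData\Roaming\sync\run.exe"},
    {"event": "task_create", "host": "ws01", "name": "Vendor Update",
     "action": r"C:\Program Files\Vendor\updater.exe"},
    {"event": "file_access", "host": "ws01", "process": "chrome.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"event": "file_access", "host": "ws01", "process": "svc.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
]


def in_user_writable(path: str) -> bool:
    """True when the executable path starts in a user-writable location."""
    return bool(USER_WRITABLE.match(path.strip('"')))


def check(ev: dict):
    """Apply the rule for this event type; return a finding dict or None."""
    kind = ev["event"]
    if kind == "service_install" and in_user_writable(ev["image"]):
        return {"rule": "service_from_user_writable_path", "host": ev["host"],
                "detail": f"{ev['name']} -> {ev['image']}"}
    if kind == "task_create" and in_user_writable(ev["action"]):
        return {"rule": "task_from_user_writable_path", "host": ev["host"],
                "detail": f"{ev['name']} -> {ev['action']}"}
    if (kind == "file_access" and LOGIN_DATA.search(ev["path"])
            and ev["process"].lower() not in BROWSERS):
        return {"rule": "credential_store_access", "host": ev["host"],
                "detail": f"{ev['process']} opened {ev['path']}"}
    return None


def triage(events: list) -> list:
    """Return all findings, in event order."""
    return [f for f in map(check, events) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['rule']}] {f['host']}: {f['detail']}")
```

On the sample the Spooler service, the vendor updater task and Chrome's own read of `Login Data` are left alone, while the service installed from `ProgramData`, the task pointing into `AppData`, and `svc.exe` opening the credential store each produce a finding. The credential-store rule requires a file-access source (a SACL on the profile directory, or an EDR that records file opens), which is worth confirming before relying on it; the other two rules need only the standard service-install and task-creation events.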