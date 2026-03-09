Malware Activity

Fake Repositories and Social Engineering Attacks

Recent cybersecurity incidents highlight the growing sophistication of cybercriminals targeting developers and organizations. One attack involved creating fake coding projects on trusted platforms like GitHub, designed to trick developers into running malicious scripts that give hackers remote control over their machines, risking data theft and network breaches. Meanwhile, a Russian-linked group known as UAC-0050 or Mercenary Akula has targeted European financial institutions with convincing fake emails impersonating Ukrainian courts, leading to malware infections that grant remote access. These tactics, blending social engineering and stealthy malware delivery, show the increasing use of deception to infiltrate sensitive systems. Experts advise organizations and developers to be vigilant, adopt strong security practices, and monitor suspicious activity to defend against these complex threats that threaten both individual users and critical institutions. CTIX analysts will continue to report on the latest malware strains and attack methodologies.

BleepingComputer: Fake Next.js Job Interview Tests Backdoor Developer's Devices article

TheHackerNews: Microsoft Warns Developers of Fake Next.js Job Repos Delivering In-Memory Malware article

TheHackerNews: UAC-0050 Targets European Financial Institution With Spoofed Domain and RMS Malware article

Threat Actor Activity

New Phishing Operation Targeting Freight, Cargo, and Logistics Industries in US, Europe

The Diesel Vortex group, a financially motivated threat actor, has been targeting freight and logistics operators in the U.S. and Europe using phishing attacks across fifty-two (52) domains since September 2025. This campaign resulted in the theft of 1,649 unique credentials from key industry platforms such as DAT Truckstop and Penske Logistics. The group's phishing infrastructure was designed to mimic logistics platforms, capturing sensitive data like credentials, PINs, and two-factor authentication codes. They employed techniques like voice phishing (vishing) and Telegram channel infiltration, using Cyrillic homoglyphs to evade security filters. Researchers from Have I Been Squatted uncovered the operation through an exposed repository containing a phishing project database and Telegram logs. Analysis revealed that Diesel Vortex, likely Armenian speaking with Russian ties, operated a sophisticated criminal enterprise complete with a call center and mail support. The operation involved freight impersonation, mailbox compromise, and double-brokering, where stolen carrier identities were used to divert cargo. The infrastructure supporting Diesel Vortex was dismantled following a coordinated effort by GitLab, Cloudflare, Google Threat Intelligence Group, and others. The operation's ties to Russian companies were established through domain registration data and corporate filings. The campaign highlights the growing threat of cargo theft increasing in the digital logistics sector, with estimated annual losses around $35 billion. The U.S. is responding with legislative measures like the "Combatting Organized Retail Crime Act of 2025" to address cargo theft and related crimes.

Bleeping Computer: Diesel Vortex Article

The Record: Diesel Vortex Article

Vulnerabilities

Configuration-Based Flaws in Anthropic Claude Code Enable RCE and API Key Exfiltration

Researchers from Check Point have disclosed multiple vulnerabilities in Anthropic's Claude Code AI coding assistant that could allow remote code execution (RCE) and theft of sensitive API credentials when developers open untrusted repositories. The issues stem from configuration abuse involving Hooks, Model Context Protocol (MCP) servers, and environment variables, enabling attackers to execute arbitrary shell commands and exfiltrate Anthropic API keys without meaningful user interaction. The flaws include a consent-bypass code injection vulnerability tied to project hooks (fixed in v1.0.87),

CVE-2025-59536

allowing automatic command execution during tool initialization in untrusted directories (fixed in v1.0.111), and

CVE-2026-21852

, which exposes API keys through manipulated project-load behavior (fixed in v2.0.65). Exploitation could occur simply by opening a malicious repository that redirects API traffic to attacker-controlled infrastructure, enabling credential capture, unauthorized data access, cloud data manipulation, and unexpected API usage costs. Researchers emphasized that AI development environments expand the traditional supply-chain threat model, as configuration files and automation layers now directly influence execution behavior, making the act of opening untrusted projects itself a significant security risk.

The Hacker News: Claude Code Vulnerabilities Article

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.