
Cyber Trust Erodes as AI, Tools Enable New Attacks


"The internet did not break this week. It got used exactly as designed, which is worse," the ThreatsDay Bulletin observed — and the evidence in the reporting that follows reads like a catalog of trust abused at scale.

Claude.ai shared chats weaponized to deliver MacSync

Trend Micro reported that threat actors hijacked Google Ads for AI developer tools to funnel more than 2,000 victims to malicious download pages and then "quietly mov[ed] their operation onto claude.ai's own platform," turning a trusted domain into a malware delivery mechanism. The campaign concentrated in the Asia‑Pacific region, which accounted for 67.2% of confirmed victims, and Taiwan alone represented 30.5% of total traffic — a pattern Trend Micro called indicative of deliberate geographic ad targeting. Investigators found as many as 106 unique malicious hostnames over seven weeks and six attack waves. Anthropic has banned the accounts, disabled the malicious shared conversations, and said it is "implementing additional abuse mitigations" for the shared chat feature.

23 Chrome extensions reroute searches for ~758,000 users

Security researcher Jean‑Marie R. uncovered a cluster of 23 deceptive Chrome extensions that quietly override users' default search engines and route queries through monetization brokers. The campaign spans "at least 8 distinct monetization brokers and ~758,000 affected users," the researcher said, noting each extension advertised a legitimate utility — satellite imagery, news readers, maps — while the operators’ "actual business is search affiliate revenue." Jean‑Marie R. warned this is more than adware: it is "a massive privacy violation" that lets operators swap in phishing links or malicious downloads without updating the extension code.

Rust-based NastyC2 in npm and a memory-only worm/miner in crypto-javascript

Panther disclosed three npm packages — node-ci-utils@2.1.4, win-env-setup@3.0.6, and macos-ci-utils@1.0.0 — that act as droppers for a previously undocumented Rust post‑exploitation framework codenamed NastyC2. Panther described NastyC2 as "written entirely in Rust" and implementing "over 80 commands spanning credential harvesting, Active Directory attacks, container escape, cloud metadata theft, and fileless execution," with capabilities comparable to Cobalt Strike or Sliver.

In a related supply‑chain incident, Panther also flagged crypto-javascript@4.2.5 for installing three payloads: a supply‑chain worm that spreads across six build ecosystems (Rust, Cargo, Python, CMake, and npm), a Monero miner, and an exploit for the Linux Dirty Frag local‑privilege‑escalation vulnerability. Panther noted all three run from memory, leaving no named file on disk, and that the embedded kernel exploit carries a GCC build timestamp of "2026-04-30 1," seven days before public disclosure of Dirty Frag — a detail that raised the possibility the actor had early access to working exploit code.
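A quick way to check a project for the four package versions named in the two paragraphs above is to match them against its npm lockfile. The following is an added example, not Panther's code or part of the original bulletin; the sample lockfiles and the `findFlagged` helper are constructed for illustration.

```javascript
// Added example (not Panther's code): match a lockfile against the reported versions.
const FLAGGED = new Map([
  ["node-ci-utils", "2.1.4"],
  ["win-env-setup", "3.0.6"],
  ["macos-ci-utils", "1.0.0"],
  ["crypto-javascript", "4.2.5"],
]);
const NM = "node_modules/";

function findFlagged(lock) {
  const hits = [];
  const check = (name, version, where) => {
    if (FLAGGED.get(name) === version) hits.push({ name, version, where });
  };
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path; "" is the root project.
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "") continue;
      const i = path.lastIndexOf(NM);
      // meta.name is set for aliased installs; otherwise derive it from the path.
      const name = meta.name || (i < 0 ? path : path.slice(i + NM.length));
      check(name, meta.version, path);
    }
  } else {
    // lockfileVersion 1: nested "dependencies" tree.
    const walk = (deps, trail) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        check(name, meta.version, [...trail, name].join(" > "));
        walk(meta.dependencies, [...trail, name]);
      }
    };
    walk(lock.dependencies, []);
  }
  return hits;
}

// Constructed sample lockfiles (hypothetical projects, not real ones).
const sampleV3 = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/crypto-javascript": { version: "4.2.4" }, // different version: no hit
  "node_modules/build-helper/node_modules/node-ci-utils": { version: "2.1.4" },
  "node_modules/setup": { name: "win-env-setup", version: "3.0.6" }, // aliased install
} };
const sampleV1 = { lockfileVersion: 1, dependencies: {
  "build-helper": { version: "0.9.0", dependencies: {
    "crypto-javascript": { version: "4.2.5" } } },
} };
console.log(findFlagged(sampleV3), findFlagged(sampleV1));
```

To scan a real project, pass the parsed contents of its `package-lock.json` to `findFlagged`; transitive and aliased installs are reported with the path where they sit in the tree.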

Fileless macOS "ClickFix" chain and Microsoft 365 device‑code phishing

Netskope Threat Labs traced a Russian‑speaking actor using ClickFix lures to deliver an AppleScript‑based infostealer to macOS victims across Asia, North America, and Oceania in the technology, media, and business‑services sectors. To evade detection, Netskope said the "entire infection chain, starting from the initial clipboard paste to payload execution, is completely fileless, leaving no static artifacts on disk until persistence is established." Victims are socially engineered to run a curl command that fetches a gzip‑compressed stager and pipes the second‑stage AppleScript into osascript, so it runs from memory. The payload, codenamed "Meow (DEBUG)," presents a fake system dialog to harvest credentials, browser data, session cookies, and keychain contents, and can trojanize legitimate desktop cryptocurrency wallets while maintaining persistent C2 access.

Separately, ReversingLabs detailed a Microsoft 365 device‑code phishing campaign that abuses the OAuth 2.0 Device Authorization Grant flow. Researcher Robert Simmons explained the kit "persuades victims to complete a legitimate Microsoft authentication process that authorizes an attacker‑controlled device" — not by stealing passwords on a counterfeit page but by convincing targets to approve access through Microsoft's own flow. The initial emails mimic approval notices for vendor estimates.
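Because the victim completes a genuine Microsoft sign-in, the place to look is the sign-in log, not the mail gateway. The following is an added example, not ReversingLabs' code: it builds a review queue of successful device-code sign-ins, assuming events exported with Microsoft Graph `signIn` field names (`authenticationProtocol`, `status.errorCode`, and so on). The sample events and the `flagDeviceCodeSignIns` helper are constructed.

```javascript
// Added example: review queue for successful device-code sign-ins.
// Assumption: events carry Microsoft Graph signIn field names.
function flagDeviceCodeSignIns(events) {
  const byTime = [...events].sort(
    (a, b) => Date.parse(a.createdDateTime) - Date.parse(b.createdDateTime));
  const history = new Map(); // user -> { usedDeviceCode, ips }
  const alerts = [];
  for (const e of byTime) {
    if (!e.status || e.status.errorCode !== 0) continue; // completed sign-ins only
    const user = e.userPrincipalName.toLowerCase();
    const h = history.get(user) || { usedDeviceCode: false, ips: new Set() };
    if (e.authenticationProtocol === "deviceCode") {
      const reasons = [];
      if (!h.usedDeviceCode) reasons.push("first device-code sign-in for this user");
      if (h.ips.size > 0 && !h.ips.has(e.ipAddress))
        reasons.push("IP address not seen in the user's earlier sign-ins");
      if (reasons.length > 0)
        alerts.push({ user, time: e.createdDateTime, ip: e.ipAddress,
                      app: e.appDisplayName, reasons });
      h.usedDeviceCode = true;
    }
    h.ips.add(e.ipAddress);
    history.set(user, h);
  }
  return alerts;
}

// Constructed sample events (example.com users, documentation IP ranges).
const ev = (user, time, proto, ip, app) => ({
  userPrincipalName: user, createdDateTime: time, authenticationProtocol: proto,
  ipAddress: ip, appDisplayName: app, status: { errorCode: 0 } });
const sampleEvents = [
  ev("alice@example.com", "2026-05-01T08:00:00Z", "oAuth2", "192.0.2.10", "Example Mail"),
  ev("alice@example.com", "2026-05-02T09:15:00Z", "deviceCode", "203.0.113.77", "Example App"),
  ev("kiosk@example.com", "2026-05-01T07:00:00Z", "deviceCode", "198.51.100.5", "Example Kiosk"),
  ev("kiosk@example.com", "2026-05-03T07:00:00Z", "deviceCode", "198.51.100.5", "Example Kiosk"),
];
console.log(JSON.stringify(flagDeviceCodeSignIns(sampleEvents), null, 2));
```

An account that legitimately uses the device-code flow is flagged once and then stays quiet while its IP address is unchanged; a user who has never used the flow and suddenly completes one from an unfamiliar address gets both reasons.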

What this means for technologists, procurement leaders, and end users

  • Technologists and security teams: Watch non‑file artifacts and trusted channels. Netskope and Panther both highlight memory‑resident and fileless techniques; detection and response should validate telemetry across process memory and cloud logs, not just disk signatures.
  • Procurement and platform owners: Treat "trusted" services and packages as execution risk. The npm incidents and the Cline findings (Manifold Security flagged Cline's Approve/Deny dialog and "Safe Commands" logic as failing to block attacker‑supplied shell commands) stress the need to vet third‑party components and to require fix plans and mitigations from maintainers before deployment.
  • End users and administrators: Be skeptical of links and dialogs — even from familiar domains. Trend Micro and ReversingLabs show attackers are shifting from fake pages to abuse of legitimate platforms and flows; contextual details like unusual geographic traffic, unexpected shared chats, or device‑approval prompts warrant verification.

The week's pattern is stark: attackers are not always forcing entry. They are exploiting the doors we’ve left open — shared chats, extensions, OAuth flows, package ecosystems, and cloud telemetry gaps. As the bulletin bluntly put it, "legitimate" is not the same as safe.

Read the original ThreatsDay Bulletin