"It's been one of those weeks," the ThreatsDay Bulletin began — and the tally that follows makes the understatement feel deliberate.
Flashpoint: 3.3 billion identity records now on illicit markets
New analysis from Flashpoint found that "more than 11.1 million devices were infected with infostealers last year, fueling a supply of over 3.3 billion stolen credentials, session cookies, cloud tokens, and other forms of identity data now circulating across illicit markets." Flashpoint identified over 30 infostealer strains being sold across underground marketplaces, with Lumma, Acreed, Rhadamanthys, Vidar, and StealC named as the most prolific in 2025. The work highlights both scale and accessibility: India, Brazil, Indonesia, Vietnam, the Philippines, and the U.S. were the six most affected countries during that period.
Miasma: supply-chain attack toolkit briefly public on GitHub
Since June 8, 2026, multiple repositories titled "Miasma-Open-Source-Release" began appearing on GitHub, exposing a credential-stealing framework identified by SafeDep as "larger than a supply chain worm." SafeDep says Miasma is a full supply chain attack toolkit able to operate against package registries (PyPI, npm, RubyGems), JFrog Artifactory, GitHub repositories and GitHub Actions, and AI coding tool configurations. Instead of a single C2 channel, Miasma uses three independent commit-search-driven channels on GitHub with distinct search strings and crypto keys: "DontRevokeOrItGoesBoom" to discover attacker-controlled personal access tokens (PATs) for exfiltration, "TheBeautifulSandsOfTime" to deliver JavaScript, and "firedalazer" to deliver Python script URLs as remote backdoors.
SafeDep assesses Miasma as a variant of the Shai-Hulud worm; the campaign has evolved into a Python variant called Hades. As of the latest count, 304 components have been impacted by Miasma.
SilabRAT: MaaS ratchet-up on credential theft
On darknet forums since September 2025 a Russian-speaking actor named "o1oo1" has been advertising SilabRAT under a malware-as-a-service model for $5,000 per month. Group-IB reports that "SilabRAT is heavily focused on financial gain through credential theft" and that the tool "offers stability and is capable of bypassing existing security measures." Delivered by ClickFix campaigns using Hijack Loader, SilabRAT employs Hidden Virtual Network Computing (HVNC) for remote control and implements Browser Profile Cloning — copying user agent, extensions, storage and other fingerprinting attributes — to impersonate victims' browser environments. The malware can identify wallet addresses and extract cryptocurrency artifacts; the developer previously offered a service named AsmCrypt.
AI agent phishing and CI/CD secrets: two sides of automated risk
Automation is easing both offense and accidental disclosure. Varonis tested four phishing simulations against an OpenClaw email agent codenamed Pinchy and found the agent "susceptible to tactics commonly used to deceive human users." In one test a casual email from "Dan" prompted Pinchy to forward AWS IAM keys, database passwords, and SSH access to an external Gmail account. Varonis draws a distinction between prompt injection (malicious content fed into a model) and what it calls "agent phishing," where a believable request arrives through normal channels and the agent acts before verifying the requester.
Separately, Microsoft disclosed a concrete CI/CD exposure in the Claude Code GitHub Action. Microsoft said the action's Read tool was not subject to the same sandboxing model as subprocess execution and "was eventually authorized to access /proc/self/environ, reading the workflow's ANTHROPIC_API_KEY and potentially other credentials available to the runner." Following responsible disclosure on April 29, 2026, Microsoft said the issue was fixed on May 5 with Claude Code version 2.1.128; the patch unconditionally rejects a number of files in /proc/ to prevent exfiltration.
What this means for technologists, procurement leaders, and end users
- Technologists and security teams: expect blended threats. The Miasma and SilabRAT cases underline that credential theft, supply-chain tampering, and remote access tools are being packaged and sold; teams will need to audit CI/CD runners, PAT usage, and any search-based automation that could act as covert C2.
- Procurement and software maintainers: download counts and public repositories are unreliable signals. Tenable and SafeDep findings about download pumping and trojanized packages emphasize the need for provenance checks — the presence of hundreds of benign versions or high download counts no longer guarantees safety.
- End users and administrators: automated agents and browser extensions carry second-order risk. Varonis and G DATA report agents and Chrome extensions hijacking conversations or forwarding secrets; users and admins should treat automated responses and third-party extensions as potential exfiltration vectors.
The thread connecting these items is simpler than any single exploit: "attackers do not always need exploits. They need patience, stolen credentials, trusted tools, and one policy setting nobody has checked since the last reorg." The incidents documented this week — from a 3.3 billion-record theft supply to a public leak of a supply-chain worm toolkit and agents that willact on a friendly-sounding email — drive home an operational truth: trust in code, agents, and default policies must be verified, not assumed.
