Threat Research

Between late February and March 2026, TeamPCP launched a calculated series of escalating supply chain attacks. They compromised trusted open-source security tools like Trivy, KICS, and the AI gateway LiteLLM. The campaign also targeted the official Python SDK of Telnyx. Malicious infostealer payloads were injected into GitHub Actions and PyPI registries....

A supply chain attack compromised the LiteLLM AI proxy package on PyPI, with malicious versions delivering a multi-stage payload that harvested credentials, enabled Kubernetes lateral movement, and established persistent backdoor access for remote code execution....

Seedworm (also known as MuddyWater) has been observed conducting cyber espionage activities against multiple organizations in the United States and Canada since early 2026. Targeted entities include a U.S. bank, airport, defense-related software company, and non-profit organizations....

A multi-stage campaign linked to AsyncRAT abuses trusted infrastructure to evade detection and ensure reliable payload delivery. Threat actors leverage Cloudflare free-tier services and TryCloudflare tunnels to host WebDAV servers, while phishing emails delivered via Dropbox use double-extension files to trick victims....

Arkanix Stealer is an actively developed credential-stealing malware promoted mainly on Discord, where its operators advertise frequent updates and new features. Originally written in Python, the malware has evolved to include a C++ “Premium” version with expanded theft capabilities such as VPN and Steam accounts, screenshots, and Wi-Fi credentials....

The Confucius group is a long-standing cyber-espionage actor active mainly in South Asia, particularly targeting Pakistan. Since its discovery in 2013, the group has evolved significantly, shifting from early tools like document stealers (e.g., WooperStealer) to more advanced tactics, including Python-based backdoors such as AnonDoor....

North Korean-aligned threat group APT37 (aka ScarCruft, Ruby Sleet, Velvet Chollima) has been observed using advanced malware in recent campaigns targeting individuals linked to the North Korean regime and human rights activism in South Korea....

In May 2025, the North Korean-aligned threat actor Famous Chollima began deploying a Python-based version of their remote access trojan (RAT) called PylangGhost, which shares many capabilities with the previously known GolangGhost RAT. The Python RAT targets Windows systems, while the Golang version continues to target MacOS users....

"Python Inline Command Execution" refers to executing Python code directly from the command line using the -c flag, allowing for the execution of Python scripts without creating a separate file. This feature can be used for quick scripts or one-liners....