Cybersecurity Headlines

PhantomRPC flaw, Checkmarx GitHub dark web data, PyPI package infostealer

8 min
Apr 28, 2026
Summary

This episode covers critical supply chain vulnerabilities affecting Windows, GitHub, and PyPI ecosystems, including an unpatched RPC privilege escalation flaw, compromised development tools distributing credential-stealing malware, and a widespread malicious package update. Additional stories address law enforcement actions against state-backed hackers, cryptocurrency criminals, and organized cybercrime networks.

Insights
  • Supply chain attacks are increasingly targeting developer tools and package repositories, with attackers using GitHub Actions and workflow token theft to distribute backdoored software at scale
  • Microsoft's decision not to patch the Phantom RPC vulnerability highlights the shift toward compensating controls rather than fixes for moderate-severity issues affecting legacy systems
  • Malicious package updates can auto-propagate to unpinned dependencies, making secret rotation and system restoration critical for affected organizations
  • Sleeper tactics in malware campaigns are evolving, with attackers cloning legitimate extensions and delaying activation to evade detection
  • International law enforcement coordination is increasingly effective in extraditing cybercriminals and disrupting transnational cybercrime operations
Trends
  • Supply chain attacks shifting focus to developer credentials and crypto wallets as high-value targets
  • Increased use of GitHub Actions and CI/CD pipeline exploitation for malware distribution
  • Sleeper malware tactics using delayed activation and legitimate-looking clones to bypass security detection
  • Growing coordination between international law enforcement agencies on cybercrime extradition and prosecution
  • Unpatched vulnerabilities becoming accepted risk requiring compensating controls rather than fixes
  • Organized cybercrime networks operating from physical compounds with human trafficking components
  • Open-source ecosystem vulnerabilities expanding attack surface for enterprise environments
  • Credential theft and crypto wallet targeting becoming primary objectives in supply chain campaigns
Companies
Microsoft
Windows RPC vulnerability classified as moderate severity by Microsoft; company declined to issue a patch
Kaspersky
Kaspersky researcher disclosed the Phantom RPC vulnerability affecting Windows systems
Checkmarx
Confirmed GitHub repository data breach following March 23rd supply chain attack compromising development tools
GitHub
GitHub Actions and VS Code extensions were tampered with to distribute credential-stealing malware
PyPI
Widely-used PyPI package with 1M+ monthly downloads compromised to distribute info stealer malware
Step Security
Researchers at Step Security discovered the PyPI package compromise and the GitHub Actions script injection flaw that enabled it
Socket
Researchers identified new Glassworm supply chain campaign abusing 73 Open VSX extensions
iTron
Utility tech supplier disclosed cybersecurity breach with unauthorized IT system access but no customer impact
VS Code
VS Code extensions were tampered with during Checkmarx supply chain attack to distribute malware
Docker
Backdoored Docker image distributed alongside malicious PyPI package in supply chain attack
People
Sarah Lane
Host reporting on cybersecurity headlines for the episode
Xu Zhui
Alleged Chinese state hacker extradited to U.S. for involvement in Hafnium campaign targeting Microsoft Exchange
Kok An
Cambodian senator sanctioned by U.S. Treasury for involvement in large-scale cryptocurrency scam operations
Evan Tangiman
California-based crypto money launderer sentenced to 70 months for laundering $260M in stolen cryptocurrency
Quotes
"Your back end is only as secure as your front end. Research shows that client-side compromise is now a primary driver of API risk."
GuardSquare (sponsor message)
"The flaw lets attackers with limited access spin up rogue RPC servers that impersonate legitimate services and capture high-privileged connections"
Sarah Lane
"Developers should remove affected packages and rotate secrets."
Sarah Lane
Full Transcript
From the CISO Series, it's Cybersecurity Headlines. These are the Cybersecurity Headlines for Tuesday, April 28, 2026. I'm Sarah Lane.

Phantom RPC flaw enables privilege escalation. A Kaspersky researcher disclosed an unpatched Windows vulnerability dubbed Phantom RPC that allows privilege escalation by exploiting how the OS's Remote Procedure Call, or RPC, mechanism handles connections to inactive services. The flaw lets attackers with limited access spin up rogue RPC servers that impersonate legitimate services and capture high-privileged connections, potentially escalating to system-level control, with five exploit paths validated on recent Windows Server versions. Microsoft classified the issue as moderate severity due to required privileges and is not issuing a fix. So, monitoring RPC activity and restricting impersonation privileges is key to reduce risk.

Checkmarx confirms GitHub data leak hit the dark web. Checkmarx confirmed that data from its GitHub repository has been posted on the dark web following a March 23rd supply chain attack that compromised development tools and workflows. The breach involved tampered GitHub Actions and VS Code extensions distributing credential-stealing malware, with researchers linking subsequent leaks to groups like Lapsus and activity attributed to Team PCP. Exposed data may include source code and credentials, though customer environments were reportedly unaffected. The company has restricted access to the impacted repository and is continuing its investigation, noting it will notify customers of sensitive data exposure.

PyPI package hacked to push info stealer. A widely used PyPI package with more than 1 million monthly downloads was compromised in a supply chain attack that pushed a malicious version containing an info stealer targeting developer credentials and crypto wallets. Researchers at Step Security found the attacker exploited a GitHub Actions script injection flaw to steal a workflow token, forge a legitimate release, and then distribute the backdoored package and Docker image. The issue has been fixed in version 0.23.4, but affected users should rotate secrets and restore systems, since the malicious release could automatically propagate to environments using unpinned dependencies.

Italy extradites alleged Chinese state hacker to the U.S. Italian authorities extradited Xu Zhui to the U.S., where he faces charges tied to alleged involvement in the state-backed Hafnium, also known as Silk Typhoon, campaign that targeted Microsoft Exchange servers and thousands of global victims. U.S. prosecutors say he participated in intrusions between 2020 and 2021, including attacks on universities and researchers to steal COVID-19-related data, allegedly under direction from Chinese intelligence services. Xu denies the allegations, but could face up to 77 years in prison if convicted. China has criticized the extradition.

Huge thanks to our sponsor, GuardSquare. Your back end is only as secure as your front end. Research shows that client-side compromise is now a primary driver of API risk. With 63% of leaders detecting mobile app tampering or cloning last year, don't leave your mobile app security to chance. Get multi protection for your entire mobile app ecosystem from the outside in. Learn more at guardsquare.

U.S. sanctions target Cambodian scams. The U.S. Treasury Office of Foreign Assets Control sanctioned a Cambodian cybercrime network, including Senator Kok An, over large-scale cryptocurrency scams that have defrauded Americans of millions of dollars through romance and fake investment schemes. Authorities say the operation runs from scam compounds tied to casinos, where victims send funds to fraudulent platforms, while trafficked workers carry out the scams under coercive conditions. The action was coordinated with the DOJ, FBI, and Secret Service, including domain seizures and criminal charges, intended to disrupt both the financial infrastructure and human trafficking tied to the network.

Glassworm malware attacks return. Researchers at Socket identified a new wave of the Glassworm supply chain campaign, abusing 73 Open VSX extensions designed to appear benign before turning malicious through later updates. Six extensions have already been activated, using loader techniques to fetch and execute hidden payloads that can steal developer credentials, crypto wallets, and sensitive environment data. The campaign reflects a shift towards stealthier sleeper tactics, with cloned extensions mimicking legitimate tools. Developers should remove affected packages and rotate secrets.

Utilities tech supplier iTron discloses attack. iTron disclosed a cybersecurity breach involving unauthorized access to its IT systems, but said it has since contained and remediated the incident, with no ongoing malicious activity detected. The company reported no impact to customer systems or core operations, which continued without disruption, and expects insurance to cover most of the associated costs. iTron is still investigating the scope of the breach and evaluating any required regulatory disclosures, but doesn't currently expect a material business impact.

Crypto money launderer given five-year sentence. California-based Evan Tangiman was sentenced to 70 months in prison for laundering millions in stolen cryptocurrency tied to a cybercriminal group known as the Social Engineering Enterprise, which stole roughly $260 million from victims. Prosecutors say the group used social engineering and physical tactics to target high-value crypto holders, while Tangiman helped convert stolen funds into cash and assets, including luxury homes used in operations. He also attempted to cover up the scheme after arrests and is one of nine individuals to plead guilty in this case.

The rush to not fall behind with the latest AI tooling is creating a vicious cycle. Is there any way to enable teams to use these new tools without abandoning security best practices? That's one of the segments we try to get answers for on the latest episode of the CISO Series Podcast. Look for the episode, "Step one, deploy new AI tool. Step two, discover security flaws. Step three, repeat," wherever you get your podcasts. And if you have some thoughts on the news from today or about our show in general, be sure to reach out to us at feedback at CISOseries.com. We'd love to hear from you. I am Sarah Lane reporting for the CISO Series. You stay safe out there, Milky Way and beyond. Cybersecurity Headlines are available every weekday. Head to CISOseries.com for the full stories behind the headlines.
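The GitHub Actions script injection behind the PyPI story is a workflow-definition bug rather than a code bug. The example below is added here and is not from the episode or from any project it names: a hypothetical issue-triage workflow showing the vulnerable pattern beside its hardened form, with the token scope reduced so that a captured token could not be used to forge a release.

```yaml
# Added example (hypothetical workflow, not the affected project's): the
# expression-injection pattern that lets issue or PR text reach the shell,
# beside the hardened form. No identifiers from the reported incident appear.
name: issue-triage
on:
  issues:
    types: [opened]

jobs:
  # UNSAFE: the ${{ }} expression is substituted into the script text before
  # the shell parses it, so an issue title written by any GitHub user becomes
  # part of the command line. With a write-capable GITHUB_TOKEN in scope,
  # whatever runs there can act on the repository (e.g. create a release)
  # as the workflow itself.
  triage-unsafe:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - run: echo "New issue: ${{ github.event.issue.title }}"

  # HARDENED: pass untrusted event data through an environment variable so
  # the shell treats it as data, not code, and grant the token only what the
  # job needs (no contents: write, so it cannot publish a release).
  triage-safe:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      issues: write
    steps:
      - env:
          ISSUE_TITLE: ${{ github.event.issue.title }}
        run: echo "New issue: $ISSUE_TITLE"
```

The same rule applies to any `github.event.*` field a third party controls (PR titles and bodies, branch names, commit messages); the consumer-side counterpart the host mentions, pinning dependency versions, is what stops a forged release from propagating automatically.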