Weekly review

ThreatNoir Weekend Brief — June 28

2026-06-28Afternoon4 articles
Audio
Listen to the episode

Afternoon Review in IT Security — June 28, 2026

The threat landscape continues to intensify across multiple attack vectors on June 28, 2026, with Russian state-sponsored actors refining their social engineering tactics, new malware families targeting government entities, and supply-chain campaigns expanding their scope across legitimate open-source infrastructure. Today's coverage examines critical developments in identity compromise, advanced persistent threats, and the ongoing Miasma supply-chain attack campaign affecting developer environments globally.

FBI Warns Russian Intelligence Hackers Target Signal Backup Recovery Keys

The Federal Bureau of Investigation and Cybersecurity and Infrastructure Security Agency have updated their March advisory regarding Russian intelligence phishing campaigns targeting Signal accounts, revealing an escalation in attacker sophistication. The threat actors have added a new exploitation step to their social engineering workflow: they now manipulate targets into voluntarily disclosing their Signal Backup Recovery Keys. Once obtained, these keys provide attackers with persistent access to restore account backups, read complete private and group message histories, and assume full control of compromised accounts. A critical vulnerability in this attack vector is that the recovery key remains functional indefinitely, enabling long-term account compromise and surveillance capabilities. Source: FBI Warns Russian Intelligence Hackers Target Signal Backup Recovery Keys

This campaign demonstrates the continued evolution of state-sponsored social engineering tactics beyond simple credential theft. By targeting the recovery mechanism itself rather than passwords alone, Russian intelligence operators have identified a higher-value attack surface that provides sustained access and bypasses standard two-factor authentication protections. Organizations and individuals using Signal for sensitive communications should be aware that recovery keys represent a critical security perimeter requiring the same protection as primary authentication credentials.

New SharkLoader Malware Deploys Cobalt Strike in StrikeShark Cyberattacks

Security researchers at Kaspersky have identified a new malware family designated SharkLoader that functions as a loader for delivering Cobalt Strike Beacon payloads to compromised systems. The campaign, tracked under the operational name StrikeShark, has targeted a diplomatic organization in Indonesia and multiple government entities in Taiwan, indicating a focused nation-state targeting strategy. The SharkLoader malware family represents a previously undocumented threat tool that extends the operational capabilities of established post-exploitation frameworks. Source: New SharkLoader Malware Deploys Cobalt Strike in StrikeShark Cyberattacks

The StrikeShark campaign has exploited a substantial collection of unpatched vulnerabilities across multiple Microsoft products and network infrastructure solutions, including Exchange Server, Cisco devices, and other critical systems. The breadth of CVEs leveraged in this campaign underscores the continued risk posed by delayed patching cycles in government and diplomatic networks, where legacy systems and operational constraints frequently prevent timely security updates.

Miasma Mini Shai-Hulud Hits ImmobiliareLabs npm Packages

Socket Threat Research has documented a new wave of the ongoing Miasma Mini Shai-Hulud supply-chain campaign affecting legitimate npm packages published under the @immobiliarelabs scope on June 26, 2026. The compromised packages include Backstage plugins designed for GitLab integration and LDAP authentication, which are commonly deployed as components of internal developer portals that interface with source-control systems, CI/CD workflows, and authentication infrastructure. This represents an expansion of the broader campaign that previously affected LeoPlatform, RStreams, and Verana packages, demonstrating the threat actor's systematic approach to compromising trusted developer infrastructure. Source: Miasma Mini Shai-Hulud Hits ImmobiliareLabs npm Packages

The malicious package releases follow the established Miasma pattern of hiding execution outside obvious package metadata, employing the "Phantom Gyp" binding.gyp technique to invoke node-gyp command expansion and trigger hidden index.js payloads without relying on preinstall or postinstall hooks. The hidden payloads decrypt and execute multi-stage JavaScript malware staged through Bun, steal developer and CI/CD secrets including npm tokens, GitHub credentials, SSH keys, cloud provider authentication, and Kubernetes configurations, and then abuse GitHub Actions to inject malicious workflow steps and propagate to downstream repositories. The campaign also plants persistence hooks in AI coding assistant plugins and IDE extensions, enabling long-term presence in developer environments.

A critical upstream compromise path has been identified involving the codfish/semantic-release-action GitHub Action, which was itself compromised on June 24, 2026. An attacker force-pushed malicious commits and repointed mutable version tags, causing downstream workflows referencing those tags to execute attacker-controlled code. This technique provided a plausible route for gaining access to npm publishing credentials and GitHub tokens used by the ImmobiliareLabs release automation. The attack also leveraged a GitHub Actions privilege-escalation technique involving the deployment workflow trigger, which can bypass standard workflow protections by executing temporary Git objects containing malicious workflows without requiring permanent modifications to the default branch.

Socket identified malicious releases across 22 affected npm package versions published in a tight window on June 26, 2026, affecting @immobiliarelabs/backstage-plugin-gitlab, @immobiliarelabs/backstage-plugin-gitlab-backend, @immobiliarelabs/backstage-plugin-ldap-auth, and @immobiliarelabs/backstage-plugin-ldap-auth-backend across multiple major versions. The publication pattern is consistent with automated republishing of historical versions to maximize exposure across users pinned to older major versions. Organizations that installed any affected ImmobiliareLabs package version should treat the installing environment as compromised and immediately rotate all exposed credentials from clean machines, including npm, GitHub, GitLab, cloud provider, Kubernetes, Docker, Vault, SSH, and CI/CD secrets.

Chinese-Speaking APT Deploys New TinyRCT Backdoor in Southeast Asia Campaign

Palo Alto Networks has attributed a new custom backdoor family called TinyRCT to a Chinese-speaking advanced persistent threat actor designated CL-STA-1062 as part of a targeted campaign against government entities and critical infrastructure in Southeast Asia. The campaign has specifically focused on state-owned enterprises in the energy and government sectors, demonstrating strategic targeting consistent with nation-state intelligence collection objectives. Source: Chinese-Speaking APT Deploys New TinyRCT Backdoor in Southeast Asia Campaign

The TinyRCT backdoor represents a new addition to the threat actor's operational toolkit and provides remote command and control capabilities targeting Southeast Asian government infrastructure. The campaign has been linked to specific command and control infrastructure and malware components, enabling organizations in affected regions to identify and respond to potential intrusions. Government agencies and critical infrastructure operators in Southeast Asia should prioritize threat hunting activities focused on identifying TinyRCT indicators and related CL-STA-1062 activity within their networks.

The convergence of Russian state-sponsored social engineering, new nation-state malware families, and sophisticated supply-chain attacks targeting developer infrastructure reflects an increasingly complex threat environment requiring coordinated defensive responses across identity security, endpoint protection, and software supply-chain integrity. Organizations should prioritize patching unpatched systems, rotating credentials exposed to compromised environments, and implementing strict controls on GitHub Actions workflow execution and CI/CD secret management.

Sources & IOCs

Source articles and extracted indicators (defanged where appropriate).

New SharkLoader Malware Deploys Cobalt Strike in StrikeShark Cyberattacks
CVE13
Miasma Mini Shai-Hulud Hits ImmobiliareLabs npm Packages
Malware2
  • Phantom Gyp
    Technique using binding.gyp and node-gyp for install-time code execution
  • Miasma Mini Shai-Hulud
    Supply chain attack campaign targeting npm and Go ecosystems
SHA-2563
  • dfcdec5f43cc…
    @immobiliarelabs/backstage-plugin-gitlab@1.0.1 tarball
  • ef641e956f91…
    binding.gyp file used across all 22 malicious packages
  • 1e7b04a9a4a2…
    @immobiliarelabs/backstage-plugin-gitlab@1.0.1 index.js