ThreatsDay Bulletin: Claude Chat Abuse, NastyC2 npm Packages, Device-Code Phishing + 25 More Stories
A weekly roundup covers abuse of Claude AI chat for malware delivery, malicious npm packages (NastyC2), device-code phishing attacks, and 25 other security stories.

The internet did not break this week. It got used exactly as designed, which is worse. Searches were siphoned through shady browser add-ons. AI chat links turned into malware delivery paths. macOS attacks ran in memory and left almost nothing behind. Cloud agents looked like helpers until attackers treated them like open shells. Add exposed edge gear, poisoned packages, cash courier scams, and the picture is clear: defenders are fighting a hydra.
This week's ThreatsDay bulletin aggregates over 25 security stories spanning active threats, new attack vectors, and critical patches. Among the highlights, threat actors are abusing Claude AI's shared chat feature to host malicious ClickFix lures, tricking users into executing PowerShell commands that deploy malware. The technique leverages legitimate claude.ai URLs to bypass security filters, with over 2,000 victims reported.
In the software supply chain, researchers uncovered NastyC2, a set of malicious npm packages designed to deliver a C2 backdoor. The packages masquerade as legitimate libraries but contain obfuscated code that establishes persistent remote access. This follows a broader trend of attackers targeting npm and PyPI ecosystems, with campaigns like TeamPCP compromising over 1,000 open-source packages since February 2026.
Device-code phishing is also on the rise, with a campaign targeting Microsoft 365 accounts. Attackers trick users into entering device codes on legitimate Microsoft login pages, granting OAuth tokens without stealing passwords. This technique bypasses MFA and has been observed in the wild by ReversingLabs.
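As an added defender-side illustration (not code from the bulletin or from the researchers it cites): a small Python check that flags OAuth device-code sign-ins coming from a network the user has never used for an ordinary sign-in. The record layout and the `authenticationProtocol` values are assumptions modelled on Entra ID sign-in logs, and the sample records are constructed.

```python
"""Flag device-code sign-ins from networks a user has never used before.

Constructed example; field names follow the Entra ID / Graph signIn schema
as an assumption, not a verified export format.
"""
from collections import defaultdict

# Constructed sample sign-in records (not real log data).
SIGN_INS = [
    {"user": "alice@example.test", "authenticationProtocol": "none",
     "ipAddress": "203.0.113.10"},
    {"user": "alice@example.test", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.77"},
    {"user": "bob@example.test", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.20"},
    {"user": "bob@example.test", "authenticationProtocol": "none",
     "ipAddress": "203.0.113.20"},
]


def known_networks(events):
    """Map each user to the IPs seen on their non-device-code sign-ins."""
    seen = defaultdict(set)
    for e in events:
        if e["authenticationProtocol"] != "deviceCode":
            seen[e["user"]].add(e["ipAddress"])
    return seen


def suspicious_device_code_signins(events):
    """Return (user, ip) pairs for device-code sign-ins whose source IP the
    user has never used for a regular sign-in.  Device-code phishing issues
    a token without a password, so an unfamiliar origin on this flow is a
    better signal than a failed MFA prompt, which never happens here."""
    baseline = known_networks(events)
    flagged = []
    for e in events:
        if e["authenticationProtocol"] != "deviceCode":
            continue
        if e["ipAddress"] not in baseline.get(e["user"], set()):
            flagged.append((e["user"], e["ipAddress"]))
    return flagged


if __name__ == "__main__":
    for user, ip in suspicious_device_code_signins(SIGN_INS):
        print(f"review: device-code sign-in for {user} from unfamiliar IP {ip}")
```

In a real deployment the baseline would be built from weeks of history rather than the same batch being inspected, and the check would sit beside a Conditional Access policy restricting which clients may use the device-code flow at all.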
On the defense side, multiple vendors released critical patches. Mozilla fixed Firefox 152 vulnerabilities including use-after-free and sandbox escapes. F5 patched critical NGINX flaws (CVSS 9.2) allowing unauthenticated RCE. Cisco addressed a command injection in ISE, and Atlassian and Splunk updated their AI toolkits. However, Windows 11's June update KB5095051 broke Office apps launched via third-party tools, causing enterprise disruptions.
Law enforcement also made moves: police cleaned nearly 15,000 SocGholish-infected WordPress sites and took down over 100 servers tied to Evil Corp. Meanwhile, Google sued a Chinese phishing service for abusing Gemini AI to generate scam URLs, and researchers demonstrated how SQL Server 2025 AI features can be abused for covert data exfiltration.
This bulletin underscores the breadth of modern cyber threats—from AI-powered attacks to supply chain compromises and credential theft. Defenders must stay vigilant across multiple fronts, as attackers continue to innovate and exploit every available vector.