UNC6692 abused Microsoft Teams interactions to deliver the Snow malware toolkit
Attackers tracked as UNC6692 used email bombing followed by Microsoft Teams helpdesk impersonation to pressure targets into installing a fake patch. The payload chain delivered SnowBelt, a malicious browser extension, alongside SnowGlaze, a tunneler, and SnowBasin, a Python backdoor used for command execution and covert communications.
The intrusion chain relied on scheduled tasks, startup-folder persistence, a headless Microsoft Edge instance, and WebSocket tunneling to hide activity and maintain access. Threat reporting said the operators used this approach to pursue credential theft, deep network compromise, and domain takeover, which makes the campaign more than a simple phishing incident.
The broader implication is that Teams and remote support workflows have become primary attack surfaces, especially when employees are used to interacting with IT staff through chat and remote assistance. Because the operators leaned on legitimate tools and administrative protocols, post-compromise activity can blend into routine support traffic and delay detection.
Bitwarden confirmed a short-lived supply chain compromise affecting its CLI npm package
A malicious @bitwarden/cli version 2026.4.0 was briefly distributed through npm on April 22, 2026, after attackers compromised the package’s delivery path. Bitwarden said the incident affected only the npm distribution mechanism for the CLI during a limited window and that it found no evidence of impact to vault data, production data or production systems.
Reporting said the malicious package added a custom loader and credential-stealing logic capable of harvesting secrets from developer environments and potentially spreading into other projects. The incident was linked to a broader developer-tooling supply-chain campaign, which increases the risk because poisoned builds can move from one workstation into CI/CD systems and downstream releases.
This matters operationally because password managers, CLIs, and package managers sit close to secrets, automation pipelines, and deployment workflows. A short-lived compromise can still force organizations to rotate tokens, review GitHub activity, inspect workflow integrity, and treat developer endpoints as possible initial infection points.
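One concrete check a responder would want after this item, as an added example (not Bitwarden's code): scan every package-lock.json under a tree for a pin of @bitwarden/cli at the malicious 2026.4.0 release, covering the flat v2/v3 "packages" layout as well as nested v1 "dependencies". The sample lockfiles below are constructed.

```python
import json
from pathlib import Path

BAD_PACKAGE = "@bitwarden/cli"
BAD_VERSIONS = {"2026.4.0"}  # the version named in the disclosure

def _walk_v1(deps, prefix, hits):
    # lockfileVersion 1 nests "dependencies" dicts keyed by package name
    for name, info in (deps or {}).items():
        here = f"{prefix}node_modules/{name}"
        if name == BAD_PACKAGE and info.get("version") in BAD_VERSIONS:
            hits.append(f"{here}@{info['version']}")
        _walk_v1(info.get("dependencies"), here + "/", hits)

def find_bad_versions(lock_text):
    """Return node_modules paths in one lockfile that pin a malicious version."""
    lock = json.loads(lock_text)
    hits = []
    # lockfileVersion 2/3: flat "packages" map keyed by node_modules path
    for pkg_path, info in lock.get("packages", {}).items():
        if pkg_path.endswith("node_modules/" + BAD_PACKAGE) \
                and info.get("version") in BAD_VERSIONS:
            hits.append(f"{pkg_path}@{info['version']}")
    if "packages" not in lock:  # v2 also carries "dependencies"; only walk pure v1
        _walk_v1(lock.get("dependencies"), "", hits)
    return hits

def scan_tree(root):
    """Scan all package-lock.json files under root; return {path: hits}."""
    results = {}
    for lockfile in Path(root).rglob("package-lock.json"):
        hits = find_bad_versions(lockfile.read_text(encoding="utf-8"))
        if hits:
            results[str(lockfile)] = hits
    return results

# Constructed sample lockfiles (not real project files)
SAMPLE_LOCK_V3 = json.dumps({
    "name": "demo", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo", "dependencies": {"@bitwarden/cli": "2026.4.0"}},
        "node_modules/@bitwarden/cli": {"version": "2026.4.0"},
        "node_modules/left-pad": {"version": "1.3.0"},
    },
})
SAMPLE_LOCK_V1 = json.dumps({
    "lockfileVersion": 1,
    "dependencies": {"some-tool": {"version": "1.0.0", "dependencies": {
        "@bitwarden/cli": {"version": "2026.4.0"}}}},
})

if __name__ == "__main__":
    print(find_bad_versions(SAMPLE_LOCK_V3), find_bad_versions(SAMPLE_LOCK_V1))
    print(scan_tree("."))
```

A hit in a lockfile only proves the version was pinned; the workstation's npm cache and any CI runners that installed from that lockfile during the window need the same review.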
Phishing campaigns are exploiting OAuth permissions to compromise Microsoft 365 accounts
Recent threat intelligence described a GitHub-centered phishing campaign that used malicious OAuth applications to hijack user access. In this model, attackers create fake apps that mimic legitimate services, trick victims into granting permissions and then receive access tokens tied to the user identity, which can be used against Microsoft 365 services.
At the same time, publicly available tooling such as Microsoft365_devicePhish shows how attackers can generate device_code and user_code values through Microsoft OAuth endpoints, lure users to authenticate on legitimate Microsoft pages, capture access and refresh tokens, and then use Microsoft Graph APIs to read email, access files, and maintain persistence.
The key operational insight is that this attack chain is now commoditized and reproducible. It does not require malware, password theft, or endpoint exploitation because authentication occurs on genuine Microsoft infrastructure and persistence is established through tokens rather than passwords.
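Because the device-code flow leaves no malware to find, the detection lives in the identity logs. The following hunt is an added example (not from the reporting above or from any Microsoft tool): it flags successful sign-ins that used the device-code protocol and marks those whose source IP never appears in the user's other sign-ins or that obtained a Microsoft Graph token. Field names mirror the Entra ID SigninLogs export and are an assumption to adjust for your pipeline; the events are constructed.

```python
from collections import defaultdict

SUCCESS = "0"  # ResultType 0 is a successful sign-in

def baseline_ips(events):
    """Map each user to the IPs seen on successful, non-device-code sign-ins."""
    seen = defaultdict(set)
    for e in events:
        if e["ResultType"] == SUCCESS and e["AuthenticationProtocol"] != "deviceCode":
            seen[e["UserPrincipalName"]].add(e["IPAddress"])
    return seen

def find_device_code_logins(events):
    """Return one alert per successful device-code sign-in, in log order."""
    known = baseline_ips(events)
    alerts = []
    for e in events:
        if e["AuthenticationProtocol"] != "deviceCode" or e["ResultType"] != SUCCESS:
            continue
        flags = []
        if e["IPAddress"] not in known.get(e["UserPrincipalName"], set()):
            flags.append("ip_not_in_baseline")  # token issued from an unfamiliar network
        if e["ResourceDisplayName"] == "Microsoft Graph":
            flags.append("graph_token")  # usable to read mail and files via Graph
        alerts.append({"time": e["TimeGenerated"], "user": e["UserPrincipalName"],
                       "ip": e["IPAddress"], "flags": flags})
    return alerts

def _ev(t, user, ip, proto, result, resource):
    # Helper to build a constructed record with the assumed SigninLogs field names
    return {"TimeGenerated": t, "UserPrincipalName": user, "IPAddress": ip,
            "AuthenticationProtocol": proto, "ResultType": result,
            "ResourceDisplayName": resource}

SAMPLE_EVENTS = [  # constructed, not real telemetry
    _ev("2026-04-21T08:02:11Z", "alice@example.com", "203.0.113.10", "none", "0", "Office 365 Exchange Online"),
    _ev("2026-04-21T09:15:40Z", "alice@example.com", "198.51.100.7", "deviceCode", "0", "Microsoft Graph"),
    _ev("2026-04-21T08:30:05Z", "bob@example.com", "203.0.113.22", "none", "0", "Microsoft Graph"),
    _ev("2026-04-21T10:01:59Z", "bob@example.com", "203.0.113.22", "deviceCode", "0", "Microsoft Graph"),
    _ev("2026-04-21T11:45:00Z", "carol@example.com", "192.0.2.9", "deviceCode", "50126", "Microsoft Graph"),
]

if __name__ == "__main__":
    for alert in find_device_code_logins(SAMPLE_EVENTS):
        print(alert)
```

Where device-code sign-in is not needed, blocking the flow with a Conditional Access authentication-flows policy removes the exposure rather than just detecting it.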
Trigona actors deployed a proprietary data exfiltration tool ahead of ransomware
Recent Trigona attacks used a custom command-line exfiltration tool named uploader_client.exe to steal data more quietly and efficiently than common utilities such as Rclone or MegaSync. Threat reporting said the change likely reflects an effort to keep a lower profile during a critical phase of the intrusion before encryption or extortion pressure begins.
The tool supported parallel uploads, TCP connection rotation and selective file-type filtering, which can speed up theft while reducing noisy traffic patterns. In at least one observed case, it was used to exfiltrate high-value business documents such as invoices and PDFs from network drives, which fits the group’s established double-extortion model.
The broader implication is that ransomware actors continue to invest in proprietary exfiltration tooling to avoid known detections and improve success rates during the data-theft phase. That increases the need to monitor not only encryption behavior, but also stealthier outbound transfer activity and suspicious collection on file shares.
ADT disclosed a breach following extortion threats from the ShinyHunters group
ADT said it detected unauthorized access to a limited set of customer and prospective customer data on April 20, 2026, terminated the intrusion, and launched a forensic investigation. The company said the stolen information was largely limited to names, phone numbers and addresses, with dates of birth and the last four digits of SSNs or tax IDs included in a smaller portion of cases.
The extortion group ShinyHunters claimed responsibility and said the intrusion began through a voice-phishing attack that compromised an employee’s Okta single sign-on account, which was then allegedly used to access and steal data from Salesforce. ADT did not confirm the attacker’s claimed volume of stolen data, but it did confirm that a breach occurred and that personal information was taken.
This matters because it shows how identity-focused intrusions can move from a single compromised SSO account into connected SaaS platforms and customer-data environments without needing malware on every downstream system. It also reinforces the pattern of vishing plus SaaS data theft as a practical extortion path against large enterprises.