Bottom line: Attackers systematically exploit legitimate AI tools and popular developer infrastructure as attack vectors while deliberately minimizing traditional security signals.
Cybercriminals abuse Claude Chat links as malware distribution channels and operate manipulated npm packages in open-source repositories. At the same time, new device code phishing campaigns signal an escalation in cloud environment infiltration.
The current threat landscape shows a shift in attack patterns: instead of new zero-days, established, trusted communication and distribution channels are being compromised. Claude Chat links have been deliberately prepared to trigger malware downloads when clicked. In the npm ecosystem, attackers operating under the name NastyC2 have deployed multiple packages that appear as legitimate dependencies but enable remote code execution.
In parallel, device code phishing campaigns are scaling: attackers generate device authentication codes and trigger chain reactions in cloud systems. Memory-resident macOS malware is also being actively deployed, leaving minimal forensic traces after execution. Cloud agents and automation tools deployed as auxiliary systems are being abused by attackers as unprotected shell access.
For CISOs, this means a fundamentally altered threat priority: the assumption that malware will be detected through significant artifacts no longer holds true. At the same time, popular developer tools and cloud-native components are now primary attack surfaces, not peripheral systems.
Source: thehackernews.com · Published June 18, 2026
Lumi AI News — AI-assisted curation pursuant to Article 50 EU AI Act. Paraphrasing and classification via Lumi News Pipeline v1.7.1.