A new Nuitka-compiled info-stealer targets macOS through fake CAPTCHA lures. China-linked Red Menshen embeds kernel-level BPFDoor implants in telecom networks across the Middle East and Asia. Three critical vulnerabilities in LangChain and LangGraph threaten enterprise AI deployments. TeamPCP continues its supply chain rampage by compromising the Telnyx PyPI package with WAV steganography.
Malwarebytes has documented the first macOS campaign combining ClickFix social engineering with a Nuitka-compiled Python infostealer. The malware evades static analysis by producing a native binary with no obvious bytecode layer.
A sophisticated new info-stealing malware dubbed Infinity Stealer has been discovered targeting macOS systems through ClickFix lures — fake CAPTCHA pages that mimic Cloudflare's human verification to trick users into executing malicious terminal commands.
The infection chain begins when a victim visits the domain update-check[.]com, which presents a convincing Cloudflare verification prompt. The page instructs the user to paste a base64-obfuscated curl command into the macOS Terminal, effectively bypassing all OS-level protections.
The decoded command writes a stage-2 Nuitka loader to /tmp, removes the quarantine flag via xattr, and executes it via nohup. The loader is an 8.6 MB Mach-O binary containing a 35 MB zstd-compressed archive with the final Infinity Stealer payload (UpdateHelper.bin).
.env filesAll stolen data is exfiltrated via HTTP POST to the C2 server, with a Telegram notification sent to the attackers upon successful exfiltration.
Unlike PyInstaller (which bundles Python bytecode), Nuitka compiles Python source code to C, producing a genuine native binary. This eliminates the bytecode layer that security tools typically analyze, making reverse engineering significantly harder and detection rates lower.
Defender Action: Block the domain update-check[.]com. Remind users to never paste commands from websites into Terminal. Monitor for suspicious nohup executions and xattr -d com.apple.quarantine calls. Consider endpoint detection rules for large Mach-O binaries in /tmp.
Rapid7 has uncovered an ongoing campaign by Red Menshen (Earth Bluecrow / DecisiveArchitect) embedding kernel-level BPFDoor implants in telecom networks across the Middle East and Asia to spy on government communications.
A long-running espionage campaign attributed to the China-nexus threat group Red Menshen has been operating inside telecom provider networks since at least 2021, using some of the most sophisticated stealth techniques ever documented in telecommunications environments.
The group's signature tool, BPFDoor, operates at the kernel level using Berkeley Packet Filter (BPF) functionality to inspect network traffic directly inside the Linux kernel. Unlike conventional malware:
Rapid7 described these implants as "some of the stealthiest digital sleeper cells" ever encountered.
Initial access targets internet-facing infrastructure from vendors including Ivanti, Cisco, Juniper, Fortinet, VMware, Palo Alto Networks, and Apache Struts. After gaining a foothold, the group deploys:
The BPFDoor controller can also operate within the victim's environment, sending activation packets to other internal implants for lateral movement — creating a mesh of hidden backdoors across the network.
Defender Action: Audit Linux systems for unexpected BPF filters using bpftool. Monitor for anomalous raw socket creation. Review edge device firmware and patch status for Ivanti, Cisco, Fortinet, and Palo Alto products. Deploy network traffic analysis capable of detecting magic packet patterns.
Three independently exploitable vulnerabilities in LangChain and LangGraph can leak filesystem data, environment secrets, and conversation histories. Combined weekly downloads exceed 84 million.
Security researcher Vladimir Tokarev of Cyera has disclosed three serious vulnerabilities in LangChain and LangGraph, two of the most widely used frameworks for building LLM-powered applications. Each flaw exposes a different class of enterprise data.
| CVE | CVSS | Type | Impact |
|---|---|---|---|
CVE-2026-34070 |
7.5 | Path Traversal | Arbitrary file read via prompt-loading API |
CVE-2025-68664 |
9.3 | Deserialization | API key and environment secret leakage |
CVE-2025-67644 |
7.3 | SQL Injection | Arbitrary SQL against SQLite checkpoints |
CVE-2026-34070 exploits the prompt-loading API in langchain_core/prompts/loading.py. By supplying a crafted prompt template with path traversal sequences, an attacker can read arbitrary files — including Docker configurations and private keys.
CVE-2025-68664 (also known as "LangGrinch") tricks the application into interpreting user input as a pre-serialized LangChain object. This deserialization flaw can siphon all API keys and environment secrets from the deployment.
CVE-2025-67644 targets the LangGraph SQLite checkpoint implementation. By manipulating metadata filter keys, an attacker can inject arbitrary SQL queries to access conversation histories — potentially containing sensitive business data, PII, or internal deliberations.
langchain-core >= 1.2.22langchain-core 0.3.81 or 1.2.5langgraph-checkpoint-sqlite 3.0.1Defender Action: Immediately update all LangChain and LangGraph dependencies. Audit AI application deployments for exposed prompt-loading endpoints. Review environment variable access patterns and secrets management for LLM applications.
The prolific threat actor TeamPCP — already responsible for supply chain attacks on Trivy, KICS, and LiteLLM — has compromised the Telnyx Python SDK on PyPI. Malicious versions 4.87.1 and 4.87.2 were published on March 27, 2026, and the project is now quarantined.
telnyx/_client.py activates on package import.WAV file from C2 containing XOR-obfuscated payloads hidden in audio dataThe entire chain operates in a self-destructing temporary directory, leaving near-zero forensic artifacts. On Windows, the payload persists via the Startup folder as msbuild.exe. On Linux/macOS, it runs in-memory and exfiltrates as tpcp.tar.gz via HTTP POST to 83.142.209[.]203:8080.
Defender Action: Pin Telnyx to version 4.87.0 or lower. Audit CI/CD pipelines for any installation of 4.87.1 or 4.87.2. Block the C2 IP 83.142.209[.]203. Review all TeamPCP-affected packages: Trivy, KICS, LiteLLM, and now Telnyx.
| Threat | Category | Severity | Target |
|---|---|---|---|
| Infinity Stealer | Malware | High | macOS users |
| Red Menshen / BPFDoor | APT / Espionage | Critical | Telecom infrastructure |
| LangChain/LangGraph CVEs | Vulnerability | Critical (9.3) | AI/ML enterprise deployments |
| TeamPCP / Telnyx | Supply Chain | High | Python developers |
KENSAI continuously monitors your attack surface for vulnerabilities, misconfigurations, and exposure — before attackers find them.
Start Your Free Scan →Published by the KENSAI Threat Intelligence Team
March 29, 2026 — Afternoon Edition
Sources: Malwarebytes, Rapid7, Cyera, Socket, BleepingComputer, The Hacker News