剣 KENSAI
← All posts · security · 2026-03-29 · 7 min

Infinity Stealer ClickFix के ज़रिए macOS को निशाना बनाता है, Red Menshen BPFDoor इम्प्लांट्स टेलीकॉम में मिले, LangChain की गंभीर CVEs सामने आईं

नया Infinity Stealer मैलवेयर ClickFix लूर्स और Nuitka-कम्पाइल्ड Python के ज़रिए macOS को निशाना बनाता है। चीन से जुड़ा Red Menshen टेलीकॉम नेटवर्क में कर्नेल-लेवल BPFDoor इम्प्लांट्स तैनात करता है। LangChain/LangGraph की तीन गंभीर कमज़ोरियाँ एंटरप्राइज़ AI सिस्टम को ख़तरे में डालती हैं। TeamPCP ने WAV स्टेगनोग्राफ़ी से Telnyx PyPI पैकेज को कम्प्रोमाइज़ किया।


🍎 Infinity Stealer: New macOS Malware Uses ClickFix + Nuitka to Evade Detection

⚠️ Active Threat — macOS Users at Risk

Malwarebytes has documented the first macOS campaign combining ClickFix social engineering with a Nuitka-compiled Python infostealer. The malware evades static analysis by producing a native binary with no obvious bytecode layer.

A sophisticated new info-stealing malware dubbed Infinity Stealer has been discovered targeting macOS systems through ClickFix lures — fake CAPTCHA pages that mimic Cloudflare's human verification to trick users into executing malicious terminal commands.

How the Attack Works

The infection chain begins when a victim visits the domain update-check[.]com, which presents a convincing Cloudflare verification prompt. The page instructs the user to paste a base64-obfuscated curl command into the macOS Terminal, effectively bypassing all OS-level protections.

The decoded command writes a stage-2 Nuitka loader to /tmp, removes the quarantine flag via xattr, and executes it via nohup. The loader is an 8.6 MB Mach-O binary containing a 35 MB zstd-compressed archive with the final Infinity Stealer payload (UpdateHelper.bin).

What It Steals

All stolen data is exfiltrated via HTTP POST to the C2 server, with a Telegram notification sent to the attackers upon successful exfiltration.

Why Nuitka Matters

Unlike PyInstaller (which bundles Python bytecode), Nuitka compiles Python source code to C, producing a genuine native binary. This eliminates the bytecode layer that security tools typically analyze, making reverse engineering significantly harder and detection rates lower.

Defender Action: Block the domain update-check[.]com. Remind users to never paste commands from websites into Terminal. Monitor for suspicious nohup executions and xattr -d com.apple.quarantine calls. Consider endpoint detection rules for large Mach-O binaries in /tmp.


🇨🇳 Red Menshen: China-Linked APT Deploys "Stealthiest Digital Sleeper Cells" in Telecoms

🔶 Nation-State Espionage — Telecom Infrastructure

Rapid7 has uncovered an ongoing campaign by Red Menshen (Earth Bluecrow / DecisiveArchitect) embedding kernel-level BPFDoor implants in telecom networks across the Middle East and Asia to spy on government communications.

A long-running espionage campaign attributed to the China-nexus threat group Red Menshen has been operating inside telecom provider networks since at least 2021, using some of the most sophisticated stealth techniques ever documented in telecommunications environments.

What Makes BPFDoor So Dangerous

The group's signature tool, BPFDoor, operates at the kernel level using Berkeley Packet Filter (BPF) functionality to inspect network traffic directly inside the Linux kernel. Unlike conventional malware:

Rapid7 described these implants as "some of the stealthiest digital sleeper cells" ever encountered.

Attack Chain

Initial access targets internet-facing infrastructure from vendors including Ivanti, Cisco, Juniper, Fortinet, VMware, Palo Alto Networks, and Apache Struts. After gaining a foothold, the group deploys:

The BPFDoor controller can also operate within the victim's environment, sending activation packets to other internal implants for lateral movement — creating a mesh of hidden backdoors across the network.

Defender Action: Audit Linux systems for unexpected BPF filters using bpftool. Monitor for anomalous raw socket creation. Review edge device firmware and patch status for Ivanti, Cisco, Fortinet, and Palo Alto products. Deploy network traffic analysis capable of detecting magic packet patterns.


🤖 LangChain & LangGraph: Three Critical CVEs Expose Enterprise AI Systems

⚠️ Critical Vulnerabilities — Patch Immediately

Three independently exploitable vulnerabilities in LangChain and LangGraph can leak filesystem data, environment secrets, and conversation histories. Combined weekly downloads exceed 84 million.

Security researcher Vladimir Tokarev of Cyera has disclosed three serious vulnerabilities in LangChain and LangGraph, two of the most widely used frameworks for building LLM-powered applications. Each flaw exposes a different class of enterprise data.

CVE CVSS Type Impact
CVE-2026-34070 7.5 Path Traversal Arbitrary file read via prompt-loading API
CVE-2025-68664 9.3 Deserialization API key and environment secret leakage
CVE-2025-67644 7.3 SQL Injection Arbitrary SQL against SQLite checkpoints

Exploitation Details

CVE-2026-34070 exploits the prompt-loading API in langchain_core/prompts/loading.py. By supplying a crafted prompt template with path traversal sequences, an attacker can read arbitrary files — including Docker configurations and private keys.

CVE-2025-68664 (also known as "LangGrinch") tricks the application into interpreting user input as a pre-serialized LangChain object. This deserialization flaw can siphon all API keys and environment secrets from the deployment.

CVE-2025-67644 targets the LangGraph SQLite checkpoint implementation. By manipulating metadata filter keys, an attacker can inject arbitrary SQL queries to access conversation histories — potentially containing sensitive business data, PII, or internal deliberations.

Patched Versions

Defender Action: Immediately update all LangChain and LangGraph dependencies. Audit AI application deployments for exposed prompt-loading endpoints. Review environment variable access patterns and secrets management for LLM applications.


📦 TeamPCP Strikes Again: Telnyx PyPI Package Compromised with WAV Steganography

The prolific threat actor TeamPCP — already responsible for supply chain attacks on Trivy, KICS, and LiteLLM — has compromised the Telnyx Python SDK on PyPI. Malicious versions 4.87.1 and 4.87.2 were published on March 27, 2026, and the project is now quarantined.

Three-Stage Attack Chain

  1. Stage 1 — Delivery: Malicious code injected into telnyx/_client.py activates on package import
  2. Stage 2 — Steganography: Downloads a .WAV file from C2 containing XOR-obfuscated payloads hidden in audio data
  3. Stage 3 — Collection: In-memory credential harvester targeting browser data, SSH keys, cloud tokens, and environment variables

The entire chain operates in a self-destructing temporary directory, leaving near-zero forensic artifacts. On Windows, the payload persists via the Startup folder as msbuild.exe. On Linux/macOS, it runs in-memory and exfiltrates as tpcp.tar.gz via HTTP POST to 83.142.209[.]203:8080.

Defender Action: Pin Telnyx to version 4.87.0 or lower. Audit CI/CD pipelines for any installation of 4.87.1 or 4.87.2. Block the C2 IP 83.142.209[.]203. Review all TeamPCP-affected packages: Trivy, KICS, LiteLLM, and now Telnyx.


📊 Threat Landscape Summary

Threat Category Severity Target
Infinity Stealer Malware High macOS users
Red Menshen / BPFDoor APT / Espionage Critical Telecom infrastructure
LangChain/LangGraph CVEs Vulnerability Critical (9.3) AI/ML enterprise deployments
TeamPCP / Telnyx Supply Chain High Python developers

🔑 Key Takeaways