CYBERSIP DAILY CYBER BRIEF · ISSUE NO. 14 · APRIL 26, 2026 · CYBERSIP.NET
Issue No. 14  ·  April 26, 2026  ·  3 active items  ·  Under 5 min read
Today's picture
Kaspersky presented PhantomRPC at Black Hat Asia two days ago and the reception has been significant. It is an architectural design flaw in how Windows RPC handles connections to unavailable servers that lets a low-privilege process impersonate a trusted system service and receive SYSTEM-level credentials in response. Microsoft has not patched it and the research tools are now public. Separately, the GlassWorm campaign against developer extensions escalated today with 73 new sleeper packages discovered on the Open VSX marketplace, six of them already activated to deliver malware, and the campaign is now specifically targeting extensions for AI coding tools.
Threat snapshot
3 new · 2 monitoring
New No Patch All Windows
PhantomRPC: Windows RPC design flaw lets any low-privilege process reach SYSTEM. No patch exists.
Architectural weakness in rpcrt4.dll. Five exploitation paths. No CVE assigned, no patch from Microsoft. Research tools now public on GitHub. No confirmed exploitation yet.
New Supply Chain
GlassWorm escalates. 73 new sleeper extensions in Open VSX. Six already delivering malware today.
Third major wave. Targets AI coding tools including Claude Code and Codex extensions. Sleeper pattern: publish clean, build trust, then weaponize through updates and dependencies.
New Breach
ADT confirms breach. ShinyHunters claims 10 million security customer records stolen.
Home and business security monitoring provider. Customer data exposed. ShinyHunters posting records on breach forums. Physical security details in scope for follow-on targeting.
Detailed intelligence
Full analysis
01 New No Patch
PhantomRPC: An unpatched architectural flaw in Windows RPC gives any low-privilege process a path to SYSTEM.
PhantomRPC · No CVE
What happened
Kaspersky application security researcher Haidar Kabibo presented PhantomRPC at Black Hat Asia on April 24. The research documents an architectural design weakness in rpcrt4.dll, the Windows RPC runtime, that affects every version of Windows currently in use.

The flaw exists in how the RPC runtime handles connections to unavailable servers. When a highly privileged Windows process initiates an RPC call to a server that is offline or disabled, the RPC runtime does not verify whether the responding server is legitimate. An attacker running a low-privilege process such as NT AUTHORITY\NETWORK SERVICE can deploy a malicious RPC server that mimics the expected service. When the privileged process makes its call and receives a response from the attacker's fake server, it can be coerced into relaying its own SYSTEM-level credentials back.

Kabibo documented five distinct exploitation paths from different starting privilege levels, some requiring no user interaction and some relying on coercion of background services. Because the issue stems from an architectural design decision rather than a bug in a specific component, the researcher notes the number of potential attack vectors is effectively unlimited. Any process or service that depends on RPC and calls a server that can be taken offline or impersonated creates another exploitation opportunity.

Microsoft was notified through proper disclosure. No CVE has been assigned and no patch has been released. Kaspersky published the full research tools and methodology on GitHub to allow organizations to audit their own environments for exploitable RPC call patterns.
CyberSip Take
No confirmed exploitation is the important qualifier here, and it matters. PhantomRPC is a research disclosure at this stage, not an active threat in the way that RedSun and UnDefend are. That said, the combination of factors that makes it worth watching is clear. The research is fully public, the tools are on GitHub, the flaw affects every version of Windows, there is no patch, and there is no patch timeline. That is the same setup we saw with Defender RedSun and UnDefend before those moved from disclosed to actively exploited.

The five exploitation paths described in the research vary in how difficult they are to execute. Some require an attacker to already have low-privilege code execution. PhantomRPC alone does not give initial access, but it gives a reliable privilege escalation path once initial access is achieved through any other means. In that context it pairs with the kind of initial access that has appeared repeatedly in this brief: compromised developer credentials, RMM platform exploits, Teams social engineering, OAuth token theft. Any of those initial access paths followed by PhantomRPC escalation produces a SYSTEM-level compromise.

The practical action today is monitoring rather than emergency patching, since there is nothing to patch. Kaspersky's released tools allow auditing environments for vulnerable RPC call patterns. Watch for a Microsoft response and keep this item in view.
Recommended actions
Derived from Kaspersky Black Hat Asia 2026 presentation and independent security research disclosure
02 New Supply Chain
GlassWorm escalates with 73 new sleeper extensions in Open VSX. Six already delivering malware. AI coding tools now targeted.
GlassWorm Wave 3
What happened
Socket Research Team published findings today documenting a new cluster of 73 impersonation extensions on the Open VSX marketplace linked to the GlassWorm campaign, which has been running since at least October 2025. This is the third major wave of the campaign. At least six of the tracked extensions have already been activated to deliver malware. The remainder are classified as high-confidence sleepers currently waiting to be weaponized.

The sleeper pattern is the defining feature of this wave. Attackers publish extensions that appear legitimate at first, often by cloning popular developer tools with slightly different namespaces. These extensions build downloads and trust over days or weeks, passing marketplace reviews because they contain no malicious code at launch. Once credibility is established, the extensions are updated to include malicious dependencies or loaders that execute through the normal extension update path. Users who installed the extension before it was weaponized receive the malware automatically through a routine update they did not choose to review.

This wave specifically targets AI developer tooling. Socket researchers noted extensions impersonating tools for Claude Code, OpenAI Codex, and Google Antigravity among the identified packages. GlassWorm's infrastructure uses Solana blockchain transactions as command and control, fetching payload locations from blockchain memos in a way that cannot be taken down because the transactions are immutable. Previous waves stole GitHub credentials, npm tokens, SSH keys, and drained cryptocurrency wallets. The Eclipse Foundation, which manages Open VSX, has been notified and Socket has marked the known extensions on its GlassWorm tracking page.
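The sleeper pattern described above is a change in the extension's manifest between two versions rather than anything visible at first publication. The following added example (not code from Socket or the GlassWorm research) compares two constructed package.json documents for a hypothetical extension and flags the kinds of changes a weaponizing update introduces: newly added dependencies, new install-time lifecycle scripts, and activation broadened to every editor startup. The manifests are constructed and the extension name is made up.

```python
import json

# Constructed manifests for two successive versions of a hypothetical extension.
# 1.0.0 is the clean "sleeper" build; 1.0.1 is what a weaponizing update could
# look like. Neither corresponds to a real extension.
CLEAN = json.dumps({
    "name": "example-linter", "version": "1.0.0",
    "dependencies": {"vscode-languageclient": "^9.0.0"},
    "scripts": {"build": "tsc -p ./"},
    "activationEvents": ["onLanguage:python"],
})
UPDATED = json.dumps({
    "name": "example-linter", "version": "1.0.1",
    "dependencies": {"vscode-languageclient": "^9.0.0", "memo-fetch": "0.0.3"},
    "scripts": {"build": "tsc -p ./", "postinstall": "node ./util/setup.js"},
    "activationEvents": ["*"],
})

# npm lifecycle hooks that run code on the developer's machine at install time.
LIFECYCLE = {"preinstall", "install", "postinstall", "prepare"}


def diff_manifests(old_json, new_json):
    """Compare two package.json documents and return a list of flagged changes."""
    old, new = json.loads(old_json), json.loads(new_json)
    findings = []
    # 1. Dependencies that did not exist in the previous release.
    for section in ("dependencies", "devDependencies"):
        added = set(new.get(section, {})) - set(old.get(section, {}))
        for dep in sorted(added):
            findings.append(f"new {section} entry: {dep}@{new[section][dep]}")
    # 2. Lifecycle scripts that execute automatically during install/update.
    old_scripts = old.get("scripts", {})
    for hook in sorted(LIFECYCLE & set(new.get("scripts", {}))):
        if hook not in old_scripts:
            findings.append(f"new lifecycle script '{hook}': {new['scripts'][hook]}")
    # 3. Activation widened from a specific trigger to every editor start.
    if "*" in new.get("activationEvents", []) and "*" not in old.get("activationEvents", []):
        findings.append("activationEvents broadened to '*' (runs on every startup)")
    return findings


if __name__ == "__main__":
    for line in diff_manifests(CLEAN, UPDATED):
        print("FLAG:", line)
```

Running the same function over consecutive versions of every installed extension, with an empty result meaning "nothing new to review", turns a silent update into a reviewable event.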
CyberSip Take
This is Issue 13's Bitwarden supply chain story at a different layer of the same attack surface. Yesterday it was a backdoored CLI package on npm. Today it is weaponized VS Code extensions on Open VSX. Both target the developer environment specifically because a compromised developer machine is not just one endpoint. It is a gateway to every repository, pipeline, and production system that developer touches.

The targeting of AI coding tool extensions is deliberate, and it points to a broader risk that most practitioners have not fully internalized. AI coding tools have compressed the time between "I need a package that does X" and "I have it installed and running." A developer working with Claude Code, Copilot, or Cursor gets a package suggestion and a ready-to-run install command in the same response. The friction of checking what that package actually is before running it feels like it slows things down. That friction gap is exactly what attackers exploit.

This dynamic extends beyond VS Code extensions. Python packages installed via pip carry the same risk. PyPI has been targeted repeatedly with typosquatting attacks where a package name one character off from a legitimate one delivers a credential stealer. A developer who asks an AI tool to help them parse JSON, make an HTTP request, or interact with an API and then runs the suggested pip install command without checking the package is trusting a chain that includes the AI model's training data, PyPI's moderation, and the package maintainer's account security. Any link in that chain can be compromised.

The practical habit worth building is treating any unfamiliar package name, whether suggested by an AI tool or found in documentation, as something worth a 30-second check on PyPI or npm before installing. Download count, maintainer history, and publication date catch most malicious packages before they land.
Recommended actions
Derived from Socket Research Team disclosure and GlassWorm campaign tracking documentation
03 New Breach
ADT confirms breach. ShinyHunters claims 10 million security customer records stolen.
ADT Breach · Apr 2026
What happened
ADT, one of the largest home and business security monitoring companies in North America with over six million customers, confirmed a data breach after ShinyHunters posted records on breach forums claiming to have stolen over 10 million customer records. ADT confirmed the incident is under investigation and that customer data was accessed. The company has not yet disclosed the specific data categories exposed, though ShinyHunters' posted samples include names, addresses, email addresses, phone numbers, and account details including service plan information. ADT provides physical security monitoring services including alarm systems, smart home access controls, and commercial security installations. This is the third ADT breach disclosure in the past three years.
CyberSip Take
The category of data exposed in a security monitoring breach is different from a typical retail or financial breach and deserves specific attention. ADT's business is knowing where customers live, what their alarm codes and access schedules are, which entry points are monitored, and when properties are typically occupied or vacant. That operational intelligence has value beyond identity theft. Physical security researchers and law enforcement have documented cases where breach data from security monitoring companies was used to plan burglaries, circumvent alarm systems, and time physical access to properties when they were known to be unoccupied.

For businesses that use ADT for commercial monitoring, the concern extends to understanding which employees have alarm codes, when buildings are typically secured, and what the monitored access points are. A breach notification in this category should prompt a review of physical access codes and procedures, not just a credential rotation exercise.

This is the third time ADT has disclosed a breach in three years, which raises a different set of questions for any customer about the maturity of their security operations. The immediate practical step is to rotate alarm codes and access credentials for any property monitored by ADT regardless of whether you receive a direct breach notification.
Recommended actions
Derived from ADT breach confirmation and ShinyHunters threat actor reporting
Still watching
Aging items · days 2–6
Items here remain operationally relevant but have no significant new developments. They drop off after 7 days.
Bitwarden CLI supply chain attack (Issue 13). If developers in your environment installed @bitwarden/cli@2026.4.0 between April 22, 5:57 and 7:30 PM ET, treat all credentials on that machine as compromised and rotate immediately. Day 2
SimpleHelp CVE-2024-57726 and CVE-2024-57728 (Issue 13). Update to version 5.5.8. DragonForce and Medusa actively using this chain against MSPs and their downstream clients. Day 2
China-nexus covert device network advisory (Issue 12). Map edge devices and baseline VPN connection patterns. Static IP blocklists are becoming less effective against this tactic. Day 3
Cross-source standouts
What connects this week
01
April closed with the developer environment as the most targeted attack surface of the month
Looking across April, the supply chain attack surface received more coverage than any other category. Bitwarden CLI backdoored through a compromised GitHub Action. GlassWorm weaponizing VS Code extensions through three successive waves. Marimo Python notebook RCE exploited in AI development environments. The Vercel breach entering through a developer's OAuth-connected productivity tool. Each of these attacks targeted the environment where software is built and the credentials that control what gets deployed. The combined picture is that developer environments are now among the highest-value targets for sophisticated actors and the security controls in most organizations do not reflect that prioritization yet.
02
Architecture flaws with no patch timeline deserve a different response than CVEs
PhantomRPC joins Defender RedSun and UnDefend on a growing list of unpatched Windows privilege escalation issues in active research circulation. None of them are emergencies in the way a KEV entry is. All of them represent a real gap in the defensive picture. The appropriate response to a disclosed architectural flaw with no patch is not to wait. It is to understand the exploitation preconditions and reduce them. PhantomRPC requires initial code execution before it can escalate. Reducing the initial access surface through every means available, patching known initial access vectors, enforcing least privilege, and monitoring for anomalous RPC behavior are all actions that reduce the exposure now rather than after a patch arrives.
Our methodology
  • Federal cybersecurity advisories
  • Law enforcement threat bulletins
  • National vulnerability databases
  • Major vendor security advisories
  • Cross-referenced for relevance and corroboration
About CyberSip
A cyber brief for leaders and practitioners who need signal, not noise. Intelligence without the noise, published on cybersip.net.

CyberSip aggregates cybersecurity information from publicly available sources for informational purposes only. CyberSip does not provide legal, technical, incident response, or compliance advice, and makes no guarantee regarding completeness, accuracy, or timeliness. Organizations should validate all findings within their own environments and consult qualified professionals as appropriate. Original advisories, remediation guidance, and technical details remain with the referenced source organizations. Items remain active for no more than 7 days from publication unless materially updated.