This weekly bulletin covers a broad range of active threats including abuse of Claude AI chat links for malware delivery, malicious npm packages acting as C2 infrastructure, device-code phishing campaigns, and fileless macOS attacks. Attackers are increasingly exploiting legitimate platforms and trusted tooling — AI assistants, package registries, and cloud agent frameworks — as delivery and persistence mechanisms. The breadth of this bulletin reflects a threat landscape where well-understood, intentional system behaviours are being weaponised rather than bypassed.

Security Architect’s Take: Audit any cloud agent or AI-integrated workflows for overly permissive execution contexts, and enforce npm package allowlisting or lockfile integrity checks in your CI/CD pipelines. Review browser extension policies for managed devices and ensure device-code authentication flows are restricted where not operationally required.

Original advisory: ThreatsDay Bulletin: Claude Chat Abuse, NastyC2 npm Packages, Device-Code Phishing + 25 More Stories