Chapters
01 Cold Open: North Korea Touched Your Build Pipeline
02 Sponsor — Blue Cortex AI
03 The Axios Kill Chain: How a Maintainer Takeover Reached OpenAI's Signing Cert
04 The Certificate Question: Did North Korea Get OpenAI's Signing Keys?
05 What Is DPRK Actually After? Crypto vs. IT Worker Infrastructure
06 Attribution: UNC1069 vs. Stardust Chollima — Does the Name Matter?
07 ShinyHunters' Anodot Playbook: One SaaS Tool, Dozens of Victims
08 SaaS-to-Cloud Is Now a Repeatable Playbook
09 CVE 2026-3584: When Disclosure and Exploitation Happen in the Same Hour
10 Claude Mythos: Real Capability Threshold or 'The Boy Who Cried Vulnerability'?
11 Regulatory: Who's on the Clock and When Did It Start?
12 Synthesis: What You Do in the Next 24 Hours
▶ 01 Cold Open: North Korea Touched Your Build Pipeline [00:00]
Halil: North Korea compromised the most-downloaded HTTP library on npm. That code ran inside OpenAI's signing workflow — with the certificate for ChatGPT Desktop already in memory. That's not a near-miss. That's a direct hit on the software trust chain.
Halil: Welcome to CyberDaily Threatcast. I'm Halil Öztürkci. Let's get into it.
Halil: Today is April 14, 2026. The board is heavy. Three threads driving this episode.
Halil: First: the Axios npm supply chain attack — attributed to UNC1069, North Korea's Stardust Chollima unit — and what it means that a DPRK RAT ran with OpenAI signing privileges for three hours.
Halil: Second: ShinyHunters. The extortion deadline for Rockstar Games was today. Seventy-eight-point-six million records. Gone. And over a dozen other companies caught in the same net — all because of one SaaS cost monitoring tool.
Halil: Third: CVE 2026-3584. A Kali Forms plugin. CVSS nine-point-eight. Exploited within hours of patch disclosure. Three hundred twelve thousand blocked attempts and counting.
Halil: We'll also cover Claude Mythos — Anthropic's new AI offensive capability claim. Credible signal, but the numbers need unpacking before you change your threat posture.
Halil: Joining me: Alex Mercer on offensive tradecraft, Lena Hartmann on attribution, Dr. Elena Rossi on geopolitics, James Okafor on defense, Pierre Lefevre on financial exposure, Dr. Sofia Andersen on regulatory obligations, and Dr. Arjun Patel on the AI angle. Let's go.
▶ 02 Sponsor — Blue Cortex AI [02:14]
Halil: This episode is brought to you by Blue Cortex AI and Tarhy — their autonomous SOC platform. Here's what Tarhy does: it pulls alerts from your EDR stack — Defender, CrowdStrike, Cortex XDR, SentinelOne — and its AI agents triage every single one, around the clock. Not just pattern matching. Multi-step reasoning, cross-event correlation, MITRE ATT&CK mapping, and a confidence-scored verdict — all in about three minutes. And here's the thing that matters: their Neural Timeline shows you exactly how the AI reached each decision. No black box. The results speak for themselves — sixty to seventy percent fewer false positives, eighty percent faster time to verdict. If your SOC is drowning in five thousand alerts a day, Tarhy can save twenty-five hundred analyst hours a month. Check them out at bluecortex.ai.
▶ 03 The Axios Kill Chain: How a Maintainer Takeover Reached OpenAI's Signing Cert [03:20]
Halil: Alex, walk us through the kill chain. Axios — a hundred million weekly downloads — how does a maintainer account takeover end up inside OpenAI's build pipeline?
Alex: So — the attacker compromised one maintainer account via social engineering. Pushed two malicious versions: axios at 1.14.1 and axios at 0.30.4. Published March 31st, midnight UTC. Removed by 03:29 UTC.
Alex: Three-hour window. But in that window, OpenAI's GitHub Actions workflow ran npm install during a macOS app-signing job. And the signing certificate was already injected into that job context.
Lena: And the payload fires immediately. The postinstall hook executes in about one-point-one seconds. So by the time anyone noticed, the RAT had already beaconed.
Alex: Right. Three misconfigurations working together. Floating tag instead of a pinned commit hash. No minimumReleaseAge configured — which would have caught a three-hour-old package. And npm install running inside the signing job itself.
Halil: What does the RAT actually do once it's running?
Alex: This is WAVESHAPER.V2. Cross-platform. Windows, macOS, Linux. Remote shell via reverse connection. It goes straight for the .ssh directory, the .aws directory — credential harvest focus. Then it self-deletes to wipe forensics.
Alex: Double-obfuscated payload — reversed base64 into XOR cipher. After C2 contact, the dropper swaps the malicious package.json with a clean pre-staged version. APT-level anti-forensics.
Lena: And that's why Huntress saw only 135 confirmed endpoints beaconing to C2. Self-deletion means you're hunting ghosts after the fact.
Halil: 135 confirmed. But Wiz is reporting three percent execution rate across cloud environments. That's a different number entirely.
Alex: Different data sources. Huntress is their own telemetry. Wiz is estimating across the broader cloud exposure. Axios is in roughly eighty percent of cloud environments — three percent of that is millions of potentially affected instances.
Lena: And most orgs don't know they ran it. Loose SemVer — axios at caret 1.14.0 — auto-resolves to the poisoned version. Lockfile hygiene is terrible across the industry.
▶ 04 The Certificate Question: Did North Korea Get OpenAI's Signing Keys? [05:58]
Halil: Arjun — the certificate. OpenAI says 'no evidence of exfiltration.' They're rotating it anyway, deadline May 8th. How worried should we actually be?
Dr.: So, I want to separate what's demonstrated from what's possible. OpenAI's own analysis says the cert was 'likely not exfiltrated' due to timing and job sequencing. The cert injection and payload execution didn't overlap perfectly.
Alex: That's good luck, not good architecture.
Dr.: Exactly. And here's the problem with code-signing breaches — you often can't prove a negative. The certificate was in a compromised execution context for three hours.
Halil: Worst case — if they have it. What's the attack?
Alex: If UNC1069 exfiltrated that cert, they have until May 8th to use an Apple-notarized OpenAI signing certificate. A malicious ChatGPT Desktop update, signed with a legitimate cert — macOS Gatekeeper waves it through. Social engineering basically writes itself.
Dr.: And it's not just the binary. ChatGPT Desktop stores conversation history locally, mirrors cloud sessions, maintains persistent authentication. A trojanized update doesn't need memory corruption exploits — it reads the SQLite database directly and exfiltrates via DNS tunneling.
Halil: The local conversation database.
Dr.: Right. Organizational knowledge. Workspaces with team prompts, custom GPT configurations, internal workflows — it reveals what proprietary data companies are feeding the model. That's competitive intelligence.
Lena: And this is the second major supply chain hit on AI infrastructure in two months. LiteLLM, Trivy, TeamPCP — that was UNC6780, also DPRK. Google explicitly noted those campaigns ran simultaneously and show 'strategic alignment at a higher organizational level.'
Halil: So this isn't a one-off.
Lena: The Axios attack is a template. North Korea is systematically targeting AI software supply chain infrastructure. That's the pattern we need to track.
▶ 05 What Is DPRK Actually After? Crypto vs. IT Worker Infrastructure [08:22]
Halil: Elena — the geopolitical read. Is this about stealing cryptocurrency, or is something bigger going on with North Korea's strategy here?
Dr.: I'll be honest — I had to revise my initial assessment. I came in framing this as incidental crypto theft. I was wrong.
Lena: Hmm.
Dr.: The evidence that shifted me: Treasury's OFAC sanctions in March 2026 — just weeks before the Axios compromise — explicitly targeted IT worker networks generating eight hundred million dollars in 2024. That's approaching or exceeding crypto theft in some estimates.
Halil: Eight hundred million dollars from fake IT workers.
Dr.: One hundred thousand operatives. Sustainable, recurring, attribution-resistant. DPRK has bifurcated their revenue model. Labyrinth Chollima — that's the unit behind the Bybit and Drift heists — does the high-yield crypto grabs. Stardust Chollima builds the infrastructure for the worker fraud ecosystem.
Lena: And that's exactly what the Axios compromise serves. When a DPRK operative poses as a remote developer, they need legitimate-seeming commit histories, IDE environments, real machine fingerprints. Compromising Axios gives them access to actual developer workflows to mimic.
Dr.: And the code-signing reconnaissance at OpenAI — I now read that as intelligence gathering for future operations. Understanding how major AI firms handle software provenance. Inserting fraudulent workers into AI supply chains.
Halil: So the timing — March 31st, weeks after the OFAC sanctions — that's not coincidence.
Dr.: Adaptive pressure response. When Treasury squeezes one revenue stream, Bureau 121 accelerates the others. This is what sanctions pressure looks like in the cyber domain.
Lena: Google's phrasing is careful but significant — 'strategic alignment at higher organizational level' between the Axios and LiteLLM campaigns. Two units. One unified operational architecture.
▶ 06 Attribution: UNC1069 vs. Stardust Chollima — Does the Name Matter? [10:31]
Halil: Lena, vendor naming is creating noise here. Google says UNC1069. CrowdStrike says Stardust Chollima. Are these the same group? And crucially — is this the same unit that did the Drift hack?
Lena: So — UNC1069 and Stardust Chollima are overlapping designations for the same cluster. Different vendors, different naming conventions. Open-source reporting explicitly notes UNC1069 has relationships with BlueNoroff, Sapphire Sleet, Stardust Chollima — not identical, but cluster overlap within DPRK's loosely organized ecosystem.
Halil: And versus Labyrinth Chollima — the Drift attackers?
Lena: Distinct. Different malware families — WAVESHAPER.V2 and SILKBELL here versus the Drift tooling. Different targeting modality. Drift was six months of in-person social engineering into a crypto firm. Axios is supply chain staging.
Alex: Right. And I want to flag — CrowdStrike's claim of infrastructure overlap between sfrclak dot com and prior Stardust Chollima campaigns? I found no independent verification. Their 'moderate confidence' appears based on service banner similarity — not observed IP reuse, not certificate transparency patterns.
Lena: I ran the same check. The overlap claim is unverified. We'd need to observe that signing material deployed in subsequent DPRK malware samples to establish a definitive link.
Halil: So where does attribution confidence land?
Lena: UNC1069 or Stardust Chollima as the actor — moderate confidence. Infrastructure definitively tied to prior campaigns — low confidence. Distinct from Labyrinth Chollima — moderate-high. This is Bureau 121 convergence, not a false flag.
Alex: Which for defenders doesn't change the response. The malware is real. The C2 is real. Rotate credentials, rebuild compromised systems. Attribution is Intel's problem.
Lena: It matters for threat modeling. If you know this is the IT worker infrastructure unit and not the direct crypto heist unit, your risk profile is different.
▶ 07 ShinyHunters' Anodot Playbook: One SaaS Tool, Dozens of Victims [13:02]
Halil: Let's move to ShinyHunters. Today was the deadline. Pierre — the Rockstar number. Seventy-eight-point-six million records. What's the actual damage?
Pierre: So, Take-Two is already down twenty-one-point-seven-nine percent year-to-date. GTA VI launches in November — seven months out. This data includes marketing timelines, contracts with Sony and Microsoft, voice actor deals, fraud detection systems. That's competitor-grade intelligence.
Halil: Dollar figures.
Pierre: Base case — data published, no player personal information — a hundred fifty to two hundred fifty million in operational exposure. If GTA VI marketing is disrupted, you're looking at five to seven billion in market cap risk. The 2022 breach cost them six months of development time.
Halil: Lena — Rockstar is confirmed. But this isn't just one victim. How does the Anodot vector work?
Lena: Cloud cost monitoring platforms — Anodot is an analytics platform that was acquired by Glassbox — require extensive IAM permissions to function. Service-to-service authentication tokens. Those tokens bypass MFA by design. That's not a vulnerability — it's an architectural blind spot.
Lena: Anodot's status page showed connectors down April 4th — Snowflake, Amazon S3, Amazon Kinesis all affected. ShinyHunters compromised the platform, extracted tokens, then pivoted into customer cloud environments appearing as legitimate authenticated services.
Halil: Over a dozen companies.
Lena: ShinyHunters is claiming dozens. Confirmed: Cisco, Telus, Hallmark, Infinite Campus, Amtrak, McGraw Hill. The common thread — companies with high-value analytics data in Snowflake warehouses connected to Anodot.
Pierre: Why steal credit cards when you can steal corporate analytics? Financial metrics, player behavior data, fraud detection algorithms, travel booking patterns — this is insider-trader-level intelligence for sale.
Halil: Is Booking.com part of this same campaign? The timing is suspicious.
Lena: No operational link. I found zero attribution data connecting Booking.com to ShinyHunters or to Anodot. Different attack vector — direct unauthorized access to reservation data, no extortion pattern. The concurrent timing appears coincidental.
▶ 08 SaaS-to-Cloud Is Now a Repeatable Playbook [15:46]
Halil: James — how is this different from the 2024 Snowflake campaign? Is this an evolution or just the same attack with different packaging?
James: It's an evolution. The 2024 UNC5537 campaign — that was infostealer malware stealing credentials from personal devices, then credential-stuffing Snowflake accounts that had no MFA. Classic brute force.
James: This is supply chain-level access. They're not phishing individual Snowflake admins. They're breaching one upstream platform and getting trusted service accounts into dozens of customer environments simultaneously.
Lena: And Lena's point stands — ShinyHunters is likely an umbrella designation for the same cybercriminal ecosystem that ran UNC5537. They've graduated from credential stuffing to SaaS supply chain compromise.
Alex: The operational logic is clean. Why do sixty targeted phishing campaigns when you can breach one integration point and own sixty environments at once?
James: And your SIEM won't catch it. The tokens appear as legitimate service accounts. Normal query patterns — until they start doing bulk exports at two in the morning.
Halil: So what's the detection window?
James: Snowflake query history. Anomalous bulk exports. Off-hours access patterns. Tables your SaaS platform has no business querying. That's your signal — but only if you're looking for it.
Pierre: And most organizations have no idea what their SaaS vendors are actually touching inside their cloud environments. Token sprawl is invisible risk.
James: Exactly. No service token should have a lifetime over twenty-four hours in production. That's the architectural change that matters here.
▶ 09 CVE 2026-3584: When Disclosure and Exploitation Happen in the Same Hour [17:40]
Halil: CVE 2026-3584. Kali Forms WordPress plugin. CVSS nine-point-eight. Alex — this was exploited the same day the patch dropped. What happened?
Alex: Patch disclosed March 20th. Exploitation started within hours. Three hundred twelve thousand-plus blocked attempts documented. Single IP generated a hundred fifty-two thousand of those — that's fully automated, scripted mass exploitation.
Halil: What's the vulnerability class?
Alex: Pre-auth remote code execution. No credentials needed. You send a crafted POST to admin-ajax.php with the kaliforms_form_process action and a malicious entryCounter parameter — triggers a call_user_func pattern. Persistent backdoor dropped into functions.php.
James: And peak exploitation was April 4th through the 10th. That's not random — that's deliberate targeting of the Wordfence free-tier protection delay window. Wordfence free users get firewall rules thirty days after paid users.
Halil: They timed the campaign to hit organizations in the protection gap.
James: Exactly. If you're on Wordfence free, you were unprotected for two weeks after the patch existed. Attackers know the free tier delay schedule.
Alex: That's the pattern that should alarm people. This isn't just fast exploitation — it's exploitation timed to maximize the victim pool. The window between disclosure and protection is now an attack surface.
Halil: What does this mean for organizations that can't patch in twenty-four hours?
James: Honestly? Permanent breach posture. If you can't patch CVSS nine-plus vulnerabilities on internet-facing systems within twenty-four hours, you're operating with the assumption that exploitation happens before you act. That has to change the way you architect exposure.
Alex: And check functions.php now. If you ran Kali Forms and didn't patch on March 20th — look for base64 blobs or eval blocks added after that date. The backdoor is persistent.
▶ 10 Claude Mythos: Real Capability Threshold or 'The Boy Who Cried Vulnerability'? [19:57]
Halil: Arjun — Claude Mythos. Anthropic's claim: an AI system that found a twenty-seven-year-old OpenBSD TCP stack bug and achieved seventy-three percent on expert CTF tasks. Real, or hype?
Dr.: Both, depending on which claim you're evaluating. The UK AI Security Institute gave it seventy-three percent on expert-level CTF tasks that 'no AI model could complete before April 2025.' That institution has no incentive to inflate Anthropic's marketing. That number is credible.
Halil: So what's the problem?
Dr.: The metric collapse. Mythos claims seventy-two-point-four percent success on full Firefox RCE exploits. But when you require the model to actually select the correct exploit components — not just generate something that works by statistical coverage — the success rate drops to four-point-four percent.
Alex: Wait — seventy-two down to four? That's not a rounding error.
Dr.: No, it isn't. It tells you the shape of the capability. It's generating a lot of scaffolded attempts and succeeding through volume, not through reliable, repeatable understanding of vulnerability patterns.
Dr.: And there are grading-correction footnotes on Cybench where every correction moved scores upward in Anthropic's favor. No independent audit of the re-grade methodology. That's a citation circle problem.
Halil: So should defenders change their threat posture based on Mythos?
Dr.: Treat it as a credible inflection point, not as confirmed evidence that AI can now autonomously compromise any major OS. What Mythos genuinely does better than previous tools is agentic closure — it discovers, validates by execution, iterates, and exploits within a controlled container. That's the intern who can read code, run it, see it crash, add instrumentation, and hand you a working exploit.
Dr.: The watch signal I'd set: whether any of the forty Glasswing partners produce independently verifiable CVE disclosures in the next ninety days crediting Anthropic's model. Firefox, OpenBSD, Linux kernel maintainers. If we see those CVEs — capability is validated. If we don't, that's also data.
Halil: What's the threat trajectory if open-weight models catch up in six to twelve months?
Dr.: Vulnerability discovery democratization in an era where patching velocity is already outpaced by exploitation windows. That's the scenario worth running tabletops for now, before it's operational reality.
▶ 11 Regulatory: Who's on the Clock and When Did It Start? [22:53]
Halil: Sofia — three separate incidents, three different legal questions. Rockstar's seventy-eight million records. Booking.com's reservation data. OpenAI's 'no evidence' certificate situation. Where does each one stand on notification obligations?
Dr.: Starting with Rockstar. Under GDPR Article 33, the notification obligation cascades but ultimately lands on Rockstar as the controller. Anodot, as the processor, must notify Rockstar without undue delay — and Rockstar's seventy-two-hour clock to the Dutch DPA starts when Anodot tells them, not when Anodot first discovered the breach.
Halil: So the processor delay eats into the controller's window.
Dr.: Precisely. And there's a gray area here worth examining — the leaked data appears largely business analytics, not personal data of identifiable individuals. If no personal data is involved, GDPR notification obligations may not be triggered at all. That's the first thing Rockstar's legal team should determine.
Halil: Booking.com — more straightforward?
Dr.: Much more straightforward, and much more dangerous for them. Booking.com is headquartered in Amsterdam. Dutch DPA is the lead authority. And the Dutch DPA has already fined Booking.com four hundred seventy-five thousand euros for a 2019 late notification — twenty-two days instead of seventy-two hours. They are a repeat target for this specific regulator.
Dr.: Names, addresses, travel itineraries — that's high-risk personal data that almost certainly triggers both DPA notification and data subject notification under Article 34. And under NIS2, as a digital service provider, there's also a twenty-four-hour early warning requirement for significant incidents.
Halil: And OpenAI — 'no evidence of compromise.' Do they have a disclosure obligation?
Dr.: This is the most analytically interesting question. Under SEC rules, Form 8-K Item 1.05 requires disclosure within four business days of determining an incident is 'material.' The trigger is whether there's a 'reasonably likely material impact' on the registrant's financial condition.
Dr.: OpenAI's 'no evidence' finding is legally defensible. But — and this is important — the precautionary certificate rotation and forced app update are themselves evidence they treated this as serious. A plaintiff's attorney or later SEC review could frame those responses as an implicit acknowledgment of material risk.
Dr.: My advice: file the 8-K anyway. Over-disclosure costs almost nothing. The alternative is a materiality challenge in a securities fraud lawsuit three years from now.
▶ 12 Synthesis: What You Do in the Next 24 Hours [25:52]
Halil: Let's pull this together. James — you've been listening to everything. Prioritization. What does the next twenty-four hours look like?
James: Three things in the next four hours. First — audit every CI/CD pipeline and developer environment for Axios. Any system that resolved axios at 1.14.1 or axios at 0.30.4 between March 31st and April 2nd is confirmed compromised. Do not clean it. Rebuild from scratch. Rotate everything — cloud keys, API tokens, GitHub PATs, npm publish tokens, SSH keys.
James: Second — patch Kali Forms to version 2.4.10 on every WordPress installation right now. Then scan server logs for POST requests to admin-ajax.php with the kaliforms_form_process action. Check functions.php for injected base64 blobs or eval blocks added since March 20th.
James: Third — emergency inventory of every third-party SaaS platform with authentication tokens to Snowflake, S3, or Kinesis. Force-rotate all service tokens exceeding twenty-four-hour lifetime. If your organization uses Anodot — assume compromise and engage incident response immediately.
Halil: Next seven days — the OpenAI certificate window.
James: Verify all macOS OpenAI apps — ChatGPT Desktop, Codex, Codex-cli, Atlas — are updated to versions signed with the new certificate. Any pre-April-12 version is on an untrusted signing chain. Create YARA rules for legitimate signed OpenAI binaries to detect repacked malicious versions. In regulated environments, document this as an audit finding.
Halil: Pierre — one number that should focus executive attention.
Pierre: Token sprawl. Most organizations have no idea what their SaaS vendors are touching inside their cloud environments. This Anodot campaign hit over a dozen companies through one integration point. The contingent liability for any company with long-lived service tokens into Snowflake or S3 is real and it's now.
Halil: Elena — the bigger picture on DPRK. What are we watching for?
Dr.: Bureau 121 is in a sustained adaptive cycle. Every sanctions action generates an operational response. The IT worker army — a hundred thousand operatives — is not slowing down; it's professionalizing. Watch for DPRK-affiliated developers appearing in AI company pipelines specifically. That's the next phase of this campaign.
Halil: And Arjun — Claude Mythos in thirty seconds.
Dr.: Real capability crossing, real benchmark skepticism. Run tabletops for AI-assisted zero-day discovery scenarios within thirty days. Set the ninety-day watch on Glasswing CVE disclosures. Don't change your threat posture based on headlines — change it based on verified evidence.
Halil: Here's the thread that runs through everything today: trust is being systematically attacked. Trust in npm packages. Trust in code-signing certificates. Trust in SaaS integrations. Trust in AI capability claims. The perimeter isn't a firewall anymore — it's every dependency, every token, every vendor relationship your organization has.
Halil: What we'll be watching tomorrow: whether any more Anodot victims go public, whether OpenAI-signed malware samples surface before May 8th, and whether CVE 2026-3584 exploitation expands beyond the current IP cluster. Those are the early warning signals.
Halil: That's it for today's CyberDaily Threatcast. Stay safe. See you tomorrow. Thanks to Blue Cortex AI for sponsoring today's episode. Autonomous SOC, real reasoning, no black box. bluecortex.ai.
Episode (Tue 14 Apr): North Korea, Snowflake, and the Signing Cert That Shouldn't Have Been There