Threatcast

Autonomous Worm, Unseizable C2, and 19 Million Stolen Identities

Chapters
01 Cold Open: Autonomous Worm, Unseizable C2, 19 Million Stolen Identities
02 Sponsor — Blue Cortex AI
03 The Worm That Needs No Human: Namastex vs. UNC1069
04 The C2 You Cannot Seize: ICP Canisters Explained
05 Attribution Showdown: TeamPCP, Copycat, or Something Else?
06 Three Ecosystems Down: The Structural Governance Crisis
07 Trusted-Platform C2: When graph.microsoft.com Is the Threat
08 ANTS Breach: 19 Million Government Identities, Already on Criminal Forums
09 GDPR on the Clock: The Five-Day Gap and What It Costs
10 The EU Cascade: Banks, NIS2, and the KYC Reckoning
11 The Financial Reckoning: Board-Level Numbers
12 The IR Checklist: What You Do in the Next Four Hours
13 Synthesis: The Structural Shift and What We Watch Next
Speakers
Halil, Alex, Lena, Pierre, James, Dr., Dr.
01 Cold Open: Autonomous Worm, Unseizable C2, 19 Million Stolen Identities [00:00]
Halil: A self-propagating npm worm that needs zero human interaction. C2 infrastructure built on blockchain that no court order can seize. And nineteen million government-verified French identity records already on criminal forums before Paris said a word. Welcome to CyberDaily Threatcast. I'm Halil Öztürkci. Let's get into it.
Halil: Three threads today — and all three connect. First: the Namastex Labs npm worm. This is not another social-engineering-dependent supply chain hit. This thing propagates autonomously. That is a structural shift.
Halil: Second: the attribution puzzle. Is this TeamPCP — the criminal crew we covered last week — or someone who studied their playbook and built a knockoff? Alex and Lena actually disagreed on this, and that disagreement matters.
Halil: Third: France's ANTS breach. Nineteen million passports and national IDs. A five-day disclosure gap that is a textbook GDPR violation. And downstream fraud exposure that Pierre is pricing at fourteen billion euros.
Halil: Tying all of this together: a detection crisis. When your C2 runs through Microsoft Graph API and Hugging Face, domain blocklists are useless. James has deployable Sigma rules. We are getting to those.
Halil: Note to listeners: we covered the France ANTS breach and TeamPCP's supply chain campaigns in the last two days. Today's delta is significant — a worm that propagates itself, ICP canister C2 that cannot be taken down, and a reconciled attribution verdict. That is where we are focused.
02 Sponsor — Blue Cortex AI [02:04]
Halil: This episode is brought to you by Blue Cortex AI and Tarhy — their autonomous SOC platform. Here's what Tarhy does: it pulls alerts from your EDR stack — Defender, CrowdStrike, Cortex XDR, SentinelOne — and its AI agents triage every single one, around the clock. Not just pattern matching. Multi-step reasoning, cross-event correlation, MITRE ATT&CK mapping, and a confidence-scored verdict — all in about three minutes. And here's the thing that matters: their Neural Timeline shows you exactly how the AI reached each decision. No black box. The results speak for themselves — sixty to seventy percent fewer false positives, eighty percent faster time to verdict. If your SOC is drowning in five thousand alerts a day, Tarhy can save twenty-five hundred analyst hours a month. Check them out at bluecortex.ai.
03 The Worm That Needs No Human: Namastex vs. UNC1069 [03:13]
Halil: Alex. Last week we covered UNC1069 — that's CrowdStrike's name for the North Korean unit that hit the Axios npm package through a compromised maintainer. Walk me through why Namastex is different.
Alex: Right, so — the UNC1069 Axios hit required social engineering. They had to trick a human. Namastex? No human required. You run npm install, the postinstall hook fires, and it's done.
Alex: Here is the kill chain. The hook scans for every npm token on the machine — your home directory, environment variables, the npm config. Then it calls the registry API to list every package that token has publish rights to.
Lena: And then it republishes them. Injects the same malicious hook, bumps the patch version, pushes it as the latest release. Every downstream developer who updates becomes a new infection vector.
Halil: Exponential spread.
Alex: Exactly. UNC1069 was linear — one maintainer, one package. This is exponential. And it is already in sixteen-plus Namastex packages, with cross-propagation logic present in PyPI as well.
Lena: The targeting is also deliberate. These are not random high-download packages. The Socket research shows AI coding tooling, PostgreSQL connectors, and — this one caught my eye — the OpenWebConcept design system. That is a Netherlands government digital framework.
Halil: So developer environments with privileged backend access. Not consumers.
Alex: Correct. CI/CD runners, cloud credentials, SSH keys — the full pivot toolkit. Most EDRs do not monitor npm install subprocess activity with enough granularity to catch this at install time. By the time you see it, the hook has already fired.
Pierre: And the cascade math is brutal. Six thousand seven hundred forty-four weekly downloads across the primary packages. If forty percent are in credentialed CI/CD environments, you are looking at over two thousand seven hundred organizations exposed immediately.
Alex: Pierre, that is conservative. Every compromised dev with publish rights becomes ten to twenty new vectors within the hour. That is why the four-hour containment window is not a suggestion — it is a financial SLA.
Pierre: Right. Miss that window and the model shifts from seventy-five million in direct remediation costs to north of two billion.
04 The C2 You Cannot Seize: ICP Canisters Explained [05:59]
Halil: Alex, you flagged the ICP canister infrastructure as something that will get widely copied. Explain why for listeners who haven't heard of Internet Computer Protocol before.
Alex: So — ICP is a blockchain platform. A canister is essentially a smart contract running on that network. The attacker deploys their C2 logic there. Three exposed methods: fetch the latest payload URL, serve it over HTTP, and rotate it on demand.
Alex: The critical point: there is no domain registrar to notify. No hosting provider to subpoena. No server to seize. The infrastructure runs on globally distributed blockchain consensus nodes.
Lena: And the actor can push new payloads or rotate infrastructure in real time without touching any infected package. The worm just polls the canister. It gets new instructions.
Halil: So traditional incident response — seize the server, sinkhole the domain — does not work here.
Alex: Does not work. Network-level blocking is your only option. Block the ICP domains at your proxy or firewall.
James: The domains are icp0.io, icp-api.io, and ic0.app. Block those at perimeter unless your organization has legitimate Internet Computer Protocol usage — which, honestly, most do not.
Lena: And worth noting — the canister ID in Namastex is different from the original CanisterWorm infrastructure DFIR Radar tracked in March twenty twenty-four. Same approach, different canister. They are rotating infrastructure without any traditional takedown pressure.
Halil: James, you mentioned IR runbooks need to be updated for this. How big a change is that?
James: Look, every playbook I have ever written assumes C2 infrastructure can be taken offline by law enforcement or by us. ICP breaks that assumption entirely. We need a new category in our runbooks — unseizable C2 — and the response is containment at our network edge, not infrastructure takedown.
05 Attribution Showdown: TeamPCP, Copycat, or Something Else? [08:12]
Halil: Now the attribution debate. Alex, you initially assessed the xinference PyPI compromise as genuine TeamPCP. Lena pushed back. Walk me through how you landed.
Alex: Yeah, so — I over-indexed on code pattern similarity. The base sixty-four obfuscation, the AI/ML targeting, the hashtag marker in the code. I called it TeamPCP with high confidence. Lena correctly challenged that.
Lena: The missing TTPs are the tell. In March, legitimate TeamPCP operations used WAV steganography — hiding C2 payload delivery inside audio files. They used dot-pth file injection for persistence. Neither is present in xinference.
Alex: Right. And I should have weighted those absences more heavily. The xinference attack has a fully embedded payload — static base64 in the init file. No live C2 orchestration. No runtime payload delivery. Someone captured the March playbook but lacks the operational infrastructure.
Lena: My assessment: moderate confidence for copycat or tradecraft appropriation. Low confidence for direct TeamPCP involvement. The public denial from TeamPCP is interesting — legitimate intelligence teams do not typically disclaim ops in public.
Halil: Could the hashtag marker itself be deliberate misdirection?
Lena: Either false flag or aspirational branding. An unaffiliated cell that studied the public reports from Mend, StepSecurity, and JFrog in late March. The technical progression is off — real TeamPCP iterates fast. WAV steganography appeared within three days of their dot-pth technique. An April attacker using March-grade tooling is not the same team.
Alex: Agreed. Revised call: unnamed criminal cluster. TeamPCP copycat. Low confidence for direct attribution, moderate confidence for tradecraft appropriation. Lesson re-learned — missing TTPs matter as much as matching ones.
Halil: And UNC1069 — the North Korean unit from the Axios hit — any connection?
Lena: None that I can see. Zero infrastructure overlap. UNC1069 used traditional HTTPS JSON-based C2. No ICP canisters, no token-harvest worm mechanics. Different supply chain toolkit entirely.
Alex: For defensive purposes it does not matter who wrote it. Treat xinference versions two point six point zero through two point six point two as compromised. Downgrade to two point five point zero. Do not wait on attribution certainty.
06 Three Ecosystems Down: The Structural Governance Crisis [11:09]
Halil: Elena, you have been developing a thesis about open-source ecosystems as critical infrastructure without critical infrastructure governance. Bring it to this moment — npm, PyPI, and WordPress, all hit in the same window.
Dr.: The synchronization is the signal. Spring twenty twenty-six sees coordinated, professionalized attacks across three ecosystems via the same vector: ownership and trust transfer mechanisms. This is not opportunistic. Adversaries recognize that open-source repositories are the soft underbelly of Western digital infrastructure.
Lena: The WordPress case is particularly striking on the dwell time. The attacker purchased thirty-one plugins on Flippa in early twenty twenty-five, planted a dormant PHP deserialization backdoor in August, and activated it eight months later. That is not a grab-and-run operation.
Dr.: Exactly. And the structural gaps are unchanged. WordPress still has no ownership-change notification for plugin consumers. npm still accepts legacy token publishing alongside modern OIDC — that is the exact vector the Namastex worm exploits.
Halil: Hmm. Same conversation we were having a week ago.
Dr.: And that is the problem. These are policy failures, not technical ones. npm and PyPI collectively serve tens of millions of developers. WordPress powers forty percent of the web. These are critical infrastructure by any reasonable definition — except the legal one.
Pierre: Which means no mandatory security baseline, no breach notification obligation, no regulator with jurisdiction. I find that extraordinary given the financial exposure.
Dr.: My provocative thesis: the ANTS breach and the supply chain attacks share a structural logic. Both exploit trust transfer mechanisms designed for efficiency, not adversarial resilience. France's identity infrastructure, the global software supply chain — different theaters of the same war.
James: Which is why min-release-age matters. Setting a seven-day hold on newly published package versions in your npm configuration does not solve the governance gap, but it breaks the exponential propagation window. Buy time while the ecosystem catches up.
07 Trusted-Platform C2: When graph.microsoft.com Is the Threat [13:37]
Halil: Before we get to the ANTS breach, I want to close out the detection problem. James flagged this as urgent — when your C2 runs through Microsoft Graph API and Hugging Face, the old playbook is dead. James, explain the GoGra backdoor and why this matters.
James: So GoGra — this is a Linux backdoor attributed to the Harvester threat actor — uses Microsoft Graph API as its command-and-control channel. It polls the mail endpoint every two seconds, looking for messages with the subject prefix 'Input dot' to receive commands.
Alex: And the traffic looks completely legitimate. You are seeing HTTPS to graph.microsoft.com with valid TLS and a valid access token. A traditional domain or IP reputation block does nothing.
James: Right. So the detection anchor is behavioral. Linux hosts polling Graph API mail endpoints more than ten times per minute — that is anomalous. That is your Sigma rule. Also: Azure AD client credentials flow from non-approved Linux hosts.
Halil: And the Hugging Face exfiltration vector?
James: The Namastex worm and the js-logger-pack family use Hugging Face private dataset uploads for exfiltration. You are looking for POST requests to the Hugging Face datasets API, uploads over ten megabytes, and — a filename pattern JFrog flagged — 'keylog' in the upload path.
Lena: This is not isolated to one actor. Prior campaigns used Slack webhooks and AWS API Gateway. The pattern is: find a trusted cloud platform with high API call volume, blend in. Detection has to follow API telemetry, not infrastructure reputation.
Alex: Which means you need seven days of legitimate traffic baseline before you tune those thresholds. If you have Linux build agents doing real Graph API work, the false positive rate on the polling rule is forty percent without baseline filtering.
James: Seven-day baseline, then deploy. That is the correct sequence. Do not skip the baseline and generate alert fatigue on day one.
Halil: The fundamental shift — from domain and IP blocking to behavioral API telemetry analytics. That is the headline.
08 ANTS Breach: 19 Million Government Identities, Already on Criminal Forums [16:05]
Halil: We covered the ANTS breach yesterday — the France national ID agency, nineteen million records. Quick note: today's discussion has materially new angles on the downstream cascade and the regulatory enforcement posture. Elena, the identity profile matters here. Why are these records different from a typical data breach?
Dr.: Because these are government-certified. Full names, dates of birth, birthplaces, passport data, and a field in the dataset that reads 'certifie: true' — meaning the French state has verified this identity. That trust marker is what makes these records premium on criminal markets.
Pierre: And that is why my numbers are where they are. Standard breach cost per record in France — LexisNexis data shows every euro of fraud costs three euros sixty-four in total impact. At nineteen million government-verified records, you are looking at twelve to sixteen billion euros in ninety-day exposure.
Dr.: Think beyond credit fraud. EU freedom of movement means a compromised French identity is effectively a compromised European identity. Schengen borders become vectors, not barriers.
Lena: And the timing of the forum advertisement is damning. The threat actor listed the data for sale between April sixteenth and nineteenth. ANTS did not disclose until April twentieth. The adversary beat the data controller to public disclosure.
Halil: Wow.
Dr.: This mirrors the strategic consequence of the 2015 OPM breach in the US — not in attribution, but in scope. Every French diplomat, intelligence officer, and military official who ever applied for a passport is now in datasets being traded internationally.
Pierre: And the downstream exposure does not stop at France. Banks across the EU that relied on ANTS-verified identity for KYC purposes now need to assess whether their verification baseline is compromised. That is a significant re-verification burden.
09 GDPR on the Clock: The Five-Day Gap and What It Costs [18:17]
Halil: Sofia. GDPR Article thirty-three requires notification to the supervisory authority within seventy-two hours of detection. ANTS detected on April fifteenth, disclosed on April twentieth. Walk us through the enforcement exposure.
Dr.: This is a textbook Article thirty-three one infringement. The seventy-two hour window is clear. The phrase 'where feasible' in the regulation allows for some flexibility, but the bar for justification is high. A five-day gap requires explanation.
Dr.: And ANTS must provide those reasons for delay alongside their notification — that is mandatory under the second sentence of Article thirty-three one when the window is missed. The CNIL will scrutinize that documentation carefully.
Halil: The CNIL — that is France's data protection authority. Recent enforcement patterns?
Dr.: Harsh. Twenty-seven million euros and fifteen million euros against Free Mobile and its parent for a 2024 breach. Five million against France Travail for inadequate security. The CNIL treats government bodies and critical operators as examples. For ANTS, the fine ceiling under Article eighty-three four is ten million euros — but the reputational and operational consequences of a formal sanction decision against a public body are substantial.
Pierre: Sofia, does the forum advertisement factor into the penalty calculation?
Dr.: Yes, significantly. Under Article eighty-three two, the authority considers the manner in which the infringement became known. The threat actor's forum post effectively blew the whistle. That is not a favorable fact pattern for ANTS's cooperation assessment.
Dr.: And there is an Article thirty-four dimension. When a breach is likely to result in high risk to individuals, controllers must communicate directly to data subjects without undue delay. The practical reality: French citizens learned of their exposure from dark web monitors and press coverage before official channels.
Dr.: Which compounds the public trust damage. Three major French government databases breached in twelve months — France Travail, FICOBA, now ANTS. This is a pattern that suggests France is being systematically pressure-tested.
10 The EU Cascade: Banks, NIS2, and the KYC Reckoning [20:41]
Halil: Sofia, you flagged that the regulatory web extends well beyond ANTS itself. Walk through the downstream obligations.
Dr.: Three distinct downstream categories. Banks and financial institutions first — they face enhanced customer due diligence obligations and potential re-verification requirements under the Anti-Money Laundering Fifth Directive if ANTS-verified data was their sole KYC source.
Dr.: Second: EU government agencies that qualify as Essential or Important entities under NIS2 must assess whether the ANTS breach constitutes a significant cyber threat and communicate accordingly to service recipients under Article twenty-three two.
Dr.: Third: private KYC service providers. They have contractual audit obligations under GDPR Article twenty-eight and potential processor-to-controller notification duties. And here is the liability exposure — the CJEU's 2024 Scalable Capital ruling allows data subjects to claim compensation for non-material damage. A synthetic identity attack that succeeds because a bank relied on a compromised ANTS-verified record — that bank faces its own GDPR scrutiny.
Pierre: The Dutch government angle is also live here. The OpenWebConcept design system in the npm worm is a Netherlands government digital framework. NIS2 essential entity notification obligations potentially extend to Dutch public sector organizations who had that package in their build pipelines.
Halil: So the ANTS breach and the supply chain worm both create NIS2 exposure simultaneously, in different EU member states.
Dr.: Correct. Organizations in other member states that process ANTS-verified data must conduct their own risk assessments — that is not automatic DPA notification, but it is documentation that supervisory authorities can and will request.
James: From a practical standpoint: if you have French customers and your KYC flow relied on ANTS-verified data, brief your identity fraud and AML teams today. Assess whether re-verification is required. Document that assessment. That documentation is your GDPR audit trail.
11 The Financial Reckoning: Board-Level Numbers [23:06]
Halil: Pierre, you built a board-ready financial model. Give me the headline numbers and the key assumptions.
Pierre: Two exposure tracks. Namastex worm: eight hundred million to two point one billion dollars across the affected ecosystem over ninety days. ANTS identity fraud: twelve to sixteen billion euros over ninety days. Both of those are conservative given confirmation of nineteen million records and active forum monetization.
Halil: The spread on the worm exposure is wide. What drives it to two billion versus eight hundred million?
Pierre: The four-hour window Alex flagged. Best case: twenty-five hundred organizations respond within four hours — seventy-five million in direct credential rotation and IR costs. Miss that window and the self-propagation cascade compounds the exposure. At seventy-two hours, third-generation compromise across federated publishing chains. Two billion, maybe more.
Alex: And the xinference vector multiplies that. Six hundred thousand-plus PyPI downloads. If fifteen percent are enterprise ML infrastructure — production model serving for fraud detection, trading systems, biotech — operational disruption dwarfs the credential rotation cost.
Pierre: I have five hundred million to one billion in GMV at risk from ML serving infrastructure disruption alone. If a fintech's fraud detection model goes offline because the serving framework is compromised, that is not a security cost — that is a business continuity event.
Halil: And there is a parallel crypto wallet theft track.
Pierre: Right. The payload specifically targets Bitcoin, Ethereum, Litecoin, Dogecoin, and Monero wallets. Fifty to one hundred fifty million dollars in direct crypto theft from developer wallets over thirty days. Developers hold more crypto than most people assume.
Lena: That targeting pattern is consistent with the MLOps and cloud infrastructure focus. These are developers at AI and fintech firms. The wallet targeting is a secondary monetization layer on top of credential theft.
12 The IR Checklist: What You Do in the Next Four Hours [25:32]
Halil: James. Practical actions. Someone is listening to this and they have npm in their CI/CD pipeline. What do they do right now?
James: First: check your dependency tree immediately. Run npm ls against these package names — pgserve, at-automagik-slash-genie, the fairwords and openwebconcept scoped packages. Check xinference in your Python environments. If you find a match, you are in incident response mode.
James: Rotation order matters. npm tokens first — that is the worm's propagation vector. Block it from spreading further. Then GitHub and GitLab tokens, cloud provider credentials, SSH keys, CI/CD secrets. In that exact order.
Alex: And hunt for the persistence mechanism. The worm drops a systemd service called pgmon — masquerades as a PostgreSQL monitoring service. Check for that file under the user's config directory. Also check temp directories for Python payloads.
James: Two configuration changes that matter immediately — add ignore-scripts equals true to your dot-npmrc file for all CI/CD pipelines. Switch to npm ci instead of npm install. That disables postinstall hooks during lockfile-only installs. Set min-release-age to seven days to hold newly published versions.
Halil: These are not ideal world measures. These are right now measures.
James: Exactly. And critically — you cannot patch your way out of this. The vulnerability is stolen credentials with write access to your software supply chain. Rotate first, hunt for persistence second, harden third.
Alex: And for xinference — downgrade to version two point five point zero immediately. Do not wait for clarity on whether you were targeted. The compromised versions are two point six point zero through two point six point two. Treat any installation in that range as full credential compromise.
Pierre: The board needs to approve emergency patching budget by Friday. That four-hour SLA is now a financial boundary, not just a security recommendation. Miss it and you are in the two-billion-dollar scenario, not the seventy-five-million one.
13 Synthesis: The Structural Shift and What We Watch Next [28:05]
Halil: Let me pull the threads together. Three interconnected stories today, and they all point at the same structural failure.
Halil: The Namastex worm is a genuine step-function escalation. Not because of its sophistication — the code is not revolutionary. But because it removed the human from the attack chain. Social engineering was the bottleneck for supply chain attacks. That bottleneck is gone.
Halil: The ICP canister C2 is the piece that will keep security teams up at night. Alex is right — this will be widely copied. Traditional incident response assumes you can seize or sinkhole infrastructure. ICP breaks that assumption by design. Update your runbooks.
Halil: Attribution landed at moderate confidence for a TeamPCP copycat — not direct TeamPCP, not North Korea. What matters more than attribution: the tooling is now public knowledge, documented in detail by JFrog, StepSecurity, and Socket Security. The barrier to replication is low.
Halil: The ANTS breach: nineteen million government-verified identities. A five-day disclosure gap that CNIL will not overlook. And downstream cascade obligations across every EU bank, government agency, and KYC provider that touched ANTS-verified data.
Halil: Elena's thesis holds: these are not unrelated incidents. Open-source package registries and government identity infrastructure were both designed for trust efficiency, not adversarial resilience. Adversaries noticed before regulators did.
Halil: Actions to take today: scan for the affected packages — pgserve, automagik genie, fairwords, openwebconcept, xinference versions two-six-zero through two-six-two. If found, rotate npm tokens within four hours. Block ICP canister domains at your perimeter. Deploy James's Sigma rules for Graph API polling anomalies and Hugging Face upload detection.
Halil: What we are watching tomorrow: whether npm and PyPI take structural action on token publishing controls and ownership-change notification — or whether this wave passes without governance response, and we have this conversation again in thirty days.
Halil: That's it for today's CyberDaily Threatcast. Stay safe. See you tomorrow. Thanks to Blue Cortex AI for sponsoring today's episode. Autonomous SOC, real reasoning, no black box. bluecortex.ai.