Over 12 months, we tracked a massive North Korean operation targeting crypto dev teams through fake job interviews to deploy malware on their machines. 26 operators, 379 malicious npm packages, 6 coordinated series.
Hereβs everything we learned about their operations:
1/4 Strong evidence that North Korean operators use vibe-coding tools like @Lovable to build convincing interview project scaffolding. Fake companies, websites, and coding tests all look real now. What once required real effort; proper structure, realistic configs, clean code - AI handles instantly.
Today we're launching Reaper. Your company can be doing everything right, SSO, MFA, endpoint protection, security training, and still have your employees' names sitting on the dark web next to old passwords, phone numbers and home addresses. Reaper shows you that exposure before someone uses it.
Friendly reminder that audits don't catch everything.
Cetus had three. Ronin had been audited. Bybit's Safe contracts were fine. Combined losses still cleared $1.6 B.
An audit tells you what your code looked like on the day someone read it. Everything that happened after is on you.
You don't know what you don't know.
Friendly reminder that North Korean exploits haven't slowed.
$577M stolen in the first four months of 2026 alone, 76% of all crypto hack losses this year.
You don't know what you don't know.
Microsoft is investigating mistralai PyPI package v2.4.6 compromise. Attackers injected code in mistralai/client/__init__.py that executes on import, downloads hxxps://83[.]142[.]209[.]194/transformers.pyz to /tmp/transformers.pyz, and launches a second-stage payload on Linux. The file name transformers.pyz appears deliberately chosen to mimic the widely used Hugging Face Transformers library and blend into ML/dev environments.
The main payload is a credential stealer, but it also includes country-aware logic; it avoids Russian-language environments and contains a geo fenced destructive branch that has 1-in-6 chance of executing rm -rf / when the system appears to be in Israel or Iran.
To mitigate this threat: isolate affected Linux hosts, block 83[.]142[.]209[.]194, hunt for /tmp/transformers.pyz, pgmonitor[.]py, and pgsql-monitor.service, and rotate exposed credentials.
April 2026 set the monthly record for crypto exploits. 28 incidents, $635M stolen. We pulled data on 512 incidents across 2024-2026 to understand how billion-dollar crypto hacks actually happen now.
Five trends from the past two years π§΅
Pains me when AI slop uses quietly as a modifier for everything.
"Quietly building legitimacy not asking for it."
"Quietly subversive."
"Quietly creating a retail empire."
This post is a bit misleading.
The reporting does NOT show AI autonomously discovering some universal βMFA bypassβ zero-day impacting organizations at scale. The article primarily discusses attackers leveraging AI to accelerate existing workflows such as phishing, malware development, scripting, social engineering, and vulnerability research.
MFA itself is not βbroken.β Most modern MFA bypasses still overwhelmingly come from:
> AiTM phishing frameworks (ex: Evilginx)
> Session token theft
> Social engineering
> Malware on compromised endpoints
These are known attack paths the industry has dealt with for years and are not new βAI-exclusiveβ capabilities.
For our clients specifically, many of these attack paths are already areas we continuously monitor and assess