Current OTX pulse data indicates a convergence of high-risk delivery mechanisms aimed at credential theft and initial access. Threat actors are leveraging a triad of sophisticated vectors: the "ClickFix" social engineering technique (impersonating Intuit/Booking.com to force native tool execution), supply chain compromise via Python Package Index (PyPI) targeting the AI framework Xinference, and the exploitation of AI agent sessions (Cursor/Claude) to deliver AMOS Stealer.
Collectively, these campaigns demonstrate a shift toward "living-off-the-land" (LotL) and trusted-platform abuse to bypass traditional signature-based defenses. The objective is overwhelmingly focused on harvesting cloud credentials, cryptocurrency wallets, and session tokens for infostealers like Lumma, Vidar, and RedLine, while establishing persistence via RATs (GlassWorm) or fake browser extensions.
Threat Actor / Malware Profile
ClickFix & Infostealers (Lumma, Vidar, RedLine)
- Distribution: Social engineering via fake browser updates or CAPTCHA pages instructing users to run PowerShell/Bash commands.
- Behavior: Steals browser cookies, passwords, and 2FA sessions. Often acts as a loader for subsequent payloads like NetSupport RAT.
- Technique: Uses obfuscated PowerShell commands to download payloads from domains like `ustazazharidrus.com` or `account-help.info`.
GlassWorm
- Distribution: Compromised code repositories/package managers targeting developers.
- Behavior: Fingerprinting the host, fetching payloads via the Solana blockchain (unconventional C2), and installing fake browser extensions for surveillance.
- Target: Blockchain developers and cryptocurrency users.
Xinference (PyPI Compromise)
- Distribution: Malicious versions 2.6.0, 2.6.1, and 2.6.2 of the `xinference` library, uploaded on April 22, 2026.
- Behavior: Base64-encoded code in `__init__.py` executes upon import, stealing cloud credentials (AWS/Azure/GCP).
AMOS Stealer
- Distribution: Delivered via "Cursor" AI agent sessions by tricking operators into accepting malicious AppleScript.
- Behavior: Keylogging, clipboard hijacking, and stealing data from macOS Keychain and crypto wallets.
IOC Analysis
The provided indicators span multiple infrastructure types:
- Domains: A mix of compromised legitimate domains and typo-squatting lookalikes (e.g., `cibcsecurity2fa.com`, `rbcdevice-login.com`, targeting the financial sector). These serve as C2 nodes or landing pages for ClickFix.
- IP Addresses: Specific IPs (e.g., `45.94.47.204`) associated with AMOS Stealer C2 infrastructure.
- File Hashes: Numerous MD5 and SHA256 hashes corresponding to the malicious PyPI packages (`xinference`) and AMOS payloads.
- URLs: Specific endpoints like `https://arkypc.com/n8n/update` used for payload retrieval.
Operational Guidance: SOC teams should immediately ingest these hashes into EDR solutions for scanning and block the listed domains/IPs at the perimeter firewall and secure web gateways (SWG). Decoding the Base64 strings found in the Xinference samples requires standard scripting tools (Python or CyberChef).
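The following is an added example (not code from the brief or from the xinference project) that covers both the Xinference profile above and the decoding note: it reports whether an installed `xinference` is one of the releases named here and pulls the base64 blobs out of a package `__init__.py` that also calls `exec`/`eval`, returning the decoded stage for an analyst to read. The sample `__init__.py` is constructed with a benign stand-in payload.

```python
"""Host-side triage for the xinference PyPI compromise (added example).
Flags an installed xinference in the 2.6.0-2.6.2 range and decodes base64
runs from an __init__.py that also exec()/eval()s them."""
import base64
import re
from importlib import metadata
from pathlib import Path

COMPROMISED = {"2.6.0", "2.6.1", "2.6.2"}  # releases named in the brief
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")  # long base64-looking runs
EXEC_RE = re.compile(r"\b(exec|eval)\s*\(")  # decode-then-execute marker


def installed_version_status(dist="xinference"):
    """Return (version, compromised); version is None when not installed."""
    try:
        ver = metadata.version(dist)
    except metadata.PackageNotFoundError:
        return None, False
    return ver, ver in COMPROMISED


def extract_b64_payloads(source):
    """Decode base64 runs from module source, but only if it also exec()/eval()s.
    A long base64 literal alone is common (embedded assets); paired with exec
    it is the pattern the brief describes."""
    if not EXEC_RE.search(source):
        return []
    payloads = []
    for m in B64_RE.finditer(source):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        payloads.append(raw.decode("utf-8", errors="replace"))
    return payloads


def scan_init_file(path):
    """Read an __init__.py from disk and return its decoded payloads."""
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    return extract_b64_payloads(text)


# Constructed sample of the decode-and-exec shape (benign stand-in payload,
# not the real malicious code).
_STAGE = base64.b64encode(b"import os\nprint(os.environ.get('HOME'))\n").decode()
SAMPLE_INIT = "import base64\nexec(base64.b64decode('" + _STAGE + "'))\n"
```

On a real host, pass the installed package's `__init__.py` path to `scan_init_file` after `installed_version_status` reports a hit.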
Detection Engineering
```yaml
title: Suspicious PowerShell Encoded Command - ClickFix Pattern
id: 8a2b1c3d-4e5f-6a7b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects PowerShell commands often used in ClickFix campaigns involving Base64 decoding or obfuscation to download stealers like Vidar or Lumma.
references:
  - https://otx.alienvault.com/
author: Security Arsenal
date: 2026/04/28
modified: 2026/04/28
logsource:
  category: process_creation
  product: windows
detection:
  selection_image:
    Image|endswith: '\powershell.exe'
  # The two CommandLine lists must sit in separate selections: a repeated key
  # inside one YAML mapping silently overwrites the first list.
  selection_obfuscation:
    CommandLine|contains:
      - 'FromBase64String'
      - 'IEX'
      - 'Invoke-Expression'
      - 'Hidden'
  selection_url:
    CommandLine|contains:
      - 'http://'
      - 'https://'
  condition: selection_image and selection_obfuscation and selection_url
falsepositives:
  - Administrator scripting
level: high
---
title: Malicious PyPI Package Installation - Xinference Supply Chain
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects installation or import of known compromised versions of the 'xinference' package (2.6.0 - 2.6.2) delivering credential theft payloads.
references:
  - https://otx.alienvault.com/
author: Security Arsenal
date: 2026/04/28
logsource:
  category: process_creation
  product: linux
detection:
  selection_pip_image:
    Image|endswith:
      - '/python'
      - '/python3'
      - '/pip'
      - '/pip3'
  selection_pip_package:
    CommandLine|contains: 'xinference'
  selection_pip_version:
    CommandLine|contains:
      - '2.6.0'
      - '2.6.1'
      - '2.6.2'
  selection_import:
    Image|endswith:
      - '/python'
      - '/python3'
    CommandLine|contains: 'import xinference'
  # Package name and version must both be present on the pip command line;
  # an import of the package is flagged on its own.
  condition: (selection_pip_image and selection_pip_package and selection_pip_version) or selection_import
falsepositives:
  - Legitimate developer installation of specific versions (unlikely given compromise)
level: critical
---
title: AppleScript Execution via AI IDE - AMOS Stealer
id: 9f8e7d6c-5b4a-3f2e-1d0c-9b8a7f6e5d4c
status: experimental
description: Detects execution of AppleScript potentially linked to AMOS Stealer delivery via AI agents like Cursor, often involving obfuscated loaders.
references:
  - https://otx.alienvault.com/
author: Security Arsenal
date: 2026/04/28
logsource:
  category: process_creation
  product: macos
detection:
  selection:
    Image|endswith: '/osascript'
    ParentImage|contains:
      - 'Cursor'
      - 'cursor'
  condition: selection
falsepositives:
  - Legitimate AI agent automation
level: high
```
```kql
// Hunt for ClickFix and AMOS Stealer network IOCs
let IOCs = dynamic(["ustazazharidrus.com", "account-help.info", "quiptly.com", "elive123go.com", "visitbundala.com", "nhacaired88.com", "subsgod.com", "ariciversontile.com", "mpasvw.com", "arkypc.com", "ucaboodle.com", "someotherbox.com", "your-link.online", "linda-makeup.com", "cibcsecurity2fa.com", "rbcdevice-login.com", "yellowusheart.net"]);
let IPs = dynamic(["45.94.47.204", "92.246.136.14"]);
DeviceNetworkEvents
| where RemoteUrl has_any (IOCs) or RemoteIP in (IPs)
// RemotePort is numeric; convert it and add a separator so the column is readable
| extend FullURL = strcat(RemoteUrl, ":", tostring(RemotePort))
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP, RemotePort, FullURL
```
```powershell
# Hunt for compromised Xinference versions and suspicious AMOS Stealer processes
# Requires PowerShell 7+ (Process.Parent is not available in Windows PowerShell 5.1).
# The osascript check only makes sense on a macOS host.
Write-Host "Checking for compromised Xinference package versions..."
try {
    $pipList = pip list 2>&1
    # Anchor on the package name so e.g. xinference-client is not matched
    $versionLine = $pipList -match "^xinference\s"
    if ($versionLine) {
        # Word boundary keeps 2.6.10 or 2.6.20 out of the compromised range
        if ($versionLine -match "\s2\.6\.[0-2]\b") {
            Write-Host "[CRITICAL] Compromised version of Xinference detected: $versionLine" -ForegroundColor Red
        } else {
            Write-Host "Xinference installed, but version is not in the compromised range (2.6.0-2.6.2)." -ForegroundColor Green
        }
    } else {
        Write-Host "Xinference not found." -ForegroundColor Green
    }
} catch {
    Write-Host "Error checking pip list. Ensure Python/pip is in PATH."
}

# PowerShell does not interpret \n inside strings; the backtick escape is the newline
Write-Host "`nChecking for suspicious processes related to AMOS Stealer (osascript from Cursor)..."
$procs = Get-Process -Name osascript -ErrorAction SilentlyContinue
foreach ($proc in $procs) {
    try {
        # Get-CimInstance/Win32_Process only exist on Windows; Process.Parent works cross-platform
        $parent = $proc.Parent
        # -like is case-insensitive, so one pattern covers "Cursor" and "cursor"
        if ($parent -and $parent.ProcessName -like "*cursor*") {
            Write-Host "[ALERT] Suspicious osascript execution detected under Cursor process PID $($parent.Id)." -ForegroundColor Red
        }
    } catch {
        # Access denied or process exited
    }
}
```
Response Priorities
- Immediate:
  - Block all listed domains and IP addresses at the network perimeter.
  - Scan all developer workstations and build servers for the specified MD5/SHA256 file hashes related to `xinference` and AMOS Stealer.
  - Identify and quarantine systems running `xinference` versions 2.6.0–2.6.2.
- 24 Hours:
  - Initiate credential resets for developers and cloud accounts (AWS/Azure/GCP) if the `xinference` package was present in the environment.
  - Review browser extensions on endpoints for fake or unknown extensions (potential GlassWorm artifacts).
- 1 Week:
  - Architect controls to restrict the usage of AI coding assistants (Cursor) in sensitive environments or strictly sandbox their execution context.
  - Implement PyPI package pinning and signing verification in build pipelines to prevent supply chain poisoning.
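As an added example for the pinning step above (not code from the brief or from any project), this is a pre-install gate for a requirements file: pip's own verification mechanism is `pip install --require-hashes`, which only works when every entry is pinned with `==` and carries `--hash` options, so the check fails fast on unpinned or unhashed entries and additionally refuses the `xinference` releases named in the brief. The denylist and the sample file (with placeholder digests) are constructed for the example.

```python
"""Requirements gate for hash-pinned installs (added example)."""
import re

DENIED = {"xinference": {"2.6.0", "2.6.1", "2.6.2"}}  # releases named in the brief
PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([^\s\\;]+)(.*)$")
HASH_RE = re.compile(r"--hash=(sha256|sha384|sha512):[0-9a-f]+")


def logical_lines(text):
    """Join pip-style backslash continuations; yields (first_line_no, joined)."""
    buf, start = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        start = no if start is None else start
        buf.append(raw.rstrip().rstrip("\\").rstrip())
        if not raw.rstrip().endswith("\\"):
            yield start, " ".join(buf)
            buf, start = [], None
    if buf:  # dangling continuation at end of file
        yield start, " ".join(buf)


def check_requirements(text):
    """Return (line_no, problem) findings; an empty list means the file passes."""
    findings = []
    for no, line in logical_lines(text):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = PIN_RE.match(line)
        if not m:
            findings.append((no, "not pinned with =="))
            continue
        name, ver, rest = m.group(1).lower(), m.group(2), m.group(3)
        if ver in DENIED.get(name, ()):
            findings.append((no, f"{name}=={ver} is a known-compromised release"))
        if not HASH_RE.search(rest):
            findings.append((no, f"{name}=={ver} has no --hash option"))
    return findings


# Constructed sample (placeholder digests, not real ones): a correct hashed pin,
# a compromised pin, and an unpinned range.
SAMPLE = (
    "requests==2.32.3 \\\n"
    "    --hash=sha256:" + "ab" * 32 + "\n"
    "xinference==2.6.1 --hash=sha256:" + "cd" * 32 + "\n"
    "numpy>=1.26\n"
)
```

Run `check_requirements` on the file before `pip install --require-hashes -r requirements.txt` and fail the pipeline stage on any finding.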