Threat Analysis: BlackFile Extortion and Supply Chain Poisoning — UK Cyber Threats, 27 Apr 2026
Hello, Mauven here.
Two campaigns are running simultaneously today that, taken together, illustrate exactly why the UK’s cyber threat landscape is not primarily about nation-state zero-days. It is about financially motivated groups using ordinary techniques against organisations that have not done the basics. Neither of today’s threats requires a sophisticated exploit. Both are working.
BlackFile: The Group That Phones Before It Steals
Since February 2026, a cluster tracked under the names BlackFile, UNC6671, and Cordial Spider — believed to be loosely associated with the ‘The Com’ collective — has been running data theft and extortion operations against businesses across multiple sectors. The attribution is to a financially motivated group, not a state actor, though that distinction matters less than you might think when they have your client data.
The playbook is straightforward and effective. Attackers conduct voice-based phishing — they phone your staff, claim to be IT support or a help desk operative, and walk the target through a process that ends with them entering credentials into a convincing fake login page. Once they have credentials, they exfiltrate data. Then they ask for money.
What the reports about this campaign do not always make clear is the operational implication for small businesses: this works especially well on organisations where staff have no established protocol for verifying the identity of someone calling from ‘IT.’ If your business does not have a helpdesk callback procedure, your staff have no way to distinguish a legitimate internal IT call from a BlackFile operator. That is not a technology problem. That is a process problem, and it costs nothing to fix.
The campaign targets SaaS platforms specifically. The credential harvesting pages are built to mimic Microsoft 365, Okta, and similar services with high fidelity. Once inside a SaaS environment, exfiltration can happen quickly and quietly — inbox rules, SharePoint downloads, Teams export. By the time a victim realises something is wrong, the data is already gone.
The NCSC has guidance on defending against social engineering. The fact that a campaign using these exact techniques has been running continuously since February and generating enough incidents to warrant a formal intelligence write-up tells you how many organisations have read that guidance and implemented it.
PyPI Supply Chain Poisoning: Your Developer’s Next Install May Not Be What It Claims
The second story today is a pattern rather than a single incident, and it is accelerating.
On 22 April 2026, attackers compromised the PyPI release credentials of maintainers for Xinference — an open-source distributed AI inference framework used across professional services, fintech, and technology businesses — and published three malicious versions: 2.6.0, 2.6.1, and 2.6.2. The malicious code was embedded in Base64 layers inside the package’s __init__.py file. It executes automatically when the library is installed or imported. It collects cloud credentials. Those credentials leave the machine.
This is not an isolated event. The same week, Socket.dev reported that the Telnyx Python SDK had been compromised — malicious versions 4.87.1 and 4.87.2 published to PyPI, carrying a three-stage credential harvesting chain using audio steganography on Linux and macOS, and a persistent Windows binary dropped to the Startup folder. Separately, the GlassWorm campaign has now placed 73 sleeper extensions in the Open VSX marketplace, at least six of which have been activated to deliver malware through normal update mechanisms.
Unit 42 has documented the broader npm ecosystem story: since September 2025, coordinated supply chain attacks have moved from isolated incidents to systematic campaigns. The TeamPCP group in April 2026 distributed a malicious @bitwarden/cli package across Docker Hub, GitHub Actions, and VS Code extensions simultaneously.
The connective tissue here is credential compromise at the maintainer level. Attackers are not finding vulnerabilities in popular packages. They are stealing the login credentials of the people who maintain those packages, then publishing malicious versions through legitimate channels. Your security tooling may not flag a package from a known maintainer account.
For UK SMBs with development staff, or businesses using managed service providers who deploy Python-based tooling, the exposure is real. You may never know a malicious version transited your environment unless you are checking package hashes.
What These Two Threats Have in Common
They both exploit trust. BlackFile exploits the trust employees place in internal IT support calls. PyPI attackers exploit the trust developers place in packages from known maintainers. Neither requires a vulnerability in the traditional sense. Both require only that the target behaves normally.
This is the pattern the NCSC’s guidance has been pointing at for years. The technical controls — MFA, endpoint detection, network monitoring — are necessary but not sufficient when the attacker is operating through a legitimate account or a legitimate communication channel.
What to Do Today
On BlackFile:
- Implement a helpdesk verification procedure. Any call from ‘IT support’ asking for credentials or requesting that a staff member navigate to a login page should trigger a callback to a known internal number. This costs nothing and would stop the BlackFile TTP dead.
- Enable phishing-resistant MFA — FIDO2 or hardware tokens — on all SaaS platforms. Standard SMS and TOTP codes can be harvested in real time by a live attacker on the phone. They offer limited protection against this specific technique.
- Review SaaS inbox rules and sharing permissions now. If a BlackFile operator has already been through your environment, the first sign may be a forwarding rule you did not set.
On supply chain poisoning:
- Pin your Python package versions and verify hashes before deploying to production. PyPI supports hash verification natively. Use it.
- Audit your developer tooling for recently installed or updated Python packages. If Xinference 2.6.0, 2.6.1, or 2.6.2, or Telnyx 4.87.1 or 4.87.2 are in your environment, treat your cloud credentials as compromised and rotate them immediately.
- Restrict developer workstations from having direct outbound internet access to package repositories in production environments. A staging environment with a reviewed package mirror is not excessive caution; it is standard practice in any regulated sector.
- Brief your MSP if they manage your development or deployment infrastructure. Ask them specifically what controls they have over third-party package installation. If they cannot answer the question, that is your answer.
The window between a malicious package being published and being flagged by security tooling is not always short. In the Xinference case, three versions shipped before the compromise was identified. Your best protection is process, not detection.
Sources
| Source | Title | URL |
|---|---|---|
| RH-ISAC | Extortion in the Enterprise: Defending Against BlackFile Attacks | https://rhisac.org/threat-intelligence/extortion-in-the-enterprise-defending-against-blackfile-attacks/ |
| Socket.dev | 73 Open VSX Sleeper Extensions Linked to Malware Show New Activations | https://socket.dev/blog/73-open-vsx-sleeper-extensions-glassworm |
| Socket.dev | Telnyx Python SDK Compromised to Deliver Credential-Stealing Malware | https://socket.dev/blog/telnyx-python-sdk-compromised |
| Unit 42 / Palo Alto Networks | The npm Threat Landscape: Attack Surface and Mitigations | https://unit42.paloaltonetworks.com/monitoring-npm-supply-chain-attacks/ |
| BleepingComputer | FTC: Americans lost over $2.1 billion to social media scams in 2025 | https://www.bleepingcomputer.com/news/security/ftc-americans-lost-over-21-billion-to-social-media-scams-in-2025/ |
| AlienVault OTX | Supply Chain Poisoning via PyPI Repository Compromise (Xinference) | https://otx.alienvault.com |