Technology · 13 min read

The Pulse of Cloud and Cyber — Issue 3: AI bets, phishing wars, and a worm in the npm supply chain

In this edition of “Nabz-e Abr & Cyber”, we track five waves shaping the next year of cloud and security—from SoftBank cashing out of Nvidia while going “all in” on OpenAI, to Google suing a China-based phishing-as-a-service shop, to a self-replicating spam worm flooding the npm registry. The headlines look disconnected—markets, malware, lawsuits, ad fraud, and package managers—but together, they sketch the same story: financial incentives are driving both the AI boom and the next generation of cybercrime. This field report aims to bridge those headlines with the decisions founders, engineering leaders, and security teams have to make this quarter.


Behnam Khushab

Published on November 14, 2025 · Updated December 14, 2025


1) SoftBank sells its entire Nvidia stake: rotation inside the AI trade, or early sign of a bubble?

SoftBank has sold all 32.1 million Nvidia shares it held, raising about $5.8 billion in October. In its latest consolidated financial report, the company confirms the exit and frames it as funding for a sweeping AI strategy centered on massive follow-on investments in OpenAI (up to $40B committed) and the proposed $500B "Stargate" data-center project in the U.S.

Markets read it differently. Nvidia fell more than 2% on the news, and commentators immediately asked whether one of the loudest AI bulls is quietly calling the top. Recent warnings from major banks and high-profile short sellers against overheated AI equities amplified the vibe of a possible AI bubble "phase change."

Why it matters if you build or buy AI infrastructure:

  • Capex whiplash is coming. When one of the biggest AI allocators rotates from GPU equity into private AI bets and physical infrastructure, it signals how fast "where the money sits" can change. Multi-year cloud and GPU commitments should be stress-tested against both AI-winter and AI-mania scenarios.
  • Vendor concentration is still the biggest risk. Nvidia's dominance plus hyperscaler concentration means a single company's portfolio move can ripple into GPU pricing, availability, and timelines. Teams should be actively modeling multi-vendor accelerators, not just "Nvidia everywhere."
  • Data-center timelines will shape AI product roadmaps. If projects like Stargate really materialize, the bottleneck shifts from "we can't get enough GPUs" to power, cooling, and regulatory approvals. That's a different risk profile than most AI roadmaps are assuming today.

Action to consider this quarter

  • For finance and product leads: simulate 2–3 downside scenarios where AI infra costs spike or capacity is rationed, and decide which features or markets you would cut first.
  • For cloud architects: start a GPU diversification plan (cloud + on-prem + alternate vendors) so a single supplier's moves can't stall your roadmap.

2) DanaBot is back: a banking trojan that survived a global takedown

The DanaBot malware—a long-running banking trojan turned info-stealer—has resurfaced as version 669, roughly six months after law enforcement's Operation Endgame disrupted its infrastructure in May.

Researchers at Zscaler ThreatLabz and others report:

  • A rebuilt C2 infrastructure that leans on Tor (.onion) domains and "backconnect" nodes for remote access.
  • Continued focus on credential theft and crypto wallets, plus loader functionality to bring in additional payloads (including ransomware in some chains).
  • Familiar initial access: malicious email attachments, SEO-poisoned downloads, and malvertising.

Operation Endgame was one of the largest botnet takedowns to date, hitting multiple malware families and seizing infrastructure—but it didn't put handcuffs on every operator. DanaBot's quick return is proof that disruption without arrests often means "pause," not "game over."

Why it matters for Windows fleets and financial workflows

  • MaaS never really dies. DanaBot has operated as malware-as-a-service, which means multiple crews can rent it. A "return of service" moment like this can quietly change your threat model even if you weren't directly hit before.
  • Endpoint and email controls must be aligned. If your email defenses are strong but endpoint policies allow arbitrary PowerShell, or vice versa, you're relying on luck. DanaBot reminds us these campaigns chain multiple weak points.
  • Crypto and finance teams are high-value targets. Any organization with traders, treasury, or crypto operations should treat this as another reason to harden workstations with financial access.

Concrete actions

  • Import and enforce IOCs from Zscaler and other DanaBot reports into your endpoint, DNS, and email gateways.
  • Re-run a Windows hardening baseline (PowerShell, macros, LOLBins, local admin rights) on machines with access to banking portals or wallets.
  • Ensure application allow-listing or strong EDR is in place on finance endpoints specifically—those are often exceptions in otherwise well-secured fleets.

3) Google sues "Lighthouse" phishing-as-a-service operators: law meets PhaaS

Google has filed a lawsuit in U.S. federal court (Southern District of New York) against 25 unnamed defendants behind "Lighthouse," a large-scale text-phishing ("smishing") operation.

According to Google's complaint and public statements:

  • Lighthouse offered phishing-as-a-service kits that impersonated Google, the U.S. Postal Service, toll systems like E-ZPass, and others.
  • The group allegedly created nearly 200,000 fake websites in just 20 days, drawing in over 1 million potential victims across more than 120 countries.
  • The operation is accused of stealing personal and financial data at billion-dollar scale, with Google citing estimates over $1B in losses.
  • Google is suing under the Lanham Act, RICO, and the CFAA, seeking damages plus court orders to dismantle domains, infrastructure, and payment flows tied to the operation.

Google paired the lawsuit with a policy push—publicly backing U.S. bills intended to toughen action against such scams and help platforms move faster when tearing down criminal infrastructure.

Why it matters for enterprises and SaaS platforms

  • PhaaS is the new normal. Lighthouse industrializes phishing in the same way cloud platforms industrialized DevOps: kits, dashboards, automation, and "support." Your users aren't facing lone scammers—they're facing structured products.
  • Brand misuse risk is rising. If you run a well-known SaaS or consumer brand, you're not just a target; your logos and emails are raw material for PhaaS templates.
  • Legal + technical is the new playbook. Big platforms increasingly pair civil lawsuits, criminal referrals, and technical takedowns. Expect faster, more coordinated crackdowns—and build your response playbooks to plug into that ecosystem.

What leaders can do

  • If you have a consumer-facing brand, build a "brand abuse" process: how you detect spoofed domains, file takedowns, and notify users.
  • Implement FIDO2/WebAuthn wherever possible so credential theft alone doesn't equal account takeover.
  • Add PhaaS-style scenarios into your security awareness training, including SMS phishing and QR-code phishing, not just classic email.

4) Payroll Pirates & fake search ads: when "sponsored" means "stolen paycheck"

A long-running campaign dubbed "Payroll Pirates" has been abusing Google and Bing ads to spoof HR and payroll portals, then steal credentials and multi-factor codes at scale.

From Check Point, Microsoft, and other researchers:

  • Attackers run sponsored search ads that mimic portals for payroll, HR, credit unions, and trading platforms. Users who search instead of using bookmarks see the fake site first.
  • The campaign has targeted 200+ platforms and is estimated to have lured in roughly half a million users over time.
  • Recent Microsoft reporting shows a related "payroll pirate" actor (Storm-2657) compromising university accounts to redirect salary payments to attacker-controlled bank accounts.
  • The infrastructure uses "white page" redirects, domains hosted in places like Kazakhstan and Vietnam, cloaking, and Telegram bots to capture MFA codes in real time.

Why it matters for any org that pays people online

  • Search ads are now a primary attack surface. Even technically savvy users often click the top result, assuming ad vetting will protect them. That assumption is no longer safe.
  • Payroll, benefits, and HR SaaS are high-value crown jewels. A compromised Workday or similar account can silently reroute paychecks, change bank details, or expose sensitive HR data.
  • Trust boundaries are blurring. Users mix browser address bars, bookmarks, password managers, and search habits. Attackers exploit the gaps.

Practical actions

  • Tell people to bookmark payroll and HR portals and never reach them via search—yes, explicitly, in onboarding and security training.
  • Work with finance/HR to implement out-of-band verification for bank-account changes (e.g., a second channel confirmation).
  • On the technical side, deploy browser URL protections: warn when domains are near-lookalikes of your real portals, and use SSO with strong phishing-resistant MFA (e.g., security keys) where possible to make credential replay less useful.
  • If you run a public brand that's attractive to Payroll Pirates, monitor for malicious ads and phishing domains using threat-intel feeds or a third-party brand-protection service.
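The "brand abuse" detection process from section 3 and the lookalike-domain warning in the list above both come down to the same classifier: given a list of domains you own, decide which newly observed domains are close enough to warrant a warning or a takedown request. The following is an added example, not code from the newsletter or from any vendor it names. The protected domain `acmepayroll.com`, the sample domains, the confusables table and the "last two labels" shortcut are all constructed assumptions for illustration.

```javascript
// Added example, not code from the newsletter or from any vendor named in it:
// a small lookalike-domain classifier of the kind a brand-abuse process or a
// browser URL-protection rule would run over newly observed domains.
// The protected brand domain and all sample domains are constructed.

// Single characters commonly substituted for a letter they resemble.
// Deliberately small constructed table; a production tool would use the
// Unicode confusables data instead.
const CONFUSABLES = new Map([
  ['0', 'o'], ['1', 'l'], ['3', 'e'], ['5', 's'], ['7', 't'],
  ['\u00e1', 'a'], ['\u00e0', 'a'], ['\u00e9', 'e'], ['\u00e8', 'e'],
  ['\u00ed', 'i'], ['\u00ec', 'i'], ['\u00f3', 'o'], ['\u00f2', 'o'],
]);
// Letter pairs that render like a single letter in many fonts.
const DIGRAPHS = [['rn', 'm'], ['vv', 'w']];

// Fold a label to a skeleton so "payr0ll", "payróll" and "payroll" compare equal.
function skeleton(label) {
  let out = '';
  for (const ch of label.toLowerCase()) out += CONFUSABLES.get(ch) ?? ch;
  for (const [seq, rep] of DIGRAPHS) out = out.split(seq).join(rep);
  return out;
}

// Levenshtein edit distance (single-row DP); labels are short, so O(n*m) is fine.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = above;
    }
  }
  return row[b.length];
}

// Registrable part = last two labels. Simplification: a real tool would use the
// Public Suffix List (so "example.co.uk" works) and decode punycode "xn--" labels.
function registrable(domain) {
  return domain.toLowerCase().replace(/\.$/, '').split('.').slice(-2).join('.');
}

// Classify one observed domain against the protected list.
// verdict: 'legit' (same registrable domain), 'lookalike', or 'unrelated'.
// maxDistance = 1 is tuned for long brand labels; short labels need a stricter setting.
function assessDomain(domain, protectedDomains, maxDistance = 1) {
  const reg = registrable(domain);
  const label = reg.split('.')[0];
  for (const brand of protectedDomains) {
    const brandReg = registrable(brand);
    const brandLabel = brandReg.split('.')[0];
    if (reg === brandReg) return { domain, verdict: 'legit', brand, reason: 'same registrable domain' };
    const s = skeleton(label), bs = skeleton(brandLabel);
    if (s === bs) return { domain, verdict: 'lookalike', brand, reason: 'confusable characters' };
    if (s.includes(bs)) return { domain, verdict: 'lookalike', brand, reason: 'brand embedded in label' };
    const d = editDistance(s, bs);
    if (d <= maxDistance) return { domain, verdict: 'lookalike', brand, reason: `edit distance ${d}` };
  }
  return { domain, verdict: 'unrelated', brand: null, reason: '' };
}

// Return only the domains that warrant a warning or a takedown request.
function scanDomains(domains, protectedDomains) {
  return domains.map(d => assessDomain(d, protectedDomains)).filter(r => r.verdict === 'lookalike');
}

// Constructed inputs: one protected payroll portal and a batch of observed domains.
const PROTECTED = ['acmepayroll.com'];
const SAMPLE_DOMAINS = [
  'login.acmepayroll.com',  // legitimate subdomain of the real portal
  'acmepayr0ll.com',        // digit substituted for a letter
  'acrnepayroll-hr.net',    // "rn" for "m", brand embedded in a longer label
  'acmepayrol.com',         // one letter dropped
  'acme-payroll.com',       // hyphen inserted
  'acmepayr\u00f3ll.com',   // accented vowel
  'example.org',            // unrelated
];

for (const r of scanDomains(SAMPLE_DOMAINS, PROTECTED)) {
  console.log(`${r.verdict}: ${r.domain} (${r.reason}, resembles ${r.brand})`);
}
```

Feeding this the output of a certificate-transparency or newly-registered-domain feed gives you a daily list to triage; the verdict order (exact match, confusables, embedded brand, edit distance) is deliberate, so that your own subdomains never get reported before the fuzzy checks run.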

5) npm under pressure: tens of thousands of fake packages and a TEA-farming worm

The npm registry is being hit by a large-scale spam and "worm-like" campaign that has published tens of thousands of fake packages—many named after Indonesian foods—since early 2024.

Key points from The Hacker News, AWS, and Endor Labs:

  • Early waves were spotted by Endor Labs, which analyzed a campaign they call the "Indonesian Foods" worm, tied to TEA token farming.
  • Amazon Inspector now reports over 150,000 packages linked to a coordinated TEA.xyz token-farming campaign, calling it one of the largest package-flooding incidents in open-source history.
  • Many packages are not overtly malicious, but some contain scripts that auto-generate and publish more packages, creating a self-replicating spam loop that inflates download counts and TEA rewards.
  • The net effect is an npm ecosystem polluted with junk, making it harder to discover legitimate libraries and easier for truly malicious packages to hide in the noise.

Why it matters for engineering and supply-chain security

  • "Harmless" spam still hurts you. Even if a package doesn't steal data, it can introduce unnecessary dependencies, longer install times, and confusion in dependency resolution—especially when names look similar to real projects.
  • Economic incentives now shape your dependency tree. This campaign isn't about your app; it's about gaming a token economy. That means attacks can scale much faster than traditional targeted malware.
  • This sits on top of more traditional npm compromises. While this campaign is mostly spammy, we've already seen 2025 supply-chain attacks that backdoored widely-used packages to steal credentials and crypto.

What to do if you ship JavaScript

Move from "npm install by vibe" to policy-driven dependency management:

  • Pin versions and use lockfiles checked into source.
  • Require a minimum maturity bar (stars, contributors, age) for new packages before allowing them into production systems.
  • Deploy a software composition analysis (SCA) or supply-chain tool that ingests malicious-package feeds (AWS Inspector, OpenSSF/OSV, vendor intel) and flags risky dependencies.
  • Treat build pipelines as high-value assets: isolate them, use least privilege, and add integrity controls (sigstore, checksums, reproducible builds) so a single malicious dependency can't silently alter production artifacts.
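Policy-driven dependency management, as in the list above, is easiest to enforce as a gate in the build pipeline. The following is an added example, not code from the newsletter or from npm, AWS or Endor Labs: it checks each direct dependency for a pinned version, a lockfile entry with an integrity hash, a minimum package age and version count, and install-time lifecycle scripts (the mechanism the self-replicating spam packages rely on). The manifest, lockfile records, registry metadata, package names and the `POLICY` thresholds are all constructed assumptions so the check runs offline; a real gate would read `package.json` and `package-lock.json` from disk and query the registry for `time.created` and the version list.

```javascript
// Added example, not code from the newsletter or from npm, AWS or Endor Labs:
// a policy gate that evaluates the dependencies of a package.json before they
// are allowed into a production build. Manifests, lockfile entries and registry
// metadata are constructed in memory so the check runs offline.

const POLICY = {
  minAgeDays: 90,             // packages younger than this need a manual review
  minVersions: 3,             // a single-publish package is typical of flood spam
  forbidInstallScripts: true, // preinstall/install/postinstall execute at install time
};

// A pinned version is an exact semver string; ranges like ^1.2.3, ~1.2.3, * or
// a dist-tag like "latest" can resolve to a different build on the next install.
function isPinned(range) {
  return /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/.test(range);
}

function daysBetween(isoFrom, isoTo) {
  return (new Date(isoTo) - new Date(isoFrom)) / 86_400_000;
}

// Evaluate one dependency. `lockEntry` is the package-lock "packages" record for
// node_modules/<name>; `meta` is the subset of registry metadata this check uses
// (constructed shape: created, versionCount, scripts of the resolved version).
function evaluateDependency(name, range, lockEntry, meta, policy, now) {
  const findings = [];
  if (!isPinned(range)) findings.push(`version range "${range}" is not pinned`);
  if (!lockEntry) findings.push('missing from lockfile');
  else if (!lockEntry.integrity) findings.push('lockfile entry has no integrity hash');
  if (!meta) {
    findings.push('no registry metadata available');
    return findings;
  }
  const ageDays = Math.floor(daysBetween(meta.created, now));
  if (ageDays < policy.minAgeDays) findings.push(`package is only ${ageDays} days old`);
  if (meta.versionCount < policy.minVersions) findings.push(`only ${meta.versionCount} published version(s)`);
  const hooks = ['preinstall', 'install', 'postinstall'].filter(h => h in (meta.scripts ?? {}));
  if (policy.forbidInstallScripts && hooks.length > 0) findings.push(`declares install hooks: ${hooks.join(', ')}`);
  return findings;
}

// Audit every direct dependency; returns { name: [findings] } for failing packages only.
function auditManifest(pkg, lock, registry, policy, now) {
  const report = {};
  for (const [name, range] of Object.entries(pkg.dependencies ?? {})) {
    const lockEntry = lock.packages ? lock.packages[`node_modules/${name}`] : undefined;
    const findings = evaluateDependency(name, range, lockEntry, registry[name], policy, now);
    if (findings.length > 0) report[name] = findings;
  }
  return report;
}

// Constructed fixtures. Package names are invented; the integrity value is a placeholder.
const NOW = '2025-11-14T00:00:00Z';
const PACKAGE_JSON = {
  dependencies: {
    'left-padding-example': '1.4.0',
    'nasi-goreng-utils': '^0.0.1',
    'stable-lib-example': '2.3.1',
  },
};
const PACKAGE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/left-padding-example': { version: '1.4.0', integrity: 'sha512-PLACEHOLDER' },
    'node_modules/stable-lib-example': { version: '2.3.1' }, // integrity field missing
  },
};
const REGISTRY = {
  'left-padding-example': { created: '2019-03-01T00:00:00Z', versionCount: 14, scripts: {} },
  'nasi-goreng-utils': { created: '2025-11-10T00:00:00Z', versionCount: 1, scripts: { postinstall: 'node publish-more.js' } },
  'stable-lib-example': { created: '2021-06-15T00:00:00Z', versionCount: 9, scripts: {} },
};

for (const [name, findings] of Object.entries(auditManifest(PACKAGE_JSON, PACKAGE_LOCK, REGISTRY, POLICY, NOW))) {
  console.log(`${name}: ${findings.join('; ')}`);
}
```

Run in CI, a non-empty report should fail the build for production branches; the four-day-old, single-version package with a `postinstall` hook collects every finding at once, which is exactly the profile the flood packages described above tend to have, while the mature pinned package passes cleanly.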

Editor's wrap

  • AI capital is rotating, not retreating. SoftBank exiting Nvidia to double down on OpenAI and data-center mega-projects is a reminder that the AI story is shifting from chips to full stacks—from GPUs to power, real estate, and regulation.
  • Takedowns are a speed bump, not a finish line. DanaBot's return six months after Operation Endgame shows that without arrests or sustained pressure, MaaS crews can rebuild—and your controls need to assume that.
  • Cybercrime is now a service business. Lighthouse, Payroll Pirates, and even TEA-farming npm spam all monetize at scale, turning phishing and package noise into repeatable products. The job for defenders is to break their business model, not just block individual IOCs.
  • Ads, SMS, and dev tooling are front-line attack surfaces. If your threat model still focuses only on classic email phishing and perimeter firewalls, you're missing where modern attackers actually live.

If you only do three things this week:

  1. For leadership: stress-test your AI-infrastructure and GPU dependency assumptions against a cooler market or delayed capacity.
  2. For security: update detections for DanaBot, Lighthouse-style PhaaS, and Payroll Pirates, with special attention to SMS, ads, and HR/payroll portals.
  3. For engineering: tighten npm hygiene—lockfiles, SCA, and stronger controls around introducing new packages into production builds.

Primary sources

1) SoftBank & the AI rotation

  • SoftBank Group — Consolidated Financial Report for the Six-Month Period Ended September 30, 2025 (PDF)
  • Reuters — "SoftBank's $5.8 billion Nvidia stake sale stirs fresh AI bubble fears"

2) DanaBot returns after Operation Endgame

  • BleepingComputer — "DanaBot malware is back to infecting Windows after 6-month break"
  • CyberSecurityNews / Zscaler ThreatLabz coverage of DanaBot v669
  • Europol — Operation Endgame disruption announcement

3) Google vs. "Lighthouse"

  • Google — "Google fights scams with legal and legislative action" (official blog)
  • U.S. District Court (S.D.N.Y.) — Google v. Does 1–25 Lighthouse complaint (PDF)
  • Reuters — "Google sues in New York to break up text phishing scheme"

4) Payroll Pirates & fake ads

  • Check Point — "Payroll Pirates: One Network, Hundreds of Targets"
  • Microsoft Security Blog — "Investigating targeted 'payroll pirate' attacks affecting US universities"
  • Silent Push — "Payroll Pirates HR redirect phishing scam"

5) npm spam, worms, and TEA farming

  • The Hacker News — "Over 67,000 Fake npm Packages Flood Registry in Worm-Like Spam Attack"
  • AWS Security Blog — "Amazon Inspector detects over 150,000 malicious packages linked to token farming campaign"
  • Endor Labs — "The Great Indonesian TEA Theft: Analyzing a NPM Spam Campaign"
