The Afterlife, AWS, ClickFix, Agentic AI, Robot Lumberjacks, Robocalls, Aaran Leyland – SWN #522

Doug White

1. AWS services recover after daylong outage hits major sites
2. Google ads for fake Homebrew, LogMeIn sites push infostealers
3. TikTok videos continue to push infostealers in ClickFix attacks
4. AdaptixC2 spread through malicious npm package
5. AI agents gone rogue: Why businesses need Security Centers of Excellence
6. Trust the AI, says new coding manifesto by Kim and Yegge
7. We Finally Have Free Anti-Robocall Tools That Work
8. Should an AI copy of you help decide if you live or die?

Aaran Leyland

1. North Korea Uses Blockchain For Covert Hacks, Disguises Agents as Job Recruiters

   What actually works, in order of impact:

   RPC egress: default-deny JSON-RPC from user and CI/CD (continuous integration/continuous delivery) networks; allow-list only your custodians and your own nodes. Add detections for unexpected ethcall, ethgetCode, and eth_getLogs from non-wallet hosts. Short explainer: JSON-RPC is the API wallets use to talk to chains—don’t let random desktops do it.

   Wallet operations: enforce N-of-M (N approvals out of M total keys) for treasury with at least one HSM (hardware security module)-backed signer and one air-gapped signer. Pre-authorised address books only. Keep the hot-wallet float tiny. Wire real-time chain-analytics alerts to a human stop-button that can freeze withdrawals immediately.

   Endpoint hygiene: separate browser profiles; remove wallet extensions on corporate endpoints; block unsanctioned extensions enterprise-wide. Use CSP (content security policy) and SRI (sub-resource integrity) on every public website; many infections start with compromised CMS.

   Dev isolation: no direct internet from build agents; package mirrors only; detonate coding-challenge archives in disposable VMs with full packet capture before anyone runs them locally.

   Driver control: turn on the Microsoft/OSR/EDR vulnerable-driver blocklists; alert on NtLoadDriver from non-IT workstations; weekly sweeps for unsigned or weakly signed drivers.

   Hiring exposure: sanctions screening plus device-telemetry checks for contractors—time-zone drift, keyboard layout anomalies, geolocation. Do live coding on a managed host you provide. Hold access until identity artefacts pass secondary review.

   User protections for finance: hardware wallets for any serious holdings; seed phrases stored offline; a dedicated “finance” user account or a separate machine; physical security keys on exchanges; disable “remember this device”; review active sessions weekly; strict per-day transfer caps and withdrawal allow-lists at the venue.