A new supply-chain worm is loose on npm, stealing developer credentials and republishing itself automatically from whichever compromised account it lands on. Socket and StepSecurity identified the attack in packages published by Namastex Labs, a company that builds agentic AI tooling, with 16 package versions confirmed malicious so far and the first poisoned release (pgserve 1.1.11 on April 21 at 22:14 UTC) followed by two more the same day. The injected code grabs tokens, API keys, SSH keys, credentials for cloud services, CI/CD systems, container registries, and LLM platforms, plus Kubernetes and Docker configs, then rifles through Chrome and Firefox for cryptocurrency wallet data including MetaMask, Exodus, Atomic Wallet, and Phantom. If the malware finds an npm publish token in environment variables or ~/.npmrc, it identifies every package the victim can publish, injects itself into each, bumps the version, and republishes - a worm in the literal sense. It applies the same trick to PyPI via a .pth-based payload if Python credentials are present, making this a cross-ecosystem threat. Socket and StepSecurity note the techniques mirror TeamPCP's CanisterWorm attacks but stop short of definitive attribution.
Kaspersky has documented a previously undocumented data wiper, dubbed Lotus Wiper, used in destructive attacks on the Venezuelan energy and utilities sector at the end of 2025 and into 2026. The malware has no ransom note, no payment instructions, and no recovery mechanism - this is pure destruction, consistent with state-aligned or geopolitically-motivated sabotage rather than cybercrime. The attack begins with two batch scripts that prepare the environment: one checks for a NETLOGON share (the Active Directory login-scripts share) to confirm the machine is domain-joined, then fetches a remote XML file and runs a second script. The second script disables cached logins, logs off active sessions, kills network interfaces, runs 'diskpart clean all' to wipe all logical drives, uses robocopy to recursively overwrite or delete folders, and uses fsutil to fill remaining free space. Once the environment is prepped, the Lotus Wiper binary deletes restore points, zeros out physical sectors, clears NTFS journal USN records, and erases every file on every mounted volume. Kaspersky notes one script tries to stop the Windows UI0Detect service, a feature removed after Windows 10 version 1803 - meaning the attackers knew they would hit legacy Windows systems and had deep prior knowledge of the target environment, implying long-running domain compromise before the destructive payload fired. The sample was uploaded to a public malware-sharing platform from Venezuela in mid-December 2025, weeks before the U.S. military action in the country in early January 2026.
Acronis researchers have spotted a new variant of LOTUSLITE, a backdoor associated with the Chinese nation-state group Mustang Panda, now distributed via lures tied to India's banking sector and, in a parallel campaign, impersonating figures from South Korea's Korean-peninsula-policy community. The shift is notable: prior LOTUSLITE activity targeted U.S. government and policy entities with U.S.-Venezuela geopolitical decoys, but this wave pivots the targeting while keeping the delivery playbook intact. The infection chain starts with a Compiled HTML (CHM) file - a legacy Microsoft help-file format that can embed executables and scripts - containing a legitimate signed binary, a rogue DLL, and an HTML pop-up that asks the user to click 'Yes.' Clicking it silently fetches JavaScript malware from cosmosmusic[.]com, which extracts and runs the DLL side-loading chain (trusted EXE loads attacker-supplied DLL) using dnx.onecore.dll as the malicious payload. The backdoor talks HTTPS to editor.gleeze[.]com over dynamic DNS, with remote shell access, file operations, and session management - a classic espionage toolkit. The Indian campaign uses HDFC Bank-themed pop-ups masquerading as legitimate banking software; the South Korean campaign uses spoofed Gmail accounts and Google Drive staging to impersonate a prominent Korean peninsula policy figure. This is active, tailored, human-operated espionage, not a commodity campaign.
Akamai's Security Intelligence and Response Team caught a Mirai variant actively exploiting CVE-2025-29635, a command-injection flaw in discontinued D-Link DIR-823X routers, roughly one year after the vulnerability was publicly disclosed and its proof-of-concept exploit posted to GitHub (and later removed). The flaw lives in the sub_42232C function of the router firmware, where an attacker-controlled macaddr field is copied into a command buffer via snprintf and passed to system() without validation, enabling remote command execution through a crafted POST to /goform/set_prohibiting. Firmware versions 240126 and 24082 are affected. D-Link retired the DIR-823X line in 2025, so there is no vendor patch and no vendor patch coming. The Mirai variant, called 'tuxnokill' by its authors, drops from 88.214.20[.]14 via a simple shell script, supports multiple CPU architectures, uses XOR key 0x30 to obfuscate strings, and phones home to 64.89.161[.]130 on TCP port 44300. The same operator is chaining D-Link alongside CVE-2023-1389 (TP-Link AX21) and a ZTE ZXV10 H108L RCE, giving them a diverse pool of end-of-life consumer routers to enslave. At the time Akamai reported, CVE-2025-29635 was not yet on the CISA KEV catalog. The lesson: public PoCs against dead hardware do not stay dormant forever, and the 'wait for active exploitation' instinct gives attackers a year's head start.
A new ransomware family called Kyber has been deployed in attacks combining a Rust-based Windows encryptor with a Linux ESXi variant on the same victim network, and its Windows build is one of the first in the wild to advertise post-quantum cryptography. Rapid7 analysed both variants during a March 2026 incident response and found the Windows build genuinely uses Kyber1024 (a NIST-selected post-quantum key-encapsulation algorithm) plus X25519 to wrap the AES-CTR keys that actually encrypt files, matching its ransom-note claims. The Linux ESXi variant makes the same post-quantum marketing claim but actually uses ChaCha8 with RSA-4096 - pure marketing theatre rather than real crypto defense. For victims the distinction does not matter: without the attacker's private key the files are unrecoverable regardless of algorithm. Windows-encrypted files get a '.#~~~' extension; Linux gets '.xhsyw'. The ESXi variant enumerates all VMs, encrypts datastore files, defaces management interfaces, adds crontab persistence, and terminates VMs. The Windows variant deletes shadow copies, disables boot repair, kills SQL/Exchange/backup services, clears event logs, wipes the Recycle Bin, and ships with an experimental Hyper-V shutdown feature. Only one victim appears on the Kyber leak site so far (a multi-billion-dollar American defence contractor and IT services provider), meaning most current victims are still in the extortion window and not publicly known.
Google's Mandiant team published a report on April 22 naming UNC6692, a previously untracked threat cluster running a high-conversion social engineering playbook against senior enterprise staff - 77% of observed targets were senior employees between March 1 and April 1, 2026. The attack opens with an email bombing burst, flooding the victim's inbox with spam to create urgency. The operator then sends a Microsoft Teams chat invite from an external account, posing as internal IT help, and offers to fix the spam problem via a link to a convincing phishing page called 'Mailbox Repair and Sync Utility v2.1.5'. The page forces Microsoft Edge via the microsoft-edge: URI scheme, harvests credentials through a fake 'Health Check' button, and downloads an AutoHotkey script from attacker-controlled AWS S3 that installs the SNOW malware family: SNOWBELT (a malicious Edge/Chromium extension disguised as 'MS Heartbeat' that holds persistence through Scheduled Tasks and a Startup-folder shortcut), SNOWGLAZE (a Python WebSocket tunneler wrapping traffic in Base64-encoded JSON), and SNOWBASIN (a Python bindshell for interactive remote control). Post-exploitation includes LSASS dumps, Pass-the-Hash lateral movement, PsExec and RDP over the SNOWGLAZE tunnel, and exfil via LimeWire.
CERT Coordination Center disclosed CVE-2026-5752, a CVSS 9.3 sandbox escape in Cohere's open source Terrarium, a Python sandbox that runs on Pyodide (a WebAssembly Python distribution for Node.js) and is used to execute untrusted or LLM-generated code inside a Docker container. The flaw lets code running inside the Pyodide sandbox traverse the JavaScript prototype chain to reach the host Node.js Function constructor, compile arbitrary JavaScript in the host realm, and execute it as root inside the container. From that point attackers can read /etc/passwd and environment variables, reach other services on the container network, and attempt a further container escape. Critically, CERT/CC notes it was unable to coordinate a patch with Cohere, so no fix has shipped. Terrarium has 312 GitHub stars and 56 forks - a moderate audience, but anyone running it is a poster-child target for prompt-injection attacks that instruct the LLM to emit sandbox-breaking code. The underlying prototype-chain traversal pattern is the same technique seen in January's CVE-2026-22686 against the enclave-vm sandbox.
Deutsche Telekom's Red Team disclosed CVE-2026-41651, a local privilege escalation in the PackageKit daemon that has shipped in default Linux installations since November 2014. Any unprivileged local user can invoke 'pkcon install' without a polkit prompt, install or remove arbitrary packages, and escalate to root. CVSS 8.8. Confirmed-vulnerable defaults include Ubuntu Desktop and Server LTS, Debian Trixie, Rocky Linux 10.1, and Fedora 43; any RHEL server running Cockpit is also exposed because Cockpit loads PackageKit on demand via D-Bus. PackageKit 1.3.5 fixes it. The researchers credited Anthropic's Claude Opus with helping guide the discovery.
CISA added a Cisco Catalyst SD-WAN Manager information disclosure flaw to its Known Exploited Vulnerabilities catalog on Monday, ordering federal agencies to patch by Friday, April 24 - an unusually aggressive 4-day deadline that reflects confirmed active exploitation. CVE-2026-20133 is an unauthenticated remote flaw in the SD-WAN Manager (formerly vManage) API, caused by insufficient file system access restrictions. An attacker can access the API and read sensitive information from the underlying operating system - including credentials that enable follow-on attacks. Cisco patched it in late February alongside two other SD-WAN Manager flaws (CVE-2026-20128 and CVE-2026-20122, both also added to KEV this week and confirmed exploited in the wild). Catalyst SD-WAN Manager is used to centrally manage up to 6,000 SD-WAN devices from one dashboard, making it a high-value target. Oddly, Cisco's PSIRT still says they have no evidence of public exploitation - contradicting CISA. CISA is treating its own intelligence as authoritative and has issued Emergency Directive 26-03 plus a Hunt & Hardening Guide for Cisco SD-WAN. Over the past several years CISA has tagged 91 Cisco vulnerabilities as exploited in the wild, six used by ransomware operations.
Day-after follow-up to our April 18 coverage: Shadowserver has published telemetry showing 6,400+ Apache ActiveMQ servers exposed online are still vulnerable to CVE-2026-34197, the 13-year-old code injection flaw CISA added to KEV last week with an April 30 federal patch deadline. Geographic breakdown: Asia leads with 2,925 vulnerable servers, North America follows at 1,409, Europe at 1,334. Horizon3's Naveen Sunkavally (who discovered the flaw using the Claude AI assistant as his research tool) is urging admins to treat this as high priority, noting ActiveMQ has been a repeated target for real-world attackers - CVE-2016-3088 and CVE-2023-46604 are both on KEV, with the latter used as a zero-day by the TellYouThePass ransomware gang. The Apache maintainers patched the flaw on March 30 in ActiveMQ Classic 6.2.3 and 5.19.4. Horizon3 recommends searching broker logs for suspicious connections using the internal VM transport protocol with the brokerConfig=xbean:http:// query parameter as an indicator of exploitation.
TrustStrike Labs