A new supply-chain worm is loose on npm, stealing developer credentials and republishing itself automatically from whichever compromised account it lands on. Socket and StepSecurity identified the attack in packages published by Namastex Labs, a company that builds agentic AI tooling, with 16 package versions confirmed malicious so far and the first poisoned release (pgserve 1.1.11 on April 21 at 22:14 UTC) followed by two more the same day. The injected code grabs tokens, API keys, SSH keys, credentials for cloud services, CI/CD systems, container registries, and LLM platforms, plus Kubernetes and Docker configs, then rifles through Chrome and Firefox for cryptocurrency wallet data including MetaMask, Exodus, Atomic Wallet, and Phantom. If the malware finds an npm publish token in environment variables or ~/.npmrc, it identifies every package the victim can publish, injects itself into each, bumps the version, and republishes - a worm in the literal sense. It applies the same trick to PyPI via a .pth-based payload if Python credentials are present, making this a cross-ecosystem threat. Socket and StepSecurity note the techniques mirror TeamPCP's CanisterWorm attacks but stop short of definitive attribution.
Kaspersky has documented a previously undocumented data wiper, dubbed Lotus Wiper, used in destructive attacks on the Venezuelan energy and utilities sector at the end of 2025 and into 2026. The malware has no ransom note, no payment instructions, and no recovery mechanism - this is pure destruction, consistent with state-aligned or geopolitically-motivated sabotage rather than cybercrime. The attack begins with two batch scripts that prepare the environment: one checks for a NETLOGON share (the Active Directory login-scripts share) to confirm the machine is domain-joined, then fetches a remote XML file and runs a second script. The second script disables cached logins, logs off active sessions, kills network interfaces, runs 'diskpart clean all' to wipe all logical drives, uses robocopy to recursively overwrite or delete folders, and uses fsutil to fill remaining free space. Once the environment is prepped, the Lotus Wiper binary deletes restore points, zeros out physical sectors, clears NTFS journal USN records, and erases every file on every mounted volume. Kaspersky notes one script tries to stop the Windows UI0Detect service, a feature removed after Windows 10 version 1803 - meaning the attackers knew they would hit legacy Windows systems and had deep prior knowledge of the target environment, implying long-running domain compromise before the destructive payload fired. The sample was uploaded to a public malware-sharing platform from Venezuela in mid-December 2025, weeks before the U.S. military action in the country in early January 2026.
Acronis researchers have spotted a new variant of LOTUSLITE, a backdoor associated with the Chinese nation-state group Mustang Panda, now distributed via lures tied to India's banking sector and, in a parallel campaign, impersonating figures from South Korea's Korean-peninsula-policy community. The shift is notable: prior LOTUSLITE activity targeted U.S. government and policy entities with U.S.-Venezuela geopolitical decoys, but this wave pivots the targeting while keeping the delivery playbook intact. The infection chain starts with a Compiled HTML (CHM) file - a legacy Microsoft help-file format that can embed executables and scripts - containing a legitimate signed binary, a rogue DLL, and an HTML pop-up that asks the user to click 'Yes.' Clicking it silently fetches JavaScript malware from cosmosmusic[.]com, which extracts and runs the DLL side-loading chain (trusted EXE loads attacker-supplied DLL) using dnx.onecore.dll as the malicious payload. The backdoor talks HTTPS to editor.gleeze[.]com over dynamic DNS, with remote shell access, file operations, and session management - a classic espionage toolkit. The Indian campaign uses HDFC Bank-themed pop-ups masquerading as legitimate banking software; the South Korean campaign uses spoofed Gmail accounts and Google Drive staging to impersonate a prominent Korean peninsula policy figure. This is active, tailored, human-operated espionage, not a commodity campaign.
Akamai's Security Intelligence and Response Team caught a Mirai variant actively exploiting CVE-2025-29635, a command-injection flaw in discontinued D-Link DIR-823X routers, roughly one year after the vulnerability was publicly disclosed and its proof-of-concept exploit posted to GitHub (and later removed). The flaw lives in the sub_42232C function of the router firmware, where an attacker-controlled macaddr field is copied into a command buffer via snprintf and passed to system() without validation, enabling remote command execution through a crafted POST to /goform/set_prohibiting. Firmware versions 240126 and 24082 are affected. D-Link retired the DIR-823X line in 2025, so there is no vendor patch and no vendor patch coming. The Mirai variant, called 'tuxnokill' by its authors, drops from 88.214.20[.]14 via a simple shell script, supports multiple CPU architectures, uses XOR key 0x30 to obfuscate strings, and phones home to 64.89.161[.]130 on TCP port 44300. The same operator is chaining D-Link alongside CVE-2023-1389 (TP-Link AX21) and a ZTE ZXV10 H108L RCE, giving them a diverse pool of end-of-life consumer routers to enslave. At the time Akamai reported, CVE-2025-29635 was not yet on the CISA KEV catalog. The lesson: public PoCs against dead hardware do not stay dormant forever, and the 'wait for active exploitation' instinct gives attackers a year's head start.
A new ransomware family called Kyber has been deployed in attacks combining a Rust-based Windows encryptor with a Linux ESXi variant on the same victim network, and its Windows build is one of the first in the wild to advertise post-quantum cryptography. Rapid7 analysed both variants during a March 2026 incident response and found the Windows build genuinely uses Kyber1024 (a NIST-selected post-quantum key-encapsulation algorithm) plus X25519 to wrap the AES-CTR keys that actually encrypt files, matching its ransom-note claims. The Linux ESXi variant makes the same post-quantum marketing claim but actually uses ChaCha8 with RSA-4096 - pure marketing theatre rather than real crypto defense. For victims the distinction does not matter: without the attacker's private key the files are unrecoverable regardless of algorithm. Windows-encrypted files get a '.#~~~' extension; Linux gets '.xhsyw'. The ESXi variant enumerates all VMs, encrypts datastore files, defaces management interfaces, adds crontab persistence, and terminates VMs. The Windows variant deletes shadow copies, disables boot repair, kills SQL/Exchange/backup services, clears event logs, wipes the Recycle Bin, and ships with an experimental Hyper-V shutdown feature. Only one victim appears on the Kyber leak site so far (a multi-billion-dollar American defence contractor and IT services provider), meaning most current victims are still in the extortion window and not publicly known.
Google's Mandiant team published a report on April 22 naming UNC6692, a previously untracked threat cluster running a high-conversion social engineering playbook against senior enterprise staff - 77% of observed targets were senior employees between March 1 and April 1, 2026. The attack opens with an email bombing burst, flooding the victim's inbox with spam to create urgency. The operator then sends a Microsoft Teams chat invite from an external account, posing as internal IT help, and offers to fix the spam problem via a link to a convincing phishing page called 'Mailbox Repair and Sync Utility v2.1.5'. The page forces Microsoft Edge via the microsoft-edge: URI scheme, harvests credentials through a fake 'Health Check' button, and downloads an AutoHotkey script from attacker-controlled AWS S3 that installs the SNOW malware family: SNOWBELT (a malicious Edge/Chromium extension disguised as 'MS Heartbeat' that holds persistence through Scheduled Tasks and a Startup-folder shortcut), SNOWGLAZE (a Python WebSocket tunneler wrapping traffic in Base64-encoded JSON), and SNOWBASIN (a Python bindshell for interactive remote control). Post-exploitation includes LSASS dumps, Pass-the-Hash lateral movement, PsExec and RDP over the SNOWGLAZE tunnel, and exfil via LimeWire.
Microsoft Threat Intelligence is warning of a surge in attacks where threat actors pose as IT or helpdesk staff in external Microsoft Teams cross-tenant chats to trick employees into granting remote access - then use legitimate tools to steal data while blending into normal IT activity. The attack chain has nine stages. First, the attacker opens an external Teams chat claiming to be internal IT addressing an account issue. They talk the target into starting a Quick Assist remote support session, giving the attacker direct control of the machine. From there they do quick recon via Command Prompt and PowerShell, drop a small payload in user-writable locations like ProgramData, and execute it through DLL side-loading using a trusted signed application (Autodesk, Adobe Reader, Windows Error Reporting, or even data loss prevention software - any binary with a valid Microsoft-trusted signature). HTTPS C2 blends into normal outbound traffic. They establish persistence via Windows Registry, then use Windows Remote Management (WinRM) to move laterally to domain controllers and high-value assets. Final stage: Rclone exfiltrates filtered data to external cloud storage. Microsoft's detection guidance is blunt - this blends into legitimate admin activity and is hard to distinguish from routine IT support.
Check Point researchers gained visibility into a SystemBC command-and-control server used by an affiliate of The Gentlemen ransomware-as-a-service operation and found over 1,570 compromised corporate networks that have not been publicly disclosed. The group's own data leak site only lists about 320 victims, meaning the real footprint is nearly 5x larger than public reporting suggests. The Gentlemen emerged in July 2025 and has become one of the most prolific RaaS operations. It uses a Go-based locker targeting Windows, Linux, NAS, and BSD systems, operates a classic double-extortion model, and abuses legitimate drivers plus custom tooling to bypass defenses. SystemBC is a SOCKS5 tunneling proxy that uses RC4-encrypted C2 communications and can download and execute additional malware in memory. Attack chain: initial access via internet-facing services or compromised credentials, followed by reconnaissance, Cobalt Strike deployment, SystemBC tunneling, lateral movement using Group Policy Objects for domain-wide compromise, then the encryptor. A notable TTP: during lateral movement, The Gentlemen pushes a PowerShell script that disables Windows Defender real-time monitoring, adds broad exclusions for staging shares and its own process, shuts down the firewall, re-enables SMB1, and loosens LSA anonymous access controls before deploying the ransomware binary on each reachable host. The ESXi variant shuts down virtual machines, adds persistence via crontab, and inhibits recovery. Victim geography spans US, UK, Germany, Australia, and Romania.
One of the most methodical WordPress supply chain attacks ever: a buyer known only as 'Kris' purchased the entire Essential Plugin portfolio (30+ free WordPress plugins) on the Flippa marketplace for six figures. In August 2025, they injected a PHP deserialization backdoor in version 2.6.7, disguised as a compatibility check for WordPress 6.8.2. The malicious code sat dormant for eight months, building trust. On April 5-6, 2026, the attacker activated it - the C2 domain analytics.essentialplugin[.]com began distributing payloads to every site running the compromised plugins. The backdoor injected cloaked SEO spam into wp-config.php, visible only to Googlebot. WordPress.org permanently closed all 31 plugins on April 7 and pushed a forced auto-update - but the cleanup only removed the phone-home code, not the wp-config.php modifications, meaning compromised sites still served spam after the 'fix'. This happened the same week as the Smart Slider 3 supply chain attack we reported April 11 - two different supply chain attacks via the WordPress trusted update channel in one week.
A joint FBI/CISA advisory warns that Iranian-affiliated APT actors are actively targeting internet-exposed Rockwell Automation and Allen-Bradley programmable logic controllers across US critical infrastructure - specifically Government Services, Water and Wastewater Systems, and Energy sectors. The attacks have caused financial losses and operational disruptions since March 2026, with the FBI confirming attackers extracted PLC project files and manipulated data displayed on HMI and SCADA systems. The escalation is linked to ongoing hostilities between Iran, the US, and Israel.