Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7

Self-propagating npm worm hits Namastex Labs packages, steals secrets across npm, PyPI, and crypto wallets

A new supply-chain worm is loose on npm, stealing developer credentials and republishing itself automatically from whichever compromised account it lands on. Socket and StepSecurity identified the attack in packages published by Namastex Labs, a company that builds agentic AI tooling, with 16 package versions confirmed malicious so far and the first poisoned release (pgserve 1.1.11 on April 21 at 22:14 UTC) followed by two more the same day. The injected code grabs tokens, API keys, SSH keys, credentials for cloud services, CI/CD systems, container registries, and LLM platforms, plus Kubernetes and Docker configs, then rifles through Chrome and Firefox for cryptocurrency wallet data including MetaMask, Exodus, Atomic Wallet, and Phantom. If the malware finds an npm publish token in environment variables or ~/.npmrc, it identifies every package the victim can publish, injects itself into each, bumps the version, and republishes - a worm in the literal sense. It applies the same trick to PyPI via a .pth-based payload if Python credentials are present, making this a cross-ecosystem threat. Socket and StepSecurity note the techniques mirror TeamPCP's CanisterWorm attacks but stop short of definitive attribution.

Check
Search your package-lock and yarn.lock files and private registry caches for any of the listed Namastex Labs versions, and then rotate every credential that has ever been present on a machine that installed them.
Affected
Confirmed malicious versions per Socket: @automagik/genie 4.260421.33 through 4.260421.39; pgserve 1.1.11 through 1.1.13; @fairwords/websocket 1.0.38 through 1.0.39; @fairwords/loopback-connector-es 1.4.3 through 1.4.4; @openwebconcept/theme-owc 1.0.3; @openwebconcept/design-tokens 1.0.3. Any additional npm package republished by an account whose publish token was exfiltrated by this worm is also potentially malicious.
Fix
Remove the listed versions from development environments, CI/CD runners, and private mirrors immediately. Rotate every secret the worm would have seen: npm publish tokens, PyPI tokens, cloud provider keys, CI/CD deploy keys, SSH keys, LLM platform API keys, container registry credentials, and any crypto wallet seeds stored in browser extensions on affected machines. Audit your package caches and internal mirrors for related packages that share the same public.pem file, webhook host, or postinstall pattern (Socket publishes IoCs for this). Pin production dependencies to known-good versions with integrity hashes and deny the newest versions of the affected packages in your package firewall until forensics is complete.

Lotus Wiper destroys Venezuelan energy and utility systems in apparent state-sponsored attack

Kaspersky has documented a previously undocumented data wiper, dubbed Lotus Wiper, used in destructive attacks on the Venezuelan energy and utilities sector at the end of 2025 and into 2026. The malware has no ransom note, no payment instructions, and no recovery mechanism - this is pure destruction, consistent with state-aligned or geopolitically-motivated sabotage rather than cybercrime. The attack begins with two batch scripts that prepare the environment: one checks for a NETLOGON share (the Active Directory login-scripts share) to confirm the machine is domain-joined, then fetches a remote XML file and runs a second script. The second script disables cached logins, logs off active sessions, kills network interfaces, runs 'diskpart clean all' to wipe all logical drives, uses robocopy to recursively overwrite or delete folders, and uses fsutil to fill remaining free space. Once the environment is prepped, the Lotus Wiper binary deletes restore points, zeros out physical sectors, clears NTFS journal USN records, and erases every file on every mounted volume. Kaspersky notes one script tries to stop the Windows UI0Detect service, a feature removed after Windows 10 version 1803 - meaning the attackers knew they would hit legacy Windows systems and had deep prior knowledge of the target environment, implying long-running domain compromise before the destructive payload fired. The sample was uploaded to a public malware-sharing platform from Venezuela in mid-December 2025, weeks before the U.S. military action in the country in early January 2026.

Check
Regardless of geography, hunt for the living-off-the-land pattern this wiper uses: 'diskpart clean all', fsutil filling free space, robocopy recursively mirroring empty directories, and attempts to stop UI0Detect on any Windows host.
Affected
Windows environments with long-running Active Directory compromise, particularly those still running pre-Windows 10 1803 builds where the UI0Detect service exists. Operational-technology organisations in energy, utilities, and critical infrastructure - especially in Venezuela but globally given the playbook is reusable.
Fix
Alert on any process chain matching: cmd.exe spawning 'diskpart.exe /s' with 'clean all', fsutil.exe creating zero-sized fill files, or robocopy.exe with /MIR into an empty source. Watch NETLOGON share for new or modified .xml and .bat files arriving on domain controllers. Enforce immutable offline backups - this wiper explicitly destroys restore points, shadow copies, and USN journals, so any backup reachable from the domain is at risk. Review privileged AD admin activity for the past 90 days. Monitor for unauthorized scripts pushed via GPO or scheduled tasks across the domain.

Chinese APT Mustang Panda's new LOTUSLITE variant hits Indian banks and South Korean policy circles via CHM lures

Acronis researchers have spotted a new variant of LOTUSLITE, a backdoor associated with the Chinese nation-state group Mustang Panda, now distributed via lures tied to India's banking sector and, in a parallel campaign, impersonating figures from South Korea's Korean-peninsula-policy community. The shift is notable: prior LOTUSLITE activity targeted U.S. government and policy entities with U.S.-Venezuela geopolitical decoys, but this wave pivots the targeting while keeping the delivery playbook intact. The infection chain starts with a Compiled HTML (CHM) file - a legacy Microsoft help-file format that can embed executables and scripts - containing a legitimate signed binary, a rogue DLL, and an HTML pop-up that asks the user to click 'Yes.' Clicking it silently fetches JavaScript malware from cosmosmusic[.]com, which extracts and runs the DLL side-loading chain (trusted EXE loads attacker-supplied DLL) using dnx.onecore.dll as the malicious payload. The backdoor talks HTTPS to editor.gleeze[.]com over dynamic DNS, with remote shell access, file operations, and session management - a classic espionage toolkit. The Indian campaign uses HDFC Bank-themed pop-ups masquerading as legitimate banking software; the South Korean campaign uses spoofed Gmail accounts and Google Drive staging to impersonate a prominent Korean peninsula policy figure. This is active, tailored, human-operated espionage, not a commodity campaign.

Check
Block CHM file delivery through email and web download gateways, hunt for any instance of dnx.onecore.dll on the disk, and alert on DNS resolutions to cosmosmusic[.]com or editor.gleeze[.]com across your network.
Affected
Indian banking, financial services, and corporate employees handling HDFC Bank relationships (target set includes anyone social-engineered with banking-software lures). South Korean policy, diplomatic, think-tank, and government staff working on Korean-peninsula affairs, North Korea policy, or Indo-Pacific security dialogues. Any organisation where users can still open CHM files by default - Windows does not block them.
Fix
Add a mail-transport-agent rule blocking .chm attachments outright. Block CHM execution on endpoints via AppLocker or WDAC application-control policies. Enforce DNS filtering with sinkholes for cosmosmusic[.]com and editor.gleeze[.]com and monitor for similar dynamic-DNS patterns resolving from workstations that never used them before. Run EDR hunts for hh.exe (the CHM viewer) spawning script interpreters or unusual DLL loads, and specifically for dnx.onecore.dll. Provide targeted phishing-awareness training to India-based banking staff and any employees on Korean-peninsula policy briefs, including the specific lure patterns (HDFC Bank pop-ups, spoofed Gmail from named policy figures).

Mirai botnet exploits a year-old D-Link PoC to build fresh botnets on discontinued routers (CVE-2025-29635)

Akamai's Security Intelligence and Response Team caught a Mirai variant actively exploiting CVE-2025-29635, a command-injection flaw in discontinued D-Link DIR-823X routers, roughly one year after the vulnerability was publicly disclosed and its proof-of-concept exploit posted to GitHub (and later removed). The flaw lives in the sub_42232C function of the router firmware, where an attacker-controlled macaddr field is copied into a command buffer via snprintf and passed to system() without validation, enabling remote command execution through a crafted POST to /goform/set_prohibiting. Firmware versions 240126 and 24082 are affected. D-Link retired the DIR-823X line in 2025, so there is no vendor patch and no vendor patch coming. The Mirai variant, called 'tuxnokill' by its authors, drops from 88.214.20[.]14 via a simple shell script, supports multiple CPU architectures, uses XOR key 0x30 to obfuscate strings, and phones home to 64.89.161[.]130 on TCP port 44300. The same operator is chaining D-Link alongside CVE-2023-1389 (TP-Link AX21) and a ZTE ZXV10 H108L RCE, giving them a diverse pool of end-of-life consumer routers to enslave. At the time Akamai reported, CVE-2025-29635 was not yet on the CISA KEV catalog. The lesson: public PoCs against dead hardware do not stay dormant forever, and the 'wait for active exploitation' instinct gives attackers a year's head start.

Check
Check your external attack surface (including remote-worker home networks that terminate corporate VPNs) for any D-Link DIR-823X, TP-Link AX21, or ZTE ZXV10 H108L routers facing the internet.
Affected
D-Link DIR-823X firmware 240126 and 24082 (the entire discontinued product line is affected and will not receive a vendor patch). Also actively targeted: TP-Link AX21 routers vulnerable to CVE-2023-1389 and ZTE ZXV10 H108L devices.
Fix
Replace affected D-Link DIR-823X units with a supported model - there is no fix. For TP-Link AX21, apply the vendor firmware addressing CVE-2023-1389. Block outbound traffic to 88.214.20[.]14 and 64.89.161[.]130 at your corporate perimeter and DNS resolver, and hunt for any past connections to them in flow logs. For remote-worker environments, enforce corporate-approved home-router models or at minimum audit for end-of-life consumer hardware terminating VPN tunnels.

Kyber ransomware experiments with post-quantum encryption across Windows and VMware ESXi

A new ransomware family called Kyber has been deployed in attacks combining a Rust-based Windows encryptor with a Linux ESXi variant on the same victim network, and its Windows build is one of the first in the wild to advertise post-quantum cryptography. Rapid7 analysed both variants during a March 2026 incident response and found the Windows build genuinely uses Kyber1024 (a NIST-selected post-quantum key-encapsulation algorithm) plus X25519 to wrap the AES-CTR keys that actually encrypt files, matching its ransom-note claims. The Linux ESXi variant makes the same post-quantum marketing claim but actually uses ChaCha8 with RSA-4096 - pure marketing theatre rather than real crypto defense. For victims the distinction does not matter: without the attacker's private key the files are unrecoverable regardless of algorithm. Windows-encrypted files get a '.#~~~' extension; Linux gets '.xhsyw'. The ESXi variant enumerates all VMs, encrypts datastore files, defaces management interfaces, adds crontab persistence, and terminates VMs. The Windows variant deletes shadow copies, disables boot repair, kills SQL/Exchange/backup services, clears event logs, wipes the Recycle Bin, and ships with an experimental Hyper-V shutdown feature. Only one victim appears on the Kyber leak site so far (a multi-billion-dollar American defence contractor and IT services provider), meaning most current victims are still in the extortion window and not publicly known.

Check
Hunt your Windows estate for files with a '.#~~~' extension, your ESXi hosts for files with a '.xhsyw' extension, and any Hyper-V and ESXi management surface for unexpected crontab entries or defaced login banners.
Affected
Any environment exposing Windows domain controllers or file servers alongside VMware ESXi infrastructure. ESXi variant targets datastore files, VM enumeration, and management interface defacement; Windows variant specifically targets Hyper-V in experimental mode. Organizations relying on shadow-copy-based recovery, SQL/Exchange snapshots, or on-disk backup services without immutable storage.
Fix
Enforce offline, immutable backups for every tier of your environment - Kyber explicitly destroys shadow copies, boot repair, and in-place backup services. Apply the ESXi hardening guidance (disable SSH when not in use, require MFA on vCenter, enable execInstalledOnly, patch to the latest ESXi build) to cut the affiliate's preferred initial-access paths. Alert on: crontab modifications on ESXi hosts, 'vim-cmd vmsvc/getallvms' followed by mass power-off, the '.#~~~' and '.xhsyw' file extensions on any write, and Windows event log clears. Given affiliate-level overlap with other ransomware operations, also review access paths through internet-facing VPN gateways and RDP.

Mandiant outs UNC6692 running IT-helpdesk impersonation over Microsoft Teams to deploy custom SNOW malware suite

Google's Mandiant team published a report on April 22 naming UNC6692, a previously untracked threat cluster running a high-conversion social engineering playbook against senior enterprise staff - 77% of observed targets were senior employees between March 1 and April 1, 2026. The attack opens with an email bombing burst, flooding the victim's inbox with spam to create urgency. The operator then sends a Microsoft Teams chat invite from an external account, posing as internal IT help, and offers to fix the spam problem via a link to a convincing phishing page called 'Mailbox Repair and Sync Utility v2.1.5'. The page forces Microsoft Edge via the microsoft-edge: URI scheme, harvests credentials through a fake 'Health Check' button, and downloads an AutoHotkey script from attacker-controlled AWS S3 that installs the SNOW malware family: SNOWBELT (a malicious Edge/Chromium extension disguised as 'MS Heartbeat' that holds persistence through Scheduled Tasks and a Startup-folder shortcut), SNOWGLAZE (a Python WebSocket tunneler wrapping traffic in Base64-encoded JSON), and SNOWBASIN (a Python bindshell for interactive remote control). Post-exploitation includes LSASS dumps, Pass-the-Hash lateral movement, PsExec and RDP over the SNOWGLAZE tunnel, and exfil via LimeWire.

Check
Block external Microsoft Teams chat invites to staff who do not need external collaboration (this should be the default for most organizations) and brief senior staff this week that an IT-helpdesk message over Teams asking them to install a fix is almost certainly hostile.
Affected
Any organization using Microsoft Teams with federated/external chat enabled by default, especially those without a standing 'IT never messages you on Teams without a pre-existing ticket' policy. Senior employees are disproportionately targeted. Windows endpoints are the payload platform, but the human layer is the actual vulnerability.
Fix
In Teams Admin Center, restrict external access so that external users cannot initiate chats with internal staff - require an internal user to invite them first. Alert on AutoHotkey binary execution from any path, on unexpected Chromium/Edge extensions appearing under Scheduled Tasks or Startup folders (especially ones named 'Heartbeat'), and on new outbound WebSocket traffic to AWS S3, CloudFront, or Heroku-hosted endpoints from user endpoints. Run a targeted awareness push to senior staff: show them the 'Mailbox Repair Utility' lure screenshots, emphasize that IT will never ask them to run a 'local patch' over Teams, and give them a one-click way to report a suspicious Teams DM.

Microsoft warns of external Teams chats abused for helpdesk impersonation - 9-stage attack chain uses Quick Assist and Rclone for data theft

Microsoft Threat Intelligence is warning of a surge in attacks where threat actors pose as IT or helpdesk staff in external Microsoft Teams cross-tenant chats to trick employees into granting remote access - then use legitimate tools to steal data while blending into normal IT activity. The attack chain has nine stages. First, the attacker opens an external Teams chat claiming to be internal IT addressing an account issue. They talk the target into starting a Quick Assist remote support session, giving the attacker direct control of the machine. From there they do quick recon via Command Prompt and PowerShell, drop a small payload in user-writable locations like ProgramData, and execute it through DLL side-loading using a trusted signed application (Autodesk, Adobe Reader, Windows Error Reporting, or even data loss prevention software - any binary with a valid Microsoft-trusted signature). HTTPS C2 blends into normal outbound traffic. They establish persistence via Windows Registry, then use Windows Remote Management (WinRM) to move laterally to domain controllers and high-value assets. Final stage: Rclone exfiltrates filtered data to external cloud storage. Microsoft's detection guidance is blunt - this blends into legitimate admin activity and is hard to distinguish from routine IT support.

Check
Audit your Teams tenant configuration today. Do external users from unknown tenants have the ability to start chats with your employees? If yes, this attack vector is open.
Affected
Any organization using Microsoft Teams with external collaboration enabled, particularly with 'Anyone' or broad external access allowed. Non-technical staff who may not recognize the pattern of an external Teams contact impersonating IT. Environments where Quick Assist is not restricted and WinRM is widely enabled.
Fix
In Teams Admin Center, set External Access to allow only specific trusted domains (not 'Anyone'). Train staff to treat any external Teams contact claiming to be IT as hostile by default - legitimate internal IT does not chat from an external tenant. Restrict or audit Quick Assist: if you don't use it, disable it via GPO or Intune. Limit WinRM to specific admin jump boxes rather than allowing it across the domain. Monitor for Rclone execution (filename and parent process) - there's essentially no legitimate business reason for Rclone to run on endpoint machines. Flag any outbound HTTPS traffic from endpoints to consumer cloud storage domains (Mega, Dropbox, Google Drive) that doesn't match expected user behavior.

The Gentlemen ransomware operation hiding 1,570+ unreported victims per Check Point C2 analysis - 5x larger than leak site suggests

Check Point researchers gained visibility into a SystemBC command-and-control server used by an affiliate of The Gentlemen ransomware-as-a-service operation and found over 1,570 compromised corporate networks that have not been publicly disclosed. The group's own data leak site only lists about 320 victims, meaning the real footprint is nearly 5x larger than public reporting suggests. The Gentlemen emerged in July 2025 and has become one of the most prolific RaaS operations. It uses a Go-based locker targeting Windows, Linux, NAS, and BSD systems, operates a classic double-extortion model, and abuses legitimate drivers plus custom tooling to bypass defenses. SystemBC is a SOCKS5 tunneling proxy that uses RC4-encrypted C2 communications and can download and execute additional malware in memory. Attack chain: initial access via internet-facing services or compromised credentials, followed by reconnaissance, Cobalt Strike deployment, SystemBC tunneling, lateral movement using Group Policy Objects for domain-wide compromise, then the encryptor. A notable TTP: during lateral movement, The Gentlemen pushes a PowerShell script that disables Windows Defender real-time monitoring, adds broad exclusions for staging shares and its own process, shuts down the firewall, re-enables SMB1, and loosens LSA anonymous access controls before deploying the ransomware binary on each reachable host. The ESXi variant shuts down virtual machines, adds persistence via crontab, and inhibits recovery. Victim geography spans US, UK, Germany, Australia, and Romania.

Check
Audit your environment for SystemBC indicators and GPO abuse patterns. The Gentlemen's 1,570+ victim count means there's a meaningful chance you or your peers are already compromised without knowing it.
Affected
Any organization with internet-facing services (VPN gateways, RDP, remote admin portals) or weak credential hygiene is at risk of initial access. Environments where Windows Defender exclusions can be modified via GPO, where SMB1 can be re-enabled, or where LSA anonymous access controls can be loosened are at acute risk of the full attack chain. VMware ESXi environments are specifically targeted by a Linux variant.
Fix
Hunt for SystemBC: look for outbound SOCKS5 connections to non-corporate destinations, RC4-encrypted traffic patterns, and unexpected tunneling processes. Alert on any GPO modification that adds Windows Defender exclusions, disables real-time monitoring, re-enables SMB1, or loosens LSA anonymous access settings - these are near-certain indicators of ransomware staging. For ESXi, monitor for unauthorized crontab modifications and VM shutdown commands. Review privileged credentials used in GPO management - compromise of a single GPO admin account gives attackers domain-wide ransomware deployment capability. Confirm backups are offline and immutable; The Gentlemen's ESXi variant actively inhibits recovery.

Attacker bought 30+ WordPress plugins on Flippa, planted backdoor in August 2025, activated it 8 months later across hundreds of thousands of sites

One of the most methodical WordPress supply chain attacks ever: a buyer known only as 'Kris' purchased the entire Essential Plugin portfolio (30+ free WordPress plugins) on the Flippa marketplace for six figures. In August 2025, they injected a PHP deserialization backdoor in version 2.6.7, disguised as a compatibility check for WordPress 6.8.2. The malicious code sat dormant for eight months, building trust. On April 5-6, 2026, the attacker activated it - the C2 domain analytics.essentialplugin[.]com began distributing payloads to every site running the compromised plugins. The backdoor injected cloaked SEO spam into wp-config.php, visible only to Googlebot. WordPress.org permanently closed all 31 plugins on April 7 and pushed a forced auto-update - but the cleanup only removed the phone-home code, not the wp-config.php modifications, meaning compromised sites still served spam after the 'fix'. This happened the same week as the Smart Slider 3 supply chain attack we reported April 11 - two different supply chain attacks via the WordPress trusted update channel in one week.

Check
Check if any of your WordPress sites use plugins from the Essential Plugin / WP Online Support author. The full list of 31 affected plugins includes Starter Templates, Starter Templates for Starter Template, Blog Designer, Countdown Timer Ultimate, Starter Templates Manager, and many more.
Affected
WordPress sites running any of the 31 Essential Plugin plugins that were active before April 8, 2026. The backdoor was present since version 2.6.7 (August 2025). Affected plugins include: Starter Templates for starter template themes, Blog Designer for Post and Widget, Countdown Timer Ultimate, Album and Image Gallery Plus Lightbox, Audio Player with Playlist Ultimate, and 26+ others.
Fix
If any affected plugin was active on your site: (1) Check wp-config.php for injected code and clean it manually - the WordPress.org forced update did NOT fix this. (2) Search for and remove wp-comments-posts.php if present. (3) Scan all files for additional payloads. (4) Rotate all admin and database credentials. (5) Check for hidden admin accounts. The WordPress.org forced update to 2.6.9.1 disabled the phone-home mechanism but did not remediate existing compromise. Treat affected sites as fully compromised.

FBI and CISA warn Iranian hackers are targeting internet-exposed Rockwell PLCs at US water and energy facilities

A joint FBI/CISA advisory warns that Iranian-affiliated APT actors are actively targeting internet-exposed Rockwell Automation and Allen-Bradley programmable logic controllers across US critical infrastructure - specifically Government Services, Water and Wastewater Systems, and Energy sectors. The attacks have caused financial losses and operational disruptions since March 2026, with the FBI confirming attackers extracted PLC project files and manipulated data displayed on HMI and SCADA systems. The escalation is linked to ongoing hostilities between Iran, the US, and Israel.

Check
If you operate or support organizations with industrial control systems, check whether any Rockwell/Allen-Bradley PLCs are directly exposed to the internet.
Affected
Organizations running internet-exposed Rockwell Automation and Allen-Bradley PLCs, particularly in water treatment, energy, and government facilities. Any PLC reachable from the public internet without VPN or network segmentation is at risk.
Fix
Remove all PLC management interfaces from internet exposure immediately - these should only be accessible via dedicated OT networks or VPN. Change all default credentials on PLCs and HMI systems. Monitor for unauthorized access to PLC project files and unexpected changes to HMI/SCADA displays. Follow the joint advisory's indicators of compromise and detection signatures.