Urgent Threats & Advisories

Active and archived focus items for SOC teams and threat hunters

ACTIVE RIGHT NOW

CRITICALADVISORY14h ago

Miasma Malware Targets npm Packages and GitHub Actions in Supply Chain Attack

Miasma malware is actively compromising npm packages and GitHub Actions workflows to steal developer credentials and secrets. Developers using affected packages or GitHub Actions are at immediate risk of credential theft and account takeover. This supply chain attack can cascade across organizations through compromised dependencies and CI/CD pipelines.

Action required
Audit all npm package dependencies and GitHub Actions in your CI/CD pipelines for suspicious updates or modifications from the last 30 days. Rotate all developer credentials, GitHub tokens, and secrets that may have been exposed through build environments. Block execution of unsigned or unverified GitHub Actions workflows.
npmGo
CRITICALADVISORY14h ago

New SharkLoader Malware Deploys Cobalt Strike in StrikeShark Cyberattacks

SharkLoader malware is actively deploying Cobalt Strike Beacon in the StrikeShark campaign targeting government, diplomatic, and software development organizations in Indonesia, Taiwan, and beyond. Attackers are exploiting known Exchange vulnerabilities (ProxyLogon, ProxyNotShell) for initial access. Successful compromise leads to command and control via Cobalt Strike, enabling lateral movement and data exfiltration.

Action required
Hunt for and block SharkLoader and Cobalt Strike IOCs across your network. Prioritize monitoring Exchange servers for exploitation attempts and suspicious authentication patterns. Scan for lateral movement and beacon callbacks.
KasperskyExchange ServerOpenfireGeoServer
HIGHADVISORY14h ago

Amazon Q Developer Flaw Could Let Malicious Repos Run Code via MCP Configs

Amazon Q Developer contained a code execution vulnerability (CVE-2026-12957, CVSS 8.5) that allowed attackers to run arbitrary code and steal AWS credentials through malicious MCP config files in cloned repositories. All four IDE plugins (VS Code, JetBrains, Eclipse, Visual Studio) were affected. Developers who opened untrusted repos and approved workspace trust were at risk.

Action required
Patch Language Servers for AWS to version 1.69.0 or later immediately across all development environments. Review developer activity logs for suspicious MCP server launches or credential access in the past 30 days.
AmazonAmazon Q DeveloperLanguage Servers for AWSWiz Research

ARCHIVE

Category:
Severity:
No focus items found.
Try a different filter.