[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f4nH2K2bsX7kFUZMXRkrAMMn4NiirQFeC9NkaAyCE6Eg":3},{"roundup":4},{"id":5,"week_label":6,"slug":7,"date_from":8,"date_to":9,"tldr":10,"full_brief":11,"top_iocs":12,"social_linkedin":63,"social_x":64,"article_count":65,"awareness_links":66,"status":127,"published_at":128,"created_at":129,"updated_at":129,"mastodon_posted_at":130,"executive_summary":131,"tagline":132,"cover_image_url":133},"738f0b28-608e-400e-9b21-709d3819dec9","2026-W17","2026-w17","2026-04-20","2026-04-26","🔥 Supply chain attacks evolved with wormable npm malware targeting developer toolchains\n🛡️ Cisco firewalls compromised with persistent backdoors surviving firmware updates\n🎯 Nation-state actors industrializing botnets while exploiting home routers for corporate access\n📱 Mobile and AI threats expanding with fake wallet apps and prompt injection campaigns\n⚖️ Regulatory pressure mounting with DORA compliance and CISA emergency directives\n🏢 Major breaches hit telehealth, insurance, and government agencies across multiple countries","## Supply Chain & Infrastructure\n\n**[Bitwarden CLI npm package compromised to steal developer credentials](https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fbitwarden-cli-npm-package-compromised-to-steal-developer-credentials\u002F)**. Attackers injected credential-stealing malware into version 2026.4.0 for 93 minutes, targeting npm tokens, GitHub auth, SSH keys, and cloud credentials via compromised CI\u002FCD pipeline.\n\n**[TeamPCP Hijacks Bitwarden CLI, Uses Dependabot to Deploy Shai-Hulud Malware](https:\u002F\u002Fhackread.com\u002Fteampcp-bitwarden-cli-dependabot-shai-hulud-malware\u002F)**. 
The attack leveraged a compromised Checkmarx Docker image that GitHub Dependabot automatically pulled, deploying a self-propagating worm that uses GitHub as C2.\n\n**[LAPSUS$ Group claims 3 victims including MAPFRE, Vodafone, and Checkmarx](https:\u002F\u002Fx.com\u002FDarkWebInformer\u002Fstatus\u002F2048185612209881515)**. The notorious threat group continues high-profile targeting across Spain, UK, and Israel.\n\n### Key Takeaway\nImplement strict dependency scanning, enable npm audit, and review all automated CI\u002FCD workflows for unauthorized changes.\n\n## Vulnerabilities & Exploits\n\n**[Firestarter malware survives Cisco firewall updates, security patches](https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Ffirestarter-malware-survives-cisco-firewall-updates-security-patches\u002F)**. UAT-4356 deployed a persistent backdoor on Cisco ASA\u002FFTD devices via CVE-2025-20333 and CVE-2025-20362, surviving firmware updates through LINA process hooking.\n\n**[Hackers exploit file upload bug in Breeze Cache WordPress plugin](https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fhackers-exploit-file-upload-bug-in-breeze-cache-wordpress-plugin\u002F)**. CVE-2026-3844 allows unauthenticated RCE, with over 170 exploitation attempts detected.\n\n**[Over 10,000 Zimbra servers vulnerable to ongoing XSS attacks](https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fcisa-says-zimbra-flaw-now-exploited-over-10k-servers-vulnerable\u002F)**. CVE-2025-48700 added to CISA KEV catalog with active APT28 exploitation.\n\n**[CISA Adds Four Known Exploited Vulnerabilities to Catalog](https:\u002F\u002Fwww.cisa.gov\u002Fnews-events\u002Falerts\u002F2026\u002F04\u002F24\u002Fcisa-adds-four-known-exploited-vulnerabilities-catalog)**. D-Link DIR-823X command injection and Samsung MagicINFO path traversal are among the newly cataloged threats.\n\n### Key Takeaway\nPatch Cisco firewalls immediately and perform CISA-mandated memory dumps; federal agencies have until April 30 to comply.\n\n## APT & Nation-State\n\n**[Researchers Uncover Pre-Stuxnet 'fast16' Malware Targeting Engineering Software](https:\u002F\u002Fthehackernews.com\u002F2026\u002F04\u002Fresearchers-uncover-pre-stuxnet-fast16.html)**. SentinelOne discovered a Lua-based sabotage framework from 2005 designed to corrupt high-precision calculations in nuclear and physics software.\n\n**[Tropic Trooper Uses Trojanized SumatraPDF and GitHub to Deploy AdaptixC2](https:\u002F\u002Fthehackernews.com\u002F2026\u002F04\u002Ftropic-trooper-uses-trojanized.html)**. APT23 targets Chinese-speakers across Taiwan, Hong Kong, and Japan with GitHub as its C2 platform.\n\n**[Chinese APT Abuses Multiple Cloud Tools to Spy on Mongolia](https:\u002F\u002Fwww.darkreading.com\u002Fcyberattacks-data-breaches\u002Fchinese-apt-abuses-cloud-tools-spy-mongolia)**. State-sponsored actors use Outlook, Slack, Discord, and file.io for C2 to evade detection.\n\n### Key Takeaway\nMonitor for unusual traffic to legitimate cloud services and implement strict egress filtering for critical engineering systems.\n\n## Breaches & Data Theft\n\n**[ADT confirms data breach after ShinyHunters leak threat](https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fadt-confirms-data-breach-after-shinyhunters-leak-threat\u002F)**. A vishing attack compromised an employee's Okta SSO, exposing 10M customer records via Salesforce access.\n\n**[New BlackFile extortion group linked to surge of vishing attacks](https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fnew-blackfile-extortion-gang-targets-retail-and-hospitality-orgs\u002F)**. 
Group targets retail\u002Fhospitality with helpdesk impersonation to steal credentials and exfiltrate data for seven-figure ransoms.\n\n**[AgelessRx telehealth platform breached](https:\u002F\u002Fx.com\u002FDarkWebInformer\u002Fstatus\u002F2048139634610254108)**. Patient and prescription data offered for sale on cybercrime forums, raising HIPAA compliance concerns.\n\n### Key Takeaway\nStrengthen vishing awareness training and implement callback verification procedures for all IT support requests.\n\n## Mobile & Emerging Threats\n\n**[26 FakeWallet Apps Found on Apple App Store Targeting Crypto Seed Phrases](https:\u002F\u002Fthehackernews.com\u002F2026\u002F04\u002F26-fakewallet-apps-found-on-apple-app.html)**. Kaspersky identified malicious apps impersonating popular crypto wallets to steal recovery phrases.\n\n**[Threat actor uses Microsoft Teams to deploy new \"Snow\" malware](https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fthreat-actor-uses-microsoft-teams-to-deploy-new-snow-malware\u002F)**. UNC6692 uses email bombing and Teams helpdesk impersonation to distribute modular malware suite.\n\n**[AI threats in the wild: The current state of prompt injections on the web](http:\u002F\u002Fsecurity.googleblog.com\u002F2026\u002F04\u002Fai-threats-in-wild-current-state-of.html)**. 
Google found 32% increase in malicious prompt injections targeting AI systems.\n\n### Key Takeaway\nReview app store policies for crypto-related downloads and train staff to verify Teams-based IT support requests through separate channels.\n\n## References\n\n- https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fbitwarden-cli-npm-package-compromised-to-steal-developer-credentials\u002F\n- https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Ffirestarter-malware-survives-cisco-firewall-updates-security-patches\u002F\n- https:\u002F\u002Fthehackernews.com\u002F2026\u002F04\u002Fresearchers-uncover-pre-stuxnet-fast16.html\n- https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fadt-confirms-data-breach-after-shinyhunters-leak-threat\u002F\n- https:\u002F\u002Fwww.cisa.gov\u002Fnews-events\u002Falerts\u002F2026\u002F04\u002F24\u002Fcisa-adds-four-known-exploited-vulnerabilities-catalog\n- https:\u002F\u002Fthehackernews.com\u002F2026\u002F04\u002F26-fakewallet-apps-found-on-apple-app.html\n- http:\u002F\u002Fsecurity.googleblog.com\u002F2026\u002F04\u002Fai-threats-in-wild-current-state-of.html\n- https:\u002F\u002Fhackread.com\u002Fteampcp-bitwarden-cli-dependabot-shai-hulud-malware\u002F",[13,17,20,23,26,30,33,36,39,43,46,49,52,56,59],{"type":14,"value":15,"context":16},"malware","fast16","Nation-state malware compiled in 2005, predating Stuxnet",{"type":14,"value":18,"context":19},"Shai-Hulud","NPM worm referenced in Bitwarden payload with 'The Third Coming' string; previously infected 180+ packages in Sept and 640+ in Nov",{"type":14,"value":21,"context":22},"Firestarter","Custom backdoor malware persisting on Cisco ASA\u002FFTD devices via LINA process hooking",{"type":14,"value":24,"context":25},"Line Viper","Separate implant used to exfiltrate device configs, credentials, and encryption keys",{"type":27,"value":28,"context":29},"cve","CVE-2025-20333","Remote code execution in Cisco VPN web server component, 
exploited by UAT-4356",{"type":27,"value":31,"context":32},"CVE-2025-20362","Unauthorized access vulnerability in Cisco firewalls, exploited by UAT-4356",{"type":27,"value":34,"context":35},"CVE-2026-3844","Critical file upload vulnerability in Breeze Cache WordPress plugin allowing unauthenticated RCE",{"type":27,"value":37,"context":38},"CVE-2025-29635","D-Link DIR-823X command injection vulnerability",{"type":40,"value":41,"context":42},"domain","audit.checkmarx.cx","Malware C2 endpoint used for telemetry exfiltration in both Checkmarx and Bitwarden attacks",{"type":40,"value":44,"context":45},"cs2.ip.thc.org","C2\u002Fpayload distribution domain hosting target feed ZIP archives",{"type":40,"value":47,"context":48},"lepetitvapoteur.com","Breached French vape retailer domain",{"type":40,"value":50,"context":51},"checkmarx.cx","Exfiltration domain used in Checkmarx attack malware",{"type":53,"value":54,"context":55},"mitre_attack","T1087 - Account Discovery","Attacker reconnaissance to list available Code Interpreters",{"type":53,"value":57,"context":58},"T1528 - Steal Application Access Token","Exfiltration of agent memories and ECR images",{"type":60,"value":61,"context":62},"ip","151.245.195.142","C2 server delivering malicious DLL (demo.dll) via UNC path; server was offline at time of publication","This week brought unprecedented supply chain sophistication and infrastructure persistence:\n\n• TeamPCP compromised Bitwarden CLI via automated CI\u002FCD workflows, deploying self-propagating Shai-Hulud worm\n• Chinese APT deployed Firestarter backdoor on Cisco firewalls that survives firmware updates\n• Pre-Stuxnet fast16 malware discovered, targeting nuclear engineering calculations since 2005\n• LAPSUS$ claimed major breaches across Spain, UK, and Israel\n• BlackFile group escalated vishing attacks against retail and hospitality sectors\n\nFull roundup: https:\u002F\u002Fthreatnoir.com\u002Fweekly\u002F2026-w17\n\n#Cybersecurity #SupplyChain #ThreatIntelligence 
#APT #CriticalInfrastructure","Supply chains got weaponized this week. TeamPCP deployed wormable npm malware via CI\u002FCD, Chinese APT embedded persistent Cisco backdoors, and researchers found pre-Stuxnet sabotage from 2005. Plus LAPSUS$ claims 3 new victims.\n\nhttps:\u002F\u002Fthreatnoir.com\u002Fweekly\u002F2026-w17",80,[67,70,73,76,79,82,85,88,91,94,97,100,103,106,109,112,115,118,121,124],{"slug":68,"title":69},"npm-ecosystem-under-siege-advanced-supply-chain-attacks-target-developer-infrastructure","npm Ecosystem Under Siege: Advanced Supply Chain Attacks Target Developer Infrastructure",{"slug":71,"title":72},"persistent-malware-exploits-cisco-firewall-zero-days-survives-updates","Persistent Malware Exploits Cisco Firewall Zero-Days, Survives Updates",{"slug":74,"title":75},"advanced-phaas-toolkit-kali365-v2-targets-organizations-with-ai-generated-phishing","Advanced PhaaS Toolkit Kali365 v2 Targets Organizations with AI-Generated Phishing",{"slug":77,"title":78},"critical-vulnerabilities-added-to-cisa-kev-catalog-require-immediate-action","Critical Vulnerabilities Added to CISA KEV Catalog Require Immediate Action",{"slug":80,"title":81},"apt-group-exploits-home-router-vulnerabilities-for-corporate-access","APT Group Exploits Home Router Vulnerabilities for Corporate Access",{"slug":83,"title":84},"vishing-attack-leads-to-major-customer-data-breach-at-adt","Vishing Attack Leads to Major Customer Data Breach at ADT",{"slug":86,"title":87},"threat-actors-actively-recruiting-corporate-network-access-brokers","Threat Actors Actively Recruiting Corporate Network Access Brokers",{"slug":89,"title":90},"advanced-npm-supply-chain-attack-uses-wormable-propagation","Advanced npm Supply Chain Attack Uses Wormable Propagation",{"slug":92,"title":93},"aws-bedrock-agent-privilege-escalation-via-overprivileged-iam-roles","AWS Bedrock Agent Privilege Escalation via Overprivileged IAM 
Roles",{"slug":95,"title":96},"amazon-bedrock-agent-god-mode-iam-over-privilege-vulnerability","Amazon Bedrock Agent God Mode: IAM Over-Privilege Vulnerability",{"slug":98,"title":99},"mobile-malware-toolkit-targets-android-and-ios-devices","Mobile Malware Toolkit Targets Android and iOS Devices",{"slug":101,"title":102},"clickfix-campaign-exploits-user-trust-and-windows-tools-for-stealth-attacks","ClickFix Campaign Exploits User Trust and Windows Tools for Stealth Attacks",{"slug":104,"title":105},"peruvian-university-database-breach-exposes-student-records","Peruvian University Database Breach Exposes Student Records",{"slug":107,"title":108},"blackfile-group-exploits-human-vulnerabilities-through-vishing-campaigns","BlackFile Group Exploits Human Vulnerabilities Through Vishing Campaigns",{"slug":110,"title":111},"microsoft-entra-passkeys-strengthen-phishing-resistant-authentication","Microsoft Entra Passkeys Strengthen Phishing-Resistant Authentication",{"slug":113,"title":114},"advanced-persistent-threats-target-critical-infrastructure-for-decades","Advanced Persistent Threats Target Critical Infrastructure for Decades",{"slug":116,"title":117},"novel-malware-targets-scientific-computing-integrity","Novel Malware Targets Scientific Computing Integrity",{"slug":119,"title":120},"windows-usb-printing-driver-privilege-escalation-vulnerability","Windows USB Printing Driver Privilege Escalation Vulnerability",{"slug":122,"title":123},"packagekit-vulnerability-exposes-12-year-authentication-bypass-risk","PackageKit Vulnerability Exposes 12-Year Authentication Bypass Risk",{"slug":125,"title":126},"cybercrime-group-communications-exposed-due-to-poor-operational-security","Cybercrime Group Communications Exposed Due to Poor Operational Security","published","2026-04-26T07:59:38.626127+00:00","2026-04-26T07:59:12.542269+00:00","2026-04-26T08:00:19.411+00:00","### The week in one line\nSupply chain attacks evolved while nation-state actors embedded persistent 
infrastructure backdoors.\n\n### What happened\nAttackers refined their supply chain tactics with wormable npm malware and automated CI\u002FCD compromise. Meanwhile, state-sponsored groups achieved new levels of persistence and stealth.\n\n- TeamPCP compromised the Bitwarden CLI npm package via a poisoned Checkmarx Docker image, deploying the Shai-Hulud worm\n- Chinese threat actor UAT-4356 deployed the Firestarter backdoor on Cisco firewalls that survives firmware updates\n- SentinelOne discovered fast16, a 2005 sabotage framework targeting nuclear engineering software, predating Stuxnet\n- LAPSUS$ claimed breaches of MAPFRE, Vodafone, and Checkmarx across three countries\n- BlackFile extortion group launched vishing campaigns against retail and hospitality organizations\n\n### Why it matters for defenders and leaders\nThese incidents reveal fundamental gaps in supply chain trust models and infrastructure security. Attackers are weaponizing the tools defenders rely on daily while achieving unprecedented persistence.\n\n- Developer toolchain compromise can instantly propagate across entire organizations via automated workflows\n- Network security appliances themselves are becoming long-term attack platforms despite regular patching\n- Nation-state capabilities dating back two decades suggest current threat models significantly underestimate adversary sophistication\n- Social engineering attacks bypass technical controls by manipulating people through trusted communication channels\n\n### What to do this week\n- Audit all Cisco ASA and Firepower devices following CISA Emergency Directive 25-03 requirements\n- Review npm dependencies and enable strict package integrity verification in CI\u002FCD pipelines\n- Implement callback verification procedures for all IT support requests received via Teams or phone\n- Scan for CVE-2026-3844 in the WordPress Breeze Cache plugin and patch immediately\n- Train employees on vishing tactics targeting helpdesk impersonation scenarios","Supply chains weaponized, firewalls compromised","https:\u002F\u002Fcdn.threatnoir.com\u002Fweekly\u002F2026-w17-cover.png"]