TL;DR
Critical vulnerabilities in Funnel Builder, Cisco SD-WAN, and Microsoft Exchange are under active exploitation. Multiple supply chain attacks targeting npm packages and TanStack threaten developer environments. Immediate patching required across WordPress, network infrastructure, and cloud systems.
Executive Summary
- Funnel Builder WordPress plugin vulnerability actively exploited to inject malicious JavaScript into WooCommerce checkout pages for payment data theft
- Cisco SD-WAN maximum severity (CVSS 10.0) vulnerability under active exploitation; CISA mandated federal agency patching by deadline
- Supply chain attacks compromised TanStack npm package and node-ipc, affecting OpenAI and other AI/developer organizations with credential theft
- Microsoft Exchange Server zero-day (CVE-2026-42897) exploited in the wild; temporary mitigations released pending patch availability
- Russian state-sponsored Turla APT evolved Kazuar backdoor into modular P2P botnet for persistent access and data collection
Top Threats Today
1. Funnel Builder WooCommerce Checkout Skimming Campaign
Severity: Critical. Affected: Retail, Technology
A critical vulnerability in the Funnel Builder plugin for WordPress is being actively exploited in the wild to inject malicious JavaScript into WooCommerce checkout pages. Attackers are stealing payment card data and customer credentials from compromised online stores. This represents a direct threat to financial data integrity and customer trust.
Recommended Action
- Immediately update Funnel Builder plugin to patched version; disable plugin if patch unavailable
- Audit WooCommerce checkout pages for injected JavaScript and suspicious code modifications
- Review payment processor logs for unauthorized transactions; notify affected customers
- Implement Web Application Firewall (WAF) rules to detect malicious checkout injection patterns
2. Cisco SD-WAN Authentication Bypass & Remote Code Execution
Severity: Critical. Affected: Government, Technology, Telecom
A CVSS 10.0 vulnerability in Cisco SD-WAN allows unauthenticated remote attackers to bypass authentication and obtain administrative privileges. This is the second maximum-severity exploitation in Cisco's network control system this year. CISA has mandated all federal agencies patch by Sunday. Active exploitation confirmed in the wild with immediate impact on network infrastructure integrity.
Recommended Action
- Apply Cisco security patch immediately; prioritize SD-WAN controllers and vManage systems
- Isolate affected SD-WAN infrastructure from untrusted networks pending patch deployment
- Monitor network access logs for unauthorized administrative account creation or privilege escalation
- Verify integrity of SD-WAN configuration and routing policies post-patch
3. TanStack and node-ipc Supply Chain Attack & Credential Theft
Severity: Critical. Affected: Technology
Malicious versions of the TanStack npm package and node-ipc have been published to the npm registry, compromising developer environments across multiple organizations including OpenAI. Attackers harvested credentials from code repositories, SSH keys, and authentication tokens. This supply chain compromise affects the software development lifecycle at scale and threatens intellectual property and production systems.
Recommended Action
- Audit npm package dependencies; identify and update/remove compromised TanStack and node-ipc versions
- Rotate all exposed credentials: SSH keys, API tokens, repository credentials, cloud authentication materials
- Review git commit history and code repository access logs for unauthorized access during compromise window
- Implement software composition analysis (SCA) tooling and dependency pinning to prevent automatic updates from malicious releases
- Force macOS system updates for affected developer machines
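One way to run the dependency audit and pinning check described above, as an added example that is not part of the original brief: it reads a constructed package-lock.json (lockfileVersion 3) to find deny-listed releases, including copies nested under other packages, and flags package.json specs that are not pinned to an exact version. Package names, versions and file contents are placeholders, not the real compromised releases.

```python
import json
import re

# Constructed deny list: names and versions are PLACEHOLDERS, not real compromised releases.
DENYLIST = {
    "@tanstack/example-pkg": {"0.0.0-placeholder"},
    "node-ipc": {"0.0.0-placeholder"},
}

# An exact semver spec (optionally with a prerelease tag); anything else is a range.
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$")

# Constructed sample files for the demonstration.
PACKAGE_JSON = """{
  "dependencies": {"@tanstack/example-pkg": "^5.0.0", "node-ipc": "0.0.0-placeholder",
                   "express": "4.18.2"}
}"""
PACKAGE_LOCK = """{
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "app"},
    "node_modules/@tanstack/example-pkg": {"version": "0.0.0-placeholder"},
    "node_modules/node-ipc": {"version": "0.0.0-placeholder"},
    "node_modules/express": {"version": "4.18.2"},
    "node_modules/express/node_modules/node-ipc": {"version": "1.0.0"}
  }
}"""

def parse_lock(lock_text):
    """Map package name -> set of installed versions, including nested node_modules copies."""
    found = {}
    for path, meta in json.loads(lock_text).get("packages", {}).items():
        if not path:  # the empty key is the root project itself
            continue
        name = path.rsplit("node_modules/", 1)[-1]  # keeps scoped names like @scope/pkg
        found.setdefault(name, set()).add(meta.get("version"))
    return found

def denylisted(installed, denylist=DENYLIST):
    """Return sorted (name, version) pairs present in the lock that are on the deny list."""
    return sorted((n, v) for n, vs in installed.items() for v in vs if v in denylist.get(n, ()))

def unpinned(package_json_text):
    """Return dependency names whose spec is a range (^, ~, *, latest, ...) rather than exact."""
    pkg = json.loads(package_json_text)
    deps = {**pkg.get("dependencies", {}), **pkg.get("devDependencies", {})}
    return sorted(n for n, spec in deps.items() if not EXACT_VERSION.match(spec.strip()))

def audit(package_json_text, lock_text):
    return {"denylisted": denylisted(parse_lock(lock_text)), "unpinned": unpinned(package_json_text)}

if __name__ == "__main__":
    print(audit(PACKAGE_JSON, PACKAGE_LOCK))
```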
4. Microsoft Exchange Server Zero-Day Active Exploitation
Severity: Critical. Affected: Government, Finance, Technology
The Microsoft Exchange Server zero-day vulnerability (CVE-2026-42897) is under active exploitation in the wild. Microsoft has released temporary mitigation guidance only; a permanent patch is pending. Exchange servers are high-value targets for espionage, ransomware deployment, and persistent access. Exploitation enables complete email system compromise.
Recommended Action
- Implement Microsoft's published mitigations immediately; monitor Microsoft security advisory for permanent patch release timeline
- Review Exchange server access logs for suspicious administrative actions, email forwarding rules, or OWA authentication anomalies
- Segment Exchange infrastructure from critical systems; restrict network access to authenticated users only
- Prepare patch deployment infrastructure for critical security update when released
5. Turla APT: Kazuar Backdoor Evolved into Modular P2P Botnet
Severity: High. Affected: Government, Defense, Technology
Russian state-sponsored APT group Turla has transformed its Kazuar backdoor into a modular peer-to-peer botnet engineered for stealth and persistent access. This evolution enables long-term data exfiltration, lateral movement, and resilient command-and-control communications. Turla targets government, defense, and critical infrastructure entities with nation-state collection objectives.
Recommended Action
- Cross-reference threat intelligence indicators of compromise (IoCs) against network traffic and endpoint telemetry
- Implement behavioral detection for peer-to-peer communications, suspicious process injection, and lateral movement patterns
- Hunt for Kazuar artifacts: registry modifications, persistence mechanisms, and communication patterns in EDR/SIEM platforms
- Enhance monitoring of privileged account activity and administrative tool usage (PowerShell, WMI, Certutil)
Today’s Action Checklist
- ☑ URGENT: Patch Cisco SD-WAN systems before Sunday CISA deadline; verify federal agency compliance
- ☑ URGENT: Remove/update compromised npm packages (TanStack, node-ipc); rotate all repository and deployment credentials
- ☑ URGENT: Disable or patch Funnel Builder WordPress plugin; audit WooCommerce checkout pages for injected code
- ☐ HIGH: Implement Microsoft Exchange Server CVE-2026-42897 mitigations; stage permanent patch for deployment
- ☐ HIGH: Hunt for Turla Kazuar indicators; enhance EDR/behavioral detection for APT activity patterns
- ☐ HIGH: Review all payment processor and email system logs for unauthorized access during last 48 hours
- ☐ MEDIUM: Update security awareness training to address supply chain and admin tool abuse attack vectors
- ☐ MEDIUM: Conduct supply chain risk assessment; enhance third-party software inventory and dependency tracking