Executive Summary
- GlassWorm campaign deploying a Zig dropper to compromise developer IDEs across multiple machines, targeting the software development supply chain
- Critical CVE-2026-39987 in Marimo (CVSS 9.3) exploited within 10 hours of disclosure; Iranian hackers targeting ~4,000 exposed US industrial PLCs
- Supply chain attacks escalating: Smart Slider 3 Pro backdoored via compromised update servers; CPUID API hijacked to push malware through the CPU-Z and HWMonitor tools
- Russian state-backed actors harvesting Microsoft Office tokens via router exploits; credential-based attacks becoming primary breach vector
- Sensitive healthcare data (PHI) exposed in Hims breach; wiper attacks targeting Iran-linked infrastructure and medical device manufacturers
Top Threats Today
1. GlassWorm Campaign – IDE Infection via Zig Dropper
Severity: Critical | Affected: Technology
The evolving GlassWorm campaign now employs a sophisticated Zig-based dropper to stealthily infect all integrated development environments on developer machines. This supply chain attack targets the software development lifecycle by compromising IDEs through Open VSX extensions, enabling attackers to inject malicious code into applications before distribution.
Recommended Action
- Audit all IDE extensions installed across development infrastructure; disable Open VSX and third-party extension sources until verified
- Implement application whitelisting on developer machines and enforce code signing verification for all IDE plugins
- Review recent code commits and build artifacts for indicators of compromise; scan development environments with updated threat signatures
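The first recommended action, auditing installed IDE extensions, is straightforward to script. The following is an added example and not code from the briefing or from any IDE vendor: it walks the extension roots used by the VS Code family (VS Code, code-oss/VSCodium, which is Open VSX backed, and remote-server installs; these paths are assumptions), reads each extension's package.json, and reports anything that is not on a publisher.name allowlist or has no usable manifest. The allowlist and the sample extension tree are constructed.

```python
"""Audit installed IDE extensions against an allowlist.

Added example, not part of the original briefing. Directory layout follows
the VS Code family convention <root>/<publisher>.<name>-<version>/package.json;
the roots and allowlist below are assumptions to adapt to your fleet.
"""
import json
import tempfile
from pathlib import Path
from typing import Iterable, Optional

# Typical extension roots for VS Code, code-oss/VSCodium (Open VSX backed) and
# remote-server installs. Assumed locations; extend for other IDEs.
DEFAULT_EXTENSION_ROOTS = [
    Path.home() / ".vscode" / "extensions",
    Path.home() / ".vscode-oss" / "extensions",
    Path.home() / ".vscode-server" / "extensions",
]

# Constructed sample allowlist of "publisher.name" identifiers (lower-case).
SAMPLE_ALLOWLIST = {"ms-python.python", "redhat.vscode-yaml"}


def read_manifest(ext_dir: Path) -> Optional[dict]:
    """Return the parsed package.json of an extension directory, or None."""
    manifest = ext_dir / "package.json"
    if not manifest.is_file():
        return None
    try:
        data = json.loads(manifest.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return None
    return data if isinstance(data, dict) else None


def audit_extensions(roots: Iterable[Path], allowlist: set) -> list:
    """One finding per extension that is not allowlisted or has no usable manifest."""
    findings = []
    for root in roots:
        root = Path(root)
        if not root.is_dir():
            continue
        for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
            data = read_manifest(ext_dir)
            if data is None:
                findings.append({"id": ext_dir.name, "version": None,
                                 "path": str(ext_dir),
                                 "reason": "missing or unreadable package.json"})
                continue
            ext_id = f"{data.get('publisher', '?')}.{data.get('name', '?')}".lower()
            if ext_id not in allowlist:
                findings.append({"id": ext_id, "version": data.get("version"),
                                 "path": str(ext_dir),
                                 "reason": "not on allowlist"})
    return findings


def build_sample_tree(root: Path) -> None:
    """Create a constructed extension tree: one allowlisted, one unknown, one broken."""
    samples = {
        "ms-python.python-2024.1.0": {"publisher": "ms-python", "name": "python", "version": "2024.1.0"},
        "unknown-pub.theme-helper-1.0.0": {"publisher": "unknown-pub", "name": "theme-helper", "version": "1.0.0"},
    }
    for dirname, manifest in samples.items():
        d = root / dirname
        d.mkdir(parents=True)
        (d / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    (root / "broken.ext-0.1").mkdir()   # no package.json at all


def demo() -> list:
    """Run the audit over the constructed tree and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "extensions"
        build_sample_tree(root)
        return audit_extensions([root], SAMPLE_ALLOWLIST)


if __name__ == "__main__":
    # Real run: audit the default roots, then print anything that needs review.
    for f in audit_extensions(DEFAULT_EXTENSION_ROOTS, SAMPLE_ALLOWLIST):
        print(f"{f['reason']:<32} {f['id']} {f['version'] or ''} ({f['path']})")
```

Run it under the same account the developer uses, because extension roots live in the user's home directory; a fleet-wide run pushes the findings list to a central location rather than trusting each machine's own report.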
2. Critical Marimo RCE (CVE-2026-39987) – Pre-Auth Code Execution
Severity: Critical | Affected: Technology
A pre-authentication remote code execution vulnerability in Marimo (CVSS 9.3) was actively exploited within 10 hours of public disclosure. Data science teams using Marimo for analysis are at immediate risk of complete system compromise, since exploitation requires no authentication.
Recommended Action
- Immediately update Marimo to the latest patched release; isolate affected Marimo instances from the network if patching is delayed
- Review Marimo instance logs for unauthorized access attempts and code execution artifacts dating back 72 hours minimum
- Disable internet-exposed Marimo instances and require VPN access; implement network segmentation for data science platforms
3. Iranian Hackers Targeting US Industrial Control Systems – 4,000 Exposed PLCs
Severity: Critical | Affected: Energy, Manufacturing, Government
Iranian-linked cyber actors are conducting reconnaissance against approximately 4,000 internet-exposed Rockwell Automation programmable logic controllers (PLCs) in US critical infrastructure. This reconnaissance phase precedes potential disruptive attacks on energy, water, and manufacturing sectors.
Recommended Action
- Immediately remove all PLCs and SCADA systems from public internet exposure; implement air-gapped networks or industrial firewalls with strict egress filtering
- Deploy network segmentation isolating operational technology (OT) from information technology (IT) networks; restrict administrative access to OT systems
- Activate industrial control system monitoring; increase logging verbosity for PLC authentication, firmware changes, and unusual command sequences
4. Smart Slider 3 Pro – Backdoored Plugin via Supply Chain Compromise
Severity: Critical | Affected: Technology, Retail
Unknown threat actors compromised Nextend servers to push a backdoored version of Smart Slider 3 Pro (v3.5.1.35) to WordPress and Joomla users. The compromised update system distributed malicious code to websites using this popular slider plugin, affecting thousands of web properties.
Recommended Action
- Immediately audit WordPress and Joomla environments for Smart Slider 3 Pro v3.5.1.35; roll back to pre-compromise version or remove plugin
- Scan all web application files for webshell backdoors; review web server logs for suspicious POST requests and file uploads
- Change all WordPress/Joomla administrative credentials and API keys; implement integrity monitoring on plugin directories
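The audit and integrity-monitoring actions above can be combined in one check. The following is an added example, not code from the briefing or from the plugin vendor: it reads the standard WordPress plugin header (the "Plugin Name:" and "Version:" lines in a plugin's main PHP file) to find Smart Slider 3 Pro installs at the compromised version named above, takes a SHA-256 baseline of the plugin directory so later runs report added, removed or modified files, and applies a small obfuscation regex as a triage signal. The plugin directory slug, the second plugin and all file contents in the demo are constructed; only the version string 3.5.1.35 comes from the advisory.

```python
"""Locate Smart Slider 3 Pro installs by version and verify plugin-directory integrity.

Added example, not part of the original briefing or of the plugin. The demo
tree, its slug "smart-slider-3-pro" and file contents are constructed; the
compromised version string comes from the advisory text.
"""
import hashlib
import re
import tempfile
from pathlib import Path

COMPROMISED_VERSIONS = {"3.5.1.35"}

# Header lines look like " * Version: 3.5.1.35" or "Version: 3.5.1.35".
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.M)

# Obfuscation wrappers that never belong in a slider plugin. Triage signal only;
# the authoritative check is the hash baseline below.
SUSPICIOUS_PHP = re.compile(
    rb"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)


def read_plugin_header(php_file: Path) -> dict:
    """Parse the WordPress-style header block from the first 8 KB of a PHP file."""
    head = php_file.read_bytes()[:8192].decode("utf-8", "replace")
    return dict(HEADER_RE.findall(head))


def find_plugins(plugins_root: Path) -> list:
    """Return name/version/dir for every plugin directory with a WordPress header."""
    found = []
    for plugin_dir in sorted(p for p in Path(plugins_root).iterdir() if p.is_dir()):
        for php in sorted(plugin_dir.glob("*.php")):
            hdr = read_plugin_header(php)
            if "Plugin Name" in hdr:
                found.append({"name": hdr["Plugin Name"],
                              "version": hdr.get("Version", ""), "dir": plugin_dir})
                break
    return found


def flag_compromised(plugins: list, name_fragment: str = "Smart Slider 3 Pro") -> list:
    return [p for p in plugins
            if name_fragment.lower() in p["name"].lower()
            and p["version"] in COMPROMISED_VERSIONS]


def hash_tree(plugin_dir: Path) -> dict:
    """SHA-256 of every file, keyed by POSIX-style path relative to the plugin dir."""
    return {f.relative_to(plugin_dir).as_posix(): hashlib.sha256(f.read_bytes()).hexdigest()
            for f in sorted(p for p in Path(plugin_dir).rglob("*") if p.is_file())}


def diff_manifest(baseline: dict, current: dict) -> dict:
    """Compare a stored baseline against a fresh hash_tree() result."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
    }


def scan_for_obfuscation(plugin_dir: Path) -> list:
    return [f.relative_to(plugin_dir).as_posix()
            for f in sorted(Path(plugin_dir).rglob("*.php"))
            if SUSPICIOUS_PHP.search(f.read_bytes())]


def demo() -> dict:
    """Constructed plugins tree: take a baseline, drop in an obfuscated file, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        plugins = Path(tmp) / "wp-content" / "plugins"
        slider = plugins / "smart-slider-3-pro"          # constructed slug
        slider.mkdir(parents=True)
        (slider / "smart-slider-3-pro.php").write_text(
            "<?php\n/**\n * Plugin Name: Smart Slider 3 Pro\n * Version: 3.5.1.35\n */\n",
            encoding="utf-8")
        other = plugins / "sample-contact-form"          # constructed, unaffected plugin
        other.mkdir()
        (other / "sample-contact-form.php").write_text(
            "<?php\n/*\nPlugin Name: Sample Contact Form\nVersion: 2.0.0\n*/\n", encoding="utf-8")

        baseline = hash_tree(slider)                      # store this off-host in practice
        # Simulate a foreign file appearing after the baseline. The payload is
        # base64 of "echo 1;", harmless and constructed purely to trip the regex.
        (slider / "library").mkdir()
        (slider / "library" / "cache.php").write_text(
            "<?php eval(base64_decode('ZWNobyAxOw==')); ?>", encoding="utf-8")

        found = find_plugins(plugins)
        return {
            "flagged": flag_compromised(found),
            "diff": diff_manifest(baseline, hash_tree(slider)),
            "obfuscated": scan_for_obfuscation(slider),
        }
```

The baseline must be taken from a copy known to predate the compromise (a vendor download verified out of band, or a backup from before the malicious update was pushed); a baseline captured from an already-backdoored install will simply report the backdoor as unchanged.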
5. Russian State Actors Harvesting Office Tokens via Router Exploits
Severity: Critical | Affected: Government, Finance, Technology
Russian military intelligence-linked hackers are exploiting known vulnerabilities in older internet routers to intercept and harvest authentication tokens from Microsoft Office users at scale. This campaign enables attackers to maintain persistent access to enterprise cloud services and email systems without detection.
Recommended Action
- Inventory all enterprise routers and network appliances; immediately patch or replace devices running firmware older than 18 months
- Enforce phishing-resistant multi-factor authentication (MFA) such as FIDO2 security keys; disable password-only authentication for Microsoft Office and cloud services
- Implement conditional access policies requiring device health verification and risk-based authentication; monitor for anomalous Office token activity and impossible travel logins
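The last action, watching for impossible-travel sign-ins, is the detection that catches a harvested token being replayed from somewhere the user is not. The following is an added example rather than the briefing's or any identity provider's logic: it groups sign-in events per user, orders them by time, and alerts when the great-circle distance between consecutive sign-ins could not have been covered at a plausible speed. The CSV lines, coordinates and the 900 km/h threshold are constructed assumptions; in practice the fields come from your identity provider's sign-in export.

```python
"""Impossible-travel detection over sign-in events.

Added example, not part of the original briefing. Input lines are a constructed
CSV of "timestamp,user,location,lat,lon"; the speed threshold is an assumption.
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0   # about airliner cruise speed; tune per organisation


@dataclass(frozen=True)
class SignIn:
    user: str
    when: datetime
    location: str
    lat: float
    lon: float


def parse_log(text: str) -> list:
    """Parse the constructed CSV format; blank lines and '#' comments are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, user, location, lat, lon = (s.strip() for s in line.split(","))
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(SignIn(user, when, location, float(lat), float(lon)))
    return events


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in km between two latitude/longitude points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events, max_speed_kmh: float = MAX_PLAUSIBLE_SPEED_KMH) -> list:
    """Flag consecutive sign-ins per user that would require an implausible speed."""
    by_user = {}
    for e in events:
        by_user.setdefault(e.user, []).append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.when)            # exports are not always time-ordered
        for prev, cur in zip(evs, evs[1:]):
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.when - prev.when).total_seconds() / 3600.0
            # Same instant, different places: treat as infinite speed.
            if hours == 0:
                speed = float("inf") if dist > 0 else 0.0
            else:
                speed = dist / hours
            if speed > max_speed_kmh:
                alerts.append({"user": user, "from": prev.location, "to": cur.location,
                               "km": round(dist), "hours": round(hours, 2),
                               "kmh": None if speed == float("inf") else round(speed)})
    return alerts


SAMPLE_LOG = """\
# constructed sign-in export: timestamp,user,location,lat,lon
2026-04-20T08:00:00Z,alice,New York,40.7128,-74.0060
2026-04-20T08:30:00Z,alice,Moscow,55.7558,37.6173
2026-04-20T09:00:00Z,bob,New York,40.7128,-74.0060
2026-04-20T12:00:00Z,bob,Boston,42.3601,-71.0589
2026-04-20T10:00:00Z,alice,New York,40.7128,-74.0060
"""


def analyze_sample() -> list:
    return impossible_travel(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for a in analyze_sample():
        print(f"{a['user']}: {a['from']} -> {a['to']} {a['km']} km "
              f"in {a['hours']} h ({a['kmh']} km/h)")
```

Alice's two alerts (New York to Moscow in half an hour, then back) are the token-replay pattern; Bob's New York to Boston trip in three hours is well under the threshold and stays quiet. Corporate VPN egress points and mobile carrier geolocation cause false positives, so an exclusion list of known egress locations is usually needed before this fires as a high-priority alert.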
Today’s Action Checklist
- ☐ URGENT: Audit and remove internet-exposed industrial control systems (PLCs, SCADA) from public networks within 24 hours
- ☐ URGENT: Patch or remove Smart Slider 3 Pro v3.5.1.35 from all WordPress/Joomla installations; verify no backdoors remain
- ☐ URGENT: Update Marimo to patched version and isolate public instances; review logs for CVE-2026-39987 exploitation
- ☐ HIGH: Inventory all enterprise routers; prioritize patching devices over 18 months old with known vulnerability history
- ☐ HIGH: Enforce FIDO2 MFA for Microsoft Office 365 and cloud services; disable legacy authentication methods
- ☐ HIGH: Audit developer IDE extensions across all machines; disable Open VSX sources and verify all plugins are signed and trusted
- ☐ MEDIUM: Review Marimo and industrial control system logs for unauthorized access dating back 72+ hours; alert on suspicious patterns
- ☐ MEDIUM: Implement air-gapping or industrial firewalls between OT and IT networks with strict egress filtering rules