Executive Summary
- Iran-linked threat actors launched three waves of password-spraying attacks targeting 300+ Microsoft 365 organizations in Israel and UAE amid ongoing Middle East conflict.
- DPRK-linked hackers using GitHub as command-and-control infrastructure in multi-stage attacks against South Korean organizations, with concurrent targeting of Node.js maintainers via sophisticated social engineering.
- Multiple zero-day vulnerabilities disclosed and actively exploited, including BlueHammer Windows privilege escalation, Fortinet FortiClient authentication bypass (CVE-2026-35616), and GPUBreach GPU rowhammer attacks.
- Medusa ransomware group achieving data exfiltration and deployment within 24 hours of initial breach using zero-day exploits, demonstrating unprecedented operational speed.
- Supply-chain attacks industrialized through AI-assisted targeting and malicious package distribution (Axios NPM, Strapi plugins), with European Commission confirming 300GB+ data theft linked to Trivy attack.
Top Threats Today
1. Iran-Linked Microsoft 365 Password-Spraying Campaign
Severity: CRITICAL Affected: Government Technology
An Iran-nexus threat actor is conducting ongoing password-spraying attacks against Microsoft 365 environments in Israel and the UAE. Three distinct attack waves have been observed, targeting 300+ organizations during a period of heightened geopolitical tension. This represents a direct targeting of critical communication infrastructure and poses immediate risks to organizational operations and sensitive data exposure.
Recommended Action
- Enable and enforce multi-factor authentication (MFA) across all Microsoft 365 accounts immediately, with hardware tokens prioritized for sensitive accounts.
- Implement conditional access policies blocking sign-ins from high-risk countries and requiring step-up authentication for administrative actions.
- Monitor Microsoft 365 sign-in logs and credential exposure reports; reset credentials for any accounts showing suspicious activity patterns.
2. DPRK-Linked GitHub C2 Supply-Chain Attack
Severity: CRITICAL Affected: Technology Government
Threat actors associated with North Korea have been observed using GitHub repositories as command-and-control infrastructure in multi-stage attacks targeting South Korean organizations. Concurrent social engineering campaigns targeting high-profile Node.js maintainers have been identified, including the sophisticated Axios NPM package supply-chain compromise. This dual-vector approach leverages trusted development platforms to achieve persistent code execution at scale.
Recommended Action
- Audit all third-party npm and package dependencies; implement Software Bill of Materials (SBOM) scanning for known compromised packages (Axios, Strapi variants, PRT-scan).
- Implement strict code repository access controls, branch protections, and require multi-reviewer approval for all production deployments.
- Deploy GitHub-specific monitoring for suspicious repository activity, token exfiltration, and unusual CI/CD pipeline modifications.
3. Medusa Ransomware – 24-Hour Breach-to-Encryption Pipeline
Severity: CRITICAL Affected: Finance Healthcare Technology
The Medusa ransomware group has demonstrated the ability to progress from initial access to data exfiltration and ransomware deployment within 24 hours, leveraging zero-day exploits to accelerate lateral movement and privilege escalation. This unprecedented operational speed leaves minimal detection and response windows for defenders, requiring real-time threat hunting and breach response capabilities.
Recommended Action
- Implement 24/7 security operations monitoring with automated incident response for credential compromise, lateral movement, and data staging activities.
- Deploy endpoint detection and response (EDR) with behavioral analysis capabilities tuned to detect ransomware precursor activities (credential harvesting, batch file execution, shadow copy deletion).
- Establish immutable backup systems isolated from production networks and test recovery procedures weekly to ensure ransomware resilience.
4. Disclosed Windows Zero-Days and GPU Rowhammer Attacks
Severity: CRITICAL Affected: Technology Defense
Multiple critical zero-day vulnerabilities have been disclosed or are actively exploited in the wild: BlueHammer (Windows privilege escalation), Fortinet FortiClient authentication bypass (CVE-2026-35616), and GPUBreach (GPU GDDR6 rowhammer for system takeover). These span kernel-level attacks to hardware-based exploits, providing attackers multiple paths to system compromise and privilege escalation.
Recommended Action
- Apply Fortinet emergency patches for FortiClient immediately; audit all FortiClient EMS deployments for unauthorized access logs and lateral movement indicators.
- Prioritize Windows kernel updates and implement kernel exploit mitigations; isolate systems requiring extended Windows versions for legacy support onto air-gapped networks.
- Evaluate GPU virtualization settings and memory isolation; consult vendors on GPU rowhammer mitigation for deployed hardware platforms.
5. Industrialized Supply-Chain Attacks via AI-Assisted Targeting
Severity: HIGH Affected: Technology Government
Threat actors are leveraging AI-assisted automation to identify and exploit misconfigurations at scale across GitHub, npm, and containerized environments. The Trivy supply-chain attack resulted in 300GB+ data theft from European Commission AWS infrastructure. Malicious Strapi npm packages (36 variants) and PRT-scan demonstrate how attackers are automating discovery and exploitation of vulnerable developer platforms.
Recommended Action
- Implement registry scanning for supply-chain attacks; block or quarantine any packages published immediately after account compromise indicators.
- Require software provenance verification using signed releases and cryptographic validation; audit all open-source dependencies for suspicious publisher activity.
- Deploy cloud infrastructure scanning for AWS, Azure, and GCP misconfigurations; enforce least-privilege IAM policies and secrets isolation for development environments.
Today’s Action Checklist
- ☐ URGENT: Enable MFA across all Microsoft 365 and GitHub organizational accounts; audit recent authentication logs for compromise indicators.
- ☐ URGENT: Scan npm, pip, and container registries for compromised Axios, Strapi, and PRT-scan packages; block and rotate any exposed credentials.
- ☐ URGENT: Patch Fortinet FortiClient EMS (CVE-2026-35616) and prioritize Windows kernel updates; monitor EDR for exploitation attempts.
- ☐ Audit backup systems for immutability and test ransomware recovery procedures; validate no backdoors exist in recovery infrastructure.
- ☐ Conduct threat hunting for lateral movement, credential staging, and shadow copy deletion patterns consistent with Medusa pre-encryption activity.
- ☐ Review supply-chain security: implement SBOM generation, dependency verification, and publisher reputation scoring for all development artifacts.
- ☐ Brief executive leadership on geopolitical attack escalation and accelerated breach timelines; ensure incident response retainer and out-of-hours escalation procedures are active.