DAILY BRIEFING · JUNE 6, 2026 · #080

Critical Exploits: npm Supply Chain, WordPress Plugin, SolarWinds, IIS Attacks

📅 June 6, 2026 · 🤖 AI-Generated Analysis · 5 min read

How to read this briefing

  • Verified facts: NVD & CISA KEV
  • Partially verified: awaiting NVD enrichment
  • AI analysis: synthesis, verify before acting
  • [N] Inline citations: each [N] refers to a listed source
Actionable · Verified facts (NVD-published · CISA KEV cross-checked)

CVE | CVSS | Vendor · Product | Exploitation | Refs
CVE-2026-3300 | 9.8 (NVD 3.1) | Everest Forms Pro (WordPress Plugin) | No exploitation reported | [1] [2]

Contextual · AI analysis (Synthesized from 10 feeds · verify before acting)

TL;DR

npm supply chain under active attack via IronWorm information stealer and Miasma worm variant; WordPress Everest Forms Pro exploited in the wild (CVE-2026-3300); SolarWinds Serv-U flaw now weaponized for denial-of-service attacks. Three distinct critical risks demanding immediate patching and dependency audits.

THREAT LEVEL: CRITICAL – Active exploitation of widely-deployed supply-chain and web infrastructure targets requires immediate patching and monitoring.

Executive Summary

Top Threats Today

1. IronWorm and Miasma Worm Supply Chain Attacks on npm

Severity: CRITICAL   Affected: Technology

Multiple threat actors are conducting coordinated supply chain poisoning attacks against the npm ecosystem, with JFrog reporting malicious and poisoned versions of over 50 legitimate packages being used to distribute both IronWorm, a Rust-based information stealer, and a new variant of the self-spreading Miasma worm [1][2]. The attacks leverage compromised or cloned legitimate packages to reach developer environments, enabling credential harvesting and potential lateral movement across downstream supply chains.
Sources: [1] The Hacker News, [2] Dark Reading

Recommended Action

  • Immediately audit all npm dependencies in your codebase for suspicious package versions; prioritize packages updated within the last 48 hours.
  • Review npm audit logs and CI/CD pipeline execution logs for credential exfiltration or unexpected code execution.
  • Rotate all npm registry credentials and GitHub tokens that may have been exposed through development environments.
  • Subscribe to npm security advisories and monitor JFrog threat intelligence for emerging IoC updates related to IronWorm and Miasma.
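
The first action above (audit dependencies, prioritizing versions published in the last 48 hours) can be done mechanically from `package-lock.json`. The following is an added example, not part of the original briefing: the package names, versions and timestamps are constructed, and the publish times are assumed to have been collected beforehand in the shape returned by `npm view <name> time --json`.

```javascript
// Added example: flag lockfile entries whose exact version was published
// inside a recent window. All names, versions and timestamps are constructed.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/demo-left-helper": { version: "2.4.1" },
    "node_modules/demo-fast-table": { version: "5.0.3" },
    "node_modules/demo-fast-table/node_modules/demo-left-helper": { version: "2.4.2" },
    "node_modules/@example/log": { version: "0.9.0" }
  }
});

// Assumed input shape (`npm view <name> time --json`): version -> ISO publish time.
const SAMPLE_TIMES = {
  "demo-left-helper": { "2.4.1": "2025-11-02T10:00:00.000Z", "2.4.2": "2026-06-05T21:14:00.000Z" },
  "demo-fast-table": { "5.0.3": "2026-06-03T08:00:00.000Z" },
  "@example/log": {} // no publish time recorded for 0.9.0
};

// "node_modules/a/node_modules/@s/b" -> "@s/b" (innermost package name)
function packageName(lockPath) {
  return lockPath.slice(lockPath.lastIndexOf("node_modules/") + "node_modules/".length);
}

function auditLock(lockText, times, now, windowHours = 48) {
  const cutoff = now.getTime() - windowHours * 3600 * 1000;
  const recent = [], unknown = [];
  for (const [path, entry] of Object.entries(JSON.parse(lockText).packages)) {
    if (path === "" || entry.link) continue; // skip the root project and workspace links
    const name = packageName(path);
    const published = (times[name] || {})[entry.version];
    if (!published) { unknown.push(`${name}@${entry.version}`); continue; }
    const t = Date.parse(published);
    if (t >= cutoff && t <= now.getTime()) {
      recent.push({ spec: `${name}@${entry.version}`, path, ageHours: Math.round((now - t) / 36e5) });
    }
  }
  recent.sort((a, b) => a.ageHours - b.ageHours); // newest first
  return { recent, unknown };
}

const report = auditLock(SAMPLE_LOCK, SAMPLE_TIMES, new Date("2026-06-06T12:00:00Z"));
console.log(JSON.stringify(report, null, 2));
```

Entries in `unknown` have no publish time in the supplied metadata and need a manual registry check; nested copies are reported with their lockfile path so a transitive pin is not mistaken for the top-level one.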

2. WordPress Everest Forms Pro Remote Code Execution (CVE-2026-3300)

Severity: CRITICAL   Affected: Technology

A critical vulnerability in Everest Forms Pro (CVE-2026-3300, CVSS 9.8) is being actively exploited in the wild to achieve remote code execution and complete site compromise [1]. The plugin maintains approximately 4,000 active installations, making exploitation a direct path to widespread WordPress site takeover.
Sources: [1] The Hacker News

Recommended Action

  • Disable or remove Everest Forms Pro immediately on all affected WordPress installations if a patch is not yet available.
  • Review WordPress admin logs and database activity logs for signs of unauthorized code injection or shell uploads dating back to the vulnerability disclosure date.
  • If exploitation is suspected, initiate incident response: isolate affected servers, preserve forensic evidence, and engage incident response resources.
  • Monitor Everest Forms security advisories for patch availability and apply immediately upon release.

3. SolarWinds Serv-U Active Exploitation for Denial of Service

Severity: HIGH   Affected: Technology

CISA has warned that attackers are now actively exploiting a recently patched high-severity SolarWinds Serv-U vulnerability to crash servers [1]. The transition from patch availability to active exploitation indicates rapid attacker adoption.
Sources: [1] BleepingComputer

Recommended Action

  • Verify that all SolarWinds Serv-U instances have been updated to the latest patched version.
  • Monitor for abnormal Serv-U process behavior, unexpected service restarts, and denial-of-service indicators in network traffic.
  • If Serv-U is exposed to untrusted networks, segment access to trusted IP ranges pending patch confirmation.

4. Threat Cluster OP-512 Targeting Microsoft IIS with Custom Web Shell Framework

Severity: HIGH   Affected: Technology

A previously unreported threat cluster designated OP-512 has been observed targeting Microsoft Internet Information Services (IIS) servers to deploy a proprietary web shell framework, according to findings by ReliaQuest [1]. The campaign represents sustained infrastructure compromise activity.
Sources: [1] The Hacker News

Recommended Action

  • Audit all IIS server logs for suspicious HTTP requests targeting known web shell upload paths or exploitation techniques (e.g., unusual POST requests to .aspx or .config files).
  • Scan IIS directories for unauthorized web shell files, particularly .aspx, .asmx, or other executable formats.
  • Apply the latest Windows Server and IIS security patches to close known exploitation vectors.
  • Implement network-level egress filtering to detect command-and-control communication from compromised IIS servers.
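
The log audit in the first action above can be run as a baseline comparison over IIS W3C logs. The following is an added example, not part of the original briefing and not derived from the ReliaQuest findings: the log lines, paths and IP addresses are constructed, and "unusual" is assumed to mean a POST to an .aspx, .asmx or .config path that is not in a list of endpoints the application is known to accept POSTs on.

```javascript
// Added example: constructed IIS W3C log lines; paths and IPs are made up.
const SAMPLE_LOG = `#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2026-06-05 09:12:01 GET /default.aspx - 198.51.100.7 200
2026-06-05 09:12:40 POST /account/login.aspx - 198.51.100.7 302
2026-06-05 23:41:10 POST /uploads/img/thumb.aspx - 203.0.113.50 200
2026-06-05 23:41:12 POST /uploads/img/thumb.aspx - 203.0.113.50 200
2026-06-05 23:50:03 POST /web.config - 203.0.113.50 404
2026-06-05 23:55:00 POST /api/upload.ashx - 192.0.2.10 200`;

// Parse W3C extended format; the #Fields directive can reappear mid-file
// (IIS rewrites the header on restart), so the column map is updated as we go.
function parseW3C(text) {
  let fields = [];
  const rows = [];
  for (const line of text.split(/\r?\n/)) {
    if (line.startsWith("#Fields:")) { fields = line.slice(8).trim().split(/\s+/); continue; }
    if (!line || line.startsWith("#")) continue;
    const cols = line.split(" ");
    if (cols.length !== fields.length) continue; // malformed or truncated line
    rows.push(Object.fromEntries(fields.map((f, i) => [f, cols[i]])));
  }
  return rows;
}

const WATCHED = /\.(aspx|asmx|config)$/i;

// Group POSTs to watched extensions that fall outside the known-good baseline.
function unusualPosts(rows, knownPostEndpoints) {
  const known = new Set(knownPostEndpoints.map(p => p.toLowerCase()));
  const hits = new Map();
  for (const r of rows) {
    const stem = (r["cs-uri-stem"] || "").toLowerCase();
    if (r["cs-method"] !== "POST" || !WATCHED.test(stem) || known.has(stem)) continue;
    const h = hits.get(stem) || { stem, count: 0, served: 0, clients: new Set() };
    h.count += 1;
    if (r["sc-status"] === "200") h.served += 1; // the server actually executed/served it
    h.clients.add(r["c-ip"]);
    hits.set(stem, h);
  }
  return [...hits.values()]
    .map(h => ({ ...h, clients: [...h.clients] }))
    .sort((a, b) => b.served - a.served);
}

const findings = unusualPosts(parseW3C(SAMPLE_LOG), ["/account/login.aspx"]);
console.log(findings);
```

Paths with a non-zero `served` count are the ones to check on disk first, which ties this step to the directory scan in the second action.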

5. Internet-Exposed Fuel Tank Gauge Systems Under Active Attack

Severity: HIGH   Affected: Energy

Over 900 automatic tank gauge (ATG) systems used to monitor fuel and chemical storage tanks across US critical infrastructure have been discovered exposed online and are currently under active attack [1][2]. Threat actors are exploiting direct internet exposure to breach gas stations and gain operational control over tank monitoring systems.
Sources: [1] BleepingComputer, [2] Dark Reading

Recommended Action

  • Immediately identify and inventory all ATG systems in your organization; verify none are directly internet-accessible.
  • Isolate all ATG systems behind firewall rules permitting only authorized monitoring and administrative access.
  • Apply network segmentation between ATG systems and corporate IT infrastructure to contain lateral movement.
  • Contact your ATG vendor for available security patches and firmware updates.

Today’s Action Checklist

🤖 This briefing was compiled by defend.network using AI-powered analysis of multiple cybersecurity sources including CISA advisories, vendor security bulletins, and threat intelligence feeds. Always verify critical intelligence through official vendor channels before taking action.
