TL;DR
Progress ShareFile administrators must immediately shut down Storage Zone Controllers due to a credible external security threat. Injective Labs' GitHub repository was compromised to distribute malicious npm packages stealing cryptocurrency wallet keys. Six new U-Boot bootloader vulnerabilities could enable stealthy firmware attacks on routers, cameras, and servers.
Executive Summary
- Progress Software issued an urgent directive to ShareFile customers to shut down Storage Zone Controller servers in response to a credible external security threat, with affected accounts temporarily disabled.
- Threat actors compromised the Injective Labs SDK GitHub repository and published a malicious npm package (@injectivelabs/sdk-ts@1.20.21) designed to steal cryptocurrency wallet private keys and mnemonic seed phrases.
- Researchers at Binarly disclosed six new vulnerabilities in U-Boot affecting widely deployed firmware on routers, cameras, and data-center management systems, with four capable of crashing devices and two enabling arbitrary code execution.
- A Ryuk ransomware operator pleaded guilty in U.S. federal court and faces 15 years in prison; separately, a BlackCat/ALPHV conspirator received a 70-month sentence.
- Dutch police identified strong indications that domestic hackers were involved in the February Odido telecommunications breach affecting more than 6 million customers.
Top Threats Today
1. Progress ShareFile Emergency: Immediate Server Shutdown Required
Severity: HIGH Affected: Technology
Progress Software has directed ShareFile customers running Storage Zone Controllers to immediately shut down their Windows servers in response to what the company confirms is a “credible external security threat.” [1][2] The company has temporarily disabled access to affected accounts as part of its response to the incident [1]. Specifics regarding the nature of the threat, attack vector, or affected customer count remain unconfirmed at this time.
Sources:[1] The Hacker News[2] BleepingComputer
Recommended Action
- If you operate ShareFile Storage Zone Controllers, immediately power down affected Windows servers and follow Progress guidance on safe restoration procedures
- Contact Progress Software support for incident-specific technical details and timeline for safe server restart
- Review access logs and authentication records for any suspicious activity on ShareFile accounts during the threat window
- Notify your change management and business continuity teams of the outage to coordinate customer communications
2. Injective Labs GitHub Compromise Distributes Crypto-Stealing Malware via npm
Severity: HIGH Affected: Finance
Unknown threat actors compromised the Injective Labs SDK project repository on GitHub and used the access to publish a malicious npm package designed to steal cryptocurrency wallet private keys and mnemonic seed phrases [1]. The compromised package version @injectivelabs/sdk-ts@1.20.21 was published to the npm registry, putting any developer or application that installed this version at risk of wallet compromise [1].
Sources:[1] The Hacker News
Recommended Action
- Immediately audit your npm package dependencies for @injectivelabs/sdk-ts version 1.20.21 and remove it from all development and production environments
- Regenerate any cryptocurrency wallet keys that may have been used on systems where the malicious package was installed
- Review GitHub organization audit logs to confirm no unauthorized SSH keys or OAuth applications were created during the compromise window
- Implement software composition analysis (SCA) and npm package scanning in your CI/CD pipeline to detect malicious packages in real-time
3. Six U-Boot Vulnerabilities Enable Firmware Attacks on IoT and Data-Center Devices
Severity: HIGH Affected: Technology
Researchers at firmware security firm Binarly have discovered six new flaws in U-Boot, the bootloader used in home routers, smart cameras, and data-center management systems [1]. Four of the vulnerabilities can crash a device; the other two could allow attackers to execute arbitrary code during device boot, potentially enabling stealthy firmware attacks that install persistent malware and bypass security protections [1][2].
Sources:[1] The Hacker News[2] BleepingComputer
Recommended Action
- Identify devices in your environment running U-Boot (including network appliances, IoT devices, and server management interfaces) and determine current firmware versions
- Contact your hardware vendors for patched U-Boot versions and firmware updates addressing these six flaws
- Prioritize firmware updates for devices with internet-facing or critical network roles, starting with those managing sensitive infrastructure
- Monitor device logs for unexpected reboots or malformed boot messages that could indicate exploitation attempts
4. Ransomware Operators Sentenced: Ryuk Member and BlackCat/ALPHV Conspirator Face Prison Time
Severity: HIGH Affected: Government
A 34-year-old Armenian man pleaded guilty in U.S. federal court to hacking companies and deploying Ryuk ransomware, facing up to 15 years in prison ⚠[1]. Separately, Angelo Martino, a ransomware negotiator, received a 70-month federal sentence for assisting the BlackCat/ALPHV ransomware gang in extorting multiple ⚠ victims [2].
Sources:[1] BleepingComputer[2] The Record
Recommended Action
- Review your organization’s ransomware incident response plan and ensure backup and recovery procedures are tested and offline
- Strengthen monitoring of ransom negotiation communications to detect insider threat indicators or unauthorized contact with threat actors
- Enforce zero-trust principles for administrative access and restrict lateral movement capabilities
5. Dutch Police Link Odido Telecom Breach to Domestic Hackers
Severity: HIGH Affected: Telecom
The Dutch National Police found “strong indications” that Dutch hackers were involved in a February breach at telecommunications provider Odido that exposed personal data of more than 6 million customers [1][2]. The investigation suggests domestic criminal involvement in the attack [2].
Sources:[1] BleepingComputer[2] The Record
Recommended Action
- If you are an Odido customer, monitor your credit profile and personal data for signs of misuse and consider placing fraud alerts with credit bureaus
- Review whether your organization has supplier or vendor relationships with Odido that could create secondary exposure to the compromised data
- Implement enhanced identity verification procedures for any services that rely on telecom customer data
Ongoing
- Gitea Docker Authentication Bypass: Hackers are actively exploiting a critical vulnerability in the official Gitea Docker image that allows attackers to impersonate any user, including administrators [10]. See earlier coverage for remediation details.
- Scattered Spider Sentencing: Two members of the prolific Scattered Spider cybercrime group pleaded guilty in the United Kingdom to charges related to the August 2024 cyberattack on Transport for London [13].
- Tangem Wallet Laser Attack: Researchers from Ledger’s Donjon security team demonstrated that a precisely timed laser pulse can reset passwords on Tangem cryptocurrency wallet hardware cards, which cannot be patched [4].
- OpenClaw AI Assistant Vulnerabilities: Three now-patched flaws in the OpenClaw personal AI assistant could enable credential theft, privilege escalation, and arbitrary code execution if exploited together in a WhatsApp-to-host attack chain [5].
Today’s Action Checklist
- ☐ URGENT: If you operate Progress ShareFile Storage Zone Controllers, verify compliance with the immediate shutdown directive and coordinate with Progress for safe recovery procedures
- ☐ URGENT: Audit your development and production environments for @injectivelabs/sdk-ts@1.20.21 and remove it; regenerate cryptocurrency wallet keys used on affected systems
- ☐ HIGH: Inventory U-Boot devices in your network (routers, cameras, data-center management interfaces) and request patched firmware from your hardware vendors
- ☐ MEDIUM: Verify your ransomware incident response plan includes offline backup validation and enhanced monitoring for ransom negotiation communication
- ☐ MEDIUM: If you are an Odido customer, place a credit bureau fraud alert and monitor personal data exposure databases