TL;DR
Red Hat npm packages compromised with Miasma credential-stealing worm; WordPress sites under attack via WP Maps Pro RCE; Instagram accounts hijacked via Meta's AI support bot. Patch immediately where available, enforce MFA on developer and social accounts.
Executive Summary
- Red Hat's npm package registry compromised with over 30 malicious packages distributing Miasma, a credential-stealing worm variant.
- WordPress installations actively exploited via CVE-2026-8732 in WP Maps Pro plugin; unauthenticated attackers creating admin accounts.
- High-profile Instagram accounts (Obama White House, U.S. Space Force) briefly defaced after attackers exploited Meta's AI support bot account recovery system.
- Critical Windows Netlogon vulnerability (CVE-2026-41089) showing signs of potential exploitation; immediate patching advised.
- Nearly 2,000 WordPress sites infected with malware using Steam Community profiles to hide C2 communications.
Top Threats Today
1. Red Hat npm Supply-Chain Attack (Miasma Worm)
Severity: HIGH | Affected: Technology
More than 30 npm packages under Red Hat's @redhat-cloud-services namespace have been compromised to distribute Miasma, a new variant of the Shai-Hulud credential-stealing malware [1][2]. The campaign targets developer machines to steal credentials and secrets, with the worm capable of self-propagating across development environments [1]. Researchers attribute this to a Mini Shai-Hulud campaign using identical tactics [1].
Sources: [1] The Hacker News; [2] BleepingComputer
Recommended Action
- Audit all @redhat-cloud-services npm dependencies in your package.json and lock files immediately.
- Regenerate API tokens, credentials, and secrets for any developer machines that may have installed affected packages.
- Enable npm audit and use tools to detect malicious package installations in your supply chain.
- Monitor for suspicious outbound connections and credential-based API calls from development environments.
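One way to carry out the lock-file audit in the first action above, as an added example that is not code from Red Hat or the cited sources: it lists every package under the @redhat-cloud-services scope, including transitive installs, for both lockfile layouts. The package names and versions in the sample are constructed placeholders, since the brief does not list the affected packages.

```javascript
// Added example: list every package under one npm scope recorded in a lockfile.
const SCOPE = '@redhat-cloud-services/'; // trailing slash excludes look-alike scopes
const NM = 'node_modules/';

// lockfileVersion 2/3: flat "packages" map keyed by install path.
function fromPackagesMap(packages) {
  const hits = [];
  for (const [path, meta] of Object.entries(packages)) {
    const i = path.lastIndexOf(NM);
    const name = meta.name || (i >= 0 ? path.slice(i + NM.length) : path);
    if (name.startsWith(SCOPE)) {
      hits.push({ name, version: meta.version, path, resolved: meta.resolved || null });
    }
  }
  return hits;
}

// lockfileVersion 1: nested "dependencies" tree; recurse to reach transitive installs.
function fromDependencyTree(deps, trail = []) {
  const hits = [];
  for (const [name, meta] of Object.entries(deps || {})) {
    const here = [...trail, name];
    if (name.startsWith(SCOPE)) {
      hits.push({ name, version: meta.version, path: here.join(' > '), resolved: meta.resolved || null });
    }
    hits.push(...fromDependencyTree(meta.dependencies, here));
  }
  return hits;
}

function auditLockfile(lock) {
  return lock.packages ? fromPackagesMap(lock.packages) : fromDependencyTree(lock.dependencies);
}

// Constructed sample: package names and versions are placeholders, not real indicators.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/@redhat-cloud-services/example-a': { version: '0.0.1' },
    'node_modules/left/node_modules/@redhat-cloud-services/example-b': { version: '0.0.2' },
    'node_modules/@redhat-cloud-services-lookalike/example-c': { version: '9.9.9' },
  },
};

// Pass a lockfile path as the first CLI argument (CommonJS Node) to audit a real project.
const loadLockfile = (file) => JSON.parse(require('fs').readFileSync(file, 'utf8'));
const lock = process.argv[2] ? loadLockfile(process.argv[2]) : SAMPLE_LOCK;
for (const h of auditLockfile(lock)) console.log(`${h.name}@${h.version}  (${h.path})`);
```

Compare the reported names and versions against the affected-package list published by the sources before deciding which machines need credential rotation.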
2. WordPress WP Maps Pro Remote Code Execution (CVE-2026-8732)
Severity: HIGH | Affected: Technology
A security defect in the WP Maps Pro plugin (CVE-2026-8732) allows unauthenticated attackers to create administrative accounts on affected WordPress installations [1]. The vulnerability is being actively exploited in the wild.
Sources: [1] SecurityWeek
Recommended Action
- Update WP Maps Pro to the latest patched version immediately.
- Audit WordPress user accounts for unauthorized admin-level accounts created recently.
- Review WordPress login logs and access patterns for signs of unauthorized administrative activity.
- Implement IP-based access controls or Web Application Firewall (WAF) rules to restrict admin panel access.
3. Instagram Account Takeover via Meta AI Support Bot
Severity: HIGH | Affected: Government
The Instagram accounts of the Obama White House and the Chief Master Sergeant of the U.S. Space Force were briefly defaced with pro-Iranian images and messages after attackers exploited Meta's “AI support assistant” bot [1]. Instructions for exploiting the AI bot's account reset function have circulated on Telegram [1].
Sources: [1] Krebs on Security
Recommended Action
- Enable two-factor authentication on all high-profile social media accounts, prioritizing government and public-facing accounts.
- Disable or restrict automated account recovery features until Meta patches the AI support bot vulnerability.
- Review recent account activity and password changes on all social media accounts for unauthorized modifications.
- Monitor Telegram and other channels for published exploit instructions; report active abuse to Meta.
4. Critical Windows Netlogon Vulnerability (CVE-2026-41089)
Severity: HIGH | Affected: Technology
A critical vulnerability in Windows Netlogon (CVE-2026-41089) is under active scrutiny due to its severity and signs of potential ongoing exploitation [1]. Organizations are advised to patch as soon as possible [1].
Sources: [1] SecurityWeek
Recommended Action
- Prioritize patching all Windows domain controllers and systems vulnerable to CVE-2026-41089.
- Monitor Windows Event Logs for Netlogon authentication anomalies and privilege escalation attempts.
- Segment domain controller access and enforce network segmentation where possible.
- Review CISA's Known Exploited Vulnerabilities catalog for the latest exploitation intelligence.
5. WordPress Malware Using Steam Community Profiles for C2
Severity: MEDIUM | Affected: Technology
Nearly 2,000 WordPress websites have been infected with malware that hides command-and-control (C2) data in Steam Community profile comments [1]. The technique exploits a legitimate third-party platform to evade network-based detection.
Sources: [1] BleepingComputer
Recommended Action
- Scan all WordPress installations for suspicious plugins, themes, and injected code; use security plugins with malware detection.
- Review WordPress file integrity and search for web shells or injected scripts in standard directories.
- Implement outbound network monitoring to detect communication with known malicious domains and Steam profile URLs.
- Back up clean copies of affected sites and restore from known-good backups if infection is confirmed.
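A sketch of the outbound-monitoring step above, as an added example that is not taken from the cited report: it scans egress proxy log lines and flags WordPress hosts that reach Steam Community, which a web server has no ordinary reason to do. The log format, host names and sample lines are constructed assumptions; CONNECT entries are matched on host alone because the path is not visible inside a TLS tunnel.

```javascript
// Added example: flag web servers whose egress traffic reaches Steam Community.
const WEB_SERVERS = new Set(['wp-prod-01', 'wp-prod-02']); // assumed WordPress host inventory

const isSteam = (h) => h === 'steamcommunity.com' || h.endsWith('.steamcommunity.com');

// Returns 'steam-tunnel', 'steam-profile', or null for one request.
function classify(method, target) {
  if (method === 'CONNECT') { // TLS tunnel: only host:port is logged
    return isSteam(target.split(':')[0].toLowerCase()) ? 'steam-tunnel' : null;
  }
  let u;
  try { u = new URL(target); } catch { return null; }
  if (!isSteam(u.hostname)) return null; // URL() already lowercases the hostname
  // Profile pages live under /id/<vanity name> or /profiles/<numeric id>.
  return /^\/(id|profiles)\/[^/]+/.test(u.pathname) ? 'steam-profile' : null;
}

// Assumed log format: "<ISO time> <source host> <method> <url or host:port> <status>".
function findSteamEgress(lines) {
  const byHost = new Map();
  for (const line of lines) {
    const [time, src, method, target] = line.trim().split(/\s+/);
    if (!WEB_SERVERS.has(src) || !target) continue;
    const kind = classify(method, target);
    if (!kind) continue;
    const rec = byHost.get(src) || { host: src, count: 0, firstSeen: time, kinds: new Set() };
    rec.count += 1;
    rec.kinds.add(kind);
    byHost.set(src, rec);
  }
  return [...byHost.values()].map((r) => ({ ...r, kinds: [...r.kinds].sort() }));
}

// Constructed sample log lines (hosts, times and profile id are placeholders).
const SAMPLE_LOG = [
  '2026-01-01T10:00:00Z wp-prod-01 GET http://steamcommunity.com/profiles/00000000000000000 200',
  '2026-01-01T10:05:00Z wp-prod-01 CONNECT steamcommunity.com:443 200',
  '2026-01-01T10:06:00Z desktop-17 CONNECT steamcommunity.com:443 200',
  '2026-01-01T10:07:00Z wp-prod-02 GET http://api.wordpress.org/core/version-check/1.7/ 200',
  '2026-01-01T10:08:00Z wp-prod-02 GET http://notsteamcommunity.com/id/x 200',
];

for (const r of findSteamEgress(SAMPLE_LOG)) {
  console.log(`${r.host}: ${r.count} request(s) since ${r.firstSeen} [${r.kinds.join(', ')}]`);
}
```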
Today’s Action Checklist
- ☐ URGENT: If using @redhat-cloud-services npm packages, audit your node_modules, rotate credentials, and regenerate API tokens.
- ☐ URGENT: Patch WP Maps Pro on all WordPress instances; audit for unauthorized admin accounts.
- ☐ URGENT: Enable two-factor authentication on high-profile social media and Meta accounts; monitor for account recovery exploits.
- ☐ HIGH: Patch CVE-2026-41089 (Windows Netlogon) on domain controllers and critical systems.
- ☐ HIGH: Scan WordPress installations for malware using Steam profile C2 communications; monitor outbound traffic.
- ☐ ROUTINE: Review CISA Known Exploited Vulnerabilities catalog for additional patching priorities.