Executive Summary
- Multiple official SAP npm packages compromised in credential-stealing supply chain attack affecting enterprise developers and authentication infrastructure
- Critical authentication bypass vulnerabilities identified in cPanel/WHM affecting all supported versions – requires immediate emergency patching
- Russian state-sponsored actors harvesting Microsoft Office authentication tokens via compromised router infrastructure targeting government and enterprise users
- North Korean threat actors deploying AI-assisted malware through npm ecosystem with credential theft and RAT capabilities
- Widespread exposure of ICS/OT systems through internet-facing VNC/RDP servers creating critical infrastructure risk
Top Threats Today
1. SAP npm Package Supply Chain Attack – Credential Theft Campaign
Severity: CRITICAL | Affected sectors: Technology, Finance
Multiple official SAP-related npm packages have been compromised in a supply chain attack attributed to the “mini Shai-H” campaign. The trojanized package versions carry credential-stealing code that targets developers' workstations and the authentication tokens held on them. The attack directly threatens enterprise development environments and the software supply chain; reported victims include major SAP customers in the finance, government, and technology sectors. The TeamPCP supply chain attack vector demonstrates that attackers can push malicious code through a trusted package registry relied on by thousands of developers.
Recommended Action
- Audit all npm dependencies (package.json, lockfiles, and node_modules, including transitive dependencies and CI runners) for SAP-related modules; remove any package installed at a compromised version, clear the npm cache, and reinstall from a clean lockfile
- Rotate all authentication tokens, credentials, and API keys on systems where the affected SAP npm packages were installed or used in development, including npm tokens, cloud credentials, and CI secrets reachable from those machines
- Review private registry, proxy, and CI build logs for installs of the affected versions, and monitor network egress from developer machines and build agents for credential exfiltration or unexpected outbound connections
- Enable 2FA on all npm accounts and restrict package publishing permissions to essential personnel only
2. cPanel/WHM Critical Authentication Bypass – Unauthenticated Access
Severity: CRITICAL | Affected sectors: Technology, Education, Hosting
cPanel and WebHost Manager (WHM) contain a critical authentication bypass vulnerability affecting all currently supported versions. This flaw allows attackers to obtain administrative access to hosting control panels without authentication, exposing sensitive customer data, SSL certificates, email accounts, and database access. Given cPanel's ubiquity across the hosting industry, this vulnerability poses an immediate risk to millions of websites and represents an entry point for widespread hosting infrastructure compromise.
Recommended Action
- Apply emergency cPanel/WHM security updates immediately; prioritize servers handling sensitive data or customer-facing production systems
- Implement network-level access controls restricting cPanel/WHM interface to trusted administrative IP addresses only
- Audit cPanel/WHM access logs covering the period before the patch was applied for unauthorized logins or administrative actions; treat the unpatched window as potentially exploited
- Monitor for post-exploitation indicators including new user accounts, modified DNS records, or certificate changes
3. Russian State-Sponsored Authentication Token Harvesting – Router Exploitation
Severity: CRITICAL | Affected sectors: Government, Finance, Technology
Russian military intelligence-linked threat actors are exploiting known vulnerabilities in older internet routers to harvest Microsoft Office authentication tokens from enterprise users at scale. The campaign lets state-backed operators silently exfiltrate credentials and tokens for lateral movement within target organizations. Because the attack sits at the network perimeter, on the router itself, it is hard to detect from the endpoints or the cloud tenant alone and gives persistent unauthorized access to sensitive government and enterprise systems.
Recommended Action
- Audit perimeter routers; update firmware on supported devices and replace end-of-life models that no longer receive fixes, prioritizing devices that carry sensitive network traffic
- Implement conditional access policies in Microsoft 365 that require MFA and flag sign-ins from unexpected geographic locations or IP ranges; note that conditional access is evaluated when a token is issued, so a token that has already been stolen stays valid until it expires or the user's sessions are revoked
- Deploy network segmentation isolating administrative and sensitive systems behind modern firewalls with intrusion detection
- Monitor Office 365 and enterprise email logs for impossible travel scenarios and unusual authentication patterns
4. North Korean AI-Assisted npm Malware – Credential Theft and RAT
Severity: CRITICAL | Affected sectors: Technology, Finance
Threat actors linked to North Korea are deploying AI-generated malware through npm packages, leveraging large language models like Claude Opus to automate supply chain attacks. The malicious “@validate-sdk/v2” package functions as both a credential stealer and remote access trojan (RAT). This represents a significant evolution in attack sophistication, combining AI-assisted code generation with supply chain distribution to compromise developer environments at scale.
Recommended Action
- Scan all npm package installations for “@validate-sdk/v2” and related DPRK-attributed packages; immediately quarantine affected systems
- Implement software composition analysis (SCA) tools with real-time threat feeds to detect malicious packages before installation
- Review all npm dependencies installed in past 90 days from accounts or sources unfamiliar to the development team
- Implement network egress filtering and DNS sinkholing to block known command-and-control infrastructure
5. Exposed ICS/OT Infrastructure – VNC/RDP Internet Exposure
Severity: CRITICAL | Affected sectors: Energy, Manufacturing, Transportation
Security researchers have identified tens of thousands of internet-facing VNC and RDP servers mapped to industrial control systems (ICS) and operational technology (OT) environments across critical infrastructure sectors. These exposed remote access points give an attacker a direct path to deploy destructive malware, as the recent wiper attacks on energy infrastructure in Venezuela and Iran show. Legacy ICS systems exposed without network segmentation are a direct threat to the continuity of essential services.
Recommended Action
- Scan your organization's public-facing infrastructure using Forescout or similar tools to identify exposed VNC/RDP servers mapped to industrial systems
- Immediately remove internet accessibility for all ICS/OT remote access tools; implement jump host/bastion architectures with MFA and activity logging
- Apply network segmentation isolating OT systems from corporate networks and internet access; restrict to management VLAN with strict access controls
- Deploy intrusion detection systems (IDS) and behavioral monitoring on all remaining RDP/VNC access paths to identify reconnaissance or lateral movement
Today’s Action Checklist
- ☐ URGENT: Patch cPanel/WHM authentication bypass on all hosted servers within 24 hours
- ☐ URGENT: Audit npm package dependencies for SAP and DPRK-attributed malware; rotate all credentials on affected systems
- ☐ URGENT: Scan for exposed ICS/OT VNC/RDP systems and implement immediate network isolation
- ☐ HIGH: Review Microsoft Office 365 authentication logs for impossible travel and token-based attacks; enforce conditional access policies
- ☐ HIGH: Audit router firmware versions on network perimeter; flag end-of-life devices for replacement
- ☐ HIGH: Implement or update software composition analysis (SCA) tools with real-time threat intelligence feeds
- ☐ MEDIUM: Review cPanel/WHM access logs for unauthorized administrative actions during the period before the patch was applied
- ☐ MEDIUM: Conduct tabletop exercise on supply chain attack response procedures given npm and Checkmarx compromise incidents