Executive Summary
- Supply chain security breaches at Checkmarx and widespread malicious extension campaigns (73 fake VS Code extensions) indicate coordinated attacks on developer tools and repositories.
- State-sponsored actors including Russia's military intelligence are harvesting authentication tokens via router exploits targeting Microsoft Office users at scale.
- Critical unpatched vulnerabilities, including the PhantomRPC privilege escalation and a 15-year-old OpenSSH flaw enabling root access, pose immediate risks to Windows and Unix systems.
- AI-powered vulnerability discovery tools (Claude Mythos) are outpacing organizational remediation capabilities, creating a dangerous security debt acceleration.
- Social engineering campaigns (Scattered Spider, SMS blasters, phishing infrastructure abuse) continue to bypass technical controls with $2.1 billion in 2025 losses.
Top Threats Today
1. Malicious Developer Tool Supply Chain Attack – GlassWorm v2 via VS Code Extensions
Severity: CRITICAL | Affected: Technology
Researchers identified 73 malicious Visual Studio Code extensions on the Open VSX repository masquerading as legitimate tools. The GlassWorm v2 campaign uses “sleeper” extensions that remain dormant until triggered by an update, at which point they deploy information-stealing malware to developer machines. This is a direct supply chain attack on software development pipelines globally.
Recommended Action
- Immediately audit all VS Code extensions in use; cross-reference against published IOC lists for GlassWorm campaign indicators.
- Implement extension whitelist policies and disable auto-update functionality pending security review.
- Scan all developer workstations for presence of malicious extensions and conduct forensic analysis for data exfiltration.
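The audit and allowlist steps above can be scripted. The following is an added example, not code from the brief or from any vendor: it parses the `publisher.name@version` lines printed by `code --list-extensions --show-versions`, flags extensions that are not on a reviewed allowlist, lookalikes that reuse an allowed extension name under a different publisher (the masquerading pattern described above), and allowed extensions at a version nobody reviewed. The allowlist and sample listing are constructed.

```python
"""Audit installed VS Code extensions against a reviewed allowlist.

Input format: one `publisher.name@version` per line, as printed by
`code --list-extensions --show-versions`. Allowlist and sample are constructed.
"""
import re

LINE = re.compile(r"^(?P<pub>[\w-]+)\.(?P<name>[\w-]+)@(?P<ver>[\w.+-]+)$")

# Constructed allowlist: extension id -> versions that passed review.
ALLOWLIST = {
    "ms-python.python": {"2024.4.1"},
    "esbenp.prettier-vscode": {"10.4.0"},
}

# Constructed sample listing; the last two lines are the suspicious ones.
SAMPLE_LISTING = """\
ms-python.python@2024.4.1
esbenp.prettier-vscode@10.4.0
fake-publisher.prettier-vscode@1.0.0
ms-python.python@2024.5.0
"""


def parse_listing(text):
    """Yield (publisher, name, version); skip blank or malformed lines."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield m.group("pub"), m.group("name"), m.group("ver")


def audit(text, allowlist=ALLOWLIST):
    """Classify each installed extension as unknown, lookalike, or unreviewed_version."""
    allowed_names = {ext_id.split(".", 1)[1] for ext_id in allowlist}
    report = {"unknown": [], "lookalike": [], "unreviewed_version": []}
    for pub, name, ver in parse_listing(text):
        ext_id = f"{pub}.{name}"
        if ext_id in allowlist:
            if ver not in allowlist[ext_id]:
                report["unreviewed_version"].append(f"{ext_id}@{ver}")
        elif name in allowed_names:  # allowed name, different publisher
            report["lookalike"].append(f"{ext_id}@{ver}")
        else:
            report["unknown"].append(f"{ext_id}@{ver}")
    return report


# Real settings.json keys that stop silent extension updates pending review.
HARDENED_SETTINGS = {"extensions.autoUpdate": False, "extensions.autoCheckUpdates": False}
```

Run it against the live listing by piping `code --list-extensions --show-versions` into `audit()`; anything in `lookalike` or `unknown` goes straight to the IOC cross-check and workstation scan.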
2. Russian State-Sponsored Token Theft Campaign – Router Exploitation for Microsoft Office Access
Severity: CRITICAL | Affected: Government, Finance
Russian military intelligence units are exploiting known vulnerabilities in legacy internet routers to harvest authentication tokens from Microsoft Office users at scale. The campaign enables silent unauthorized access to corporate email and collaboration platforms without triggering standard endpoint detection mechanisms.
Recommended Action
- Conduct immediate audit of router firmware versions; prioritize patching or replacement of unsupported legacy devices.
- Implement conditional access policies requiring additional verification for legacy Office authentication attempts.
- Deploy network segmentation isolating legacy routers from sensitive credential flows; monitor for suspicious token usage patterns.
3. Critical Windows Privilege Escalation – PhantomRPC Unpatched Flaw
Severity: CRITICAL | Affected: Technology, Government
An unpatched architectural weakness in the Windows Remote Procedure Call (RPC) mechanism enables five distinct privilege escalation exploit paths. The vulnerability remains unresolved in current Windows versions and allows attackers to elevate from unprivileged to SYSTEM-level access.
Recommended Action
- Monitor for Microsoft security advisory and prepare emergency patch deployment procedures.
- Implement compensating controls: disable unnecessary RPC services and restrict RPC access via firewall policies.
- Conduct privilege escalation vulnerability assessments on critical Windows systems; prioritize isolation of high-value targets.
4. Checkmarx Supply Chain Data Breach – GitHub Repository Exposed on Dark Web
Severity: HIGH | Affected: Technology
Checkmarx disclosed that following the March 23 attack, cybercriminals published company data originating from its GitHub repository on the dark web. This supply chain security incident directly impacts customers relying on Checkmarx's code analysis and security platform.
Recommended Action
- Rotate all credentials and tokens that may have been exposed in Checkmarx GitHub repositories.
- Audit Checkmarx platform access logs for suspicious activity correlating with the March 23 incident date.
- Review any proprietary code shared with Checkmarx for exposure indicators; assess intellectual property risk.
5. Coordinated Social Engineering – Scattered Spider Active with Phishing Infrastructure Abuse
Severity: HIGH | Affected: Finance, Technology
The Scattered Spider cybercriminal group continues its text-message phishing campaigns (a member known as “Tylerb” has entered a confirmed guilty plea). Parallel campaigns abuse legitimate service account creation flows (Robinhood) and SMS spoofing devices to inject phishing messages into legitimate communication channels, bypassing email filtering.
Recommended Action
- Deploy SMS-based MFA with confirmation callbacks; do not allow SMS to serve as the sole authentication factor for sensitive accounts.
- Audit account creation workflows for injection vulnerabilities; implement confirmation email verification before activation.
- Implement SMS filtering and carrier-level phishing detection; educate users on verification procedures before credential entry.
Today’s Action Checklist
- ☐ URGENT: Audit and remove malicious VS Code extensions from all developer environments; implement extension whitelist policy.
- ☐ URGENT: Inventory and patch/replace legacy routers; deploy conditional access controls for Microsoft Office authentication.
- ☐ URGENT: Disable non-essential RPC services on Windows systems; prepare for PhantomRPC emergency patches.
- ☐ HIGH: Rotate credentials potentially exposed in Checkmarx GitHub incident; audit platform access logs.
- ☐ HIGH: Deploy SMS-based MFA with additional verification; audit account creation workflows for injection flaws.
- ☐ Conduct supply chain risk assessment for all development tools and third-party security platforms.
- ☐ Review vulnerability remediation capacity against accelerating AI-powered discovery tools (Claude Mythos impact assessment).