Cybersecurity News: Malicious npm packages, CISA budget cuts, hackers exploit React2Shell

In today’s cybersecurity news…

36 Malicious npm packages exploited to deploy persistent implants

Researchers at security firm SafeDep have discovered 36 malicious packages in the npm registry, “disguised as Strapi CMS plugins but which come with different payloads to facilitate Redis and PostgreSQL exploitation, deploy reverse shells, harvest credentials, and drop a persistent implant.” They follow a naming convention, starting with “strapi-plugin-” followed by phrases like “cron,” “database,” or “server,” to fool unsuspecting developers into downloading them. A report published by Group-IB in February revealed that software supply chain attacks have become “the dominant force reshaping the global cyber threat landscape,” with threat actors pursuing “trusted vendors, open-source software, SaaS platforms, browser extensions, and managed service providers to gain inherited access to hundreds of downstream organizations.”

(The Hacker News)
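As an added example (not part of the story or SafeDep's research), the check below parses a package-lock.json and flags dependencies whose names follow the reported “strapi-plugin-cron/database/server” convention unless they are on a team-maintained allowlist; the lockfile contents and package names are constructed for illustration.

```python
import json
import re

# Naming pattern reported for the malicious packages: "strapi-plugin-" plus cron/database/server.
SUSPICIOUS_NAME = re.compile(r"^strapi-plugin-(cron|database|server)\b")

# Constructed sample lockfile (package-lock.json v3 shape); names and versions are made up.
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/strapi-plugin-cron-helper": {"version": "1.0.3"},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/@scope/strapi-plugin-server": {"version": "0.0.1"},
    },
})


def package_names(lock_json: str) -> list[str]:
    """Extract installed package names from a v2/v3 package-lock.json string."""
    packages = json.loads(lock_json).get("packages", {})
    names = []
    for path in packages:
        if not path:  # the root project entry has an empty key
            continue
        # Nested installs look like node_modules/a/node_modules/b; keep the last package path.
        names.append(path.rsplit("node_modules/", 1)[-1])
    return names


def flag_suspicious(lock_json: str, allowlist: set[str]) -> list[str]:
    """Return packages matching the reported pattern that are not explicitly approved."""
    hits = []
    for name in package_names(lock_json):
        # Strip a scope prefix (@scope/) so scoped lookalikes are matched too.
        bare = name.split("/", 1)[-1] if name.startswith("@") else name
        if SUSPICIOUS_NAME.match(bare) and name not in allowlist:
            hits.append(name)
    return sorted(hits)


if __name__ == "__main__":
    for hit in flag_suspicious(SAMPLE_LOCK, allowlist=set()):
        print(f"review before install: {hit}")
```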

Hundreds of millions to be cut from CISA in proposed budget

According to a summary released Friday, the President’s fiscal 2027 budget threatens to slash CISA’s budget by $707 million, although a separate budget document suggests a smaller cut of $361 million. The discrepancy is “possibly due to the comparison points amid budget uncertainty for CISA’s parent agency, the Department of Homeland Security.” Prior to the current administration, the agency’s budget had been $3 billion. The 2027 budget summary “recycles identical language from the 2026 budget summary and makes references to ending programs that CISA has already shuttered.”

(Cyberscoop)

Hackers exploit React2Shell in automated credential theft campaign

BleepingComputer is reporting on a wave of exploitation of React2Shell (CVE-2025-55182) in a large-scale campaign to automatically steal credentials. According to its report, “at least 766 hosts across various cloud providers and geographies have been compromised to collect database and AWS credentials, SSH private keys, API keys, cloud tokens, and environment secrets.” This operation uses a framework named NEXUS Listener and sends automated scripts to extract and exfiltrate sensitive data from various applications. Cisco Talos is attributing this campaign to a threat group named UAT-10608.

(BleepingComputer)

Fortinet patches actively exploited vulnerability in FortiClient EMS

Fortinet has released out-of-band patches for a FortiClient EMS flaw (CVE-2026-35616) which has a CVSS score of 9.1 and has been described as a pre-authentication API access bypass leading to privilege escalation. The issue affects FortiClient EMS versions 7.4.5 through 7.4.6. “It’s expected to be fully patched in the upcoming version 7.4.7, although the company has released a hotfix to address it.” Successful exploitation of the flaw “could allow an unauthenticated attacker to sidestep API authentication and authorization protections and execute malicious code or commands via crafted requests.”

(The Hacker News)

Huge thanks to our sponsor, Vanta

Risk and regulation ramping up—and customers expect proof of security just to do business. Vanta’s automation brings compliance, risk, and customer trust together on one AI-powered platform. So whether you’re prepping for a SOC 2 or running an enterprise GRC program, Vanta keeps you secure—and keeps your deals moving. Learn more at vanta.com/ciso.

CERT-EU cyber agency attributes European Commission data breach to TeamPCP

Following up on a story we brought you last week, the European Union’s cybersecurity agency (CERT-EU) announced on Thursday that the hacking group TeamPCP conducted the massive data breach at the European Commission. The group did so by breaking into the Commission’s AWS account and stealing about 92 gigabytes of compressed data. The hack “relied on the misuse of a secret Amazon API key, [and] involved the Commission’s Europa.eu platform, which lives on AWS cloud infrastructure and is used by EU states to host websites belonging to bloc entities.” ShinyHunters then accessed the stolen data.

(The Record)

Massachusetts emergency communications system suffers cyberattack

This emergency communications system is used by several small towns across northern Massachusetts. The Patriot Regional Emergency Communications Center said, “the intrusion impacted town and public safety computer systems.” 9-1-1 phone systems still worked, but non-emergency and business phone lines are out of service. The center serves the affected towns, Pepperell, Ashby, Dunstable, Groton and others, as a regional hub for receiving emergency calls and dispatching police, fire or medical services. No further details about the hack or the group behind it have been released.

(The Record)

Hims & Hers suffers Zendesk related breach

“Hims & Hers is an American telehealth company specializing in the direct-to-consumer healthcare space, providing subscription-based treatments for hair loss, ED, mental health, skincare, weight loss, and other conditions or needs.” BleepingComputer was told that the threat actors used an Okta SSO account to access the Hims & Hers Zendesk instance, where they stole millions of support tickets in early February 2026. The information exposed “may include names, contact information, and other unspecified data, likely related to the support request submitted in each case,” but the company underlined that no medical records or doctor communications were compromised.

(BleepingComputer)

Engineer admits to locking thousands of Windows devices in extortion plot

According to court documents, 57-year-old Daniel Rhyne from Kansas City, Missouri, has pleaded guilty to locking Windows admins out of 254 servers as part of a failed extortion plot that targeted his employer, an industrial company headquartered in Somerset County, New Jersey. He did so by remotely accessing the company’s network without authorization using an administrator account. He “allegedly scheduled tasks on the company’s Windows domain controller to delete network admin accounts and to change the passwords for 13 domain admin accounts and 301 domain user accounts,” which had a cascading effect on the servers on his employer’s network. He also scheduled tasks to shut down random servers and workstations on the network over multiple days in December 2023. He sent emails threatening to shut down 40 random servers daily over the next ten days unless the company paid a ransom of 20 bitcoin (worth roughly $750,000 at the time). The hacking and extortion charges to which he pleaded guilty carry a maximum penalty of 15 years in prison.

(BleepingComputer)
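The pattern in this case, a scheduled task on a domain controller followed by bulk password resets and account deletions, is the kind of thing a detection rule can catch from Windows Security events. As an added example (not from the court filings or BleepingComputer), the code below runs such a rule over constructed events using the standard event IDs 4698 (scheduled task created), 4724 (password reset attempt) and 4726 (account deleted); the hostnames, account names and threshold are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

DOMAIN_CONTROLLERS = {"DC01"}  # assumed hostnames for this example
TASK_CREATED, PASSWORD_RESET, ACCOUNT_DELETED = 4698, 4724, 4726


def _mk(ts, eid, subject, target, host="DC01"):
    """Build one simplified Security event record (constructed, not a real log)."""
    return {"ts": datetime.fromisoformat(ts), "id": eid, "subject": subject,
            "target": target, "host": host}


# Constructed sample: one account creates a DC task, then resets six domain admin
# passwords and deletes an admin account within two minutes; a helpdesk account
# does two routine resets hours apart the next day.
SAMPLE_EVENTS = [
    _mk("2023-12-01T22:00:05", TASK_CREATED, "CORP\\svc-backup", "\\Maint\\ResetAccts"),
    *[_mk(f"2023-12-01T22:01:{i:02d}", PASSWORD_RESET, "CORP\\svc-backup", f"CORP\\da{i:02d}")
      for i in range(6)],
    _mk("2023-12-01T22:02:10", ACCOUNT_DELETED, "CORP\\svc-backup", "CORP\\netadmin1"),
    _mk("2023-12-02T09:15:00", PASSWORD_RESET, "CORP\\helpdesk", "CORP\\jsmith"),
    _mk("2023-12-02T10:40:00", PASSWORD_RESET, "CORP\\helpdesk", "CORP\\akhan"),
]


def detect_bulk_account_tampering(events, threshold=5, window=timedelta(minutes=15)):
    """Alert on subjects that reset or delete >= threshold distinct accounts within
    `window`, and attach any scheduled tasks they created on a domain controller."""
    by_subject, dc_tasks = defaultdict(list), defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["id"] in (PASSWORD_RESET, ACCOUNT_DELETED):
            by_subject[e["subject"]].append(e)
        elif e["id"] == TASK_CREATED and e["host"] in DOMAIN_CONTROLLERS:
            dc_tasks[e["subject"]].append(e["target"])
    alerts = []
    for subject, evs in by_subject.items():
        best, start = 0, 0
        for end in range(len(evs)):  # sliding window over this subject's events
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            best = max(best, len({x["target"] for x in evs[start:end + 1]}))
        if best >= threshold:
            alerts.append({"subject": subject, "accounts": best,
                           "dc_tasks": dc_tasks.get(subject, [])})
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_account_tampering(SAMPLE_EVENTS):
        print(alert)
```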

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.