Zero Day Wire

Threats

Google Attributes Axios npm Supply Chain Attack to North Korean UNC1069, Links Backdoor to WAVESHAPER Evolution

Google has formally attributed the Axios npm supply chain attack to UNC1069, a North Korean threat cluster tracked by Mandiant and Google's Threat Intelligence Group since 2018. The attribution, confirmed by GTIG chief analyst John Hultquist, links the compromise of the JavaScript ecosystem's most popular HTTP

Alerts

CISA Orders Emergency Patch for Actively Exploited Citrix NetScaler Flaw Resembling CitrixBleed (CVE-2026-3055)

CISA has issued an emergency patching directive for a critical Citrix NetScaler vulnerability that is already being exploited in the wild to hijack administrator sessions on exposed appliances. The agency added CVE-2026-3055 to its Known Exploited Vulnerabilities catalog on Monday and ordered all Federal Civilian Executive Branch agencies to secure

Threats

Axios Supply Chain Attack Delivers Cross-Platform RAT to Millions After npm Maintainer Account Hijacked

A coordinated supply chain attack targeting the Axios npm package has delivered a cross-platform remote access trojan to developer workstations and CI/CD environments worldwide, after an attacker hijacked the lead maintainer's npm credentials and published two backdoored releases to the official registry. The attack, executed in the

Breaches

RedLine Infostealer Administrator Extradited to US, Faces Up to 20 Years for Running MaaS Infrastructure

Armenian national Hambardzum Minasyan has been extradited to the United States for his alleged role in maintaining RedLine's command-and-control infrastructure, managing affiliate payments, and distributing the infostealer — one of the most prolific credential-stealing operations since 2020.

Threats

Coruna iOS Exploit Kit Traced Back to Operation Triangulation Authors as Attacks Shift From Espionage to Mass Exploitation

Kaspersky's GReAT team has established a direct code-level link between the Coruna iOS exploit kit and Operation Triangulation, the sophisticated espionage campaign that targeted iOS devices in 2023. The connection goes beyond shared vulnerabilities — the kernel exploits in both toolchains were created by the same author using a

Threats

Payment Skimmer Abuses WebRTC Channels to Bypass CSP and Steal Card Data

Security researchers at Sansec have uncovered a payment skimmer that represents a significant technical evolution in how attackers steal card data from online stores. Instead of relying on conventional HTTP requests or image beacons to exfiltrate stolen information, the malware abuses WebRTC data channels — a technique that renders Content Security

Alerts

Quest KACE CVSS 10.0 Authentication Bypass Exploited to Hijack Admin Accounts and Target Backup Infrastructure

Arctic Wolf observes active exploitation of CVE-2025-32975 in Quest KACE SMA — a maximum-severity authentication bypass enabling full admin takeover, Mimikatz credential harvesting, and RDP access to Veeam and Veritas backup systems.

Threats

Trivy Supply Chain Attack Escalates — TeamPCP Pushes Infostealers via Docker Hub, Deploys Kubernetes Wiper Targeting Iranian Systems

The supply chain compromise of Trivy, the widely used open-source vulnerability scanner maintained by Aqua Security, has escalated dramatically — with threat actor TeamPCP pushing malicious Docker images to Docker Hub, defacing Aqua Security's internal GitHub organization, distributing a self-propagating worm across dozens of npm packages, and deploying a

Threats

Storm-2561 Distributes Fake Enterprise VPN Clients From Cisco, Fortinet, and Ivanti via SEO Poisoning to Steal Corporate Credentials

Microsoft has disclosed a credential theft campaign by Storm-2561, a criminal group active since May 2025, that distributes fake enterprise VPN clients from major vendors through SEO poisoning — capturing corporate credentials before seamlessly redirecting victims to the real VPN download to erase any indication of compromise. The campaign, running since

Alerts

CISA Adds SolarWinds, Ivanti, and Workspace One Flaws to KEV Catalog — SolarWinds Linked to Warlock Ransomware Activity

CISA has added three actively exploited vulnerabilities to its Known Exploited Vulnerabilities catalog — a critical SolarWinds deserialization flaw linked to Warlock ransomware operations, an Ivanti Endpoint Manager authentication bypass, and a long-standing Workspace One SSRF vulnerability now being weaponized in coordinated campaigns. Federal agencies face an accelerated two-day deadline for

Threats

BlackBasta-Linked Actors Deploy New A0Backdoor via Microsoft Teams Social Engineering With DNS MX-Based C2

Threat actors linked to the dissolved BlackBasta ransomware operation are targeting employees at financial and healthcare organizations through Microsoft Teams social engineering to deploy a previously undocumented backdoor called A0Backdoor that hides its command-and-control communications inside DNS MX record queries. The campaign, disclosed by BlueVoyant, has confirmed targets including a

Breaches

ShinyHunters Claims 100 High-Profile Victims in Salesforce Data Heist Using Modified Mandiant Tool to Exploit Experience Cloud Misconfigurations

The ShinyHunters extortion gang claims to have stolen data from approximately 100 high-profile companies — including Salesforce itself, Snowflake, Okta, LastPass, Sony, and AMD — in a months-long campaign exploiting misconfigured Salesforce Experience Cloud sites using a weaponized version of an open-source tool originally developed by Mandiant for defensive purposes. Salesforce confirmed