
Zero-Day in the Supply Chain: How a Compromised npm Package Reached 40,000 Production Servers

A popular open-source npm package used by enterprises across fintech, healthcare, and SaaS was compromised via a maintainer account takeover. The malicious version was downloaded 2.1 million times in 72 hours before detection.

HorizonShield Threat Intelligence
February 24, 2026

Attack Vector: Maintainer Account Takeover

The compromised package had 4.2 million weekly downloads and was a dependency of hundreds of enterprise applications. The attack did not require finding a code vulnerability — it required compromising the GitHub account of a sole maintainer who had not enabled multi-factor authentication.

A credential stuffing attack using passwords leaked in an unrelated breach succeeded. The attacker then published a new version that looked like a routine patch release. It carried a data harvesting module that, the first time the package was loaded, read the process environment and sent its contents, including cloud credentials, API keys, and database connection strings, to an attacker-controlled endpoint.

The 72-Hour Window

Automated dependency update tools (Dependabot, Renovate) picked up the new version within hours and opened pull requests across thousands of repositories. Many CI/CD pipelines merged and deployed automatically. By the time the malicious code was identified and the package pulled, 2.1 million downloads had occurred.

Why Environment Variables Are So Valuable

Cloud credentials in environment variables (AWS access keys, GCP service account keys, Azure secrets) give an attacker an immediate foothold in the cloud control plane, well beyond the host the package ran on. The harvesting module was written to collect AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and anything matching a DATABASE_URL-style connection string, from every deployment environment in which the package executed.
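Because the harvester read the environment at load time, one practical mitigation for the exposure described in the two sections above is to make sure the secrets are no longer in process.env by the time any third-party code runs. The snippet below is an added example, not code from the article or from any library: the application reads the variables it needs into a frozen object and deletes them from process.env before loading dependencies, so a later enumeration of process.env by a malicious module finds nothing worth sending home. The variable names beyond the three the article lists, the suffix heuristic, and the sample environment are assumptions made for the example.

```javascript
// Added example (not HorizonShield's or any package's code): read the secrets the
// application needs into a frozen object, then remove them from process.env before
// any dependency is loaded. Third-party code that later enumerates process.env,
// as the harvesting module in the article did, finds nothing worth exfiltrating.

// The three names the article says the harvester targeted, plus a few common
// ones (assumed); extend for your environment.
const SECRET_NAMES = new Set([
  "AWS_ACCESS_KEY_ID",
  "AWS_SECRET_ACCESS_KEY",
  "AWS_SESSION_TOKEN",
  "DATABASE_URL",
]);
// Heuristic for anything else that looks like a credential (assumed suffix list).
const SECRET_SUFFIX = /(SECRET|TOKEN|PASSWORD|PASSWD|PRIVATE_KEY|CONNECTION_STRING)$/i;

function isSecretName(name) {
  return SECRET_NAMES.has(name) || SECRET_SUFFIX.test(name);
}

// Move every secret-looking variable out of `env` into a frozen snapshot.
// `env` defaults to process.env; deleting a key there unsets the variable for this
// process and for anything it spawns. The snapshot is returned so the caller can
// hand credentials to the clients that need them explicitly, instead of letting
// an SDK (or anything else) read them from the environment.
function sequesterSecrets(env = process.env) {
  const captured = {};
  for (const name of Object.keys(env)) {   // Object.keys() snapshots the names, so
    if (isSecretName(name)) {              // deleting while iterating is safe
      captured[name] = env[name];
      delete env[name];
    }
  }
  return Object.freeze(captured);
}

// Post-condition check: which secret-looking names are still visible to dependencies?
function leakedSecretNames(env = process.env) {
  return Object.keys(env).filter(isSecretName);
}

// Stand-alone demonstration on a constructed environment (not the real process.env).
function demo() {
  const env = {
    PATH: "/usr/local/bin:/usr/bin",
    NODE_ENV: "production",
    AWS_ACCESS_KEY_ID: "AKIA-EXAMPLE",                            // constructed value
    AWS_SECRET_ACCESS_KEY: "example-secret-key-material",         // constructed value
    DATABASE_URL: "postgres://app:example@db.internal:5432/app",  // constructed value
    GITHUB_TOKEN: "ghp_example",                                  // constructed value
  };
  const secrets = sequesterSecrets(env);
  console.log("sequestered:", Object.keys(secrets).join(", "));
  console.log("still visible:", Object.keys(env).join(", "));
  console.log("leaked secret-looking names:", leakedSecretNames(env).length);
  return { secrets, env };
}

demo();
```

Call sequesterSecrets() at the very top of the entry point, before any require of a dependency, or run it as a preload with node --require ./sequester.js so it executes before the application module; with ES modules, static imports are evaluated before the module body, so the preload route is the reliable one. Two caveats: install-time scripts (preinstall, install, postinstall) run in a separate npm process and are not covered, which is what ignore-scripts=true in .npmrc and an install environment without long-lived cloud keys are for; and the stronger form of this control is to have no long-lived keys in the environment at all, using an instance role or workload identity instead.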

Defensive Controls for Supply Chain

The organizations that contained the damage quickly had four controls in place: dependency pinning to exact versions with lockfile integrity hashes rather than semver ranges; Software Bill of Materials (SBOM) tracking, so they could answer within minutes which services carried the affected version; automated secrets and pattern scanning of incoming dependency code in CI/CD, which flagged the hard-coded exfiltration endpoint; and network egress filtering that blocked the harvesting callback even where the code did run.
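The 72-hour window described earlier was opened by pipelines that merged and deployed a fresh patch release within hours of publication, and the controls listed just above are what closed it. The script below is an added example, not HorizonShield's code or any tool's: a CI gate over package-lock.json that refuses any resolved version younger than a minimum release age (the manual equivalent of Renovate's minimumReleaseAge setting), requires an integrity hash and a known registry origin for every package, and surfaces packages that declare install scripts. The package names, lockfile entries, publish timestamps, and the three-day policy are constructed for the example; a real run would read the repository's package-lock.json and each package's packument `time` map from the registry.

```javascript
// Added example (not HorizonShield's code): a CI gate over package-lock.json
// (lockfileVersion 2 or 3) enforcing the controls the article credits with
// limiting the blast radius:
//   - every resolved package carries an integrity hash and comes from the expected registry
//   - no dependency resolves to a version published less than MIN_RELEASE_AGE ago,
//     which blocks the "patch release merged and deployed within hours" path
//   - packages that declare install scripts are surfaced for human review
// The lockfile and registry metadata below are constructed for the example.

const REGISTRY = "https://registry.npmjs.org/";
const MIN_RELEASE_AGE_MS = 3 * 24 * 60 * 60 * 1000; // 3 days; an assumed policy value

// Constructed lockfile (v3 shape: "packages" keyed by node_modules path).
const lockfile = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/acme-logger": {
      version: "1.4.2",
      resolved: "https://registry.npmjs.org/acme-logger/-/acme-logger-1.4.2.tgz",
      integrity: "sha512-constructedHashValueForTheExample000000000000000000000000000000000000000000000000000000==",
    },
    "node_modules/acme-utils": { // the "routine patch release" pushed by the attacker
      version: "2.0.5",
      resolved: "https://registry.npmjs.org/acme-utils/-/acme-utils-2.0.5.tgz",
      integrity: "sha512-constructedHashValueForTheExample111111111111111111111111111111111111111111111111111111==",
      hasInstallScript: true, // npm records this when the package has (pre|post)install scripts
    },
    "node_modules/acme-tunnel": { // pulled from a mirror, no integrity recorded
      version: "0.3.1",
      resolved: "https://mirror.example.net/acme-tunnel-0.3.1.tgz",
    },
  },
};

// Constructed subset of each package's registry "time" map: version -> publish timestamp.
const publishTimes = {
  "acme-logger": { "1.4.2": "2025-11-03T10:15:00.000Z" },
  "acme-utils":  { "2.0.4": "2025-12-19T09:00:00.000Z", "2.0.5": "2026-02-21T22:40:00.000Z" },
  "acme-tunnel": { "0.3.1": "2025-08-30T14:05:00.000Z" },
};

// "node_modules/@scope/name" or "node_modules/a/node_modules/b" -> the innermost package name.
function packageName(lockPath) {
  const marker = "node_modules/";
  return lockPath.slice(lockPath.lastIndexOf(marker) + marker.length);
}

// Returns a list of findings {name, version, rule, severity, detail}.
function auditLockfile(lock, times, now, opts = {}) {
  const registry = opts.registry || REGISTRY;
  const minAgeMs = opts.minReleaseAgeMs ?? MIN_RELEASE_AGE_MS;
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages)) {
    if (lockPath === "" || entry.link) continue; // root project and workspace links
    const name = packageName(lockPath);
    const report = (rule, severity, detail) =>
      findings.push({ name, version: entry.version, rule, severity, detail });

    if (!entry.integrity) report("missing-integrity", "block", "no integrity hash recorded");
    if (!entry.resolved || !entry.resolved.startsWith(registry))
      report("unexpected-source", "block", `resolved from ${entry.resolved || "(none)"}`);

    const published = times[name] && times[name][entry.version];
    if (!published) {
      report("unknown-publish-time", "warn", "no registry time data for this version");
    } else {
      const ageMs = now.getTime() - Date.parse(published);
      if (ageMs < minAgeMs)
        report("too-new", "block",
          `published ${(ageMs / 3600000).toFixed(1)}h ago, policy minimum is ${minAgeMs / 3600000}h`);
    }
    if (entry.hasInstallScript) report("install-script", "warn", "declares install/postinstall scripts");
  }
  return findings;
}

// The gate: any "block" finding fails the job; "warn" findings go to the reviewer.
function mergeBlocked(findings) {
  return findings.some((f) => f.severity === "block");
}

function demo() {
  const now = new Date("2026-02-24T12:00:00.000Z"); // fixed clock so output is reproducible
  const findings = auditLockfile(lockfile, publishTimes, now);
  for (const f of findings)
    console.log(`${f.severity.toUpperCase().padEnd(5)} ${f.name}@${f.version} ${f.rule}: ${f.detail}`);
  console.log(mergeBlocked(findings) ? "merge blocked" : "merge allowed");
  return findings;
}

demo();
```

Run it as the first step of the dependency-update job so that a blocking finding fails the job and the Dependabot or Renovate pull request cannot auto-merge. The age check is the one that matters most for this incident: a hold of a few days keeps a freshly published "patch" out of every pipeline while the ecosystem has time to notice it, which is exactly the time the malicious release was live.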

The Mandate: MFA on Every Package Maintainer Account

npm and RubyGems now mandate MFA for maintainers of high-download packages, and PyPI requires it for every account. For enterprise environments the lesson is broader: vendor risk assessments must cover the security posture of critical dependency maintainers (how many there are, whether they publish with MFA, whether releases come from CI rather than a laptop), not just the package code itself.

Incident Response · Cybersecurity · HorizonShield
HorizonShield Security Team

Cybersecurity expert at HorizonShield, specializing in threat intelligence, incident response, and enterprise security architecture.