A China-nexus cyber espionage group has been observed deploying a BSD variant of a known backdoor called BRICKSTORM, as well as two other malware families codenamed PLENET (aka GRIMBOLT) and AGENTPSD to target Linux systems.

The activity has been attributed by Volexity to a threat cluster it tracks as VerdantBamboo, which it said overlaps with hacking groups known as Clay Typhoon (Microsoft), UNC5221 (Google), and Warp Panda (CrowdStrike).

The cybersecurity company said it discovered the intrusion during an incident response engagement in September 2025, when it emerged that the adversary had compromised an unnamed victim’s Egnyte Storage Sync system by exploiting a local privilege escalation flaw to deploy BRICKSTORM. The issue was addressed in Storage Sync version 13.13, released in March 2026.

“The appliance had periodically been accessed by VerdantBamboo via IP addresses assigned through the victim organization’s web SSL VPN,” researchers Damien Cash, Paul Rascagneres, Steven Adair, and Tom Lancaster said in a technical report published last week.

“The threat actor used the malware’s proxying capabilities deployed on the Storage Sync system, along with compromised credentials, to access the victim’s Microsoft 365 (M365) environment.”

It’s assessed that these steps were undertaken to blend in with legitimate network traffic and evade Conditional Access policies, with the initial compromise occurring at least 18 months before.

Following the initial remediation, VerdantBamboo is said to have staged a return, breaching the same organization by using stolen administrative credentials to connect to the firewall, and then abusing that access to configure web SSL VPN access to the device, connect to other systems, and deploy additional malware to a Synology Network Attached Storage (NAS) appliance.

Further investigation has since uncovered that the threat actor had in fact compromised the victim organization’s Managed Services Provider (MSP), specifically infecting its MSP’s pfSense firewall with a BSD variant of BRICKSTORM around the same time the victim’s Storage Sync system was also breached.

It’s believed that the victim was compromised through the threat actor’s breach of the MSP. The two malware families deployed to the NAS appliance over SSH are as follows –

• PLENET (aka GRIMBOLT), a cross-platform backdoor developed in .NET Core and a new version of BRICKSTORM compiled using native ahead-of-time (AOT) compilation. It supports interactive shell, remote command execution, file manipulation, and command-and-control (C2) server switching.
• AGENTPSD, a Python-based reverse shell that likely functions as a fallback in case the primary implant ceases to function

It’s worth noting that the use of PLENET in the wild was reported by Google earlier this February in connection with attacks mounted by a suspected China-nexus threat cluster dubbed UNC6201 that exploited a vulnerability in Dell RecoverPoint for Virtual Machines (CVE-2026-22769, CVSS score: 10.0) as a zero-day since mid-2024.

“VerdantBamboo is a highly sophisticated threat actor that seeks to leverage a combination of living-off-the-land techniques and malware deployment on systems that traditionally do not or cannot run EDR software,” Volexity said.

“This threat actor appears to have good knowledge of proprietary appliances, allowing them to deploy malware with customized persistence mechanisms. They also appear to have operational security discipline aimed at leveraging a limited number of domains and IP addresses per victim and setting up customized implant naming and persistence on a per-device basis.”

Cybersecurity researchers have disclosed details of a financially motivated data theft extortion campaign that has targeted dozens of organizations across professional, legal, and financial services in the U.S. between January and May 2026.

The activity has been attributed by Google Mandiant and Google Threat Intelligence Group (GTIG) to a threat actor dubbed UNC3753, which is also known as Chatty Spider, Luna Moth, and Silent Ransom Group (SRG).

“UNC3753 leverages voice phishing (vishing) and social engineering deception techniques to achieve remote access into corporate environments,” researchers Chad Reams, Tufail Ahmed, Keith Knapp, Ashley Frazer, and Tyler McLellan said.

“Using pretexts such as data migration or invoice-related emails, the threat actors initiate phone conversations posing as IT support and convince targets to host screen-sharing sessions and download remote monitoring and management (RMM) utilities.”

Upon gaining access, the threat actors have been found to either carry out direct searches to locate and exfiltrate files of interest or deceive the victim into carrying out the actions on their behalf. Stolen information includes proprietary legal agreements, personally identifiable information (PII), and financial records.

In some instances, the attackers have accessed victims’ systems in person, echoing an advisory issued by the U.S. Federal Bureau of Investigation (FBI) last month. These physical intrusions involve the threat actors posing as IT technicians to enter corporate offices and attempt to steal data using removable USB media.

“By sending someone in-person to the victim’s location to facilitate the intrusion, SRG actors exfiltrate data to an external hard drive or USB drive inserted by the threat actor into the victim’s computer,” the FBI said of the new escalation in UNC3753’s capabilities.

Google said UNC3753 shares tactical overlaps with UNC2686, a threat cluster previously known for carrying out BazarCall-style campaigns in 2021. Although the group has been observed deploying LockBit Black ransomware in the past, it has mainly focused on extortion-only operations since 2022, pressuring victims to pay up or risk getting their data published on the LEAKEDDATA data leak site.

Both UNC3753 and UNC2686 are assessed to be offshoots of the now-defunct Conti ransomware gang, with early iterations of the campaigns using subscription cancellation lures as part of callback phishing attacks that aim to install remote access software on victims’ machines.

Beginning around March 2025, the hacking crew has impersonated internal corporate IT help desk staff to trick victims into joining a screen-sharing session on enterprise communication platforms like Zoom, Microsoft Teams, or Quick Assist under the guise of addressing a security issue helping with a corporate data migration project, effectively bypassing traditional security controls.

“The threat group frequently initializes campaigns using benign, invoice-themed email lures sent from actor-controlled consumer email accounts,” Google said. “These messages contain no active links or malicious attachments. Instead, they typically contain a brief, generic message. The primary purpose of these emails is to establish a pretext, raising the target’s internal security concerns so they are more susceptible to follow-up voice calls.”

Once a session is established, the attackers attempt to establish a persistent foothold by guiding the victims to install legitimate remote desktop software like AnyDesk, Bomgar, SuperOps RMM, or Zoho Assist. Instructions to install these programs are shared via a legitimate service called “privnote[.]com,” which allows users to send notes that self-destruct after being read by the recipient.

UNC3753 has also been observed establishing Zoom sessions directly on targets’ personal laptops to access corporate virtual desktop infrastructure (VDI) and burrow deeper into corporate file systems with the goal of enumerating local and cloud directories, crawling mapped network drives, and harvesting data from highly sensitive folders, including those related to tax filings, audits, corporate client agreements, and Social Security numbers (SSNs).

In the final stage, the captured data is sent to the threat actors via WinSCP or Rclone, or to email addresses controlled by the threat actor from the target’s mailbox. This is followed by the attackers sending an extortion demand in the form of an email message, typically within 30 minutes of exiting the target environment.

The email messages give victims a three-day deadline to initiate ransom negotiations. They also threaten to call and email target employees and external clients directly to notify them of the data breach should they remain unresponsive, not to mention publish the entire stolen information on the data leak site.

In many incidents investigated by Google’s threat intelligence and incident response teams, the end-to-end operation from initial contact to data extortion is said to have occurred within a single business day. The fast-tempo operational model is exemplified by the fact that the attackers initiate data searches, staging, and theft in under an hour.

“Legal services firms represent high-value targets for extortion actors. They maintain concentrated repositories of extremely sensitive client transaction files, merger and acquisition plans, client trade secrets, and corporate regulatory reports,” Google said.

“Threat groups recognize that legal entities are subject to heavy reputational and regulatory exposure and may be highly motivated to resolve extortion situations quietly to protect their professional standing. Threat actors recognize that targeting the human element – specifically using voice-guided social engineering-enables them to easily bypass robust technical perimeters, web security gateways, and MFA configurations.”

The findings coincide with a new report from Resecurity about the threat actor’s use of DNS Fast Flux network infrastructure across various countries in Latin America, Eastern Europe, Central Asia, Middle East/Africa, East Asia, and the Caribbean to make its domains harder to block –

• business-data-leaks[.]com, the data leak site that lists close to 100 victim organizations as of June 2026
• ep6pheij[.]com, which stages the stolen data per victim

“By changing the DNS records and using short Time-To-Live (TTL) values, attackers make their malicious infrastructure resilient against takedowns,” the cybersecurity company said.

“Both domains operate on a fast-flux network backed by a botnet spread across 18 countries and 22 ISPs. The two domains share 50-60% of their bot pool, confirming a single threat actor operates both. The infrastructure contains zero datacenter or hosting IPs – every node traces back to a consumer ISP (e.g., Telecentro, Mega Cable, Vodafone) and is flagged as residential or mobile IP address.”

Microsoft has announced that Visual Studio Code (VS Code) will apply a two-hour delay before extensions for the integrated development environment (IDE) are updated automatically to a newer version in an attempt to tackle software supply chain threats.

“When automatic updates are enabled, new versions are auto-updated two hours after they are published, adding an extra layer of protection against problematic or potentially compromised releases,” Microsoft said.

The new feature is available starting in VS Code 1.123.

The tech giant noted that users still have the option to update any extension immediately at any point in time by using the “Update” button. When extensions have pending updates, a reason for why they haven’t been updated yet will be available in the details view, along with when the automatic update will take place.

That said, this two-hour delay does not apply to extensions from trusted publishers such as Microsoft, GitHub, and OpenAI, it added. Extensions from such publishers will continue to be updated immediately.

The development comes days after RubyGems added an opt-in cooldown feature to Bundler 4.0.13 that delays installation of newly published gem versions for a pre-defined period.

Specifically, the feature allows developers to configure Bundler to introduce a time-based install delay with an aim to reduce potential exposure arising from newly published malicious versions.

Over the past year, similar installation controls have also been added to Bun, pnpm, npm, and Yarn –

• Bun – minimumReleaseAge (Bun 1.3+)
• npm – min-release-age (npm v11.10.0+)
• pnpm – minimumReleaseAge (pnpm 10.16+)
• Yarn – npmMinimalAgeGate (Yarn Berry 4.10.0+)

These changes arrive against the backdrop of a surge in software supply chain incidents targeting various ecosystems to breach developer systems and propagate malware to downstream users.

By enforcing a minimum age threshold before a particular package version can be installed, the defensive control minimizes the window during which it spreads before it’s flagged as malicious and taken down by the registry maintainers.

OpenAI has begun rolling out a new Lockdown Mode to ChatGPT for eligible personal accounts to reduce the risk of data exfiltration arising from prompt injection attacks.

The feature is primarily designed for people and organizations that handle sensitive data and require stricter protection guarantees. Lockdown Mode is available to logged-in users across Free, Go, Plus, and Pro, and self-serve ChatGPT Business plans.

“Lockdown Mode is an optional advanced security setting that limits many tools and capabilities in OpenAI products that can connect to the web or external services,” OpenAI said.

“It is designed to reduce the risk of data exfiltration from prompt injection attacks by limiting outbound network requests, at the expense of disabling or limiting some useful features.”

The safeguards are aimed at hardening the attack surface against prompt injections, which continues to be a “frontier” problem impacting all large language models (LLMs).

Specifically, they build upon sandboxing and existing controls to combat URL-based data exfiltration mechanisms to limit outbound network requests that could potentially transmit sensitive data to attacker-controlled infrastructure.

The idea is not to stop prompt injections from occurring. Nor does it change the way memory or file uploads work, or the ability to share a conversation. Rather, the goal is to eliminate potential pathways through which the data could be exfiltrated. To that end, Lockdown Mode disables the following features –

• Live web browsing, which is limited to accessing only cached content
• Image support, for displaying images in regular responses or retrieving images from the web
• Deep research
• Agent mode
• Canvas networking, which prevents users from approving Canvas-generated code to access the network
• File downloads, which block downloading files for data analysis

Pointing out the feature is not “intended for everyone,” OpenAI also noted that both Lockdown Mode and Developer Mode cannot be used at the same time, adding that turning on one disables the other.

“Lockdown Mode is designed to substantially reduce the risk of prompt injection-based data exfiltration in ChatGPT and supported OpenAI products, but it does not guarantee that data exfiltration cannot happen,” the company said. “Risk may remain through enabled Apps, unforeseen combinations of capabilities, or newly discovered techniques.”

“Lockdown Mode also does not prevent all other effects of prompt injection attacks. For example, a malicious instruction hidden in an uploaded file could still affect ChatGPT’s behavior, and cause an incorrect answer.”

The development comes as OpenAI has also launched a new account management feature that enables users to review active ChatGPT sessions and log out of individual or all sessions if signs of unauthorized account activity are detected. The listed sessions include information about the device, the app used, approximate location, sign-in date and time, whether the device is trusted, and whether it’s the current session.

A researcher has reverse-engineered the iOS SDK that Bright Data embeds in consumer apps and documented how it turns devices, including always-on smart TVs, into exit nodes that relay web-scraping traffic for a data business Bright Data markets heavily to the AI industry.

The company, the successor to Luminati, operates what it calls the largest residential proxy network in the world, advertised at more than 400 million residential IPs. Part of that supply comes from this SDK, shipped inside free apps behind an opt-in screen and described as a consent-sourced pool of 150 million-plus IPs.

The findings, published June 5 by Include Security and independent researcher Buchodi, matter because the scraping comes from the user’s home IP, not the customer’s. The immediate risk is not a hacked account or stolen data; it is that a home connection and its bandwidth get used as someone else’s scraping infrastructure.

A connected TV is close to ideal for that: usually plugged in, on a fast connection, effectively unmetered, and unwatched.

The deepest technical evidence is from the iOS SDK; the smart-TV reach rests on Bright Data’s platform support, its public partner list, and earlier reporting. The research found the peer channel that carries scraping jobs has no real authentication, and on iOS, its traffic bypasses a configured VPN.

Inside the peer tunnel

When the app opens, the SDK contacts one of Bright Data’s servers, which hands over its instructions without really checking who is asking. From then on, the server can tell the device to go and fetch pages from other websites, using the user’s home internet connection to do it.

The researcher found the channel that carries those jobs has none of the usual security checks, and described it as Weaker than the command-and-control channels used by most malware.

On iPhones, the researcher found that this traffic slips past a VPN, and that much of what the app does does not show up in the tools security teams normally use to monitor apps. The device can also keep relaying in the background while someone is watching the screen or on a call, as long as the battery is not low.

The consent gap

The opt-in screen does not match what the SDK actually allows. In one Roku app, Petflix, the screen said it would use the device and its connection “occasionally.”

The settings the SDK loads allow up to 200 GB of traffic a month. In a few countries, including Uzbekistan and Oman, the limits are set far higher, and the device is cleared to keep working almost until the battery runs flat. The SDK can also tie together a person’s phone and computers that run the same company’s apps, treating them as one user.

The company publishes its list of app partners on a page anyone can open, and it includes makers of smart-TV apps such as PlayWorks Digital, CloudTV, and Longvision. The researcher is careful to note that being on the list only shows a company worked with Bright Data at some point, not that its app includes the SDK today. Each one would need to be checked on its own.

Bright Data disputes the characterization. In an email to The Hacker News, the company said its opt-in screen is explicit rather than buried in legal text, names Bright Data, links its privacy policy and license, and lets users opt out in two steps and keep using the app either way. It says the SDK reaches only approved domains, collects no personal data or browsing history, uses only the device’s IP address, and runs on average around 50 MB a day on Wi-Fi, pausing when the device is busy or low on battery. Bright Data also points to independent audits and certifications, including a PwC report, AppEsteem certification, and ISO and SOC 2 attestations, published in its Trust Center.

An old model, pulled by AI demand

None of this is new in shape, only in scale. Bright Data is the successor to Luminati, the paid proxy service that grew out of Hola VPN. In 2015 Hola was caught selling its free users’ bandwidth as exit nodes through Luminati, at $20 a gigabyte. The same model now runs on the always-on box in the living room.

What changed is the buyer. Anti-bot defenses from Cloudflare, DataDome, and others block scrapers coming from datacenter IPs, so AI scrapers route through residential connections instead.

Krebs reported in October 2025 that proxies from botnets like Aisuru are fueling large-scale AI data harvesting, and Google dismantled the criminal IPIDEA proxy network in January. Those operations hijack consumer devices; Bright Data says its exit nodes opt in through a consent screen. That consent is the line between the two, and whether it is meaningful is the open question.

Lowpass, syndicated by The Verge, first surfaced the smart-TV angle in February, and this is the technical teardown. Google, Amazon, and Roku have since restricted background proxy SDKs, and Bright Data dropped those platforms, though it still lists Samsung’s Tizen and LG’s webOS.

What to do

The traffic is easy to spot and block. On a home network, the simplest step is to block the web addresses the SDK uses to connect, with a router-level tool like Pi-hole or NextDNS.

The main ones are proxyjs.brdtnet.com, proxyjs.luminatinet.com, proxyjs.bright-sdk.com, clientsdk.bright-sdk.com, and clientsdk.brdtnet.com. According to the research, blocking these stops the device from acting as a relay without affecting its paid service, which runs on separate addresses.

Companies that manage staff phones can also scan for apps that carry the SDK. One catch: on a mobile connection, the traffic sidesteps office Wi-Fi, so a network block alone will not always catch it. The company could also change how the SDK connects in the future, which would mean any blocklist needs updating.

Updated on June 9, 2026, to include Bright Data’s response.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity security flaw impacting SolarWinds Serv-U multi-protocol file server software to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

The vulnerability, tracked as CVE-2026-28318 (CVSS score: 7.5), is a denial-of-service (DoS) bug that causes the service to crash under certain conditions. CISA described it as an uncontrolled resource consumption vulnerability that results in a DoS condition.

“SolarWinds Serv-U is susceptible to specially crafted POST requests that crash the Serv-U service without authentication using Content-Encoding: deflate,” SolarWinds said in an advisory released earlier this week.

The issue has been addressed in SolarWinds Serv-U version 15.5.4 HF1. As mitigations, it’s advised to limit access to known addresses and block any request containing “content-encoding” since the vulnerable service does not require this functionality.

There are currently no details on how the vulnerability is being exploited in real-world attacks, or who is behind them. It’s also unclear how many internet-exposed Serv-U instances are compromised, if any.

CISA has ordered Federal Civilian Executive Branch (FCEB) agencies to address the flaw by June 19, 2026. In the past, multiple flaws in Serv-U have been exploited by bad actors, including those associated with the Cl0p ransomware gang.

Over 80% of professional sports organizations were targeted by cyber-attacks during the last year and over half of them were hit more than once, researchers have warned.

In a report published on June 11, the day the FIFA World Cup 2026 kicked off, figures from Darktrace revealed that 84% of sports organizations – including teams, venues and event bodies – were targeted by cyber-attacks during the last year.

And for most of them, facing a cyber-attack was not a one-off event: 57% experienced multiple cyder incidents in the 12-month period.

Sports teams and organizations make a tempting target for cybercriminals and other threat actors for a number of reasons. Sports fixtures, especially international events, are highly publicized, meaning that the attackers know exactly when they are happening.

That means that if attackers had the goal of causing maximum disruption, be it via crippling infrastructure with a ransomware attack or disrupting online services with a DDoS attack, they know when to strike.

The importance of keeping operations active is not lost on cybersecurity leaders in the sports industry: a third said that the most important task for cybersecurity teams is to help stadium operations maintain critical functions during live sporting events.

This is crucial, because if a cyber event meant that stadium operations were disrupted, fans may not be able to get through the gates, or the game might not be able to be played, creating multiple issues for the fans, teams, sporting bodies and sponsors.

“Professional sport is a high-pressure environment where timing matters,” said Nathaniel Jones, VP of security and AI strategy at Darktrace.

“A suspicious login, unusual data movement or unexpected AI agent action may look small in isolation, but during a live event it can become operationally significant very quickly.”

Cyber-Attacks Target Fan Data

A further reason why sports organizations are a major target for cyber-attacks is the data they handle. Like any large organization, sports bodies collect and handle information about customers: the fans.  

This includes sensitive information like credit card details and personal information, all of which are major targets for cybercriminals, either to steal and use directly themselves or sell to others on underground forums.  Either way, if this information is stolen, it puts the fans at risk of theft, fraud and more.

Read More: Fake Streams, Counterfeit Merch and Other Scams: How Fraudsters Target F1 Fans

In addition to this, sports organizations carry vast amounts of information about the teams and athletes themselves. This could range from personal data about the athletes to information about contracts and sponsorship deals, or even confidential data around how the organization works, commercial partnerships and relationships with third-party suppliers.

Targeting the Supply Chain

Indeed, it is the supply chain around these third-party suppliers which are commonly targeted by threat actors who view them as weak point to be exploited.

Ticketing providers, broadcasters, cloud services and stadium technology software suppliers are all potential targets for attackers, who could leverage the trusted relationship with the sports organization to help conduct an attack.

Social engineering is a key attack technique deployed against sports organizations. According to Darktrace, sports organizations received 19% more phishing emails than those in other sectors.

Analysis of 116,000 phishing emails which targeted sports organizations found that 21% directly targeted executives and other VIPs, while 37% involved ‘novel’ social engineering techniques which leveraged AI-powered assistance. Meanwhile, 84% of phishing emails detected successfully bypassed DMARC authentication, highlighting the challenge that organizations face.

As sporting organizations face increasing pressures from cyber threats, the report concluded that they must take action to ensure that they don’t become a high-profile victim of cyber-crime: especially at the key moment when the eyes of the world are watching.

“The most effective way to mitigate the risks facing sports organizations both internally and from external actors today is to adapt a behavioral approach to security. That means shifting away from rules and signatures and focusing on understanding both human and AI behavior inside your environment,” said Jones.

Image credit: katatonia82 / Shutterstock.com

Two things landed within days of each other this week. A security startup reported 21 previously unknown vulnerabilities in FFmpeg, the media library inside almost everything that touches video, all of them found by an autonomous AI agent.

The same week, Google shipped Chrome 149 with patches for 429 security bugs, the most ever in a single release.

Only the FFmpeg bugs were found by AI. Chrome’s record landed after Google overhauled its bounty program to cope with a flood of AI-generated reports. The mechanisms differ, but the pressure is the same: AI is putting more vulnerabilities in front of the people who have to deal with them, and faster than before.

The FFmpeg findings come from depthfirst, whose autonomous security agent scanned the project’s roughly 1.5 million lines of C and produced 21 confirmed zero-days, each with a reproducible proof-of-concept input.

The company puts the cost of the run at around $1,000. Several of the bugs had been latent for 15 to 20 years; one stack overflow in the service-description-table code dates to 2003 and sat untouched for 23 years.

Most are heap or stack overflows in parsers and demuxers, spanning components from the TS demuxer to the VP9 decoder. depthfirst says some already carry CVE identifiers; its writeup lists nine, CVE-2026-39210 through CVE-2026-39218, and notes the rest are fixed but not yet numbered. It also published a PoC.

In separate news, Chrome 149 fixes 429 vulnerabilities, a record for a single release. Over 100 are critical or high severity, mostly use-after-free and insufficient input validation.

The worst, CVE-2026-10881 (CVSS 9.6), is an out-of-bounds read and write in the ANGLE graphics engine that lets a crafted page escape the sandbox and run code on the host. Google paid $97,000 for it.

The highest-severity bugs were mostly internal finds: of roughly 90 high-severity bugs, only 10 came from outside researchers, and 19 of the 22 critical ones were Google’s own. The AI connection is more about volume than authorship.

Google hasn’t tied the 429 to AI; the on-record signal is the bounty overhaul it made in April, prompted by a flood of AI-generated submissions and now asking for a concise reproducer over the long writeups AI churns out.

Google’s Big Sleep agent reported a run of FFmpeg bugs last year, now visible on the project’s security page tagged BIGSLEEP, and Anthropic’s Mythos model pulled a 16-year-old H.264 flaw and others out of FFmpeg for about $10,000, three of which shipped in FFmpeg 8.1, per its own writeup.

Days ago, another autonomous tool found an authenticated RCE in Redis that had been present since version 7.2.0, unnoticed for over two years. The research points the same way: a February study had an agent reproduce working PoCs for more than half of 100 real Linux kernel N-day bugs, beating fuzzing.

For FFmpeg, pull the fixed upstream build or your distribution’s security update as soon as it lands, and prioritize anything that ingests untrusted RTSP or AV1-over-RTP. FFmpeg is widely bundled in media pipelines, Python wheels, container images, and appliances, so do not stop at system packages; those embedded copies need patching too.

For Chrome, update to 149.0.7827.53 on Linux or 149.0.7827.53/54 on Windows and macOS, or confirm auto-update has run.

The response has to match the new pace: shorter patch cycles, auto-update wherever it exists, and dependency bumps that carry CVE fixes treated as security work, not routine maintenance.

The hard part is shifting, though. Finding these bugs has gotten cheap; triaging the reports, shipping the fixes, and getting them installed has not, and much of that work still falls to volunteers and a thin layer of human triagers now expected to keep pace with machines.

NPM has announced new version (v12) of the npm package manager in a bid to prevent software supply chain attacks.

In a blog post published on June 9, The team of npm developers at Microsoft-owned GitHub announced three security-focused breaking changes that will transition the package manager from a model of implicit trust to explicit opt-in.

Available from July 2026, these changes represent a fundamental shift in how the ecosystem handles dependencies.

In npm v12, three historically permissive defaults will be flipped:

• Blocked install scripts: Running npm install will no longer automatically execute background scripts (such as preinstall, install, postinstall or native C/C++ builds like node-gyp rebuild), preventing malicious code from immediately executing during installation
• Blocked Git dependencies: Resolving dependencies directly from custom Git URLs will be blocked by default to prevent attackers from using custom Git configurations to bypass script restrictions
• Blocked remote URLs: Sourcing packages directly from external URLs or HTTPS tarballs instead of official registries will be forbidden by default unless explicitly permitted

To prepare for this transition, developers can already upgrade to the current npm version 11.16.0 or newer to receive optional warnings. They can also use the new npm approve-scripts command to audit their dependencies, identify blocked scripts and build a local policy allowlist directly in their package.json file.

Closing One Door May Open Others, Security Experts Caution

Isaac Evans, founder and CEO of Semgrep, supported this shift, and noted that the economic realities of software supply chain attacks demand structural defenses rather than relying on developers to individually catch every threat.

“It’s become clear that the economics of supply chain attacks have shifted. Worms like Miasma do not need a perfect hit rate. They are cheap to modify, cheap to rerun, and easier to extend now that parts of the playbook have been exposed,” he said.

“That makes stronger defaults around install scripts and non-registry dependencies a meaningful step.”

He also noted that the overall response is moving toward structural guardrails instead of asking every developer to catch every bad package in time.

However, Evans warned that as public package managers close these doors, attackers will pivot to private corporate repositories like Artifactory and Nexus. As he put it, “If npm and PyPI close off easier paths, attackers will look for the next trusted layer.”

Vulnerability researcher Paul McCarty, also known as 6mile, offered a more cautious perspective, warning that while the updates address long-standing flaws, they could also border on security theatre if they lead to developer friction.

In an analysis published on his website, Open Source Malware, on June 10, McCarty commended GitHub for retiring these three highly vulnerable defaults but said he remains concerned about the timeline for widespread adoption.

Furthermore, he added fearing that because build completion is a developer’s primary objective, many will simply blind-approve blocked scripts to bypass the warnings.

“When the choice is ‘this builds’ and ‘this is less prone to malware’, the former will always win,” McCarty cautioned.

He also highlighted an unintended consequence for security researchers, warning that benign package maintainers may resort to suspicious-looking workarounds to bypass the new blocks.

“The benign and the malicious converge on the same suspicious-looking pattern. We end up triaging a flood of weird-but-fine packages to find the weird-and-actually-bad ones and the bad ones get better cover precisely because so much legitimate behavior now looks the same way,” he warned.

Cisco has warned that a high-severity security flaw impacting Catalyst SD-WAN Manager has come under active exploitation.

The vulnerability, tracked as CVE-2026-20245, carries a CVSS score of 7.8 out of a maximum of 10.0. It affects the following deployment types –

• On-Prem Deployment
• Cisco SD-WAN Cloud-Pro
• Cisco SD-WAN Cloud (Cisco Managed)
• Cisco SD-WAN for Government (FedRAMP)

“A vulnerability in the CLI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, local attacker to execute arbitrary commands as root by supplying a crafted file to the affected system,” Cisco said in an advisory.

The network security company said the vulnerability is the result of insufficient validation of user-supplied input, which an attacker could exploit by uploading a crafted file to the affected system. This, in turn, could permit the attacker to perform command injection attacks and elevate their privileges as the root user.

“To exploit this vulnerability, the attacker must have netadmin privileges on the affected system,” Cisco added. “This would require valid credentials or exploitation of CVE-2026-20182 or CVE-2026-20127. Cisco is not aware of successful exploitation by other methods.”

CVE-2026-20182 (CVSS score: 10.0) was disclosed last month by Rapid7, describing it as an authentication bypass that could enable unauthenticated, remote attackers to obtain administrative privileges on susceptible systems. It’s also assessed to be similar to CVE-2026-20127, another case of authentication bypass impacting the same component.

Both vulnerabilities have been exploited in the wild as zero-days, with a threat activity cluster dubbed UAT-8616 linked to the abuse of CVE-2026-20127 as far back as 2023.

In its advisory released Thursday, Cisco said it observed limited cases where the exploitation of CVE-2026-20245 resulted in a configuration change pushed to edge devices. It credited Google Mandiant researchers Chester Sng, Pete Boonyakarn, and Logeswaran Nadarajan with discovering and reporting the new vulnerability. It is unknown who is behind the latest exploitation efforts.

There are currently no patches or mitigations available for CVE-2026-20245. Customers are recommended to upgrade their SD-WAN software to ensure they have applied the fixes released for CVE-2026-20182 on May 14, 2026.

Cisco has also warned that internet-exposed systems are at heightened risk of compromise. To look for indicators of compromise (IoCs), users are advised to check the “/var/log/scripts.log” file for entries like below –

Apr 15 09:44:57 vmanage vScript: Tenant list upload per vsmart serial number: /usr/bin/vconfd_script_upload_tenant_list.sh -cli path /home/admin/malicious.csv vpn 0

Jun  5 13:06:39 Manager vScript: vSmart upload serial numbers: /usr/bin/vconfd_script_upload_vsmart_serial_numbers.sh -cli path /home/admin/vsmart_serial_numbers_safe.csv

Jun  5 13:08:47 Validator vScript: ZTP upload chassis numbers: /usr/bin/vconfd_script_upload_chassis_number_file.sh -cli path /home/admin/chassis_numbers_safe.csv

CVE-2026-20245 is the seventh flaw impacting Cisco SD-WAN to be flagged as active exploited this year alone after CVE-2026-20182, CVE-2026-20127, CVE-2026-20122, CVE-2026-20128, CVE-2026-20133, and CVE-2022-20775.

The disclosure comes days after Cisco addressed another high-severity security flaw in Unified Communications Manager (CVE-2026-20230, CVSS score: 8.6), for which it said a proof-of-concept exploit code is public. There is no evidence that the vulnerability has come under active exploitation.