Threat Advisories

A new and active npm supply‑chain attack has been observed abusing compromised maintainer credentials to self‑propagate malicious code across packages in the Node.js ecosystem. The malware steals authentication material (npm tokens, cloud credentials, CI/CD secrets, SSH keys, and wallet data) and uses any discovered publishing tokens to inject itself into additional packages owned by the same maintainer, creating worm‑like lateral spread.

Microsoft has disclosed a critical remote code execution (RCE) vulnerability in the Windows Internet Key Exchange (IKE) Service Extensions, tracked as CVE‑2026‑33824. The vulnerability is caused by a double‑free memory handling flaw that can be triggered remotely by an unauthenticated attacker sending specially crafted network traffic to a vulnerable system. Successful exploitation could allow arbitrary code execution with system‑level privileges.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has confirmed active exploitation of a high‑severity remote code execution (RCE) vulnerability in Apache ActiveMQ Classic, tracked as CVE‑2026‑34197. The flaw has been added to CISA’s Known Exploited Vulnerabilities (KEV) Catalog, signalling verified malicious activity in the wild and elevating remediation priority for all organizations using affected versions of ActiveMQ.

Threat Type: Actively Exploited ZeroDay
Affected Product: Fortinet FortiClient Enterprise Management Server (EMS)

Google has released emergency security updates addressing CVE20265281, a high severity (CVSS score: N/A), actively exploited zero day impacting its Chrome browser.

A critical supply chain attack has impacted the widely used JavaScript library Axios following the compromise of its primary maintainer’s npm account. Threat actors used the hijacked account to publish two malicious versions, axios@1.14.1 and axios@0.30.4, which introduced a rogue dependency (plain-crypto-js@4.2.1). This dependency was not part of the legitimate Axios codebase and existed solely to execute a post install script that deployed a cross-platform Remote Access Trojan (RAT).

LiteLLM is a highly popular open-source Python library and proxy server that provides a unified interface for calling over 100+ Large Language Model (LLM) APIs, such as OpenAI, Anthropic, Bedrock, and VertexAI, using the standard OpenAI input/output format. It simplifies multi-LLM integration, offering features like automatic fallbacks, retries, and cost tracking. Because it functions as an API gateway, it acts as a credential aggregator by design, securely holding API keys for various LLM providers.

CVE202620963 was originally published in January 2026, but it has recently gained renewed attention due to confirmed active exploitation.

The UK and Ireland are now facing elevated cyber risk as Iranian‑aligned threat actors launch retaliatory operations in response to Operation Epic Fury, the joint US‑Israeli strikes on Iran.

Earlier this week we wrote a blog post on the cyber affairs amidst the US-Israel war on Iran, called Operation Epic Fury. In which we observed that there would be an elevated response from state sponsored threat actors, against the western organisations with a middle eastern presence as a retaliation for these attacks.