Threat Advisories

A critical supply chain attack has impacted the widely used JavaScript library Axios following the compromise of its primary maintainer’s npm account. Threat actors used the hijacked account to publish two malicious versions, axios@1.14.1 and axios@0.30.4, which introduced a rogue dependency (plain-crypto-js@4.2.1). This dependency was not part of the legitimate Axios codebase and existed solely to execute a post install script that deployed a cross-platform Remote Access Trojan (RAT).

LiteLLM is a highly popular open-source Python library and proxy server that provides a unified interface for calling over 100+ Large Language Model (LLM) APIs, such as OpenAI, Anthropic, Bedrock, and VertexAI, using the standard OpenAI input/output format. It simplifies multi-LLM integration, offering features like automatic fallbacks, retries, and cost tracking. Because it functions as an API gateway, it acts as a credential aggregator by design, securely holding API keys for various LLM providers.

CVE202620963 was originally published in January 2026, but it has recently gained renewed attention due to confirmed active exploitation.

The UK and Ireland are now facing elevated cyber risk as Iranian‑aligned threat actors launch retaliatory operations in response to Operation Epic Fury, the joint US‑Israeli strikes on Iran.

Earlier this week we wrote a blog post on the cyber affairs amidst the US-Israel war on Iran, called Operation Epic Fury. In which we observed that there would be an elevated response from state sponsored threat actors, against the western organisations with a middle eastern presence as a retaliation for these attacks.  

Cisco has released emergency patches for two maximum‑severity (CVSS 10.0) vulnerabilities affecting Cisco Secure Firewall Management Center (FMC). These flaws tracked as CVE‑2026‑20079 and CVE‑2026‑20131, allow unauthenticated, remote attackers to obtain root‑level control over FMC appliances, posing a severe risk to enterprise firewall infrastructure. No exploitation in the wild has been observed yet, but the critical nature and ease of exploitation elevate these vulnerabilities to immediate remediation priority.

Cybersecurity researchers have uncovered a new wave of supply-chain attacks attributed to North Korean state aligned threat actors, involving the publication of 26 malicious npm packages posing as legitimate developer tools. The campaign tracked as “StegaBin”, uses Pastebin based steganography to conceal command and control (C2) endpoints and ultimately deploy credential stealers and a cross platform remote access trojan (RAT). The infrastructure supporting these operations spans 31 Vercel deployments, highlighting a sophisticated and evolving threat to the global software supply chain.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a newly disclosed VMware Aria Operations vulnerability, tracked as CVE‑2026‑22719to its Known Exploited Vulnerabilities (KEV) catalog after confirming active exploitation in the wild. The flaw is a command injection vulnerability enabling unauthenticated remote code execution (RCE) under certain conditions. VMware (Broadcom) released patches on February 24, 2026, but reports indicate attackers are now leveraging the issue against unpatched systems. Federal civilian agencies have been mandated to remediate the vulnerability by March 24, 2026.

The global geopolitical and cybersecurity landscape has shifted dramatically following the February 28, 2026 launch of Operation “Epic Fury” by the United States and the parallel Israeli campaign Operation “Roaring Lion” against Iran. The coordinated military strikes successfully eliminated key Iranian leadership, including Supreme Leader Ayatollah Ali Khamenei, and heavily degraded Iran's conventional military and nuclear infrastructure.

Cisco Catalyst SD-WAN platforms are widely deployed across enterprises, governments, and service providers, often serving as the core infrastructure that links remote offices, data centers, and cloud environments. Because these controllers are frequently reachable from external networks to support distributed operations, they represent a highly visible and attractive target for threat actors.