Cybersecurity Daily Briefing: May 07, 2026

Coverage: Last 24 hours

Today’s Highlights

This cycle highlights active exploitation of high-impact vulnerabilities in perimeter security, critical supply-chain risks across software dependencies and popular tools, and ongoing threats to SaaS authentication and IoT infrastructure. Defenders must respond decisively to zero-day reports, supply-chain poisoning, and sophisticated adversary tactics blending espionage with ransomware decoys.

Table of Contents

  1. Hackers abuse Google ads for GoDaddy ManageWP login phishing
  2. Critical vm2 sandbox bug lets attackers execute code on hosts
  3. New Cisco DoS flaw requires manual reboot to revive devices
  4. DAEMON Tools devs confirm breach, release malware-free version
  5. Why ransomware attacks succeed even when backups exist
  6. MuddyWater hackers use Chaos ransomware as a decoy in attacks
  7. Palo Alto Networks firewall zero-day exploited for nearly a month
  8. Mirai-Based xlabs_v1 Botnet Exploits ADB to Hijack IoT Devices for DDoS Attacks
  9. PyPI Packages Deliver ZiChatBot Malware via Zulip APIs on Windows and Linux
  10. vm2 Node.js Library Vulnerabilities Enable Sandbox Escape and Arbitrary Code Execution

Top Stories


Hackers abuse Google ads for GoDaddy ManageWP login phishing

Source: BleepingComputer | Risk: High | Impacted: GoDaddy ManageWP administrators, Organizations with web assets on ManageWP, SaaS application trust and incident response teams

Summary: Cybercriminals have launched a phishing campaign via Google Ads targeting GoDaddy ManageWP users. They display a malicious sponsored result when users search “ManageWP,” redirecting to a fake login page that acts as an adversary-in-the-middle. Credentials and 2FA codes are intercepted in real time, enabling account takeover. Researchers confirmed at least 200 victims.

Why it matters: Compromised SaaS admin access through adversary-controlled login portals could directly lead to complete loss of control of web assets, with 2FA bypass eliminating a key security barrier.

Practitioner Perspective

GoDaddy ManageWP users are being targeted at the authentication layer via malicious Google Ads, redirecting them to fake login portals and harvesting credentials plus real-time 2FA codes. At least 200 compromises are confirmed, demonstrating that attackers are leveraging paid ad infrastructure to scale high-impact phishing campaigns. The risk includes loss of control of website management, with downstream impact to site integrity and customer data. Security teams must educate users on official login flows and increase scrutiny of SaaS access logs for signs of unauthorized access; SMS/OTP authentication should no longer be considered adequate in high-risk scenarios.

Recommended Actions

  • Review and alert on ManageWP logins from unexpected geolocations or IP ranges, especially after ad campaigns referencing ManageWP
  • Investigate OAuth or SSO tokens issued immediately after a user interacts with Google Ads for ManageWP
  • Educate website administrators to only authenticate at the official ManageWP domain, never through ad links
  • Temporarily heighten monitoring for adversary-in-the-middle techniques intercepting 2FA codes related to SaaS platforms
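The first and last actions above can be turned into a log check. The following is an added example, not code from BleepingComputer or GoDaddy: it flags admin logins from outside an expected IP allowlist, and sessions that are driven from a different IP than the one that just passed login and 2FA, which is the trace an adversary-in-the-middle relay leaves because the victim submits the credentials and OTP while the live session runs from the phishing proxy. The event shape, field names and sample events are constructed assumptions.

```javascript
// Added example (not from the article): detect SaaS admin logins outside an
// allowlist and post-login session use from a different IP than the login.
// Event shape and field names are assumptions; ts is epoch seconds.

// Constructed sample events (not real log data).
const SAMPLE_EVENTS = [
  { ts: 1000, user: "alice", ip: "10.20.30.40",   type: "login_success" },
  { ts: 1005, user: "alice", ip: "10.20.30.40",   type: "mfa_success" },
  { ts: 1010, user: "alice", ip: "10.20.30.40",   type: "session_activity" },
  { ts: 2000, user: "bob",   ip: "10.20.31.9",    type: "login_success" },
  { ts: 2004, user: "bob",   ip: "10.20.31.9",    type: "mfa_success" },
  { ts: 2030, user: "bob",   ip: "203.0.113.77",  type: "session_activity" },
  { ts: 3000, user: "carol", ip: "198.51.100.5",  type: "login_success" },
];

// Ranges the organization expects admin logins from (assumption).
const TRUSTED_CIDRS = ["10.20.0.0/16"];
// How long after a login a session from another IP is treated as a relay sign.
const RELAY_WINDOW_SECONDS = 600;

function ipToInt(ip) {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error(`bad IPv4 address: ${ip}`);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  // A shift by 32 would wrap to a shift by 0 in JS, so /0 is special-cased.
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return (ipToInt(ip) & mask) === (ipToInt(net) & mask);
}

// Returns one alert object per suspicious event, in time order.
function detectSuspiciousLogins(events, trustedCidrs, windowSeconds) {
  const alerts = [];
  const lastLogin = new Map(); // user -> { ts, ip } of the latest login_success
  const sorted = [...events].sort((a, b) => a.ts - b.ts);
  for (const ev of sorted) {
    if (ev.type === "login_success") {
      lastLogin.set(ev.user, { ts: ev.ts, ip: ev.ip });
      if (!trustedCidrs.some((c) => inCidr(ev.ip, c))) {
        alerts.push({ user: ev.user, ip: ev.ip, reason: "login_outside_trusted_ranges" });
      }
    } else if (ev.type === "session_activity") {
      const login = lastLogin.get(ev.user);
      if (login && ev.ip !== login.ip && ev.ts - login.ts <= windowSeconds) {
        alerts.push({ user: ev.user, ip: ev.ip, reason: "session_ip_differs_from_login_ip" });
      }
    }
  }
  return alerts;
}

console.log(detectSuspiciousLogins(SAMPLE_EVENTS, TRUSTED_CIDRS, RELAY_WINDOW_SECONDS));
```

On the sample, bob's session from 203.0.113.77 seconds after a login from the office range and carol's login from outside the allowlist are the two alerts; alice produces none.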

Critical vm2 sandbox bug lets attackers execute code on hosts

Source: BleepingComputer | Risk: Critical | Impacted: Node.js environments using vm2, Multi-tenant SaaS platforms supporting user code, DevSecOps and application security teams

Summary: A critical vulnerability (CVE-2026-26956) in the widely used Node.js sandbox library vm2 (version 3.10.4 and possibly earlier) enables attackers, when running on Node.js 25 with WebAssembly exception handling and JSTag support enabled, to escape the sandbox and execute arbitrary code on the host system; proof-of-concept exploit code has been released.

Why it matters: Breakouts from host isolation mechanisms threaten the integrity of multi-tenant systems, letting attackers compromise environments once thought secure by sandboxing.

Practitioner Perspective

Node.js environments using the vm2 library, especially version 3.10.4 and possibly earlier releases, are exposed to a trivial host compromise when running with WebAssembly exception handling and JSTag support. The public availability of a proof-of-concept significantly accelerates attacker adoption, making exploit attempts likely in SaaS, PaaS, and serverless setups utilizing untrusted code execution. Security posture must shift from assuming sandbox isolation to treating vm2 contexts as potentially hostile. Affected environments must update immediately and hunt for any anomalous process activity or lateral movement.

Recommended Actions

  • Upgrade vm2 to a patched release (3.11.2 or later) on all Node.js systems, prioritizing those running Node.js 25
  • Disable WebAssembly exception handling and JSTag support if patching is not immediately possible
  • Hunt for post-exploitation indicators on hosts running untrusted code via vm2
  • Audit application deployment logs for any recent abnormal process creation or outbound connectivity originating from sandboxed environments

New Cisco DoS flaw requires manual reboot to revive devices

Source: BleepingComputer | Risk: High | Impacted: Cisco Crosswork Network Controller, Network Services Orchestrator deployments, Service provider network operations

Summary: Cisco has released fixes for a high-severity denial-of-service vulnerability (CVE-2026-20188) in its Crosswork Network Controller and Network Services Orchestrator. The flaw allows unauthenticated attackers to crash devices via low-complexity remote attacks, and recovery requires a manual reboot. Cisco urges customers to upgrade to the fixed software.

Why it matters: Vulnerabilities that force operators to intervene physically for restoration disrupt services and raise operational risks, especially when no remote recovery is possible.

Practitioner Perspective

Cisco Crosswork Network Controller and Network Services Orchestrator deployments are exposed to unauthenticated remote attacks that can crash devices, necessitating a manual reboot for service restoration. This creates a risk of sustained downtime, especially in environments with limited remote hands or where physical access is challenging. Adversaries do not need credentials and can trigger disruption with low effort. Security teams must assess patch levels and prepare contingency plans for on-site response. The most important consideration is identifying and hardening any exposed management interfaces before an outage occurs.

Recommended Actions

  • Apply Cisco patches for CVE-2026-20188 across Crosswork and NSO systems
  • Audit device exposure, remove internet-facing access to management interfaces where possible
  • Prepare onsite personnel or remote hands to perform manual reboots on affected devices
  • Pre-stage configuration backups and out-of-band communications for recovery operations

DAEMON Tools devs confirm breach, release malware-free version

Source: BleepingComputer | Risk: High | Impacted: Endpoints with DAEMON Tools Lite installed, Organizations allowing end-user software installation, Teams without software allowlists

Summary: Disc Soft confirmed that DAEMON Tools Lite was compromised in a supply-chain attack, with trojanized installers distributed from April 8; the issue was confined to the free Lite version, not affecting paid products. A clean, malware-free Lite version 12.6 was released on May 5 to replace the compromised builds.

Why it matters: Widespread software download compromise can deliver malware organization-wide, particularly where update verification is weak or allowlisting is absent.

Practitioner Perspective

DAEMON Tools Lite users who installed or updated from April 8 until May 5 may have been exposed to malware via trojanized installers, a classic software supply-chain attack. This risk is acute for environments lacking application whitelisting or download provenance controls, as malicious code can propagate quickly during mass software updates. The compromise, limited to the free Lite branch, underscores the need for immediate inventory and remediation actions. Security teams should focus on confirming the presence of compromised versions, replacing them with the clean 12.6 build, and hunting for post-installation persistence or lateral tooling.

Recommended Actions

  • Identify endpoints running DAEMON Tools Lite and verify installer hashes against known clean versions
  • Replace all DAEMON Tools Lite installs with version 12.6 or later to ensure removal of trojanized code
  • Scan affected systems for indicators associated with the supply-chain malware retroactively to April 8
  • Implement controls to prevent end users from downloading and executing software installers from unverified sources

Why ransomware attacks succeed even when backups exist

Source: BleepingComputer | Risk: High | Impacted: Organizations relying on traditional backup solutions, Ransomware response teams, IT disaster recovery planners

Summary: The article explains that ransomware attacks often succeed despite the existence of backups because attackers compromise and destroy backup systems, which are typically exposed and unprotected, before launching encryption. Traditional backups fail not because they are absent but because they are vulnerable. Organizational resilience requires backup immutability, isolation, access controls, monitoring, and integration with security tools.

Why it matters: Destruction of accessible backup repositories leaves organizations with no path to recovery after ransomware, even when backup processes are mature.

Practitioner Perspective

Ransomware actors now routinely seek out and destroy backups before triggering file encryption, making standard backup policies insufficient. Weaknesses such as lack of immutability, poor isolation, or excessive access permissions turn backups into a liability rather than a failsafe. Modern ransomware groups will persist in environments long enough to map and destroy local, cloud, and offsite backups. Security teams must harden backup processes at the infrastructure level, enforce strict controls, and treat backup integrity as a central pillar of ransomware resilience. Failing to do so means even rigorous backup practices may not guarantee recovery.

Recommended Actions

  • Enforce backup immutability controls at the storage or cloud provider level
  • Segregate backup accounts, networks, and administrative credentials from production environments
  • Deploy monitoring and alerting for anomalous backup deletion or modification activity
  • Simulate ransomware scenarios that include backup compromise as part of tabletop exercises

MuddyWater hackers use Chaos ransomware as a decoy in attacks

Source: BleepingComputer | Risk: High | Impacted: Organizations with Microsoft Teams deployments, Entities of interest to Iranian APTs, Incident response and digital forensics teams

Summary: Iran-linked MuddyWater threat actors masqueraded their espionage campaign as a Chaos ransomware operation, using Microsoft Teams social engineering to steal credentials, establish persistence, exfiltrate data, and send extortion messages, with Rapid7 noting that the ransomware served as a decoy rather than the primary objective.

Why it matters: Attackers using ransomware as a diversion for espionage may outmaneuver incident responders and maintain access after an apparent extortion event.

Practitioner Perspective

Organizations exposed to Iran-linked threat actors, particularly those using Microsoft Teams, face a dual-threat scenario: credential theft and data exfiltration masked by ransomware activity. By leveraging a Chaos ransomware decoy, MuddyWater complicates detection, as responders may focus on ransomware containment while underlying stealthier actions persist. This tactic blends espionage with disruptive techniques, requiring incident responders to always hunt for secondary objectives in high-profile or state-linked cases. The lesson for defenders is to look beyond encryption events to uncover the scope of compromise.

Recommended Actions

  • Audit Teams authentication logs and investigate anomalous access patterns linked to credential harvesting campaigns
  • Hunt for credential reuse or unexpected accounts established shortly before or after Chaos ransomware deployment
  • Correlate ransomware incident timelines with data access and exfiltration events
  • Update detection content to flag known MuddyWater TTPs, including combo social engineering and ransomware masking

Emerging Signals


PyPI Packages Deliver ZiChatBot Malware via Zulip APIs on Windows and Linux

Source: The Hacker News | Risk: High | Impacted: Python development environments using PyPI, DevOps pipelines integrated with open-source packages, Endpoints with Zulip clients or API access

Summary: Cybersecurity researchers found three malicious PyPI wheel packages that secretly deliver a new malware called ZiChatBot on Windows and Linux systems by abusing Zulip’s REST APIs as command-and-control infrastructure, instead of a traditional C2 server. The packages were uploaded between July 16–22, 2025, and have since been removed.

Why it matters: Compromised open-source packages using SaaS APIs for C2 hide attacker command channels from ordinary network monitoring and threaten both developer and production systems.

Practitioner Perspective

The presence of tainted Python wheel packages on PyPI, embedding ZiChatBot and using Zulip’s REST APIs for command-and-control, shows attackers innovating around traditional detection pathways. Both Windows and Linux systems are at risk, particularly where unvetted packages are allowed in DevOps or automation workflows. Common network defenses may miss this activity because the C2 traffic blends in as legitimate SaaS API calls. Developers and security teams must review software provenance and treat modern package supply-chain threats as a primary attack vector. The takeaway: assume attacker creativity in C2 infrastructure and detect by endpoint and process behavior.

Recommended Actions

  • Inventory historic and current environments for the specific compromised PyPI wheel packages reported between July 16–22, 2025
  • Scan endpoints for ZiChatBot artifacts and review Zulip API traffic for unrecognized activity
  • Implement controls restricting PyPI package installation to vetted and internally mirrored repositories
  • Monitor application logs for abnormal REST API usage linked to Zulip outside sanctioned automation

vm2 Node.js Library Vulnerabilities Enable Sandbox Escape and Arbitrary Code Execution

Source: The Hacker News | Risk: Critical | Impacted: Node.js applications using untrusted code plugins, SaaS and PaaS platforms leveraging vm2, Teams responsible for app container security

Summary: Twelve critical vulnerabilities were disclosed in the vm2 Node.js library on May 7, 2026, enabling sandbox escapes and arbitrary code execution on affected systems; users are urged to upgrade to version 3.11.2.

Why it matters: The presence of multiple critical sandbox escape flaws places SaaS infrastructure that runs user code at extreme risk of total system compromise.

Practitioner Perspective

With disclosure of a dozen critical bugs in vm2, organizations running Node.js environments that execute any untrusted code are in a race to update. These vulnerabilities directly threaten SaaS, workflow automation tools, and platforms where customer, plugin, or partner code may run in controlled sandboxes. Real-world consequences include lateral movement from user plugins into core application infrastructure. Update timelines must be measured in hours, not days, as exploit research is public and mass scanning is likely. Security teams must reassess trust in any process thought shielded by vm2 sandboxing.

Recommended Actions

  • Upgrade all vm2 deployments to version 3.11.2 or higher across your estate
  • Disable any user-provided plugin or script capabilities until patches are validated and deployed
  • Retroactively review system and container logs for execution anomalies or unexpected child processes via Node.js sandboxes
  • Flag and contain application instances running outdated vm2 versions, prioritizing external-facing workloads
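Both vm2 items above come down to the same inventory question: which deployments still carry a vm2 older than 3.11.2, including copies nested under other packages. The script below is an added example, not code from either article or from the vm2 project; it walks a parsed package-lock.json (lockfileVersion 1 nested trees and lockfileVersion 2/3 flat package maps) and reports vm2 installs below the fixed version. The sample lockfile is constructed for the demo; the 3.11.2 threshold is the version named in the disclosure.

```javascript
// Added example (not from the articles or the vm2 project): find every vm2
// copy in a package-lock.json and report those below the fixed release.
// Point it at real lockfiles with JSON.parse(fs.readFileSync(...)).

const FIXED_VERSION = "3.11.2"; // fixed release named in the disclosure

// Constructed sample: a lockfileVersion 3 file with an old top-level vm2 and a
// patched copy nested under a plugin.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/vm2": { version: "3.10.4" },
    "node_modules/some-plugin": { version: "2.1.0" },
    "node_modules/some-plugin/node_modules/vm2": { version: "3.11.2" },
  },
};

// Numeric major.minor.patch comparison; returns <0, 0 or >0.
// Prerelease suffixes are dropped (assumption: release builds only).
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x - y;
  }
  return 0;
}

// Collect { path, version } for every vm2 install in a parsed lockfile.
function findVm2Installs(lock) {
  const found = [];
  if (lock.packages) {
    // lockfileVersion 2/3: keys are install paths such as
    // node_modules/a/node_modules/vm2; require the last segment to be vm2
    // directly under node_modules so scoped look-alikes do not match.
    for (const [path, meta] of Object.entries(lock.packages)) {
      const segs = path.split("/");
      if (segs[segs.length - 1] === "vm2" && segs[segs.length - 2] === "node_modules") {
        found.push({ path, version: meta.version });
      }
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested "dependencies" trees
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (name === "vm2") found.push({ path, version: meta.version });
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return found;
}

// Installs that still need the upgrade.
function vulnerableVm2(lock, fixedVersion = FIXED_VERSION) {
  return findVm2Installs(lock).filter((e) => compareVersions(e.version, fixedVersion) < 0);
}

console.log(vulnerableVm2(SAMPLE_LOCKFILE));
```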

Exploits & CVEs


Palo Alto Networks firewall zero-day exploited for nearly a month

Source: BleepingComputer | Risk: Critical | Impacted: Palo Alto Networks PAN-OS firewalls, Network perimeter security teams, Hybrid and remote-access environments

Summary: The article reports that a remote code execution zero-day vulnerability in Palo Alto Networks PAN-OS firewalls has been actively exploited since around April 9, allowing unauthenticated attackers to execute arbitrary code as root on affected devices.

Why it matters: Attackers gaining root access to perimeter firewalls may already control critical network gateways, allowing movement deeper into organizations and exposing them to covert attacks.

Practitioner Perspective

Organizations using Palo Alto Networks PAN-OS firewalls are at immediate risk, especially if management interfaces are internet-accessible. Active in-the-wild exploitation moves this from a patching priority to an incident response trigger: assume compromise and review for post-exploitation activity. Attackers with device access can deploy payloads, manipulate traffic, and evade detection using root privileges. This changes the calculus on firewall trust boundaries and raises the potential that attackers already have a foothold inside environments relying on these devices. Immediate containment and threat hunting are essential, even after patching.

Recommended Actions

  • Enumerate all PAN-OS deployments and restrict management interface exposure to trusted IPs only
  • Check official PAN-OS security advisories for mitigation guidance and deploy patches as soon as released
  • Pull forensic artifacts (config, logs, memory) from devices exposed to the Internet since April 9 for retrospective intrusion hunting
  • Review authentication and network routing logs for signs of device compromise or configuration drift
  • Monitor for unusual traffic patterns originating from firewalls, especially outbound connections to untrusted IPs

Mirai-Based xlabs_v1 Botnet Exploits ADB to Hijack IoT Devices for DDoS Attacks

Source: The Hacker News | Risk: High | Impacted: IoT device fleets (Android TV boxes, smart TVs, routers), Service providers hosting consumer endpoints, Networks with ADB exposed to the public internet

Summary: Security researchers have uncovered a Mirai-derived botnet named xlabs_v1 that exploits internet-exposed Android Debug Bridge (ADB) services on IoT devices, including Android TV boxes, smart TVs, routers and set-top boxes, to hijack them for paid DDoS attacks against game servers, employing bandwidth profiling and a “killer” subsystem to eliminate competing malware. The malware lacks persistence and is re-deployed per attack.

Why it matters: Attackers rapidly conscripting exposed IoT endpoints using Mirai variants for DDoS can amplify threats without long-term persistence, evading simple cleanup efforts.

Practitioner Perspective

Operators of IoT devices, including Android TV boxes and routers, should prioritize exposure analysis, since the xlabs_v1 botnet leverages Mirai-derived code to hijack hardware for paid DDoS services. These campaigns take advantage of insecure ADB exposure, often a legacy misconfiguration, to rapidly conscript devices without long-term persistence, making ongoing compromise detection challenging. The use of a “killer” subsystem to terminate competitor malware shows attackers iterating on control and profitability. Defenders must focus on ADB lockdown, network segmentation, and rapid identification of reused credentials or exposed telnet-style services.

Recommended Actions

  • Scan for externally accessible ADB ports and immediately restrict access to trusted internal networks
  • Update firmware and apply security patches to all Android-based IoT devices as relevant vendors release updates
  • Monitor for traffic patterns consistent with DDoS sourcing from your IP ranges, especially from devices with ADB enabled
  • Harden device configurations and disable exposed debug or remote administration interfaces whenever possible

Defensive Actions

  • Enumerate Palo Alto Networks PAN-OS deployments and limit management exposure; follow published advisory remediation guidance
  • Upgrade all vulnerable vm2 Node.js libraries and disable risky features until patching is done
  • Review and alert on ManageWP logins from unexpected sources and educate admin users about phishing through ad links
  • Audit Cisco Crosswork/NSO deployments for CVE-2026-20188; stage recovery methods and restrict management interfaces
  • Confirm DAEMON Tools Lite installations are updated to the safe 12.6 version and hunt for indicators from April 8 forward
  • Enforce immutability, segregation, and monitoring for backup infrastructure to withstand targeted ransomware attacks
  • Audit Microsoft Teams authentication and correlate ransomware attempts with data exfiltration for threat actor tactics
  • Investigate PyPI environments for contaminated packages and restrict third-party installations to verified repositories
  • Harden IoT device networks by scanning for ADB exposure and immediately patching all exposed endpoints
  • Flag and isolate outdated Node.js/vm2 workloads, prioritizing those that process untrusted user code

What We’re Watching

Ongoing monitoring will focus on perimeter device exploits, SaaS abuse via phishing and token theft, emerging supply-chain malware, and the resilience of backup systems in ransomware scenarios. Visibility into IoT fleet security, developer pipeline exposure, and rapid patch adoption in open-source components will remain top priorities for defenders facing increasingly sophisticated adversaries.



Categories: Cybersecurity Blog, Cybersecurity News
