36 Malicious npm Packages Target Guardarian Infrastructure via Strapi Plugins

A coordinated supply chain attack involving 36 malicious npm packages targeted the cryptocurrency platform Guardarian to steal database credentials and wallet keys. The campaign exploited Redis and Docker vulnerabilities to deploy persistent, fileless backdoors on production Strapi CMS servers.

**If you use Strapi, immediately audit your node_modules for any of these 36 malicious packages: legitimate Strapi plugins are always scoped under @strapi/, so any unscoped strapi-plugin-* package should be treated as suspicious and removed. If any were installed, assume full compromise: rotate all credentials, secrets, and keys, revoke database and API tokens, and investigate your environment for reverse shells or unauthorized cron jobs.**
#cybersecurity #infosec #attack #activeexploit
https://beyondmachines.net/event_details/36-malicious-npm-packages-target-guardarian-infrastructure-via-strapi-plugins-0-y-5-g-3/gD2P6Ple2L
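
One way to run the audit the post describes, as an added example that is not from the original post or the Strapi project: it parses a package-lock.json (v1, v2 or v3 layout) and flags every unscoped package named strapi-plugin-* while ignoring the @strapi/ scope, so each hit is a candidate for manual review. The lockfile below is constructed, and the package names in it are placeholders.

```python
"""Flag unscoped strapi-plugin-* packages recorded in a package-lock.json.

Added example (not the post's or Strapi's own code). Implements the post's
heuristic: official Strapi plugins live under the @strapi/ scope, so an
unscoped package named strapi-plugin-* is a candidate for review.
"""
import json
import re
from pathlib import Path

# Lockfile v2/v3 keys each entry by install path; the package name is the last
# node_modules segment, and a scoped name keeps its "@scope/" prefix.
_PATH_RE = re.compile(r"(?:^|/)node_modules/((?:@[^/]+/)?[^/]+)$")
_UNSCOPED_STRAPI = re.compile(r"^strapi-plugin-[a-z0-9._-]+$")

def _names_from_lock(lock: dict):
    """Yield every package name found in a v1, v2 or v3 lockfile."""
    for path in lock.get("packages", {}):          # v2/v3 flat "packages" map
        m = _PATH_RE.search(path)
        if m:
            yield m.group(1)
    stack = [lock.get("dependencies", {})]          # v1 (and v2 compat) tree
    while stack:
        for name, meta in stack.pop().items():
            yield name
            stack.append(meta.get("dependencies", {}))

def find_suspicious_strapi_packages(lock: dict) -> list[str]:
    """Return sorted unscoped strapi-plugin-* names; @strapi/* never matches."""
    return sorted({n for n in _names_from_lock(lock) if _UNSCOPED_STRAPI.match(n)})

def audit_lockfile(path: str) -> list[str]:
    """Load a package-lock.json from disk and audit it."""
    return find_suspicious_strapi_packages(json.loads(Path(path).read_text()))

# Constructed v3 lockfile for a stand-alone run: one official scoped plugin,
# one unscoped look-alike at top level, one nested under another dependency.
SAMPLE_LOCK = json.loads("""{
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "my-strapi-app"},
    "node_modules/@strapi/plugin-users-permissions": {"version": "5.0.0"},
    "node_modules/strapi-plugin-example-a": {"version": "1.0.3"},
    "node_modules/some-lib": {"version": "1.3.0"},
    "node_modules/some-lib/node_modules/strapi-plugin-example-b": {"version": "0.1.0"}
  }
}""")

if __name__ == "__main__":
    for name in find_suspicious_strapi_packages(SAMPLE_LOCK):
        print("review:", name)
```

Run it against a real lockfile with `audit_lockfile("package-lock.json")`; a hit means the package should be checked against the post's list and your own install history before removal.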

Fortinet Issues Emergency Hotfix for Actively Exploited FortiClient EMS Zero-Day

Fortinet has released an emergency hotfix for an actively exploited critical zero-day vulnerability (CVE-2026-35616) in FortiClient EMS that allows unauthenticated attackers to bypass API security and run arbitrary commands.

**If you use FortiClient EMS versions 7.4.5 or 7.4.6, apply Fortinet's emergency hotfix ASAP. It's being actively exploited and can give attackers full control of your endpoint management server. While you're at it, check your EMS API logs for any signs of unauthorized access or unusual command execution that might indicate you've already been compromised.**
#cybersecurity #infosec #attack #activeexploit
https://beyondmachines.net/event_details/fortinet-issues-emergency-hotfix-for-actively-exploited-forticlient-ems-zero-day-p-2-q-w-2/gD2P6Ple2L

TrueConf Zero-Day Exploited in Targeted Government Attacks

China-nexus attackers exploited a zero-day vulnerability (CVE-2026-3502) in TrueConf's update mechanism to deploy the Havoc C2 framework across Southeast Asian government networks. The flaw allows attackers who compromise an on-premises server to push malicious updates to all connected clients without verification.

**If you use TrueConf for videoconferencing, update all Windows clients to version 8.5.3 immediately. Also check your systems for signs of compromise. Look for files like poweriso.exe or iscsiexe.dll in unexpected folders, and make sure any trueconf_windows_update.exe file has a valid digital signature before allowing it to run.**
#cybersecurity #infosec #attack #activeexploit
https://beyondmachines.net/event_details/trueconf-zero-day-exploited-in-targeted-government-attacks-9-4-c-x-v/gD2P6Ple2L

Critical Citrix NetScaler Vulnerability CVE-2026-3055 Exploited in the Wild

Citrix NetScaler ADC and Gateway are facing active exploitation of a critical memory overread vulnerability, CVE-2026-3055 (CVSS score 9.3), which allows unauthenticated attackers to steal administrative session IDs and sensitive data.

**If you are using NetScaler, this is now urgent - the devices are under attack. If possible, make sure your NetScaler ADC and Gateway appliances are isolated from the internet and accessible from trusted networks only. Then plan an urgent update. Update the firmware to the fixed versions (14.1-66.59, 13.1-62.23, or 13.1-37.262 for FIPS/NDcPP).**
#cybersecurity #infosec #attack #activeexploit
https://beyondmachines.net/event_details/critical-citrix-netscaler-memory-overread-vulnerability-exploited-in-the-wild-l-i-k-1-a/gD2P6Ple2L

F5 Warns of Critical BIG-IP APM Zero-Day Exploited by Nation-State Actors

F5 re-categorized a BIG-IP APM vulnerability (CVE-2025-53521) from a DoS to a critical 9.8 RCE after discovering active exploitation by a nation-state actor using memory-only webshells and lateral movement tools. The flaw allows unauthenticated attackers to execute code and gain full control over network access infrastructure.

**If you have F5 BIG-IP APM devices, if possible make sure they are isolated from the internet and accessible from trusted networks only. Then immediately update to the fixed firmware versions (17.5.1.3, 17.1.3, 16.1.6.1, or 15.1.10.8). If you suspect a device has already been compromised, rebuild it from scratch - don't restore from backups, as they may contain persistent malware. Also, audit for disabled SELinux and unauthorized webshells.**
#cybersecurity #infosec #attack #activeexploit
https://beyondmachines.net/event_details/f5-warns-of-critical-big-ip-apm-zero-day-exploited-by-nation-state-actors-4-j-u-k-9/gD2P6Ple2L

Oracle WebLogic Servers Face Immediate Exploitation of Critical RCE Vulnerabilities

Oracle WebLogic Server is under active attack following the rapid weaponization of CVE-2026-21962, a critical RCE flaw exploited the same day its exploit code was released. Attackers are using automated tools and VPS infrastructure to target both new and legacy vulnerabilities.

**If you're running Oracle WebLogic Server, patch immediately. CVE-2026-21962 is being exploited in the wild on the same day exploit code dropped, and attackers are also chaining older flaws like CVE-2020-14882 and CVE-2017-10271 that still work on unpatched systems. Restrict WebLogic admin console access to internal networks or VPN only, disable protocols you don't need (IIOP, T3), and prioritize getting those patches applied today. These attacks are fully automated, require no login, and give attackers complete control of your server.**
#cybersecurity #infosec #attack #activeexploit
https://beyondmachines.net/event_details/oracle-weblogic-servers-face-immediate-exploitation-of-critical-rce-vulnerabilities-0-0-m-z-c/gD2P6Ple2L

PTC Warns of Imminent RCE Threat in Windchill and FlexPLM Systems

PTC reports a critical RCE vulnerability (CVE-2026-4681) in Windchill and FlexPLM software, leading to emergency warnings from German police due to an imminent threat of exploitation.

**If you're running PTC Windchill or FlexPLM, make sure these systems are isolated from the internet and accessible from trusted networks only. This one is a perfect 10.0 severity with no patch yet, so apply the recommended rewrite rules to block the WindchillGW and WindchillAuthGW servlet paths immediately. Also check your servers for signs of compromise like GW.class, payload.bin, or dpr_*.jsp files, and if you can't apply the workarounds, shut down the affected services until PTC releases an official patch.**
#cybersecurity #infosec #attack #activeexploit
https://beyondmachines.net/event_details/ptc-warns-of-imminent-rce-threat-in-windchill-and-flexplm-systems-8-k-p-i-c/gD2P6Ple2L

Critical Langflow RCE Vulnerability CVE-2026-33017 Exploited Within Hours

Researchers report active exploitation of a critical RCE vulnerability (CVE-2026-33017) in Langflow that allows unauthenticated attackers to execute arbitrary Python code and steal sensitive API keys. The flaw was weaponized within 20 hours of disclosure, targeting exposed AI orchestration pipelines to harvest credentials and environment variables.

**If you're running Langflow, this is urgent. Update immediately to version 1.9.0.dev8 or later to patch CVE-2026-33017, and disable the AUTO_LOGIN=true default setting. Until you can update, restrict network access to the vulnerable endpoint and place Langflow behind a reverse proxy with authentication. Regardless of whether you patch or isolate, make sure to rotate all API keys and credentials the platform uses after isolating.**
#cybersecurity #infosec #attack #activeexploit
https://beyondmachines.net/event_details/critical-langflow-rce-vulnerability-cve-2026-33017-exploited-within-hours-q-n-c-a-6/gD2P6Ple2L

Attackers Exploit Critical Quest KACE SMA Authentication Bypass

Arctic Wolf reports attacks exploiting a critical authentication bypass (CVE-2025-32975) in Quest KACE SMA to gain administrative control and move laterally into domain controllers and backup systems.

**If you are using Quest KACE SMA, this is urgent. Make sure your Quest KACE SMA is off the public internet and behind a VPN immediately. Check your logs for new unknown admin accounts, as these are signs that attackers have already taken over your management system. Then patch ASAP.**
#cybersecurity #infosec #attack #activeexploit
https://beyondmachines.net/event_details/attackers-exploit-critical-quest-kace-sma-authentication-bypass-z-3-u-b-2/gD2P6Ple2L

Critical Microsoft SharePoint RCE Vulnerability CVE-2026-20963 Under Active Exploitation

Microsoft SharePoint is under active exploitation of a critical RCE vulnerability (CVE-2026-20963) that allows unauthenticated attackers to take over servers via a deserialization flaw.

**Your SharePoint servers are under attack. Ideally, isolate them from the internet and make them accessible only from internal networks. Then apply the January 2026 patch ASAP. If you are still using SharePoint 2013 or older, isolate them and upgrade to a newer version. Those old systems are permanently vulnerable.**
#cybersecurity #infosec #attack #activeexploit
https://beyondmachines.net/event_details/critical-microsoft-sharepoint-rce-vulnerability-cve-2026-20963-under-active-exploitation-l-r-5-d-h/gD2P6Ple2L