The latest week in cybersecurity underscores the persistent threats targeting software supply chains, IoT devices, mobile platforms, and enterprise infrastructure. Threat actors continue to exploit newly disclosed vulnerabilities within hours, while law enforcement takes aim at criminal networks operating across the dark web.
Supply Chain Attack Hits Trivy Vulnerability Scanner
Attackers have compromised Trivy, a widely used open-source vulnerability scanner, injecting credential-stealing malware into official releases and CI/CD workflows. The breach has sparked secondary compromises, creating a self-propagating worm dubbed CanisterWorm. Trivy, maintained by Aqua Security, is leveraged by thousands of projects and Docker images, highlighting the high impact of supply chain attacks in modern development pipelines.
IoT Botnets Disrupted by U.S. Authorities
A coordinated operation by the U.S. Department of Justice dismantled four major Mirai-based IoT botnets—AISURU, Kimwolf, JackSkid, and Mossad—which collectively controlled over 3 million devices including routers, IP cameras, and DVRs. These botnets were used to execute massive DDoS attacks, targeting U.S. Department of Defense systems and other high-value networks. While no arrests have been publicly reported, investigators identified key operators in Canada and Germany.
Fast-Moving Vulnerability Exploits
- Langflow (CVE-2026-33017) – A critical flaw allowing unauthenticated code injection was exploited within 20 hours of public disclosure. Attackers used the vulnerability to exfiltrate sensitive data from cloud systems.
- Cisco FMC (CVE-2026-20131) – Interlock ransomware leveraged this zero-day to remotely execute Java code as root on affected firewalls, gaining a head start before public patches were available.
- iOS DarkSword Exploit Kit – Targeted users in Ukraine, Saudi Arabia, Turkey, and Malaysia via six previously undocumented iOS vulnerabilities. Devices with Lockdown Mode or iPhone 17 MIE protections remained unaffected.
Mobile Threats and Malware Campaigns
- Perseus Malware – This Android malware masquerades as IPTV apps to steal banking credentials and monitor personal note-taking apps, primarily targeting Turkey and Italy.
- VoidStealer – A Chrome-based infostealer now uses a debugger-based Application-Bound Encryption bypass to extract sensitive browser data without privilege escalation.
Social Engineering and Fraud Operations
- WhatsApp Usernames – WhatsApp is testing a privacy-focused username system to replace phone numbers, expected globally by June 2026.
- Southeast Asia Scam Centers – The FBI, in collaboration with Thai authorities, shut down multiple scam operations exploiting vulnerable workers for cyber fraud, money laundering, and forced scams.
- Energy Sector Phishing (Pakistan) – Targeted attacks deployed malicious PDFs and ClickOnce applications to compromise operations personnel, delivering the Havoc Demon C2 framework.
Open Directories and Threat Actor Activity
- APT28 Exposed SquirrelMail Tools – Open directories revealed XSS payloads and stolen credentials from government and military mailboxes across Eastern Europe.
- Beast Ransomware Infrastructure – Analysis uncovered tools for network reconnaissance, credential harvesting, lateral movement, and exfiltration, highlighting the sophistication of modern ransomware-as-a-service (RaaS) operations.
Emerging Cybersecurity Trends
- Malicious npm Packages – Packages like sbx-mask and touch-adv steal developer secrets via post-install scripts, emphasizing the risks of hijacked publisher accounts.
- Post-Quantum Cryptography in China – Reports indicate China plans to develop national PQC standards within three years, paralleling U.S. initiatives aimed at industry-wide adoption by 2035.
- Tycoon2FA Residual Threats – While law enforcement disrupted the phishing-as-a-service platform, live CAPTCHA pages continue to operate on secondary infrastructure.
Tools for Security Professionals
- MESH – A peer-to-peer encrypted platform for mobile forensics and network monitoring over Android/iOS devices, resistant to firewalls and CGNAT.
- enject – A Rust-based tool for protecting .env secrets during development, ensuring credentials are decrypted in-memory only and never written to disk.