Today’s roundup
Asian State-Backed Group TGR-STA-1030 Breaches 70 Government, Infrastructure Entities
Nearly 5 Million Web Servers Found Exposing Git Metadata – Study Reveals Widespread Risk of Code and Credential Leaks
U.S. CISA adds SmarterTools SmarterMail and React Native Community CLI flaws to its Known Exploited Vulnerabilities catalog
Compromised dYdX npm and PyPI Packages Deliver Wallet Stealers and RAT Malware
CVE-2025-6978: Arbitrary Code Execution in the Arista NG Firewall
AISURU/Kimwolf Botnet Launches Record-Setting 31.4 Tbps DDoS Attack
Claude Opus 4.6 Finds 500+ High-Severity Flaws Across Major Open-Source Libraries
Romania’s oil pipeline operator confirms cyberattack as hackers claim data theft
Spain's Ministry of Science shuts down systems after breach claims
Ransomware gang uses ISPsystem VMs for stealthy payload delivery
Summary
Palo Alto Networks Unit 42 identified TGR-STA-1030, an Asian state-backed cyber espionage group, breaching 70 government and critical infrastructure organizations across 37 countries over the past year. The group also conducted active reconnaissance against 155 government infrastructures.
A Mysterium VPN study found nearly 5 million public web servers exposing Git repository metadata, with 250,000 leaking active deployment credentials via `.git/config` files. This widespread misconfiguration, concentrated in regions like the US, Germany, and France, enables code theft and credential abuse.
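To make the exposure concrete from a defender's side, here is an added example (not code from the study or from Mysterium VPN) of the two checks a site owner would run: whether a fetched `.git/HEAD` body actually looks like a Git ref, and whether a `.git/config` embeds credentials in a remote URL. The `.git/config` content and host names are constructed for the example; the parser is a deliberately small reader of Git's INI-like format and does not cover every syntax Git accepts.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample .git/config; the token and hosts are invented for this example.
SAMPLE_GIT_CONFIG = """\
[core]
    repositoryformatversion = 0
    filemode = true
[remote "origin"]
    url = https://deploy:s3cr3t-token@git.example.invalid/acme/webapp.git
    fetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
    url = git@github.com:acme/webapp.git
[remote "ci"]
    url = https://ci.example.invalid/acme/webapp.git
"""

_SECTION_RE = re.compile(r'^\[([^\]]+)\]$')
# A real .git/HEAD is either a symbolic ref or a bare object id (SHA-1 or SHA-256).
_HEAD_RE = re.compile(r'^(ref: refs/\S+|[0-9a-f]{40}|[0-9a-f]{64})$')


def looks_like_git_head(body):
    """True if an HTTP response body for /.git/HEAD is a plausible Git HEAD file.

    Used to separate genuine exposure from soft-404 pages that return 200 with HTML.
    """
    return bool(_HEAD_RE.match(body.strip()))


def parse_git_config(text):
    """Parse Git's INI-like config into (section, key, value) triples.

    Minimal reader: handles [section] / [section "sub"] headers, key = value
    lines, and # or ; comments. Indented lines are ordinary entries, not
    continuations (which is why configparser is not used here).
    """
    entries = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(('#', ';')):
            continue
        match = _SECTION_RE.match(line)
        if match:
            section = match.group(1).strip()
            continue
        if section is not None and '=' in line:
            key, _, value = line.partition('=')
            entries.append((section, key.strip(), value.strip()))
    return entries


def redact_url(url):
    """Strip userinfo (user:password@) from a URL, keeping host, port and path."""
    parts = urlsplit(url)
    netloc = parts.hostname or ''
    if parts.port:
        netloc = f'{netloc}:{parts.port}'
    return urlunsplit(parts._replace(netloc=netloc))


def find_embedded_credentials(config_text):
    """Return one finding per remote URL that carries userinfo credentials.

    The secret itself is never copied into the finding, only the fact that a
    username (and optionally a password) is embedded and a redacted URL.
    """
    findings = []
    for section, key, value in parse_git_config(config_text):
        if key != 'url':
            continue
        parts = urlsplit(value)
        # scp-style URLs (git@host:path) have no scheme and no userinfo to leak.
        if not parts.scheme or parts.username is None:
            continue
        findings.append({
            'remote': section,
            'username': parts.username,
            'has_password': parts.password is not None,
            'redacted_url': redact_url(value),
        })
    return findings


if __name__ == '__main__':
    for finding in find_embedded_credentials(SAMPLE_GIT_CONFIG):
        print(f"{finding['remote']}: credentials for user "
              f"'{finding['username']}' embedded in {finding['redacted_url']}")
```

Run as a script it reports the `origin` remote and nothing else. In practice the same two functions are applied to responses from your own hosts; the usual fix is a web-server rule that denies any request path containing `/.git/` and a rotation of any token found in a config that was reachable.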
CISA added CVE-2025-11953 (React Native CLI OS Command Injection, "Metro4Shell" actively deploying Rust malware) and CVE-2026-24423 (critical unauthenticated RCE in SmarterTools SmarterMail < build 9511) to its KEV catalog, with a Feb 26, 2026, deadline.
Cybersecurity researchers reported a supply chain attack on npm and PyPI, compromising legitimate packages like `@dydxprotocol/v4-client-js`. Malicious versions were pushed for wallet credential theft and remote code execution, posing a significant risk to developers and crypto users.
A critical command injection vulnerability (CVE-2025-6978) in Arista NG Firewall allows remote, authenticated root RCE. Fixed in version 17.4+, it stems from improper user data validation in the `runTroubleshooting()` method.
The AISURU/Kimwolf DDoS botnet launched a record-setting HTTP DDoS attack, peaking at 31.4 Terabits per second (Tbps) for 35 seconds. Cloudflare detected and mitigated this hyper-volumetric event, part of a Q4 2025 trend.
Anthropic's new LLM, Claude Opus 4.6, discovered over 500 previously unknown high-severity security flaws in open-source libraries (e.g., Ghostscript, OpenSC, CGIF). This demonstrates AI's growing role and improving capability in proactive vulnerability discovery.
Conpet, Romania's national oil pipeline operator, confirmed a cyberattack disrupting its technology infrastructure and website. While oil transport remained unaffected, hackers claimed data theft, highlighting persistent threats to critical national infrastructure.
Spain's Ministry of Science partially shut down its IT systems following data breach claims. The disruption impacts several citizen- and company-facing services, indicating a significant cyber incident affecting government operations.
Ransomware operators are abusing ISPsystem virtual machines (VMs) for stealthy, at-scale hosting and delivery of malicious payloads. This tactic complicates detection and mitigation efforts for organizations, presenting new challenges in defending against ransomware.