Today’s roundup
CVE-2026-1731 fuels ongoing attacks on BeyondTrust remote access products
CISA: Recently patched RoundCube flaws now exploited in attacks
Malicious npm Packages Harvest Crypto Keys, CI Secrets, and API Tokens
MuddyWater Targets MENA Organizations with GhostFetch, CHAR, and HTTP_VIP
Leading Semiconductor Supplier Advantest Hit by Ransomware Attack
University of Mississippi Medical Center Still Offline After Ransomware Attack
Jackpotting Surge Costs Banks Over $20m, Warns FBI
Ukraine says cyberattacks on energy grid now used to guide missile strikes
Ransomware gangs advancing Moscow’s geopolitical aims, Romanian cyber chief warns
Arkanix Stealer pops up as short-lived AI info-stealer experiment
Summary
Threat actors are actively exploiting CVE-2026-1731 (CVSS 9.9), a critical pre-authentication remote code execution flaw in BeyondTrust Remote Support and Privileged Remote Access that lets unauthenticated attackers run system commands. Palo Alto Networks Unit 42 confirms widespread exploitation across multiple sectors and countries, with attackers using custom Python scripts, web shells, and other tooling. CISA has added the CVE to its Known Exploited Vulnerabilities Catalog because of this active exploitation, which includes use in ransomware campaigns.
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a directive to U.S. federal agencies to patch two recently identified Roundcube Webmail vulnerabilities within three weeks, confirming their active exploitation in ongoing attacks.
Cybersecurity researchers have uncovered "SANDWORM_MODE," an active supply chain worm campaign leveraging at least 19 malicious npm packages. This campaign facilitates credential harvesting and cryptocurrency key theft, mimicking prior "Shai-Hulud" attack waves.
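The practical follow-up to a report like this is to check your own dependency tree. The script below is an added example, not code from the researchers or from any npm project: it audits an npm `package-lock.json` (lockfileVersion 2 or 3, which carry a `packages` map) for three things worth triaging after a supply-chain wave: packages matching an indicator list of name and version pairs, packages that npm has flagged with `hasInstallScript` (they run preinstall/install/postinstall hooks at install time), and packages resolved from a host other than the expected registry. The indicator names, the trusted-registry set and the sample lockfile are all constructed for the example; the real package names from the report are not reproduced here, so substitute the vendor-published indicator list before running this against a real repository.

```python
import json
from urllib.parse import urlparse

# Hypothetical indicator list, constructed for this example: package name -> bad versions.
# These are NOT the packages named in the report; replace with a published IOC list.
INDICATORS = {
    "example-left-pad-utils": {"1.0.3"},
    "color-strings-fast": {"2.1.0", "2.1.1"},
}

# Hosts a lockfile entry is expected to resolve from; anything else is reported.
TRUSTED_REGISTRIES = {"registry.npmjs.org"}

# Constructed package-lock.json (lockfileVersion 3) used as the sample input.
SAMPLE_LOCKFILE = """{
  "name": "demo-app",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {"name": "demo-app", "version": "0.0.1", "dependencies": {"left-pad": "^1.3.0"}},
    "node_modules/left-pad": {
      "version": "1.3.0",
      "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz"
    },
    "node_modules/@acme/safe-lib": {
      "version": "0.1.0",
      "resolved": "https://registry.npmjs.org/@acme/safe-lib/-/safe-lib-0.1.0.tgz"
    },
    "node_modules/example-left-pad-utils": {
      "version": "1.0.3",
      "resolved": "https://registry.npmjs.org/example-left-pad-utils/-/example-left-pad-utils-1.0.3.tgz",
      "hasInstallScript": true
    },
    "node_modules/color-strings-fast": {
      "version": "2.0.0",
      "resolved": "https://mirror.example.internal/color-strings-fast-2.0.0.tgz"
    }
  }
}"""


def load_packages(lock_text):
    """Return {install_path: metadata} for every installed package in a v2/v3 lockfile."""
    data = json.loads(lock_text)
    if data.get("lockfileVersion", 1) < 2:
        raise ValueError("lockfileVersion 1 has no 'packages' map; regenerate with npm >= 7")
    # The "" key is the root project itself, not a dependency.
    return {path: meta for path, meta in data["packages"].items() if path}


def package_name(path, meta):
    """npm keys entries by install path; the name is what follows the last node_modules/."""
    return meta.get("name") or path.rsplit("node_modules/", 1)[-1]


def find_indicators(packages, indicators=INDICATORS):
    """Entries whose (name, version) appear in the indicator list."""
    hits = []
    for path, meta in packages.items():
        name, version = package_name(path, meta), meta.get("version")
        if version in indicators.get(name, ()):
            hits.append((path, name, version))
    return hits


def find_install_scripts(packages):
    """npm sets hasInstallScript on packages declaring preinstall/install/postinstall hooks."""
    return [path for path, meta in packages.items() if meta.get("hasInstallScript")]


def find_off_registry(packages, trusted=TRUSTED_REGISTRIES):
    """Entries fetched from a host outside the trusted registry set."""
    out = []
    for path, meta in packages.items():
        resolved = meta.get("resolved")
        if not resolved:
            continue  # bundled or linked entries carry no URL
        if urlparse(resolved).hostname not in trusted:
            out.append((path, resolved))
    return out


def audit(lock_text, indicators=INDICATORS, trusted=TRUSTED_REGISTRIES):
    """Run all three checks and return the findings keyed by check name."""
    pkgs = load_packages(lock_text)
    return {
        "indicators": find_indicators(pkgs, indicators),
        "install_scripts": find_install_scripts(pkgs),
        "off_registry": find_off_registry(pkgs, trusted),
    }


if __name__ == "__main__":
    for check, rows in audit(SAMPLE_LOCKFILE).items():
        print(check)
        for row in rows:
            print("  ", row)
```

An install script or an off-registry URL is not proof of compromise on its own (many legitimate native modules build on install, and private mirrors are common), so treat those two lists as a triage queue; an indicator match, by contrast, should be treated as an incident and the CI secrets reachable from that build rotated.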
The Iranian state-sponsored hacking group MuddyWater, also known as Earth Vetala, Mango Sandstorm, and MUDDYCOAST, has initiated a new campaign, "Operation Olalampo." Since January 26, 2026, the group has targeted organizations and individuals primarily across the Middle East and North Africa (MENA) region, deploying new malware families including GhostFetch, CHAR, and HTTP_VIP.
Advantest, a major Japanese supplier of chip-testing equipment to leading semiconductor manufacturers, has confirmed a ransomware attack and says it has activated its incident response protocols.
The University of Mississippi Medical Center (UMMC) remains offline following a ransomware attack that occurred last Thursday. The medical center is currently engaged in recovery efforts to restore affected systems.
The FBI has issued a Flash alert warning banks about a surge in ATM jackpotting attacks, reporting over $20 million in losses attributed to these incidents in 2025 alone.
Ukrainian cybersecurity officials report a strategic shift in Russian cyberattacks targeting Ukraine’s energy infrastructure. These attacks are increasingly focused on gathering intelligence to guide missile strikes, rather than solely aiming for immediate operational disruption.
Romania's top cybersecurity official has warned that recent ransomware attacks on the nation's critical infrastructure are likely part of a broader Russian hybrid operation aimed at destabilizing Romania.
A new information-stealing malware, Arkanix Stealer, emerged on dark web forums towards the end of 2025. Researchers indicate it was likely an AI-assisted experiment, though its operational lifespan appears to have been short.
Want to dig deeper?
Vulnerabilities
Cyber Groups
| Group | Aliases | Origin |
|---|---|---|
| MuddyWater | Earth Vetala, MERCURY, Static Kitten, Seedworm, TEMP.Zagros, Mango Sandstorm, MUDDYCOAST, TA450 | Iran |
Malware Families