Supply Chain Hijacking, Docker AI Exploits, and NGINX Config Injection

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. Software Supply Chains: The Update Mechanism Crisis

The most severe trend this week is the direct compromise of software distribution infrastructure. Attackers are bypassing code vulnerabilities entirely by poisoning the “pipes” that deliver updates to users.

• Notepad++ Update Hijacking & Lotus Blossom Espionage — State-sponsored actors (Lotus Blossom) breached the hosting infrastructure of Notepad++. By intercepting HTTP update requests, they selectively redirected users to malicious servers to deliver the “Chrysalis” backdoor. This infrastructure-level attack persisted for months, proving that even non-vulnerable software can deliver malware if the delivery channel is insecure.

• eScan Antivirus Update Compromise — In a direct attack on security vendors, threat actors compromised MicroWorld Technologies’ update servers. They replaced the legitimate Reload.exe updater with a signed, malicious binary, effectively using the antivirus agent to deploy multi-stage malware and disable its own remediation capabilities.

• Open VSX Registry Poisoning (GlassWorm) — Attackers compromised a legitimate developer account (oorzc) to push malicious updates to four popular VS Code extensions. These extensions, used for SSH and code formatting, delivered the “GlassWorm” loader, compromising developer environments via the trusted Open VSX registry.

2. AI and Developer Tooling: The New Attack Surface

As AI and development tools become integral to workflows, they are introducing novel “meta-context” injection risks and remote code execution vectors.

• DockerDash: AI Prompt Injection (Ask Gordon) — A critical vulnerability in Docker’s “Ask Gordon” AI assistant allows attackers to achieve RCE via malicious Docker images. By embedding weaponized instructions in the image metadata (LABEL fields), attackers can trick the AI into passing executable commands to the MCP Gateway, effectively turning a passive image scan into host compromise.

• Metro4Shell (CVE-2025-11953) — Unauthenticated attackers are actively exploiting the React Native Metro Server. This RCE vulnerability allows command injection via the /open-url endpoint, turning exposed developer workstations into entry points for the enterprise network.

• n8n Workflow Automation Sandbox Escape (CVE-2026-25049) — A failed patch for a previous vulnerability has resulted in a new critical bypass. Authenticated users can abuse the expression engine to escape the sandbox and execute OS commands, a risk magnified by n8n’s webhook capabilities which can trigger these workflows remotely.

3. Configuration Abuse and “Silent” Traffic Hijacking

Attackers are moving away from noisy exploits toward silent configuration manipulation and logic abuse.

• NGINX Configuration Injection Campaign — In a sophisticated campaign requiring no software vulnerabilities, attackers are injecting malicious location blocks into NGINX configuration files. This logic transparently forwards specific web traffic to attacker-controlled backends while preserving the original request headers, making the hijacking nearly invisible to standard monitoring tools.

• SolarWinds Web Help Desk Deserialization (CVE-2025-40551) — CISA has added this critical RCE to its KEV catalog. The vulnerability allows unauthenticated attackers to execute code via insecure deserialization, confirming active exploitation in the wild.

4. Espionage and Advanced Malware Operations

State-aligned groups are rapidly weaponizing new vulnerabilities and using “fileless” techniques to evade detection.

• APT28 “Operation Neusploit” — Russian military intelligence is actively exploiting the Microsoft Office zero-day (CVE-2026-21509) using WebDAV and COM hijacking to deploy the “MiniDoor” and “PixyNetLoader” implants against European government targets.

• Amaranth-Dragon (WinRAR Exploitation) — China-linked actors are targeting Southeast Asia by weaponizing the WinRAR path traversal flaw (CVE-2025-8088). They use malicious archives to drop payloads into the Windows Startup folder.

• DEAD#VAX Campaign — This campaign utilizes IPFS-hosted VHD (Virtual Hard Disk) files to deliver AsyncRAT. By mounting VHDs, the malware avoids “Mark-of-the-Web” restrictions and executes entirely in memory to evade file-based detection.

Proactive Steps for the Week 

• Verify Supply Chain Integrity: Manually download Notepad++ v8.9.1 and check hashes. For eScan users, do not rely on auto-updates; use the vendor’s manual remediation tool if you updated around Jan 20, 2026.

• Hardening Developer Environments: Patch Docker Desktop to v4.50.0 immediately to kill the AI injection vector. Ensure React Native Metro servers are bound to localhost (127.0.0.1) and blocked from the internet to stop Metro4Shell.

• Audit NGINX Configs: Run a diff check on your NGINX sites-enabled and conf.d files against known good backups to detect unauthorized proxy_pass directives or injected location blocks.

• Patch Critical Infrastructure: Update SolarWinds Web Help Desk to 2026.1 and OpenSSL to the latest 3.x release (e.g., 3.4.4) to address the stack buffer overflow (CVE-2025-15467).

• Block “Disk Image” Attacks: Configure email gateways and endpoint policies to block or quarantine .vhd, .iso, and .img file attachments, as they are the primary vector for the DEAD#VAX campaign.

• Isolate n8n Instances: Update to v2.5.2+ and restrict network access to n8n webhooks, as the sandbox is currently a high-risk entry point.