Patch Discipline and Supply Chain Vigilance in 2026
The new year has opened with a stark reminder: cyber resilience is not just about technology, but about the discipline to patch, the wisdom to segment, and the vigilance to scrutinise every link in your supply chain. This week’s threat landscape shows that attackers are thriving on old vulnerabilities, creative phishing, and the weakest points in digital ecosystems. For Australian organisations, the challenge is to turn security fundamentals into a business advantage.
The Threats at the Gates
Attackers are exploiting a mix of long-standing flaws, fresh supply chain compromises, and industrial vulnerabilities. The MongoDB zlib compression bug (CVE-2025-14847) is being actively exploited, leaking in-memory data including credentials from thousands of exposed servers. A five-year-old Fortinet SSL VPN 2FA bypass (CVE-2020-12812) remains unpatched on thousands of devices, offering attackers an easy route in. The Shai-Hulud campaign has trojanised npm packages and a Trust Wallet browser extension, resulting in millions in stolen cryptocurrency. GlassWorm has evolved to target macOS developers via compromised VS Code extensions, while ransomware groups like Qilin continue to harvest sensitive healthcare records. Advanced phishing tactics are on the rise, with attackers abusing cloud platforms and forging attachments to bypass traditional defences. Meanwhile, the RondoDox botnet is exploiting React2Shell to conscript IoT and web servers into cryptomining and Mirai deployments, and ICS/medical devices are exposed to remote-code-execution risks. Kernel-mode rootkits and browser-extension espionage round out a week that demands decisive patching, segmentation, strong authentication, and rigorous supply chain monitoring.
Vulnerabilities and Exploit Developments: The Crumbling Bridges
- MongoDB Remote Data Leak (CVE-2025-14847): A flaw in zlib-compressed wire-protocol handling lets an unauthenticated client read server memory, which can contain credentials and live document data. Over 87,000 internet-exposed instances are being targeted. Upgrade to a fixed release, remove zlib from the enabled network compressors if it is not needed, and make sure mongod is not bound to a public interface without authentication.
- Fortinet SSL VPN 2FA Bypass (CVE-2020-12812): Changing the case of a username (an issue for LDAP-backed accounts) lets a user log in without being prompted for the second factor; thousands of devices remain exposed. Patch to the latest supported FortiOS, restrict access to the management interface, and disable unused VPN interfaces.
- React2Shell (CVE-2025-55182) & RondoDox: A critical remote-code-execution flaw in React Server Components, widely deployed through Next.js, is being mass-scanned by the RondoDox botnet, which drops cryptominers and Mirai variants on vulnerable web servers and IoT devices. Update the affected frameworks, isolate IoT on its own VLANs, and put a web application firewall in front of exposed applications.
- SmarterMail, IBM API Connect, WHILL Bluetooth RCE: Mail server file-upload RCE, API authentication bypass, and proximity control over power chairs. Apply vendor fixes and segment access to admin, API, and Bluetooth interfaces.
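The Fortinet bypass above leaves a hunting signal: the second factor is skipped when the same account authenticates under a different casing of its username. The following Python is an added example written for this page, not vendor code or a FortiGate log parser; the log records are constructed, simplified tuples (assumption: a real deployment would map FortiGate event fields into this shape first). It flags successful logins with no second-factor step whose username differs only in case from a spelling that did complete 2FA, and separately lists accounts seen under more than one spelling for environments where the 2FA field is not logged.

```python
"""Hunt for CVE-2020-12812-style 2FA bypass attempts in SSL VPN auth logs.

The bypass works by changing the case of the username, so a successful
login with no second-factor step, on an account whose usual spelling does
complete 2FA, is the signal. Records below are constructed samples, not
the real FortiGate log format (assumption for this example).
"""
from collections import defaultdict

# Constructed sample records: (timestamp, username, result, second_factor_completed)
SAMPLE_LOGS = [
    ("2026-01-05T08:01:10Z", "alice", "success", True),
    ("2026-01-05T08:05:42Z", "alice", "success", True),
    ("2026-01-05T22:14:03Z", "ALICE", "success", False),  # case variant, no 2FA
    ("2026-01-05T22:15:11Z", "Alice", "success", False),  # second variant, no 2FA
    ("2026-01-06T09:00:00Z", "bob", "success", True),
    ("2026-01-06T09:00:30Z", "bob", "failed", False),     # failed login: not a bypass
    ("2026-01-06T10:00:00Z", "carol", "success", False),  # never uses 2FA: policy gap, not bypass
]


def find_case_variant_logins(records):
    """Return records that look like the bypass: a successful login without a
    second factor, under a spelling that differs only in case from a spelling
    of the same account that did complete 2FA."""
    passed_2fa = defaultdict(set)  # lowercase name -> spellings that completed 2FA
    for _ts, user, result, mfa in records:
        if result == "success" and mfa:
            passed_2fa[user.lower()].add(user)

    suspicious = []
    for ts, user, result, mfa in records:
        key = user.lower()
        if (result == "success" and not mfa
                and key in passed_2fa and user not in passed_2fa[key]):
            suspicious.append({
                "time": ts,
                "user": user,
                "canonical": sorted(passed_2fa[key]),
            })
    return suspicious


def accounts_with_case_variants(records):
    """Weaker signal for logs that do not record the 2FA step: accounts that
    authenticated successfully under more than one casing of their name."""
    spellings = defaultdict(set)
    for _ts, user, result, _mfa in records:
        if result == "success":
            spellings[user.lower()].add(user)
    return {k: sorted(v) for k, v in spellings.items() if len(v) > 1}


if __name__ == "__main__":
    for hit in find_case_variant_logins(SAMPLE_LOGS):
        print("possible 2FA bypass:", hit)
    print("accounts with case variants:", accounts_with_case_variants(SAMPLE_LOGS))
```

The first function is the high-confidence rule; the second is the fallback when your VPN logs only record the primary authentication outcome. Either way, a hit means the account should be treated as compromised until the device is patched and the session reviewed.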
Supply Chain and Open-Source Attack Vectors: The Weakest Links
- Shai-Hulud Campaign: Trojanised npm packages and a compromised Trust Wallet Chrome extension exfiltrated wallet mnemonics, with millions lost. Rotate tokens, reinstall extensions from official sources, and audit packages and CI/CD permissions.
- GlassWorm on macOS: Poisoned VS Code/OpenVSX extensions steal developer credentials and tamper with wallet tools. Whitelist extensions, enforce code-signing, reset credentials, and hunt for unauthorised processes.
- Gogs Zero-Day Bypass: Symbolic-link validation bypass leading to RCE across hundreds of self-hosted Git servers. Limit internet exposure, disable open registration, and monitor repository activity.
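A trojanised npm package needs a way to run its payload on the developer's machine or in CI, and the usual hook is an install-time lifecycle script that fires during `npm install`. The Python below is an added example for this page, not code from any of the campaigns or projects named above; it walks an installed `node_modules` tree and reports every package that declares a `preinstall`, `install`, `postinstall` or `prepare` script. The package tree it scans is constructed inside a temporary directory so the script runs offline (assumption: this is a generic audit, not a signature for Shai-Hulud; the package names are made up).

```python
"""Audit an installed node_modules tree for install-time lifecycle hooks.

Lifecycle scripts are the point at which a trojanised dependency gets code
execution during `npm install`, so inventorying them is the first step of a
package audit. Generic check, not a campaign signature. The sample tree is
constructed for this example.
"""
import json
import os
import tempfile

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Constructed package manifests: package name -> package.json contents.
SAMPLE_TREE = {
    "left-pad-ish": {"name": "left-pad-ish", "version": "1.0.0"},
    "native-addon": {"name": "native-addon", "version": "2.1.0",
                     "scripts": {"install": "node-gyp rebuild"}},   # legitimate use
    "@scope/helper": {"name": "@scope/helper", "version": "0.3.2",
                      "scripts": {"postinstall": "node bundle.js"}},  # the kind of hook to review
}


def write_sample_tree(root, tree=SAMPLE_TREE):
    """Lay out <root>/node_modules/<name>/package.json for each manifest."""
    for name, manifest in tree.items():
        pkg_dir = os.path.join(root, "node_modules", *name.split("/"))
        os.makedirs(pkg_dir, exist_ok=True)
        with open(os.path.join(pkg_dir, "package.json"), "w") as f:
            json.dump(manifest, f)


def scan_node_modules(root):
    """Return one finding per package.json under node_modules that declares an
    install-time hook. Nested node_modules of dependencies are walked too."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(os.path.join(root, "node_modules")):
        if "package.json" not in filenames:
            continue
        with open(os.path.join(dirpath, "package.json")) as f:
            try:
                manifest = json.load(f)
            except json.JSONDecodeError:
                continue  # not a manifest npm would act on
        scripts = manifest.get("scripts") or {}
        hooks = {h: scripts[h] for h in LIFECYCLE_HOOKS if h in scripts}
        if hooks:
            findings.append({
                "name": manifest.get("name", dirpath),
                "version": manifest.get("version"),
                "hooks": hooks,
            })
    return sorted(findings, key=lambda item: item["name"])


def demo_scan():
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        write_sample_tree(root)
        return scan_node_modules(root)


if __name__ == "__main__":
    for finding in demo_scan():
        print(f"{finding['name']}@{finding['version']}: {finding['hooks']}")
```

Every hook in the report should be explained by a known need such as a native build; an unexplained `postinstall` that runs a bundled script is exactly what to pull apart. Setting `ignore-scripts=true` in `.npmrc` for CI runners stops these hooks from executing at all, at the cost of having to build native modules explicitly.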
Malware and Advanced Threat Actor Operations: The Saboteurs Within
- Transparent Tribe (APT36): ZIP/LNK spear-phishing invokes legacy Windows utilities to load RAT payloads in memory, with new variants adding obfuscation. Disable legacy utilities, sandbox attachments, and block known command-and-control infrastructure.
- Mustang Panda: Stolen certificate installs a kernel-mode driver to drop a persistent backdoor. Validate driver signatures, deploy kernel integrity monitoring, and enhance memory forensics.
- Silver Fox / ValleyRAT: Tax-themed phishing uses DLL hijacking to disable Windows Update and maintain persistence. Enforce application whitelisting, block impostor infrastructure, and ensure OS update controls are protected.
- RondoDox & DarkSpectre: Mass exploitation via React2Shell and large-scale browser-extension hijacks affecting millions of users. Patch web stacks promptly and standardise extension vetting.
Data Breaches and Ransomware Attacks: What’s at Stake
- Healthcare: Qilin accessed Covenant Health systems, exposing nearly half a million patient records. Harden remote access, segment networks, maintain offline backups, and rehearse ransomware playbooks.
- Crypto & Wallets: Trust Wallet extension compromise drained millions; ongoing thefts linked to legacy password reuse. Enforce strong, unique passwords, require passkeys for wallet operations, and monitor for anomalous transactions.
- Local Impact: Murray Irrigation in NSW accidentally exposed sensitive landholder and property data via a cloud platform, prompting an investigation and lockdown. Tighten SaaS data-sharing controls and audit public dashboards.
Phishing and Credential Theft Campaigns: Identity is the New Perimeter
Attackers abused cloud platforms to send thousands of phishing emails from trusted-looking senders, routing victims through genuine infrastructure to fake login pages and OAuth consent prompts that grant an attacker-controlled application access to the victim's account. Malicious npm packages served credential-harvesting lures with obfuscation and bot filtering. Across the region, APT36 continued spear-phishing tactics that adapt to the antivirus product present on the host. Enforce phishing-resistant MFA, review and restrict which OAuth applications users may consent to, validate email sources, block shortcut (LNK) attachments that launch scripts, and continuously monitor open-source dependencies.
Security Advisories and Alerts: Priorities for the Week
- Fortinet SSL VPN: Patch immediately; thousands still exposed.
- MongoDB: Patch, or disable zlib compression where patching is delayed; confirm exposure is closed ahead of the January 2026 remediation deadlines.
- IBM API Connect, SmarterMail: Apply vendor fixes; restrict self-service sign-up.
- ICS/Medical Devices: Segment networks and patch per vendor advisories.
- React2Shell / RondoDox: Update frameworks, deploy WAF, and tighten process monitoring.
Building a Resilient City: Business Actions
- Patch with Purpose: Prioritise actively exploited flaws and track closure.
- Harden Identity: Move to phishing-resistant MFA, enforce conditional access, and rotate high-risk tokens.
- Control the Supply Chain: Maintain a live inventory, lock down CI/CD permissions, whitelist extensions, and scan for malicious packages.
- Segment and Monitor: Isolate OT/IoT, restrict admin/API surfaces, deploy EDR with kernel integrity checks, and monitor cloud-storage and blockchain usage.
- Prepare for Failure: Test ransomware playbooks, verify offline backups, and rehearse third-party breach response.
Final Word: Make Cyber Resilience a Board Metric
This week’s lesson is clear: speed and discipline in patching, identity management, and supply chain oversight are now board-level concerns. The organisations that measure and improve these areas are the ones best positioned to withstand the next wave of cyber threats.