News

Rising Credential Theft & Supply Chain Risks

Written by Digital Frontier Partners | 20 January 2026 12:52:25 AM

This week’s developments highlight an increasingly challenging security environment for Australian organisations. Threat actors are shifting toward scalable, low‑friction attack methods—such as credential hijacking via malicious browser extensions, QR‑code–based phishing, and automated botnet activity—while simultaneously exploiting high‑severity software flaws across email gateways, workflow automation tools, Git services, and industrial control systems. For business leaders, the message is clear: traditional security perimeters are no longer enough. Protecting the organisation now requires deeper visibility across endpoints, cloud services, and third‑party components, supported by disciplined patching and robust identity security.

The Threats at the Gates

Organisations worldwide—and increasingly across Australia—faced a surge in credential theft, malware delivery, and supply chain compromise.

North Korea’s Kimsuky group escalated QR‑code phishing (“quishing”) campaigns, using malicious QR codes embedded in emails to harvest cloud identity tokens and bypass URL filtering. Russian group APT28 continued targeting credentials via spoofed Outlook and Google login portals, while China‑linked UAT‑7290 breached telecom providers by exploiting edge‑device vulnerabilities and deploying Linux implants such as RushDrop and SilentRaid.

Sectors like hospitality experienced tailored attacks through the ClickFix campaign, which leveraged fake Booking.com cancellation emails and even a fabricated Blue Screen of Death to deploy DCRat. In Brazil, the Astaroth banking worm spread rapidly through compromised WhatsApp contact lists.

Supply chain compromise remained a major theme. Attackers injected NodeCordRAT into npm libraries, hijacked legitimate Chrome extension namespaces to harvest ChatGPT conversations from more than 900,000 users, and leveraged the React2Shell (CVE‑2025‑55182) flaw within Next.js to facilitate botnet‑driven cryptomining and Mirai deployment.

Critical vulnerabilities in email gateways, workflow automation platforms, industrial controllers, and Git hosting systems underscore the urgent need for vulnerability management and asset hardening across IT and OT environments.

Software Vulnerabilities and Patch Advisories

This week’s patching actions spanned cloud platforms, enterprise tools, open‑source projects, and industrial control systems:

  • Microsoft Patch Tuesday resolved 112 CVEs, including an actively exploited Desktop Window Manager zero‑day (CVE‑2026‑20805) and two critical NTFS RCE flaws.
  • Cisco AsyncOS Zero‑Day RCE (CVE‑2025‑20393)—used since late 2025—received urgent fixes.
  • Palo Alto GlobalProtect addressed a new high‑severity DoS vulnerability (CVE‑2026‑0227).
  • FortiSIEM (CVE‑2025‑64155): A command‑injection flaw is now actively exploited, prompting interim guidance to restrict exposed ports.
  • n8n Workflow Automation: A CVSS 10.0 RCE vulnerability allows full takeover of unpatched instances.
  • Node.js (CVE‑2025‑59466) resolved an async_hooks denial‑of‑service flaw.
  • Gogs Git Hosting (CVE‑2025‑8110) is under real‑world exploitation via path traversal in the repository editor.
  • ICS vendors including AVEVA, Delta Electronics, Schneider Electric, Rockwell, and Siemens released multiple critical advisories affecting energy, water, and manufacturing systems.

Australian organisations—especially those operating critical infrastructure—should prioritise rapid patch adoption, enforce network segmentation, and verify least‑privilege access for all administrative accounts.

Emerging Malware Frameworks and Campaigns

New malware families and updated frameworks demonstrated increasing sophistication:

  • VoidLink: A modular Linux toolkit with kernel‑level evasion targeting container and cloud environments.
  • PLUGGYAPE: A Python backdoor deployed via fake charity lures on Signal and WhatsApp.
  • SHADOW#REACTOR: A fileless payload chain using entirely text‑based delivery via VBScript and PowerShell to load Remcos RAT.
  • Agent Tesla, CryptBot, Lumma Stealer: Delivered through c‑ares DLL side‑loading.
  • GoBruteforcer: Targeted >50,000 Linux servers using AI‑generated default credentials.
  • Mustang Panda’s LOTUSLITE: A spear‑phishing backdoor using DLL side‑loading.

Botnets continued to expand capacity and monetisation models:

  • Kimwolf and AISURU now control over two million Android devices, repurposing them as residential proxies.
  • GhostPoster and HR‑targeting malicious Chrome extensions collectively reached over 840,000 installs, exfiltrating authentication tokens and blocking access to security settings.

State‑Sponsored and Organised Cyber Threats

Multiple APT groups increased operational tempo:

  • Mustang Panda targeted U.S. policy organisations using politically themed phishing with LOTUSLITE malware.
  • UAT‑8837 and UAT‑9686 exploited zero‑days in Sitecore and Cisco AsyncOS to infiltrate North American enterprise networks.
  • Void Blizzard (Russia) deployed PLUGGYAPE against Ukrainian defence entities.
  • Taiwan observed a 6% increase in daily attacks on healthcare and energy operators by Chinese groups including Flax Typhoon.
  • Intelligence agencies warn of heightened nation‑state activity targeting Winter Olympics infrastructure and attendees.

Australian critical‑infrastructure operators should watch for indicators linked to these groups and reinforce patching, monitoring, and phishing defences across operational environments.

Phishing, Social Engineering and Fraud Operations

Criminal groups expanded their use of deceptive techniques:

  • Kimsuky quishing bypasses traditional email scanning by shifting malicious links into QR codes.
  • MEXC API Automator and other malicious browser extensions automatically generated withdrawal‑enabled API keys for cryptocurrency platforms.
  • Pig‑butchering fraud kits sold via Southeast Asian criminal networks offer turnkey playbooks, pre‑registered identities, payment processors, and CRM systems.
  • Tycoon2FA phishing‑as‑a‑service campaigns surged, spoofing Office 365 domains and defeating code‑ and push‑based MFA by relaying the victim's login through an adversary‑in‑the‑middle reverse proxy that captures the resulting session cookie.

Mitigation strategies include enforcing FIDO2‑grade (phishing‑resistant) MFA, which a reverse proxy cannot replay because the credential is bound to the legitimate origin; blocking unvetted browser extensions; alerting on API‑key creation that grants withdrawal rights; and decoding QR codes in inbound mail so the embedded URL is scanned like any ordinary link.
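As an added illustration of two of those mitigations (alerting on withdrawal‑enabled API keys and on OAuth consent grants to unvetted apps), the following detection logic runs over newline‑delimited JSON audit events. This is example code written for this page, not tooling from any vendor named above; the event names, field names, the approved‑client sets and the sample log lines are all constructed assumptions and would need to be mapped onto the real schema of your exchange or identity provider.

```python
"""Detection rules for withdrawal-enabled API keys and risky OAuth consents.

Added example, not code from the original article. Event shapes, field names,
allowlists and sample lines are constructed; adapt them to your real audit log.
"""
import json
from dataclasses import dataclass

# Assumption: OAuth client IDs the organisation has reviewed and approved.
APPROVED_OAUTH_CLIENTS = {"corp-payroll-sync", "corp-helpdesk-bot"}
# Assumption: the only User-Agent permitted to mint withdrawal-enabled keys
# (a treasury automation host). A browser extension will never match it.
TRUSTED_KEY_CREATORS = {"treasury-ops-bot/1.2"}
# Scopes that together give a consented app a persistent mailbox foothold.
HIGH_RISK_SCOPES = {"offline_access", "mail.read"}


@dataclass(frozen=True)
class Alert:
    rule: str
    user: str
    detail: str


def check_event(ev: dict) -> list[Alert]:
    """Return the alerts a single audit event raises (possibly none)."""
    alerts: list[Alert] = []
    kind = ev.get("event")
    user = ev.get("user", "?")

    if kind == "api_key.created":
        perms = set(ev.get("permissions", []))
        if "withdraw" in perms:
            ua = ev.get("user_agent", "")
            if ua not in TRUSTED_KEY_CREATORS:
                alerts.append(Alert("withdraw_key_untrusted_client", user,
                                    f"key={ev.get('key_id')} ua={ua!r}"))
            if not ev.get("ip_allowlist"):
                # A withdrawal key with no IP pinning is usable from anywhere.
                alerts.append(Alert("withdraw_key_no_ip_allowlist", user,
                                    f"key={ev.get('key_id')}"))

    elif kind == "oauth.consent_granted":
        client = ev.get("client_id", "")
        scopes = set(ev.get("scopes", []))
        if client not in APPROVED_OAUTH_CLIENTS:
            alerts.append(Alert("consent_unapproved_app", user,
                                f"client={client} scopes={sorted(scopes)}"))
        if HIGH_RISK_SCOPES <= scopes:
            alerts.append(Alert("consent_persistent_mailbox_access", user,
                                f"client={client}"))
    return alerts


def scan(log_lines: list[str]) -> list[Alert]:
    """Run every rule over newline-delimited JSON events; skip malformed lines."""
    found: list[Alert] = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # do not let one bad line stop the pipeline
        found.extend(check_event(ev))
    return found


# Constructed sample events (not real logs): a benign trade-only key, a key
# minted through a browser with withdrawal rights and no IP pinning, an
# approved consent, and a consent to an unknown app wanting persistent mail.
SAMPLE_LOG = [
    '{"event":"api_key.created","user":"alice","key_id":"k1","permissions":["trade"],"user_agent":"Mozilla/5.0","ip_allowlist":[]}',
    '{"event":"api_key.created","user":"bob","key_id":"k2","permissions":["trade","withdraw"],"user_agent":"Mozilla/5.0 Chrome/131 ext/api-automator","ip_allowlist":[]}',
    '{"event":"oauth.consent_granted","user":"carol","client_id":"corp-payroll-sync","scopes":["user.read"]}',
    '{"event":"oauth.consent_granted","user":"dave","client_id":"app-7f3a","scopes":["offline_access","mail.read","user.read"]}',
    "not json at all",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"[{a.rule}] user={a.user} {a.detail}")
```

Run against the constructed sample, the two benign events produce nothing, while the withdrawal key and the unknown‑app consent each raise two alerts; in production the same rules would feed a SIEM correlation on the user and the source IP rather than just print.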

Supply Chain and Third‑Party Component Risks

This week’s major supply chain developments include:

  • n8n npm supply chain attack: Eight malicious community nodes—including a fake Google Ads integration—stole OAuth tokens from over 4,000 downloads.
  • AWS CodeBuild misconfiguration (“CodeBreach”): Raised concerns around unauthenticated code injection into AWS‑managed GitHub repositories.
  • zlib (CVE‑2026‑22184): A critical buffer‑overflow affects countless applications dependent on the widely used compression library.

Australian organisations should verify the origin of third‑party software, audit CI/CD configurations regularly, and prioritise updates to foundational libraries.
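One concrete form of "verify the origin of third‑party software" is auditing the npm lockfile an n8n deployment (or any Node project) is built from. The script below is an added example written for this page, not n8n's or npm's own tooling: it checks that every package resolves over HTTPS to the expected registry host, that the tarball path actually names the package and version the lockfile claims, that a strong integrity hash is present, and that any package following the `n8n-nodes-*` community‑node naming convention appears on an explicit allowlist. The registry host, the allowlist and the embedded lockfile are constructed assumptions; the `n8n-nodes-google-ads-sync` entry is a made‑up name standing in for an unapproved community node, not the real package from the incident.

```python
"""Lockfile provenance audit (package-lock.json v2/v3 'packages' layout).

Added example, not code from the original article, n8n or npm. Registry host,
allowlist and SAMPLE_LOCK are constructed assumptions.
"""
from urllib.parse import urlparse

# Assumption: the only host installs may resolve to (replace with an internal
# mirror if you run one). Registry tarballs live at /<name>/-/<base>-<ver>.tgz
TRUSTED_REGISTRY_HOST = "registry.npmjs.org"
# Assumption: community nodes that have been reviewed; any other package
# named n8n-nodes-* is flagged.
ALLOWED_COMMUNITY_NODES = {"n8n-nodes-internal-crm"}


def package_name(lock_key: str) -> str:
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (the installed name)."""
    return lock_key.rsplit("node_modules/", 1)[-1]


def audit_entry(key: str, entry: dict) -> list[tuple[str, str]]:
    """Findings for one lockfile entry as (package, rule[:detail]) tuples."""
    name = package_name(key)
    version = entry.get("version", "")
    resolved = entry.get("resolved", "")
    url = urlparse(resolved)
    findings: list[tuple[str, str]] = []

    # 1. Source must be HTTPS to the trusted registry: no git URLs, no
    #    arbitrary tarball hosts, no http.
    if url.scheme != "https" or url.netloc != TRUSTED_REGISTRY_HOST:
        findings.append((name, f"untrusted_source:{resolved or '<none>'}"))
    else:
        # 2. The tarball path must name the same package and version;
        #    a mismatch means the lockfile was hand-edited or squatted.
        base = name.rsplit("/", 1)[-1]
        if url.path != f"/{name}/-/{base}-{version}.tgz":
            findings.append((name, f"resolved_name_mismatch:{url.path}"))

    # 3. Without a sha512 integrity field npm cannot detect a swapped tarball.
    if not entry.get("integrity", "").startswith("sha512-"):
        findings.append((name, "missing_or_weak_integrity"))

    # 4. Community nodes run inside the n8n process with its credentials;
    #    only reviewed ones may be present.
    if name.rsplit("/", 1)[-1].startswith("n8n-nodes-") and name not in ALLOWED_COMMUNITY_NODES:
        findings.append((name, "unapproved_community_node"))
    return findings


def audit_lockfile(lock: dict) -> list[tuple[str, str]]:
    """Audit every installed package; the root entry and workspace links are skipped."""
    findings: list[tuple[str, str]] = []
    for key, entry in lock.get("packages", {}).items():
        if key == "" or entry.get("link"):
            continue
        findings.extend(audit_entry(key, entry))
    return findings


# Constructed lockfile: one clean allowlisted node, one unapproved community
# node, a git dependency, a registry package lacking integrity, and a
# typo-squatted tarball path.
SAMPLE_LOCK = {
    "name": "n8n-custom-nodes", "lockfileVersion": 3,
    "packages": {
        "": {"name": "n8n-custom-nodes"},
        "node_modules/n8n-nodes-internal-crm": {
            "version": "1.4.0",
            "resolved": "https://registry.npmjs.org/n8n-nodes-internal-crm/-/n8n-nodes-internal-crm-1.4.0.tgz",
            "integrity": "sha512-AAAA"},
        "node_modules/n8n-nodes-google-ads-sync": {
            "version": "0.1.2",
            "resolved": "https://registry.npmjs.org/n8n-nodes-google-ads-sync/-/n8n-nodes-google-ads-sync-0.1.2.tgz",
            "integrity": "sha512-BBBB"},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "git+https://github.com/example/left-pad.git#deadbeef"},
        "node_modules/lodash": {
            "version": "4.17.21",
            "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz"},
        "node_modules/request": {
            "version": "2.88.2",
            "resolved": "https://registry.npmjs.org/requset/-/requset-2.88.2.tgz",
            "integrity": "sha512-CCCC"},
    },
}

if __name__ == "__main__":
    for pkg, rule in audit_lockfile(SAMPLE_LOCK):
        print(f"{pkg}: {rule}")
```

Wire this into CI so a lockfile change that introduces a non‑registry source, drops an integrity hash or adds an unlisted community node fails the build before `npm ci` runs; the allowlist then becomes the reviewed record of which community nodes the deployment is permitted to carry.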

Recommended Business Actions

  1. Prioritise patching for actively exploited vulnerabilities, especially Cisco AsyncOS, FortiSIEM, MongoDB, n8n, and industrial control products.
  2. Harden identity verification by deploying phishing‑resistant MFA and closely monitoring login anomalies, QR‑code use, and OAuth approvals.
  3. Lock down browser extension usage with enterprise‑wide allowlists and session token monitoring.
  4. Segment and monitor OT environments to prevent lateral movement into critical operational systems.
  5. Strengthen supply chain visibility, including SBOM management, CI/CD auditing, and continual dependency verification.
  6. Prepare for human‑layer attacks through staff training and simulated phishing exercises that now incorporate QR‑code lures and cloud‑identity theft scenarios.
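To make action 3 (and the extension‑blocking mitigation in the phishing section) concrete, the following added example, written for this page rather than taken from Google or any vendor above, does two things: it builds a Chrome managed‑policy document that blocks every extension except an allowlist, and it audits an extension inventory for installs that are not allowlisted, sideloaded, or hold the permission combination (cookie or request interception plus broad host access) that lets an extension read session tokens on every site, which is the capability the GhostPoster‑style campaigns abused. `ExtensionInstallBlocklist` and `ExtensionInstallAllowlist` are real Chrome enterprise policy names; the extension IDs, names and the inventory records are constructed, and the inventory shape is an assumption standing in for whatever your browser management console exports.

```python
"""Chrome extension allowlist policy plus inventory audit.

Added example, not code from the original article or from Google. The policy
keys are real Chrome enterprise policies; IDs, names and inventory records are
constructed, and the inventory format is an assumption.
"""
import json
import re

EXT_ID = re.compile(r"[a-p]{32}")  # Chrome extension IDs: 32 chars from a-p

# Assumption: vetted extensions (constructed IDs, not real ones).
ALLOWLIST = {
    "abcdefghijklmnopabcdefghijklmnop": "Corporate password manager",
}
# API permissions that expose cookies or can intercept/inject requests.
TOKEN_REACH_PERMS = {"cookies", "webRequest", "webRequestBlocking", "debugger"}
# Host patterns that cover every site.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def build_policy(allowed_ids) -> dict:
    """Deny-all policy with explicit exceptions; rejects malformed IDs."""
    ids = sorted(allowed_ids)
    for eid in ids:
        if not EXT_ID.fullmatch(eid):
            raise ValueError(f"not a Chrome extension id: {eid!r}")
    return {
        "ExtensionInstallBlocklist": ["*"],       # block everything...
        "ExtensionInstallAllowlist": ids,         # ...except these
    }


def policy_json(allowed_ids) -> str:
    """Serialised form to drop into a managed-policy JSON file
    (on Linux, assumption: /etc/opt/chrome/policies/managed/)."""
    return json.dumps(build_policy(allowed_ids), indent=2)


def _looks_like_host(p: str) -> bool:
    # Manifest V2 mixes host patterns into "permissions"; V3 separates them.
    return p == "<all_urls>" or "://" in p


def audit_inventory(inventory: list[dict]) -> list[dict]:
    """Flag extensions that should not be present or can read session tokens."""
    findings = []
    for ext in inventory:
        eid = ext.get("id", "")
        perms = set(ext.get("permissions", []))
        hosts = set(ext.get("host_permissions", [])) | {p for p in perms if _looks_like_host(p)}
        reasons = []
        if eid not in ALLOWLIST:
            reasons.append("not_allowlisted")
        if not ext.get("from_webstore", True):
            reasons.append("sideloaded")
        if perms & TOKEN_REACH_PERMS and hosts & BROAD_HOSTS:
            reasons.append("can_read_session_tokens_on_all_sites")
        if reasons:
            findings.append({"id": eid, "name": ext.get("name", "?"), "reasons": reasons})
    return findings


# Constructed inventory: the allowlisted manager, a store extension with
# cookie + webRequest on every site, and a sideloaded MV2-style extension.
SAMPLE_INVENTORY = [
    {"id": "abcdefghijklmnopabcdefghijklmnop", "name": "Corporate password manager",
     "permissions": ["storage", "tabs"], "host_permissions": ["https://vault.example.com/*"],
     "from_webstore": True},
    {"id": "ponmlkjihgfedcbaponmlkjihgfedcba", "name": "Grammar Helper Pro",
     "permissions": ["cookies", "webRequest", "storage"], "host_permissions": ["<all_urls>"],
     "from_webstore": True},
    {"id": "aaaabbbbccccddddeeeeffffgggghhhh", "name": "HR Portal Assistant",
     "permissions": ["tabs", "*://*/*"], "from_webstore": False},
]

if __name__ == "__main__":
    print(policy_json(ALLOWLIST))
    for f in audit_inventory(SAMPLE_INVENTORY):
        print(f"{f['id']} {f['name']}: {', '.join(f['reasons'])}")
```

The deny‑all‑plus‑allowlist policy stops new installs, but it does not remove what users already have, which is why the inventory audit runs alongside it: anything it flags as holding cookie or request‑interception rights over every site should be treated as a credential‑exposure event for the users who had it, not just an unapproved install.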