Update: PackageGate Highlights New Ways to Slip Past NPM Supply-Chain Safeguards
Security researchers at Koi are using the name “PackageGate” to describe six newly reported weaknesses in JavaScript package managers that can undermine two defenses many teams rely on after the 2025 npm supply-chain incidents: disabling install-time scripts and pinning dependencies with lockfiles. This is not evidence of a new Shai-Hulud-style outbreak, but it does show that the controls many teams adopted afterward do not fully prevent install-time code execution in all dependency scenarios. The most concerning scenario centers on Git-based dependencies, where a repository can carry configuration that influences how the package manager performs Git operations during install, creating an opening for code execution even when teams believe scripts are blocked. The same research describes additional issues across pnpm, vlt, and Bun, and notes that several vendors shipped fixes, while npm’s response treated at least one reported behavior as expected. For leadership, the key takeaway is that using ignore-scripts and committed lockfiles is still a strong baseline, but it is not a complete supply-chain control when Git-based dependencies or other external sources are permitted, since those paths can bypass expected safeguards unless they are tightly governed and monitored. This is especially relevant for CI pipelines, where installs run automatically, often with high privileges and access to credentials. The practical risk is that a single risky dependency path can turn a routine build into a compromise, with attackers aiming to steal developer tokens, publish credentials, and expose build secrets that enable broader downstream impact. The research also highlights a lockfile-related concern in some tools: certain remote URL dependencies may be recorded without strong integrity guarantees, allowing the content behind a URL to change without an obvious lockfile change. That creates a realistic path for “clean today, malicious tomorrow” installs that can slip past basic review and scanners that only validate the initial artifact.
Recommendations include keeping lockfiles and script restrictions enabled while reducing exposure by limiting or formally approving Git and URL-based dependencies, blocking install-time configuration overrides from untrusted sources, and tightening CI permissions so installs cannot access long-lived tokens. Add monitoring around dependency installation to alert on unexpected outbound network calls, suspicious file writes, or tooling changes during installs, and prioritize rapid updates of package managers since several fixes have already landed in competing tools. If your organization is heavily dependent on npm, assume the ecosystem remains an active target and treat dependency installs as controlled, logged security events rather than routine developer convenience.
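One way to enforce the "limit or formally approve Git and URL-based dependencies" recommendation in CI is to audit the committed lockfile before any install runs. The script below is an added example, not code from Koi or any package manager; it assumes an npm package-lock.json in the v2/v3 layout, and the approved-host list, package names and hosts in the sample are made up.

```python
import json
from urllib.parse import urlparse

# Assumption for this example: only the public npm registry is pre-approved.
APPROVED_HOSTS = {"registry.npmjs.org"}

def audit_lockfile(lock_text, approved_hosts=APPROVED_HOSTS):
    """Return sorted (package_path, reason) findings for a v2/v3 package-lock.json."""
    findings = []
    for path, meta in json.loads(lock_text).get("packages", {}).items():
        # The root project, workspace links and bundled dependencies carry
        # no download source of their own, so they are skipped.
        if path == "" or meta.get("link") or meta.get("inBundle"):
            continue
        parsed = urlparse(meta.get("resolved", ""))
        if parsed.scheme.startswith("git"):
            findings.append((path, "git source"))
        elif parsed.scheme in ("http", "https"):
            if parsed.hostname not in approved_hosts:
                findings.append((path, "non-registry URL"))
        else:
            findings.append((path, "missing or unexpected source"))
        # Without a recorded hash, the content behind the source can change
        # while the lockfile stays byte-for-byte identical.
        if not meta.get("integrity"):
            findings.append((path, "no integrity hash"))
    return sorted(findings)

# Constructed sample lockfile (names, hosts and hash values are made up).
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/ok-lib": {
            "resolved": "https://registry.npmjs.org/ok-lib/-/ok-lib-1.2.3.tgz",
            "integrity": "sha512-CONSTRUCTED"},
        "node_modules/git-lib": {
            "resolved": "git+ssh://git@git.example/acme/git-lib.git#0123abc"},
        "node_modules/url-lib": {
            "resolved": "https://downloads.example/url-lib-2.0.0.tgz"},
        "node_modules/local-ws": {"resolved": "packages/local-ws", "link": True},
    },
})

if __name__ == "__main__":
    for path, reason in audit_lockfile(SAMPLE_LOCK):
        print(f"{path}: {reason}")
```

Failing the pipeline on any finding that is not on an explicit exception list turns each Git or URL dependency into a reviewed decision.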
Active Exploitation of Mjobtime SQL Injection Exposes Construction Firms
Threat actors are actively targeting construction companies by exploiting a critical SQL injection flaw in Mjobtime, a construction time-tracking platform that runs on Microsoft IIS and relies on a backend Microsoft SQL Server database. The weakness, CVE-2025-51683, enables attackers to send crafted web requests that reach the database layer and escalate into command execution on the underlying server. This incident reinforces a recurring security problem: business applications often install supporting components behind the scenes, and organizations may not realize those components need their own hardening and monitoring. In this case, the “hidden attack surface” is the MSSQL backend, which can become an entry point when exposed through a vulnerable web interface. Researchers observed exploitation activity beginning in February 2025, with additional incidents later in 2025, suggesting sustained attacker interest in this niche but valuable target set. The risk is amplified when the web server and database server run on the same machine, because a single exploit can hand attackers control of both tiers. The observed attack chain starts with a malicious POST request to a specific Mjobtime endpoint that triggers SQL injection, after which attackers attempt to enable xp_cmdshell to run operating system commands through SQL Server. Activity observed during intrusions included basic system discovery, local account enumeration, and outbound connectivity checks to attacker-controlled infrastructure, indicating validation of access and capability rather than immediate data theft. While the documented cases appeared limited in follow-on actions, the underlying capability is severe: once xp_cmdshell is enabled, and the service runs with high privileges, an attacker can pivot to broader compromise paths at will. 
A major operational challenge is that a vendor patch has not been publicly available, leaving defenders dependent on compensating controls rather than a clean remediation. Recommendations include restricting access to Mjobtime with IP allowlisting and strict firewall rules, adding WAF controls to block POST traffic to the vulnerable endpoint, ensuring xp_cmdshell is disabled unless explicitly required, separating IIS and SQL Server onto different systems with tight segmentation, and monitoring IIS logs plus Windows event logs for repeated calls to the endpoint and any xp_cmdshell enablement activity.
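The monitoring recommendation above can be sketched as two small log checks. This is an added example, not tooling from the researchers or the vendor: the endpoint path is a placeholder because the article does not name it, the log lines are constructed, and the threshold is an arbitrary starting value.

```python
import re
from collections import Counter

# Placeholder: the article does not name the vulnerable endpoint.
WATCHED_PATH = "/PLACEHOLDER/vulnerable-endpoint"
# Message SQL Server logs when sp_configure turns the option on.
XP_ENABLED = re.compile(r"Configuration option 'xp_cmdshell' changed from 0 to 1")

def repeated_posts(iis_lines, path=WATCHED_PATH, threshold=3):
    """Return {client_ip: count} for clients with >= threshold POSTs to `path`."""
    fields, counts = [], Counter()
    for line in iis_lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column names for the rows that follow
            continue
        if line.startswith("#") or not line.strip() or not fields:
            continue
        row = dict(zip(fields, line.split()))
        # IIS URL paths are case-insensitive, so compare lowercased.
        if (row.get("cs-method") == "POST"
                and row.get("cs-uri-stem", "").lower() == path.lower()):
            counts[row.get("c-ip", "?")] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

def xp_cmdshell_enabled(sql_log_lines):
    """Return the log lines that record xp_cmdshell being switched on."""
    return [line for line in sql_log_lines if XP_ENABLED.search(line)]

# Constructed sample data (documentation IP ranges, made-up timestamps).
SAMPLE_IIS = [
    "#Fields: date time cs-method cs-uri-stem c-ip sc-status",
    f"2025-02-10 03:14:01 POST {WATCHED_PATH} 203.0.113.7 200",
    f"2025-02-10 03:14:02 POST {WATCHED_PATH} 203.0.113.7 500",
    f"2025-02-10 03:14:03 POST {WATCHED_PATH} 203.0.113.7 200",
    "2025-02-10 03:15:00 GET /default.aspx 198.51.100.20 200",
    f"2025-02-10 03:16:00 POST {WATCHED_PATH} 198.51.100.20 200",
]
SAMPLE_SQL = [
    "2025-02-10 03:14:05.10 spid55 Configuration option 'show advanced options' "
    "changed from 0 to 1. Run the RECONFIGURE statement to install.",
    "2025-02-10 03:14:05.12 spid55 Configuration option 'xp_cmdshell' "
    "changed from 0 to 1. Run the RECONFIGURE statement to install.",
]

if __name__ == "__main__":
    print(repeated_posts(SAMPLE_IIS))
    print(xp_cmdshell_enabled(SAMPLE_SQL))
```

An xp_cmdshell enablement that follows shortly after a burst of POSTs to the endpoint is the combination worth paging on.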
Energy Sector Faces Rising Risk from Identity Abuse and Disruptive Cyber Operations
Microsoft has identified a coordinated attack pattern, targeting organizations, that relies on SharePoint in an attempt to perform adversary-in-the-middle phishing and business email compromise rather than traditional malware delivery. The activity begins with phishing messages sent from already compromised, trusted accounts, disguised as routine SharePoint file-sharing notifications, which lowers suspicion and increases click-through rates. Once credentials and session tokens are captured, attackers manipulate inbox rules to hide alerts, delete messages, and maintain quiet control of the account. From there, the compromised mailbox is used to spread additional phishing internally and externally, rapidly expanding the attack’s reach across organizations and partners. In some cases, hundreds of phishing messages were sent from a single compromised account, enabling credential theft at scale. The campaign highlights how identity compromise alone can provide persistence, lateral movement, and monetization without deploying malware. This identity-driven threat activity matters because it targets the same sector that continues to face disruptive nation-state operations. In late December 2025, Polish authorities confirmed a major cyberattack attempt against energy infrastructure attributed to the Russian-linked Sandworm group, involving destructive malware intended to wipe systems supporting power generation and grid management. While the attack was unsuccessful, it reinforces the real-world impact energy-sector intrusions can have when attackers reach operational environments. Taken together, these incidents show a full risk spectrum, including quiet identity abuse that enables long-term access and fraud, alongside covert attacks designed to disrupt physical services. Energy organizations should treat identity systems and email as critical infrastructure, not just IT tooling.
Recommendations include enforcing phishing-resistant authentication, revoking session tokens during incident response, monitoring for suspicious inbox rule creation, limiting internal trust abuse, and ensuring rapid coordination between IT and operational teams to contain identity-based intrusions before they escalate into service-impacting events.
Homoglyph Phishing Campaign Exploits Visual Deception to Steal Credentials
CSN Security researchers have identified a sophisticated phishing campaign targeting customers of well-known brands, including Marriott International and Microsoft, by abusing subtle visual tricks in domain names. The attackers register lookalike domains that replace the letter “m” with the characters “r” and “n,” which in many fonts appear almost identical at a glance. This technique exploits how people naturally skim URLs and mentally correct what they expect to see, making fraudulent sites appear legitimate. Victims are redirected to fake login pages that closely mirror official branding, logos, and language, increasing the likelihood of credential theft. The campaign is particularly effective on mobile devices, where smaller screens and truncated URLs make visual inspection even harder. The result is a low-effort yet highly convincing method for harvesting login details and personal data without deploying malware. Recent activity shows this technique being used against Marriott loyalty program users and Microsoft account holders, with phishing emails delivering fake booking notices, security alerts, or invoice messages. Once credentials are entered on spoofed sites, attackers can take over accounts, access sensitive personal or corporate data, and potentially reuse those credentials elsewhere. The simplicity of the attack means it can scale quickly and target a broad audience, while it remains difficult for casual users to spot. This highlights an ongoing risk in which trusted brand familiarity is turned against users through subtle visual manipulations rather than technical exploits.
Organizations should block known lookalike domains, strengthen domain monitoring for typosquatting, and educate users to carefully inspect sender addresses and URLs, especially on mobile devices. Users should avoid clicking embedded links in urgent messages, rely on password managers to detect mismatched domains, and manually navigate to trusted websites when prompted for account actions.
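Domain monitoring for this trick can be automated by collapsing the confusable sequence before comparing against the domains you own. The detector below is an added example, not the researchers' tooling; the protected brands are hypothetical names under the reserved .example TLD, the message text is constructed, and the "vv" entry goes beyond the "rn" swap the article describes.

```python
import re
from urllib.parse import urlparse

# Hypothetical brands on a reserved TLD; replace with the domains you own.
PROTECTED = {"summit-hotels.example", "mailcorp.example"}
# Character sequences that render like a single letter. "rn" -> "m" is the
# swap described above; "vv" -> "w" is an added generalization.
CONFUSABLE_SEQUENCES = (("rn", "m"), ("vv", "w"))

def skeleton(name):
    """Collapse confusable sequences so lookalikes compare equal."""
    name = name.lower().rstrip(".")
    for sequence, letter in CONFUSABLE_SEQUENCES:
        name = name.replace(sequence, letter)
    return name

def lookalike_of(host, protected=PROTECTED):
    """Return the protected domain that `host` imitates, or None."""
    by_skeleton = {skeleton(domain): domain for domain in protected}
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1, -1, -1):      # shortest suffix first
        suffix = ".".join(labels[i:])
        if suffix in protected:
            return None        # the genuine domain or one of its subdomains
        if skeleton(suffix) in by_skeleton:
            return by_skeleton[skeleton(suffix)]
    return None

def scan_message(text, protected=PROTECTED):
    """Map each lookalike host linked in a message to the brand it imitates."""
    hits = {}
    for url in re.findall(r"https?://[^\s\"'<>]+", text):
        host = urlparse(url).hostname or ""
        brand = lookalike_of(host, protected)
        if brand:
            hits[host] = brand
    return hits

# Constructed e-mail body for the demonstration.
SAMPLE_MESSAGE = (
    "Your booking changed: https://signin.surnrnit-hotels.example/confirm\n"
    "Security alert: https://rnailcorp.example/login\n"
    "Help center: https://help.mailcorp.example/articles\n"
)

if __name__ == "__main__":
    for host, brand in scan_message(SAMPLE_MESSAGE).items():
        print(f"{host} imitates {brand}")
```

The same `lookalike_of` check can run over newly registered domain feeds or mail gateway logs, not only message bodies.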
Vercel-Hosted Phishing Uses Trusted Links to Deliver Remote Access
Cloudflare identified an active phishing campaign abusing a legitimate hosting domain to make malicious links appear routine and slip past basic email controls. The attack relies on “inherited trust,” where short, low-detail emails push a single *[.]vercel[.]app link wrapped in finance or business language tied to invoices, payment statements, document reviews, or account warnings. The landing pages impersonate familiar workflows, such as secure PDF viewers, signing portals, billing pages, or fake software support prompts, to steer users toward a download. What makes this campaign more concerning is its evolution from simple file delivery into a selective infection chain that tries to avoid researchers and automated scanners. Before showing a payload, the page collects basic device and network details, then sends that information to an attacker-controlled Telegram channel to decide whether the target is worth serving. This gating step reduces visibility for defenders and increases success rates against real users. Once the attacker decides a target is “valid,” the victim is prompted to download an executable with an invoice-style filename, but the file is not a typical malware dropper. Instead, the payload is a signed installer for GoTo Resolve, a legitimate remote support product, which gives the attacker hands-on control after installation and functions as a quiet backdoor without needing custom malware. This is effective because many environments trust signed software and are tuned to detect obviously malicious binaries rather than approved remote admin tools deployed at the wrong time. The scale appears meaningful based on recent detection telemetry reported by email security vendors, indicating this is not a one-off operation and is actively hitting inboxes.
Defenders should tighten controls around remote support tool installation, restrict who can run installers from user download paths, and alert on first-time installs or unexpected launches of remote support software. Security teams should also treat *[.]vercel[.]app and similar hosting subdomains as higher-risk during investigations, apply time-of-click link inspection, and train users that a trusted-looking domain and a lock icon do not confirm legitimacy.