New npm supply-chain attack self-spreads to steal auth tokens
Researchers say a new npm supply-chain campaign hit at least 16 packages tied to Namastex Labs, with malware designed to steal secrets like API keys, SSH keys, cloud and CI/CD credentials, browser-stored wallet data, and npm publishing tokens, then use those tokens to propagate into additional packages. The important wrinkle is that this isn’t just credential theft. It behaves like a supply-chain worm aimed at high-value developer and AI tooling environments.
Recent Microsoft Defender Vulnerability Exploited as Zero-Day
A Microsoft Defender privilege escalation flaw tracked as CVE-2026-33825 is now being reported as exploited in the wild after public proof-of-concept code circulated earlier this month. SecurityWeek says the bug, nicknamed BlueHammer, lets a low-privilege attacker reach SYSTEM, and Huntress observed attacks on April 10 and April 16. That makes this a good reminder to treat local privilege escalation bugs in default security tooling as patch-now issues, not background hygiene.
Hackers deployed wiper malware in destructive attacks on Venezuela’s energy sector
Kaspersky researchers have tied a previously unknown destructive malware, Lotus Wiper, to attacks against Venezuela’s energy and utilities sector. The malware is built to erase data across physical drives and delete files broadly enough to make systems unrecoverable, and technical evidence suggests the operation had been staged for months before discovery, pointing to a targeted destructive campaign rather than a financially motivated intrusion.
Surge in Bomgar RMM Exploitation Demonstrates Supply Chain Risk
Dark Reading reports a sharp uptick in attacks exploiting CVE-2026-1731 in Bomgar Remote Support, now part of BeyondTrust, where unauthenticated remote code execution on an upstream RMM server can cascade into downstream customer environments. Huntress cited one April 15 incident that affected an MSP and led to mass isolation across 78 businesses plus follow-on exploitation at four downstream customers. It shows how quickly a single remote management foothold can become a multi-organization supply-chain event.
Progress Software fixes sneaky WAF bypass vulnerability (CVE-2026-21876)
Progress patched five high-severity issues in MOVEit WAF and LoadMaster, including CVE-2026-21876, a flaw in the OWASP Core Rule Set that can let unauthenticated attackers bypass WAF detection with a specially crafted multipart request carrying an encoded payload. Public proof-of-concept code is already out, and while Progress says it has no reports of active exploitation, the combination of WAF bypass and public exploit details makes this one worth prioritizing anywhere those products are exposed.
The post InfoSec News Nuggets 04/23/2026 appeared first on AboutDFIR – The Definitive Compendium Project.