UNC6426 Exploits nx npm Supply-Chain Attack to Gain AWS Admin Access in 72 Hours
Google’s Cloud Threat Horizons Report for H1 2026 details how a threat actor tracked as UNC6426 weaponized credentials stolen during the August 2025 “s1ngularity” supply chain compromise of the popular Nx build system npm package to completely devastate a victim’s cloud environment — escalating from a single stolen GitHub Personal Access Token to full AWS administrator privileges in under 72 hours, culminating in the exfiltration of S3 bucket contents, termination of production EC2 and RDS instances, decryption of application keys, and the renaming of all internal GitHub repositories to public, randomly-suffixed strings. The attack chain is a stark case study in how overly permissive CI/CD OIDC trust relationships can cascade into total cloud compromise: the threat actor used a legitimate open-source secret-scanning tool called Nord Stream to extract credentials from the victim’s CI/CD environment, then abused a GitHub Actions role that had been granted excessive CloudFormation permissions to mint a new AWS administrator role with no standing controls to prevent it. The incident reinforces several urgent hardening recommendations: enforce least-privilege on all CI/CD-linked IAM roles, rotate and scope-limit GitHub PATs aggressively, implement anomaly detection on IAM role creation events, and consider sandboxed package managers that block postinstall script execution before a supply chain compromise can become a cloud incident.
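The report's recommendation to alert on IAM role creation maps naturally onto CloudTrail. The following Python is an added example, not code from Google's report or the victim's environment: it flags privilege-granting IAM writes made by a CI/CD OIDC session, including ones routed through CloudFormation the way the attacker's role-minting was, and grades an AdministratorAccess grant as critical. The role names, the CI naming pattern, the account id and the sample records are all constructed assumptions.

```python
import json
import re

# Assumed naming convention for this account's CI/CD deploy roles; adjust to your own.
CI_ROLE_PATTERN = re.compile(r"github|gitlab|actions|deploy|pipeline", re.IGNORECASE)
# IAM write calls that create a role or widen its privileges.
PRIV_EVENTS = {"CreateRole", "AttachRolePolicy", "PutRolePolicy", "CreatePolicyVersion"}
def ci_role_session(event):  # -> issuing role name if the caller is a CI/CD session, else None
    ident = event.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    ctx = ident.get("sessionContext", {})
    issuer = ctx.get("sessionIssuer", {}).get("userName", "")
    # OIDC sessions (AssumeRoleWithWebIdentity) carry webIdFederationData; the name match is a fallback.
    return issuer if ctx.get("webIdFederationData") or CI_ROLE_PATTERN.search(issuer) else None
def is_admin_grant(event):  # AdministratorAccess attached, or an inline statement allowing * on *
    params = event.get("requestParameters") or {}
    if params.get("policyArn", "").endswith(":policy/AdministratorAccess"):
        return True
    aslist = lambda v: v if isinstance(v, list) else [v]
    return any(s.get("Effect") == "Allow" and "*" in aslist(s.get("Action", []))
               and "*" in aslist(s.get("Resource", []))
               for s in json.loads(params.get("policyDocument", "{}")).get("Statement", []))
def detect(events):  # privilege-granting IAM writes by CI/CD sessions, direct or via CloudFormation
    findings = []
    for ev in events:
        if ev.get("eventSource") != "iam.amazonaws.com" or ev.get("eventName") not in PRIV_EVENTS:
            continue
        issuer = ci_role_session(ev)
        if issuer is None:
            continue
        findings.append({"event": ev["eventName"], "ci_role": issuer,
            "target_role": (ev.get("requestParameters") or {}).get("roleName"),
            "via_cloudformation": ev["userIdentity"].get("invokedBy") == "cloudformation.amazonaws.com",
            "severity": "critical" if is_admin_grant(ev) else "high"})
    return findings
def _ev(name, issuer, params, oidc=True, via_cfn=False):  # builds a constructed CloudTrail-style record
    ctx = {"sessionIssuer": {"userName": issuer}}
    if oidc:  # placeholder account id in the provider ARN
        ctx["webIdFederationData"] = {"federatedProvider": "arn:aws:iam::111122223333:oidc-provider/token.actions.githubusercontent.com"}
    ident = {"type": "AssumedRole", "sessionContext": ctx, **({"invokedBy": "cloudformation.amazonaws.com"} if via_cfn else {})}
    return {"eventSource": "iam.amazonaws.com", "eventName": name, "userIdentity": ident, "requestParameters": params}

SAMPLE_EVENTS = [  # constructed for illustration, not records from the incident
    _ev("CreateRole", "GitHubActionsDeployRole", {"roleName": "ops-admin-role"}, via_cfn=True),
    _ev("AttachRolePolicy", "GitHubActionsDeployRole", {"roleName": "ops-admin-role",
        "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}, via_cfn=True),
    _ev("CreateRole", "AWSReservedSSO_AdministratorAccess_0123", {"roleName": "audit-role"}, oidc=False),
]
```

Run `detect(SAMPLE_EVENTS)`: the two CloudFormation-mediated writes by the GitHub Actions role are flagged (the AdministratorAccess attachment as critical) while the human SSO session's role creation is not, which is the distinction a standing control on role creation needs to make.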
New BeatBanker Android Malware Poses as Starlink App to Hijack Devices
Kaspersky researchers have disclosed BeatBanker, a newly discovered Android malware strain currently targeting Brazilian users by distributing a fake Starlink application through websites designed to impersonate the official Google Play Store — combining banking trojan credential theft, Monero cryptomining via a modified XMRig build, and full device takeover via the commodity BTMOB RAT, which provides operators with keylogging, screen recording, camera and microphone access, and GPS tracking. What makes BeatBanker particularly notable from an evasion standpoint is its persistence mechanism: the malware continuously plays a nearly inaudible looping audio file of Chinese speech in the background through Android’s MediaPlayer API, exploiting a system quirk that prevents Android from suspending or killing active foreground services, effectively ensuring the malware remains running indefinitely without triggering standard battery-optimization kills. Kaspersky warns that while all confirmed infections to date have been in Brazil, the modular design and effectiveness of the campaign suggest expansion to additional markets is likely, and urges Android users to avoid sideloading APKs from outside official storefronts and to scrutinize app permission requests carefully.
235,000 Affected by Cyberattack on Largest Ambulance Provider in Wisconsin
Bell Ambulance, the largest ambulance service in Wisconsin with over 750 employees handling approximately 140,000 emergency calls annually across Milwaukee, Wauwatosa, Waukesha, Racine, and surrounding cities, has filed breach notifications in Maine confirming that 237,830 individuals had their data stolen in a cyberattack that was first discovered in February 2025 — meaning victims waited over a year from the initial breach discovery before final notifications were issued, as additional affected individuals continued to be identified through the fall. The stolen data includes Social Security numbers, driver’s license numbers, financial account information, medical records, and health insurance details, representing the full spectrum of sensitive personal data and creating long-term identity theft and fraud risk for hundreds of thousands of patients who interacted with the service. The delayed notification timeline will likely draw scrutiny under state and federal breach reporting standards, and the incident adds Bell Ambulance to a growing list of emergency medical services providers that have suffered significant data breaches in recent years — a sector that holds exceptionally sensitive data while often operating with IT security resources far below what its data custodianship responsibilities demand.
China-Based Espionage Group Compromised Notepad++ for Six Months
Rapid7 researchers have determined that Lotus Blossom — a Chinese APT group active since at least 2009, also tracked as Billbug, Thrip, and Raspberry Typhoon — gained recurring unauthorized access to the internal infrastructure of Notepad++, one of the world’s most widely used open-source text editors, for a six-month window beginning in June 2025, during which the attackers deployed a custom backdoor and used the compromised hosting environment to redirect Notepad++ auto-update traffic to malicious servers — a technique that potentially exposed any user running an older version of the tool who accepted an update prompt during the attack window. Rapid7 assessed the intrusion as consistent with targeted intelligence collection rather than a mass-compromise campaign, finding no evidence of bulk data exfiltration, and described post-compromise behavior as focused on “system profiling, persistence mechanisms, and remote command execution” — consistent with Lotus Blossom’s historical focus on government, telecom, critical infrastructure, and media organizations, all of which are disproportionately represented among Notepad++ users. Notepad++ creator Don Ho confirmed the breach, released a software update in December 2025 addressing the authentication weaknesses that allowed update traffic hijacking, and migrated the project to a new hosting provider with stronger security controls; Rapid7 confirmed that Lotus Blossom’s known campaign infrastructure has since gone dark.
France’s Cybersecurity Agency Reports Ransomware Attack Drop in 2025
France’s national cybersecurity agency ANSSI published its annual threat report on March 11, recording 128 ransomware incidents affecting French public and private organizations in 2025 — a modest decline from 141 in 2024 — but warning that the raw numbers likely understate the true threat landscape because ANSSI counts only incidents formally reported to the agency, and because the broader cybercriminal ecosystem is increasingly shifting toward “encryption-less extortion,” where data is stolen and monetized through ransom demands without deploying file-encrypting ransomware, a technique that often flies under traditional ransomware detection and reporting frameworks. The report also highlights a significant increase in espionage activity targeting French critical infrastructure, supply chain compromise attempts against defense-sector subcontractors, and an uptick in hacktivism campaigns linked to geopolitical flashpoints including the ongoing conflict in Ukraine — underscoring that France’s relatively stable ransomware headline number masks a threat environment that is becoming simultaneously broader and more sophisticated across all other dimensions.