This week’s report highlights five developments with direct implications for digital health and defence organisations:
- Oracle’s April 2026 security update, delivering 481 fixes across business‑critical platforms.
- A major data exposure involving UK Biobank volunteers, with anonymised records advertised for sale on a Chinese marketplace.
- FIRESTARTER, a new backdoor discovered on Cisco firewall appliances that can remain in place even after patches are applied.
- Criminal groups impersonating IT help desks on Microsoft Teams to persuade staff to install malware.
- A supply chain compromise of the Bitwarden command-line tool, widely used by IT and development teams to manage secrets.
Oracle has released its April 2026 Critical Patch Update. This is a scheduled bundle of security fixes that covers 481 separate weaknesses across 28 different Oracle product families. The biggest concerns are in Oracle Communications, which has 139 security holes (93 of which can be attacked from the internet without any login), Oracle Fusion Middleware, which has 46 internet-exploitable flaws that need no login, and Oracle E-Business Suite, which has 18 flaws (8 of them remotely exploitable without a login). NHS England has flagged the update as a medium-severity alert for all healthcare organisations.
Oracle software runs in the background of many UK businesses, hospitals, and NHS suppliers. It is used for finance systems, communications platforms, customer databases, and large healthcare applications. When a vulnerability does not need any login, it means an attacker on the internet can reach the system and try to break in straight away. The number of fixes is also a problem on its own. Big patch sets often slip through busy IT teams, which leaves systems exposed for weeks or months. For DSPT-aligned organisations, missing critical patches is a clear control failure that can affect both audit outcomes and real-world risk.
UK Biobank, a charity that holds one of the world's largest sets of biomedical research data, has confirmed that data on around 500,000 of its volunteers was listed for sale on Chinese e-commerce site Alibaba. UK technology minister Ian Murray told the House of Commons that the data was anonymised, but the charity could not fully guarantee that individuals could never be re-identified. The data was traced back to three Chinese research institutions that had accreditation to use UK Biobank's platform. All three have now had their access revoked. Investigations are ongoing, and there is currently no evidence that the data has been bought or downloaded by other parties. UK Biobank and the UK government worked with the Chinese government and Alibaba to take the listings down.
This case is a stark reminder that "anonymised" data is not the same as "safe" data. Once a large set of health information leaves controlled environments, it can be recombined with other data sources and may eventually identify real people. For UK digital health organisations, NHS suppliers, and any service handling research or clinical data, this incident shows how third-party access — even for legitimate research — can create serious data protection risks. It is also relevant for DSPT and UK GDPR compliance: organisations that share data with researchers, partners, or international institutions must be able to track who has it, what they did with it, and how access can be removed if something goes wrong.
CISA, working with the UK's National Cyber Security Centre (NCSC), has revealed a new piece of malware called FIRESTARTER. It was found on a US federal agency's Cisco Firepower device running ASA (Adaptive Security Appliance) software. FIRESTARTER is a backdoor — a hidden tool that lets attackers come back to the device whenever they want. It is part of a wider campaign by an advanced attacker group, who first broke in by using earlier Cisco flaws (CVE-2025-20333 and CVE-2025-20362). The worrying part is that FIRESTARTER stays in place even after the original holes are patched. Attackers also use a separate toolkit called LINE VIPER to run commands, capture network traffic, bypass VPN access controls, and quietly turn off log messages.
Cisco ASA and Firepower devices are common in UK enterprises, hospitals, NHS suppliers, and managed service environments. They sit at the edge of the network and are trusted with very sensitive jobs, such as VPN access for remote staff and clinicians. If an attacker plants a backdoor on this kit, they can quietly watch traffic, harvest credentials, and step across into clinical or business systems. Because FIRESTARTER survives patching, simply applying the original Cisco fixes is not enough — you also need to check whether the device was already compromised before the patch was installed. This is a strong example of why "patched" does not always mean "clean".
A criminal group tracked as UNC6692 has been spotted using a clever social engineering trick on Microsoft Teams. First, the attackers flood a target's inbox with junk email so the user feels overwhelmed. Then someone pretending to be an "IT help desk" agent sends a chat invitation through Teams from outside the organisation. The user, looking for help with the spam, accepts the message. From there, the attacker walks them through actions that lead to a custom malware suite called SNOW being installed on their device. A separate group, tracked by Cato Networks, uses a similar approach with a backdoor called PhantomBackdoor, delivered through obfuscated PowerShell scripts during a Teams meeting.
Most UK NHS trusts, suppliers, and businesses use Microsoft Teams every day. Staff are used to seeing IT messages there, and many will trust a help desk persona by default. This makes Teams a very attractive channel for attackers compared to traditional email phishing. Where the attacker can join a screen share, they can guide users into running PowerShell, approving installs, or handing over codes — bypassing many email and endpoint controls. For digital health and NHS suppliers, a single successful attack like this can give attackers a foothold inside clinical and administrative systems. It is exactly the kind of human-centred attack that DSPT controls around training, access management, and monitoring are designed to catch.
A malicious version of Bitwarden CLI (the command-line tool for the popular password manager) has been published as part of a wider supply chain campaign affecting a number of open-source projects. Researchers from JFrog and Socket reported that version 2026.4.0 of @bitwarden/cli on npm contained a hidden malicious file called "bw1.js". The attack is believed to have come from a compromised GitHub Action inside Bitwarden's build pipeline, which is the same pattern seen in earlier compromises in this campaign. Bitwarden has released a clean version (2026.4.1), but anyone who installed the bad version may have had secrets and environment variables exposed.
Password managers are a critical control in modern security, and Bitwarden is widely used across UK businesses, IT teams, and NHS suppliers. The CLI tool is often used in scripts, automation, and CI/CD pipelines, where it has access to highly sensitive secrets. A poisoned version of the CLI could quietly steal API keys, tokens, and other secrets used to access cloud, source control, or production systems. Supply chain attacks of this kind are difficult to detect because the malicious code arrives through normal trusted channels, such as npm. For organisations subject to DSPT or working under contracts that require secure development, this is another reason to take open-source dependency hygiene seriously.
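A defender-side check, added here for this report and not taken from Bitwarden or the researchers cited: it reads a package-lock.json for the compromised @bitwarden/cli release and looks for the planted bw1.js file under any installed copy. It relies on npm's documented lockfile layouts (a nested "dependencies" tree in v1, a "packages" map keyed by node_modules path in v2/v3); the sample lockfile and node_modules tree are constructed.

```python
import json
import tempfile
from pathlib import Path

# Indicators taken from the report: the compromised npm release and the planted file name.
PACKAGE = "@bitwarden/cli"
BAD_VERSION = "2026.4.0"
PLANTED_FILE = "bw1.js"

# Constructed sample lockfile (not from a real project) that pins the compromised release.
SAMPLE_LOCK = json.dumps({"name": "deploy-scripts", "lockfileVersion": 3, "packages": {
    "": {"dependencies": {PACKAGE: "^2026.4.0"}},
    f"node_modules/{PACKAGE}": {"version": BAD_VERSION},
}})

def find_package_versions(lockfile_text: str) -> list[str]:
    """Return every version of PACKAGE recorded in a package-lock.json (v1, v2 or v3)."""
    lock = json.loads(lockfile_text)
    found = []
    # v2/v3 lockfiles key entries by node_modules path, which also catches nested installs.
    for path, meta in lock.get("packages", {}).items():
        if path.endswith(f"node_modules/{PACKAGE}") and "version" in meta:
            found.append(meta["version"])
    # v1 lockfiles use a nested "dependencies" tree instead.
    def walk(deps: dict) -> None:
        for name, meta in deps.items():
            if name == PACKAGE and "version" in meta:
                found.append(meta["version"])
            walk(meta.get("dependencies", {}))
    walk(lock.get("dependencies", {}))
    return found

def assess(lockfile_text: str, node_modules: Path) -> dict:
    """Flag the bad pin and any copy of the planted file under an installed @bitwarden/cli."""
    versions = find_package_versions(lockfile_text)
    hits = node_modules.glob(f"**/{PACKAGE}/**/{PLANTED_FILE}")
    return {
        "versions": versions,
        "bad_version_pinned": BAD_VERSION in versions,
        "planted_files": sorted(str(p.relative_to(node_modules)) for p in hits),
    }

def demo() -> dict:
    """Build a constructed node_modules tree in a temp dir and run the check against it."""
    with tempfile.TemporaryDirectory() as tmp:
        nm = Path(tmp) / "node_modules"
        build_dir = nm / "@bitwarden" / "cli" / "build"
        build_dir.mkdir(parents=True)
        (build_dir / PLANTED_FILE).write_text("// constructed stand-in, not the real file\n")
        return assess(SAMPLE_LOCK, nm)
```

Against a real pipeline host, pass the lockfile text and the node_modules path to assess(); a hit means treating every secret and environment variable that host could reach as exposed, as the report notes.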
Want help staying ahead of threats like these? Contact Periculo: our team supports UK digital health companies and NHS suppliers with practical, hands-on cybersecurity assurance, from vulnerability management and DSPT readiness to incident response, AI Assurance and supplier risk reviews.