
Threat Report 170

In this week's threat report: a concerning mix of software supply chain compromise, actively exploited vulnerabilities, state-linked espionage, and disruptive attacks on shared public sector services. In the report, we summarise the most significant developments and the practical actions organisations should take now...

Attackers Hijack Widely Used npm Package to Deploy Remote Access Malware

The Axios HTTP client is one of the most popular software libraries in the world. It is used by developers to allow applications to make requests over the internet, and it is downloaded more than 100 million times every week. On 31 March 2026, security researchers confirmed that two versions of Axios — versions 0.30.4 and 1.14.1 — had been compromised as part of a supply chain attack.

A threat actor known as UNC1069 used social engineering to trick the Axios package maintainer into handing over access to the account used to publish updates. The attackers then published malicious versions containing a hidden dependency — a piece of software disguised as a legitimate tool — which installs a remote access trojan (RAT) on the victim's machine. A RAT is a type of malware that gives an attacker full remote control of an infected computer. Once installed, the malware connects to an attacker-controlled server, downloads further tools, and then quietly removes its own traces to make detection harder. NHS England's National CSOC issued alert CC-4764 on 31 March 2026.

Axios is used across countless software development teams, including those building platforms for NHS trusts, NHS suppliers, and digital health companies. Any developer who installed the affected versions — or any automated build pipeline that fetched them — should treat their environment as potentially compromised. This attack follows a pattern of supply chain compromises that have also affected Trivy, LiteLLM, and Telnyx in recent weeks. It shows that attackers are increasingly targeting open-source software tools as a way to reach many organisations at once. The DSPT includes specific requirements around secure software development and supply chain risk management; this type of incident is exactly what those requirements are designed to address.

Recommendations

  • Check all development environments and automated build pipelines for Axios versions 0.30.4 or 1.14.1, and remove them immediately.
  • Update to the latest clean version of Axios as soon as possible.
  • Check build logs for any npm install commands that may have pulled the affected versions — any pipeline that did should be treated as fully compromised.
  • Rotate all secrets, API keys, tokens, and credentials that were accessible from any environment where the affected versions were installed.
  • If you suspect compromise, report it to NHS England's National CSOC: call 0300 303 5222 or email cybersecurity@nhs.net.
  • Use this incident as a prompt to review your organisation's process for monitoring open-source software dependencies for supply chain compromise.
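A practical way to carry out the first and third recommendations is to check lockfiles and build logs mechanically rather than by eye. The script below is an added example written for this report, not code from the report's authors or from the Axios project. It scans an npm `package-lock.json` (lockfileVersion 1, 2 or 3, so nested copies under a transitive dependency are found as well as the top-level one) and a build-log text for the two Axios versions named above. The sample lockfile and log lines embedded in it are constructed for the demonstration; point it at real files with `node scan-axios.js package-lock.json build.log`.

```javascript
// Added example, not code from the report or from the Axios project: scan an
// npm lockfile (lockfileVersion 1, 2 or 3) and build-log text for the two
// Axios versions the report names.
// Usage: node scan-axios.js [package-lock.json] [build.log]

// Package -> set of versions named as compromised in the report.
const AFFECTED = { axios: new Set(["0.30.4", "1.14.1"]) };

function isAffected(name, version) {
  return Boolean(AFFECTED[name] && AFFECTED[name].has(version));
}

// Returns one finding per install path. lockfileVersion 2 carries both the
// "packages" map and the legacy "dependencies" tree, so results are keyed by
// path to avoid reporting the same installed copy twice.
function findAffectedInLockfile(lockfile) {
  const hits = new Map();
  const record = (name, version, path) => {
    if (isAffected(name, version)) hits.set(path, { name, version, path });
  };
  // lockfileVersion 2/3: keys look like "node_modules/axios" or
  // "node_modules/some-lib/node_modules/axios"; "" is the root project.
  const marker = "node_modules/";
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (path === "") continue;
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    record(name, meta.version, path);
  }
  // lockfileVersion 1 (and the compatibility copy in v2): nested
  // "dependencies" objects keyed by package name.
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      record(name, meta.version, path);
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lockfile.dependencies, "");
  return [...hits.values()];
}

// Build logs: flag any "name@version" token for an affected version, with the
// 1-based line number so the offending pipeline run can be traced.
const PKG_TOKEN = /\b(axios)@(\d+\.\d+\.\d+)\b/g;
function findAffectedInLog(logText) {
  const hits = [];
  logText.split(/\r?\n/).forEach((line, i) => {
    for (const m of line.matchAll(PKG_TOKEN)) {
      if (isAffected(m[1], m[2])) {
        hits.push({ line: i + 1, name: m[1], version: m[2], text: line.trim() });
      }
    }
  });
  return hits;
}

// Constructed sample inputs (not real project files) so the block runs offline.
const SAMPLE_LOCK_V3 = {
  name: "demo-app", lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { axios: "^1.14.0", "some-lib": "^2.0.0" } },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/some-lib": { version: "2.0.0" },
    "node_modules/some-lib/node_modules/axios": { version: "1.13.0" },
  },
};
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    "some-lib": { version: "2.0.0", dependencies: { axios: { version: "0.30.4" } } },
  },
};
const SAMPLE_LOG = [
  "[build] installing dependencies",
  "[build] resolved axios@1.14.1 from registry",
  "[build] resolved some-lib@2.0.0 from registry",
].join("\n");

if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const [lockPath, logPath] = process.argv.slice(2);
  const lock = lockPath ? JSON.parse(fs.readFileSync(lockPath, "utf8")) : SAMPLE_LOCK_V3;
  const log = logPath ? fs.readFileSync(logPath, "utf8") : SAMPLE_LOG;
  console.log("lockfile findings:", findAffectedInLockfile(lock));
  console.log("build log findings:", findAffectedInLog(log));
}
```

A hit in either scan is the trigger for the rest of the list: the host or pipeline is treated as compromised and every secret reachable from it is rotated. Adding further package names and versions to `AFFECTED` lets the same scan cover later advisories.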

Actively Exploited Flaw in Fortinet Endpoint Management Software — Emergency Patch Released

On 5 April 2026, Fortinet released an emergency security update to fix a critical vulnerability in FortiClient Enterprise Management Server (EMS). The flaw is tracked as CVE-2026-35616 and has a severity score of 9.1 out of 10. It allows an attacker to bypass authentication entirely, meaning they do not need a valid username or password, and run unauthorised code on the affected system. Security researchers confirmed that attackers were exploiting this as a zero-day vulnerability before the patch was released, meaning there was a window during which organisations running affected software were at risk with no fix available. The flaw affects FortiClient EMS versions 7.4.5 and 7.4.6. A hotfix is now available, and a full fix will follow in version 7.4.7.

FortiClient EMS is used by organisations to centrally manage security software across all the devices on their network. It is essentially the control panel for endpoint protection. Fortinet products are widely used across enterprise organisations, NHS trusts, and NHS suppliers. When the software that manages your security tools is itself compromised, an attacker can potentially affect protections across your entire network. Because exploitation was confirmed before the patch was available, organisations running affected versions should review their logs carefully. The release of an out-of-band (unscheduled, emergency) patch signals that Fortinet considers this issue very serious. Organisations should not wait.

Recommendations

  • Check whether your organisation uses FortiClient EMS and confirm the version in use.
  • Apply the Fortinet hotfix for CVE-2026-35616 immediately — do not wait for the full release in version 7.4.7.
  • If a managed service provider or IT supplier manages Fortinet products on your behalf, ask them to confirm that the hotfix has been applied without delay.
  • Review access logs on FortiClient EMS for any unexpected or unauthorised activity, particularly in the period before the patch was applied.
  • Monitor Fortinet's security advisories for the release of version 7.4.7 and apply it as soon as it becomes available.

Critical Cisco Vulnerability Allows Attackers to Reset Admin Passwords Without Logging In

On 2 April 2026, Cisco released security updates to fix a critical vulnerability in its Integrated Management Controller (IMC). The IMC is software built into Cisco server hardware that allows IT administrators to manage servers remotely, even when the operating system is not running. The flaw is tracked as CVE-2026-20093 and carries a severity score of 9.8 out of 10, close to the maximum possible. The vulnerability is caused by incorrect handling of password change requests. An attacker with no credentials at all can send a specially crafted request over the network to change the password of any user on the system, including the main administrator account, and then log in as that user. No authentication is required at any stage. Cisco also released a separate patch for a related high-severity flaw in its Smart Software Manager On-Prem (SSM On-Prem) product.

Cisco hardware is deployed across a huge number of organisations worldwide, including NHS trusts, local authorities, and data centres supporting critical infrastructure. Server management controllers like Cisco IMC are often overlooked during routine patching because they operate below the level of the normal operating system. However, they carry a high level of access to the servers they manage. An attacker who can reset the administrator password on a management controller effectively takes full control of the underlying server. This can be used to access data, disrupt services, or move further into the network. Organisations should treat this as a priority patch, particularly where IMC interfaces are accessible from the internet.

Recommendations

  • Check whether your organisation uses Cisco server hardware with an Integrated Management Controller and identify which products and firmware versions are in use.
  • Apply Cisco's security update for CVE-2026-20093 as soon as possible.
  • Review the network accessibility of all Cisco IMC interfaces — if they are reachable from the open internet or from untrusted network segments, restrict access immediately.
  • If a managed service provider manages Cisco server infrastructure on your behalf, ask them to confirm patching status and whether IMC management interfaces are appropriately restricted.
  • Review access logs on Cisco IMC interfaces for any unexpected requests, particularly any password change events.

Chinese Espionage Group Targets European Governments and NATO Missions with Malware

Security researchers at Proofpoint published findings on 3 April 2026 documenting an ongoing campaign by a threat group known as TA416, which operates on behalf of China's state intelligence services. The group has been running targeted phishing campaigns against European government bodies, diplomatic missions to the European Union, and NATO member states since mid-2025. The attackers have used a range of techniques to deliver a piece of malware called PlugX, a remote access tool that has been used in Chinese state espionage operations for many years. Notably, the campaign has abused OAuth authentication flows, the "sign in with Google" or "sign in with Microsoft" style prompts that many people consider trustworthy, as a delivery mechanism for malicious payloads. The group has been regularly updating its methods to avoid detection and has also been targeting government and diplomatic entities in the Middle East.

The UK is a member of NATO and is closely integrated with European diplomatic networks. UK government departments, policy organisations, and bodies involved in foreign affairs or defence are plausible targets for TA416. NHS organisations and NHS suppliers working on government contracts — particularly those with access to sensitive data or involved in defence health — should be aware that state-sponsored cyber espionage targeting government-adjacent organisations is an active and ongoing threat. The use of OAuth-based phishing is particularly relevant because many people trust OAuth prompts more than standard phishing links. Staff may not recognise a malicious OAuth request as a threat. Long-term access via PlugX allows attackers to operate quietly inside an organisation's systems for extended periods, potentially exfiltrating sensitive data without detection.

Recommendations

  • Ensure staff who handle sensitive, government-related, or commercially valuable information receive regular phishing awareness training, including specific guidance on OAuth-based phishing.
  • Remind all staff to be suspicious of unexpected authorisation requests from cloud services, even when the pages appear legitimate.
  • Ensure email security controls include anti-phishing detection, link sandboxing, and impersonation protection.
  • Review whether your organisation holds government contracts or handles data that could make it a target for state-sponsored espionage — if so, brief your security team on TA416's tactics and indicators of compromise.
  • Report any suspected state-sponsored targeting to the NCSC at report@ncsc.gov.uk.
  • Check linked and authorised applications in your Microsoft 365 and Google Workspace environments for any unfamiliar or unexpected entries.
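The last recommendation, reviewing authorised applications, is easier to repeat regularly if the export of consent grants is triaged by a script rather than read line by line. The block below is an added example written for this report, not code from the report's authors, Proofpoint, Microsoft or Google. It assumes each grant record carries `clientId`, `consentType`, `principalId` and a space-separated `scope` string (the shape of a Microsoft Graph `oauth2PermissionGrant` object; any export with those fields can be fed in), compares each grant against an allowlist of approved applications and a list of high-impact delegated scopes, and ranks the findings. The application ids and the sample grants are placeholders constructed for the demonstration.

```javascript
// Added example, not code from the report, Proofpoint, Microsoft or Google:
// triage exported OAuth consent grants against an allowlist of approved
// applications and a list of high-impact delegated scopes.
// Assumption: records carry clientId, consentType, principalId and a
// space-separated scope string (Microsoft Graph oauth2PermissionGrant shape).

// Application (service principal) ids the organisation has approved.
// Placeholder ids, not real tenant data.
const APPROVED_APPS = new Map([
  ["11111111-1111-1111-1111-111111111111", "HR self-service portal"],
]);

// Scopes that give mailbox or file access, directory write, or long-lived
// refresh tokens (offline_access), i.e. the access a quiet intruder wants.
const HIGH_IMPACT_SCOPES = new Set([
  "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
  "Files.Read.All", "Files.ReadWrite.All", "Directory.ReadWrite.All", "offline_access",
]);

// Rate a single grant. An unapproved app with high-impact scopes or
// tenant-wide consent is "high"; an unapproved app with benign scopes is
// "medium"; an approved app holding high-impact scopes is "low" (re-validate
// periodically); an approved app with benign scopes produces no finding.
function rateGrant(grant) {
  const known = APPROVED_APPS.has(grant.clientId);
  const scopes = (grant.scope || "").trim().split(/\s+/).filter(Boolean);
  const risky = scopes.filter((s) => HIGH_IMPACT_SCOPES.has(s));
  const tenantWide = grant.consentType === "AllPrincipals";
  const reasons = [];
  if (!known) reasons.push("application not on the approved list");
  if (risky.length) reasons.push(`high-impact scopes: ${risky.join(", ")}`);
  if (tenantWide && !known) reasons.push("tenant-wide consent for an unapproved application");
  let severity = "none";
  if (!known && (risky.length || tenantWide)) severity = "high";
  else if (!known) severity = "medium";
  else if (risky.length) severity = "low";
  return {
    clientId: grant.clientId,
    appName: APPROVED_APPS.get(grant.clientId) || "(unapproved)",
    principalId: grant.principalId ?? null,
    consentType: grant.consentType,
    severity,
    reasons,
  };
}

// Rate every grant, drop the clean ones and order the rest by severity.
const ORDER = { high: 0, medium: 1, low: 2 };
function triageGrants(grants) {
  return grants
    .map(rateGrant)
    .filter((f) => f.severity !== "none")
    .sort((a, b) => ORDER[a.severity] - ORDER[b.severity]);
}

// Constructed sample export (placeholder ids, not real tenant data).
const SAMPLE_GRANTS = [
  { clientId: "11111111-1111-1111-1111-111111111111", consentType: "Principal", principalId: "user-1", scope: "User.Read Mail.Read" },
  { clientId: "22222222-2222-2222-2222-222222222222", consentType: "Principal", principalId: "user-2", scope: "offline_access Mail.Read Files.Read.All" },
  { clientId: "33333333-3333-3333-3333-333333333333", consentType: "Principal", principalId: "user-3", scope: "User.Read" },
  { clientId: "11111111-1111-1111-1111-111111111111", consentType: "Principal", principalId: "user-4", scope: "User.Read" },
];

if (typeof require !== "undefined" && require.main === module) {
  for (const f of triageGrants(SAMPLE_GRANTS)) {
    console.log(`[${f.severity}] ${f.appName} (${f.clientId}) for ${f.principalId}: ${f.reasons.join("; ")}`);
  }
}
```

The severity rule encodes the point made above: a grant that combines an application nobody recognises with `offline_access` and mailbox or file scopes is the shape of a consent-phishing foothold and goes to the top of the list, while an approved application holding the same scopes is still worth re-validating but is not an incident on its own.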

Cyberattack on Northern Ireland School Network Disrupts Thousands of Pupils During Exam Season

On Thursday 2 April 2026, a cyberattack struck the C2K network — the IT platform used by every school in Northern Ireland, managed by the Education Authority (EA). The attack locked all pupils and staff out of their accounts, meaning students could not access resources, revision materials, or work set by their teachers. The timing could hardly have been worse: thousands of pupils are due to sit GCSE, AS, and A-Level exams just weeks after the Easter break. The EA carried out a full password reset across the entire school network as a "critical security measure" and said teams worked through the weekend to restore access, beginning with post-primary schools. As of the BBC's report on 5 April 2026, it had not been confirmed whether any personal data was affected. The EA is engaging with the Information Commissioner's Office (ICO) and relevant authorities as part of its response. Individual password resets, for each pupil and member of staff, are being carried out manually, which school principals have described as a "very significant task".

This attack is a clear example of how a cyberattack on a shared, centralised IT platform can cause widespread disruption to an entire public sector, in this case across all schools in a region, affecting pupils, teachers, and parents simultaneously. The C2K model is similar in structure to shared services used across NHS trusts, local authorities, and other public bodies, where a single platform or managed service provides infrastructure to many organisations at once. A successful attack on one centralised provider can have a cascading effect. The timing of this attack, just before a major exam period, illustrates how threat actors can amplify impact by targeting organisations at moments of peak operational pressure. For NHS suppliers and digital health companies that provide shared platforms or managed services to multiple organisations, this is a direct and relevant reminder of the importance of resilience, robust incident response, and rapid communication with affected users. Potential data exposure also triggers ICO reporting obligations.

Recommendations

  • Review your organisation's incident response plan and check that it specifically covers scenarios where a shared or centralised platform is compromised, affecting multiple downstream users or organisations.
  • Ensure you have a clear, tested communication plan for notifying affected organisations and individuals quickly in the event of a breach or service disruption.
  • Assess whether centralised platforms or services you operate or depend upon have appropriate network segmentation and access controls to limit the blast radius of a breach.
  • Check your data breach notification procedures — if personal data may have been affected, you have a legal obligation to report to the ICO within 72 hours of becoming aware.
  • Consider whether your organisation's business continuity plan accounts for extended loss of access to critical IT systems, particularly during high-pressure operational periods such as end-of-quarter reporting, clinical audits, or exam seasons.
  • If you are an NHS supplier providing managed services to multiple organisations, review your contractual obligations around incident notification and service restoration timescales.

Periculo supports organisations across healthcare, defence, and critical services with practical, hands-on cybersecurity assurance — from vulnerability management and secure configuration reviews to incident response readiness and compliance with frameworks such as DSPT and DCC.

Get in touch to assess your current security posture, identify gaps, and ensure your organisation is prepared for the threats that matter most.