This week’s activity highlights several active threats...
Attackers are currently breaking into Citrix NetScaler devices using two separate flaws, and one of these is already being used by a ransomware group against dozens of organisations.
Criminal groups, including ransomware gangs are actively exploiting a serious vulnerability in Microsoft SharePoint.
A widely used remote support tool, SimpleHelp, has a critical weakness that lets attackers take full control of managed devices without needing a password at all.
Threat actors linked to North Korea have seeded widely used open-source code libraries with more than 100 fake or malicious packages designed to steal information from software developers.
A US healthcare supplier was also breached after attackers social-engineered their way in through a third-party contractor, a reminder of the risk NHS suppliers carry through their own vendors.
Full report below...
Citrix NetScaler is a device many organisations use to let staff, partners and sometimes patients log in securely from outside the office, a bit like a digital front door. Two separate weaknesses have now been found in it. The first, nicknamed "Citrix Bleed 2" (CVE-2025-5777), lets an attacker read small pieces of the device's memory without logging in at all. Those pieces can include session tokens, which work like a spare key that lets someone into an account even with the right password changed, and multi-factor authentication turned on. A ransomware gang called Anubis has been using this flaw for months and has now hit at least 91 organisations, more than half in the United States, with the rest spread across the UK, Australia, France and Canada. The second flaw (CVE-2026-8451) is brand new, and attackers started using it within 24 hours of it becoming public. NHS England issued alert CC-4805 in response and says further attacks are highly likely.
NetScaler devices usually sit right at the edge of a network, guarding remote access into the systems behind them. Because this flaw can be used to steal session tokens, even well-protected accounts with multi-factor authentication can still be broken into. For NHS suppliers and digital health organisations that use NetScaler to give staff or systems remote access, this is a DSPT-relevant risk: a successful break-in could count as a reportable incident, and healthcare has already been one of the sectors most targeted by the Anubis gang.
Recommendations
Microsoft SharePoint, used by many organisations including NHS trusts to store and share documents, has a serious flaw known as CVE-2026-45659. Someone who already has even a very basic SharePoint account, nothing more than ordinary "site member" access, can use this flaw to run their own code on the server and effectively take it over. Microsoft fixed the flaw back in May, but the US Cybersecurity and Infrastructure Security Agency has now confirmed that criminal groups, including ransomware gangs, are actively exploiting it on servers that have not yet been patched. NHS England issued alert CC-4806 on 2 July 2026 and assesses further exploitation as highly likely.
SharePoint often holds sensitive material such as patient information, HR records, contracts and policies. Because this attack only needs a low-level account rather than an administrator one, any organisation running its own SharePoint server (this does not affect Microsoft 365's SharePoint Online) is at real risk if it has not patched. Once inside, attackers can use SharePoint as a launchpad into the wider network, which is exactly the kind of foothold ransomware gangs look for. NHS suppliers running on-premises SharePoint should treat patching as urgent.
Recommendations
SimpleHelp is remote monitoring and management software, the kind of tool IT support teams and managed service providers use to connect to and control other people's computers to fix problems. A critical flaw (CVE-2026-48558) means that, where a certain login method is switched on, an attacker with no account at all can forge a login token and get full "technician" access, which is enough to control every computer the tool manages. Criminals are already using this flaw to install information-stealing malware known as Djinn Stealer. It has been given one of the highest possible severity scores, and the NHS England National CSOC assesses that further exploitation is highly likely.
Remote support tools like SimpleHelp are often used by third-party IT providers and managed service providers to look after many client organisations at once, including NHS suppliers and smaller digital health companies who outsource their IT support. If an attacker breaks into the support platform itself, they can potentially reach every computer it manages in one go. This is a textbook supply chain risk, and it deserves urgent attention from anyone using SimpleHelp directly, or indirectly through a support provider.
Recommendations
Security researchers at Socket have found that hackers linked to North Korea published 108 fake or booby-trapped software packages and browser add-ons across several free, widely used code libraries, including npm, Packagist, Go and the Google Chrome Web Store. The campaign, called PolinRider, is linked to an older North Korean operation known for tricking software developers with fake job offers and interviews. The bad packages are made to look like normal, trustworthy tools that a developer might download without checking too closely, and researchers expect more to keep appearing.
Many NHS suppliers and digital health companies build their own software, and almost all modern software is built using hundreds of small, free code packages written by other people. If a developer accidentally installs one of these fake packages, attackers can gain a foothold inside the company's own systems or steal passwords and access keys that can later be used to attack the company's customers, including NHS organisations. It only takes one bad building block to put everything built on top of it at risk.
Recommendations
AdaptHealth, a US company that supplies home medical equipment, has said criminals tricked one of its outside contractors into handing over access to its cloud systems. Once inside, the attackers reached the company's patient management system, its document storage, and portals linked to electronic health records. They stole a file of passwords used for insurance billing, along with personal and health information belonging to patients. AdaptHealth found out about the break-in when the attackers contacted the company directly in mid-June to say they had stolen data. A criminal group called ShinyHunters has since claimed responsibility and listed AdaptHealth on its leak site, threatening to publish the stolen data if a ransom is not paid.
This breach was not caused by a software bug. It happened because someone was tricked into handing over access, which shows that even well-patched systems can be broken through people rather than technology. NHS suppliers and digital health companies often rely on third-party contractors and cloud platforms in the same way AdaptHealth did, so this is a reminder that supplier and contractor access needs the same scrutiny as staff accounts. ShinyHunters has targeted healthcare and other data-rich organisations before, and stolen password files can be reused to break into other connected systems, so any organisation with shared supplier relationships should treat this as a warning sign.
Recommendations
Want help staying ahead of threats like these? Contact Periculo about our Threat Intelligence services and find out how we support UK digital health organisations, healthtechs, and NHS suppliers with practical, hands-on cybersecurity assurance.