SonicWall told customers to patch their firewalls immediately. The FBI published a warning about $725 million in cargo stolen through hacked logistics platforms. And two incident response professionals were sentenced to prison for running the ransomware they were hired to fight. Today’s brief covers the firewall advisory, the cargo hijacking campaign, the insider threat sentencing, and a supply chain attack that compromised 1,800 organizations through poisoned npm packages.

In the News

SonicWall Urges Immediate Patching for Firewall Bypass and Crash Vulnerabilities

SonicWall published an urgent advisory for multiple vulnerabilities in its NGFW product line that allow attackers to bypass security controls and crash devices. No CVE identifiers or CVSS scores have been assigned at time of writing, but the vendor’s use of “immediate patching” language — rather than standard disclosure cadence — signals that active threat intelligence drove the accelerated timeline. Multiple firewall models across the SonicWall product line are affected.

The advisory does not specify whether the bypass vulnerabilities allow unauthenticated remote exploitation or require local access, but the crash vulnerabilities present a denial-of-service risk for any organization relying on SonicWall as its primary perimeter device. SonicWall firewalls have been targeted repeatedly by threat actors in recent years — the SonicWall SMA 100 series saw active exploitation in 2021 and the SonicWall PSIRT has issued multiple emergency advisories since.

What defenders should do: Apply the firmware update referenced in the SonicWall advisory immediately. If patching requires a maintenance window, implement compensating controls: restrict management interface access to trusted IPs only, increase logging verbosity on affected devices, and monitor for anomalous device reboots or interface state changes that could indicate crash exploitation. Organizations with mixed-vendor firewall estates should verify their exposure management tooling covers firmware-level vulnerabilities — not just OS-level patches.

Source: SecurityWeek


FBI Warns of $725M in Cargo Theft via Broker Platform Compromises

The FBI issued a warning that cybercriminals are compromising freight broker and carrier management platforms to hijack physical cargo shipments. The attack chain starts with credential theft — typically against logistics platforms that lack multi-factor authentication — followed by the creation of fraudulent shipment listings that redirect cargo to attacker-controlled pickup locations. The FBI estimates $725 million in stolen goods during 2025, a significant increase from prior years.

This is not a traditional data breach. The cyber compromise enables physical theft — stolen credentials on a broker platform translate directly into stolen truckloads of goods. The attack targets the trust model that freight logistics depends on: brokers post loads, carriers accept them, and physical goods move based on digital authorization. When an attacker controls the digital authorization layer, the physical supply chain follows.

The FBI bulletin specifically calls out the absence of MFA on broker platforms as the primary enabler. Many logistics platforms are legacy web applications with username/password authentication and no session monitoring. Threat actors target these platforms via credential stuffing from prior breaches and phishing campaigns tailored to logistics industry terminology.

What defenders should do: Organizations in logistics, retail, and manufacturing should enforce phishing-resistant MFA on all broker and carrier management platforms. Implement network segmentation between logistics/OT systems and corporate IT. Monitor for anomalous login patterns on freight platforms — particularly logins from new geolocations or at unusual hours. Conduct third-party risk assessments of freight broker platform providers with specific focus on authentication controls.

Source: SecurityWeek


Two IR Professionals Sentenced to Four Years for Operating BlackCat Ransomware

Ryan Goldberg, formerly employed at incident response firm Sygnia, and Kevin Martin, formerly at DigitalMint, were each sentenced to four years in federal prison for deploying BlackCat (ALPHV) ransomware while working at their respective employers. The pair operated as ransomware affiliates, leveraging their insider access to victim environments and their knowledge of defensive controls to conduct and profit from attacks.

This case is significant because it is one of the first prosecuted instances of security practitioners actively operating as ransomware affiliates from within incident response organizations. The defendants had legitimate privileged access to victim networks as part of their IR roles — access that provided detailed knowledge of security architectures, detection capabilities, and backup configurations. This is the insider threat model at its most direct: the people hired to defend the network used that same access to attack it.

The sentencing underscores a structural risk in the incident response industry: IR engagements routinely grant practitioners domain admin-equivalent access, often with minimal time-bounding or behavioral monitoring. The trust model assumes that credentialed access during an engagement will be used exclusively for defensive purposes. This case demonstrates that assumption is not self-enforcing.

What defenders should do: Implement time-bound, role-based access controls for all third-party IR and managed security engagements. Log and monitor all privileged actions taken by external IR personnel. Require that IR contractor accounts are disabled immediately upon engagement completion — do not rely on the contractor to self-revoke. Conduct post-engagement access audits. Consider behavioral analytics on accounts with elevated privileges, including vendor accounts, not just internal users.

MITRE ATT&CK mapping: T1078 — Valid Accounts, T1486 — Data Encrypted for Impact

Source: SecurityWeek


TeamPCP Supply Chain Attack Compromises SAP, Lightning, and Intercom Packages — 1,800 Orgs Hit

The threat group TeamPCP compromised npm packages associated with SAP, Lightning (PyTorch), and Intercom in an operation dubbed “Mini Shai-Hulud.” The affected packages are downloaded over 10 million times per month collectively. TeamPCP injected a malicious preinstall hook into the packages that fetches the Bun JavaScript runtime binary, which then exfiltrates developer credentials and CI/CD pipeline secrets to attacker-controlled infrastructure. At least 1,800 organizations have confirmed compromise.

The attack is notable for its choice of execution mechanism. The npm preinstall lifecycle hook runs automatically before the package is installed — no user interaction beyond npm install is required. The Bun binary is a legitimate JavaScript runtime, which means it is unlikely to be flagged by signature-based endpoint detection. The exfiltration targets developer credentials, SSH keys, and environment variables containing API tokens and CI/CD secrets — the assets that enable lateral movement into production infrastructure.

This is the third major npm supply chain attack in 2026, following the ua-parser-js and event-stream lineage of package compromise campaigns. The pattern is consistent: compromise a widely-used package, inject code that runs during installation, and harvest credentials that provide access far beyond the development workstation.

What defenders should do: Audit npm dependencies for the affected SAP, Lightning, and Intercom packages. Implement software composition analysis (SCA) in CI/CD pipelines to detect unexpected preinstall hooks. Rotate all developer credentials and CI/CD secrets on affected workstations. Pin package versions and require lockfile integrity checks. Monitor for unexpected outbound connections from build servers and developer machines.

MITRE ATT&CK mapping: T1195.002 — Supply Chain Compromise: Compromise Software Supply Chain, T1059.007 — Command and Scripting Interpreter: JavaScript

Source: SecurityWeek


Today’s Deep Dive — The Insider Threat Model in Incident Response Engagements

The Goldberg-Martin sentencing makes explicit a risk that the security industry has acknowledged abstractly but rarely addresses operationally: the people with the deepest access to your environment during a crisis are the ones least monitored during that crisis.

Incident response engagements operate under emergency conditions. An IR team typically receives domain admin credentials, VPN access, EDR console access, and often direct access to backup systems — all granted under time pressure, often with verbal approval rather than formal access governance. The access is justified: you cannot investigate a breach without visibility into the compromised environment. But the monitoring of that access is almost universally absent.

The standard model assumes trust by credential. If an account is assigned to an IR practitioner, the actions taken under that account are presumed defensive. There is no behavioral baseline for what “normal IR activity” looks like versus “the IR practitioner is exfiltrating data or deploying ransomware.” In most environments, there is no automated detection for an IR account running Mimikatz, because IR accounts are expected to run Mimikatz.

The structural fix is not to stop granting access. It is to instrument that access. Time-bound credentials that expire automatically at engagement end. Separate, audited jump hosts for external IR access rather than direct VPN. Behavioral analytics that flag anomalous data movement even from privileged accounts. Post-engagement access reviews that verify every account created during the IR was disabled and every persistence mechanism was removed — by the IR team, and also by someone who is not on the IR team.

The operational reality is that most organizations do none of this during an active incident, because the incident itself consumes all available attention. That is precisely the condition the insider threat exploits: the moment when monitoring is at its weakest is the moment when access is at its broadest.

MITRE ATT&CK relevance: T1078 — Valid Accounts, T1098 — Account Manipulation, T1070 — Indicator Removal


Detection Spotlight — Monitoring Privileged Third-Party Access During IR Engagements

After the Goldberg-Martin case, a practical detection to implement: flag any account created during an IR engagement that is still active 48 hours after the engagement’s documented end date.

The following Splunk SPL query identifies accounts created within a defined IR engagement window that have authenticated after the engagement closed. Adjust the ir_start and ir_end values, the matching earliest and latest bounds in the subsearch, and the index to match your environment.

| tstats summariesonly=true count from datamodel=Authentication
  where Authentication.action=success Authentication.user=*
  by Authentication.user Authentication.src Authentication.dest _time
| rename Authentication.* as *
| eval ir_start="2026-04-15", ir_end="2026-04-25"
| where _time > strptime(ir_end, "%Y-%m-%d") + 172800
| join type=inner user
  [| search index=wineventlog EventCode=4720 earliest="04/15/2026:00:00:00" latest="04/25/2026:00:00:00"
   | rename TargetUserName as user
   | dedup user
   | table user]
| stats count earliest(_time) as first_post_ir_auth latest(_time) as last_post_ir_auth by user src dest
| convert ctime(first_post_ir_auth) ctime(last_post_ir_auth)
| sort -count

What this catches: Accounts provisioned during the IR engagement window (detected via Windows Event ID 4720 — user account creation) that continue to authenticate after the engagement officially ended. A non-zero result means an IR-provisioned account was not disabled — at minimum a hygiene failure, at worst an indicator of persistent unauthorized access.

False positive rate: Low. Accounts created during a defined IR window and authenticating post-engagement should not exist. The primary false positive is an internal account that was coincidentally created during the same window for unrelated purposes. Cross-reference with your IR scoping document to exclude known internal accounts.
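The same correlation, as an added JavaScript example that is not part of the brief, run over constructed Windows Security events instead of Splunk: it applies the 48-hour grace period from the opening paragraph and the scoping-document exclusion from the false-positive note, and doubles as the post-engagement access review the deep dive asks for. Event IDs 4720 (account created) and 4624 (successful logon) are standard Windows Security events; all account names, timestamps and addresses are made up.

```javascript
// Added example (not part of the brief): accounts created inside an IR engagement window
// that still log on more than 48 hours after the window closed. All events are constructed.
const EVENTS = [
  { code: 4720, time: '2026-04-16T09:00:00Z', user: 'ir-vendor-01' },
  { code: 4720, time: '2026-04-18T11:30:00Z', user: 'ir-vendor-02' },
  { code: 4720, time: '2026-04-20T14:00:00Z', user: 'svc-backup-new' },
  { code: 4720, time: '2026-04-10T08:00:00Z', user: 'jdoe' },                               // before the window
  { code: 4624, time: '2026-04-24T10:00:00Z', user: 'ir-vendor-01', src: '10.0.5.20' },     // during engagement
  { code: 4624, time: '2026-04-26T03:00:00Z', user: 'ir-vendor-01', src: '10.0.5.20' },     // inside 48h grace
  { code: 4624, time: '2026-04-29T02:15:00Z', user: 'ir-vendor-02', src: '203.0.113.9' },   // lingering account
  { code: 4624, time: '2026-04-30T02:20:00Z', user: 'ir-vendor-02', src: '203.0.113.9' },
  { code: 4624, time: '2026-04-28T09:00:00Z', user: 'svc-backup-new', src: '10.0.9.1' },    // internal, in scope doc
  { code: 4624, time: '2026-04-28T09:00:00Z', user: 'jdoe', src: '10.0.1.5' },
];
// Accounts the IR scoping document lists as internal and created in the same window
// for unrelated reasons: the false positive the spotlight describes.
const SCOPED_INTERNAL = new Set(['svc-backup-new']);

function findLingeringIrAccounts(events, irStart, irEnd, graceHours = 48, allowlist = new Set()) {
  const start = Date.parse(irStart);
  const end = Date.parse(irEnd);
  const cutoff = end + graceHours * 3600 * 1000;
  // Step 1: accounts created inside the engagement window (the SPL subsearch on 4720).
  const created = new Set(events
    .filter((e) => e.code === 4720 && Date.parse(e.time) >= start && Date.parse(e.time) <= end)
    .map((e) => e.user));
  // Step 2: successful logons by those accounts after the grace period, minus scoped exclusions.
  const hits = new Map();
  for (const e of events) {
    if (e.code !== 4624 || !created.has(e.user) || allowlist.has(e.user)) continue;
    if (Date.parse(e.time) <= cutoff) continue;
    const h = hits.get(e.user) || { user: e.user, count: 0, first: e.time, last: e.time, sources: new Set() };
    h.count += 1;
    if (e.time < h.first) h.first = e.time;   // same-format ISO-8601 strings sort lexically
    if (e.time > h.last) h.last = e.time;
    h.sources.add(e.src);
    hits.set(e.user, h);
  }
  return [...hits.values()].sort((a, b) => b.count - a.count);
}

// Window bounds match the dates in the SPL query (midnight to midnight, UTC).
const RESULTS = findLingeringIrAccounts(EVENTS, '2026-04-15T00:00:00Z', '2026-04-25T00:00:00Z', 48, SCOPED_INTERNAL);
for (const r of RESULTS) {
  console.log(`${r.user}: ${r.count} logon(s) after grace period, from ${[...r.sources].join(', ')}`);
}
```

Only ir-vendor-02 is reported: ir-vendor-01's last logon falls inside the grace period, jdoe predates the window, and svc-backup-new is excluded by the scoping list.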

