One hijacked npm contributor account. 144 poisoned packages. Every developer who pulled an update from the Mastra AI framework namespace during the compromise window got credential-harvesting code injected into their build pipeline — no CVE needed, no exploit required, just a trust model that treats a single account as the key to an entire ecosystem. That supply chain story leads today alongside a CVSS 10.0 Joomla flaw under active exploitation, a household-name breach, and a ransomware group hiding inside Microsoft Teams.
In the News
144 Mastra npm Packages Compromised via Hijacked Contributor Account
Attackers compromised a contributor account for the Mastra AI framework and used it to publish malicious versions of 144 npm packages under the project's namespace. The attack chain started through the 'easy-day-js' dependency — once the contributor's credentials were compromised, the attackers had publish rights to every package the account maintained.
The injected code harvested environment variables, API keys, and cloud credentials from developer machines and CI/CD pipelines, then exfiltrated them to attacker-controlled infrastructure. Because npm’s auto-update mechanisms pulled the poisoned versions into downstream projects without manual review, the blast radius extended far beyond Mastra’s direct users.
This is not a novel attack class — it mirrors the event-stream incident and the ua-parser-js compromise — but the scale is notable. 144 packages in a single namespace means one account compromise cascaded across an entire AI framework ecosystem. The operational lesson: contributor account security is the single highest-leverage control in any open-source supply chain. If a maintainer account lacks phishing-resistant MFA and access token rotation, the entire downstream dependency tree inherits that risk.
What defenders should do: Audit npm dependencies for Mastra namespace packages immediately. Pin package versions and require lockfile integrity checks in CI/CD pipelines. Enforce phishing-resistant MFA on all package registry accounts. Implement software composition analysis to detect unexpected dependency changes before they reach production.
CISA Orders Emergency Joomla JCE Plugin Patch — CVE-2026-48907, CVSS 10.0
CISA added CVE-2026-48907 to the Known Exploited Vulnerabilities catalog with a Friday patching deadline for federal agencies. The flaw is in the Widget Factory Joomla Content Editor (JCE) plugin and allows unauthenticated arbitrary PHP execution — a perfect 10.0 CVSS score with active exploitation confirmed.
The vulnerability requires no authentication and no user interaction. An attacker sends a crafted request to the JCE upload handler, achieves PHP code execution, and has full control of the web server. For organizations running Joomla with JCE — and many legacy marketing sites, intranets, and partner portals still do — this is a drop-everything patching event. Web application firewalls configured to block suspicious upload path requests serve as the compensating control while patching is underway.
CISA simultaneously flagged CVE-2026-54420, a root privilege escalation in the LiteSpeed cPanel plugin (CVSS 8.5), also actively exploited. Shared hosting providers and MSPs running cPanel infrastructure need to patch within the same window.
What defenders should do: Patch JCE immediately or disable the plugin. Deploy WAF rules blocking exploitation of Joomla upload paths. Inventory all Joomla instances across the organization — including forgotten marketing and event microsites. Patch LiteSpeed cPanel plugin on all shared hosting infrastructure.
Kodak Confirms Data Breach Claimed by ShinyHunters
Kodak confirmed a data breach after the ShinyHunters extortion group claimed responsibility and began publishing evidence of stolen data. The initial access vector has not been disclosed. ShinyHunters has a well-documented playbook: credential theft, lateral movement, mass data exfiltration, then extortion demands backed by public data leaks.
The group is responsible for the 2024 Ticketmaster breach and the Santander compromise that same year, both of which involved stolen credentials as the initial access mechanism. For manufacturing and enterprise organizations watching this headline, the question is not whether ShinyHunters will target their sector — the group is opportunistic and sector-agnostic — but whether their identity security controls and data exfiltration detection would catch the playbook before the extortion demand arrives.
What defenders should do: Review credential hygiene across all externally accessible services. Enforce phishing-resistant MFA. Implement network detection for bulk data exfiltration patterns. Validate incident response playbooks specifically against extortion scenarios where data theft precedes ransomware deployment.
DragonForce Ransomware Hides C2 Inside Microsoft Teams Relay Servers
The DragonForce ransomware group is routing command-and-control traffic through Microsoft Teams relay infrastructure using custom malware dubbed 'Backdoor.Turn'. The technique exploits the trust organizations place in Microsoft 365 traffic — because the destination domains are legitimate Microsoft infrastructure, traditional egress filtering and domain reputation systems classify the traffic as benign.
At the network layer, the C2 traffic is indistinguishable from normal Teams collaboration data. Detection requires behavioral analytics that baseline normal Teams relay patterns and flag anomalies: unusual session durations, atypical data volumes, connections from endpoints that do not normally use Teams, or relay connections to geographic regions inconsistent with the organization’s user base. This is a network detection and response problem, not a signature problem.
What defenders should do: Implement protocol-level inspection for Microsoft 365 traffic rather than blanket allowlisting. Deploy NDR with behavioral baselining for Teams relay patterns. Monitor for Backdoor.Turn indicators through endpoint detection. Review TLS inspection policies to ensure visibility into traffic destined for Microsoft infrastructure.
Defender Action Items
- npm supply chain: Audit all Mastra namespace dependencies. Pin versions, enforce lockfile integrity, and require phishing-resistant MFA on all registry accounts.
- CVE-2026-48907 (Joomla JCE): Patch or disable JCE immediately. Deploy WAF rules for upload path exploitation as a compensating control.
- CVE-2026-54420 (LiteSpeed cPanel): Patch all cPanel infrastructure running the LiteSpeed plugin. Audit for root-level compromise indicators.
- CVE-2026-39813 (FortiSandbox): Patch FortiSandbox and check for exploitation of CVE-2026-39808 and CVE-2026-25089. Review JRPC API access controls.
- CVE-2026-20262 (Cisco SD-WAN Manager): Apply Cisco advisory patches. Restrict management plane access to trusted networks only.
- DragonForce Teams C2: Review Microsoft 365 egress policies. Deploy behavioral NDR for Teams relay traffic anomalies.
- Kodak / ShinyHunters: Validate identity controls and data exfiltration detection against credential-theft-to-extortion playbooks.
Detection Queries
The following Splunk SPL query identifies anomalous npm package version changes in CI/CD pipeline logs — useful for detecting supply chain compromises like the Mastra attack where legitimate package names receive malicious version bumps:
index=cicd (sourcetype="npm_audit" OR sourcetype="package_lock_changes")
| eval version_change=if(previous_version!=current_version, "changed", "unchanged")
| where version_change="changed"
| bin _time span=1d
| stats count AS version_bumps dc(package_name) AS unique_packages BY repo_name, _time
| where unique_packages > 10 AND version_bumps > 20
| sort -version_bumps
| table _time, repo_name, unique_packages, version_bumps
This query flags repositories where an unusually high number of packages received version changes in a single update cycle — a signature pattern of namespace-wide supply chain compromise. Expect false positives during legitimate framework major-version upgrades; tune the threshold based on your normal update cadence.
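The same detection, and the lockfile integrity check recommended in the Mastra item above, carried out on the lockfile itself rather than on pipeline logs. This is an added example, not code from the brief or from the Mastra project: it compares two npm lockfiles (v2/v3 "packages" layout), reports scopes where many packages changed in one update, and flags tarballs whose integrity hash is missing or has changed under an unchanged version string. Package names, versions and hashes are constructed sample data; the scope "@sample-ai" stands in for a real framework namespace.

```javascript
// Constructed sample lockfiles (not real Mastra releases): the "before" state
// and an "after" state in which one scope was republished wholesale.
const BEFORE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@sample-ai/core":   { version: "0.4.2", integrity: "sha512-core-v0.4.2" },
    "node_modules/@sample-ai/memory": { version: "0.4.2", integrity: "sha512-memory-v0.4.2" },
    "node_modules/@sample-ai/rag":    { version: "0.4.2", integrity: "sha512-rag-v0.4.2" },
    "node_modules/@sample-ai/evals":  { version: "0.4.2", integrity: "sha512-evals-v0.4.2" },
    "node_modules/@sample-ai/tools":  { version: "0.4.2", integrity: "sha512-tools-v0.4.2" },
    "node_modules/lodash":            { version: "4.17.21", integrity: "sha512-lodash" },
  },
};
const AFTER = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@sample-ai/core":   { version: "0.4.3", integrity: "sha512-core-v0.4.3" },
    "node_modules/@sample-ai/memory": { version: "0.4.3", integrity: "sha512-memory-v0.4.3" },
    "node_modules/@sample-ai/rag":    { version: "0.4.3", integrity: "sha512-rag-v0.4.3" },
    "node_modules/@sample-ai/evals":  { version: "0.4.3", integrity: "sha512-evals-v0.4.3" },
    // Same version string, different tarball hash: a republished tarball.
    "node_modules/@sample-ai/tools":  { version: "0.4.2", integrity: "sha512-tools-REPUBLISHED" },
    "node_modules/lodash":            { version: "4.17.21", integrity: "sha512-lodash" },
    // New dependency with no integrity field at all.
    "node_modules/tiny-helper":       { version: "1.0.0" },
  },
};

// "node_modules/a/node_modules/@scope/name" -> "@scope/name"; null for the root entry "".
function packageName(lockKey) {
  const idx = lockKey.lastIndexOf("node_modules/");
  return idx === -1 ? null : lockKey.slice(idx + "node_modules/".length);
}

function scopeOf(name) {
  return name.startsWith("@") ? name.split("/")[0] : null;
}

// Every entry whose version or integrity hash differs between the two lockfiles,
// including entries that are new in the "after" state.
function diffLockfiles(before, after) {
  const prevPkgs = before.packages || {};
  const changes = [];
  for (const [key, entry] of Object.entries(after.packages || {})) {
    const name = packageName(key);
    if (name === null) continue;
    const prev = prevPkgs[key];
    const from = prev ? prev.version : null;
    const integrityChanged = Boolean(prev && prev.integrity && entry.integrity && prev.integrity !== entry.integrity);
    if (prev && from === entry.version && !integrityChanged) continue;
    changes.push({ name, from, to: entry.version, integrityMissing: !entry.integrity, integrityChanged });
  }
  return changes;
}

// Scopes in which at least minPackages entries changed in this single update:
// the namespace-wide pattern the SPL query above looks for in pipeline logs.
function namespaceBumps(changes, minPackages) {
  const byScope = new Map();
  for (const c of changes) {
    const scope = scopeOf(c.name);
    if (scope === null) continue;
    if (!byScope.has(scope)) byScope.set(scope, []);
    byScope.get(scope).push(c.name);
  }
  return [...byScope]
    .filter(([, names]) => names.length >= minPackages)
    .map(([scope, names]) => ({ scope, count: names.length, packages: [...names].sort() }));
}

// Entries the lockfile cannot vouch for: no integrity hash, or an unchanged
// version string that now resolves to a different tarball.
function integrityAlerts(changes) {
  return changes.filter((c) => c.integrityMissing || (c.from === c.to && c.integrityChanged));
}

function report(before, after, minPackages = 3) {
  const changes = diffLockfiles(before, after);
  return { changes, namespaceAlerts: namespaceBumps(changes, minPackages), integrityAlerts: integrityAlerts(changes) };
}

const DEMO_REPORT = report(BEFORE, AFTER);
console.log(JSON.stringify(DEMO_REPORT, null, 2));
```

Run it as a CI step against the committed lockfile and the one produced by the dependency update, and fail the job on any namespace alert or integrity alert rather than merging on green tests alone; the `minPackages` threshold plays the same role as the `unique_packages` threshold in the SPL query and needs the same tuning for frameworks that legitimately release all their packages in lockstep.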
For detecting Teams relay abuse (DragonForce Backdoor.Turn), the following KQL query identifies endpoints making anomalous connections to Teams relay infrastructure:
DeviceNetworkEvents
// 24-hour window: the UniqueHours threshold below is a per-day measure
| where Timestamp > ago(1d)
| where RemoteUrl has_any ("teams.microsoft.com", "relay.teams.microsoft.com", "turn.teams.microsoft.com")
| summarize ConnectionCount=count(), TotalBytesSent=sum(SentBytes), UniqueHours=dcount(bin(Timestamp, 1h)) by DeviceName, RemoteUrl
| where UniqueHours > 18 or TotalBytesSent > 500000000
| sort by TotalBytesSent desc
This surfaces endpoints maintaining near-continuous relay connections or transferring unusually large volumes through Teams infrastructure — both indicators of C2 channel abuse rather than normal collaboration. Note that the standard Microsoft Defender DeviceNetworkEvents schema does not carry a SentBytes column; the volume condition assumes that field has been joined in from a source that records byte counts (firewall or NDR flow logs ingested into Sentinel). Without such a source, drop the volume clause and rely on the UniqueHours test.
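The same logic as the KQL query, run over network event records so the thresholds can be tested before they are deployed, extended with the "endpoint that does not normally use Teams" check from the DragonForce item. This is an added example, not code from the brief, from Microsoft or from any NDR product: the records, device names, byte counts and the 30-day baseline set are all constructed, and the field names mirror the DeviceNetworkEvents columns used in the query.

```javascript
// Teams relay hosts named in the KQL query above.
const RELAY_HOSTS = ["teams.microsoft.com", "relay.teams.microsoft.com", "turn.teams.microsoft.com"];

function isRelayUrl(url) {
  return RELAY_HOSTS.some((h) => url === h || url.endsWith("." + h));
}

// Build constructed DeviceNetworkEvents-style records: one connection per listed
// hour of a single day, each sending bytesPerConn bytes.
function mkEvents(device, url, hours, bytesPerConn) {
  return hours.map((h) => ({
    Timestamp: `2026-06-16T${String(h).padStart(2, "0")}:15:00Z`,
    DeviceName: device,
    RemoteUrl: url,
    SentBytes: bytesPerConn,
  }));
}

// Constructed sample telemetry (not real data).
const EVENTS = [
  // Ordinary user: a handful of meetings during working hours.
  ...mkEvents("WS-FINANCE-07", "relay.teams.microsoft.com", [9, 10, 11, 14, 15], 20000000),
  // Heavy but plausible user: five sessions, 150 MB each, 750 MB total.
  ...mkEvents("WS-MEDIA-01", "turn.teams.microsoft.com", [9, 10, 11, 12, 13], 150000000),
  // Build server with a small connection every hour of the day.
  ...mkEvents("SRV-BUILD-02", "turn.teams.microsoft.com", Array.from({ length: 24 }, (_, i) => i), 1000000),
  // Unrelated traffic that must be ignored.
  ...mkEvents("WS-FINANCE-07", "api.github.com", [10], 5000),
];

// Devices with Teams relay history in the (constructed) 30-day baseline.
const BASELINE_DEVICES = new Set(["WS-FINANCE-07", "WS-MEDIA-01"]);

// Aggregate per device and relay host, then apply the three tests: near-continuous
// activity (distinct hours), atypical volume, and an endpoint absent from the baseline.
function flagRelayAnomalies(events, baselineDevices, { maxUniqueHours = 18, maxBytes = 500000000 } = {}) {
  const agg = new Map();
  for (const e of events) {
    if (!isRelayUrl(e.RemoteUrl)) continue;
    const key = `${e.DeviceName}|${e.RemoteUrl}`;
    const a = agg.get(key) || { DeviceName: e.DeviceName, RemoteUrl: e.RemoteUrl, ConnectionCount: 0, TotalBytesSent: 0, hours: new Set() };
    a.ConnectionCount += 1;
    a.TotalBytesSent += e.SentBytes;
    a.hours.add(Math.floor(Date.parse(e.Timestamp) / 3600000)); // same bucketing as bin(Timestamp, 1h)
    agg.set(key, a);
  }
  const findings = [];
  for (const a of agg.values()) {
    const reasons = [];
    if (a.hours.size > maxUniqueHours) reasons.push(`near-continuous: active in ${a.hours.size} distinct hours`);
    if (a.TotalBytesSent > maxBytes) reasons.push(`volume: ${a.TotalBytesSent} bytes sent`);
    if (!baselineDevices.has(a.DeviceName)) reasons.push("first-seen: no Teams relay history in baseline");
    if (reasons.length > 0) {
      findings.push({ DeviceName: a.DeviceName, RemoteUrl: a.RemoteUrl, ConnectionCount: a.ConnectionCount, UniqueHours: a.hours.size, TotalBytesSent: a.TotalBytesSent, reasons });
    }
  }
  return findings.sort((x, y) => y.TotalBytesSent - x.TotalBytesSent);
}

const DEMO_FINDINGS = flagRelayAnomalies(EVENTS, BASELINE_DEVICES);
console.log(JSON.stringify(DEMO_FINDINGS, null, 2));
```

The build server is the instructive case: its total volume is tiny, so a byte-count rule alone never sees it, but it is active in all 24 hours and has no prior Teams history, which is exactly the low-and-slow beaconing profile the brief describes. The media workstation trips only the volume rule and is the kind of hit that needs a per-device baseline rather than a global threshold.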