Security Affairs Malware Newsletter Round 92 Highlights Surge in npm Supply‑Chain RCE, Cryptomining Proxies, and Government‑Targeted Campaigns
What Happened — The April 12, 2026 edition of Security Affairs' Malware Newsletter aggregates 36 recent malware developments. Among them: 36 malicious Strapi-related npm packages that achieve remote code execution through Redis and steal data, new Python-based backdoors that the Kimsuky group delivers through malicious LNK files, and attempts to turn ComfyUI servers into cryptomining proxy botnets.
Why It Matters for TPRM —
- A malicious npm package is pulled in by every downstream build that depends on it, directly or transitively, so one compromised dependency in a vendor's product becomes exposure for each of that vendor's customers.
- Cryptomining proxy tactics target AI-model hosting environments, where hijacked GPU compute is billed to the operator and the compromised host can be used to relay further attacker traffic from the vendor's cloud footprint.
- Government‑focused campaigns (e.g., Pawn Storm’s PRISMEX) illustrate heightened geopolitical risk for vendors serving public‑sector clients.
Who Is Affected — Technology/SaaS vendors, cloud service providers, AI/ML platform operators, government contractors, and any organization that relies on npm packages or ComfyUI‑based services.
Recommended Actions —
- Inventory npm dependencies, including the transitive ones recorded in the lockfile; pin exact versions, require registry-backed entries with integrity hashes and verified provenance, and review any package that runs install scripts, since install-time execution is how malicious packages typically gain a foothold.
- Baseline the outbound destinations that cloud-hosted AI/ML workloads legitimately need (model registries, package mirrors, internal services), alert on connections outside that baseline, and enforce it with default-deny egress rules at the host and network level.
- Re‑assess third‑party risk for vendors handling government or critical‑infrastructure data, ensuring they have robust threat‑intel monitoring.
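The dependency checks in the first recommended action, as an added example (not code from the Security Affairs newsletter or from any project it covers): the script flags version ranges in package.json and, in an npm v2/v3 package-lock.json, any package that is not resolved from the public registry, lacks an integrity hash, or is marked by npm as running an install script. The manifests embedded below are constructed and the package names are fictional.

```python
"""Dependency hygiene checks for a Node project's package.json and package-lock.json.

Added example for this brief, not code from the newsletter or from any project it
covers. The manifests below are constructed and the package names are fictional.
Lockfile handling assumes the npm v2/v3 format, where every installed package has
an entry under "packages" keyed by its node_modules path.
"""
from __future__ import annotations

import json
import re
from pathlib import Path

# Only an exact semver version counts as pinned; ranges, dist-tags and URLs do not.
EXACT_SEMVER = re.compile(r"^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$")
TRUSTED_REGISTRY = "https://registry.npmjs.org/"
INTEGRITY_PREFIXES = ("sha512-", "sha384-", "sha256-")


def unpinned_dependencies(package_json: dict) -> list[str]:
    """Return 'name@spec' for every dependency whose spec is not an exact version
    (for example ^1.2.3, ~1.2.3, >=1.0.0, *, latest, or a git/URL spec)."""
    flagged = []
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in package_json.get(section, {}).items():
            if not EXACT_SEMVER.match(spec):
                flagged.append(f"{name}@{spec}")
    return sorted(flagged)


def lockfile_findings(lock: dict) -> dict[str, list[str]]:
    """Check each installed package in a v2/v3 lockfile for three things:
    - resolved from the trusted registry (not git, plain HTTP tarballs or other hosts),
    - carries an integrity hash so `npm ci` verifies the tarball it installs,
    - marked by npm as running an install script (hasInstallScript), the usual way
      a malicious package executes code the moment it is installed.
    """
    findings: dict[str, list[str]] = {"untrusted_source": [], "missing_integrity": [], "install_scripts": []}
    for path, meta in lock.get("packages", {}).items():
        if path == "" or meta.get("link"):
            continue  # root project entry or a workspace symlink
        name = path.rsplit("node_modules/", 1)[-1]
        resolved = meta.get("resolved", "")
        if not resolved.startswith(TRUSTED_REGISTRY):
            findings["untrusted_source"].append(f"{name} <- {resolved or '(none)'}")
        if not meta.get("integrity", "").startswith(INTEGRITY_PREFIXES):
            findings["missing_integrity"].append(name)
        if meta.get("hasInstallScript"):
            findings["install_scripts"].append(name)
    return findings


def audit_project(project_dir: str) -> dict:
    """Run both checks against a real project directory."""
    root = Path(project_dir)
    package_json = json.loads((root / "package.json").read_text())
    lock = json.loads((root / "package-lock.json").read_text())
    return {"unpinned": unpinned_dependencies(package_json), **lockfile_findings(lock)}


# Constructed package.json: one pinned dependency, three floating specs.
SAMPLE_PACKAGE_JSON = {
    "name": "example-app",
    "dependencies": {
        "example-cms": "4.25.12",
        "example-cms-plugin-redis": "^1.0.0",
        "lodash": "latest",
    },
    "devDependencies": {"jest": "~29.7.0"},
}

# Constructed lockfile v3 excerpt (integrity values are placeholders).
SAMPLE_LOCK = {
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app"},
        "node_modules/example-cms": {
            "version": "4.25.12",
            "resolved": "https://registry.npmjs.org/example-cms/-/example-cms-4.25.12.tgz",
            "integrity": "sha512-AAAA",
        },
        "node_modules/example-cms-plugin-redis": {
            "version": "1.0.3",
            "resolved": "https://registry.npmjs.org/example-cms-plugin-redis/-/example-cms-plugin-redis-1.0.3.tgz",
            "integrity": "sha512-BBBB",
            "hasInstallScript": True,
        },
        "node_modules/helper-utils": {
            "version": "0.1.0",
            "resolved": "git+ssh://git@example.com/someone/helper-utils.git#abc123",
        },
    },
}


if __name__ == "__main__":
    print(json.dumps({"unpinned": unpinned_dependencies(SAMPLE_PACKAGE_JSON),
                      **lockfile_findings(SAMPLE_LOCK)}, indent=2))
```

Run it against a checkout with `audit_project(".")`. Treat the output as a review queue rather than a verdict: a package with an install script may be legitimate (native builds), but each one should be justified. Pair the script with `npm ci` in CI (which fails when the lockfile and manifest disagree), `ignore-scripts=true` in `.npmrc` for builds that do not need install hooks, and `npm audit signatures` to check registry signatures and provenance attestations.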
Technical Notes —
- Attack vectors: supply‑chain injection via malicious npm packages, malicious LNK files, abuse of open‑source AI model servers, and targeted phishing for credential harvesting.
- Relevant CVEs: the newsletter mentions CVE-2026-34621 (Adobe Reader RCE). No new CVE is tied to the npm or ComfyUI items; those involve malicious packages and abuse of deployed services rather than a newly disclosed software flaw, so patch status alone does not indicate exposure.
- Assets at risk: Redis databases reachable from the compromised application, potentially sensitive configuration files, and the compromised hosts themselves, which are turned into command-and-control (C2) relays and proxies for cryptomining traffic.
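The egress review in the Recommended Actions, and the C2 relay behaviour noted above, as an added example (not code from the newsletter or from ComfyUI): an allowlist of the destinations an inference host legitimately needs is applied to connection records to surface unauthorized outbound traffic, and the same allowlist is rendered as a default-deny nftables output chain. The allowlist, host names, internal addresses and flow records are constructed; external destinations use the RFC 5737 documentation ranges.

```python
"""Egress allowlist for AI/ML inference hosts: audit connection records against it
and render the same policy as an nftables ruleset.

Added example for this brief, not code from the newsletter or from ComfyUI. The
allowlist, host names, addresses and flow records are constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class EgressRule:
    network: ipaddress.IPv4Network | ipaddress.IPv6Network
    proto: str  # "tcp" or "udp"
    port: int
    comment: str


# Hypothetical policy: everything an inference host legitimately needs to reach.
ALLOWLIST = [
    EgressRule(ipaddress.ip_network("10.20.0.0/16"), "tcp", 443, "internal model registry and artifact store"),
    EgressRule(ipaddress.ip_network("10.10.5.10/32"), "udp", 53, "internal DNS resolver"),
    EgressRule(ipaddress.ip_network("10.30.0.5/32"), "tcp", 5432, "job metadata database"),
]

# Constructed flow records: timestamp, source host, destination IP, port, protocol, bytes sent.
SAMPLE_FLOWS = """\
2026-04-12T03:14:07Z comfyui-01 10.20.4.9 443 tcp 18213
2026-04-12T03:14:09Z comfyui-01 10.10.5.10 53 udp 94
2026-04-12T03:15:31Z comfyui-02 203.0.113.45 3333 tcp 1048576
2026-04-12T03:15:32Z comfyui-02 203.0.113.45 3333 tcp 2097152
2026-04-12T03:16:02Z comfyui-01 198.51.100.7 443 tcp 512
"""


def matching_rule(dst: str, port: int, proto: str) -> EgressRule | None:
    """Return the allowlist rule covering this destination, or None if egress is not permitted."""
    addr = ipaddress.ip_address(dst)
    for rule in ALLOWLIST:
        if addr in rule.network and rule.proto == proto and rule.port == port:
            return rule
    return None


def parse_flow(line: str) -> dict:
    ts, host, dst, port, proto, nbytes = line.split()
    return {"ts": ts, "host": host, "dst": dst, "port": int(port), "proto": proto, "bytes": int(nbytes)}


def find_violations(flow_log: str) -> list[dict]:
    """Every flow that no allowlist rule covers. On a default-deny network these are
    the connections the firewall blocked; on a permissive one they are the alerts."""
    return [f for f in map(parse_flow, filter(str.strip, flow_log.splitlines()))
            if matching_rule(f["dst"], f["port"], f["proto"]) is None]


def summarize(violations: list[dict]) -> dict[tuple[str, str, int], dict[str, int]]:
    """Aggregate by (host, destination, port) so repeated connections to one endpoint,
    the pattern of a miner or proxy checking in, appear as a single finding."""
    summary: dict[tuple[str, str, int], dict[str, int]] = {}
    for f in violations:
        entry = summary.setdefault((f["host"], f["dst"], f["port"]), {"count": 0, "bytes": 0})
        entry["count"] += 1
        entry["bytes"] += f["bytes"]
    return summary


def render_nftables(rules: list[EgressRule]) -> str:
    """Emit a default-deny nftables output chain that permits only the allowlist."""
    lines = [
        "table inet egress_inference {",
        "  chain output {",
        "    type filter hook output priority 0; policy drop;",
        "    oif lo accept",
        "    ct state established,related accept",
    ]
    for r in rules:
        family = "ip" if r.network.version == 4 else "ip6"
        lines.append(f'    {family} daddr {r.network} {r.proto} dport {r.port} accept comment "{r.comment}"')
    lines += ['    log prefix "egress-denied: " drop', "  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    for (host, dst, port), stats in summarize(find_violations(SAMPLE_FLOWS)).items():
        print(f"{host} -> {dst}:{port}  {stats['count']} flows, {stats['bytes']} bytes")
    print(render_nftables(ALLOWLIST))
```

Deriving the firewall rules and the detection logic from one allowlist keeps the two from drifting apart: a destination added to the policy is permitted and stops alerting in the same change. Apply the rendered chain on the host and mirror it in the cloud security group or network policy, and note that the `log ... drop` line is what produces the evidence for the review step.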