Multiple Zero‑Day and Supply‑Chain Attacks Hit Exchange, npm, Cisco and AI Repositories – Broad Enterprise Exposure
What Happened – A series of active exploits were disclosed this week: a critical remote‑code‑execution (RCE) zero‑day in Microsoft Exchange Server, a malicious npm package worm that injects credential‑stealing payloads, a counterfeit AI model repository used to deliver a stealer, and a newly‑found Cisco network‑control‑system vulnerability. In addition, a ransomware group claimed to have returned stolen data after a breach.
Why It Matters for TPRM –
- Critical email infrastructure (Exchange) is a common third‑party service; a breach can expose all downstream partners.
- Supply‑chain compromises of open‑source packages (npm) can propagate malicious code to dozens of downstream SaaS applications.
- Fake AI model pages illustrate how social engineering can be used to harvest credentials from vendor‑managed research environments.
- Network‑device exploits (Cisco) threaten the integrity of on‑prem and cloud‑connected environments that many vendors rely on.
Who Is Affected – Cloud‑hosted SaaS providers, enterprise IT departments, software development firms using npm, telecom/network equipment vendors, AI/ML research platforms, and any organization that integrates with Microsoft Exchange.
Recommended Actions –
- Verify that all Exchange servers are patched to the latest security update; enforce MFA for admin accounts.
- Conduct an inventory of npm dependencies; block unapproved packages and scan for known malicious signatures.
- Review third‑party AI model sources; enforce code‑signing and provenance verification.
- Apply Cisco advisory patches and segment network‑control traffic.
- Update incident‑response playbooks to include supply‑chain compromise scenarios.
Technical Notes –
- Exchange zero‑day exploits CVE‑2026‑XXXX (RCE via crafted HTTP request).
- npm worm leverages a malicious post‑install script that exfiltrates npm tokens and SSH keys.
- Fake AI repository hosted on a compromised GitHub account, delivering a PowerShell stealer.
- Cisco vulnerability (CVE‑2026‑YYYY) allows unauthenticated command injection on network‑control appliances.
Source: The Hacker News – Weekly Recap