Zero-Days and Supply Chain Attacks: A Rough Week for Defense Teams
This past week has been particularly brutal for security teams, with multiple zero-day vulnerabilities hitting production environments and some concerning trends in attack methods. Let me walk through what happened and why it matters for our day-to-day operations.
The Fortinet Emergency Patch You Need to Know About
Fortinet just pushed out an emergency patch for FortiClient that addresses CVE-2026-35616, an authentication bypass vulnerability that’s already being exploited in the wild. If you’re running FortiClient in your environment, this should be at the top of your patching queue.
What makes this particularly concerning is that it’s yet another in a series of Fortinet vulnerabilities that attackers have actively targeted. We’ve seen this pattern before with FortiOS and FortiGate devices, where threat actors specifically hunt for Fortinet infrastructure because of its prevalence in enterprise environments. The authentication bypass nature of this flaw means attackers could potentially sidestep your VPN protections entirely.
If you’re managing FortiClient deployments, I’d recommend treating this as a drop-everything-and-patch situation. The fact that it’s already being exploited means the clock is ticking, and you can bet that exploit code will be widely available soon if it isn’t already.
Windows Zero-Day Drama: When Researchers Go Rogue
Here’s something that should make us all uncomfortable: a researcher just leaked exploit code for an unpatched Windows privilege escalation vulnerability after becoming frustrated with Microsoft’s response process. The vulnerability, dubbed “BlueHammer,” allows attackers to gain SYSTEM-level permissions on Windows machines.
This situation highlights a real problem we face in coordinated disclosure. While I understand the researcher’s frustration with slow vendor response times, releasing working exploit code for an unpatched vulnerability puts all of us in a tough spot. We now have a publicly available privilege escalation exploit that Microsoft hasn’t had time to address.
For now, your best bet is implementing defense-in-depth strategies around privilege escalation. Monitor for unusual elevation attempts, ensure your endpoint detection is tuned for privilege escalation behaviors, and consider additional application control measures for critical systems until Microsoft releases a patch.
DPRK Attackers Get Creative with GitHub
North Korean threat actors are showing some interesting innovation in their latest campaign targeting South Korean organizations. They’re using GitHub as command-and-control infrastructure, which is honestly pretty clever from an evasion standpoint.
The attack chain starts with obfuscated LNK files that drop decoy PDFs while establishing the GitHub-based C2 channel. What makes this approach particularly sneaky is that GitHub traffic looks completely legitimate in most environments. Unless you’re doing deep packet inspection or have specific behavioral analytics looking for unusual GitHub API usage patterns, this could easily fly under the radar.
This technique should make us rethink how we monitor outbound connections to legitimate services. We might need to start looking more closely at the volume and patterns of connections to code repositories, especially from endpoints that don’t typically need that access.
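One way to start on the kind of behavioral monitoring described above is to look at proxy logs for two signals: GitHub traffic from hosts that have no development role, and a steady polling cadence to the same repository content, which is how a C2 beacon tends to look. The script below is an added example written for this post, not code from the original article or from the campaign it describes; the log lines, the GitHub domain list and the `DEV_HOSTS` inventory are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log lines (assumed format: timestamp, source host,
# destination domain, request path). These are not real log records.
SAMPLE_LOGS = """\
2026-04-14T09:00:00 dev-laptop-01 api.github.com /repos/acme/app/commits
2026-04-14T09:03:12 dev-laptop-01 github.com /acme/app.git
2026-04-14T09:00:00 hr-desktop-07 raw.githubusercontent.com /x/y/main/t.txt
2026-04-14T09:05:00 hr-desktop-07 raw.githubusercontent.com /x/y/main/t.txt
2026-04-14T09:10:00 hr-desktop-07 raw.githubusercontent.com /x/y/main/t.txt
2026-04-14T09:15:00 hr-desktop-07 raw.githubusercontent.com /x/y/main/t.txt
2026-04-14T09:20:00 hr-desktop-07 raw.githubusercontent.com /x/y/main/t.txt
2026-04-14T09:01:00 finance-pc-03 api.github.com /gists/abc
"""

# Domains that count as "GitHub" for this check (assumed list).
GITHUB_DOMAINS = {
    "github.com", "api.github.com", "gist.github.com",
    "raw.githubusercontent.com", "objects.githubusercontent.com",
}

# Assumed asset inventory: hosts that are expected to talk to GitHub.
DEV_HOSTS = {"dev-laptop-01"}


def parse_logs(text):
    """Parse the constructed log format into (timestamp, host, dest, path) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dest, path = line.split()
        events.append((datetime.fromisoformat(ts), host, dest, path))
    return events


def find_suspicious_hosts(events, dev_hosts=DEV_HOSTS, min_events=3, max_jitter_seconds=30):
    """Return {host: [reasons]} for hosts whose GitHub traffic looks out of place.

    Two signals are combined: the host is not in the development inventory, and/or
    its requests arrive at a near-constant interval (low standard deviation of the
    gaps between requests), which is typical of a polling beacon rather than a human.
    """
    stamps_by_host = defaultdict(list)
    for ts, host, dest, _path in events:
        if dest in GITHUB_DOMAINS:
            stamps_by_host[host].append(ts)

    findings = {}
    for host, stamps in stamps_by_host.items():
        reasons = []
        if host not in dev_hosts:
            reasons.append("github traffic from host outside the dev inventory")
        stamps.sort()
        if len(stamps) >= min_events:
            gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
            if pstdev(gaps) <= max_jitter_seconds:
                reasons.append(f"regular polling cadence (~{mean(gaps):.0f}s)")
        if reasons:
            findings[host] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in find_suspicious_hosts(parse_logs(SAMPLE_LOGS)).items():
        print(host, "->", "; ".join(reasons))
```

In the constructed sample, the developer laptop is ignored, the finance PC is flagged only for being outside the inventory, and the HR desktop is flagged twice because it also fetches the same raw file every five minutes. The jitter threshold and the minimum event count are the knobs to tune against your own baseline before alerting on this.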
Supply Chain Attacks Hit the NPM Ecosystem Again
The supply chain attack surface expanded this week with 36 malicious NPM packages targeting Guardarian users. These packages masqueraded as legitimate Strapi plugins but were designed to execute shells, escape containers, and harvest credentials.
This is exactly the kind of attack that keeps me up at night. Developers pull in dependencies constantly, and it’s incredibly difficult to verify the legitimacy of every package, especially when they’re designed to look like legitimate plugins for popular frameworks like Strapi.
If you’re managing development environments, this is a good reminder to implement package scanning and maintain an inventory of approved dependencies. Consider using tools that can detect suspicious package behavior and establish clear processes for vetting new dependencies before they make it into production.
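A minimal version of the "inventory of approved dependencies" check, added here as an example and not taken from the original post or from any tool it mentions: it reads a `package.json`, compares every dependency against an allowlist of reviewed name/version pairs, insists on exact version pins, and flags names that closely resemble an approved package, which is how lookalike plugins slip past a quick glance. The manifest and the `APPROVED` inventory are constructed for the example.

```python
import difflib
import json
import re

# Constructed example manifest (not a real project).
PACKAGE_JSON = json.dumps({
    "name": "acme-cms",
    "dependencies": {
        "@strapi/strapi": "4.25.0",
        "@strapi/plugin-i18n": "4.25.0",
        "strapi-plugin-i18n-extras": "^1.0.3",
        "lodash": "4.17.21",
    },
})

# Assumed approved inventory: package name -> set of versions that were reviewed.
APPROVED = {
    "@strapi/strapi": {"4.25.0"},
    "@strapi/plugin-i18n": {"4.25.0"},
    "lodash": {"4.17.21"},
}

# An exact semver pin, as opposed to a range such as ^1.0.3 or ~1.0.
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+$")


def check_dependencies(manifest_text, approved=APPROVED, lookalike_cutoff=0.7):
    """Return {package: [problems]} for dependencies that fail the inventory policy."""
    manifest = json.loads(manifest_text)
    deps = {}
    for section in ("dependencies", "devDependencies"):
        deps.update(manifest.get(section, {}))

    findings = {}
    for name, spec in deps.items():
        problems = []
        if name not in approved:
            problems.append("not in approved inventory")
            # A near-miss of an approved name is worth calling out explicitly:
            # difflib's ratio is a cheap similarity score good enough for a first pass.
            close = difflib.get_close_matches(name, list(approved), n=1, cutoff=lookalike_cutoff)
            if close:
                problems.append(f"name resembles approved package {close[0]}")
        elif spec not in approved[name]:
            problems.append(f"version {spec} has not been reviewed")
        if not EXACT_VERSION.match(spec):
            problems.append(f"version spec {spec!r} is not an exact pin")
        if problems:
            findings[name] = problems
    return findings


if __name__ == "__main__":
    for pkg, problems in check_dependencies(PACKAGE_JSON).items():
        print(pkg)
        for p in problems:
            print("  -", p)
```

Run against the constructed manifest, only `strapi-plugin-i18n-extras` is reported, with three findings: it is not in the inventory, its name resembles the approved `@strapi/plugin-i18n`, and it uses a caret range instead of a pin. In a real pipeline this would run on the lockfile as well, since the lockfile is what actually gets installed.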
The Redirect Problem Gets Worse
Finally, there’s some interesting research showing that redirect-based phishing attacks are becoming more sophisticated. Attackers are actively hunting for open redirect vulnerabilities and chaining them together to create more convincing phishing campaigns.
This trend matters because redirects can make malicious URLs much harder to detect. When a phishing email contains a link to a legitimate domain that then redirects to the malicious site, traditional URL filtering becomes less effective. Users are more likely to trust the initial legitimate domain, and security tools might not follow the redirect chain to evaluate the final destination.
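The fix on the tooling side is to follow the redirect chain and judge the final destination rather than the first hop. Below is an added example of that logic, not code from the research the post cites: it walks 3xx responses, resolves relative `Location` headers, stops on loops and excessive hop counts, and flags links that start on a trusted domain but land somewhere else. The responses are simulated with a lookup table of made-up hosts so the example runs offline; in production you would swap `simulated_fetch` for a real HTTP client running in an isolated environment.

```python
from urllib.parse import urljoin, urlparse

# Constructed simulation of HTTP responses (the hosts are invented):
# url -> (status code, Location header or None).
SIMULATED_RESPONSES = {
    "https://trusted.example/out?u=https://link.example/a": (302, "https://link.example/a"),
    "https://link.example/a": (301, "/b"),  # relative Location, resolved against the current URL
    "https://link.example/b": (307, "https://login-verify.example/portal"),
    "https://login-verify.example/portal": (200, None),
    "https://loop.example/x": (302, "https://loop.example/y"),
    "https://loop.example/y": (302, "https://loop.example/x"),
}

REDIRECT_CODES = {301, 302, 303, 307, 308}


def simulated_fetch(url):
    """Stand-in for an HTTP client: returns (status, Location) for a URL."""
    return SIMULATED_RESPONSES.get(url, (404, None))


def resolve_redirect_chain(start_url, fetch=simulated_fetch, max_hops=10):
    """Follow redirects from start_url. Returns (chain, outcome) where outcome is
    'final', 'loop' or 'too_many_hops'."""
    chain = [start_url]
    seen = {start_url}
    url = start_url
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in REDIRECT_CODES or not location:
            return chain, "final"
        nxt = urljoin(url, location)
        chain.append(nxt)
        if nxt in seen:
            return chain, "loop"
        seen.add(nxt)
        url = nxt
    return chain, "too_many_hops"


def assess_link(start_url, trusted_hosts, fetch=simulated_fetch):
    """Classify a link by where its redirect chain ends, not where it starts."""
    chain, outcome = resolve_redirect_chain(start_url, fetch)
    hosts = [urlparse(u).hostname for u in chain]
    if outcome != "final":
        verdict = "block"  # loops and endless chains are never legitimate
    elif hosts[0] in trusted_hosts and hosts[-1] not in trusted_hosts:
        verdict = "review"  # trusted entry point, untrusted landing page
    else:
        verdict = "allow"
    return {"chain": chain, "outcome": outcome, "final_host": hosts[-1], "verdict": verdict}


if __name__ == "__main__":
    print(assess_link("https://trusted.example/out?u=https://link.example/a", {"trusted.example"}))
    print(assess_link("https://loop.example/x", {"trusted.example"}))
```

The first call in the usage block is the scenario the paragraph describes: the link a user sees points at `trusted.example`, but three hops later it lands on an unrelated host, so the verdict is "review" rather than "allow". The loop case is there because any crawler that follows redirects needs a `seen` set and a hop limit, or it will hang on exactly the kind of chained redirects attackers build.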
What This Means for Your Tuesday Morning
Looking at these incidents together, I see a few themes that should inform our defensive strategies. First, the time between vulnerability disclosure and active exploitation continues to shrink. The Fortinet and Windows zero-days remind us that emergency patching capabilities aren’t optional anymore.
Second, attackers are getting more creative with legitimate infrastructure. The GitHub C2 technique and the NPM supply chain attack both leverage trusted platforms in ways that traditional security controls might miss.
We need to evolve our monitoring and detection capabilities to account for these trends. That means better behavioral analytics, more sophisticated supply chain security, and incident response plans that can handle zero-day scenarios.
Sources
- Fortinet Issues Emergency Patch for FortiClient Zero-Day
- Disgruntled researcher leaks “BlueHammer” Windows zero-day exploit
- DPRK-Linked Hackers Use GitHub as C2 in Multi-Stage Attacks Targeting South Korea
- Guardarian Users Targeted With Malicious Strapi NPM Packages
- How often are redirects used in phishing in 2026?