Week in Malware: CISA Adds n8n to KEV, Iran-Linked Wiper Hits Medical Giant

March 12, 2026 · Malware & Threats · 4 min read · critical

Originally reported by BleepingComputer, Graham Cluley, Cisco Talos, Malwarebytes Labs, Bitdefender Labs

#ransomware #supply-chain #cisa-kev #wiper-malware #phishing #npm #wordpress #authenticator

TL;DR

CISA added an actively exploited n8n RCE vulnerability to its KEV catalog, mandating federal patches by March 25. Meanwhile, Iranian-linked Handala group deployed wiper malware against medical technology giant Stryker.

Why critical?

CISA added an actively exploited n8n RCE vulnerability to the Known Exploited Vulnerabilities catalog, indicating confirmed active exploitation in the wild.

Active Exploitation Forces Federal Action

CISA Orders n8n Patching After Active Exploitation

CISA added CVE-2023-50427 to its Known Exploited Vulnerabilities catalog this week, ordering federal agencies to patch the n8n workflow automation platform by March 25, 2026. The remote code execution vulnerability in n8n versions before 1.19.4 allows attackers to execute arbitrary code through crafted HTTP requests. Cisco Talos researchers discovered the flaw, which affects the popular open-source workflow automation tool used across enterprise environments.
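As an added example (not code from the article or from any of the reporting sources it cites), the following Python triages a constructed n8n inventory against a constructed KEV-style record built from the values above: the CVE id, the first fixed release 1.19.4 and the March 25, 2026 due date. Hostnames and installed versions are sample data.

```python
"""Added example: flag n8n instances below the fixed release named in the
KEV entry and report how many days remain before CISA's due date.
KEV_JSON mirrors the field names of the public KEV JSON feed but is a
constructed record, not a download; SAMPLE_INVENTORY is constructed too."""
import json
from datetime import date

# Constructed KEV-style record using the values from the article.
KEV_JSON = json.dumps({"vulnerabilities": [{
    "cveID": "CVE-2023-50427",
    "vendorProject": "n8n",
    "product": "n8n",
    "dueDate": "2026-03-25",
}]})

FIXED_VERSION = "1.19.4"  # first fixed release according to the article


def parse_version(v: str) -> tuple:
    """Turn a plain 'x.y.z' release string into a comparable tuple.
    Pre-release suffixes are deliberately not handled here."""
    return tuple(int(p) for p in v.split("."))


def is_vulnerable(version: str) -> bool:
    """True when the installed release is older than FIXED_VERSION."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def triage(kev_json: str, inventory: dict, today_iso: str) -> list:
    """Return (host, version, days_left) for every host still needing the patch.
    inventory maps hostname -> installed n8n version; today_iso is YYYY-MM-DD."""
    entry = next(v for v in json.loads(kev_json)["vulnerabilities"]
                 if v["cveID"] == "CVE-2023-50427")
    days_left = (date.fromisoformat(entry["dueDate"])
                 - date.fromisoformat(today_iso)).days
    return [(host, ver, days_left) for host, ver in sorted(inventory.items())
            if is_vulnerable(ver)]


# Constructed inventory: two hosts behind the fix, one already patched.
SAMPLE_INVENTORY = {"wf-prod-01": "1.18.2", "wf-prod-02": "1.19.4", "wf-dev": "1.9.0"}

if __name__ == "__main__":
    for host, ver, left in triage(KEV_JSON, SAMPLE_INVENTORY, "2026-03-12"):
        print(f"{host}: n8n {ver} < {FIXED_VERSION}, {left} days before KEV due date")
```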

Iranian Wipers Target Medical Infrastructure

Medical technology giant Stryker confirmed it was hit by a wiper malware attack claimed by Handala, an Iranian-linked pro-Palestinian hacktivist group. The attack took critical systems offline and disrupted the company's operations. Handala has previously targeted Israeli and Western organizations with destructive malware campaigns; the Stryker attack marks an escalation into critical healthcare infrastructure providers.

Law Enforcement Continues BlackCat Disruption

Second DigitalMint Employee Charged in BlackCat Scheme

The Department of Justice charged another former DigitalMint employee for participation in an insider scheme supporting BlackCat (ALPHV) ransomware operations. The employee allegedly worked as a ransomware negotiator while secretly partnering with the criminal organization. This follows previous charges against other DigitalMint insiders who facilitated cryptocurrency transactions for ransomware payments, demonstrating the ongoing law enforcement focus on dismantling ransomware support networks.

Supply Chain Attacks Continue

PhantomRaven Expands npm Campaign

Researchers identified a new wave of the PhantomRaven supply-chain campaign targeting the npm registry with 88 malicious packages. The packages exfiltrate sensitive data from JavaScript developers, including environment variables, SSH keys, and authentication tokens. The campaign represents an evolution of previous npm poisoning attacks, with threat actors continuously adapting their techniques to evade detection mechanisms.

Fake Claude Code Ads Spread Cross-Platform Malware

Bitdefender Labs discovered a malicious Google Ads campaign targeting users searching for Claude AI downloads. The campaign serves fake "Claude Code" applications containing malware for both Windows and macOS systems. Attackers exploit the popularity of AI tools to distribute information stealers and remote access trojans, highlighting the growing threat landscape around AI-adjacent software.

WordPress and Authentication Vulnerabilities

SQL Injection Hits 250,000+ WordPress Sites

Elementor's Ally accessibility plugin contains an SQL injection vulnerability affecting over 250,000 WordPress installations. Because the flaw is reachable without authentication, attackers can extract sensitive database information without any login credentials. Site administrators should immediately update to the latest plugin version to prevent data theft.

Microsoft Authenticator Bug Leaks Login Codes

Microsoft patched a vulnerability in its Authenticator app for Android and iOS that could allow malicious applications on the same device to intercept authentication codes and sign-in links. The bug highlights the importance of maintaining updated authentication applications and avoiding installation of untrusted software on devices containing sensitive authentication tools.

Ongoing Threat Intelligence

Multi-Platform Vulnerabilities Disclosed

Cisco Talos disclosed vulnerabilities in the BioSig Project's Libbiosig library and OpenCFD's OpenFOAM, plus an unpatched vulnerability in Microsoft DirectX. The research demonstrates continued focus on identifying security flaws in widely deployed libraries and frameworks that could impact multiple applications.

Social Engineering Campaigns Evolve

Malwarebytes Labs documented several evolving social engineering campaigns, including IPv6-based phishing link obfuscation in fake United Healthcare toothbrush offers, sextortion emails using passwords harvested from temporary email services, and tax season robocalls promoting fraudulent relief programs. These campaigns show attackers adapting to seasonal opportunities and technical countermeasures.

Platform Security Improvements

Meta deployed new anti-scam protections across WhatsApp, Facebook, and Messenger, while WhatsApp introduced parent-managed accounts for pre-teens with enhanced privacy controls. These defensive measures represent ongoing efforts by major platforms to combat social engineering attacks and protect vulnerable user populations.

Sources

  • US charges another ransomware negotiator linked to BlackCat attacks
  • CISA orders feds to patch n8n RCE flaw exploited in attacks
  • Medtech giant Stryker offline after Iran-linked wiper malware attack
  • New PhantomRaven NPM attack wave steals dev data via 88 packages
  • SQLi flaw in Elementor Ally plugin impacts 250k+ WordPress sites
  • Microsoft Authenticator could leak login codes—update your app now
  • Windows and macOS Malware Spreads via Fake "Claude Code" Google Ads
  • DirectX, OpenFOAM, Libbiosig vulnerabilities
  • WhatsApp introduces parent-managed accounts for pre-teens
  • Meta adds new WhatsApp, Facebook, and Messenger anti-scam tools
  • Phishers hide scam links with IPv6 trick in "free toothbrush" emails
  • Sextortion "I recorded you" emails reuse passwords found in disposable inboxes
  • Watch out for tax-season robocalls pushing fake "relief programs"
  • Smashing Security podcast #458: How not to steal $46 million from the US government
