Today’s security landscape is dominated by a sophisticated, large-scale supply chain attack targeting Red Hat’s official npm packages and a stark government warning about active cyberattacks on critical fuel infrastructure. These threats, combined with a novel Android Gemini hijack technique and a sanctioned crypto exchange facilitating ransomware payments, create a multi-faceted risk environment requiring immediate defensive action.
Red Hat npm Miasma: A Credential-Stealing Worm in the Supply Chain
A severe supply chain compromise has infected over 90 versions of official @redhat-cloud-services npm packages. This campaign, dubbed ‘Miasma’, operates by silently stealing credentials from GitHub, cloud platforms, and local developer machines within CI/CD environments. The malicious code then exhibits worm-like behavior by republishing trusted packages to propagate further. This attack undermines trust in a core, enterprise-grade software repository and poses a direct threat to the integrity of development pipelines and the secrets they manage. Organizations must immediately scan for compromised packages (versions 2026.2.1 and earlier), revoke exposed credentials, and tighten dependency controls.
Critical Infrastructure Alert: Hackers Actively Targeting Fuel Tank Systems
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), alongside the FBI and NSA, has issued a joint warning that threat actors are actively targeting internet-exposed Automatic Tank Gauge (ATG) systems. These systems monitor fuel and liquid storage tanks across multiple critical infrastructure sectors, including energy. Attackers are exploiting weak security postures to potentially disrupt fuel supply or gather intelligence. The recommended action is clear: isolate these OT systems from the public internet immediately, apply all vendor patches (e.g., for Wayne Ovation or Veeder-Root systems), and implement strict network segmentation following the Purdue Model to limit lateral movement.
Notification to Malware: Hijacking Google Gemini on Android
A newly disclosed vulnerability allows a single poisoned notification from popular apps like WhatsApp, Slack, or Signal to hijack the Google Gemini voice assistant on Android devices. This exploit could force the assistant to open connected smart-home windows, send fake messages, initiate calls, or even corrupt its long-term memory. The attack vector, abuse of notification-access permissions, highlights the risks of tightly integrated AI assistants. Until a patch is released (likely assigned CVE-2026-XXXXX), the most effective mitigation is to disable the Gemini voice assistant via Mobile Device Management (MDM) policy in enterprise environments and restrict its notification-access permissions.
Evasive Malware and Sanctioned Finance
The threat ecosystem continues to evolve with novel evasion tactics. A new malspam campaign is abusing Google’s legitimate DoubleClick ad domain (doubleclick.net) as an initial redirect point to deliver the DesckVB Remote Access Trojan (RAT). This technique helps the malicious payload evade email security filters by routing through a trusted domain first. Concurrently, the U.S. Treasury’s sanctions against Iran’s Nobitex cryptocurrency exchange reveal its role in facilitating ransomware payments. Security teams must now block transactions to known Nobitex wallet addresses and update threat intelligence feeds to flag associated financial activity.
Patching Priority: OpenClaw and Legacy Netlogon Vulnerabilities
While the above threats are trending, foundational vulnerabilities still require attention. Two OpenClaw vulnerabilities—CVE-2026-28474 (allowlist bypass in Nextcloud Talk) and CVE-2026-28470 (command injection)—should be patched by upgrading to versions 2026.2.6 and 2026.2.2, respectively. Furthermore, the SANS Stormcast highlights continued exploitation of legacy Windows Netlogon vulnerabilities (CVE-2020-1472, CVE-2022-38023). Organizations that have not fully enforced Secure RPC signing should treat this as a high priority.
First, scan all development and CI/CD environments for compromised @redhat-cloud-services npm packages (version 2026.2.1 and earlier) and immediately rotate all associated credentials. Second, ensure all Operational Technology (OT) networks, particularly those managing fuel tank monitoring systems, are segmented and isolated from the internet, with all ATG system patches applied. Third, deploy MDM policies to disable the Google Gemini voice assistant on enterprise Android devices and restrict its notification access until a patch for the hijack vulnerability is available.
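The package scan called for in the Miasma section and in the first action item above, as an added example (not code from Red Hat or from the advisory): it walks a package-lock.json (lockfileVersion 2/3 layout) and flags every @redhat-cloud-services package at version 2026.2.1 or earlier, including nested copies. The lock-file contents and package names are constructed sample data.

```javascript
// Added example: flag @redhat-cloud-services packages in the affected range
// (2026.2.1 and earlier, per the advisory) inside an npm package-lock.json.
// Lockfile v2/v3 keys "packages" by node_modules path, so nested copies are found too.

const AFFECTED_SCOPE = '@redhat-cloud-services/';
const LAST_AFFECTED = '2026.2.1'; // this version and everything older is flagged

// Compare dotted numeric versions (e.g. "2026.2.1"); any pre-release suffix is ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] ?? 0, y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Return every {path, name, version} entry that falls in the affected range.
function findAffected(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry, not a dependency
    // Package name is everything after the last "node_modules/", scope included.
    const idx = path.lastIndexOf('node_modules/');
    const name = meta.name || path.slice(idx + 'node_modules/'.length);
    if (!name.startsWith(AFFECTED_SCOPE) || !meta.version) continue;
    if (compareVersions(meta.version, LAST_AFFECTED) <= 0) {
      hits.push({ path, name, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lock file (hypothetical package names): one affected top-level
// package, one newer-than-affected package, and one affected nested copy.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '1.0.0' },
    'node_modules/@redhat-cloud-services/example-a': { version: '2026.1.9' },
    'node_modules/@redhat-cloud-services/example-b': { version: '2026.3.0' },
    'node_modules/some-lib': { version: '4.2.0' },
    'node_modules/some-lib/node_modules/@redhat-cloud-services/example-c': { version: '2026.2.1' },
  },
};

for (const h of findAffected(sampleLock)) {
  console.log(`AFFECTED ${h.name}@${h.version} at ${h.path}`);
}
```

Any hit means the pipeline that installed the lock file must have its GitHub, cloud and local credentials rotated, not just the package upgraded.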