Cybersecurity Headlines – Episode Summary
Date: April 6, 2026
Host: Steve Prentiss, CISO Series
Main Topics: Malicious npm packages, Proposed CISA budget cuts, Hackers exploiting React2Shell, Major global data breaches, and more.
Episode Overview
This episode delivers a fast-paced rundown of the day's most significant cybersecurity news. Key stories include the discovery of malicious npm packages planted to infect developers, proposed US federal budget cuts to CISA, a large-scale credential theft campaign exploiting React2Shell, updates on vulnerabilities, attribution of a major EU Commission breach, and several notable cyberattacks affecting emergency services, telehealth, and corporate environments.
Key Discussion Points & Insights
1. Malicious npm Packages for Persistent Implants
- Details:
- Researchers at SafeDep found 36 malicious packages on the npm registry disguised as Strapi CMS plugins.
- Payloads include tools for Redis/PostgreSQL exploitation, reverse shells, credential harvesting, and “persistent implants.”
- Packages used naming conventions like STRAPI-plugin-cron, STRAPI-plugin-database, etc., to deceive developers.
- Reflects a larger trend: according to a Group-IB report (Feb 2026), supply chain attacks now pose the most significant risk in cybersecurity, targeting trusted vendor software, SaaS, and browser extensions for widespread infiltration.
- Quote:
- "[Software supply chain attacks] have become the dominant force reshaping the global cyber threat landscape, with threat actors pursuing trusted vendors, open source software..." (Steve Prentiss, 01:13)
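As an added illustration (not part of the episode or of SafeDep's research), a small dependency-manifest check that flags unscoped packages borrowing a vendor's plugin naming, the pattern described above; the sample package.json, the trusted scope mapping and the allowlist are assumptions for this example:

```python
import json
import re

# Constructed sample package.json (not from the episode or any real project).
SAMPLE_PACKAGE_JSON = """{
  "name": "demo-app",
  "dependencies": {
    "@strapi/strapi": "^4.25.0",
    "@strapi/plugin-users-permissions": "^4.25.0",
    "strapi-plugin-cron": "1.0.3",
    "strapi-plugin-database": "2.1.0",
    "express": "^4.19.2"
  }
}"""

# Assumption: vendors whose official packages live in a scoped namespace.
# An unscoped "<vendor>-plugin-*" name is treated as a lookalike to triage.
TRUSTED_SCOPES = {"strapi": "@strapi/"}

# Matches unscoped names such as strapi-plugin-cron; scoped names start
# with '@' and therefore never match.
LOOKALIKE_RE = re.compile(r"^(?P<vendor>[a-z0-9]+)-plugin-", re.IGNORECASE)


def find_lookalike_dependencies(package_json_text: str,
                                allowlist: set[str] = frozenset()) -> list[dict]:
    """Return dependencies that imitate a trusted vendor's plugin naming
    but sit outside that vendor's scoped namespace.

    Legitimate community plugins also use this naming, so vetted names
    belong in `allowlist`; this is a triage heuristic, not a verdict."""
    manifest = json.loads(package_json_text)
    findings = []
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, version in manifest.get(section, {}).items():
            # npm names are lowercase; compare case-insensitively anyway so
            # 'STRAPI-plugin-cron' and 'strapi-plugin-cron' are treated alike.
            lowered = name.lower()
            m = LOOKALIKE_RE.match(lowered)
            if not m or lowered in allowlist:
                continue
            scope = TRUSTED_SCOPES.get(m.group("vendor"))
            if scope:
                findings.append({"section": section, "name": name,
                                 "version": version, "expected_scope": scope})
    return findings


if __name__ == "__main__":
    for f in find_lookalike_dependencies(SAMPLE_PACKAGE_JSON):
        print(f"[{f['section']}] {f['name']}@{f['version']} "
              f"uses vendor naming outside {f['expected_scope']}")
```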
2. Proposed Budget Cuts to CISA
- Details:
- The President’s FY 2027 budget may cut CISA funding by up to $707 million, though some documents suggest $361 million due to calculation discrepancies.
- Prior to the current administration, CISA had a $3 billion budget.
- Criticism: The budget summary “recycles identical language” from previous years and includes references to programs already ended.
- Quote:
- "...the 2027 budget summary recycles identical language from the 2026 budget summary and makes references to ending programs that CISA has already shuttered." (Steve Prentiss, 02:37)
3. Automated Credential Theft Exploiting React2Shell
- Details:
- Bleeping Computer reports large-scale exploitation using React2Shell.
- At least 766 hosts compromised across various cloud setups to steal database credentials, AWS and SSH keys, API keys, and environment secrets.
- The attackers use the "Nexus Listener" framework for automated scripts and exfiltration.
- Cisco Talos links this to threat group UAT10608.
- Quote:
- "Operation uses a framework named Nexus Listener and sends automated scripts to extract and exfiltrate sensitive data from various applications." (Steve Prentiss, 03:20)
4. Fortinet Patches Actively Exploited Vulnerability in FortiClient EMS
- Details:
- Newly disclosed flaw (CVSS 9.1) in FortiClient EMS (v7.4.5–7.4.6) allows an unauthenticated attacker to bypass API authentication and escalate privileges.
- Hotfix released; full fix expected in v7.4.7.
- Attackers can bypass authentication and execute code via crafted requests.
- Quote:
- "Successful exploitation of the flaw could allow an unauthenticated attacker to sidestep API authentication...and execute malicious code or commands via crafted requests." (Steve Prentiss, 04:10)
5. EU Commission Data Breach Attributed to Team PCP
- Details:
- ENISA (CERT-EU) attributes a major European Commission breach to Team PCP.
- Hackers misused an Amazon API key to access the Commission’s AWS account, stealing 92 GB of compressed data.
- ShinyHunters accessed the stolen data afterward.
- Breach affected the Europa EU platform hosting websites for EU bloc entities.
- Quote:
- "The hackers did so by breaking into the Commission's AWS account. It stole about 92 gigabytes of compressed data." (Steve Prentiss, 05:21)
6. Massachusetts Emergency Communications System Cyberattack
- Details:
- The attack impacted the Patriot Regional Emergency Communications Center, which serves multiple towns (Pepperell, Ashby, Dunstable, Groton, etc.).
- 911 lines operational, but business/non-emergency phones down.
- No details yet on attack origin or group responsible.
- Quote:
- "...911 phone systems still worked, but non-emergency and business phone lines are out of service." (Steve Prentiss, 06:00)
7. Hims & Hers Breach via Zendesk
- Details:
- US telehealth provider Hims & Hers had millions of support tickets accessed after an attacker compromised its Okta SSO account and breached Zendesk.
- Exposed information: names, contact data, and likely details from the support request, but not medical records or doctor communications.
- Quote:
- "The information exposed may include names, contact information and other unspecified data likely related to the support request..." (Steve Prentiss, 06:44)
8. Engineer Admits to Corporate Extortion via Server Lockout
- Details:
- Daniel Rhyne (Kansas City, MO) pleaded guilty to locking 254 Windows servers, deleting admin accounts, and demanding $750,000 in Bitcoin from his employer.
- Using his privileged access, he scheduled account deletions and system shutdowns over Nov–Dec 2023.
- Faces up to 15 years in prison.
- Quote:
- "...threatened to shut down 40 random servers daily over the next 10 days unless the company paid a ransom of 20 bitcoin, which was worth about $750,000 at the time." (Steve Prentiss, 07:28)
Notable Quotes & Memorable Moments
- On supply chain attacks:
- "Software supply chain attacks have become the dominant force reshaping the global cyber threat landscape..." (01:13)
- On CISA budget confusion:
- "...makes references to ending programs that CISA has already shuttered." (02:37)
- On credential theft automation:
- "Framework named Nexus Listener and sends automated scripts to extract and exfiltrate sensitive data..." (03:20)
- On EU data breach scale:
- "...stole about 92 gigabytes of compressed data." (05:21)
- On attack consequences:
- "He also scheduled some tasks to shut down random servers and workstations on the network over multiple days..." (07:17)
Timestamps for Key Stories
- Malicious npm packages: 00:17 – 01:50
- CISA budget cuts: 01:51 – 02:44
- React2Shell credential theft: 02:45 – 03:38
- Fortinet zero-day exploited: 03:39 – 04:30
- EU Commission breach: 05:12 – 05:51
- Massachusetts emergency system attack: 05:52 – 06:21
- Hims & Hers Zendesk breach: 06:22 – 07:00
- Engineer’s internal extortion plot: 07:01 – 08:08
Summary
This episode spotlights the increasing volume and sophistication of cyberattacks affecting open-source ecosystems, government operations, healthcare platforms, and critical public infrastructure. The prevalence of supply chain attacks and credential theft tactics underscores the heightened risk across all sectors. Budgetary support for cybersecurity agencies remains in flux amid political shifts, raising concerns as attacks become more pervasive.
For more details and the full transcripts, visit cisoseries.com.
