Transcript
A (0:00)
Are you a security professional in Boston? Then you should join us for a live CISO Series podcast recording. Check out the events page at cisoseries.com for details.
B (0:10)
From the CISO Series, it's Cybersecurity Headlines.
A (0:17)
These are the cybersecurity headlines for Monday, April 6, 2026. I'm Steve Prentice.

36 malicious npm packages exploited to deploy persistent implants

Researchers at security firm SafeDep have discovered 36 malicious packages in the npm registry disguised as Strapi CMS plugins, but which come with different payloads to facilitate Redis and PostgreSQL exploitation, deploy reverse shells, harvest credentials, and drop a persistent implant. They follow a naming convention starting with "strapi-plugin" and then phrases like cron, database or server to fool unsuspecting developers into downloading them. A report published by Group-IB in February revealed that software supply chain attacks have become the dominant force reshaping the global cyber threat landscape, with threat actors pursuing trusted vendors, open source software, SaaS platforms, browser extensions and managed service providers to gain inherited access to hundreds of downstream organizations.

Hundreds of millions to be cut from CISA in proposed budget

According to a summary released Friday, the president's fiscal 2027 budget threatens to slash CISA's budget by $707 million, although a separate budget document suggests a smaller cut of $361 million. The discrepancy is possibly due to the comparison points amid budget uncertainty for CISA's parent agency, the Department of Homeland Security. Prior to the current administration, the agency's budget had been $3 billion. It was noted by CyberScoop that the 2027 budget summary "recycles identical language from the 2026 budget summary and makes references to ending programs that CISA has already shuttered."

Hackers exploit React2Shell in automated credential theft campaign

Bleeping Computer is reporting on a wave of exploitation of React2Shell in a large scale campaign to automatically steal credentials. According to its report, at least 766 hosts across various cloud providers and geographies have been compromised to collect database and AWS credentials, SSH private keys, API keys, cloud tokens, and environment secrets. This operation uses a framework named Nexus Listener and sends automated scripts to extract and exfiltrate sensitive data from various applications. Cisco Talos is attributing the campaign to a threat group named UAT-10608.

Fortinet patches actively exploited vulnerability in FortiClient EMS

Fortinet has released out-of-band patches for this flaw, which has a CVSS score of 9.1 and which has been described as a pre-authentication API access bypass leading to privilege escalation. The issue affects FortiClient EMS versions 7.4.5 through 7.4.6. It is expected to be fully patched in the upcoming version 7.4.7, although the company has released a hotfix to address it in the meantime. Successful exploitation of the flaw could allow an unauthenticated attacker to sidestep API authentication and authorization protections and execute malicious code or commands via crafted requests.

Huge thanks to our sponsor, Vanta. Risk and regulation are ramping up, and customers expect proof of security just to do business. Vanta's automation brings compliance, risk and customer trust together on one AI-powered platform. So whether you are prepping for a SOC 2 or running an enterprise GRC program, Vanta keeps you secure and keeps your deals moving. Learn more at vanta.com/ciso. That is V-A-N-T-A dot com slash CISO.

CERT-EU cyber agency attributes European Commission data breach to TeamPCP

Following up on two stories we brought to you in the past couple of weeks, the European Union's cybersecurity agency CERT-EU announced on Thursday that the hacking group TeamPCP conducted the massive data breach at the European Commission. The hackers did so by breaking into the Commission's AWS account. It stole about 92 gigabytes of compressed data. The hack relied on the misuse of a secret Amazon API key and involved the Commission's europa.eu platform, which lives on AWS cloud infrastructure and is used by EU states to host websites belonging to bloc entities. It was ShinyHunters that then accessed the stolen data.

Massachusetts emergency communications system suffers a cyber attack

The specific communications system is used by several small towns across northern Massachusetts. The Patriot Regional Emergency Communications Center said the intrusion impacted town and public safety computer systems. 911 phone systems still worked, but non-emergency and business phone lines are out of service. The towns affected, Pepperell, Ashby, Dunstable, Groton and some others, serve as a regional hub for receiving emergency calls and dispatching police, fire or medical services. No further details about the hack or the group behind it have yet been released.

Hims & Hers suffers Zendesk-related breach

Hims & Hers is an American telehealth company specializing in the direct-to-consumer healthcare space, providing subscription-based treatments for hair loss, ED, mental health, skin care, weight loss and other conditions or needs. Bleeping Computer was told that the threat actors used an Okta SSO account to access the Hims & Hers Zendesk instance, where they stole millions of support tickets in early February of this year. The information exposed may include names, contact information and other unspecified data likely related to the support request submitted in each case, but the company underlined that no medical records or doctor communications were compromised.

Engineer admits to locking thousands of Windows devices in extortion plot

According to court documents, 57-year-old Daniel Rhyne (R-H-Y-N-E) from Kansas City, Missouri, has pleaded guilty to locking Windows admins out of 254 servers as part of a failed extortion plot that targeted his employer, an industrial company headquartered in Somerset County, New Jersey. He did so by remotely accessing the company's network without authorization using an administrator account. He allegedly scheduled tasks on the company's Windows domain controller to delete network admin accounts and to change the passwords for 13 domain admin accounts and 301 domain user accounts, which had a cascading effect on the servers of his employer's network. He also scheduled some tasks to shut down random servers and workstations on the network over multiple days, and this all occurred in November and December 2023. He sent emails that threatened to shut down 40 random servers daily over the next 10 days unless the company paid a ransom of 20 bitcoin, which was worth about $750,000 at the time. The hacking and extortion charges to which he pleaded guilty carry a maximum penalty of 15 years in prison.

Join us later today for the Department of No at 4pm Eastern Time. Each Monday we feature the biggest news of the week and break down why it could matter for your security team. We stream live on the CISO Series YouTube channel, so join us at 4pm to get involved in the chat. And if you have some thoughts on the news from today or about this show in general, please be sure to reach out to us at feedback@cisoseries.com. We would love to hear from you. I'm Steve Prentice reporting for the CISO Series.
