RubyGems disables signups after an attack on staff, Instructure paid the ransom, the Gentleman ransomware operation gets hacked, and another major supply chain attack on npm. Yawn. This is the Risky Bulletin, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 13th of May and this podcast episode is brought to you by Knocknoc, which has built and shipped a GreyNoise integration. More details are in this week's sponsor interview.

In today's top story, the npm packages of the popular TanStack web development framework were compromised to deliver a self-propagating worm and credential stealers. TanStack npm packages were modified on Monday in a supply chain attack that quickly spread across the npm ecosystem. Almost 400 packages were compromised, including libraries from AI company Mistral and business automation giant UiPath. The incident is the latest chapter in the Shai-Hulud worm infestation that's plagued the developer ecosystem since November. The worm has become more destructive and now wipes systems when their owners try to revoke or rotate stolen tokens.

In other news, the RubyGems package repository has disabled new user signups after a cyber attack targeted its staff. Hundreds of malicious packages were published on Monday containing malicious code aimed at RubyGems developers. The code tried to execute cross-site scripting attacks and steal data. The RubyGems security team is investigating and will share more details soon.

Edtech company Instructure has paid the hackers who took down its Canvas student management platform. The company emailed schools and colleges about the payment, and the platform was restored over the weekend. Almost 9,000 universities, schools and school districts were impacted by the hack and couldn't access the platform during end-of-year exams. It's unknown how much Instructure paid.

A ransomware attack disrupted the activity of Foxconn's North American factories earlier this month. The company confirmed the incident after workers leaked some of its internal messages on social media last week. The Nitrogen ransomware group claimed responsibility for the attack in a blog post on Tuesday. The group claims it stole eight terabytes of data, including confidential projects and chip drawings for Apple, Google and Nvidia orders.

A ransomware attack has also disrupted the operations of a major manufacturer of pharmaceutical drug packaging. The incident took place last week and impacted West Pharmaceutical Services. The attack impacted West's global business operations. Manufacturing, shipping and receiving operations have been restored at some locations, per an SEC filing.

Best Western International is notifying guests who stayed at its hotels of a security breach. The hotel chain says a hacker had access to its reservation system for over six months, between October and April this year. The company operates several hotel brands such as Best Western, Shaw Hotels and WorldHotels.

The EU is expected to propose a bloc-wide social media ban for children as early as this summer. The new regulations will ban children under the age of 15 from creating new accounts on social media platforms. The EU is also considering banning social media platforms from using certain addictive design features, such as infinite scrolling and autoplay.

Russia's internet watchdog has denied blocking access to GitHub after access to the site deteriorated over the past week. Alexander Gorelkin, a Russian lawmaker behind the bans of Western tech services in Russia, blamed the issue on Microsoft. Roskomnadzor also denied it would ban YouTube and WhatsApp prior to banning them.

Google says a cybercrime group used AI tools to discover a zero-day in a popular open source web-based system administration tool. The zero-day in the unnamed utility would have allowed the group to bypass 2FA during logins if they had valid credentials. Google's security team says it detected the zero-day before it was used in widespread attacks.

An increasing number of ransomware and data extortion groups are now using threats of physical violence to intimidate victims into paying up. Threats of violence doubled last year and are more prevalent in the US. Threats are being sent to staff, executives and even ransomware negotiators. Most threats are being sent through violence-as-a-service operations.

The database and internal comms of the Gentleman ransomware operation have been hacked and put up for sale on an underground hacking forum. The data was being offered for just $10,000 before the forum's admins took it down. The data is believed to have been stolen from the ransomware's web hosting provider, a shady service known as 4vps.

Iranian state-sponsored hackers breached an unnamed major South Korean electronics maker. The intrusion took place in February and lasted for a week. It was part of a sprawling cyber espionage campaign that breached at least eight other organisations across the globe. Symantec didn't name the company but linked the attacks to a group known as Seedworm, or MuddyWater.

A security researcher dropped two Windows zero-days minutes after Microsoft released this month's Patch Tuesday. The two zero-days include a privilege escalation bug named Green Plasma and a BitLocker bypass bug named Yellow Key. The same researcher, going by the nickname of Nightmare Eclipse, also dropped the Blue Hammer and Red Sun zero-days last month.

Attackers can take over ipTIME home routers via the protocol used by ISPs to manage the devices. The attack doesn't require authentication and targets the CWMP protocol, also known as TR-069. The vendor did not respond to the security researchers who reported the vulnerabilities.

Google is rolling out a new security feature to Android smartphones to aid malware investigations. The new Intrusion Logging feature allows Android to create privacy-preserving forensics logs that don't expose users' sensitive data. The feature was designed in conjunction with the security teams at Amnesty International and Reporters Without Borders. It's rolling out to all devices running the Android 16 December update and newer.

Support for end-to-end encrypted RCS messaging rolled out to Apple devices on Monday in iOS 26.5. E2EE RCS has been supported on Android for several years. The feature will allow Android and iPhone users to exchange encrypted messages with each other. RCS was designed as a replacement for SMS.

And finally, OpenAI has launched Daybreak, a project to deploy frontier AI models in popular software projects to detect and patch vulnerabilities. Daybreak will use multiple OpenAI models, including the company's new GPT-5.5 cyber-specialized model.

And that is all for this podcast edition. Today's show was brought to you by Knocknoc. Find them at knocknoc.io. That's K-N-O-C-K-N-O-C dot I-O. Thanks for your company.
Podcast: Risky Bulletin
Host: Risky Business Media
Date: May 13, 2026
Episode Theme: This episode covers major developments in cybersecurity, with a focus on a destructive worm targeting the npm ecosystem, alongside significant attacks on RubyGems, notable ransomware incidents, regulatory updates, and new security initiatives.
The episode centers on ongoing threats facing the global developer and enterprise community, with the primary focus on a sophisticated supply chain attack involving a self-propagating worm in the npm ecosystem. Additional segments discuss related security breaches, ransomware attacks in multiple sectors, newly proposed EU social media regulations, and advancements in digital security tools and practices.
| Timestamp | Topic |
|-----------|-------|
| 00:05 | npm ecosystem worm supply chain attack |
| 01:41 | RubyGems staff targeted, signups disabled |
| 02:31 | Ransomware on Instructure (Canvas), Foxconn, West Pharma |
| 04:11 | Best Western guest data breach |
| 04:46 | EU social media regulations for children |
| 05:25 | Russian GitHub access issues |
| 06:11 | AI finds zero-day; rise in physical threats |
| 07:46 | Gentleman ransomware group breached |
| 08:31 | Iranian campaign on Korean electronics firm |
| 09:06 | "Nightmare Eclipse" two new Windows zero-days |
| 09:41 | Router vulnerabilities (TR-069) |
| 10:11 | Google and OpenAI new security features |
This Risky Bulletin episode provides a comprehensive review of escalating cybersecurity risks, with an expert yet accessible tone. Major incidents, like the npm TanStack worm and rising extortion tactics, are contextualized alongside promising industry responses, from privacy tools to AI-powered defense. The episode offers cybersecurity professionals and lay audiences alike a brisk, practical orientation to the rapidly shifting threat landscape as of mid-2026.