TTPs over time
Monthly ATT&CK technique observations (chart): Mar 2026: 5, Apr 2026: 8, May 2026: 12
Techniques shown: T1552 Unsecured Credentials, T1555 Credentials from Password Stores; Command and Control: T1105 Ingress Tool Transfer, T1071 Web Protocols
AC3-ADV-2026-024 · No CVE - TeamPCP campaign
Mini Shai-Hulud: SAP CAP npm supply chain attack targeting CI/CD credential harvesting
High · Monitoring
Summary
AC3 is aware of an active supply chain campaign targeting SAP CAP npm packages. Malicious preinstall scripts harvest GitHub, npm, and cloud credentials from developer workstations and build agents. We are assessing exposure across client environments and will issue per-client advisories where impacted dependencies are detected.
Version information
Affected
@cap-js/sqlite <= 1.10.2, @cap-js/postgres <= 1.6.1, several related packages
Fixed
Upstream maintainers have published clean versions. Before trusting a reinstall, verify package integrity with 'npm audit signatures', which checks registry signatures and provenance attestations for every package in the lockfile.
Recommended actions
Audit lockfiles for the affected @cap-js/* package versions.
Rotate any GitHub, npm, and cloud credentials accessible from CI build agents that have run installs in the last 14 days. Treat developer workstations that installed the affected versions the same way, since the preinstall script runs there too.
Block the known C2 GitHub repositories listed in the indicators section.
Run 'npm ci --ignore-scripts' (or set ignore-scripts=true in the job's .npmrc) on untrusted CI jobs. This skips every lifecycle script, including legitimate ones such as native-module builds, so packages that genuinely need an install script must be built in a separate, isolated step.
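As an added example (not AC3 tooling, and not code from the SAP CAP project), the lockfile audit in the first action above, in Python. It reads a package-lock.json (lockfileVersion 1 with nested 'dependencies', or 2/3 with the flat 'packages' map), compares every installed @cap-js/* version against the inclusive upper bounds named in this advisory, and exits non-zero on a hit so it can gate a CI job. The AFFECTED_MAX table covers only the two packages the advisory names; the related packages it does not enumerate must be added from the upstream advisory. SAMPLE_LOCK is a constructed input, not a real project's lockfile.

```python
"""Audit a package-lock.json for the affected @cap-js/* versions.

Added example, not AC3 tooling. Handles lockfileVersion 1 (nested
"dependencies") and 2/3 (flat "packages" map keyed by install path).
"""
import json
import re
import sys
from typing import Dict, Iterator, List, Tuple

# Inclusive upper bound of each affected range named in the advisory.
# The "several related packages" are not enumerated on the page, so this
# table is an assumption to be extended from the upstream advisory.
AFFECTED_MAX: Dict[str, str] = {
    "@cap-js/sqlite": "1.10.2",
    "@cap-js/postgres": "1.6.1",
}

_SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?")


def parse_version(v: str) -> Tuple[int, int, int, bool]:
    """Map '1.10.2' or '1.10.2-rc.1' to a sortable tuple.

    A prerelease sorts below its release, so the last element is False
    for prereleases and True for final releases.
    """
    m = _SEMVER.match(v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), pre is None)


def iter_lock_entries(lock: dict) -> Iterator[Tuple[str, str]]:
    """Yield (package name, installed version) for every entry in the lockfile."""
    packages = lock.get("packages")
    if packages is not None:  # lockfileVersion 2 or 3
        for path, meta in packages.items():
            if not path or "version" not in meta:
                continue  # "" is the root project; workspace links lack a version
            # Nested installs look like node_modules/a/node_modules/@scope/b;
            # the package name is everything after the last node_modules/.
            yield path.rsplit("node_modules/", 1)[-1], meta["version"]
        return
    stack = [lock.get("dependencies", {})]  # lockfileVersion 1
    while stack:
        for name, meta in stack.pop().items():
            if "version" in meta:
                yield name, meta["version"]
            if meta.get("dependencies"):
                stack.append(meta["dependencies"])


def audit_lockfile(lock: dict) -> List[Tuple[str, str]]:
    """Return sorted (name, version) pairs that fall inside an affected range."""
    hits = set()
    for name, version in iter_lock_entries(lock):
        bound = AFFECTED_MAX.get(name)
        if bound is None:
            continue
        try:
            if parse_version(version) <= parse_version(bound):
                hits.add((name, version))
        except ValueError:
            hits.add((name, version))  # cannot prove it safe: report it
    return sorted(hits)


# Constructed lockfile for demonstration; not taken from any real project.
SAMPLE_LOCK = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "0.1.0"},
        "node_modules/@cap-js/sqlite": {"version": "1.10.2"},
        "node_modules/@cap-js/postgres": {"version": "1.6.2"},
        "node_modules/some-lib/node_modules/@cap-js/postgres": {"version": "1.6.0-rc.1"},
        "node_modules/express": {"version": "4.19.2"},
    },
}


def main(argv: List[str]) -> int:
    """Audit the lockfile at argv[0], or the sample when no path is given."""
    if argv:
        with open(argv[0], encoding="utf-8") as fh:
            lock = json.load(fh)
    else:
        lock = SAMPLE_LOCK
    hits = audit_lockfile(lock)
    for name, version in hits:
        print(f"AFFECTED {name}@{version}")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as 'python audit_lock.py package-lock.json' in the CI job before 'npm ci'; the non-zero exit on a hit is what stops the pipeline. Nested copies of a package (a transitive dependency pinning its own @cap-js/postgres) are caught because every install path in the lockfile is walked, not just the top level.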
Attribution
TeamPCP · Cybercriminal collective
Motivation
Financial - credential and access broker
Confidence
Medium
First observed
2026-03
Region / origin
Unknown
Linked to prior npm supply chain campaigns active across Q1 2026. The group appears to specialise in CI/CD credential harvesting via preinstall scripts. No confirmed link to nation-state activity. Tradecraft overlaps with the original Shai-Hulud npm worm of 2025, hence the 'mini' naming.
A critical authentication bypass in Cisco IOS XE WebUI is being actively exploited in the wild. Successful exploitation allows unauthenticated attackers to create privileged accounts on affected devices. AC3 has completed assessment of all managed Cisco IOS XE devices and remediation is in progress.
Version information
Affected
Cisco IOS XE 17.6.x, 17.9.x, 17.12.x prior to patched releases
Fixed
17.6.6a, 17.9.4a, 17.12.2 and later
Recommended actions
Apply the patched Cisco IOS XE release matching your maintenance train immediately.
If patching cannot proceed within 24 hours, disable the HTTP/HTTPS server on the device using 'no ip http server' and 'no ip http secure-server'. This also removes WebUI management access and any tooling that depends on it, so confirm an alternative management path (SSH or console) before applying.
Review device configuration for unauthorised user accounts created since the disclosure date: compare 'show running-config | include username' against your configuration baseline and treat any unexpected privilege 15 account as evidence of compromise, not as a cleanup item.
Enable AAA logging and forward to your SIEM for correlation.
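The WebUI workaround and the account review above, as an added Python example that is not AC3 or Cisco tooling: given the text of 'show running-config', it reports whether 'ip http server' and 'ip http secure-server' are configured on, lists 'username' entries that are not in a baseline allowlist, and emits the 'no ip http ...' commands still needed on that device. KNOWN_ACCOUNTS, SAMPLE_CONFIG and the account names in it are constructed for the example; the advisory lists no attacker account names, which is why the check is an allowlist against your own baseline rather than a blocklist.

```python
"""Check an IOS XE running-config for the WebUI listeners and for local
accounts outside the expected baseline.

Added example, not AC3 tooling. Feed it the text of
'show running-config' taken from the device.
"""
import re
from typing import Dict, List, Set

# Baseline of local accounts that are supposed to exist. Constructed for
# this example; in practice this comes from configuration management.
KNOWN_ACCOUNTS: Set[str] = {"netops", "backup-svc"}

# 'username <name> [privilege <n>] ...'; privilege defaults to 1 when absent.
_USERNAME = re.compile(r"^username\s+(\S+)(?:\s+privilege\s+(\d+))?")


def http_server_state(config: str) -> Dict[str, bool]:
    """Report whether the HTTP and HTTPS WebUI listeners are configured on.

    Assumption: a listener not mentioned in the config is treated as off.
    Confirm on the device with 'show ip http server status', since the
    platform default can differ.
    """
    state = {"http": False, "https": False}
    for raw in config.splitlines():
        line = raw.strip()
        if line == "ip http server":
            state["http"] = True
        elif line == "no ip http server":
            state["http"] = False
        elif line == "ip http secure-server":
            state["https"] = True
        elif line == "no ip http secure-server":
            state["https"] = False
    return state


def unexpected_accounts(config: str, known: Set[str]) -> List[Dict[str, object]]:
    """Return every local 'username' entry whose name is not in the baseline."""
    found = []
    for raw in config.splitlines():
        m = _USERNAME.match(raw.strip())
        if m and m.group(1) not in known:
            found.append({
                "username": m.group(1),
                "privilege": int(m.group(2) or 1),
                "line": raw.strip(),
            })
    return found


def mitigation_commands(state: Dict[str, bool]) -> List[str]:
    """Config-mode commands that close whichever listener is still on."""
    cmds = []
    if state["http"]:
        cmds.append("no ip http server")
    if state["https"]:
        cmds.append("no ip http secure-server")
    return cmds


# Constructed configuration excerpt; the account names and hashes are
# placeholders, not indicators from the advisory.
SAMPLE_CONFIG = """\
!
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$PLACEHOLDER
username backup-svc secret 9 $9$PLACEHOLDER
username svc-admin2 privilege 15 secret 9 $9$PLACEHOLDER
!
ip http server
ip http secure-server
ip http authentication local
!
"""


def main() -> None:
    state = http_server_state(SAMPLE_CONFIG)
    print("listeners:", state)
    for acct in unexpected_accounts(SAMPLE_CONFIG, KNOWN_ACCOUNTS):
        print("UNEXPECTED", acct["line"])
    for cmd in mitigation_commands(state):
        print("apply:", cmd)


if __name__ == "__main__":
    main()
```

Pass the full 'show running-config' output as the config string; the account check only needs the 'username' lines, so a filtered capture with 'show running-config | include username' also works for that half. An unexpected privilege 15 account is exactly the outcome the advisory describes, so it should open an incident rather than simply be deleted.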
Attribution
Salt Typhoon · Nation-state APT
Motivation
Espionage - targeting telecommunications and critical infrastructure
Confidence
High
First observed
2023-09
Region / origin
PRC-aligned
Activity consistent with the Salt Typhoon group attributed by Microsoft and Western intelligence agencies to the People's Republic of China. The group has been linked to large-scale telecommunications intrusions across multiple jurisdictions. Exploitation of this CVE chains with previously observed post-exploitation tooling.
Microsoft Exchange Server hybrid configuration privilege escalation
High · Investigating
Summary
Microsoft has disclosed a privilege escalation flaw in Exchange Server hybrid configurations that could allow on-premises attackers to gain elevated permissions in connected Exchange Online tenants. AC3 is assessing exposure across clients running hybrid Exchange deployments.
Version information
Affected
Exchange Server 2019 CU13, CU14 with hybrid configuration enabled
Fixed
Microsoft has released a hotfix and updated hybrid configuration wizard. Apply both.
Recommended actions
Run the updated Hybrid Configuration Wizard to apply the corrected trust configuration.
Apply the Exchange Server hotfix released with the May security update.
Review Exchange Online audit logs for unexpected app role assignments in the last 30 days.
A heap-based buffer overflow in FortiGate SSL VPN may allow unauthenticated remote code execution. Fortinet has released patches across all affected branches. AC3 has confirmed all managed FortiGate devices are patched.
Version information
Affected
FortiOS 7.0.0 through 7.0.14, 7.2.0 through 7.2.7, 7.4.0 through 7.4.2
Fixed
FortiOS 7.0.15, 7.2.8, 7.4.3 and later
Recommended actions
Verify FortiGate firmware is at the patched version using 'get system status'.
If patching cannot occur, disable SSL VPN as a workaround.
Review SSL VPN authentication logs for the indicators of compromise listed by Fortinet PSIRT.
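The firmware check in the first action above, as an added Python example that is not AC3 or Fortinet tooling: it parses the 'Version:' line of 'get system status', maps the device to its maintenance branch, and compares the running version against the earliest fixed release listed in this advisory. Branches the advisory does not cover (6.4 and earlier) are reported as unassessed rather than as patched, so an old device cannot slip through as safe. SAMPLE_STATUS is a constructed excerpt with placeholder serial and build values.

```python
"""Classify a FortiGate as patched or not from 'get system status' output.

Added example, not AC3 tooling. The fixed versions per branch are the
ones listed in the advisory; branches it does not cover are reported as
unassessed rather than as safe.
"""
import re
from typing import Dict, Optional, Tuple

# Earliest fixed release per maintenance branch, from the advisory.
FIXED_BY_BRANCH: Dict[str, str] = {"7.0": "7.0.15", "7.2": "7.2.8", "7.4": "7.4.3"}

# Matches e.g. 'Version: FortiGate-100F v7.2.7,build1577,240409 (GA.M)'
_VERSION = re.compile(r"^Version:\s+\S+\s+v(\d+)\.(\d+)\.(\d+)", re.MULTILINE)


def parse_fortios_version(status_output: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from the Version line, or None if absent."""
    m = _VERSION.search(status_output)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess_fortios(status_output: str) -> str:
    """Return 'patched', 'vulnerable' or 'unassessed branch'."""
    v = parse_fortios_version(status_output)
    if v is None:
        raise ValueError("no 'Version:' line found in output")
    branch = f"{v[0]}.{v[1]}"
    fixed = FIXED_BY_BRANCH.get(branch)
    if fixed is None:
        return "unassessed branch"  # not listed in the advisory: do not call it safe
    fixed_tuple = tuple(int(x) for x in fixed.split("."))
    return "patched" if v >= fixed_tuple else "vulnerable"


# Constructed excerpt of 'get system status'; serial and build are placeholders.
SAMPLE_STATUS = """\
Version: FortiGate-100F v7.2.7,build1577,240409 (GA.M)
Security Level: 1
Firmware Signature: certified
Serial-Number: FG100FPLACEHOLDER
Hostname: fw-edge-01
Operation Mode: NAT
"""

if __name__ == "__main__":
    print(parse_fortios_version(SAMPLE_STATUS), assess_fortios(SAMPLE_STATUS))
```

Collect the output from each managed unit (or from the HA primary, then confirm the secondary separately) and run the text through assess_fortios; the sample reports 'vulnerable' because 7.2.7 sits inside the affected 7.2.0 through 7.2.7 range.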
Motivation
Financial - initial access for ransomware deployment
Confidence
Medium
First observed
2026-04
Region / origin
Global
Exploitation observed by multiple distinct ransomware affiliate groups, including operators linked to Akira and BlackBasta-derivative ecosystems. Attribution is to a class of actors rather than a single named group. AC3 has not observed targeted use against any specific managed client.
Atlassian Confluence Data Center template injection
High · Closed
Summary
A template injection vulnerability in Confluence Data Center allowed authenticated users to execute arbitrary code on the server. Atlassian released patches and AC3 confirmed all managed Confluence instances were updated.
Version information
Affected
Confluence Data Center 8.5.x prior to 8.5.9, 9.0.x prior to 9.0.4
Fixed
8.5.9, 9.0.4, 9.1.0 and later
Recommended actions
Confirm Confluence is at the patched version.
Audit recently uploaded user macros for suspicious template syntax.
An information disclosure vulnerability in Citrix NetScaler ADC could leak memory contents to unauthenticated attackers under specific configurations. AC3 patched all managed NetScaler appliances and the advisory is now closed.
Version information
Affected
NetScaler ADC and Gateway 13.1 prior to 13.1-49.15, 14.1 prior to 14.1-12.30
Fixed
13.1-49.15, 14.1-12.30 and later
Recommended actions
Confirm NetScaler firmware version against the patched release.
Rotate any session tokens or keys handled by the appliance in the affected window.
An authenticated remote code execution flaw in vCenter Server was patched in the April security release. AC3 confirmed remediation across all managed vCenter instances.
Version information
Affected
vCenter Server 7.0 U3 prior to U3p, 8.0 prior to U2c
Fixed
vCenter 7.0 U3p, 8.0 U2c and later
Recommended actions
Apply the vCenter Server security patch.
Review vCenter audit events for unexpected privileged sessions in the prior 30 days.
Under specific job configurations, GitLab CE/EE could write masked secrets to CI job logs in cleartext. GitLab patched the issue and AC3 reviewed all managed GitLab tenants for log exposure.
Version information
Affected
GitLab CE/EE 16.8 to 16.11 prior to patched releases
Fixed
16.11.3, 17.0.1 and later
Recommended actions
Upgrade GitLab to the patched release.
Rotate any secrets that were stored as masked CI variables during the affected window, since retained job logs from that period may contain them in cleartext; masking only affects how the value is rendered in the log, not whether it was written.
A command injection flaw in Palo Alto GlobalProtect allowed attackers with valid VPN credentials to execute arbitrary commands on the gateway. Patches were applied across all managed gateways.
Version information
Affected
PAN-OS 10.2.x, 11.0.x, 11.1.x prior to patched releases
Fixed
PAN-OS 10.2.10, 11.0.5, 11.1.3 and later
Recommended actions
Verify GlobalProtect gateway firmware version.
Force re-authentication of all VPN sessions and rotate any compromised credentials.
Apache Tomcat releases prior to the March patch could be susceptible to HTTP/2 request smuggling under specific proxy configurations. Affected managed services were patched and monitored.
Version information
Affected
Tomcat 9.0.x prior to 9.0.92, 10.1.x prior to 10.1.25, 11.0.x prior to 11.0.0-M22
Fixed
9.0.92, 10.1.25, 11.0.0-M22 and later
Recommended actions
Upgrade Apache Tomcat to the patched release.
Audit reverse proxy logs for unusual request patterns consistent with smuggling.
An XML external entity flaw in the Ivanti Connect Secure admin console could be abused by authenticated admins to read arbitrary files. Patches were applied to all managed instances.
Version information
Affected
Ivanti Connect Secure 22.6R1 through 22.6R3
Fixed
22.6R4 and later
Recommended actions
Upgrade Ivanti Connect Secure to the patched release.
Review admin audit logs for unexpected administrative activity.
Splunk released a fix for a SAML response signature handling flaw that could allow authentication bypass under non-default configurations. Splunk environments under AC3 management were reviewed and confirmed not exposed.
Version information
Affected
Splunk Enterprise 9.0.x through 9.2.0 with SAML authentication enabled
Fixed
9.2.1 and later
Recommended actions
Apply the Splunk patch when convenient (low severity for AC3-managed configurations).
Review SAML configuration for non-default request settings.