PCPJack and infected npm packages observed, new attacks targeting the peninsula, several vulnerabilities reported

Weekly Threats for Telsy

Threat: PCPJack worm and several supply chain attacks tracked

Security researchers have tracked an active credential theft campaign that uses a worm called PCPJack and targets exposed Linux cloud infrastructure, while also removing any artifacts linked to the TeamPCP group from target environments. Unlike most cloud worms previously observed, PCPJack does not engage in cryptomining but focuses on monetizing stolen credentials through financial fraud, spam, extortion, or resale. In May 2026, the official jdownloader[.]org website was compromised, allowing attackers to modify some software installer download links. Specifically, the adversaries gained access to the site’s CMS and altered the published download links, redirecting them to malicious files hosted externally, without modifying the original installer packages or accessing the server filesystem or underlying operating system. The jdownloader[.]org site is currently safe and operational with correct links. On May 11, 2026, security researchers tracked the fifth wave of the Mini Shai-Hulud campaign orchestrated by the TeamPCP group, which published 84 malicious versions of 42 packages belonging to the @tanstack namespace on the npm registry. The attack compromised widely used libraries, including @tanstack/react-router with over 12 million weekly downloads, potentially exposing millions of developers and production environments. The TanStack team responded promptly: all 84 versions and the related tarballs were removed from the npm registry within hours of discovery. Finally, during the same month, the TeamPCP group was observed releasing a Mini Shai-Hulud variant during a new supply chain attack against Checkmarx, compromising the official Checkmarx AST Scanner plugin for the Jenkins platform. The impact of this compromise is particularly significant because the Checkmarx AST Scanner plugin is specifically designed to perform security analysis within CI/CD pipelines.

Italy: several malicious activities observed

Security researchers identified a campaign targeting Android users of banking, fintech, wallet, and authentication applications in France, Italy, and Austria; the campaign is aimed at deploying a new variant of TrickMo, called TrickMo C (or Variant C), a known banking trojan active since 2019. Its main capabilities include credential phishing through fullscreen WebView overlays; keylogging with associated metadata; screen recording and streaming in VNC style; notification interception and suppression, including SMS and OTPs; as well as enumeration of installed applications and file exfiltration. Since the beginning of this week, 14 new smishing campaigns have been tracked in Italy using the name of INPS to collect credit card data, presumably to carry out unauthorized charges. The fraudulent flow first collects personal information, including full name, address, city, postal code, and phone number, and then requests payment card details, including cardholder, card number, expiration date, and CVV. The distinguishing feature of these operations compared with previous similar activity is their focus on stealing credit card data, rather than identity documents, CUD forms, or employment information. In addition, a new phishing campaign delivered via WhatsApp messages was detected, using the theme of unpaid motorway tolls to lure potential victims into entering their payment card details, with a message containing a link that leads to a landing page graphically very similar to the official Autostrade per l’Italia website. Finally, Unoaerre Industries S.p.A., a historic Arezzo-based goldsmith company and one of the leading European groups in the jewelry sector, was hit on Friday, May 8, 2026, by a cyberattack that paralyzed its internal operating systems. The attackers later demanded a payment of €3.8 million in bitcoin to unlock the entire IT infrastructure and to refrain from releasing any stolen confidential data. 
Unoaerre rejected the demand without entering into any negotiations. Media sources report that initial investigations indicate possible links to countries in the Middle East and Eastern Europe. The main infrastructures were nevertheless restored within a few days.

Vulnerabilities: flaws affecting Linux, F5 Networks, Apache, n8n, Ivanti, and Microsoft Windows reported

A Proof-of-Concept exploit has been released for a vulnerability called Dirty Frag and identified as CVE-2026-43284 in the Linux kernel. As a deterministic logic bug, it does not depend on a critical timing window: it does not require any Race Condition, does not crash the system if the exploit fails, and has a very high success rate. On May 13, 2026, a critical vulnerability was disclosed in F5 Networks’ NGINX web server, named NGINX Rift. Tracked as CVE-2026-42945 (CVSS 9.2), it is a Heap-based Buffer Overflow present in the ngx_http_rewrite_module for approximately eighteen years, since 2008. This flaw allows an unauthenticated remote attacker to send specially crafted HTTP requests that cause heap corruption in NGINX worker processes. Possible consequences include the crash of worker processes, resulting in Denial of Service for all sites served by the instance, or, under favorable conditions such as the absence of ASLR, remote arbitrary code execution (RCE) in the context of the worker process. Proof-of-Concepts are also publicly available for CVE-2026-23918 and CVE-2026-34486, affecting Apache HTTP Server and Apache Tomcat respectively, and for CVE-2026-42231 (CVSS 9.4) in n8n. Ivanti released updates for Ivanti Endpoint Manager Mobile (EPMM) that address five vulnerabilities, including a 0-day exploited in the wild. The vendor reported being aware of a very limited number of customers who were victims of attacks exploiting CVE-2026-6973. Successful exploitation requires authentication as an administrator. Finally, the researcher known as Nightmare Eclipse (alias Chaotic Eclipse, Deadeclipse666) disclosed on their blog two still-unpatched Microsoft Windows 0-day vulnerabilities without CVE identifiers, named YellowKey and GreenPlasma, releasing the related Proof-of-Concept (PoC) exploits on GitHub. 
While awaiting official patches, organizations are advised to strengthen encryption policies and closely monitor for the possible presence of FsTx files on removable media or EFI partitions as a potential indicator of an exploit attempt.

Weekly Threats Report is Telsy’s weekly update featuring the main developments on cyber attacks and threat actors worldwide, produced by our Threat Intelligence & Response team.

The team is composed of analysts and security researchers with technical and investigative skills and internationally recognized experience.

Through continuous monitoring of cyber threats and geopolitical events, it produces and provides organizations with useful information to anticipate attacks and understand their scope, with the support of a trusted partner in the event of a cyber incident.
