In the span of just a few weeks, we have observed a dizzying array of major supply chain attacks. Prominent examples include the malicious modification of Axios, a popular HTTP client library for JavaScript, as well as cascading compromises from TeamPCP, a “chaos-as-a-service” group that injected malicious code into hijacked GitHub repositories for open-source projects, including Trivy, an open-source security scanner.
The impact of these supply chain attacks can be vast. Axios receives 100 million downloads weekly and innumerable organizations rely on the frameworks and libraries compromised by TeamPCP. The headache they pose to organizations and their security personnel is considerable as well; affected utilities can be integrated so deeply that it may be difficult to fully catalog, let alone remediate.
Although the timing, scale, and severity of these attacks can be shocking, this is not a new phenomenon. The supply chain has remained an attractive target for some time because of its fragility and the fact that a successful compromise can lead to countless additional downstream victims.
Findings from the recently published Talos 2025 Year in Review illustrate these long-standing trends. Nearly 25% of the top 100 targeted vulnerabilities we observed in 2025 affect widely used frameworks and libraries. Digging deeper into the list reveals additional insights. The React2Shell vulnerability affecting React Server Components became the top-targeted vulnerability of 2025 despite being disclosed in December, reflecting the speed at which these supply chain attacks can reach massive scale. The presence of Log4j vulnerabilities shows how deeply embedded these utilities can be and therefore how difficult it can be to reduce the attack surface. Although these particular examples represent extant vulnerabilities that can be weaponized by numerous adversaries versus a deliberate attack carried out by a single adversary, they show how impactful and disruptive threats to the supply chain can be. Follow-on attacks can range from ransomware to espionage, which is reflective of the broad swath of adversaries that carry them out — from sophisticated state-sponsored groups to teenage cyber criminals.
If we are all building on such shaky foundations, what can we do to keep safe? After all, it certainly seems dire when a tool such as Trivy, which we would normally use to scan for supply chain vulnerabilities, becomes compromised itself. But there are concrete steps we can take to improve our security posture.
As highlighted in the Year in Review, protecting identity is key. This includes securing CI/CD pipelines to prevent these types of compromises from occurring in the first place, as well as limiting the impact and lateral movement of an adversary should they obtain access to a downstream victim.
In addition, organizations must try to the best of their abilities to inventory the software libraries and frameworks they employ, stay informed of security incidents, and respond rapidly to implement patching and other mitigations.
Just as supply chain attacks are evergreen, so too is the efficacy of security fundamentals, such as segmentation, robust logging, multi-factor authentication (MFA), and the implementation of emergency response plans.
As trust continues to break down, the only viable solution may be to double down on vigilance. Since this recent spate of attacks represents a trend that will likely only grow in intensity and breadth, the time for action and planning is now.
Coverage
Below, find a sample of some of the recent coverage we offer to protect against these threats:
ClamAV: Txt.Trojan.TeamPCP-10059839-0
Behavioral Protections: LiteLLM Supply Chain Compromise – alerts during installation of compromised packages
Threat actors predominately exploited public-facing applications for the second quarter in a row, with this tactic appearing in nearly 40 percent of Cisco Talos Incident Response (Talos IR) engagements — a notable decrease from over 60 percent last quarter, when engagements involving ToolShell surged. This quarter included exploitation of Oracle E-Business Suite (EBS) and React2Shell, as well as the deployment of malware implants previously associated with advanced persistent threat (APT) groups.
Phishing was the second-most common tactic for initial access, and this quarter included a campaign specifically targeting Native American tribal organizations for credential harvesting. Once the adversaries compromised a legitimate account, they leveraged it to send out further internal phishes and gain more credentials.
Ransomware incidents made up only approximately 13 percent of engagements this quarter, a decrease from 20 percent last quarter and a steep drop from nearly 50 percent in Q1 and Q2. Talos IR did not respond to any previously unseen ransomware variants. Qilin continues to be a dominant player in these engagements, a continuation from the previous few quarters.
Continued exploitation campaigns show the importance of timely patching
As mentioned above, threat actors exploited public-facing applications for initial access in nearly 40 percent of engagements this quarter. While there was no dominant exploitation campaign as there was last quarter with ToolShell, Talos IR did observe activity targeting Oracle EBS (CVE-2025-61882) as well as React Server Components, Next.js, and related frameworks (CVE-2025-55182 aka React2Shell). In both cases, exploitation activity occurred around the time the vulnerability became public, demonstrating actors’ speed in capitalizing on these opportunities as well as the inherent risks of internet-facing enterprise applications and default deployments embedded in widely used frameworks.
Talos IR responded to an organization that had an internet-facing server vulnerable to CVE-2025-61882. Exploitation began very shortly after the vulnerability was made public and was likely related to a large-scale campaign aiming to extort executives. After exploiting the vulnerability, the threat actors deployed multi-stage web shells related to the SAGE* infection chain.
In another incident, we observed a threat actor successfully exploit the React2Shell vulnerability to compromise the victim organization, gain shell access to the web server, and download and install XMRig Monero cryptomining malware. Cryptocurrency mining is one of the many types of operations we expect to see as threat actors race to quickly capitalize on unpatched systems. Public reporting on React2Shell exploitation also revealed targeting by state-sponsored groups, ransomware affiliates, and more, highlighting the diverse array of threat actors who look to leverage new exploits and the importance of timely patching and other mitigations, such as robust segmentation.
Exploitation activity this quarter also involved implants previously tied to APT groups. In one incident, Talos IR observed activity consistent with the BadCandy implant targeting Cisco IOS XE. The threat actors leveraged this implant to create an unauthorized account, though the activity appeared to be automated with no interactive access or additional malicious activity observed outside the router.
In an incident in which exploitation of the organization’s Cisco Secure Management Appliance (SMA) was suspected, the adversaries deployed AquaShell, a lightweight Python backdoor capable of receiving encoded commands through unauthenticated HTTP POST requests and executing them in the system shell, a backdoor which Talos has connected to UAT-9686. Similar to the incident described above, there was no follow-on activity observed. In both incidents, Talos IR commended the customers for their quick responses, which likely helped mitigate any further damage.
Phishing campaigns target Native American tribal organizations for potential credential harvesting operation
Phishing was the second-most common means of initial access this quarter, and Talos IR responded to a phishing campaign that appeared to target Native American tribal organizations.
In one incident affecting a tribal organization, Talos IR observed adversaries use compromised email accounts, alongside a legitimate but compromised web domain, to distribute lures themed around sexual harassment training. Although initial waves were unsuccessful, once the adversaries compromised an account, they used it to propagate further phishing internally and externally. In the latter phases of this campaign, the adversary leveraged a web shell directory hosted on a legitimate third-party domain to distribute phishing content and facilitate broader targeting. We suspect that the attacker gained a foothold within the victim environment due to lack of multi-factor authentication (MFA), and while no lateral movement beyond email account abuse could be confirmed, the exposure of additional accounts within the victim's environment and external recipients indicates the potential for a wider impact.
In a second related incident affecting another tribal organization, Talos IR observed the victim receive a wave of external phishing emails, with one user targeted with numerous Outlook Web Access (OWA) login attempts, resulting in subsequent MFA prompts, one of which was approved. Afterwards, the compromised user’s account was used to issue a flood of follow-on phishing emails. After the customer removed the compromised account, the campaign continued, leveraging an external email address that was spoofed to resemble the disabled account.
Beyond similar victimology, there were overlaps in the indicators of compromise for these incidents, suggesting they may have originated from the same campaign. Both incidents also highlight a trend observed last quarter of compromised accounts being used to distribute further phishing attacks. Talos IR urges tribal organizations to be especially vigilant of this threat, scrutinizing all emails and MFA pushes.
Ransomware trends
Ransomware and pre-ransomware incidents made up just 13 percent of engagements this quarter, a decline from 20 percent last quarter, and a sharp drop from 50 percent in Q1 and Q2. Qilin ransomware, which we responded to for the first time in Q2, remains dominant and was observed in the majority of ransomware incidents, confirming our predictions in Q2 and Q3 that the group would continue to hold a heavy presence. We also responded to DragonForce ransomware, a variant we had not observed in Talos IR engagements for over a year.
Talos IR responded to a ransomware incident in which the adversary deployed multiple remote monitoring and management (RMM) tools across the attack chain. After leveraging valid accounts for initial access, they relied on ScreenConnect for persistence, SoftPerfect Network Scanner for reconnaissance, and rclone to exfiltrate data. This is a trend we have observed in other threat activity as well, such as a social engineering campaign this quarter in which the threat actors used multiple RMM tools for initial access and persistence. Relying on multiple tools can better facilitate the attack in case one is detected or blocked by security controls. In addition, because these tools may be legitimately used in an environment, they may be harder for defenders to detect in the first place.
Targeting
Consistent with last quarter, public administration was the most-targeted industry vertical. This is noteworthy as last quarter was the first time since we began publishing these reports that public administration held this position. Organizations within the public administration sector are attractive targets as they are often underfunded and use legacy equipment. These entities may have access to sensitive data as well as a low downtime tolerance, making them attractive to financially motivated and espionage-focused threat groups. We observed exploitation and phishing campaigns targeting these organizations, with one successful phishing campaign leveraging a compromised account to send out follow-on internal and external phishes, making them appear more legitimate.
Initial access
Also consistent with last quarter, the most observed means of gaining initial access was exploitation of public-facing applications, accounting for over a third of the engagements where initial access could be determined. As mentioned, this is a sharp drop from 62 percent last quarter in which widespread ToolShell exploitation occurred. Other observed means of initial access included phishing, which increased from 23 percent last quarter to 32 percent, as well as valid accounts and brute forcing.
Recommendations for addressing top security weaknesses
Conduct robust patch management
35 percent of engagements this quarter involved vulnerable or exposed infrastructure, aligning with the percentage of engagements in which Talos IR observed exploitation of publicly facing applications. This included exploitation of the React2Shell vulnerability, Oracle EBS, as well as exposed Cisco products such as Cisco IOS XE WebUI. These latter incidents underscore the importance of limiting the exposure of vulnerable and high-value servers. Though some of these vulnerabilities were older, once again highlighting the fact that adversaries can find success with years-old exploits, others were targeted right around disclosure, showing the importance of timely patching. Relatedly, there were several incidents in which exposed GitHub secrets were leveraged to access and exfiltrate sensitive data.
Implement detections to identify MFA abuse and strong MFA policies
MFA issues, including misconfigured MFA, lack of MFA, and MFA bypass, were another top security weakness this quarter, aligning with phishing being the second-most prominent initial access technique. This included issues such as a lack of MFA as well as MFA fatigue. Talos IR recommends configuring systems to monitor and alert on the following for effective MFA deployment: abuse of bypass codes, registration of new devices, creation of accounts designed to bypass or be exempt from MFA, and removal of accounts from MFA.
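The alerting conditions listed above, together with the prompt-flood-then-approval pattern from the tribal-organization incident, can be expressed as a small detection over an identity provider's MFA audit log. This is an added example, not Talos code: the JSON event schema, event names, sample events and thresholds are all assumptions, and a real deployment would map the provider's own fields onto them first.

```python
"""Detect MFA abuse patterns in a (constructed) JSON-lines MFA audit log.

Added example; the schema below is assumed, not any vendor's real format:
each record has "ts" (epoch seconds), "user", "event", and optional fields
such as "result", "actor", "device" and "mfa_exempt".
"""
import json
from collections import defaultdict

# Constructed sample events, not real logs. alice is hit with repeated
# prompts and finally approves one (MFA fatigue); erin approves a single
# normal prompt and should not alert.
SAMPLE_LOG = """
{"ts": 1000, "user": "alice", "event": "mfa_prompt", "result": "denied"}
{"ts": 1030, "user": "alice", "event": "mfa_prompt", "result": "denied"}
{"ts": 1060, "user": "alice", "event": "mfa_prompt", "result": "denied"}
{"ts": 1090, "user": "alice", "event": "mfa_prompt", "result": "approved"}
{"ts": 2000, "user": "bob", "event": "mfa_bypass_code_used", "actor": "bob"}
{"ts": 2100, "user": "carol", "event": "mfa_device_registered", "device": "new-phone"}
{"ts": 2200, "user": "svc-backup", "event": "account_created", "actor": "admin", "mfa_exempt": true}
{"ts": 2300, "user": "dave", "event": "mfa_removed", "actor": "admin"}
{"ts": 2400, "user": "erin", "event": "mfa_prompt", "result": "approved"}
"""

# Assumed thresholds; tune to the environment's normal prompt rate.
FATIGUE_WINDOW_SECS = 300
FATIGUE_MIN_PROMPTS = 3

# Events the text recommends alerting on directly, keyed by assumed event name.
DIRECT_ALERT_EVENTS = {
    "mfa_bypass_code_used": "MFA bypass code used",
    "mfa_device_registered": "new MFA device registered",
    "mfa_removed": "account removed from MFA",
}


def parse_events(text):
    """Parse JSON-lines audit text into a list of events sorted by time."""
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["ts"])


def detect_mfa_abuse(events):
    """Return (user, reason) alerts for the conditions described in the text."""
    alerts = []
    prompts = defaultdict(list)  # user -> timestamps of recent MFA prompts
    for e in events:
        name = e["event"]
        if name in DIRECT_ALERT_EVENTS:
            alerts.append((e["user"], DIRECT_ALERT_EVENTS[name]))
        elif name == "account_created" and e.get("mfa_exempt"):
            # Accounts created exempt from MFA are a bypass in disguise.
            alerts.append((e["user"], "account created exempt from MFA"))
        elif name == "mfa_prompt":
            window = prompts[e["user"]]
            window.append(e["ts"])
            # Keep only prompts inside the sliding window.
            while window and e["ts"] - window[0] > FATIGUE_WINDOW_SECS:
                window.pop(0)
            if e.get("result") == "approved" and len(window) >= FATIGUE_MIN_PROMPTS:
                alerts.append((e["user"], "possible MFA fatigue: approval after "
                               "%d prompts in %ds" % (len(window), FATIGUE_WINDOW_SECS)))
    return alerts


if __name__ == "__main__":
    for user, reason in detect_mfa_abuse(parse_events(SAMPLE_LOG)):
        print("ALERT %-12s %s" % (user, reason))
```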
Configure centralized logging capabilities across the environment
Insufficient logging capabilities once again hindered investigative efforts by Talos IR. Understanding the full context and chain of events performed by an adversary on a targeted host is vital not only for remediation but also for enhancing defenses and addressing any system vulnerabilities for the future. Talos IR recommends that organizations implement a Security Information and Event Management (SIEM) solution for centralized logging. In the event an adversary deletes or modifies logs on the host, the SIEM will contain the original logs to support forensic investigation.
Timely response is paramount
Finally, several incidents this quarter revealed the value of quick responses, such as several exploitation attacks against Cisco products in which timely cooperation with Talos IR helped prevent follow-on attacks. This quarter, we also responded to a ransomware incident in which an organization delayed engaging with Talos IR, and thus was unable to prevent encryption or exfiltration of sensitive data. For more information on how timely response can dramatically improve outcomes, please see this blog.
Top-observed MITRE ATT&CK techniques
The table below represents the MITRE ATT&CK techniques observed in this quarter’s Talos IR engagements. Given that some techniques can fall under multiple tactics, we grouped them under the most relevant tactic in which they were leveraged. Please note this is not an exhaustive list.
Key findings from the MITRE ATT&CK framework include:
Adversaries leveraged a wider variety of techniques for credential access this quarter compared to last quarter, including discovery of remote systems, domain trust relationships, and valid accounts.
This was the second quarter in a row where exploitation of public-facing applications was the top initial access technique.
Use of Remote Desktop Protocol (RDP) was the top technique for lateral movement for the second quarter in a row.
Tactic / Technique – Example

Reconnaissance
T1597 Search Open Websites/Domains – Adversaries may search freely available websites and/or domains for information about victims that can be used during targeting.
T1018 Remote System Discovery – Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network.
T1482 Domain Trust Discovery – Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments.
T1087 Account Discovery – Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment.

Initial Access
T1190 Exploit Public-Facing Application – Adversaries may exploit a vulnerability to gain access to a target system.
T1598 Phishing for Information – Adversaries may send phishing messages to elicit sensitive information that can be used during targeting.
T0859 Valid Accounts – Adversaries may steal and abuse the credentials of a specific user or service account using credential access techniques.
T1110 Brute Force – Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.

Execution
T1059 Command and Scripting Interpreter – Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
T1204.001 User Execution: Malicious Link – An adversary may rely upon a user clicking a malicious link in order to gain execution. Users may be subjected to social engineering to get them to click on a link that will lead to code execution.
T1204.002 User Execution: Malicious File – An adversary may rely upon a user opening a malicious file in order to gain execution.
T1078 Valid Accounts – Adversaries may obtain and abuse credentials of existing accounts to access systems within the network and execute their payload.
T1047 Windows Management Instrumentation – Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads.
T1505.003 Server-side Web Shell – Adversaries may backdoor web servers with web shells to establish persistent access to systems.

Persistence
T1136 Create Account – Adversaries may create an account to maintain access to victim systems.
T1219 Remote Access Tools – An adversary may use legitimate remote access tools to establish an interactive command and control channel within a network.
T1059 Command and Scripting Interpreter – Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
T1053 Scheduled Task/Job – Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.
T1078 Valid Accounts – The adversary may compromise a valid account to move through the network to additional systems.

Defense Evasion
T1562 Impair Defenses – Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms.
T1070 Indicator Removal – Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses.
T1218 System Binary Proxy Execution – Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries.
T1564.008 Hide Artifacts: Email Hiding Rules – Adversaries may use email rules to hide inbound or outbound emails in a compromised user's mailbox.
T1112 Modify Registry – The Registry may be modified in order to hide configuration information or malicious payloads.

Credential Access
T1558.003 Steal or Forge Kerberos Tickets – Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable pass the ticket.
T1003 OS Credential Dumping – Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password.
T1111 Multi-Factor Authentication Interception – Adversaries may target MFA mechanisms (i.e., smart cards, token generators, etc.) to gain access to credentials that can be used to access systems, services, and network resources.
T1552.001 Unsecured Credentials – Adversaries may search compromised systems to find and obtain insecurely stored credentials.
T1110 Brute Force – Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.

Discovery
T1087 Account Discovery – Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment.
T1082 System Information Discovery – An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.
T1083 File and Directory Discovery – Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
T1016 System Network Configuration Discovery – Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems.
T1046 Network Service Discovery – Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.
Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.

Command and Control
T1071 Application Layer Protocol – Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic.
T1008 Fallback Channels – Adversaries may use fallback or alternate communication channels if the primary channel is compromised or inaccessible in order to maintain reliable command and control and to avoid data transfer thresholds.
T1105 Ingress Tool Transfer – Adversaries may transfer tools or other files from an external system into a compromised environment.
T1090 Proxy – Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure.

Exfiltration
T1041 Exfiltration Over C2 Channel – Adversaries may steal data by exfiltrating it over an existing command and control channel.
T1567 Exfiltration Over Web Service – Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel.

Impact
T1486 Data Encrypted for Impact – Adversaries may use ransomware to encrypt data on a target system.
T1485 Data Destruction – Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
T1489 Service Stop – Adversaries may stop or disable services on a system to render those services unavailable to legitimate users.

Software
S1242 Qilin – A Ransomware-as-a-Service (RaaS) that has been active since at least 2022 with versions written in Golang and Rust that are capable of targeting Windows or VMWare ESXi devices.
S0591 ConnectWise – A legitimate remote administration tool that has been used since at least 2016 by threat actors.
S1040 Rclone – A command line program for syncing files with cloud storage services such as Dropbox, Google Drive, Amazon S3, and MEGA.
S0029 PsExec – Free Microsoft tool that can remotely execute programs on a target system.