eastbaycyber

Interlock Ransomware, PrintSteal, Scattered Spider, and npm Supply-Chain Risks

Threat digests 12 min read
EC
East Bay Cyber Editorial Team Reviewed 2026-05-28
Week of 28 MAY 2026

TL;DR - Interlock ransomware and social-engineering-led intrusions remain high-priority risks. - Healthcare, customer support environments, developers, and internet-exposed routers need immediate review. - Prioritize IAM hardening, edge-device patching, npm hygiene, and detection tuning today.

Top Stories

Interlock ransomware guidance for healthcare and public health

CISA, FBI, HHS, and MS-ISAC published a joint advisory urging the Healthcare and Public Health sector to strengthen defenses against Interlock ransomware, including reviewing indicators of compromise, TTPs, and mitigations (CISA).

Why it matters:
Healthcare environments remain highly exposed to ransomware because of operational urgency, legacy systems, third-party dependencies, and flat internal networks. Even organizations outside healthcare should pay attention if Interlock tradecraft overlaps with common initial access paths such as phishing, exposed remote services, and credential abuse.

What to do next: - Review the advisory’s IOCs and TTPs and map them to your telemetry coverage. - Validate offline backups and recovery runbooks for critical clinical or business systems. - Restrict RDP, VPN, and remote admin exposure; require MFA where possible. - Hunt for unusual archive creation, lateral movement, and mass file-encryption precursors.

PrintSteal malware reportedly steals biometric data

BleepingComputer reported on newly identified “PrintSteal” malware that allegedly collects biometric data from compromised Windows systems, including fingerprints, facial data, and ID photos (BleepingComputer).

Why it matters:
This is more than routine credential theft. If endpoint compromise can expose biometric templates or identity document images, incident impact expands into identity fraud, compliance exposure, and long-tail user harm. Biometric data is especially sensitive because it cannot be reset like a password.

What to do next: - Identify Windows endpoints or applications that process biometric or identity-document data. - Segment those systems from general-user workstations. - Increase EDR scrutiny on processes accessing camera, document, or local biometric storage paths. - Review data retention and minimize local storage of identity artifacts.

Qantas breach reporting linked to Scattered Spider activity

BleepingComputer reported that Qantas confirmed a cyber incident involving a contact center environment and exposure of customer information tied to millions of service records, with reporting linking the activity to the broader Scattered Spider threat pattern (BleepingComputer).

Why it matters:
Whether or not every attribution detail is finalized, the operational lesson is clear: customer support and help-desk channels remain attractive targets for social engineering, account takeover, and downstream data access. Attackers do not always start with malware; they often start with people and process gaps.

What to do next: - Tighten help-desk identity verification procedures. - Require step-up verification for password resets, MFA resets, and account recovery. - Audit privileged access in CRM, contact center, and customer support tooling. - Monitor for impossible travel, MFA reset bursts, and abnormal access to customer records.

Malicious npm packages installing persistent reverse shells

BleepingComputer reported on five malicious npm packages designed to infect another local package and patch it with a persistent reverse shell, allowing continued access even after the original malicious package is removed (BleepingComputer).

Why it matters:
This is a notable supply-chain pattern because removal of the initially malicious package may not fully remediate the compromise. Persistence inside another local dependency can evade basic cleanup steps and survive routine developer response actions.

What to do next: - Review recent package additions and lockfile changes across CI/CD and developer endpoints. - Rebuild affected projects from known-good sources instead of relying on package removal alone. - Compare package trees and integrity hashes against trusted baselines. - Restrict outbound connectivity from developer build systems where feasible.

Misconfigured JavaScript libraries exposed passwords

KrebsOnSecurity reported that misconfigured applications tied to JavaScript-based tracking and session replay style tooling exposed customer password details at multiple Fortune 1000 firms (KrebsOnSecurity).

Why it matters:
This is a recurring web-application governance issue: sensitive-field redaction is easy to assume and dangerous to leave unverified. A misconfiguration in observability, analytics, or UX tooling can turn normal user flows into a credential leakage event.

What to do next: - Audit all third-party JavaScript on authentication and account pages. - Confirm password, MFA, and secret fields are masked before collection or replay. - Re-test login, signup, password reset, and support workflows with browser instrumentation. - Update vendor risk reviews to include client-side data capture validation.

FBI strategy on sextortion

KrebsOnSecurity covered the FBI’s development of a national strategy to combat sextortion targeting children and teenagers online (KrebsOnSecurity).

Why it matters:
For enterprises, schools, and managed service providers, this is both a user safety and cyber-fraud concern. Sextortion campaigns commonly intersect with compromised accounts, social engineering, data theft, and payment coercion.

What to do next: - Update awareness content for parents, staff, and students. - Improve reporting channels for account compromise and impersonation. - Coordinate with legal, HR, and safeguarding teams on escalation procedures.

Gmail account takeover scam targeting creators

A Google News item surfaced BleepingComputer reporting that Google warned about a Gmail account takeover scam targeting creators (Google News aggregate).

Why it matters:
Creators and public-facing employees often have high-value mailboxes tied to brand channels, monetization, and cross-platform reset paths. A successful email takeover can cascade into YouTube, ad accounts, sponsorship platforms, and cloud storage.

What to do next: - Enforce phishing-resistant MFA for creator, executive, and marketing accounts. - Review delegated mailbox access and OAuth app grants. - Train staff to verify “support” or “copyright” outreach through secondary channels.

CISA extends MITRE CVE Program contract by 11 months

Another Google News item surfaced BleepingComputer reporting that CISA extended MITRE’s CVE Program contract by 11 months (Google News aggregate).

Why it matters:
For defenders, continuity in CVE assignment and publication supports vulnerability management workflows, scanner coverage, prioritization, and vendor coordination.

What to do next: - Continue normal CVE-based triage, but avoid over-relying on IDs alone. - Pair CVE intake with KEV checks, exploit intelligence, asset context, and exposure analysis.

Critical Vulnerabilities

  • Severity: Critical
  • CVSS v3: 9.8
  • CWE: CWE-78
  • Published: 2025-05-27
  • Summary: A vulnerability in TOTOLINK A810R V4.1.2cu.5182_B20201026 allows remote attackers to execute arbitrary commands via crafted input to cstecgi.cgi.
  • References: Gist reference, GitHub write-up

So what?
Internet-exposed SOHO and SMB routers remain common targets because they sit at the edge, are often unmanaged, and may not be centrally monitored. If reachable from untrusted networks, this is a high-priority review item.

What defenders should do: - Determine whether any TOTOLINK A810R devices are in use. - Remove management interfaces from internet exposure immediately. - Restrict admin access to trusted management networks. - If no vendor fix is available or confidence is low, replace the device.

CVE-2025-45607 : Tenda RX2 Pro command execution

  • Severity: Critical
  • CVSS v3: 9.8
  • CWE: CWE-77
  • Published: 2025-05-27
  • Summary: A vulnerability in Tenda RX2 Pro v16.03.30.14 allows arbitrary command execution via the Password parameter in fromSafeSetMacFilterCfg.
  • References: GitHub reference

So what?
As with the TOTOLINK issue, this is edge-device risk. Home-office, branch-office, and unmanaged retail deployments are especially vulnerable if remote administration is enabled.

What defenders should do: - Identify affected Tenda RX2 Pro deployments. - Disable WAN-side administration and UPnP where not required. - Replace or isolate devices pending validated remediation guidance. - Monitor for unexplained configuration changes and outbound beacons.

CVE-2025-5349 : MRCMS 3.1.2 SQL injection

  • Severity: High
  • CVSS v3: 8.8
  • CWE: CWE-89
  • Published: 2025-05-27
  • Affected path: /admin/mall/goods/list
  • Parameter: orderBy
  • References: VulDB record, VulDB entry

CVE-2025-5350 : MRCMS 3.1.2 SQL injection

  • Severity: High
  • CVSS v3: 8.8
  • CWE: CWE-89
  • Published: 2025-05-27
  • Affected path: /admin/sys/menu/list
  • Parameter: orderBy
  • References: VulDB record, VulDB entry

CVE-2025-5351 : MRCMS 3.1.2 SQL injection

  • Severity: High
  • CVSS v3: 8.8
  • CWE: CWE-89
  • Published: 2025-05-27
  • Affected path: /admin/sys/dict/list
  • Parameter: orderBy
  • References: VulDB record, VulDB entry

So what for the MRCMS issues?
Although these are rated High rather than Critical by CVSS, they are still important if MRCMS admin paths are internet-reachable or exposed through weak access control. SQL injection in admin-facing functionality can lead to data exposure, privilege escalation, or full application compromise depending on database permissions and application architecture.

What defenders should do: - Check whether MRCMS 3.1.2 is deployed anywhere in your environment. - Restrict admin interfaces behind VPN or IP allowlists. - Apply vendor or project fixes if available. - Add WAF rules for suspicious orderBy parameter abuse as a temporary mitigation. - Review application and database logs for unusual requests to the listed endpoints.

What Defenders Should Do Today

1) Prioritize edge-device exposure

Create a short list of internet-facing routers, firewalls, VPN concentrators, and web admin panels. The newly disclosed TOTOLINK and Tenda flaws reinforce a basic truth: unmanaged edge gear is often the easiest path in.

Immediate checklist: - Disable remote administration unless absolutely required. - Put management behind VPN. - Inventory firmware versions. - Replace unsupported gear.

2) Harden help-desk and identity workflows

The reporting around Qantas and ongoing Scattered Spider-style tradecraft should push defenders to treat service desk controls as part of the identity perimeter.

Immediate checklist: - Require manager approval or secondary verification for MFA resets. - Log all help-desk identity changes. - Alert on bulk profile lookups and account recovery actions. - Review contractor access in support environments.

3) Audit software supply-chain controls

The npm reverse-shell persistence story is a reminder that dependency removal is not always enough.

Immediate checklist: - Rebuild from trusted source control and clean dependency caches. - Verify lockfiles in CI. - Block direct installs from unapproved registries. - Enable package allowlisting for critical projects.

4) Reduce sensitive data capture on endpoints and web apps

The PrintSteal and JavaScript misconfiguration stories both point to the same theme: unnecessary data collection increases incident blast radius.

Immediate checklist: - Minimize local storage of biometric and ID data. - Review browser-side scripts on login and support forms. - Validate data masking in analytics/replay tools. - Update retention policies for sensitive files and screenshots.

5) Tune detection around ransomware precursors

Interlock guidance should translate into practical telemetry review.

Immediate checklist: - Hunt for unusual use of remote admin tools. - Alert on shadow copy deletion, mass file rename activity, and archive staging. - Review service creation, scheduled task abuse, and admin share access. - Confirm backup immutability and test restores.

Technical Deep Dive

Technical Notes: Hunting for suspicious web requests tied to MRCMS SQL injection attempts

If you operate reverse proxies, WAFs, or app logs, search for requests to the disclosed MRCMS paths with suspicious orderBy values.

# Example grep for suspicious orderBy patterns in access logs
grep -E '(/admin/mall/goods/list|/admin/sys/menu/list|/admin/sys/dict/list)' /var/log/nginx/access.log   
  | grep -Ei 'orderBy=.*(%27|%22|--|union|select|sleep\(|benchmark\(|;|/)'
# Example with zgrep for rotated logs
zgrep -E '(/admin/mall/goods/list|/admin/sys/menu/list|/admin/sys/dict/list)' /var/log/nginx/access.log*   
  | grep -Ei 'orderBy=.*(%27|%22|--|union|select|sleep\(|benchmark\(|;|/)'

Suspicious patterns to review: - orderBy=... union select ... - orderBy=... sleep(5) ... - URL-encoded quotes, comments, or semicolons in sort parameters - Repeated 500 responses on admin list endpoints from the same source IP

Technical Notes: Basic reverse proxy block rule for suspicious orderBy abuse

As a temporary mitigation, defenders can block obvious attack strings at the edge while pursuing a proper application fix.

location ~* ^/admin/(mall/goods/list|sys/menu/list|sys/dict/list)$ {
    if ($arg_orderBy ~* "(union|select|sleep\(|benchmark\(|--|/\*|;|%27|%22)") {
        return 403;
    }
}

This is not a substitute for patching, input validation, and parameterized queries, but it can reduce opportunistic exploitation.

Technical Notes: Finding exposed router admin interfaces

Use external attack surface management or internal scanning to identify HTTP/HTTPS admin interfaces before attackers do.

# Example nmap sweep for common web admin ports on a known subnet
nmap -Pn -sV -p 80,443,8080,8443 192.168.1.0/24
# Example curl header check for a suspected device
curl -k -I https://router-ip-or-hostname/

What to look for: - Vendor-branded login pages - Unauthenticated access to CGI endpoints - Legacy firmware banners - Admin panels accessible from non-management networks

Technical Notes: npm package hygiene and clean rebuild workflow

Where malicious package persistence is suspected, avoid partial cleanup.

# Remove local modules and lockfile, then rebuild from a known-good commit
rm -rf node_modules
rm -f package-lock.json

# Reinstall after validating package.json against source control
npm install
# List dependencies and inspect unexpected additions
npm ls --all
npm audit
# Compare current package manifest to the main branch
git diff origin/main -- package.json package-lock.json

Operational advice: - Rebuild in a clean environment. - Rotate secrets accessible from the compromised build host. - Review shell history, CI variables, and SSH keys if a reverse shell may have executed.

Technical Notes: Sample detections for ransomware precursor activity

Examples below are generic patterns defenders can adapt to SIEM queries.

Process execution indicators:
- vssadmin delete shadows /all /quiet
- wbadmin delete catalog -quiet
- bcdedit /set {default} recoveryenabled no
- 7z.exe, rar.exe, or winrar.exe creating large archives in temp or public directories
- psexec, wmiexec, or remote service creation from unusual admin workstations
File and access indicators:
- Sudden spikes in file rename/write activity
- Access to many shares from a single user or host in a short interval
- New scheduled tasks or services with random names
- Security tooling tamper alerts or service stops

Technical Notes: Help-desk controls for social-engineering-resistant IAM

For organizations concerned about Scattered Spider-style tactics, document and enforce a stricter reset workflow.

Password/MFA reset minimum controls:
1. Verify identity with at least two independent factors not provided by the caller.
2. Do not trust inbound phone number or email alone.
3. Require step-up approval for privileged, executive, or high-risk accounts.
4. Log analyst, timestamp, method, and approval chain for every reset.
5. Generate alert when multiple reset requests target the same user in 24 hours.

Bottom Line

Today’s risk picture is defined by three themes: ransomware readiness, identity-centric intrusion paths, and software or edge-device trust failures. The most practical actions for defenders are to reduce exposure at the network edge, harden account recovery workflows, validate client-side data handling, and treat developer environments as production-relevant attack surface.

If your team only has time for a short sprint today, do these first: 1. Identify any exposed TOTOLINK or Tenda routers and remove remote administration. 2. Review help-desk and MFA reset procedures. 3. Audit recent npm dependency changes and rebuild suspicious projects from clean sources. 4. Search web logs for MRCMS orderBy SQL injection attempts. 5. Validate backup recovery and ransomware telemetry coverage against the Interlock guidance.

This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.

Last verified: 2026-05-28

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.