← Back to Security Blog
Security Briefing 8 min read

Hospital Ransomware Shuts 36 Clinics + Wormable XMRig Spreads via Air-Gap

Mississippi hospital system closes all 36 clinics after ransomware attack. Wormable XMRig cryptojacker spreads to air-gapped systems via USB. PayPal breach exposed SSNs for 6 months. Hundreds of FortiGate firewalls hacked with AI. Malicious npm supply chain worm targets AI coding assistants.


Critical: Ransomware Shuts Down Entire Hospital System

University of Mississippi Medical Center — All Clinics Closed

A ransomware attack forced the University of Mississippi Medical Center to close all ~36 clinics statewide and cancel elective procedures. Patient care is actively disrupted.

This is one of the most impactful healthcare ransomware incidents this year. The attack demonstrates that ransomware operators continue to target critical healthcare infrastructure without hesitation.

Healthcare organizations should ensure:


Wormable XMRig Campaign Jumps Air-Gaps

BYOVD Exploit + USB Propagation + Time-Based Logic Bomb

Trellix researchers discovered a sophisticated cryptojacking campaign that spreads like a worm via external storage devices, enabling lateral movement even in air-gapped environments.

Key technical details:

Organizations with air-gapped networks should enforce strict removable media policies and monitor for unusual CPU consumption patterns.


Hundreds of FortiGate Firewalls Hacked with AI

AI-Powered Attacks Targeting Exposed Ports and Weak Credentials

AWS reports that threat actors leveraging AI-assisted techniques have compromised hundreds of FortiGate firewall devices by exploiting exposed management ports and weak credentials.

Attack Vector Mitigation
Exposed management interfaces Restrict to internal/VPN-only access
Default/weak credentials Enforce MFA + strong password policies
AI-automated reconnaissance Rate-limit and monitor auth attempts

This follows last week's reporting on a Russian-speaking hacker breaching 600+ FortiGate devices — the campaign is clearly expanding.


npm Supply Chain Worm Targets AI Coding Assistants

SANDWORM_MODE: 19+ Malicious Packages with MCP Server Injection

Socket discovered an active supply chain worm campaign using at least 19 malicious npm packages that harvest credentials, crypto keys, and now specifically target AI coding assistants via MCP server injection.

New capabilities in this wave:

Developers using AI coding assistants (Copilot, Cursor, etc.) should audit their npm dependencies and review MCP server configurations immediately.


PayPal Breach: SSNs Exposed for 6 Months

Application Error Led to Fraudulent Transactions

PayPal has disclosed that an application error exposed customer personal information — including Social Security numbers — for nearly 6 months, leading to fraudulent transactions.

The prolonged exposure window is concerning. Affected users should:


More Headlines

Healthcare Diagnostic Firm Breach — 140K Affected

US healthcare firm Vikor Scientific (now Vanta Diagnostics) confirms 140,000 individuals affected by a data breach. The Everest ransomware group has claimed responsibility.

Mental Health Apps: 14.7M Downloads, Zero Security

Multiple mental health apps on Google Play with 14.7 million combined installs found to contain severe security vulnerabilities that could expose users' sensitive medical information.

Grandstream Phone RCE — CVE-2026-2329

Critical vulnerability in Grandstream VoIP phones allows unauthenticated remote code execution with root privileges. Calls can be intercepted. Patch immediately.

Spain Arrests Hacktivist Group

Spanish authorities arrested four alleged members of Anonymous Fenix for DDoSing government ministries, political parties, and public institutions.

Ukrainian Sentenced for North Korean IT Fraud

Oleksandr Didenko received 5 years in US prison for selling stolen US identities to North Korean operatives, enabling them to get hired on freelance platforms.


Vulnerability Watch

Product Issue Status
BeyondTrust (CVE-2026-1731) RCE exploited in ransomware attacks 🔴 Active exploitation
RoundCube Webmail XSS via SVG animate tags 🔴 Active exploitation
Grandstream Phones (CVE-2026-2329) Unauth RCE with root 🟡 Patch available
FortiGate Firewalls AI-assisted credential attacks 🔴 Mass exploitation

Breaches & Ransomware

Target Impact Actor
Univ. of Mississippi Medical Center 36 clinics closed, procedures cancelled Ransomware (TBD)
Vanta Diagnostics (Vikor) 140,000 individuals affected Everest
PayPal SSNs exposed 6 months, fraud occurred Application error
Optimizely Customer data via vishing attack Social engineering

Law enforcement wins: Romanian hacker Catalin Dragomir pleaded guilty to selling access to an Oregon state government network. FBI reports $20M in losses from 700 ATM jackpotting attacks using Ploutus malware in 2025.


Today's Numbers

Metric Value
Hospital clinics shut down 36
Mental health app installs at risk 14.7M
PayPal SSN exposure duration ~6 months
Malicious npm packages (SANDWORM_MODE) 19+
FortiGate devices compromised Hundreds
ATM jackpotting losses (2025) $20M

Today's Priorities

  1. PATCH: BeyondTrust CVE-2026-1731 + RoundCube + Grandstream phones
  2. LOCK DOWN: FortiGate management interfaces — disable external access immediately
  3. AUDIT: npm dependencies for SANDWORM_MODE indicators; review MCP server configs
  4. MONITOR: Healthcare sector — expect copycat attacks following Mississippi incident
  5. REVIEW: Removable media policies for air-gapped environments (XMRig worm)

Protect Your Organization with KENSAI

AI-powered vulnerability management with 333,000+ CVEs indexed.

Start Free Scan

Stay secure. Stay vigilant.

🗡️ KENSAI Security Team

🛡️ Is your website secure?

Discover vulnerabilities before attackers do.

Scan your website for free →