GlassWorm Hijacks Python Repos via Stolen GitHub Tokens, Stryker Wiper Attack Hits Tens of Thousands, CISA Flags Wing FTP Zero-Day, Oracle EBS Hack Expands
The GlassWorm ForceMemo campaign weaponizes stolen GitHub tokens to inject malware into hundreds of Python repositories. Stryker suffers a devastating wiper attack remotely erasing tens of thousands of employee devices. CISA adds Wing FTP Server flaw to KEV as actively exploited. Oracle EBS breach leaves four corporate giants still silent. UK Companies House confirms months-long data exposure. Plus: DRILLAPP backdoor targets Ukraine via Microsoft Edge, ClickFix campaigns spread MacSync macOS stealer, and VPN credential theft via SEO poisoning.
🐍 GlassWorm ForceMemo: Stolen GitHub Tokens Weaponize Python Repositories
⚠️ CRITICAL — SUPPLY-CHAIN ATTACK — ACTIVE CAMPAIGN
The GlassWorm malware campaign has evolved into ForceMemo — a supply-chain attack using stolen GitHub credentials to inject obfuscated malware into hundreds of Python repositories. Anyone running pip install from a compromised repo or cloning and executing the code triggers the malware. The earliest injections date back to March 8, 2026.
Regulation Impact: CRA Software Supply Chain — NIS2 Supply-Chain Security — EU AI Act (ML Repos at Risk)
The GlassWorm campaign, originally tracked as a VS Code extension compromise, has spawned a dangerous new offshoot dubbed ForceMemo by StepSecurity researchers. The attackers are leveraging GitHub tokens stolen in the original GlassWorm campaign to access developer accounts and inject malicious code into legitimate Python repositories.
The attack methodology is particularly insidious: attackers rebase the latest legitimate commits on the default branch with malicious code, then force-push the changes — critically preserving the original commit message, author, and author date. This means developers reviewing their repository history see nothing unusual. The commits appear to be from the original trusted contributors.
Targeted repositories include Django applications, ML research code, Streamlit dashboards, and PyPI packages. The malware is appended to common entry points like setup.py, main.py, and app.py. The obfuscated payload activates on execution, establishing persistence and exfiltrating credentials.
Why This Is Especially Dangerous
- Invisible to normal review. Force-pushed commits with preserved metadata are nearly impossible to detect through casual code review or GitHub's web interface.
- ML/AI repositories at risk. Machine learning research code is frequently cloned and run without rigorous security review. Under the EU AI Act, organizations deploying AI systems must ensure software supply-chain integrity.
- PyPI packages amplify blast radius. If compromised repositories are published as PyPI packages, the malware spreads to every downstream consumer.
- NIS2 third-party liability. Organizations using open-source Python dependencies in critical infrastructure must now validate that their repositories haven't been compromised by ForceMemo.
⚡ DACH Takeaway
German Mittelstand companies and Swiss research institutions using Python ML pipelines should immediately audit all recently updated GitHub dependencies. Enable GitHub's commit signing enforcement and required status checks. Under NIS2, organizations must demonstrate supply-chain due diligence — a ForceMemo-compromised dependency in production infrastructure could trigger mandatory incident reporting within 24 hours.
🏥 Stryker Wiper Attack Remotely Erases Tens of Thousands of Devices
⚠️ HIGH — DESTRUCTIVE WIPER ATTACK — MEDICAL TECHNOLOGY
Medical technology giant Stryker confirmed that last week's cyberattack was limited to its internal Microsoft environment but resulted in the remote wiping of tens of thousands of employee devices. No malware was deployed — the attackers used legitimate management tools to execute the wipe.
Regulation Impact: NIS2 Healthcare Essential Entities — MDR Medical Devices — DORA (Financial Supply Chain)
Stryker Corporation, one of the world's largest medical technology companies with $20B+ in annual revenue, has disclosed that last week's cyberattack resulted in the remote wiping of tens of thousands of employee devices. In a twist that security researchers find increasingly common, the attackers deployed no traditional malware — instead, they abused legitimate Microsoft management tools already present in Stryker's environment to remotely erase devices.
This "living off the land" approach to destructive attacks is becoming a hallmark of sophisticated threat actors. By using tools that organizations already trust and whitelist — Microsoft Intune, SCCM, or Azure AD device management — attackers can execute devastating operations while evading endpoint detection and response (EDR) solutions.
The attack was contained to Stryker's internal Microsoft environment, and the company has stated that no patient data or medical device systems were affected. However, the operational disruption of wiping tens of thousands of employee workstations across a global enterprise is enormous — impacting supply chain coordination, manufacturing operations, and customer support.
Implications for Healthcare and Medical Device Security
- NIS2 classifies healthcare as essential. Stryker's European operations fall directly under NIS2's essential entities category. A wiper attack of this scale triggers mandatory incident reporting within 24 hours of detection.
- MDR device security implications. While Stryker confirmed medical devices weren't affected, the EU Medical Device Regulation (MDR) requires manufacturers to demonstrate cybersecurity resilience across their entire digital ecosystem.
- Living-off-the-land attacks bypass traditional security. EDR solutions that whitelist Microsoft management tools cannot detect abuse of those same tools. Organizations need behavioral analytics and anomaly detection on privileged management operations.
- Supply-chain impact for hospitals. Stryker supplies surgical instruments, implants, and medical equipment globally. Operational disruption at Stryker can cascade into surgery delays and equipment shortages at hospitals.
⚡ DACH Takeaway
German hospitals and Austrian clinics relying on Stryker equipment should verify their supply chains. Swiss medical device distributors should assess whether Stryker's operational disruption affects delivery timelines. For DACH enterprises: audit your Microsoft Intune and device management policies. If an attacker gains admin access, can they mass-wipe your fleet? Implement conditional access policies, break-glass accounts with hardware tokens, and real-time alerting on bulk device management operations.
📂 CISA Flags Wing FTP Server Flaw as Actively Exploited
⚠️ HIGH — ACTIVELY EXPLOITED — ADDED TO KEV
CISA has warned U.S. government agencies to secure their Wing FTP Server instances against an actively exploited vulnerability that may be chained in remote code execution attacks. The flaw has been added to the Known Exploited Vulnerabilities (KEV) catalog.
Regulation Impact: NIS2 Vulnerability Management — CISA BOD 22-01 — BSI Critical Infrastructure
The Cybersecurity and Infrastructure Security Agency (CISA) has added a Wing FTP Server vulnerability to its Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. Wing FTP Server is a popular cross-platform FTP server used by enterprises for secure file transfer operations.
The vulnerability can be chained with other flaws to achieve remote code execution, making it particularly dangerous for organizations that expose FTP services to the internet. CISA's Binding Operational Directive (BOD) 22-01 requires federal agencies to patch KEV-listed vulnerabilities within strict timelines.
File transfer services have become a prime target for attackers in recent years, with the MOVEit, GoAnywhere, and Accellion breaches demonstrating the devastating consequences of compromised file transfer infrastructure. Wing FTP Server now joins this growing list of targeted file transfer platforms.
File Transfer Security Under Regulatory Pressure
- NIS2 mandates vulnerability management. Organizations using Wing FTP Server in critical infrastructure or essential services must patch immediately and document their response under NIS2's vulnerability handling requirements.
- BSI should issue guidance. The German Federal Office for Information Security (BSI) should assess Wing FTP Server usage in German critical infrastructure and issue patching advisories.
- File transfer platforms are high-value targets. These systems by definition handle sensitive data being moved between organizations. A compromise grants access to data in transit — often bypassing encryption at rest protections.
⚡ DACH Takeaway
DACH organizations using Wing FTP Server should patch immediately and audit access logs for signs of exploitation. Consider migrating to hardened managed file transfer solutions with built-in intrusion detection. Under NIS2, any exploitation of file transfer infrastructure handling personal or classified data triggers mandatory breach notification.
🏢 Oracle EBS Hack: Four Corporate Giants Still Silent
⚠️ HIGH — DATA BREACH — ENTERPRISE ERP
The Oracle E-Business Suite (EBS) hack continues to expand in scope. Broadcom, Bechtel, Estée Lauder, and Abbott Technologies are the only major companies that have yet to issue a public statement on potential impact. The breach targeted Oracle's enterprise resource planning platform used by thousands of Fortune 500 companies.
Regulation Impact: GDPR Data Breach Notification — NIS2 Incident Reporting — SOX Financial Systems
The Oracle E-Business Suite breach that surfaced in recent weeks continues to send shockwaves through enterprise IT. While most affected organizations have now issued public statements confirming or denying impact, four major corporations remain silent: Broadcom (semiconductor giant), Bechtel (global engineering), Estée Lauder (cosmetics conglomerate), and Abbott Technologies (medical devices).
Oracle EBS is a comprehensive ERP system handling financials, supply chain, HR, and manufacturing operations. A breach of EBS potentially exposes financial records, employee data, supplier information, and manufacturing secrets. The silence from these four companies is particularly concerning given their regulatory obligations.
Regulatory Implications of Silence
- GDPR requires 72-hour notification. If EU personal data was exposed, affected companies must notify supervisory authorities within 72 hours of becoming aware. Extended silence raises questions about compliance.
- NIS2 incident reporting. Companies operating in NIS2-regulated sectors (Broadcom in digital infrastructure, Abbott in healthcare) face mandatory 24-hour early warning and 72-hour incident notification requirements.
- SOX compliance for financial systems. Oracle EBS handles financial data subject to Sarbanes-Oxley. A breach of financial ERP systems may require disclosure in SEC filings.
- Supply-chain exposure. Each of these companies has thousands of suppliers and partners whose data may reside in the compromised EBS instances.
⚡ DACH Takeaway
DACH enterprises using Oracle EBS should conduct immediate forensic assessments of their instances, even if not directly named. Oracle EBS is widely deployed in German automotive, Austrian manufacturing, and Swiss pharmaceutical sectors. Check for indicators of compromise shared by Oracle's security team. Under GDPR and NIS2, proactive assessment is not optional — it's a regulatory obligation.
🇬🇧 UK Companies House Confirms Months-Long Data Exposure
Regulation Impact: UK Data Protection Act — GDPR Adequacy — NIS2 Government Services
Companies House, the British government agency operating the registry for all UK companies, has confirmed that its WebFiling service exposed business data due to a security flaw that persisted since October 2025. The service was taken offline Friday to fix the vulnerability and has since been restored.
The months-long exposure of company registration data — including director details, registered addresses, and filing information — represents a significant government data protection failure. While company registration data is largely public, the flaw may have exposed additional information not intended for public access, and the extended timeline raises serious questions about vulnerability detection capabilities in government digital services.
🇺🇦 DRILLAPP Backdoor Targets Ukraine via Microsoft Edge Debugging
Regulation Impact: EU Cyber Solidarity Act — NATO Cooperative Cyber Defence
Ukrainian entities are being targeted by a new campaign linked to Russian threat actors, deploying a JavaScript-based backdoor dubbed DRILLAPP. The campaign, attributed to Laundry Bear (UAC-0190/Void Blizzard), uses judicial and charity-themed lures to deploy the backdoor through Microsoft Edge browser debugging features.
DRILLAPP is capable of uploading and downloading files, capturing microphone audio, and taking webcam images — all leveraging the web browser's built-in capabilities. By running through Edge's debugging interface, the malware avoids traditional endpoint detection that monitors executable files and system calls.
Two campaign iterations have been identified: the first using Windows shortcut (LNK) files, and a refined version using HTML application (HTA) files. The use of browser debugging as a persistence and C2 mechanism represents an evolution in espionage tooling.
🍎 ClickFix Campaigns Spread MacSync macOS Stealer
Regulation Impact: CRA Consumer Product Security — EU Digital Markets Act
Three distinct ClickFix campaigns are distributing the MacSync macOS information stealer through fake AI tool installers. The campaigns rely entirely on social engineering — tricking users into copying and executing obfuscated terminal commands — making them particularly effective against non-technical users.
Key campaigns identified by Sophos researchers:
- November 2025: Fake "OpenAI Atlas" browser bait via sponsored Google search results, directing users to fake Google Sites pages.
- Subsequent campaigns: Similar lures using AI tool themes to exploit user interest in AI applications.
The ClickFix technique — getting users to voluntarily execute malicious commands — bypasses all traditional security controls because the user themselves initiates the action. This social engineering approach has been flagged by Jamf Threat Labs as an emerging macOS threat vector.
🔐 VPN Credential Theft Campaign Targets Enterprise Users
Regulation Impact: NIS2 Access Control — DORA Authentication Security
Microsoft has identified threat actor Storm-2561 distributing fake VPN clients through SEO poisoning techniques. The campaign deploys trojans disguised as legitimate VPN applications to steal enterprise login credentials.
By poisoning search engine results for popular VPN clients, the attackers target users searching for VPN software — often remote workers setting up access to corporate networks. The fake clients install functional VPN software alongside credential-stealing malware, making the compromise difficult to detect.
📊 Quick Hits
- HPE AOS-CX Critical Vulnerability: A critical flaw in HPE Aruba AOS-CX network switches allows unauthenticated remote admin password resets. Patch immediately if running AOS-CX infrastructure.
- Microsoft Exchange Online Outage: Exchange Online experienced an outage blocking mailbox and calendar access. While not a security incident, it underscores dependency risks on cloud email infrastructure.
- Iran-Linked Hackers Expand Targeting: Pro-Iranian hacker groups are stretching operations from Middle Eastern targets into U.S. defense contractors, power stations, and water plants during ongoing regional conflict.
- Security Firm Executive Phished: A sophisticated phishing attack targeted a security firm executive using DKIM-signed emails, trusted redirect infrastructure, and Cloudflare-protected phishing pages — proving that security professionals are not immune.
- Starbucks Employee Data Breach: Phishing attacks targeting a Starbucks employee portal have affected hundreds of employees' personal data.
- Loblaw Customer Data Breach: Canadian grocery giant Loblaw confirms hackers accessed customer names, email addresses, and phone numbers.
- Betterleaks Open-Source Scanner: A new open-source secrets scanner called Betterleaks aims to replace Gitleaks with improved detection using customizable rules.