
Dragon Sight: Emerging Threats & Security Strategies

WEEK OF SEPT 7, 2025 | ISSUE 15 | "Stay informed. Stay prepared. Stay secure with Dragon Sight"

This Week in Issue

This week highlights how attackers are exploiting weak links in both developer ecosystems and enterprise platforms. Malicious npm packages are being weaponized to steal crypto assets, CISA flagged WhatsApp and TP-Link vulnerabilities as actively exploited, and Microsoft has enforced mandatory MFA across Azure tenants. Most concerning, researchers confirmed in-the-wild exploitation of a critical SAP S/4HANA flaw that enables full system compromise with minimal effort. For SMBs, the lesson is clear: dependency hygiene, patch discipline, and identity security must remain top priorities.

CYBER NEWS ROUNDUP

Nexus-Dragon Cybersecurity Roundup: News Articles from Around the Web Relevant to the SMB

Malicious npm Packages Impersonate Flashbots, Steal Ethereum Wallet Keys
A group of npm packages disguised as Flashbots tools exfiltrate Ethereum wallet keys and mnemonic seeds to attacker-controlled channels. Still available in the npm registry, they pose a major supply-chain risk for developers in Web3 and blockchain sectors. Nexus-Dragon stresses that SMBs using open-source libraries must audit dependencies regularly, as even one compromised package can lead to financial loss.
Read more: The Hacker News

Malicious npm Package nodejs-smtp Mimics Nodemailer to Target Wallets
The nodejs-smtp package, posing as nodemailer, infects Windows systems and tampers with Electron-based crypto wallets, redirecting transactions to attackers. The attack leverages legitimate app behavior to evade detection. SMBs developing or using Electron applications should validate all dependencies to prevent hidden malware insertion.
Read more: The Hacker News

CISA Adds TP-Link and WhatsApp Flaws to KEV Catalog Amid Active Exploitation
CISA confirmed that both a Wi-Fi extender flaw and a zero-click WhatsApp bug are under exploitation. The TP-Link flaw allows attackers to take over devices on the same network, while the WhatsApp issue enables spyware installation on iOS and macOS. Nexus-Dragon recommends SMBs retire unsupported hardware and ensure mobile apps are kept fully updated.
Read more: The Hacker News

Government Alerts & ICS Advisories

Cyber Hygiene

  • Audit all npm and open-source dependencies to identify impersonated or malicious packages.

  • Retire or replace unsupported TP-Link devices; hardware that no longer receives firmware updates cannot be patched against the actively exploited flaw.

  • Keep WhatsApp on iOS and macOS fully patched to block zero-click spyware.

  • Enforce multi-factor authentication across all accounts, with priority on Azure and cloud services.

  • Verify third-party Electron-based applications for signs of tampering before deployment.

  • Monitor SAP systems for unusual activity and ensure all security patches are applied promptly.

  • Apply least-privilege access controls to limit attacker movement within networks.

  • Enable detailed logging and maintain continuous monitoring of authentication events.
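As an added example (not code from the newsletter or from any project named above), the following Python script implements the dependency audit the list calls for against an npm lockfile. It reads the `packages` map written by lockfile versions 2 and 3 and flags four red flags: packages that run install-time scripts (`hasInstallScript`), packages with no `integrity` hash pinned, tarballs resolved from a host other than registry.npmjs.org, and names within two edits of a watchlist of well-known packages (the typosquat pattern behind look-alikes such as the nodemailer impersonation above). The sample lockfile, the watchlist, and the package names `nodemaller` and `build-helper` are constructed for the example.

```python
"""Audit an npm lockfile (lockfileVersion 2/3 "packages" map) for supply-chain red flags.

Added example. SAMPLE_LOCK, WATCHLIST and the package names it contains are
constructed for illustration; pass a real path to audit your own package-lock.json.
"""
import json
import sys
from urllib.parse import urlparse

# Well-known packages whose look-alikes we want to catch (constructed watchlist;
# seed it with your own direct dependencies).
WATCHLIST = {"nodemailer", "express", "lodash", "ethers", "web3"}
TRUSTED_REGISTRY_HOSTS = {"registry.npmjs.org"}
LOOKALIKE_MAX_EDITS = 2

# Constructed lockfile: one legitimate dependency, one look-alike name,
# one package with an install script pulled from a non-registry host.
SAMPLE_LOCK = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"nodemailer": "^6.9.0"}},
        "node_modules/nodemailer": {
            "version": "6.9.14",
            "resolved": "https://registry.npmjs.org/nodemailer/-/nodemailer-6.9.14.tgz",
            "integrity": "sha512-CONSTRUCTED-HASH",
        },
        "node_modules/nodemaller": {
            "version": "1.0.3",
            "resolved": "https://registry.npmjs.org/nodemaller/-/nodemaller-1.0.3.tgz",
            "integrity": "sha512-CONSTRUCTED-HASH",
        },
        "node_modules/build-helper": {
            "version": "0.1.0",
            "resolved": "https://cdn.example.net/build-helper-0.1.0.tgz",
            "hasInstallScript": True,
        },
    },
}


def edit_distance(a, b):
    """Levenshtein distance; a small value against a watchlisted name suggests a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def package_name(path):
    """Lockfile keys are paths; nested deps look like 'node_modules/a/node_modules/@s/b'."""
    return path.rsplit("node_modules/", 1)[-1]


def audit_lockfile(lock):
    """Return (package, check, detail) tuples for every red flag found."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project itself
            continue
        name = package_name(path)
        if meta.get("hasInstallScript"):
            findings.append((name, "install-script", "runs code during npm install"))
        if "integrity" not in meta:
            findings.append((name, "no-integrity", "no tarball hash pinned in lockfile"))
        host = urlparse(meta.get("resolved", "")).hostname or ""
        if host and host not in TRUSTED_REGISTRY_HOSTS:
            findings.append((name, "untrusted-source", f"resolved from {host}"))
        for known in WATCHLIST:
            if name != known and edit_distance(name, known) <= LOOKALIKE_MAX_EDITS:
                findings.append((name, "lookalike", f"within {LOOKALIKE_MAX_EDITS} edits of {known}"))
    return findings


if __name__ == "__main__":
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    for pkg, check, detail in audit_lockfile(lock):
        print(f"{check:17} {pkg:20} {detail}")
```

A clean run is not proof of safety: the look-alike check only catches names spelled close to the watchlist, and the nodejs-smtp package above impersonated nodemailer by description rather than by spelling. Treat install scripts and off-registry sources as the higher-signal findings, and review anything flagged before the next install.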

Why This Matters
Attackers are combining supply-chain compromises with zero-click exploits, creating pressure on defenders to secure both development pipelines and user endpoints. With Microsoft now enforcing MFA across Azure and SAP vulnerabilities actively exploited, the standard for “basic cyber hygiene” has moved higher. For SMBs with limited resources, survival depends on prioritizing patching, enforcing MFA, and maintaining strict control over software dependencies.
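The Azure MFA mandate and the logging item above translate into two checks a defender can run on sign-in telemetry. This Python example is added here (it is not from the newsletter or from Microsoft) and works over records shaped like the Microsoft Graph `signIn` resource (`userPrincipalName`, `ipAddress`, `createdDateTime`, `authenticationRequirement`, `status.errorCode`); the records themselves are constructed and the thresholds are assumptions to tune. It flags successful sign-ins that completed with single-factor authentication only (accounts or flows still outside enforcement) and one source IP producing invalid-credential failures (error code 50126) against several distinct users inside a short window, the classic password-spray shape.

```python
"""Review sign-in records for MFA gaps and password-spray activity.

Added example. Records mirror the field names of the Microsoft Graph signIn
resource (userPrincipalName, ipAddress, createdDateTime, authenticationRequirement,
status.errorCode); SAMPLE_EVENTS and the thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SPRAY_MIN_USERS = 3                  # distinct accounts one IP must fail against
SPRAY_WINDOW = timedelta(minutes=10)
ERR_BAD_CREDENTIALS = 50126          # invalid username or password


def _event(ts, upn, ip, requirement, code):
    return {"createdDateTime": ts, "userPrincipalName": upn, "ipAddress": ip,
            "authenticationRequirement": requirement, "status": {"errorCode": code}}


# Constructed sample: one single-factor success, one MFA success, one stray failure,
# and four failures from a single IP against four accounts in about four minutes.
SAMPLE_EVENTS = [
    _event("2025-09-08T09:00:00Z", "alice@example.com", "203.0.113.10", "singleFactorAuthentication", 0),
    _event("2025-09-08T09:01:00Z", "bob@example.com", "203.0.113.10", "multiFactorAuthentication", 0),
    _event("2025-09-08T09:02:00Z", "bob@example.com", "203.0.113.10", "singleFactorAuthentication", ERR_BAD_CREDENTIALS),
    _event("2025-09-08T10:00:00Z", "carol@example.com", "198.51.100.7", "singleFactorAuthentication", ERR_BAD_CREDENTIALS),
    _event("2025-09-08T10:01:30Z", "dave@example.com", "198.51.100.7", "singleFactorAuthentication", ERR_BAD_CREDENTIALS),
    _event("2025-09-08T10:03:00Z", "erin@example.com", "198.51.100.7", "singleFactorAuthentication", ERR_BAD_CREDENTIALS),
    _event("2025-09-08T10:04:10Z", "alice@example.com", "198.51.100.7", "singleFactorAuthentication", ERR_BAD_CREDENTIALS),
]


def parse_time(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def single_factor_successes(events):
    """Successful sign-ins that never reached an MFA challenge: accounts or flows still
    outside enforcement (break-glass accounts, legacy protocols, policy exclusions)."""
    return [e for e in events
            if e["status"]["errorCode"] == 0
            and e["authenticationRequirement"] == "singleFactorAuthentication"]


def password_sprays(events, min_users=SPRAY_MIN_USERS, window=SPRAY_WINDOW):
    """Map source IP -> sorted users when one IP fails credentials against
    at least min_users distinct accounts within any span of length window."""
    by_ip = defaultdict(list)
    for e in events:
        if e["status"]["errorCode"] == ERR_BAD_CREDENTIALS:
            by_ip[e["ipAddress"]].append((parse_time(e["createdDateTime"]), e["userPrincipalName"]))
    hits = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_users:
                hits[ip] = sorted(users)
                break
    return hits


if __name__ == "__main__":
    for e in single_factor_successes(SAMPLE_EVENTS):
        print("single-factor success:", e["userPrincipalName"], "from", e["ipAddress"])
    for ip, users in password_sprays(SAMPLE_EVENTS).items():
        print("possible password spray from", ip, "against", ", ".join(users))
```

The single-factor list is the more important output once a tenant believes MFA is enforced: every entry is an account or protocol the policy is not covering. The spray detector keys on source IP, so rotate the grouping key to user agent or ASN if the attacker distributes across addresses.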

Vulnerability Deep Dive

Threat Intelligence Brief: SAP S/4HANA CVE-2025-42957 Exploitation

Overview
CVE-2025-42957 is a critical ABAP code injection flaw in SAP's S/4HANA ERP software, rated CVSS 9.9. An authenticated attacker holding only low-privileged access can inject ABAP code, leading to full compromise of both the SAP application layer and the underlying operating system. Researchers at SecurityBridge and Pathlock confirmed exploitation is already occurring in the wild, affecting both private cloud and on-premise deployments.

Threat Actor Profile
No confirmed attribution at this time. Current evidence suggests opportunistic exploitation by financially motivated attackers scanning for unpatched SAP systems. Because the flaw requires valid low-privileged credentials, an insider, or an attacker who has already obtained an account inside the environment, is also a realistic source of exploitation.

Tools and Techniques

  • Exploitation of RFC-exposed function modules.

  • Injection of ABAP code for privilege escalation and persistence.

  • Abuse of low-privileged accounts to bypass authorization controls.

Mapped MITRE ATT&CK Techniques

  • T1059: Command and Scripting Interpreter (injected ABAP; ATT&CK has no ABAP sub-technique, so map to the parent technique rather than T1059.007, which is JavaScript)

  • T1190: Exploit Public-Facing Application

  • T1068: Exploitation for Privilege Escalation

  • T1078: Valid Accounts

Technical Summary

  • Vulnerable versions: S4CORE 102–108.

  • Root cause: improper control of code generation (CWE-94).

  • Exploit chain: attacker authenticates with low privileges → injects ABAP → escalates → gains OS-level control.

  • SAP Security Note 3627998 addresses the issue, but researchers report the fix is easy to reverse-engineer into a working exploit, shortening the window before patching.

Recent Exploitation Activity

  • SecurityBridge confirmed verified in-the-wild abuse.

  • Pathlock observed anomalous activity consistent with exploit attempts.

  • Exploitation has not yet reached mass scale but is confirmed active.

IOCs / Observed Hosts
No public indicators of compromise have been released by SAP, SecurityBridge, or Pathlock as of this writing.

Tags Associated with Activity
SAP, ABAP Injection, CVE-2025-42957, ERP Exploitation

Strategic Implications
ERP platforms underpin core operations across industries. A compromise can disrupt supply chains, financials, and HR processes. For SMBs using SAP, exploitation could cause crippling downtime or regulatory exposure. The ease of exploitation raises concern that this will soon be weaponized at scale.

Defensive Recommendations

  • Apply SAP Security Note 3627998 immediately.

  • Restrict RFC exposure and monitor for unusual ABAP code execution.

  • Enforce least privilege on SAP accounts.

  • Audit SAP logs for unauthorized code injections or privilege escalations.

  • Segment ERP systems from internet-facing environments.
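To make "monitor for unusual ABAP code execution" and "audit SAP logs" concrete, here is an added Python example (not the newsletter's, SAP's, SecurityBridge's or Pathlock's code). It baselines which RFC function modules each role normally calls, and from which hosts each user normally connects, over a known-good window, then flags review-window calls that fall outside that baseline and ranks users by how many unfamiliar modules they touched, the pattern a low-privileged account probing exposed RFC modules would produce. The comma-separated log layout, the role names and the `Z_*` function-module names are constructed for the example and are not SAP's own log format; in practice you would feed it records exported from your SAP audit logging after mapping the fields.

```python
"""Baseline RFC function-module usage per SAP role and flag deviations.

Added example. The comma-separated layout (timestamp,user,role,source_host,fm),
the roles and the Z_* module names are constructed; they are not SAP's log format.
"""
from collections import defaultdict

# Known-good window: what each role normally calls, from which hosts (constructed).
BASELINE_LOG = [
    "2025-08-01T08:00:00Z,jdoe,DISPLAY_ONLY,10.20.1.15,Z_SD_ORDER_LIST",
    "2025-08-01T08:05:00Z,jdoe,DISPLAY_ONLY,10.20.1.15,Z_MM_STOCK_READ",
    "2025-08-01T08:07:00Z,asmith,WAREHOUSE,10.20.2.8,Z_MM_STOCK_READ",
    "2025-08-01T08:09:00Z,asmith,WAREHOUSE,10.20.2.8,Z_MM_GOODS_ISSUE",
]

# Review window: a display-only account reaching modules its role never used,
# from a host it never used, at an odd hour (constructed).
REVIEW_LOG = [
    "2025-09-08T02:10:00Z,jdoe,DISPLAY_ONLY,203.0.113.44,Z_CODEGEN_DEMO",
    "2025-09-08T02:10:05Z,jdoe,DISPLAY_ONLY,203.0.113.44,Z_SYS_INFO",
    "2025-09-08T02:10:09Z,jdoe,DISPLAY_ONLY,203.0.113.44,Z_RFC_PROBE",
    "2025-09-08T08:00:00Z,jdoe,DISPLAY_ONLY,10.20.1.15,Z_SD_ORDER_LIST",
    "2025-09-08T08:02:00Z,asmith,WAREHOUSE,10.20.2.8,Z_MM_GOODS_ISSUE",
]


def parse(lines):
    """Split the constructed CSV layout into dicts."""
    events = []
    for line in lines:
        ts, user, role, host, fm = line.split(",")
        events.append({"ts": ts, "user": user, "role": role, "host": host, "fm": fm})
    return events


def build_baseline(events):
    """Per-role set of called modules and per-user set of source hosts."""
    role_fms, user_hosts = defaultdict(set), defaultdict(set)
    for e in events:
        role_fms[e["role"]].add(e["fm"])
        user_hosts[e["user"]].add(e["host"])
    return role_fms, user_hosts


def review(events, baseline):
    """Return (user, fm, reasons) for each call outside the baseline."""
    role_fms, user_hosts = baseline
    findings = []
    for e in events:
        reasons = []
        if e["fm"] not in role_fms.get(e["role"], set()):
            reasons.append("off-baseline-fm")   # this role never called this module
        if e["host"] not in user_hosts.get(e["user"], set()):
            reasons.append("new-source-host")   # this user never connected from here
        if reasons:
            findings.append((e["user"], e["fm"], tuple(reasons)))
    return findings


def rank_users(findings):
    """(count, user) sorted high to low: many distinct unfamiliar modules from one
    account looks like probing of the exposed RFC surface rather than a one-off."""
    per_user = defaultdict(set)
    for user, fm, reasons in findings:
        if "off-baseline-fm" in reasons:
            per_user[user].add(fm)
    return sorted(((len(fms), user) for user, fms in per_user.items()), reverse=True)


if __name__ == "__main__":
    baseline = build_baseline(parse(BASELINE_LOG))
    findings = review(parse(REVIEW_LOG), baseline)
    for finding in findings:
        print(finding)
    print("ranking:", rank_users(findings))
```

Build the baseline from a window you have reason to trust (before the first public reports of exploitation, and after the last role redesign), and rebuild it after the patch is applied so the review keeps running against current behaviour rather than a stale allowlist.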

Threat Modeling Summary

  • Likely Targets: SMBs and enterprises running SAP S/4HANA (on-premise or private cloud).

  • Attacker Goals: System takeover, data theft, operational disruption.

  • Attack Vector: Exploitation of unpatched RFC modules using low-privileged access.

Why This Matters
SAP compromises affect the backbone of business operations. With confirmed in-the-wild exploitation and an easily reverse-engineered patch, time is limited. SMBs relying on SAP must treat this as an immediate priority or risk full operational compromise.

Disclaimer
Findings are based on open-source intelligence and vendor reporting. Organizations should validate their own exposure and act accordingly.

Discover the Nexus-Dragon Ecosystem

Explore Everything at Nexus-Dragon.com. Your Launchpad for Elite Cybersecurity Training and Business-Grade Protection

Comprehensive Learning Subscription (CLS)
The CLS program is more than just certification prep: it's a full-spectrum, 4-year guided learning pathway for professionals committed to mastering information security and gaining long-term expertise in the field.

www.nexus-dragon.com

Included in CLS:

  • Full prep and resources for CISSP, CEH, CASP+, GBK, and Cyber Training certifications

  • Access to interactive cloud security labs, recorded workshops, and scheduled mentorship

  • Built-in progress tracking, skill assessments, and a structured roadmap to job-ready proficiency

  • Complimentary access to our Basic Cyber Operations (BCO) course for foundational knowledge in network security and incident response

Dragon Armor Cybersecurity Suite
Tailored for small and mid-sized businesses, Dragon Armor delivers serious protection without the complexity of big-ticket enterprise tools. It's everything you need to secure your environment, designed to scale as you grow.

Included with Dragon Armor:

  • AI-driven threat detection, endpoint security, and real-time response

  • Built-in alignment with HIPAA, NIST Cybersecurity Framework (CSF), and ISO 27001

  • Guided onboarding and a full cybersecurity risk assessment to identify gaps

  • Multi-year price lock and flexible plans that grow with your organization’s needs

Stay Ahead of Cyber Threats

Nexus-Dragon’s Curated Threat Intelligence Service delivers real-time, tailored insights focused on your risks, your industry, and your assets. We cut through the noise to give you high-confidence IOCs, mapped MITRE ATT&CK techniques, and strategic recommendations so you can act fast and stay protected. Get intelligence built for action.

Dragon Armor Advisors (DAA) by Nexus-Dragon takes the hassle out of hiring by recruiting, vetting, and managing elite cybersecurity professionals for you. From analysts to compliance leads, our mission-ready experts, many from NSA, DoD, and CISA, integrate seamlessly into your team with zero long-term risk. Fill your security gaps fast. www.nexus-dragon.com

Tenable Nessus® Expert is the gold standard for vulnerability assessment—built for security teams facing limited resources and a fast-changing threat landscape. It automates point-in-time assessments to help you quickly find, prioritize, and remediate vulnerabilities across operating systems, devices, and applications.
Discover how Nessus Expert can strengthen your defenses.


Optery helps businesses and individuals automatically remove their private information from hundreds of data broker websites—reducing exposure to phishing, identity theft, and targeted attacks. It’s a powerful privacy protection platform ideal for SMBs looking to safeguard executives, employees, or clients.
Learn more →


Monday: Streamline your cybersecurity projects and team workflows. Monday is the flexible work OS built to help small businesses and IT teams stay organized, aligned, and efficient. From managing incident response tasks to tracking compliance milestones, Monday makes it easy to visualize progress and stay ahead of threats.
Learn more →

Ready to move forward?
For full details, customized walkthroughs, or to begin onboarding, contact our team at:
Or explore our solutions directly at:

A Comprehensive Training and Security Platform

Nexus-Dragon stands apart by delivering more than just tools—it builds defenders. We combine cybersecurity training, information security, and real-world operations into one platform. Our focus spans network security, cloud security, and endpoint security, with added strength in penetration testing, incident response, and risk management. Every service is tied to core standards like the NIST Cybersecurity Framework, ISO 27001, PCI-DSS, HIPAA, and GDPR, ensuring both compliance and resilience.

Advanced Operations and Intelligence

Our operations cover the full spectrum of modern defense. The Nexus-Dragon team runs advanced security operations, integrating endpoint detection and response (EDR), extended detection and response (XDR), SIEM, and SOAR to catch and contain threats quickly. Capabilities include threat hunting, cyber threat intelligence, and vulnerability management, while our security architecture applies zero trust, multi-factor authentication (MFA), single sign-on (SSO), and identity governance to protect critical digital identity systems.

TELL US HOW WE’RE DOING!

Your feedback is VERY valuable! Let us know how we can improve future issues.

The information provided is for general purposes only and is accurate to the best of our knowledge. We do not guarantee its accuracy or reliability and are not responsible for any outcomes resulting from its use. This post contains affiliate links, meaning we may earn a commission if you purchase through them, at no additional cost to you. Written with the help of our little A.I!

All trademarks belong to their respective owners.

CONTACT US

📞 850-684-0278