Threat Analysis: Fox Tempest Malware-Signing Service, Supply Chain npm Attacks, and a Maximum-Severity Cisco Flaw

Hello, Mauven here.

This is your Daily Threat Analysis for 21st May 2026.

Today has three stories worth your attention. Two of them are about the same underlying problem: your trust in software is being weaponised against you. The third is a straightforward critical patch that needs to happen today.


Fox Tempest: When Malware Comes With a Valid Signature

Microsoft published its exposure of Fox Tempest on Monday, and it deserves more attention than it has received.

Fox Tempest is a financially motivated threat actor running what can only be described as a professional service. They abuse Microsoft Artifact Signing to generate fraudulent code-signing certificates, and they sell access to those certificates to other criminal groups. The customers include ransomware operators. The confirmed downstream actor is Akira.

The number that matters here: over one thousand fraudulent certificates generated. Hundreds of associated fake personas and infrastructure to support them.

What the advisory says is that this is a malware-signing service. What it does not spell out is what that means practically for most UK businesses.

The majority of endpoint security deployed by SMBs, whether managed by an IT provider or in-house, relies heavily on signature-based detection and reputation scoring. A signed binary from what appears to be a legitimate publisher carries implicit trust in most environments. Windows Defender allows it. Many EDR products reduce their scrutiny of it. The certificate chains back to something that looked legitimate when it was issued.

This is not new as a technique. It is the scaling and commercialisation of it that has changed. Fox Tempest is not using this to target one organisation. They are running it as a business, selling to whoever pays. That means the same infrastructure that delivered ransomware to a US enterprise last month can be used to deliver it to a professional services firm in Leeds next week.

The NCSC has published guidance on the risks of over-relying on signature-based controls. The fact that a threat actor has now built a commercial operation specifically designed to defeat those controls tells you how far that guidance still has to travel.

What to do: Ask your endpoint security provider directly whether their product has behavioural detection that operates independently of code-signing status. If they say yes, ask for evidence. If your organisation's controls would treat a signed binary from an unknown publisher as trusted without further scrutiny, that is the conversation to have this week.


The npm Supply Chain: 1.1 Million Weekly Downloads Compromised

The Mini Shai-Hulud campaign is active and expanding.

The immediate incident involves the @antv package ecosystem on npm, where the maintainer account 'atool' was compromised. The resulting attack has affected 639 package versions across 323 unique packages. The headline number is echarts-for-react: 1.1 million weekly downloads. The affected @antv data visualisation packages are also widely used.

A Shai-Hulud copycat appeared five days after the original worm was open-sourced, meaning the technique is now being replicated independently. The copycat targeted chalk-tempalte (note the typo, deliberate) alongside three additional malicious packages containing infostealer code.

Separately, Wiz Research has documented a supply chain attack against the Microsoft DurableTask Python client, affecting versions 1.4.1 through 1.4.3 on PyPI. The attack vector was a compromised GitHub account that had previously been used in other attacks; the attacker used stolen credentials to access GitHub secrets containing PyPI tokens. The payload targets Linux systems and steals credentials from AWS, Azure, GCP, Kubernetes, and Vault.

These are three distinct incidents, Mini Shai-Hulud on npm, the copycat campaign, and the DurableTask compromise on PyPI, but they point at the same structural problem: the open-source package ecosystem is being systematically targeted, and the attack surface is your development toolchain and everything downstream of it.

For UK SMBs, the direct exposure is lower than for organisations running internal development teams. But the indirect exposure is real. Your website platform, your SaaS tools, your managed services providers: many of them have developers who use these packages. If one of those suppliers was running affected code, your data may have been in scope.

This is the supply chain risk conversation that tends to get deferred until after something goes wrong.

What to do: If your organisation uses JavaScript or Python tooling, or if you procure software from suppliers who do, this week is a reasonable time to ask whether they have dependency scanning in their build pipelines and whether they have reviewed their exposure to these specific campaigns. Socket's advisory and the Wiz Research post both contain specific package indicators. Pass them to your development team or IT supplier today.
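One way a development team can act on those package indicators, as an added example (not code from Socket, Wiz or this post): a Node.js function that checks a parsed package-lock.json, transitive dependencies included, against an indicator list. The versions marked PLACEHOLDER and the name `@antv/placeholder-pkg` are assumptions to be replaced with values from the advisories, and the sample lockfile is constructed.

```javascript
// Added example. PLACEHOLDER versions are NOT real indicators: replace them
// with the pairs from the advisories. "*" flags every version of a package.
const INDICATORS = new Map([
  ["echarts-for-react", ["0.0.0-PLACEHOLDER"]],
  ["@antv/placeholder-pkg", ["0.0.0-PLACEHOLDER"]], // hypothetical name
  ["chalk-tempalte", ["*"]], // typosquat named in the article
]);
const NM = "node_modules/";

function isFlagged(name, version, indicators) {
  const bad = indicators.get(name);
  return bad !== undefined && (bad.includes("*") || bad.includes(version));
}

// lockfileVersion 2/3: flat "packages" map keyed by install path, so a
// transitive copy shows up as node_modules/a/node_modules/b.
function fromPackagesMap(packages) {
  return Object.entries(packages)
    .filter(([path]) => path !== "") // "" is the root project itself
    .map(([path, e]) => {
      const i = path.lastIndexOf(NM);
      const derived = i === -1 ? path : path.slice(i + NM.length);
      return { name: e.name || derived, version: e.version, path };
    });
}

// lockfileVersion 1: nested "dependencies" tree keyed by package name.
function fromDependencyTree(deps, prefix = "") {
  return Object.entries(deps || {}).flatMap(([name, e]) => {
    const path = prefix + NM + name;
    return [{ name, version: e.version, path },
      ...fromDependencyTree(e.dependencies, path + "/")];
  });
}

function scanLockfile(lock, indicators = INDICATORS) {
  const entries = lock.packages
    ? fromPackagesMap(lock.packages) : fromDependencyTree(lock.dependencies);
  return entries.filter((p) => isFlagged(p.name, p.version, indicators));
}

// Constructed sample lockfile (not taken from any real project).
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/echarts-for-react": { version: "0.0.0-PLACEHOLDER" },
  "node_modules/left-pad": { version: "1.3.0" },
  "node_modules/some-dep/node_modules/chalk-tempalte": { version: "9.9.9" },
} };
console.log(scanLockfile(SAMPLE_LOCK).map((h) => `${h.path}@${h.version}`));
```

To scan a real project, pass the result of `JSON.parse` on its package-lock.json to `scanLockfile`. An empty result only means no match against the indicators that were loaded.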


Cisco Secure Workload: CVSS 10.0, Patch It

Cisco has disclosed CVE-2026-20223, a maximum-severity vulnerability in Cisco Secure Workload. CVSS 10.0. The vulnerability allows an attacker to gain Site Admin privileges through vulnerable internal APIs, enabling access to sensitive data and configuration changes across tenant boundaries.

Cisco Secure Workload is not the most common product in the SMB stack; it is primarily deployed in larger enterprise and data centre environments. However, it is used by managed service providers and cloud infrastructure operators. If your managed services provider runs Cisco Secure Workload in a multi-tenant environment and has not patched, the tenant boundary protections you are relying on may not hold.

There is no confirmed exploitation in the wild at time of writing. Given this is a CVSS 10.0, that window will not stay open.

What to do: If Cisco Secure Workload is in your estate, patch immediately. If you use a managed service provider, ask them today whether they run this product and whether the patch has been applied. A CVSS 10.0 with cross-tenant access implications is not a question that can wait for the next quarterly review.


The Pattern Today

Fox Tempest and the npm supply chain attacks are different mechanisms but the same strategic problem: the things you trust, signed certificates, published packages from established maintainers, are being systematically compromised. The attackers are not trying to break through your perimeter. They are being delivered through it.

The NCSC has guidance on software supply chain security. It was updated in 2023. Most SMBs have not read it. Most IT providers working with SMBs have not operationalised it. Today's intelligence is a reminder of what happens in that gap.


Sources

Source | Title | URL
Microsoft Security Blog | Exposing Fox Tempest: A malware-signing service operation | https://www.microsoft.com/en-us/security/blog/2026/05/19/exposing-fox-tempest-a-malware-signing-service-operation/
Socket | Active Supply Chain Attack Compromises Packages on npm | https://socket.dev/blog/antv-packages-compromised
The Register | Copycat hits another npm package | https://www.theregister.com/cyber-crime/2026/05/18/shai-hulud-copycat-hits-another-npm-package/5242180
BleepingComputer | Max severity Cisco Secure Workload flaw gives Site Admin privileges | https://www.bleepingcomputer.com/news/security/cisco-max-severity-secure-workload-flaw-gives-hackers-site-admin-privileges/
The Register | Cisco serves up yet another perfect 10 bug with Secure Workload admin flaw | https://www.theregister.com/security/2026/05/21/cisco-serves-up-yet-another-perfect-10-bug-with-secure-workload-admin-flaw/5244012
Wiz Research | DurableTask / teampcp Supply Chain Attack | https://www.wiz.io/blog/durabletask-teampcp-supply-chain-attack
