Threat Analysis: Nimbus RAT via Teams Vishing, Oracle WebLogic KEV, and the npm Supply Chain Under Active Attack
Hello, Mauven here.
This is your Daily Threat Analysis for 2nd June 2026.
Three items today. Two of them have active exploitation confirmed. The third has been running since the end of May and is still live. None of them require sophisticated infrastructure to defend against; they require awareness, patching, and someone actually checking.
Nimbus RAT: Microsoft Teams Is Being Used as a Vishing Platform Against UK Professional Services
Let me describe the attack so it is clear what we are talking about.
A target, in the confirmed case, someone working in the legal sector, receives a flood of emails. In the documented incident, that was 282 emails in 90 minutes. This is deliberate. The volume overwhelms normal filtering behaviour and creates genuine confusion about what is happening. Crucially, it gives an attacker a plausible reason to call.
Then comes the call. Via Microsoft Teams. From someone presenting as IT helpdesk support, calling to help with the email problem the target is now actively experiencing.
The target is asked to open Quick Assist, Microsoft’s built-in remote access tool, and to grant access to the caller. Quick Assist is legitimate software. It is on most Windows machines. Your security tools are unlikely to flag it.
Within 20 minutes, a Java-based remote access trojan is deployed. The malware, Nimbus RAT, communicates back to its operators using Google Drive and Google Sheets as its command-and-control channel. Standard network monitoring looking for unusual outbound connections to unknown infrastructure will not see this. It looks like someone using Google.
What the threat intelligence does not lead with is the targeting profile. This campaign was documented against a legal sector target, but the technique maps precisely onto any professional services environment where staff expect IT support to contact them, where Microsoft Teams is the internal communications platform, and where employees have been trained to accept remote access requests from the helpdesk. Which is, in my assessment, the majority of UK professional services firms.
The NCSC has published guidance on protecting against social engineering attacks and on safe use of remote access tools. That guidance has been available for years. The fact that an attacker can still get a member of staff to hand over remote access to their machine in under twenty minutes via a phone call tells you everything about the gap between published guidance and implemented practice.
What to do:
- Brief staff now on this specific pattern: email flooding followed by a Teams call from apparent IT support is a known attack technique, not a coincidence.
- Establish a verification process. If IT support contacts you unexpectedly, call them back on a number from your internal directory, not the one they provided.
- Review whether Quick Assist needs to be enabled on endpoints where it is not actively used by your support team. If your IT provider does not use Quick Assist, consider whether it should be present at all.
- Confirm with your managed service provider how they will identify themselves when initiating remote support sessions. Get that answer in writing.
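One place this pattern can be caught before the call ever comes is the mail gateway: the flood itself is loud. The following is an added example, not code from the original post, of a sliding-window detector that scans mail-delivery log lines and flags any mailbox receiving an abnormal number of messages in a short window. The log format (one line per delivered message, `<ISO timestamp> rcpt=<mailbox> from=<sender> ...`), the threshold, the mailbox names and the sample log are all constructed for this example; the only figure taken from the text is the 282-in-90-minutes shape of the documented incident.

```javascript
// Added example, not from the original post: a sliding-window detector for the
// email-flood precursor described above. The log format is assumed (one line per
// delivered message: "<ISO timestamp> rcpt=<mailbox> from=<sender> ..."); adapt
// LINE_RE to your gateway's real export.

const THRESHOLD = 100;       // alert once a mailbox gets more than this many messages in one window
const WINDOW_MINUTES = 90;   // window width; the documented incident was 282 messages in 90 minutes

// Builds a constructed sample log: one normal mailbox and one flooded mailbox.
function makeSampleLog() {
  const lines = [];
  const base = Date.parse('2026-06-02T09:00:00Z');
  // alice: 12 ordinary messages spaced 40 minutes apart across the day
  for (let i = 0; i < 12; i++) {
    const t = new Date(base + i * 40 * 60 * 1000).toISOString();
    lines.push(`${t} rcpt=alice@example.invalid from=client${i}@partner.invalid subject="Re: matter"`);
  }
  // bob: 282 messages from 282 different senders inside 90 minutes
  for (let i = 0; i < 282; i++) {
    const t = new Date(base + Math.floor((i * 90 * 60 * 1000) / 282)).toISOString();
    lines.push(`${t} rcpt=bob@example.invalid from=noreply${i}@sender${i}.invalid subject="Welcome"`);
  }
  return lines;
}

const LINE_RE = /^(\S+) rcpt=(\S+) from=(\S+)/;

// Parses one log line; returns null for lines that do not match the assumed format.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const ts = Date.parse(m[1]);
  if (Number.isNaN(ts)) return null;
  return { ts, rcpt: m[2].toLowerCase(), from: m[3].toLowerCase() };
}

// Returns one finding per mailbox whose in-window message count ever exceeded the
// threshold: { rcpt, peak, distinctSenders, windowStart }.
function detectMailFloods(lines, threshold = THRESHOLD, windowMinutes = WINDOW_MINUTES) {
  const windowMs = windowMinutes * 60 * 1000;
  const events = lines.map(parseLine).filter(Boolean).sort((a, b) => a.ts - b.ts);
  const state = new Map(); // rcpt -> { times, head, senders, peak, peakStart }
  for (const ev of events) {
    let st = state.get(ev.rcpt);
    if (!st) {
      st = { times: [], head: 0, senders: new Set(), peak: 0, peakStart: 0 };
      state.set(ev.rcpt, st);
    }
    st.times.push(ev.ts);
    st.senders.add(ev.from);
    // evict timestamps that fell out of the window ending at this event
    while (st.times[st.head] < ev.ts - windowMs) st.head++;
    const inWindow = st.times.length - st.head;
    if (inWindow > st.peak) {
      st.peak = inWindow;
      st.peakStart = st.times[st.head];
    }
  }
  const findings = [];
  for (const [rcpt, st] of state) {
    if (st.peak > threshold) {
      findings.push({
        rcpt,
        peak: st.peak,
        distinctSenders: st.senders.size,
        windowStart: new Date(st.peakStart).toISOString(),
      });
    }
  }
  return findings.sort((a, b) => b.peak - a.peak);
}

// Stand-alone run over the constructed sample.
if (typeof require !== 'undefined' && require.main === module) {
  for (const f of detectMailFloods(makeSampleLog())) {
    console.log(`FLOOD ${f.rcpt}: ${f.peak} messages from ${f.distinctSenders} senders in ${WINDOW_MINUTES} min from ${f.windowStart}`);
  }
}
```

The useful output is not just the count but the number of distinct senders: a genuine burst of business mail tends to come from a handful of correspondents, whereas a flood designed to create confusion arrives from many. A finding like this is the trigger to warn the affected user, before anyone "from IT" rings them, that an unexpected support call about the mail problem should be verified through the internal directory.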
Oracle WebLogic CVE-2024-21182: Two Years Old, Now Confirmed Actively Exploited
CISA added CVE-2024-21182 to its Known Exploited Vulnerabilities catalogue today. Oracle patched this in their Critical Patch Update in January 2024.
To be direct about what this means: there are systems running unpatched Oracle WebLogic Server that are being actively compromised right now, using a vulnerability that was publicly disclosed and patched over two years ago.
The advisory issued to US government agencies to patch within a defined deadline is relevant context, but it should not give UK businesses the impression this is an American problem. Oracle WebLogic is widely deployed in enterprise environments, including those of larger UK organisations whose supply chains include smaller firms. The downstream exposure from a compromised WebLogic instance in a customer or partner environment is a legitimate concern for SMBs that may have no direct WebLogic exposure themselves.
If your IT provider manages Oracle products in your environment, the question to ask them today is simple: is CVE-2024-21182 patched? If they cannot answer that immediately, that is your answer.
If you are not an Oracle WebLogic shop, this is still worth noting as a data point. A two-year-old vulnerability being actively exploited in 2026 reflects something consistent and persistent about patch cadence across organisations of all sizes. The assumption that patches happen automatically, or that your managed service provider has handled it, is how these situations develop.
npm Supply Chain: 33 Malicious Packages Actively Harvesting Developer Credentials
Between 28th and 29th May, Microsoft Threat Intelligence identified 33 malicious npm packages published by a threat actor using three different maintainer aliases. The packages were crafted to mirror real corporate namespace names, a technique called dependency confusion, where attackers publish public packages with the same name as internal private packages, and hope that automated build processes fetch the malicious public version instead of the intended internal one.
These packages execute reconnaissance payloads through npm lifecycle hooks, code that runs automatically when the package is installed, without any further action from the developer. The payloads harvest:
- GitHub Actions secrets
- npm tokens
- Cloud credentials across AWS, Azure, and GCP
- Kubernetes and Vault material
- SSH keys
- Git credentials
A second related campaign, what researchers are calling the Shai-Hulud campaign, targeted Red Hat Cloud Services npm packages specifically, using AES-encrypted payloads and obfuscated JavaScript loaders through the same preinstall hook mechanism.
The relevance for UK SMBs is not necessarily direct. Most small businesses are not running their own npm ecosystems. But many use external development agencies, freelance developers, or software houses, and those firms are the ones with npm dependencies and CI/CD pipelines. If a development contractor’s machine is compromised through one of these packages, the credentials and access they hold to your systems go with it.
This is supply chain risk in the most practical sense. You do not need to have been targeted directly to be affected.
What to do:
- If you have in-house development staff or contractors, ask them to audit npm dependencies published between 25th May and 2nd June and confirm they have not pulled packages from unusual namespaces.
- Ensure any contractors or development agencies with access to your cloud infrastructure are using short-lived credentials and MFA. Harvested long-lived API keys are immediately useful to an attacker; short-lived tokens with mandatory rotation reduce the window significantly.
- Ask your development suppliers whether they have reviewed the Microsoft Threat Intelligence advisory from 29th May.
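The two mechanisms this section describes, dependency confusion and install-time lifecycle hooks, both leave traces in a project's lockfile, which is what the audit in the first action item above should look at. The following is an added example, not code from the original post or from Microsoft's advisory, that walks a `package-lock.json` (lockfile v2/v3 `packages` map) and flags two things: packages in an internal scope that were resolved from a host other than the private registry, and packages npm marked as having an install script. It relies on the `resolved` and `hasInstallScript` fields npm writes into v2+ lockfiles (older v1 lockfiles lack the latter). The `@acme` scope, the `npm.acme.invalid` registry host and the sample lockfile are constructed for this example.

```javascript
// Added example, not from the original post: audit an npm lockfile (v2/v3
// "packages" map) for dependency-confusion and install-script signals.
// `resolved` and `hasInstallScript` are fields npm itself writes into
// package-lock.json; the scope, registry host and sample data are constructed.

const INTERNAL_SCOPES = ['@acme'];                 // assumed internal namespaces
const PRIVATE_REGISTRY_HOST = 'npm.acme.invalid';  // assumed private registry host

// Constructed package-lock.json fragment. @acme/build-helpers is the suspicious
// entry: an internal-looking name fetched from the public registry, at an
// implausibly high version, with an install script.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app' },
    'node_modules/@acme/internal-auth': {
      version: '1.0.4',
      resolved: 'https://npm.acme.invalid/@acme/internal-auth/-/internal-auth-1.0.4.tgz',
    },
    'node_modules/@acme/build-helpers': {
      version: '9.9.9',
      resolved: 'https://registry.npmjs.org/@acme/build-helpers/-/build-helpers-9.9.9.tgz',
      hasInstallScript: true,
    },
    'node_modules/left-pad': {
      version: '1.3.0',
      resolved: 'https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz',
    },
    'node_modules/native-addon-example': {
      version: '2.0.1',
      resolved: 'https://registry.npmjs.org/native-addon-example/-/native-addon-example-2.0.1.tgz',
      hasInstallScript: true,
    },
  },
};

// "node_modules/a/node_modules/@s/b" -> "@s/b"
function packageNameFromKey(key) {
  const marker = 'node_modules/';
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? key : key.slice(idx + marker.length);
}

function hostOf(url) {
  try { return new URL(url).host; } catch { return null; }
}

// Returns findings: [{ name, version, issues: [...] }], sorted by package name.
function auditLockfile(lock, internalScopes = INTERNAL_SCOPES, privateRegistryHost = PRIVATE_REGISTRY_HOST) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === '') continue; // the root project itself
    const name = packageNameFromKey(key);
    const issues = [];
    const scope = name.startsWith('@') ? name.split('/')[0] : null;
    const host = entry.resolved ? hostOf(entry.resolved) : null;
    if (scope && internalScopes.includes(scope) && host !== privateRegistryHost) {
      issues.push(`internal scope ${scope} resolved from ${host || 'unknown host'} instead of ${privateRegistryHost}`);
    }
    if (entry.hasInstallScript) {
      issues.push('has install script (preinstall/install/postinstall runs on npm install)');
    }
    if (issues.length) findings.push({ name, version: entry.version, issues });
  }
  return findings.sort((a, b) => (a.name < b.name ? -1 : a.name > b.name ? 1 : 0));
}

// .npmrc lines that pin internal scopes to the private registry and stop
// lifecycle scripts running by default.
function recommendedNpmrc(internalScopes = INTERNAL_SCOPES, privateRegistryHost = PRIVATE_REGISTRY_HOST) {
  const lines = internalScopes.map((s) => `${s}:registry=https://${privateRegistryHost}/`);
  lines.push('ignore-scripts=true');
  return lines;
}

// Stand-alone run over the constructed lockfile.
if (typeof require !== 'undefined' && require.main === module) {
  for (const f of auditLockfile(SAMPLE_LOCK)) {
    console.log(`${f.name}@${f.version}`);
    for (const issue of f.issues) console.log(`  - ${issue}`);
  }
  console.log('\nSuggested .npmrc:\n' + recommendedNpmrc().join('\n'));
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and set the scopes and registry host to your own. Every internal-scope package resolved from `registry.npmjs.org` is a dependency-confusion candidate and should be treated as an incident until proven otherwise. Install scripts are not malicious in themselves (native add-ons use them legitimately), so the second list is a review queue rather than a block list; the `ignore-scripts=true` setting in the suggested `.npmrc` turns that review into an explicit opt-in per package rather than a default.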
Also Worth Noting: Android Zero-Day Patched in June Update
Google’s June 2026 Android security update addresses 124 vulnerabilities including one actively exploited zero-day. For UK SMBs, the action item is simple: if your organisation uses Android devices for business purposes, whether company-owned or BYOD, ensure the June security patch has been applied. Android updates are not always applied automatically, and the patch gap between release and deployment on unmanaged devices can be weeks.