Threat Analysis: npm Supply Chain Surge and Splunk Under Active Exploit, What UK SMBs Need to Know
Hello, Mauven here.
This is your Daily Threat Analysis for 19th June 2026.
Two things landed today that deserve your attention before the weekend. They are not the loudest stories in the feed: one is a CISA advisory about enterprise software, and the other is a string of developer-ecosystem compromises that most non-technical business owners will not have seen. That is precisely why I am covering both.
Take thirty minutes with these. Not because they are abstract future risks. Because both are active, and because the weekend is when response capability drops and attackers know it.
Story One: The npm Supply Chain Is Being Systematically Targeted
Three separate supply chain attacks against the npm package registry have been confirmed in the last few days, and the pattern is consistent enough that you should treat them as a coordinated campaign rather than isolated incidents.
The largest, confirmed by Microsoft Threat Intelligence, compromised over 140 packages in the mastra and @mastra scopes. The vector was account takeover: attackers gained control of the ehindero npm maintainer account, then pushed poisoned package versions that introduced a malicious dependency called easy-day-js, a typosquat of the widely used dayjs library. That malicious package ran a postinstall hook that deployed a credential harvester the moment it was installed.
The second attack hit node-ipc, a package with significant downstream usage. The takeover was achieved through an expired email domain: the attacker simply registered a domain that had lapsed, took control of the associated email account, and used it to reset the dormant npm maintainer's credentials. The malicious versions (9.1.6, 9.2.3, and 12.0.1) contained obfuscated stealer and backdoor code that fingerprints the host environment, reads local files including SSH keys, and exfiltrates cloud credentials and database connection strings over DNS. DNS exfiltration is chosen deliberately: many organisations do not monitor or filter outbound DNS the way they do HTTP traffic.
The third confirmed attack targeted the Microsoft DurableTask Python client on PyPI rather than npm, but it followed the same pattern. Versions 1.4.1 through 1.4.3 were compromised through a stolen GitHub account, with the payload targeting credentials for AWS, Azure, GCP, Kubernetes, and Vault on Linux systems.
There is also a fourth incident worth noting: the Okendo Reviews widget, used by over 18,000 e-commerce brands, was found to have had malicious JavaScript injected into it in May 2026, acting as a staged loader across storefronts and product pages.
What the advisories do not say clearly enough: maintainer account takeover via an expired email domain is not a sophisticated attack. It requires patience and a domain registrar account. The security model of public package registries has not materially changed to address this, even though the NCSC published guidance on software supply chain risks in 2023. The fact that we are still seeing the same pattern (expired domain, account reset, malicious release) tells you how seriously the ecosystem has taken it.
What this means for UK SMBs
If your business has a development team, uses a managed service provider who maintains code or web infrastructure on your behalf, or runs any e-commerce presence built on modern JavaScript frameworks, your exposure to this threat class is real.
You do not need to be a developer to ask the right questions. Ask your MSP or internal team:
- Which npm or PyPI packages does our codebase depend on?
- Were any dependencies updated in the last two to three weeks?
- Do those updates have corresponding public release notes, and have they been reviewed?
- Are we monitoring outbound DNS for unusual query patterns?
If the answer to any of those is ‘I don’t know’ or ‘we don’t have visibility on that,’ that is your risk assessment right there.
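For a team that wants to answer the first three questions with something more reliable than memory, here is an added example (mine, not code from this briefing or from any of the vendors cited) that scans a package-lock.json and a pip freeze listing for the packages named in this story. The lock file and freeze output are constructed samples; the package names and bad versions are the ones given above, and the "review" severity for a watch-listed package at a version not in the known-bad set is my own convention.

```python
"""Dependency audit for the packages named in this briefing.

Added example (not code from the briefing or any cited vendor). It walks a
package-lock.json (lockfileVersion 2 or 3, which list every installed package,
transitive ones included, under "packages") and a `pip freeze` listing, and
reports anything that matches the watch-list. The sample inputs are
constructed; the watch-list entries come from the stories above.
"""
import json
import re

# name -> (known-bad versions, or None meaning "any version is a problem", reason)
NPM_WATCHLIST = {
    "node-ipc": ({"9.1.6", "9.2.3", "12.0.1"}, "maintainer takeover via expired email domain"),
    "mastra": (None, "maintainer account takeover; 140+ packages in mastra/@mastra affected"),
    "easy-day-js": (None, "typosquat of dayjs carrying a postinstall credential harvester"),
}
NPM_SCOPE_WATCHLIST = {"@mastra": "maintainer account takeover; whole scope affected"}
PYPI_WATCHLIST = {
    "durabletask": ({"1.4.1", "1.4.2", "1.4.3"}, "stolen GitHub account; cloud credential stealer"),
}


def npm_name_from_lock_path(path):
    """'node_modules/express/node_modules/@scope/pkg' -> '@scope/pkg'."""
    return path.rsplit("node_modules/", 1)[-1]


def classify(version, bad_versions):
    """'malicious' when the installed version is a known-bad one (or every version
    is bad); 'review' when the package is watch-listed but this version is not in
    the known-bad set, so a human should check it."""
    if bad_versions is None or version in bad_versions:
        return "malicious"
    return "review"


def audit_npm_lock(lock_json):
    findings = []
    lock = json.loads(lock_json)
    for path, meta in lock.get("packages", {}).items():
        if not path:                      # "" is the root project itself
            continue
        name = npm_name_from_lock_path(path)
        version = meta.get("version", "unknown")
        scope = name.split("/", 1)[0] if name.startswith("@") else None
        if scope in NPM_SCOPE_WATCHLIST:
            findings.append(("npm", name, version, "malicious", NPM_SCOPE_WATCHLIST[scope]))
        elif name in NPM_WATCHLIST:
            bad, reason = NPM_WATCHLIST[name]
            findings.append(("npm", name, version, classify(version, bad), reason))
    return findings


PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;#]+)")


def canonical_pypi_name(name):
    """PEP 503 normalisation: case-insensitive, runs of - _ . collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def audit_pip_freeze(freeze_text):
    findings = []
    for line in freeze_text.splitlines():
        m = PIN_RE.match(line)
        if not m:                         # comments, editable installs, URLs: skip
            continue
        name, version = canonical_pypi_name(m.group(1)), m.group(2)
        if name in PYPI_WATCHLIST:
            bad, reason = PYPI_WATCHLIST[name]
            findings.append(("pypi", name, version, classify(version, bad), reason))
    return findings


def audit_all(lock_json, freeze_text):
    return audit_npm_lock(lock_json) + audit_pip_freeze(freeze_text)


# Constructed sample lock file (not a real project); versions other than the
# named bad releases are made up.
SAMPLE_LOCK = json.dumps({
    "name": "shopfront", "lockfileVersion": 3,
    "packages": {
        "": {"name": "shopfront", "version": "1.0.0"},
        "node_modules/dayjs": {"version": "1.11.10"},
        "node_modules/node-ipc": {"version": "9.1.6"},
        "node_modules/@mastra/core": {"version": "0.10.2"},
        "node_modules/express": {"version": "4.19.2"},
        "node_modules/express/node_modules/easy-day-js": {"version": "1.0.1"},
    },
})

# Constructed `pip freeze` output.
SAMPLE_FREEZE = """\
# generated by pip freeze
requests==2.32.3
DurableTask==1.4.2
-e git+https://example.invalid/internal-lib.git#egg=internal_lib
"""

if __name__ == "__main__":
    for eco, name, version, severity, reason in audit_all(SAMPLE_LOCK, SAMPLE_FREEZE):
        print(f"[{severity:9}] {eco}:{name}@{version}  ({reason})")
```

Run it against the lock file and freeze output your team actually ships, not the samples. A name-and-version match is only the first step: a "malicious" hit means the build host and any machine that ran npm install or pip install with that version should be treated as exposed, and credentials reachable from them rotated.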
Story Two: Splunk Enterprise Under Active Exploit, CISA Confirms KEV Addition
CISA has added a critical Splunk Enterprise vulnerability to its Known Exploited Vulnerabilities catalogue and set a patch deadline of this Sunday, 22nd June 2026, for US federal agencies.
The CISA KEV listing is the closest thing to a confirmed, authoritative signal that a vulnerability is being actively used in real attacks, not theoretically exploitable, not proof-of-concept only. Active exploitation, confirmed.
Splunk Enterprise is a log management and security information platform used across sectors including financial services, healthcare, and larger professional services firms. It is also used by many managed security service providers to monitor client environments.
The significance here is structural, not just technical. The tool that is supposed to tell you when you have been compromised is itself the attack surface. If your monitoring platform is unpatched and an attacker exploits it, they are in a position to suppress or manipulate alerts, exfiltrate the log data that would otherwise identify their presence, and potentially move laterally through the network from a trusted internal system.
What the advisory does not say: the CISA deadline applies to US federal agencies under a specific mandate. UK organisations are not bound by it. In my experience, that framing leads to a predictable response: ‘that’s an American thing, we’ll get to it.’ The vulnerability does not read those advisories. The exploit works the same way on a Splunk instance in Manchester as it does in Maryland.
If you run Splunk Enterprise, patch it today. Not Monday. Not after the weekend review meeting.
A note on the ICO leadership situation
Separately today, John Edwards resigned as Information Commissioner. The timing is not directly related to any threat intelligence, but I will note it plainly: the ICO is the body responsible for enforcing UK data protection law, investigating breaches, and issuing fines. A leadership transition creates a period of institutional uncertainty. Enforcement actions already in progress will continue, but the strategic direction on emerging issues (AI-generated data, agentic systems, supply chain breach notification) will be in flux.
For UK businesses, this is not a reason to relax. If anything, it is a reason to make sure your own house is in order, because you cannot predict what the institution’s priorities will look like in six months. The law has not changed.
What To Do Before Monday
These are not aspirational. Do them today.
- If you use Splunk Enterprise: Check your version. If you are not on the patched release, apply the update now. If you rely on an MSP for your monitoring, contact them today and ask for written confirmation that the patch has been applied.
- If you have a web presence or development function: Ask your development team or MSP for a review of recently updated npm and PyPI dependencies. Specifically ask whether node-ipc, any package in the mastra or @mastra scopes, or durabletask is in your dependency tree. If it is, check which version you are running.
- If you run an e-commerce store: Ask your platform provider or developer whether the Okendo Reviews widget was present on your storefront in May 2026, and if so, what remediation steps were taken.
- General hygiene: Ensure outbound DNS monitoring is in place or on your roadmap. Attackers specifically choose DNS exfiltration because it bypasses firewalls that only inspect HTTP/HTTPS.
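To make "outbound DNS monitoring" concrete, here is an added example (my own, not from this briefing or any cited vendor) of the kind of heuristic a review of resolver logs can apply: per registered domain, count the distinct subdomains queried and measure the length and entropy of the leftmost label, which is where DNS-tunnelled data has to be carried. The log lines and the controlled domain example.net are constructed, the log line format is an assumption, the thresholds are starting points rather than tuned values, and the tiny suffix table stands in for the public suffix list a real deployment would use.

```python
"""Heuristic review of outbound DNS query logs for tunnelling / exfiltration.

Added example (not code from the briefing or any cited vendor). Each log line
is assumed to have the form '<timestamp> <client-ip> <qname> <qtype>'; the
sample lines, the domain example.net and the thresholds are all constructed.
"""
import math
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+([A-Z]+)$")

# Assumption: a tiny stand-in for the public suffix list, enough for the sample.
SECOND_LEVEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "gov.uk"}


def shannon_entropy(text):
    """Bits per character; random base32/hex payloads score high, words score low."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """'a.b.example.net' -> 'example.net'; 'mail.example.co.uk' -> 'example.co.uk'."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in SECOND_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, qtype = m.groups()
    return {"ts": ts, "client": client, "qname": qname.rstrip(".").lower(), "qtype": qtype}


def profile_domains(lines):
    """Group queries by registered domain and collect the features we score on."""
    profiles = defaultdict(lambda: {"subdomains": set(), "label_lengths": [],
                                    "entropies": [], "txt_queries": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        domain = registered_domain(rec["qname"])
        subdomain = rec["qname"][: len(rec["qname"]) - len(domain)].rstrip(".")
        if not subdomain:              # a bare lookup of the domain carries no payload
            continue
        first_label = subdomain.split(".")[0]   # encoded data sits in the leftmost label
        p = profiles[domain]
        p["subdomains"].add(subdomain)
        p["label_lengths"].append(len(first_label))
        p["entropies"].append(shannon_entropy(first_label))
        if rec["qtype"] == "TXT":
            p["txt_queries"] += 1
    return profiles


def suspicious_domains(lines, min_unique=5, min_label_len=20, min_entropy=3.5):
    """Domains seen with many distinct, long, high-entropy subdomains.
    Thresholds are starting points, not tuned values."""
    hits = []
    for domain, p in profile_domains(lines).items():
        unique = len(p["subdomains"])
        if unique < min_unique:
            continue
        mean_len = sum(p["label_lengths"]) / len(p["label_lengths"])
        mean_ent = sum(p["entropies"]) / len(p["entropies"])
        if mean_len >= min_label_len and mean_ent >= min_entropy:
            hits.append({"domain": domain, "unique_subdomains": unique,
                         "mean_label_len": round(mean_len, 1),
                         "mean_entropy": round(mean_ent, 2),
                         "txt_queries": p["txt_queries"]})
    return sorted(hits, key=lambda h: -h["unique_subdomains"])


# Constructed resolver log: ordinary traffic from two clients, plus one client
# sending six TXT queries whose leftmost label is 26 characters of encoded data.
SAMPLE_LOG = """\
2026-06-19T08:01:12Z 10.0.0.12 www.microsoft.com A
2026-06-19T08:01:13Z 10.0.0.12 registry.npmjs.org A
2026-06-19T08:01:14Z 10.0.0.15 mail.example.co.uk A
2026-06-19T08:01:15Z 10.0.0.12 mzq7c4vlkx2rya9tbw8nfh3gue.example.net TXT
2026-06-19T08:01:15Z 10.0.0.12 c4vlkx2rya9tbw8nfh3guemzq7.example.net TXT
2026-06-19T08:01:16Z 10.0.0.12 kx2rya9tbw8nfh3guemzq7c4vl.example.net TXT
2026-06-19T08:01:16Z 10.0.0.12 ya9tbw8nfh3guemzq7c4vlkx2r.example.net TXT
2026-06-19T08:01:17Z 10.0.0.12 bw8nfh3guemzq7c4vlkx2rya9t.example.net TXT
2026-06-19T08:01:17Z 10.0.0.12 fh3guemzq7c4vlkx2rya9tbw8n.example.net TXT
2026-06-19T08:01:20Z 10.0.0.15 login.microsoftonline.com A
malformed line that the parser skips
"""

if __name__ == "__main__":
    for hit in suspicious_domains(SAMPLE_LOG.splitlines()):
        print(hit)
```

On a real resolver feed, baseline the domains that legitimately produce many unique subdomains (CDNs, anti-spam lookups, some telemetry) before alerting on this; the label-length and entropy conditions are what separate those from encoded data, and the count of TXT queries is a useful secondary signal because ordinary clients rarely ask for TXT records at all. The point is not this particular script but that the question "are we monitoring outbound DNS" has a concrete, testable answer.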
Sources
| Source | Title | URL |
|---|---|---|
| Microsoft Security Blog | Postinstall payload: Inside the Mastra npm supply chain compromise | https://www.microsoft.com/en-us/security/blog/2026/06/17/postinstall-payload-inside-mastra-npm-supply-chain-compromise/ |
| Socket.dev | node-ipc Package Compromised | https://socket.dev/blog/node-ipc-package-compromised |
| Wiz | DurableTask TeamPCP Supply Chain Attack | https://www.wiz.io/blog/durabletask-teampcp-supply-chain-attack |
| BleepingComputer | CISA: Splunk Enterprise flaw actively exploited, patch by Sunday | https://www.bleepingcomputer.com/news/security/cisa-splunk-enterprise-flaw-actively-exploited-patch-by-sunday/ |
| Zscaler | SmartApeSG Launches Okendo Reviews Supply Chain Attack | https://www.zscaler.com/blogs/security-research/smartapesg-launches-okendo-reviews-supply-chain-attack |
| The Register | Britain’s privacy watchdog quits after ‘poor judgment’ admission | https://www.theregister.com/security/2026/06/19/britains-privacy-watchdog-quits-after-poor-judgment-admission/5258926 |