Threat Analysis: Scattered Spider Sentenced, Trojanised Collaboration Tools, and the AsyncAPI Supply Chain Compromise
Hello, Mauven here.
This is your Daily Threat Analysis for 16th July 2026.
Three items today. Two of them are directly UK-relevant. One is a supply chain issue that affects any organisation with developers using npm. The common thread across all three is worth noting before we get into the specifics: trusted channels being used against you. Legitimate software. Legitimate platforms. Legitimate-sounding people on the phone.
Story One: Scattered Spider Sentenced, What the Coverage Is Missing
Two British members of the Scattered Spider cybercrime collective were sentenced today to five years and six months in prison each for their role in the 2024 hack of Transport for London. This is being described as the biggest cybercrime conviction in UK history, which is accurate. The sentencing is significant. The coverage, predictably, focuses on the prison terms.
What the coverage is spending less time on is the method.
The Transport for London compromise did not succeed because Scattered Spider found an unpatched vulnerability in a perimeter system. It succeeded because someone made a phone call to a helpdesk and convinced the operator to reset credentials. Social engineering. The kind of thing that does not require technical sophistication, does not trigger endpoint detection, and works just as well against a 12-person professional services firm as it does against a major public transport authority.
Scattered Spider’s playbook has been well-documented since at least 2022. They target IT helpdesks and identity providers. They impersonate employees, sometimes with convincing personal detail pulled from LinkedIn. They are patient. They are plausible. And they specifically look for the point where human beings are making decisions about access without adequate verification procedures in place.
The NCSC published guidance on identity verification for helpdesk processes years ago. The fact that organisations are still being compromised through this vector tells you everything about how seriously that guidance is being implemented.
For UK SMBs, the practical question is not academic. If someone rings your IT support, whether that is an internal person, an MSP, or a part-time contractor, and requests a password reset for a senior member of staff, what happens? Is there a callback to a known number? Is there a secondary verification step? Or does the request go through because it sounds plausible and the person on the phone is friendly and seems to know enough about the company to be convincing?
If your answer involves any uncertainty, that is the gap Scattered Spider exploits. And while these two individuals are now in prison, the tactics they used are not going anywhere.
What to do: Review your helpdesk authentication procedures. Any request to reset credentials for a privileged account should require out-of-band verification, a callback to a number already on record, not one provided by the caller. This is not complicated. It is just not being done consistently.
Story Two: Trojanised WebEx and Zoom, UAT-11795 and Starland RAT
A financially motivated Russian threat actor tracked as UAT-11795 is distributing trojanised versions of WebEx and Zoom installers containing a new backdoor called Starland RAT. The malware steals credentials and cryptocurrency and establishes persistent remote access.
The delivery mechanism is straightforward: victims are directed to unofficial download sites, through phishing, malvertising, or search engine poisoning, where they download what appears to be a legitimate installer. The installer runs. The collaboration software installs correctly, which is the point. The user sees what they expect to see. In the background, Starland RAT is establishing a foothold.
This matters for SMBs for a specific reason. Organisations that manage software centrally through IT have some protection here, because employees are installing from approved sources. But a significant proportion of smaller businesses operate with a degree of shadow IT, staff downloading tools they need for meetings without going through any formal process. The person downloading a Zoom installer from a search result rather than from zoom.com is not doing anything that feels risky. It feels entirely routine.
UAT-11795 is betting on that. The campaign has been active and the indicators suggest broad targeting rather than sector-specific operations, meaning this is opportunistic and volume-driven, not a targeted attack on specific organisations.
Starland RAT’s capabilities include credential harvesting, cryptocurrency wallet targeting, and persistent remote access. If it lands on a machine used for financial operations or email access, the downstream consequences are straightforward to imagine.
What to do: Verify that your staff, and this includes people working remotely on personal devices if they access business systems, are downloading collaboration tools from official vendor sources only. zoom.com. webex.com. Full stop. If you have an MSP, ask them to confirm that software deployment is centrally managed and that unofficial installer sources are blocked where possible.
Story Three: AsyncAPI npm Supply Chain Compromise, Miasma v3 in the Wild
On 14th July, the AsyncAPI npm organisation was compromised. Four packages were affected: @asyncapi/generator, @asyncapi/generator-helpers, @asyncapi/generator-components, and @asyncapi/specs. The malicious versions delivered Miasma v3, a worm previously encountered in compromised Red Hat packages.
This is worth paying attention to for two reasons.
First, the delivery mechanism was through AsyncAPI’s legitimate GitHub Actions workflow using npm’s OIDC integration. The malicious packages were published with valid provenance attestations, meaning standard supply chain integrity checks would not have caught this. The packages looked legitimate because, from a signing and provenance perspective, they were published through legitimate infrastructure that had been compromised.
Second, unlike most npm supply chain attacks that trigger malicious code in a postinstall script, which many security tools now monitor, Miasma v3 executes at module import time. This bypasses common npm installation-phase detection entirely. The payload runs when the package is first used in code, not when it is installed.
This is not a threat to the typical UK SMB directly. But it is a threat to any organisation that has developers, uses JavaScript-based tooling, or has suppliers who do. If your internal development team or your software vendor’s team uses AsyncAPI packages in their toolchain, those affected versions needed to come out of the dependency tree immediately.
Microsoft’s analysis confirms the attack originated from a GitHub Actions workflow vulnerability that exposed privileged credentials, enabling code injection into the published packages. JFrog’s research independently confirmed the Miasma v3 connection.
What to do: If you have developers, ask them to audit your package.json and package-lock.json files for the affected AsyncAPI packages and verify the versions in use. Affected versions have been pulled from the registry, but packages already installed in build pipelines or cached environments may still be present. If you use an external development supplier, ask them directly whether they have checked.
Also on the Radar Today
CISA has added an Oracle E-Business Suite vulnerability to its Known Exploited Vulnerabilities catalogue with an unusually short remediation window, federal agencies were given until Saturday to patch. The advisory is US-government-directed, but the KEV catalogue is a reliable indicator of what is being actively exploited in the wild. If your organisation uses Oracle E-Business Suite, do not wait for your own government to tell you.
Windows 10 remains installed on approximately one in six machines globally, with Windows 11 24H2 Home and Pro editions now confirmed to be 90 days from end of support. If you have machines in your estate still on Windows 10 and no migration plan in place, you are running out of runway. End of support means end of security patches. Unpatched operating systems are not a hypothetical risk, they are a confirmed entry point for ransomware campaigns.
Sources
If Threat Analysis is useful to you, follow the show wherever you listen so tomorrow’s briefing arrives automatically. And if you know someone who needs the heads-up, a colleague, a client, someone running a business who thinks this does not apply to them, pass it along. It costs nothing and it might matter more than you expect.
Mauven.