
Cyware Daily Threat Intelligence, March 23, 2026


The software supply chain is facing a volatile new threat as TeamPCP weaponizes the "CanisterWorm," a self-propagating malware that has already hijacked nearly 50 npm packages. Most alarmingly, the worm uses stolen tokens to autonomously publish its own malicious updates and leverages a decentralized ICP canister for resilient C2, ensuring the infection continues to spread even if traditional servers are taken down.

The era of "Zoom fatigue" is being exploited by a high-fidelity phishing campaign that traps users in realistic, JavaScript-animated waiting rooms to deploy surveillance tools. Victims receive a convincing meeting invite that leads to a spoofed interface—complete with fake participant lists and choppy "network error" audio—designed to frustrate them into downloading a malicious update.

Administrative control is hanging by a thread for organizations running unpatched Quest KACE Systems Management Appliances, as hackers actively exploit a "perfect 10" severity vulnerability. Tracked as CVE-2025-32975, this authentication bypass flaw allows remote attackers to impersonate any user and achieve total takeover of the management console.

Top Malware Reported in the Last 24 Hours

New npm packages compromised by CanisterWorm

JFrog Security researchers have identified new compromised versions of npm packages linked to the CanisterWorm supply chain attack, orchestrated by a group known as "TeamPCP." This sophisticated attack compromises legitimate npm publisher namespaces, such as @emilgroup and @teale.io, by introducing malicious payloads through updated package versions. The malware employs a malicious `postinstall` script to install a Python backdoor, ensuring persistence via a systemd service named pgmon. It actively harvests credentials by scanning for authentication tokens in various configuration files and environment variables. Additionally, CanisterWorm autonomously spreads by using stolen tokens to publish malicious updates to npm packages, significantly increasing its threat to the software supply chain. 
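Because the page describes the infection vector as an npm `postinstall` hook that drops a Python backdoor and persists through a systemd unit named `pgmon`, the practical defender check is to enumerate install-time lifecycle scripts in an installed tree and to look for that unit file. The following audit script is an added example, not code from Cyware or JFrog; the heuristic patterns, the sample `package.json` contents and the `@example/widget` name are constructed assumptions for illustration, not published indicators.

```python
import json
import re
from pathlib import Path

# npm runs these package.json hooks automatically during "npm install",
# which is why an install-time script is the natural place for a payload.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristics for install hooks worth a manual look. These patterns are
# assumptions for illustration, not indicators published for CanisterWorm.
SUSPICIOUS_PATTERNS = {
    "spawns_interpreter": re.compile(r"\b(python3?|node\s+-e|sh\s+-c|bash\s+-c)\b"),
    "network_fetch": re.compile(r"\b(curl|wget)\b"),
    "encoded_payload": re.compile(r"base64|eval\(|Buffer\.from\("),
    "persistence_hint": re.compile(r"systemctl|/etc/systemd/system|crontab"),
}


def audit_package_json(text: str) -> list:
    """Return one finding per install-time lifecycle script in a package.json."""
    pkg = json.loads(text)
    scripts = pkg.get("scripts") or {}
    findings = []
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not isinstance(cmd, str) or not cmd.strip():
            continue
        reasons = [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(cmd)]
        findings.append({
            "package": pkg.get("name", "<unnamed>"),
            "version": pkg.get("version", "?"),
            "hook": hook,
            "command": cmd,
            "reasons": reasons,
            "severity": "high" if reasons else "review",
        })
    return findings


def audit_node_modules(root) -> list:
    """Walk an installed tree (for example ./node_modules) and audit every package.json."""
    findings = []
    for pj in Path(root).rglob("package.json"):
        try:
            findings.extend(audit_package_json(pj.read_text(encoding="utf-8")))
        except (OSError, ValueError):
            continue  # unreadable or not valid JSON: skip it, do not abort the scan
    return findings


def find_systemd_unit(unit_name: str,
                      search_dirs=("/etc/systemd/system", "/usr/lib/systemd/system",
                                   "/run/systemd/system")) -> list:
    """Return paths of any unit file with this name ("pgmon" is the service the page names)."""
    matches = []
    for d in search_dirs:
        for suffix in (".service", ".timer"):
            p = Path(d) / f"{unit_name}{suffix}"
            if p.exists():
                matches.append(str(p))
    return matches


# Constructed samples: one package.json whose hook spawns Python and enables a
# systemd unit, and one with an ordinary native-build hook. Neither is real.
CONSTRUCTED_SUSPICIOUS = json.dumps({
    "name": "@example/widget", "version": "1.4.2",
    "scripts": {"postinstall": "node setup.js && python3 .cache/agent.py && systemctl enable pgmon"},
})
CONSTRUCTED_BENIGN = json.dumps({
    "name": "example-native", "version": "2.0.0",
    "scripts": {"install": "node-gyp rebuild", "test": "jest"},
})

if __name__ == "__main__":
    for f in audit_package_json(CONSTRUCTED_SUSPICIOUS) + audit_package_json(CONSTRUCTED_BENIGN):
        print(f"[{f['severity']}] {f['package']}@{f['version']} {f['hook']}: {f['command']} {f['reasons']}")
    print("pgmon unit files found:", find_systemd_unit("pgmon"))
```

Run `audit_node_modules("node_modules")` against a checked-out project to get the full list; a hook with no matching heuristic still comes back as `review`, since the decision to allow install-time scripts at all (or to install with `--ignore-scripts` in CI) is a policy question the scan cannot settle on its own.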

New fake Zoom invite scam spreads malware

Cybersecurity researchers have uncovered a new scam that utilizes realistic fake Zoom meeting invites to trick users into downloading malware. The attack begins with an email resembling a standard Zoom invitation, leading users to a spoofed security check instead of the official site. Once users pass this test, they are presented with a simulated Zoom waiting room, complete with fictitious participants and misleading audio. During this fake meeting, a pop-up prompts users to download an "update," which redirects them to a counterfeit Microsoft Store page. This download installs a tool called ScreenConnect, granting attackers full control over the victim's computer. Researchers noted that the emails often originate from generic Gmail accounts, and the meeting links are unrelated to Zoom, indicating the fraudulent nature of the invite.
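The two tells the researchers call out, a free webmail sender and a meeting link that does not point at Zoom, can be checked mechanically before a user ever reaches the fake waiting room. The triage function below is an added example and not code from the research cited above; the Zoom domain allowlist, the free-mail list and the two sample invites are constructed assumptions, and the allowlist in particular should be adapted to the hosts your tenant actually uses.

```python
import re
from urllib.parse import urlparse

# Hosts a genuine Zoom meeting link should fall under. Assumption for this
# example; vanity and regional hosts are subdomains of zoom.us, so a suffix
# match on label boundaries covers them.
ZOOM_DOMAINS = ("zoom.us",)

# Free webmail providers: a business meeting invite from one of these deserves a look.
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")


def host_is_under(host: str, allowlist) -> bool:
    """True only if host equals an allowed domain or is a real subdomain of one.

    A substring or prefix test would accept zoom.us.example.test, so the
    comparison is done on label boundaries instead.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowlist)


def triage_invite(sender: str, body: str) -> dict:
    """Return a verdict plus the reasons behind it for one invitation email."""
    reasons = []
    m = re.search(r"@([A-Za-z0-9.-]+)", sender)
    sender_domain = m.group(1).lower() if m else ""
    if sender_domain in FREEMAIL_DOMAINS:
        reasons.append(f"sender uses free webmail domain {sender_domain}")

    links = URL_RE.findall(body)
    if not links:
        reasons.append("no meeting link found in body")
    for url in links:
        host = urlparse(url).hostname or ""
        if not host_is_under(host, ZOOM_DOMAINS):
            reasons.append(f"meeting link host {host!r} is not a Zoom domain")

    return {"verdict": "suspicious" if reasons else "ok", "reasons": reasons, "links": links}


# Constructed samples (not real messages): one lookalike invite, one genuine-looking one.
CONSTRUCTED_INVITE = (
    "Alice Johnson <alice.johnson.meetings@gmail.com>",
    "Alice is inviting you to a scheduled Zoom meeting.\n"
    "Join: https://zoom.us.meeting-verify.example/j/8213?pwd=abc\n",
)
CONSTRUCTED_GENUINE = (
    "scheduler@corp.example",
    "Join Zoom Meeting\nhttps://corp.zoom.us/j/1234567890?pwd=xyz\n",
)

if __name__ == "__main__":
    for sender, body in (CONSTRUCTED_INVITE, CONSTRUCTED_GENUINE):
        result = triage_invite(sender, body)
        print(sender, "->", result["verdict"], result["reasons"])
```

The important detail is `host_is_under`: the lookalike link in the constructed sample starts with `zoom.us.` but its registrable domain is `meeting-verify.example`, which is exactly the case a naive `startswith("zoom.us")` check would wave through.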

Top Vulnerabilities Reported in the Last 24 Hours

Critical QNAP QVR Pro vulnerability disclosed

QNAP has issued an urgent security advisory regarding a critical vulnerability in its QVR Pro application, identified as CVE-2026-22898. This flaw allows unauthorized remote attackers to gain full access to systems running QVR Pro version 2.7.x by bypassing essential authentication checks. The vulnerability enables malicious actors to send crafted network requests, granting them the ability to view real-time surveillance feeds, modify camera configurations, or delete video archives. Given that QNAP devices often store sensitive corporate data and are integral to enterprise networks, this exploit poses a significant risk, potentially allowing attackers to move laterally within the network and compromise additional systems. 

Hackers exploit critical Quest KACE vulnerability

Hackers are actively exploiting a critical authentication bypass vulnerability, CVE-2025-32975, in unpatched Quest KACE Systems Management Appliance (SMA), which has a maximum CVSS score of 10.0. This vulnerability allows attackers to impersonate legitimate users, potentially leading to the complete takeover of administrative accounts. Malicious activity linked to this exploit began around March 9, 2026, with threat actors utilizing the flaw to execute remote commands and drop payloads from an external server. They have also created additional administrative accounts and modified the Windows Registry for persistence. Techniques employed by the attackers include credential harvesting with Mimikatz and conducting reconnaissance to gather information about logged-in users and administrator accounts, as well as gaining unauthorized access to backup infrastructure and domain controllers.
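One of the post-exploitation steps described above, creating extra administrative accounts, leaves a recognisable trace in the Windows Security log: a user-account creation (event ID 4720) followed moments later by the same account being added to a privileged group (4732 for a local group such as Administrators, 4728 for a global group such as Domain Admins). The correlation below is an added example, not detection content from the researchers or from Quest; the compact pipe-delimited event format, the host names and the accounts are constructed for the example, and the ten-minute window and group list are assumptions to tune.

```python
from datetime import datetime, timedelta

# Constructed sample events in a compact pipe-delimited form (not real logs):
#   timestamp|event_id|host|subject_account|target_account|group
# 4720 = "A user account was created"
# 4732 = "A member was added to a security-enabled local group"
# 4728 = "A member was added to a security-enabled global group"
CONSTRUCTED_EVENTS = """\
2026-03-09T08:55:10Z|4720|FILESRV01|hr_admin|jsmith|
2026-03-09T10:14:02Z|4720|KACE-SMA01|kacesvc|support_tmp|
2026-03-09T10:14:09Z|4732|KACE-SMA01|kacesvc|support_tmp|Administrators
2026-03-09T11:02:44Z|4732|FILESRV01|hr_admin|jsmith|Remote Desktop Users
"""

# Assumptions for this example: which groups count as privileged, and how
# quickly after creation a group add is considered part of the same action.
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins"}
GROUP_ADD_EVENTS = (4728, 4732)
WINDOW = timedelta(minutes=10)


def parse_events(text: str) -> list:
    """Parse the pipe-delimited sample format into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, host, subject, target, group = line.split("|", 5)
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "event_id": int(eid),
            "host": host,
            "subject": subject,
            "target": target,
            "group": group,
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_rogue_admin_accounts(events: list, window: timedelta = WINDOW) -> list:
    """Flag an account created (4720) and then added to a privileged group
    (4728/4732) on the same host within `window`."""
    created = {}  # (host, target account) -> the 4720 event
    alerts = []
    for e in events:
        key = (e["host"], e["target"])
        if e["event_id"] == 4720:
            created[key] = e
        elif e["event_id"] in GROUP_ADD_EVENTS and e["group"] in PRIVILEGED_GROUPS:
            c = created.get(key)
            if c is not None and e["ts"] - c["ts"] <= window:
                alerts.append({
                    "host": e["host"],
                    "account": e["target"],
                    "created_by": c["subject"],
                    "group": e["group"],
                    "seconds_to_privilege": int((e["ts"] - c["ts"]).total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for a in detect_rogue_admin_accounts(parse_events(CONSTRUCTED_EVENTS)):
        print(f"ALERT {a['host']}: {a['account']} created by {a['created_by']} "
              f"and added to {a['group']} after {a['seconds_to_privilege']}s")
```

The `jsmith` account in the sample is created and later added to Remote Desktop Users, which is not in the privileged set, so it produces no alert; only `support_tmp`, created and promoted to Administrators seven seconds apart on the appliance host, does. The same keyed-correlation shape extends naturally to the other persistence the page mentions (registry modification) once the relevant telemetry is in the event stream.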
