RC RANDOM CHAOS

SMS blasters, npm brandsquatting, and 3.4M exposed RDP/VNC servers headline weekly threat roundup

via The Hacker News

Original source: ThreatsDay Bulletin: SMS Blaster Busts, OpenEMR Flaws, 600K Roblox Hacks and 25 More Stories (The Hacker News)

Canadian authorities arrested three men running an SMS blaster — a fake cellular tower that forces nearby phones to connect and delivers phishing texts impersonating trusted brands. It is the first such device documented in the country, with tens of thousands of devices ensnared. Separately, a malicious npm package brandsquatting on TanStack (versions 2.0.4–2.0.7) exfiltrated .env files at install time; the maintainer later admitted demanding $10,000 from the legitimate TanStack creator and framed the code as Antigravity jailbreak testing.

Forescout mapped 1.8M exposed RDP and 1.6M exposed VNC servers, with China hosting 22% of RDP and 70% of VNC instances. Roughly 18% of exposed RDP servers run end-of-life Windows, 19,000+ remain vulnerable to BlueKeep, and nearly 60,000 VNC servers run with authentication disabled — including 670+ that expose OT/ICS control panels directly. Huntress also documented the first in-the-wild abuse of Komari, a Go-based remote management agent that ships with arbitrary command execution, an interactive PTY reverse shell, and network probing enabled by default over a TLS-fronted WebSocket.

LayerX flagged 80 browser extensions — including 24 media extensions across 800K installs and 12 ad blockers totaling 5.5M users — that openly resell user browsing and viewing data via their privacy policies. Two new phishing kits, Saiga 2FA and Phoenix System, push beyond adversary-in-the-middle into mailbox scraping and geofenced SMS delivery, with Phoenix tied to 2,500+ domains targeting 70 organizations in finance, telecom, and logistics since January 2025.


This is an AI-generated summary. Read the original for the full story.