Three Recent Cybersecurity Incidents That Show Where Attacks Are Heading

Cybersecurity headlines often look unrelated at first glance. One story might involve firewalls, another developer tools, and another enterprise SaaS platforms. But when you look closer, many of these incidents reveal the same underlying pattern: attackers are shifting their focus to places that organizations trust the most.

Three recent cases highlight this trend clearly: intrusions through Fortinet edge devices, the resurgence of the PhantomRaven supply-chain campaign in the npm ecosystem, and a large-scale Salesforce data extortion campaign attributed to the ShinyHunters group.

Each attack targets a different layer of modern infrastructure. Together they paint a picture of how today’s threat actors operate.

1. Edge Devices Becoming the Initial Entry Point

Security researchers recently documented several real-world intrusions involving compromised Fortinet FortiGate firewalls. Instead of attacking user endpoints or public applications, the attackers focused on the network perimeter itself.

The firewall, which normally acts as a defensive barrier, became the attacker’s entry point.

Once access to the device was obtained, the attackers extracted the firewall configuration. These configuration files often contain sensitive information such as:

  • service account credentials
  • LDAP or Active Directory integration settings
  • network topology information

In some cases, credentials embedded in these configurations were only lightly protected and could be recovered by attackers. With those credentials, the attackers pivoted into the internal network and began interacting directly with Active Directory.
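The practical consequence for defenders is that a compromised firewall means every secret in its configuration must be treated as exposed and rotated. The following is an added example, not code from the original post or from Fortinet: it walks a FortiGate-style CLI export and produces a rotation checklist (where each secret lives, which setting holds it, whether it is stored with the reversible `ENC` encoding or in plaintext, and which account owns it). It decodes nothing. The list of secret-bearing setting names and the sample configuration are assumptions constructed for the example.

```javascript
// Added example (not from the original post): build a rotation checklist from a
// FortiGate-style configuration export. After an edge device is compromised,
// every secret the device held has to be treated as exposed; this lists where
// each one lives and which account it belongs to. Nothing is decoded.

// Setting names that carry a credential in FortiOS CLI syntax (assumption:
// common keys only; extend the set for your firmware version).
const SECRET_KEYS = new Set([
  "password", "passwd", "secret", "psksecret", "auth-password", "priv-password",
]);

// Split a CLI line into tokens, keeping quoted strings together and unquoting them.
function tokenize(line) {
  return (line.match(/"[^"]*"|\S+/g) || []).map((t) => t.replace(/^"|"$/g, ""));
}

// Walk the config/edit/set/next/end structure and record every secret-bearing
// "set" together with the stanza it sits in.
function inventorySecrets(configText) {
  const stack = [];      // open stanzas: { label, attrs }
  const findings = [];

  for (const raw of configText.split("\n")) {
    const tokens = tokenize(raw.trim());
    if (tokens.length === 0) continue;
    const [verb, ...rest] = tokens;

    if (verb === "config" || verb === "edit") {
      stack.push({ label: rest.join(" "), attrs: {} });
    } else if (verb === "next" || verb === "end") {
      stack.pop();
    } else if (verb === "set" && stack.length > 0) {
      const frame = stack[stack.length - 1];
      const [key, ...value] = rest;
      frame.attrs[key] = value.join(" ");
      if (SECRET_KEYS.has(key)) {
        findings.push({
          path: stack.map((f) => f.label).join(" > "),
          key,
          // "ENC" marks FortiOS's reversible encoding; anything else is plaintext.
          encoded: value[0] === "ENC",
          frame,   // resolved to an owner below, once the stanza is complete
        });
      }
    }
  }

  // The bind account (for example an LDAP "username") may be set after the
  // password line, so resolve ownership only after the whole file is read.
  return findings.map(({ frame, ...f }) => ({
    ...f,
    owner: frame.attrs.username || frame.label,
  }));
}

// Constructed sample in FortiOS CLI layout; the ENC blobs are placeholders,
// not real encoded values, and the plaintext radius secret is constructed to
// exercise the plaintext branch.
const SAMPLE_CONFIG = `
config system admin
    edit "admin"
        set accprofile "super_admin"
        set password ENC PLACEHOLDER_ADMIN
    next
end
config user ldap
    edit "corp-ldap"
        set server "10.0.0.5"
        set cnid "sAMAccountName"
        set dn "dc=corp,dc=local"
        set type regular
        set username "CN=svc-fw,OU=Service,DC=corp,DC=local"
        set password ENC PLACEHOLDER_LDAP
    next
end
config user radius
    edit "legacy-radius"
        set server "10.0.0.6"
        set secret "constructed-plaintext-secret"
    next
end
config vpn ipsec phase1-interface
    edit "site-b"
        set interface "wan1"
        set psksecret ENC PLACEHOLDER_PSK
    next
end
config system ntp
    set ntpsync enable
end
`;

if (typeof require !== "undefined" && require.main === module) {
  for (const f of inventorySecrets(SAMPLE_CONFIG)) {
    console.log(`${f.encoded ? "ENC      " : "PLAINTEXT"}  ${f.path}  [${f.key}]  owner=${f.owner}`);
  }
}
```

Run against a real export, the output is the list of directory bind accounts, VPN pre-shared keys and admin passwords to rotate, which is exactly the set an attacker holding the configuration could reach; the `owner` field for the LDAP stanza is the Active Directory service account that the pivot described above depends on.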

From there, they attempted common post-exploitation techniques such as reconnaissance, password spraying, and the creation of additional domain resources to maintain access.

This type of attack highlights an important reality: edge infrastructure often contains highly privileged information but receives far less monitoring than endpoints or servers.

2. Supply Chain Attacks Targeting Developers

Another recent campaign shows a very different but equally dangerous attack vector: developer ecosystems.

Security researchers observed a new wave of the PhantomRaven campaign targeting the npm ecosystem. Instead of directly infecting machines with traditional malware, the attackers attempted to compromise developers by publishing seemingly harmless open-source packages.

The innovation in this campaign was a technique known as remote dynamic dependency loading.

Rather than embedding malicious code inside the package itself, the published package simply referenced external resources controlled by the attacker. When developers installed the package, the build process downloaded the malicious payload from the attacker’s infrastructure.

This approach allowed the malware to evade many automated scanners because the harmful code did not appear in the initial package.
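The two npm features this technique relies on are ordinary ones: a `package.json` dependency may be a URL or git reference instead of a registry version, and lifecycle scripts such as `postinstall` run automatically when the package is installed. A policy check in CI can flag both for review. The following is an added example, not code from the original post or from the npm project; the sample manifest and lockfile are constructed, the specifier patterns are a heuristic I am assuming rather than npm's own resolver, and only `lockfileVersion` 2 and 3 `packages` maps are handled.

```javascript
// Added example (not from the original post): a CI policy check for the two
// npm features that remote dynamic dependency loading relies on. Both are
// legitimate, so findings are flagged for review rather than blocked outright.

// Specifiers that point outside the registry (assumed heuristic, not npm's
// resolver). Semver ranges, dist-tags and "npm:" aliases resolve through the
// registry and are not flagged.
const REMOTE_SPEC = /^(https?:\/\/|git(\+[a-z]+)?:\/\/|git@|github:|gitlab:|bitbucket:|gist:)/i;
// GitHub shorthand "owner/repo" or "owner/repo#ref" is also a git dependency.
const GITHUB_SHORTHAND = /^[\w.-]+\/[\w.-]+(#.*)?$/;
// Scripts that npm runs without being asked during "npm install".
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];

// Flag remote dependency specifiers and install-time scripts in a package.json.
function auditPackageManifest(manifestText) {
  const manifest = JSON.parse(manifestText);
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      if (typeof spec !== "string") continue;
      if (REMOTE_SPEC.test(spec) || GITHUB_SHORTHAND.test(spec)) {
        findings.push({ kind: "remote-dependency", field, name, detail: spec });
      }
    }
  }
  const scripts = manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (typeof scripts[hook] === "string") {
      findings.push({ kind: "install-script", field: "scripts", name: hook, detail: scripts[hook] });
    }
  }
  return findings;
}

// Lockfile check (lockfileVersion 2 or 3 "packages" map): every resolved
// tarball should come from an approved registry host and carry an integrity hash.
function auditLockfile(lockText, allowedHosts = ["registry.npmjs.org"]) {
  const lock = JSON.parse(lockText);
  const findings = [];
  for (const [name, entry] of Object.entries(lock.packages || {})) {
    if (!entry || typeof entry.resolved !== "string") continue;   // root entry, links
    let host = null;
    try { host = new URL(entry.resolved).hostname; } catch (_) { /* unparsable: off-registry */ }
    if (!allowedHosts.includes(host)) {
      findings.push({ kind: "off-registry", field: "packages", name, detail: entry.resolved });
    }
    if (typeof entry.integrity !== "string") {
      findings.push({ kind: "missing-integrity", field: "packages", name, detail: entry.resolved });
    }
  }
  return findings;
}

// Constructed sample inputs; hosts use the reserved .invalid TLD and the
// integrity value is a placeholder.
const SAMPLE_MANIFEST = JSON.stringify({
  name: "example-app",
  version: "1.0.0",
  scripts: { test: "node test.js", postinstall: "node scripts/setup.js" },
  dependencies: {
    "left-pad": "^1.3.0",
    "helper-lib": "https://cdn.example.invalid/helper-lib-1.0.0.tgz",
    "ui-kit": "git+https://github.com/example-org/ui-kit.git#main",
    "shorthand-dep": "example-org/shorthand-dep",
  },
  devDependencies: { eslint: "npm:eslint@^9.0.0" },
});

const SAMPLE_LOCK = JSON.stringify({
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/left-pad": {
      version: "1.3.0",
      resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
      integrity: "sha512-PLACEHOLDER",
    },
    "node_modules/helper-lib": {
      version: "1.0.0",
      resolved: "https://cdn.example.invalid/helper-lib-1.0.0.tgz",
    },
  },
});

if (typeof require !== "undefined" && require.main === module) {
  for (const f of [...auditPackageManifest(SAMPLE_MANIFEST), ...auditLockfile(SAMPLE_LOCK)]) {
    console.log(`${f.kind.padEnd(18)} ${f.field}.${f.name}: ${f.detail}`);
  }
}
```

The lockfile half matters because a scanner that only reads `package.json` sees nothing wrong with a transitive dependency; the `resolved` URL in the lockfile is where an off-registry download actually shows up, and a missing `integrity` field means nothing pins what was fetched.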

Once executed, the payload attempted to collect sensitive data commonly found in development environments, including:

  • environment variables
  • configuration files used by development tools
  • credentials and tokens used by CI/CD pipelines

The risk of these attacks goes far beyond a single developer workstation. If attackers obtain CI/CD credentials or repository access, they may be able to compromise the software development pipeline itself.

That makes supply-chain attacks one of the most serious threats facing modern software ecosystems.

3. CRM Data Harvesting Through Misconfigured Cloud Platforms

A third incident illustrates how attackers are also exploiting misconfigurations in widely used enterprise platforms.

The hacking group known as ShinyHunters claimed to have harvested large amounts of corporate data from organizations using Salesforce Experience Cloud portals. According to reports, hundreds of companies may have been affected.

These portals are commonly used to provide customers or partners with limited access to CRM data. However, misconfigured guest permissions can allow anonymous users to access far more information than intended.

Attackers reportedly scanned the internet for publicly accessible Salesforce portals and tested them for overly permissive guest settings. When such configurations were found, automated tools were used to extract large datasets from the CRM environment.

The attackers later contacted affected companies, threatening to publish the stolen data unless ransoms were paid.

Importantly, researchers noted that the issue was not a vulnerability in Salesforce itself. Instead, the incidents were largely the result of insecure configuration choices made by individual organizations.

What These Incidents Have in Common

Although these three stories involve different technologies, they share several important themes.

First, attackers are increasingly targeting trusted infrastructure rather than individual users. Firewalls, developer tools, and SaaS platforms all sit at critical points in modern digital environments.

Second, many of these attacks rely on misconfiguration or overlooked security assumptions rather than sophisticated zero-day exploits.

Finally, the incidents demonstrate how quickly attackers can move once they gain an initial foothold. A single exposed credential, developer token, or cloud permission can provide a pathway to far broader compromise.

Lessons for Security Teams

These incidents reinforce several key security practices:

  1. Protect edge infrastructure

    Network devices should be monitored, patched, and logged with the same level of attention as servers and endpoints.

  2. Secure the software supply chain

    Organizations should validate dependencies, monitor external packages carefully, and enforce strict controls around CI/CD credentials.

  3. Audit cloud platform configurations

    Public-facing portals and SaaS integrations should be regularly reviewed to ensure that guest or anonymous access is tightly restricted.

  4. Minimize credential exposure

    Service accounts and API tokens should be limited in scope and rotated regularly.