What to look out for today
- Software supply chain tampering via developer tooling (code editor extensions, CI/CD workflows, repositories) being abused to gain access and steal code or secrets.
- Malicious developer packages (e.g., NuGet / npm) that masquerade as legitimate SDKs but attempt to steal credentials and certificates.
- More convincing phishing and social engineering (including AI-written lures) used to trick staff into signing in, installing “updates”, or approving access.
- Android phishing/malware kits that generate tailored lures and can lead to business email compromise, payment fraud, or MFA fatigue/approval scams.
Why this matters to smaller businesses
Even if your business isn’t the direct target, attackers often get in through trusted services and tools: your IT supplier, your developers’ build pipelines, browser sessions, or staff mobile phones. A single compromised extension/package or stolen cloud credential can quickly turn into account takeovers, invoice fraud, or operational disruption.
Warning signs
- Developers or IT report a “helpful” new VS Code/IDE extension appearing, or being requested for installation, outside normal process.
- Builds or deployments suddenly change behaviour, run extra steps, or request new secrets/tokens “to fix CI”.
- Unexpected prompts to re-authenticate to GitHub/Microsoft 365/Google/CRM, especially after clicking a link from email/chat.
- New npm/NuGet dependencies added without a clear business reason, or sudden version bumps that don’t match planned work.
- Staff report odd SMS/WhatsApp messages about deliveries, security alerts, “account lockouts”, or “urgent updates”, especially on Android.
- Unusual MFA push notifications or approval requests that staff didn’t initiate.
How attackers may exploit the situation
- Poisoned extensions/packages can quietly exfiltrate credentials, certificates, API keys, and cloud tokens.
- Compromised developer machines can lead to stolen repository access, then lateral movement into cloud and customer environments.
- AI-generated lures can increase the success rate of “sign in to view document/meeting” and fake support messages.
- Session theft (stealing browser login sessions) can bypass passwords and sometimes reduce the value of MFA if the session is already authenticated.
- Android phishing/malware can capture logins/OTP codes or install remote-access tooling, enabling account takeover and payment diversion.
What to do today
- Brief staff (especially finance/admin) to treat “re-auth”, “account locked”, “urgent update”, and “payment change” messages as suspicious—verify using known phone numbers, not email replies.
- Lock down browser and SaaS sessions: ensure MFA is on for email, accounting, payroll, CRM, and cloud admin accounts; reduce the number of admins; review sign-in alerts.
- For any in-house dev or web agency work: review how extensions and dependencies are approved; check recent dependency additions/updates and who made them.
- Check secrets hygiene: confirm no credentials/certificates are stored in code repos or build logs; rotate any exposed tokens quickly.
- Mobile controls: ensure Android devices used for work have screen locks, OS updates, and (where possible) managed app installation; discourage installing apps from links in messages.
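The two developer-facing actions above (reviewing recent dependency additions and checking build logs for exposed credentials) can be partly automated. The script below is an added example written for this brief, not code from any of the sources listed; the package.json contents, the package name "example-cloud-sdk" and the build-log lines are all constructed sample data, and the token patterns cover only a few well-known shapes (GitHub `ghp_`, npm `npm_`, AWS `AKIA`, PEM private keys and generic `key=value` assignments), so treat them as a starting point rather than a complete scanner.

```python
"""Added example (not part of the original brief): two checks that support the
'review recent dependency additions/updates' and 'check secrets hygiene' actions.
All manifests and log lines below are constructed sample data."""
import json
import re

# Constructed sample: a package.json before and after an unreviewed commit.
# "example-cloud-sdk" is a hypothetical package name used only for illustration.
OLD_MANIFEST = json.dumps({
    "dependencies": {"express": "4.18.2", "lodash": "4.17.21"},
    "devDependencies": {"jest": "29.7.0"},
})
NEW_MANIFEST = json.dumps({
    "dependencies": {"express": "4.18.2", "lodash": "4.17.22",
                     "example-cloud-sdk": "1.0.3"},
    "devDependencies": {"jest": "29.7.0"},
})

# Constructed sample build-log lines; the credential values are dummies.
BUILD_LOG = [
    "[12:01:03] npm install --no-audit",
    "[12:01:09] export GITHUB_TOKEN=ghp_" + "A" * 36,
    "[12:01:10] Pushing image to registry",
    "[12:01:11] DB_PASSWORD=CorrectHorseBatteryStaple99",
    "[12:01:12] AWS_ACCESS_KEY_ID=AKIAEXAMPLE0000EXAMP",
    "[12:01:15] Build finished",
]


def _flatten(manifest_text):
    """Merge dependencies and devDependencies into one {name: version} map."""
    data = json.loads(manifest_text)
    deps = {}
    for section in ("dependencies", "devDependencies"):
        deps.update(data.get(section, {}))
    return deps


def diff_dependencies(old_text, new_text):
    """Compare two package.json documents and report added, removed and
    version-changed packages."""
    old, new = _flatten(old_text), _flatten(new_text)
    return {
        "added": {n: v for n, v in new.items() if n not in old},
        "removed": {n: v for n, v in old.items() if n not in new},
        "changed": {n: (old[n], new[n]) for n in old if n in new and old[n] != new[n]},
    }


def unplanned_changes(diff, planned):
    """Packages touched by the diff that are not on the approved change list."""
    touched = set(diff["added"]) | set(diff["removed"]) | set(diff["changed"])
    return sorted(touched - set(planned))


# Ordered from most specific to most generic; the first match per line wins.
SECRET_PATTERNS = [
    ("github_pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("npm_token", re.compile(r"\bnpm_[A-Za-z0-9]{36}\b")),
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key_block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("generic_assignment",
     re.compile(r"(?i)(api[_-]?key|secret|token|password)\s*[:=]\s*['\"]?[^\s'\"]{12,}")),
]


def redact(value):
    """Keep only a short prefix so the report never re-exposes the secret."""
    return value[:6] + "..." if len(value) > 10 else value


def find_exposed_secrets(lines):
    """Return (line_number, pattern_name, redacted_match) for each log line
    that looks like it contains a credential."""
    hits = []
    for number, line in enumerate(lines, 1):
        for name, pattern in SECRET_PATTERNS:
            match = pattern.search(line)
            if match:
                hits.append((number, name, redact(match.group(0))))
                break
    return hits


if __name__ == "__main__":
    diff = diff_dependencies(OLD_MANIFEST, NEW_MANIFEST)
    print("dependency changes:", json.dumps(diff, indent=2))
    print("not on the planned-change list:", unplanned_changes(diff, {"lodash"}))
    for number, name, shown in find_exposed_secrets(BUILD_LOG):
        print(f"build log line {number}: possible {name} -> {shown}")
```

In practice you would feed `diff_dependencies` the manifest from the last reviewed commit and the current one (for NuGet, the same idea applies to `packages.config` or `<PackageReference>` entries in a `.csproj`), pass the names on the sprint's approved change list to `unplanned_changes`, and run `find_exposed_secrets` over exported CI logs; anything it reports should be rotated, since a value that reached a log should be assumed exposed.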
Ask your IT provider
- Do we have a process to approve and monitor developer IDE extensions and third-party dependencies (npm/NuGet)?
- What monitoring is in place for unusual sign-ins (impossible travel, new devices) to Microsoft 365/Google/admin portals?
- If a build pipeline or repo token is stolen, what is our rapid containment plan (token rotation, access review, incident comms)?
- Are admin accounts protected with phishing-resistant MFA where available, and are we limiting standing admin access?
- How do we control and audit remote access tools and “tunnels” used for support/development?
Patch watch
Browser session protection is improving: Chrome is rolling out added safeguards designed to make stolen session cookies less useful for account takeover. This doesn’t replace MFA or good sign-in monitoring, but it’s a helpful reduction in risk—confirm your organisation is staying current on browser updates and using managed settings where possible.
One action today
Send a short internal note today: “Do not install new browser/IDE extensions or approve unexpected MFA prompts; report immediately and verify sign-in/payment requests via a known phone number.”
Related Actions On Cyber resource
Actions On Cyber: Phishing & invoice fraud quick-check (staff verification checklist)
Sources
- Supply Chain Compromises Impact Nx Console and GitHub Repositories (CISA Cybersecurity Advisories)
- Malicious Sicoob NuGet Steals Banking Credentials as npm Packages Target Cloud Secrets (The Hacker News)
- Google Chrome adds session cookie theft protection for all users (BleepingComputer)
- BTMOB Android malware service generates custom phishing payloads (BleepingComputer)
- New Russian-Linked GREYVIBE Targets Ukraine with AI-Powered Cyberattacks (The Hacker News)
- Kimsuky Deploys HTTPSpy, Expands Arsenal with HelloDoor and VS Code Tunnels (The Hacker News)
This brief is for general awareness and does not replace advice from your IT provider, legal adviser, insurer or incident response specialist.