What to look out for today
Three themes to brief your team on today:
- Compromised open-source packages (including a reported npm supply-chain incident, tracked as IronWorm, in which 36 packages were published with infostealer malware).
- Fake websites impersonating popular tools that show up high in Google results and deliver malware when downloaded.
- Targeted phishing campaigns expanding into the UK and Europe, designed to drop remote access malware and steal credentials.
Why this matters to smaller businesses
- You don’t need to be a “tech company” to be affected. Many SMEs rely on web agencies, SaaS integrations, plugins, and outsourced IT who use open-source components and automation tools.
- One compromised dependency can lead to: stolen passwords (including email and accounting logins), session hijacking, fraudulent invoices, and wider supplier/customer notification work.
- Fake download sites target everyday work. Marketing, finance, operations and IT staff often search for “free tools”, converters, remote support tools, or utilities under time pressure.
Warning signs
- Staff report downloading a tool from “a site that looked right” found via Google, rather than the vendor’s known domain/app store.
- Unexpected prompts to “disable antivirus”, “allow browser notifications”, or run a downloaded installer to “complete setup”.
- New admin accounts, new MFA devices, or unusual sign-ins in Microsoft 365/Google Workspace audit logs.
- Developers/IT mention “quickly adding a package” or updating build/CI automation without normal review.
- Inbound emails that push urgent document review, shipping issues, HMRC/payroll queries, or “shared files”, especially if they lead to a login page.
How attackers may exploit the situation
- Supply-chain route: attackers plant malware into open-source packages, or abuse CI automation (e.g. a GitHub Action that acts on untrusted issue text, as in the reported Claude Code GitHub Action flaw). When the poisoned dependencies are installed or the workflow runs, credentials and tokens can be stolen and malicious changes pushed downstream to every project that depends on them.
- SEO / fake tool portals: fake download pages that mimic legitimate open-source tools rank highly in Google results and route visitors through a traffic distribution system (TDS) to a malware download instead of the real installer.
- Targeted phishing: attackers adapt lures to local regions (including the UK) to get a foothold, then move to email, cloud storage and finance workflows to intercept payments.
What to do today
- Tell staff: only download software from your organisation’s approved sources (company portal, Microsoft Store/Apple App Store, or known vendor links). If in doubt, stop and ask.
- Put a quick control on downloads: require admin approval for new software installs (even for “small utilities”).
- For any web/dev supplier or internal dev work: ask for confirmation they have reviewed dependencies and are monitoring for compromised packages and workflow risks.
- Review cloud sign-in alerts: check for unusual logins, impossible travel, and new OAuth/app consents in Microsoft 365/Google Workspace.
- Prepare for invoice/payment fraud: remind finance teams that “bank details change” requests must be verified via a known phone number, not email.
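One concrete way for a web or dev supplier to answer the "have you reviewed your dependencies" question is to compare the project lockfile against the package@version pairs named in an advisory. The script below is an added example written for this brief, not code from any of the sources or from npm: it reads a package-lock.json (both the lockfileVersion 2/3 "packages" map and the older lockfileVersion 1 nested "dependencies" tree) and reports any installed package whose exact version is on a blocklist. The package names and versions in the blocklist and the sample lockfile are constructed for illustration and are not the real IronWorm packages; a real check must use the names published in the advisory.

```python
"""Check an npm package-lock.json for known-compromised package versions.

Added example for this brief; not code from any cited source or from npm.
The blocklist and sample lockfile below are constructed (fictional names).
"""
import json
from pathlib import Path

# Constructed blocklist: package name -> set of compromised versions.
# Real entries must be copied from the vendor / NCSC advisory.
COMPROMISED = {
    "acme-colour-tools": {"4.2.1", "4.2.2"},
    "acme-build-helper": {"1.0.9"},
}


def installed_packages(lock):
    """Yield (name, version) for every package recorded in the lockfile.

    lockfileVersion 2/3 stores a flat "packages" map keyed by install path
    ("node_modules/foo", "node_modules/foo/node_modules/bar"); lockfileVersion 1
    stores a nested "dependencies" tree. Both are walked so transitive
    dependencies are covered, not just the ones listed in package.json.
    """
    packages = lock.get("packages")
    if packages:
        for path, meta in packages.items():
            if not path:  # "" is the root project itself, not a dependency
                continue
            # Aliased packages carry an explicit "name"; otherwise the name is
            # the last path component after the final "node_modules/".
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            yield name, meta.get("version", "")
        return

    def walk(deps):
        for name, meta in deps.items():
            yield name, meta.get("version", "")
            yield from walk(meta.get("dependencies", {}))

    yield from walk(lock.get("dependencies", {}))


def find_compromised(lock, blocklist=COMPROMISED):
    """Return a sorted list of 'name@version' strings present in the blocklist."""
    hits = set()
    for name, version in installed_packages(lock):
        if version in blocklist.get(name, ()):
            hits.add(f"{name}@{version}")
    return sorted(hits)


def check_lockfile(path, blocklist=COMPROMISED):
    """Load a lockfile from disk and return the compromised entries found."""
    return find_compromised(json.loads(Path(path).read_text()), blocklist)


# Constructed v3-style lockfile: a clean top-level copy of acme-colour-tools,
# plus a compromised acme-build-helper that pulls in a compromised nested copy.
SAMPLE_LOCK_V3 = {
    "name": "sme-website",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "sme-website", "version": "1.0.0"},
        "node_modules/acme-colour-tools": {"version": "4.1.0"},
        "node_modules/acme-build-helper": {"version": "1.0.9"},
        "node_modules/acme-build-helper/node_modules/acme-colour-tools": {"version": "4.2.1"},
    },
}

# The same install expressed in the older v1 nested shape.
SAMPLE_LOCK_V1 = {
    "name": "sme-website",
    "lockfileVersion": 1,
    "dependencies": {
        "acme-colour-tools": {"version": "4.1.0"},
        "acme-build-helper": {
            "version": "1.0.9",
            "dependencies": {"acme-colour-tools": {"version": "4.2.1"}},
        },
    },
}

if __name__ == "__main__":
    for hit in find_compromised(SAMPLE_LOCK_V3):
        print("COMPROMISED:", hit)
```

Run `check_lockfile("package-lock.json")` against each project the supplier maintains; a non-empty result means the build host and any CI runner that installed those versions should be treated as having had its credentials exposed, which is where the account and token revocation steps come in.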
Ask your IT provider
- Do we have a policy that prevents/controls ad-hoc software installs and downloads from unverified sites?
- How are we monitoring Microsoft 365/Google for suspicious sign-ins and new app/OAuth consents?
- For any development work (internal or outsourced): how do you vet and monitor open-source dependencies (including npm) and build automation workflows?
- Do we have an agreed process to rapidly disable accounts, revoke sessions/tokens, and reset passwords if an infostealer is suspected?
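The sign-in review in "What to do today" and the "how are we monitoring" and "rapidly disable accounts" questions above come down to the same triage: pull the audit records, find new app consents and sign-ins that cannot both be genuine, and turn that into a list of accounts to contain. The script below is an added example for this brief, not code from Microsoft, Google or any of the cited sources. It runs over constructed records in a simplified shape modelled on the Microsoft 365 unified audit log (Operation, UserId, CreationTime, ClientIP); the Country field and the application names are added here for illustration, and the consent operation names are taken as an assumption that a real deployment should confirm against its own exported logs.

```python
"""Triage constructed Microsoft 365-style audit records for new OAuth consents
and impossible travel, and list the accounts that need containment.

Added example for this brief; not code from Microsoft or any cited source.
The records and field layout below are constructed and simplified.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records. Assumption: Operation/UserId/CreationTime/ClientIP follow
# the unified-audit-log convention; Country and AppDisplayName are added here.
RECORDS = [
    {"CreationTime": "2024-05-01T08:02:11", "Operation": "UserLoggedIn",
     "UserId": "finance@sme.example", "ClientIP": "203.0.113.10", "Country": "GB"},
    {"CreationTime": "2024-05-01T08:40:55", "Operation": "UserLoggedIn",
     "UserId": "finance@sme.example", "ClientIP": "198.51.100.7", "Country": "NG"},
    {"CreationTime": "2024-05-01T08:45:02", "Operation": "Consent to application.",
     "UserId": "finance@sme.example", "ClientIP": "198.51.100.7", "Country": "NG",
     "AppDisplayName": "PDF Viewer Pro"},
    {"CreationTime": "2024-05-01T09:10:00", "Operation": "UserLoggedIn",
     "UserId": "ops@sme.example", "ClientIP": "203.0.113.11", "Country": "GB"},
    {"CreationTime": "2024-05-01T15:00:00", "Operation": "UserLoggedIn",
     "UserId": "ops@sme.example", "ClientIP": "192.0.2.5", "Country": "DE"},
]

# Assumed operation names for a user or admin granting an app OAuth permissions;
# confirm against your own tenant's exported records before relying on them.
CONSENT_OPERATIONS = {"Consent to application.", "Add OAuth2PermissionGrant."}


def parse_time(value):
    return datetime.fromisoformat(value)


def consent_events(records):
    """Return every record that grants an application consent, oldest first."""
    events = [r for r in records if r["Operation"] in CONSENT_OPERATIONS]
    return sorted(events, key=lambda r: parse_time(r["CreationTime"]))


def impossible_travel(records, window=timedelta(hours=1)):
    """Return (user, earlier_country, later_country) for consecutive sign-ins by
    the same user from different countries less than `window` apart."""
    by_user = defaultdict(list)
    for r in records:
        if r["Operation"] == "UserLoggedIn":
            by_user[r["UserId"]].append(r)
    findings = []
    for user, logins in by_user.items():
        logins.sort(key=lambda r: parse_time(r["CreationTime"]))
        for prev, cur in zip(logins, logins[1:]):
            gap = parse_time(cur["CreationTime"]) - parse_time(prev["CreationTime"])
            if prev["Country"] != cur["Country"] and gap <= window:
                findings.append((user, prev["Country"], cur["Country"]))
    return findings


def triage(records):
    """Summarise what a reviewer should look at first."""
    return {
        "consents": [(r["UserId"], r.get("AppDisplayName", "?")) for r in consent_events(records)],
        "impossible_travel": impossible_travel(records),
    }


def users_to_contain(records):
    """Accounts to disable, sign out (revoke sessions/tokens) and password-reset:
    anyone with a suspicious consent or an impossible-travel sign-in."""
    result = triage(records)
    users = {user for user, _ in result["consents"]}
    users |= {user for user, _, _ in result["impossible_travel"]}
    return sorted(users)


if __name__ == "__main__":
    for key, findings in triage(RECORDS).items():
        print(key, findings)
    print("contain:", users_to_contain(RECORDS))
```

In the constructed data the finance account signs in from GB and then NG 38 minutes apart and then consents to an unknown app from the second location, so it is the one account flagged for containment; the ops account's GB-to-DE gap is nearly six hours and is left for a human to judge. The window and the consent operation names are the two knobs to tune against real exports.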
Patch watch
Today’s main risk is not “a patch list” but trust in tools and suppliers. If you operate specialist industrial/monitoring systems, check with your supplier whether any recent advisories affect your environment and ensure internet exposure is tightly controlled.
One action today
Send a same-day message to staff: “Only download software from approved sources; if Google gives you a download site, stop and ask IT,” and require admin approval for any new installs.
Related Actions On Cyber resource
Actions On Cyber checklist: “Phishing & payment change verification (invoice fraud) – 60-second controls for SMEs”
Sources
- New IronWorm malware hits 36 packages in npm supply-chain attack (BleepingComputer)
- Software supply chain attacks: check your dependencies (NCSC All Updates)
- Claude Code GitHub Action Flaw Let One Malicious Issue Hijack Repositories (The Hacker News)
- Fake Sites Mimicking Open-Source Tools Rank High on Google to Deliver Malware via TDS (The Hacker News)
- China-Linked TA4922 Expands Phishing Attacks to U.K., Germany, Italy, and South Africa (The Hacker News)
- Chinese hackers use new Atlas RAT malware in European cyberattacks (BleepingComputer)
This brief is for general awareness and does not replace advice from your IT provider, legal adviser, insurer or incident response specialist.