BCY-ADV-2026-001
Axios npm Supply Chain Attack
North Korean State-Sponsored RAT Distribution
State-sponsored supply chain compromise of the Axios npm library. Malicious versions silently installed a RAT on any machine that updated during a three-hour window on March 31, 2026. Windows, macOS, and Linux affected. IOCs, detection commands, and remediation steps documented.
BCY-ADV-2026-002 — CVE-2017-0144 — CVSS 8.8
EternalBlue — SMBv1 Remote Code Execution
WannaCry · NotPetya · No Authentication Required
Unauthenticated RCE via crafted SMBv1 packets. Weaponized by WannaCry and NotPetya. KEV listed. Still actively exploited on unpatched and misconfigured systems. One vulnerable machine can pivot to full network compromise.
BCY-ADV-2026-003 — CVE-2021-34527 — CVSS 8.8
PrintNightmare — Print Spooler Remote Code Execution
SYSTEM Privileges · Active Exploitation Confirmed
RCE and privilege escalation via Windows Print Spooler. Authenticated attacker gains SYSTEM. KEV listed with confirmed active exploitation. Multiple follow-on CVEs in the same family.
BCY-ADV-2026-004 — CVE-2021-1675 — CVSS 7.8
PrintNightmare LPE — Print Spooler Local Privilege Escalation
SYSTEM Access · KEV Listed
Local privilege escalation via Windows Print Spooler. Part of the PrintNightmare family. Grants SYSTEM-level access from a standard user context. KEV listed.
BCY-ADV-2026-005 — CVE-2016-3236 — CVSS 7.5
WPAD Proxy Hijack — Network Traffic Interception
Same-Network Attack · All Web Traffic at Risk
Windows WPAD protocol mishandles proxy discovery, allowing any attacker on the same network to intercept all web traffic silently. Particularly dangerous in shared network environments including hospitality properties.
BCY-ADV-2026-006 — CVE-2017-5715 / CVE-2017-5754 — CVSS 5.6
Spectre & Meltdown — CPU Speculative Execution
Hardware-Level · OS & Microcode Mitigations Required
Hardware-level speculative execution vulnerabilities affecting virtually all modern CPUs. Allows side-channel extraction of sensitive data from memory. OS and microcode patches available and must be verified active.
BCY-ADV-2026-007 — MITRE T1557.001
LLMNR & NBT-NS Poisoning — Responder
Silent Credential Theft · No User Interaction Required
Protocol-level design weakness. Attackers use Responder to answer broadcast name resolution queries and harvest NTLM credential hashes silently. Any device on the same network is at risk. Particularly effective in shared environments.
BCY-ADV-2026-008 — MITRE T1003.001
LSASS Credential Dumping — Mimikatz
Password Hash Extraction · BYOVD Bypass Risk
Mimikatz and variants exploit legitimate LSASS memory access to dump plaintext passwords and NTLM hashes. LSASS PPL blocks commodity tools. Advanced BYOVD bypasses exist but require elevated privileges and driver deployment.
BCY-ADV-2026-009 — MITRE T1550.002
Pass-the-Hash via RDP
Authentication Abuse · No Plaintext Password Needed
Captured NTLM hashes used to authenticate as users without knowing plaintext passwords. RDP is a primary delivery vector. Restricted Admin mode blocks this technique entirely at the protocol level.
BCY-ADV-2026-010 — MITRE T1059.001
PowerShell Living-Off-the-Land Scripting
Built-In Abuse · CLM Mitigation
PowerShell is abused in the majority of modern intrusions because it is trusted, built in, and capable of nearly anything. Constrained Language Mode significantly raises the cost of commodity attacks without removing legitimate admin capability.
BCY-ADV-2026-011 — MITRE T1091
USB & Removable Media AutoRun Malware
Physical Vector · No User Interaction on Insertion
AutoRun and AutoPlay allow malicious payloads on USB drives to execute automatically on insertion without user interaction. Configuration weakness — not a software bug. One registry key eliminates this entire attack class.
BCY-ADV-2026-012 — CWE-798 / CWE-521
Default & Predictable Account Names
First Target in Every Automated Scan
Default Windows account names are hardcoded into every attacker toolset and are targeted first in automated credential attacks. A single rename and a 12-character complexity policy close this vector entirely at zero cost.