Severity
CRITICAL
Priority
0.850
Executive Summary
In the final week of April 2026, three simultaneous threats converge across developer pipelines, remote access infrastructure, and credential security. A malicious npm package actively exfiltrates environment variables from CI/CD systems; over 3.4 million RDP and VNC servers remain directly internet-exposed, many running unpatched or end-of-life Windows with CVE-2019-0708 (BlueKeep), an unauthenticated remote code execution vulnerability; and Vidar Stealer 2.0 has emerged to fill the operational gap left by disrupted infostealer operations, continuing active credential theft campaigns. Organizations running exposed remote access services, public-facing developer toolchains, or unpatched Windows endpoints face immediate breach risk from all three attack vectors.
Impact Assessment
CISA KEV Status
Not listed
Threat Severity
CRITICAL
Critical severity — immediate action required
Actor Attribution
HIGH
Vidar Stealer 2.0 operators (unattributed), TanStack brandsquatter (unattributed)
TTP Sophistication
HIGH
21 MITRE ATT&CK techniques identified
Detection Difficulty
HIGH
Multiple evasion techniques observed
Target Scope
INFO
TanStack npm package ecosystem, Windows RDP/VNC/RPC servers (including end-of-life Windows versions), OpenEMR, Komari agent, Chrome and Edge browser extensions, VNC servers (unauthenticated exposure)
Are You Exposed?
⚠ Your industry is targeted by Vidar Stealer 2.0 operators (unattributed), TanStack brandsquatter (unattributed) → Heightened risk
⚠ You use products/services from TanStack npm package ecosystem → Assess exposure
⚠ 21 attack techniques identified — review your detection coverage for these TTPs
✓ Your EDR/XDR detects the listed IOCs and TTPs → Reduced risk
✓ You have incident response procedures for this threat type → Prepared
Assessment estimated from severity rating and threat indicators
Business Context
An unpatched internet-exposed RDP server can be fully compromised in minutes by an automated exploit with no user interaction required — ransomware groups actively scan for and monetize exactly this exposure. A poisoned developer pipeline can silently steal every secret key and credential your engineering team uses, giving attackers authenticated access to cloud infrastructure, source code repositories, and customer data systems before any alert fires. The combination of credential theft via Vidar Stealer 2.0 and remote access exploitation creates conditions for rapid, multi-system compromise that can halt operations, trigger regulatory breach notification obligations across GDPR, HIPAA, and PCI-DSS jurisdictions, and generate remediation costs that routinely exceed initial attack containment by a factor of ten.
You Are Affected If
You run RDP (TCP/3389) or VNC (TCP/5900) on systems directly reachable from the public internet without a VPN or ZTNA gateway in front
Any of your Windows systems running RDP are unpatched for CVE-2019-0708 (BlueKeep) — this means Windows 7, Windows Server 2008, or Windows Server 2008 R2 without the May 2019 security update (KB4499175 or KB4499164)
Your CI/CD pipelines (GitHub Actions, GitLab CI, Jenkins, CircleCI, etc.) run npm install without package integrity verification, lockfile enforcement, or allowlisted registry controls
Developer workstations or build agents store secrets, API keys, or cloud credentials as environment variables accessible to npm lifecycle scripts
Your SOC detection content for credential-stealing malware was last updated against Lumma Stealer or Rhadamanthys signatures and has not been refreshed following their law enforcement disruption
Board Talking Points
Three simultaneous attack vectors — targeting developer systems, remote access servers, and employee credentials — create compounding breach risk that automated attackers can exploit faster than most security teams can respond.
The board should expect confirmation within 48 hours that internet-exposed remote desktop servers are patched or isolated, and that CI/CD pipeline secrets have been rotated.
Organizations that do not act immediately on exposed RDP services face a high probability of ransomware deployment — CVE-2019-0708 (BlueKeep) has been weaponized in active ransomware campaigns since 2019 and requires no employee interaction to trigger.
HIPAA Security Rule § 164.312(a)(1) — Access Control: CVE-2026-24908 affects OpenEMR, a widely deployed electronic health records platform. Organizations running OpenEMR must treat any unpatched instance as a potential ePHI exposure. Verify patch status immediately and document risk acceptance or remediation under your HIPAA risk management process.
HIPAA Security Rule § 164.312(b) — Audit Controls: Organizations running OpenEMR must confirm audit logging is active and capturing access events. NIST AU-2 and CIS 8.2 map directly to this requirement. Retain logs per AU-11 for a minimum period consistent with HIPAA documentation requirements.
HIPAA Security Rule § 164.308(a)(5)(ii)(B) — Protection from Malicious Software: Vidar Stealer 2.0 activity on endpoints with access to ePHI systems constitutes a malicious software event requiring incident response documentation. Apply the escalation note: this finding may constitute a reportable breach depending on whether ePHI was accessible from compromised endpoints — verify with your Privacy Officer and legal counsel.
Technical Analysis
Three distinct threat vectors are active concurrently:
**1. Supply Chain Poisoning, Malicious npm Package (TanStack Brandsquatting)**
A threat actor registered an npm package impersonating the legitimate TanStack ecosystem.
The package executes environment variable exfiltration at install time, targeting CI/CD pipeline secrets, API keys, and credentials stored in shell environments.
MITRE techniques: T1195.002 (Compromise Software Supply Chain), T1552.001 (Credentials in Files), T1071.001 (Web Protocols for C2). CWE-494 (Download of Code Without Integrity Check) is the core weakness. Confirmed affected scope: any developer or automated pipeline that installed the malicious package. No CVE assigned to this package at analysis time.
**2. Mass Remote Access Exposure, RDP/VNC Internet-Facing Servers**
Internet-exposed RDP and VNC servers number in the millions according to public scanning reports (Shadowserver, Shodan, Censys). A material subset runs unauthenticated VNC or end-of-life Windows versions. CVE-2019-0708 (BlueKeep), CVSS 9.8 per NVD, is an unauthenticated RCE vulnerability via RDP on Windows 7, Windows Server 2008 R2, and earlier systems. Exploitation is wormable with no user interaction required (AV:N/AC:L/PR:N/UI:N). MITRE techniques: T1190 (Exploit Public-Facing Application), T1021.001 (Remote Desktop Protocol), T1021.005 (VNC), T1068 (Exploitation for Privilege Escalation). CVE-2026-24908 and CVE-2026-23627 are referenced in source material, but technical details are not yet available in NVD at analysis time. Organizations should monitor NVD updates for these 2026-series CVEs. Recommendations in this brief focus on CVE-2019-0708, which is confirmed and actively exploited.
**3. Infostealer Ecosystem Reshuffling, Vidar Stealer 2.0**
Following law enforcement disruption of Lumma Stealer and Rhadamanthys operations in early 2026, Vidar Stealer 2.0 has emerged as the dominant commodity infostealer in active use. Vidar is distributed via phishing (T1566.002), browser extension abuse (T1176), and malvertising. It targets browser-stored credentials (T1555) and session cookies (T1539) and performs keylogging (T1056). CWE coverage: CWE-613 (Insufficient Session Expiration), CWE-285 (Improper Authorization). The transition to a new dominant stealer increases detection-gap risk for SOC teams tuned to Lumma/Rhadamanthys IOC signatures and infrastructure.
**CVE Verification Status:**
- CVE-2019-0708 (BlueKeep): CVSS 9.8, confirmed in NVD, patched May 2019 via Microsoft Security Advisory.
- CVE-2026-24908 and CVE-2026-23627: Referenced in source data; specific technical details pending NVD publication. Do not rely on these CVEs for detection or containment guidance until NVD details are published.
Action Checklist (IR Enriched)
Triage Priority: IMMEDIATE
Escalate to CISO and legal counsel immediately if: evidence of successful BlueKeep (CVE-2019-0708) RCE is confirmed on any internet-facing host (kernel crash dumps with MS_T120 channel artifacts + subsequent unauthorized service installation Event ID 7045), if CI/CD environment variable exfiltration by the malicious TanStack npm package included secrets granting access to production systems or customer data (triggering breach notification assessment under applicable regulations including HIPAA if OpenEMR is in scope per the affected systems list), or if Vidar Stealer 2.0 credential theft is confirmed on endpoints with access to privileged accounts or PII/PHI repositories.
Step 1: Containment — Audit all npm packages installed in CI/CD pipelines and developer environments over the past 30 days. Flag any package name resembling 'tanstack' that is not the verified @tanstack scope on npmjs.com. Revoke and regenerate all secrets, API keys, and credentials stored in pipeline environment variables that may have been exfiltrated. Block outbound connections from build systems to unrecognized external IPs at the network boundary. For RDP/VNC: immediately restrict inbound TCP 3389 and TCP 5900 at the perimeter firewall to allowlisted VPN or jump-box IP ranges only — direct internet exposure must be closed now. (Cite: NIST AC-4 — Information Flow Enforcement / NIST AC-17 — Remote Access / CIS 4.4 — Implement and Manage a Firewall on Servers / CIS 4.5 — Implement and Manage a Firewall on End-User Devices / D3-UAP — User Account Permissions)
IR Detail
Containment
NIST 800-61r3 §3.3 — Containment Strategy: isolate affected systems and prevent further damage while preserving evidence; CSF [RS] — execute IR plan, contain, communicate, mitigate
NIST IR-4 (Incident Handling) — implement containment as part of incident handling capability
NIST SI-3 (Malicious Code Protection) — detect and contain malicious code introduced via supply chain vector
NIST CM-3 (Configuration Change Control) — flag unauthorized package introductions as unapproved configuration changes
CIS 2.3 (Address Unauthorized Software) — ensure unauthorized packages (malicious TanStack typosquats) are removed from enterprise assets
CIS 4.4 (Implement and Manage a Firewall on Servers) — enforce outbound firewall rules on build servers to block C2 exfiltration channels
Compensating Control
Use 'npm ls --all 2>/dev/null | grep -i tanstack' across all pipeline nodes to enumerate installed packages; cross-reference against 'npm view @tanstack/<package> dist-tags' to confirm legitimate scoped publisher. For secret rotation without a secrets manager, use 'printenv | grep -iE "token|secret|key|password|api"' to enumerate exposed variables, then immediately update each upstream service credential. Block outbound build-server traffic using host-based iptables rules: 'iptables -A OUTPUT -p tcp --dport 80 -d <unrecognized_ip> -j DROP' for flagged IPs identified from 'ss -tnp' or 'netstat -tnp' captured at time of detection.
Preserve Evidence
Capture BEFORE rotating secrets or removing packages: (1) full 'npm ls --all' output and package-lock.json/yarn.lock snapshots from each affected pipeline node to document the malicious package's dependency chain; (2) CI/CD job execution logs (GitHub Actions logs, Jenkins build console output, GitLab CI job traces) showing the install step that introduced the malicious TanStack-named package — these logs will contain the exact npm registry URL resolved and any stderr output from postinstall hooks; (3) network flow logs or pcap from the build server's outbound interface during the last 30-day window, filtering on the build server IP as source — the exfiltration payload (environment variables) was transmitted outbound, so capture destination IPs/domains and payload size; (4) /proc/<pid>/environ snapshots or OS-level process environment dumps for any node processes spawned by the malicious postinstall script; (5) shell history files (~/.bash_history, ~/.zsh_history) on build nodes for any commands executed by the malicious package's lifecycle hooks.
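As an added example (not code from the brief), the Python script below performs the package audit Step 1 calls for over a package-lock.json: it flags names containing "tanstack" that sit outside the verified @tanstack scope, entries that declare install-time lifecycle scripts (the vector for install-time environment exfiltration), entries resolved from a registry other than the allowlisted one, and entries with no sha512 integrity value. The lock file embedded below is constructed; "tanstack-query-helper" and the mirror URL are hypothetical placeholders, not indicators from this brief.

```python
"""Audit an npm package-lock.json (lockfileVersion 2/3) for TanStack brandsquats
and for packages that run install-time lifecycle scripts.

Added example, not code from the brief. Assumes the 'packages' map introduced
in lockfileVersion 2. The sample lock below is constructed for illustration.
"""
import json
import re

LEGIT_SCOPE = "@tanstack/"
OFFICIAL_REGISTRY = "https://registry.npmjs.org/"

# Constructed sample lock file. "tanstack-query-helper" is a hypothetical
# lookalike name; the mirror host is a placeholder.
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "dependencies": {}},
        "node_modules/@tanstack/react-query": {
            "version": "5.0.0",
            "resolved": "https://registry.npmjs.org/@tanstack/react-query/-/react-query-5.0.0.tgz",
            "integrity": "sha512-AAAA",
        },
        "node_modules/tanstack-query-helper": {
            "version": "1.0.3",
            "resolved": "https://registry.npmjs.org/tanstack-query-helper/-/tanstack-query-helper-1.0.3.tgz",
            "integrity": "sha512-BBBB",
            "hasInstallScript": True,
        },
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://mirror.example.internal/left-pad/-/left-pad-1.3.0.tgz",
            "integrity": "sha512-CCCC",
        },
    },
})


def package_name(lock_path: str) -> str:
    """Derive the package name from a lock 'packages' key, e.g.
    'node_modules/foo/node_modules/@scope/bar' -> '@scope/bar'."""
    return lock_path.rsplit("node_modules/", 1)[-1]


def audit_lock(lock_text: str, allowed_registry: str = OFFICIAL_REGISTRY) -> list:
    """Return a list of (package_name, reason) findings for the given lock file."""
    lock = json.loads(lock_text)
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":
            continue  # root project entry, not a dependency
        name = package_name(path)
        # Brandsquat check: "tanstack" anywhere in the name but outside the
        # verified scope. "@tanstack-dev/x" style scopes also fail this test.
        if re.search(r"tanstack", name, re.IGNORECASE) and not name.startswith(LEGIT_SCOPE):
            findings.append((name, "name resembles TanStack but is outside @tanstack scope"))
        # Install-time lifecycle scripts are what runs with the pipeline's environment.
        if meta.get("hasInstallScript"):
            findings.append((name, "declares install/postinstall lifecycle script"))
        # The resolved tarball must come from the allowlisted registry.
        resolved = meta.get("resolved", "")
        if resolved and not resolved.startswith(allowed_registry):
            findings.append((name, f"resolved from non-allowlisted registry: {resolved}"))
        # Every entry must carry a sha512 SRI value so it can be verified later.
        if not meta.get("integrity", "").startswith("sha512-"):
            findings.append((name, "missing sha512 integrity field"))
    return findings


if __name__ == "__main__":
    for pkg, reason in audit_lock(SAMPLE_LOCK):
        print(f"{pkg}: {reason}")
```

To run it against a real pipeline node, replace SAMPLE_LOCK with the contents of the node's committed package-lock.json; the same findings structure can be written to the evidence bundle alongside the 'npm ls --all' output.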
Step 2: Detection — Query firewall and SIEM logs for inbound ACCEPT on TCP 3389 or TCP 5900 from source IPs not in RFC1918 ranges and not in allowlisted VPN or jump-box IP ranges. Search Windows Security Event Log for Event ID 4625 (failed logon) with Logon Type 10 (RemoteInteractive) from non-RFC1918 addresses at high frequency — this signals BlueKeep scanning activity. Search Event ID 4624 for successful RDP logons from external IPs. For the malicious npm package: audit npm install logs for package names closely resembling 'tanstack'; verify all @tanstack/* installs match official registry checksums. In CI/CD pipeline logs, look for unexpected outbound HTTP/S connections from build agents at install time (T1071.001). For Vidar Stealer 2.0: review browser process trees for unexpected child processes and flag PowerShell execution (T1059.001) spawned from browser processes. Update threat intelligence feeds — existing Lumma/Rhadamanthys signature sets will not reliably detect Vidar 2.0 variants. (Cite: NIST AU-2 — Event Logging / NIST AU-6 — Audit Record Review, Analysis, and Reporting / NIST AU-12 — Audit Record Generation / CIS 8.2 — Collect Audit Logs / D3-LAM — Local Account Monitoring / D3-SFA — System File Analysis)
IR Detail
Detection & Analysis
NIST 800-61r3 §3.2 — Detection and Analysis: correlate indicators across log sources, prioritize incidents by scope and impact; CSF [DE] — monitor, detect, analyze, correlate, and triage adverse events
NIST SI-4 (System Monitoring) — monitor for BlueKeep exploitation attempts on RDP (TCP 3389) and unauthenticated VNC (TCP 5900) exposure
NIST AU-6 (Audit Record Review, Analysis, and Reporting) — review Windows Security Event Log for Event IDs 4624/4625 indicating external RDP authentication attempts
NIST AU-2 (Event Logging) — ensure RDP authentication events and network flow logs are captured for analysis
NIST IR-5 (Incident Monitoring) — track and document RDP/VNC exposure findings and Vidar Stealer 2.0 behavioral indicators across affected endpoints
CIS 8.2 (Collect Audit Logs) — ensure audit logs for RDP logon events and browser process telemetry are collected and centrally accessible
CIS 7.1 (Establish and Maintain a Vulnerability Management Process) — use Shadowserver exposure data as an input to identify unmanaged internet-facing RDP/VNC assets
Compensating Control
Without SIEM/EDR: on each Windows RDP-enabled host, run 'Get-WinEvent -LogName Security -FilterXPath "*[System[(EventID=4624 or EventID=4625)] and EventData[Data[@Name='LogonType']='10']]" | Select-Object TimeCreated, Message | Export-Csv rdp_logons.csv' — LogonType 10 is RDP-specific. For Vidar Stealer 2.0 browser process tree detection without EDR, deploy Sysmon with SwiftOnSecurity's base config and query Event ID 1 (Process Create) filtering ParentImage containing 'chrome.exe' or 'msedge.exe' with Image containing 'powershell.exe' or 'cmd.exe'. For VNC unauthenticated exposure, run 'nmap -sV -p 5900 --script vnc-info <your_external_ranges>' from an external vantage point to confirm authentication enforcement. Register for free Shadowserver organizational membership to receive automated daily reports on your ASN's exposed services.
Preserve Evidence
Capture BEFORE any blocking or isolation actions: (1) Windows Security Event Log exports (Event IDs 4624, 4625, 4648) from all internet-facing RDP hosts filtered to LogonType=10, preserving source IP fields — BlueKeep exploitation (CVE-2019-0708) targets the pre-authentication RDP protocol stack and may appear as anomalous connection attempts followed by system crashes or Event ID 7045 (new service installed) post-exploitation; (2) Windows System Event Log for Event ID 6008 (unexpected shutdown) and Application Log for Event ID 1000/1001 (application crash/Windows Error Reporting) on RDP hosts — BlueKeep causes a kernel-level use-after-free that frequently produces a BSoD/crash dump before achieving RCE; (3) for Vidar Stealer 2.0, collect browser credential store file paths before they are wiped — Chrome: '%LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data', Edge: '%LOCALAPPDATA%\Microsoft\Edge\User Data\Default\Login Data' — these SQLite files will show last-accessed timestamps indicating stealer activity; (4) Sysmon Event ID 3 (Network Connection) logs showing browser processes (chrome.exe, msedge.exe) making outbound connections to non-Google/Microsoft IPs, consistent with Vidar 2.0 C2 exfiltration; (5) firewall/perimeter logs showing inbound connection volume and source IP distribution for TCP 3389 and TCP 5900 over the prior 72 hours — mass BlueKeep scanning produces characteristic port-sweep patterns from known exploit framework source ranges.
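As an added example (not code from the brief), the Python routine below implements the Event ID 4624/4625 LogonType 10 logic from Step 2 over a constructed one-event-per-line export: it discards RFC1918 and allowlisted VPN sources, counts failed RDP logons per external source to surface the high-frequency pattern the step describes, and lists any external source that succeeded after a failure burst. All addresses are RFC 5737 documentation values, the VPN allowlist 198.51.100.0/24 is an assumed range, and the burst threshold of 5 is an assumed tuning value; a real Get-WinEvent CSV export would need the line regex adjusted.

```python
"""Triage Windows Security events 4624/4625 for RDP (LogonType 10) logons from
addresses outside RFC1918 and the VPN/jump-box allowlist.

Added example, not code from the brief. Log format, addresses (RFC 5737
documentation ranges), allowlist and threshold are constructed/assumed.
"""
import ipaddress
import re
from collections import Counter

# Internal ranges: RFC1918 plus loopback. Documentation ranges are deliberately
# NOT treated as internal, so the constructed external sources below count.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128")]
# Assumed allowlist: VPN concentrator / jump-box egress range (constructed).
ALLOWLIST = [ipaddress.ip_network("198.51.100.0/24")]
RDP_LOGON_TYPE = "10"
FAILURE_BURST_THRESHOLD = 5  # assumed: failed RDP logons from one source in the window

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+EventID=(?P<eid>\d+)\s+LogonType=(?P<lt>\d+)\s+IpAddress=(?P<ip>\S+)"
)

# Constructed sample export, one event per line.
SAMPLE_EVENTS = """\
2026-04-27T02:14:01Z EventID=4625 LogonType=10 IpAddress=203.0.113.5
2026-04-27T02:14:02Z EventID=4625 LogonType=10 IpAddress=203.0.113.5
2026-04-27T02:14:02Z EventID=4625 LogonType=10 IpAddress=203.0.113.5
2026-04-27T02:14:03Z EventID=4625 LogonType=10 IpAddress=203.0.113.5
2026-04-27T02:14:04Z EventID=4625 LogonType=10 IpAddress=203.0.113.5
2026-04-27T02:14:05Z EventID=4625 LogonType=10 IpAddress=203.0.113.5
2026-04-27T02:15:30Z EventID=4624 LogonType=10 IpAddress=203.0.113.5
2026-04-27T08:00:12Z EventID=4624 LogonType=10 IpAddress=10.0.0.5
2026-04-27T08:05:44Z EventID=4624 LogonType=10 IpAddress=198.51.100.7
2026-04-27T08:06:00Z EventID=4624 LogonType=3 IpAddress=203.0.113.9
2026-04-27T08:07:10Z EventID=4625 LogonType=10 IpAddress=203.0.113.44
2026-04-27T09:00:00Z EventID=4624 LogonType=2 IpAddress=-
"""


def is_internal_or_allowlisted(ip_text: str) -> bool:
    """True for RFC1918/loopback sources, allowlisted ranges, and the '-' marker
    Windows writes for local or unknown network addresses."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True  # '-' or similar: no external source to attribute
    return any(ip in net for net in INTERNAL_NETS + ALLOWLIST)


def parse_events(text: str) -> list:
    """Parse the constructed export into dicts with ts, eid, lt and ip keys."""
    return [m.groupdict() for line in text.splitlines()
            if (m := LINE_RE.match(line.strip()))]


def triage_rdp(text: str) -> dict:
    """Summarise external RDP activity: per-source failures, successes, sources
    exceeding the failure-burst threshold, and successes following a burst."""
    rdp_external = [e for e in parse_events(text)
                    if e["lt"] == RDP_LOGON_TYPE and not is_internal_or_allowlisted(e["ip"])]
    failures = Counter(e["ip"] for e in rdp_external if e["eid"] == "4625")
    successes = [(e["ts"], e["ip"]) for e in rdp_external if e["eid"] == "4624"]
    bursts = {ip: n for ip, n in failures.items() if n >= FAILURE_BURST_THRESHOLD}
    # A success from a source that also produced a burst is the top-priority finding.
    success_after_burst = [(ts, ip) for ts, ip in successes if ip in bursts]
    return {
        "external_rdp_failures": dict(failures),
        "external_rdp_successes": successes,
        "burst_sources": bursts,
        "success_after_burst": success_after_burst,
    }


if __name__ == "__main__":
    for key, value in triage_rdp(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

The 'success_after_burst' list is the set to escalate first; 'burst_sources' alone is the scanning/brute-force signal the step refers to, and 'external_rdp_successes' from a source with no prior failures still warrants a check against change records, since the allowlist should make such events rare.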
Step 3: Eradication — For BlueKeep (CVE-2019-0708): apply Microsoft Security Update KB4499175 (Windows 7 and Windows Server 2008 R2) or KB4499164 (Windows Server 2008 SP2) via Microsoft Update Catalog. For end-of-life systems that cannot be patched: isolate immediately and begin decommission or upgrade planning — these assets must not remain internet-reachable. Disable RDP on all systems that do not require it. Enable Network Level Authentication (NLA) on all RDP-enabled systems as a compensating control. For exposed VNC: require authentication on all VNC instances or take them offline. For the malicious npm package: remove from package.json, clear npm cache, purge node_modules, and rerun install from verified lock files only. Rotate all credentials and API keys confirmed or suspected to have been present in pipeline environment variables. (Cite: NIST AC-6 — Least Privilege / NIST AC-17 — Remote Access / CIS 2.2 — Ensure Authorized Software is Currently Supported / CIS 7.3 — Perform Automated Operating System Patch Management / CIS 7.4 — Perform Automated Application Patch Management / D3-CRO — Credential Rotation / D3-CH — Credential Hardening)
IR Detail
Eradication
NIST 800-61r3 §3.4 — Eradication: remove threat from environment, remediate vulnerabilities that enabled the incident, verify eradication completeness; CSF [RS] — remove threat, verify eradication
NIST SI-2 (Flaw Remediation) — apply KB4499175 and KB4499164 to remediate CVE-2019-0708 on Windows 7/2008 R2 and 2008 SP2 respectively; identify and remediate EoL systems that cannot receive patches
NIST CM-7 (Least Functionality) — disable RDP on systems that do not require it as part of reducing attack surface
NIST SI-3 (Malicious Code Protection) — purge malicious TanStack-named npm packages from all pipeline environments and verify clean reinstall from verified lock files
NIST IA-3 (Device Identification and Authentication) — enforce Network Level Authentication (NLA) on RDP to require device-level credential verification before session establishment
CIS 7.3 (Perform Automated Operating System Patch Management) — apply BlueKeep patches KB4499175/KB4499164 through patch management process; flag EoL systems as unmanageable via standard patching
CIS 7.4 (Perform Automated Application Patch Management) — enforce npm package integrity via verified lock files as part of application-level patch management
CIS 4.7 (Manage Default Accounts on Enterprise Assets and Software) — audit VNC instances for default or null authentication configurations and enforce password requirements
Compensating Control
For EoL Windows systems that cannot receive KB4499175/KB4499164: implement host-based firewall rules to block all inbound TCP 3389 — 'netsh advfirewall firewall add rule name="Block RDP Inbound" dir=in action=block protocol=tcp localport=3389' — and place the host on an isolated VLAN with no internet routing. For NLA enforcement without Group Policy infrastructure, set the registry key directly: 'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 1 /f'. For npm eradication on CI/CD nodes without package management tooling, run 'npm cache clean --force && rm -rf node_modules package-lock.json && npm install --ignore-scripts' — the '--ignore-scripts' flag prevents malicious postinstall hooks from re-executing during the clean reinstall. Verify package integrity with 'npm audit' and cross-check each dependency's SHA-512 integrity hash in package-lock.json against npmjs.com registry entries.
Preserve Evidence
Capture BEFORE patching or removing packages — eradication destroys forensic state: (1) full memory dump from any RDP host suspected of BlueKeep exploitation using WinPmem ('winpmem_mini_x64.exe memdump.raw') — CVE-2019-0708 exploitation leaves artifacts in kernel memory pool allocations related to the MS_T120 channel use-after-free; (2) Windows crash dump files (%SystemRoot%\Minidump\*.dmp and %SystemRoot%\MEMORY.DMP) from affected RDP hosts — BlueKeep frequently triggers BSoD prior to successful RCE, preserving heap spray artifacts; (3) registry export of 'HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server' to document current RDP configuration state, NLA setting, and any attacker-modified values before patching overwrites them; (4) for the malicious npm package, preserve the full contents of node_modules/<malicious-package>/ including package.json, any .js files, and postinstall scripts — these contain the exfiltration logic and C2 destination hardcoded or obfuscated within the lifecycle hook; (5) npm-debug.log and CI/CD runner logs from the install step that introduced the malicious package, preserving the registry resolution URL and any HTTP requests made during postinstall execution.
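The SHA-512 cross-check named in the compensating control above, as an added example (not the brief's or npm's own code): npm records each dependency's integrity as a Subresource Integrity string ("sha512-" followed by the base64 SHA-512 of the tarball), so a cached or re-downloaded .tgz can be verified offline against the committed package-lock.json before the clean reinstall. The tarball bytes, package names and lock entries below are constructed; the function also fails closed on legacy entries that carry only a sha1 value.

```python
"""Verify npm tarballs against the Subresource Integrity (SRI) values recorded
in package-lock.json before a clean reinstall.

Added example, not code from the brief or from npm. Tarball bytes, package
names and lock entries are constructed for illustration.
"""
import base64
import hashlib
import hmac


def sri_sha512(data: bytes) -> str:
    """Return the SRI string npm writes for data: 'sha512-' + base64(SHA-512(data))."""
    return "sha512-" + base64.b64encode(hashlib.sha512(data).digest()).decode("ascii")


def verify_integrity(data: bytes, integrity: str) -> bool:
    """Check data against a lock-file 'integrity' value.

    An entry may list several algorithms separated by spaces; only the sha512
    token is trusted, and an entry with no sha512 token fails closed."""
    for token in integrity.split():
        if token.startswith("sha512-"):
            expected = base64.b64decode(token[len("sha512-"):])
            return hmac.compare_digest(expected, hashlib.sha512(data).digest())
    return False


# Constructed tarball contents (stand-ins for real .tgz bytes from the npm cache).
GOOD_TGZ = b"\x1f\x8b constructed tarball for example-dep-a 1.2.0"
TAMPERED_TGZ = GOOD_TGZ + b" bytes appended after the lock file was committed"
SHA1_ONLY = "sha1-" + base64.b64encode(hashlib.sha1(GOOD_TGZ).digest()).decode("ascii")

# Constructed 'packages' map as found in a lockfileVersion 2/3 lock file.
SAMPLE_PACKAGES = {
    "node_modules/example-dep-a": {"version": "1.2.0", "integrity": sri_sha512(GOOD_TGZ)},
    "node_modules/example-dep-b": {"version": "0.9.1", "integrity": sri_sha512(GOOD_TGZ)},
    "node_modules/example-dep-c": {"version": "3.0.0", "integrity": SHA1_ONLY},
}

# Bytes actually present on the build node for each entry (constructed).
SAMPLE_TARBALLS = {
    "node_modules/example-dep-a": GOOD_TGZ,      # untouched
    "node_modules/example-dep-b": TAMPERED_TGZ,  # differs from what the lock recorded
    "node_modules/example-dep-c": GOOD_TGZ,      # lock carries only sha1: cannot be trusted
}


def check_lock_entries(packages: dict, tarballs: dict) -> dict:
    """Map each lock entry to 'ok', 'MISMATCH', 'UNVERIFIABLE' (no sha512 in the
    lock) or 'MISSING' (no tarball available to check)."""
    results = {}
    for path, meta in packages.items():
        data = tarballs.get(path)
        integrity = meta.get("integrity", "")
        if data is None:
            results[path] = "MISSING"
        elif "sha512-" not in integrity:
            results[path] = "UNVERIFIABLE"
        elif verify_integrity(data, integrity):
            results[path] = "ok"
        else:
            results[path] = "MISMATCH"
    return results


if __name__ == "__main__":
    for path, status in check_lock_entries(SAMPLE_PACKAGES, SAMPLE_TARBALLS).items():
        print(f"{status:12} {path}")
```

Any entry reported as MISMATCH or UNVERIFIABLE should block the reinstall until the tarball is re-fetched from the allowlisted registry and the lock entry is corrected and reviewed.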
Step 4: Recovery — After patching, re-scan all external IP ranges to confirm TCP 3389 and TCP 5900 are no longer directly reachable from the internet. Validate that Network Level Authentication is enforced via Group Policy (Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services). Rotate all secrets and tokens that were exposed in CI/CD pipeline environments. Re-run build pipelines from clean environments using verified package hashes from confirmed lock files. Monitor authentication logs for 30 days post-remediation for anomalous RDP logon patterns using Event IDs 4624 and 4625. For Vidar Stealer 2.0 exposure: treat all browser-stored credentials on affected endpoints as compromised and force password resets for all accounts accessible from those systems. Confirm audit log collection is active and storage capacity is sufficient to retain post-remediation monitoring data. (Cite: NIST AU-4 — Audit Storage Capacity / NIST AU-6 — Audit Record Review, Analysis, and Reporting / NIST AU-11 — Audit Record Retention / NIST AC-7 — Unsuccessful Logon Attempts / CIS 5.2 — Use Unique Passwords / CIS 6.4 — Require MFA for Remote Network Access / D3-MFA — Multi-factor Authentication / D3-CRO — Credential Rotation)
IR Detail
Recovery
NIST 800-61r3 §3.5 — Recovery: execute recovery plan, restore systems to normal operations, verify integrity of restored systems, and monitor for recurrence; CSF [RC] — execute recovery plan, restore, verify, communicate
NIST SI-2 (Flaw Remediation) — verify patch application via post-remediation scan confirming CVE-2019-0708 is no longer exploitable on previously exposed RDP hosts
NIST AU-6 (Audit Record Review, Analysis, and Reporting) — monitor Windows Security Event Log for anomalous RDP Event ID 4624 (LogonType=10) patterns for 30 days post-remediation as indicator of persistent access or re-exploitation
NIST IA-5 (Authenticator Management) — force rotation of all CI/CD secrets, API tokens, and credentials exfiltrated by the malicious TanStack-named npm package; force password resets for all accounts accessible from Vidar Stealer 2.0-affected endpoints
NIST SI-7 (Software, Firmware, and Information Integrity) — verify npm package integrity via SHA-512 hash comparison in package-lock.json before re-running production build pipelines
NIST CP-4 (Contingency Plan Testing) — validate that recovery procedures restored systems to verified clean state, not merely operational state
CIS 7.2 (Establish and Maintain a Remediation Process) — document post-patch rescan results as evidence of remediation closure for BlueKeep-exposed systems
CIS 5.3 (Disable Dormant Accounts) — during 30-day monitoring window, identify and disable any RDP accounts showing no legitimate activity that may indicate attacker-created persistence
Compensating Control
Post-patch RDP/VNC exposure validation without commercial scanner: use 'nmap -sV -p 3389,5900 --script rdp-enum-encryption,vnc-info <external_ip_ranges> -oN rdp_vnc_postscan.txt' from an external IP to confirm ports are unreachable or NLA-enforced. For 30-day RDP authentication monitoring without SIEM, schedule a daily PowerShell task on each RDP host: 'Get-WinEvent -LogName Security -FilterXPath "*[System[(EventID=4624) and TimeCreated[timediff(@SystemTime) <= 86400000]] and EventData[Data[@Name='LogonType']='10']]" | Select-Object TimeCreated, Message | Export-Csv -Append daily_rdp_monitor.csv' (timediff is the Windows event XPath idiom for "within the last N milliseconds"; 86400000 ms is 24 hours). For Vidar Stealer 2.0 credential compromise scope assessment without EDR, run 'Get-ChildItem -Path "$env:LOCALAPPDATA\Google\Chrome\User Data\Default" -Filter "Login Data" | Select-Object LastWriteTime' to identify recent stealer access timestamps on affected endpoints.
Preserve Evidence
Capture during recovery to establish clean baseline and support post-incident review: (1) post-patch Nmap scan output confirming TCP 3389 and TCP 5900 are no longer exposed or are NLA-enforced — this becomes the documented remediation evidence artifact for compliance records (NIST AU-11); (2) Group Policy Results report ('gpresult /H gpo_report.html') from representative RDP-enabled hosts confirming NLA policy application under 'Computer Configuration > Windows Components > Remote Desktop Services'; (3) npm 'package-lock.json' integrity diff between pre-incident and post-clean-install states, capturing the SHA-512 hash change for the removed malicious package and its dependency subtree; (4) CI/CD pipeline execution logs from the first clean post-incident build run, confirming '--ignore-scripts' flag enforcement and absence of unexpected outbound network connections during install; (5) password reset completion audit log from IAM/IdP system (Active Directory event ID 4723/4724 or equivalent) documenting forced resets for all accounts accessible from Vidar Stealer 2.0-compromised endpoints, establishing a documented remediation timeline.
Step 5: Post-Incident — Close three recurring control gaps exposed by this convergence. (a) npm package integrity: implement npm provenance attestation or Sigstore verification in CI/CD pipelines; verify all third-party packages against the software inventory before installation. (b) Internet-facing remote access: enforce VPN-gating or zero-trust network access for all RDP and VNC — eliminate direct internet exposure by policy; gate all administrative remote access behind MFA. (c) Infostealer detection lag: establish a process to refresh infostealer detection content within 72 hours of confirmed variant transitions or major law enforcement disruption events; cross-reference open-source intelligence sources as part of this cycle. Carry all three gaps into the next GRC review cycle with traceability to the controls cited here. (Cite: NIST AC-17 — Remote Access / NIST AU-13 — Monitoring for Information Disclosure / CIS 2.1 — Establish and Maintain a Software Inventory / CIS 2.3 — Address Unauthorized Software / CIS 6.4 — Require MFA for Remote Network Access / CIS 6.5 — Require MFA for Administrative Access / CIS 7.1 — Establish and Maintain a Vulnerability Management Process / CIS 7.2 — Establish and Maintain a Remediation Process / D3-MFA — Multi-factor Authentication / D3-CH — Credential Hardening)
IR Detail
Post-Incident
NIST 800-61r3 §4 — Post-Incident Activity: conduct lessons-learned review, update IR plan and detection capabilities, share intelligence, and implement improvements to prevent recurrence; CSF [GV, ID] — update policies, improve detection, share intelligence
NIST IR-4 (Incident Handling) — update incident handling procedures to address supply chain package poisoning, mass RDP/VNC exposure, and commodity stealer variant transitions as distinct incident categories
NIST IR-8 (Incident Response Plan) — revise IR plan to incorporate 72-hour detection content refresh SLA triggered by major infostealer law enforcement disruption events (e.g., LockBit, Lumma takedowns precipitating Vidar 2.0 market entry)
NIST SI-7 (Software, Firmware, and Information Integrity) — implement npm Sigstore provenance attestation or package integrity verification (SHA-512 hash pinning in package-lock.json) as a preventive control for future supply chain poisoning attempts targeting CI/CD pipelines
NIST SI-5 (Security Alerts, Advisories, and Directives) — establish process to receive and act on CISA KEV additions and threat intel feeds within defined SLAs, specifically for commodity stealer variant transitions
NIST RA-3 (Risk Assessment) — document residual risk from EoL Windows systems unable to receive CVE-2019-0708 patches and include in formal risk register with compensating control documentation
CIS 7.1 (Establish and Maintain a Vulnerability Management Process) — update vulnerability management process to include internet-facing service exposure scanning (RDP TCP 3389, VNC TCP 5900) as a recurring discovery control, not a reactive measure
CIS 2.2 (Ensure Authorized Software is Currently Supported) — formally designate EoL Windows versions (7, 2008 R2, 2008 SP2) as unsupported in the software inventory and initiate decommission or upgrade tracking
CIS 6.3 (Require MFA for Externally-Exposed Applications) — include RDP/VNC gateway enforcement of MFA as a post-incident improvement action item for the next GRC review cycle
Compensating Control
For organizations without a formal threat intel program to achieve 72-hour Vidar 2.0 detection refresh: subscribe to free OSINT feeds — abuse.ch URLhaus, Feodo Tracker (for C2 IOCs), and the MITRE ATT&CK STIX feed — and create a weekly cron job to pull updated YARA rules from the Malpedia Vidar family page into local detection tooling. For npm supply chain integrity without Sigstore infrastructure, enforce 'npm ci' (instead of 'npm install') in all CI/CD pipelines — 'npm ci' requires a committed package-lock.json and fails if the lock file is inconsistent with package.json, preventing opportunistic package substitution. For ZTNA without budget, implement SSH tunneling or WireGuard (free, open-source) as a VPN gateway in front of all RDP endpoints, removing direct TCP 3389 internet exposure entirely: 'wg-quick up wg0' with a config restricting AllowedIPs to the RDP host subnet.
Preserve Evidence
Collect for lessons-learned documentation and GRC review: (1) timeline artifact mapping the three convergent threats — malicious npm package introduction date from CI/CD logs, Shadowserver first-alert date for RDP/VNC exposure, and Vidar Stealer 2.0 first detection date from threat intel feeds — to quantify mean time to detect (MTTD) for each threat vector; (2) asset inventory gap report identifying all EoL Windows systems (Windows 7, Server 2008/2008 R2) still in production that cannot receive CVE-2019-0708 patches, as direct input to NIST RA-3 risk register update; (3) npm package audit history from the CI/CD platform showing all packages installed in the 30-day window prior to detection, preserving the supply chain attack entry point for root cause documentation; (4) Vidar Stealer 2.0 IOC set (C2 domains, process tree patterns, credential store access timestamps) collected during detection phase, formatted as STIX 2.1 for sharing with sector ISACs and updating internal detection rules; (5) GRC control gap mapping document cross-referencing the three identified gaps (npm integrity, RDP exposure, stealer signature lag) against current control inventory, quantifying the delta between existing control state and target state for the next audit cycle.
Recovery Guidance
Post-containment, treat all CI/CD-derived secrets as fully compromised regardless of confirmed exfiltration evidence — the malicious npm postinstall hook had access to the full process environment, and absence of observed exfiltration does not equal absence of exfiltration given the 30-day exposure window. For BlueKeep-patched systems, conduct a post-patch authenticated vulnerability scan using OpenVAS or Nessus Essentials (free tier) within 24 hours of patch application to confirm KB4499175/KB4499164 resolved the CVE-2019-0708 finding, and retain scan results as compliance evidence. Monitor RDP authentication (Event ID 4624 LogonType=10) and new service installation (Event ID 7045) for a minimum of 30 days post-remediation, with particular attention to off-hours logons from previously observed external source IP ranges, as BlueKeep exploitation may have established persistence mechanisms that survive patching.
Key Forensic Artifacts
Windows kernel crash dump files (%SystemRoot%\Minidump\*.dmp, %SystemRoot%\MEMORY.DMP) from internet-facing RDP hosts — BlueKeep (CVE-2019-0708) exploits a use-after-free in the MS_T120 channel of the RDP pre-authentication stack, frequently producing a BSoD with heap spray artifacts in pool memory before successful RCE; presence of crash dumps correlated with inbound TCP 3389 connection spikes is a primary BlueKeep exploitation indicator
CI/CD pipeline execution logs and npm postinstall script output from the build step that installed the malicious TanStack-named package — the exfiltration mechanism is a lifecycle hook that reads process.env and transmits environment variables via HTTP POST to a hardcoded C2; logs will contain the outbound HTTP request or DNS resolution if network logging was enabled on the build node
Chrome and Edge browser credential store SQLite files from Vidar Stealer 2.0-affected endpoints: '%LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data' and '%LOCALAPPDATA%\Microsoft\Edge\User Data\Default\Login Data' — Vidar accesses these files directly using SQLite queries; LastWriteTime and LastAccessTime metadata on these files will reflect unauthorized access timestamps that precede the stealer's process termination
Sysmon Event ID 1 (Process Create) and Event ID 3 (Network Connection) logs showing chrome.exe or msedge.exe spawning powershell.exe or cmd.exe child processes (MITRE T1059.001) with subsequent outbound connections to non-CDN external IPs — this process tree pattern is the primary Vidar Stealer 2.0 behavioral indicator given its use of browser process injection or malicious extension abuse as an initial execution vector
Firewall and perimeter flow logs for inbound TCP 3389 and TCP 5900 showing source IP volume, connection frequency, and connection duration distribution over the 72-hour window prior to detection — BlueKeep mass scanning produces high-frequency single-packet or short-duration connection attempts across sequential or randomized destination IPs, distinguishable from legitimate RDP sessions which establish sustained connections; unauthenticated VNC (TCP 5900) logs showing sessions with zero authentication exchange (no VNC handshake security-type negotiation) confirm unauthenticated exposure exploitation
Detection Guidance
Detection coverage spans three concurrent threat vectors. Apply the following KB-grounded controls and techniques across each.
**RDP/VNC Exposure — CVE-2019-0708 (BlueKeep) and Unauthenticated VNC:**
Enable and collect Windows Security Event Log data on all RDP-capable hosts per NIST AU-2 (Event Logging) and CIS 8.2 (Collect Audit Logs).
NIST AU-3 (Content of Audit Records) requires records capture the source IP, account, logon type, and timestamp — confirm these fields are present in your SIEM ingestion.
Alert on Event ID 4625 (failed logon) with Logon Type 10 (RemoteInteractive) from non-RFC1918 source addresses exceeding a defined frequency threshold within a short window — this pattern is consistent with BlueKeep scanning and brute-force precursor activity. Alert on Event ID 4624 (successful logon) with Logon Type 10 from any external source IP not in your allowlisted VPN or jump-box range. Apply NIST AU-6 (Audit Record Review, Analysis, and Reporting) to schedule recurring review of these logon event patterns. Use D3-LAM (Local Account Monitoring) to analyze local account activity on RDP-exposed hosts for privilege escalation attempts following initial access. Use D3-SFA (System File Analysis) to monitor for modification of RDP service configuration files or registry keys associated with NLA enforcement (HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server). Query firewall logs for inbound ACCEPT on TCP 3389 or TCP 5900 from sources outside RFC1918 ranges and outside your allowlisted remote access IPs — any hit on this query represents a direct exposure requiring immediate remediation under CIS 4.4 (Implement and Manage a Firewall on Servers).
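The two RemoteInteractive logon rules above, applied to constructed Windows Security 4624/4625 events as an added example that is not part of the original advisory; the allowlisted VPN range, the failure threshold and the window are assumptions to tune per environment.

```python
# Added example (not from the advisory): the two RemoteInteractive (LogonType 10)
# rules above applied to constructed Windows Security 4624/4625 events.
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOWLIST = [ipaddress.ip_network("203.0.113.0/29")]  # VPN / jump-box range (constructed)
FAILED_THRESHOLD = 5            # 4625 LogonType 10 hits from one external source ...
WINDOW = timedelta(minutes=5)   # ... inside this window raise a scanning/brute-force alert

def is_external(ip: str) -> bool:
    """True for any address outside the RFC1918 private ranges."""
    return not any(ipaddress.ip_address(ip) in net for net in RFC1918)

def is_allowlisted(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in ALLOWLIST)

def evaluate(events):
    """Return alert strings; events carry EventID, LogonType, IpAddress, TargetUserName, TimeCreated."""
    alerts = []
    failures = defaultdict(list)  # source IP -> timestamps of recent 4625 LogonType 10 events
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if ev["LogonType"] != 10:
            continue
        src, ts = ev["IpAddress"], ev["TimeCreated"]
        if ev["EventID"] == 4624 and is_external(src) and not is_allowlisted(src):
            alerts.append(f"external RDP logon as {ev['TargetUserName']} from {src}")
        elif ev["EventID"] == 4625 and is_external(src):
            failures[src] = [t for t in failures[src] if ts - t <= WINDOW] + [ts]
            if len(failures[src]) == FAILED_THRESHOLD:  # fire once per burst
                alerts.append(f"RDP failed-logon burst from {src}")
    return alerts
# Constructed sample: a scan burst from 198.51.100.7, a legitimate logon from the
# allowlisted VPN range, and an external success from an address outside it.
T0 = datetime(2026, 4, 27, 2, 0, 0)
SAMPLE = [
    {"EventID": 4625, "LogonType": 10, "IpAddress": "198.51.100.7",
     "TargetUserName": "administrator", "TimeCreated": T0 + timedelta(seconds=10 * i)}
    for i in range(6)
] + [
    {"EventID": 4624, "LogonType": 10, "IpAddress": "203.0.113.2",
     "TargetUserName": "ops", "TimeCreated": T0 + timedelta(minutes=1)},
    {"EventID": 4624, "LogonType": 10, "IpAddress": "192.0.2.44",
     "TargetUserName": "svc_backup", "TimeCreated": T0 + timedelta(minutes=3)},
]
if __name__ == "__main__":
    for alert in evaluate(SAMPLE):
        print("ALERT:", alert)
```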
**Malicious npm Package — TanStack Brandsquatting (T1195.002, T1552.001, T1071.001):**
Audit CI/CD pipeline build logs for npm install activity involving package names that closely resemble 'tanstack' but do not match the verified @tanstack scope (e.g., tanstakc, tan-stack, @tanstak/query). Verify all @tanstack/* installs against official registry checksums — any mismatch is an immediate indicator of compromise. Apply NIST AU-2 (Event Logging) to ensure build system activity, including package installation events and outbound network connections from build agents, is captured. Monitor build agent outbound HTTP/S connections at install time for connections to unrecognized external IPs — exfiltration of environment variables occurs at install, not at runtime. Apply NIST AU-13 (Monitoring for Information Disclosure) to monitor open-source intelligence sources for newly reported malicious npm packages targeting developer ecosystems. Use D3-SFA (System File Analysis) to inspect pipeline configuration files and shell environment variable stores for unauthorized modification. Use CIS 2.1 (Establish and Maintain a Software Inventory) and CIS 2.3 (Address Unauthorized Software) as the control basis for blocking unapproved packages from reaching build environments.
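An added example (not TanStack's or npm's own tooling) of the lock-file audit described above: it flags names within a small edit distance of 'tanstack' that sit outside the official scope, and @tanstack/* entries whose lock record is not pinned to registry.npmjs.org with a sha512 integrity field; the lock fragment and its integrity values are constructed placeholders.

```python
# Added example (not TanStack's or npm's own tooling): audit a package-lock.json
# "packages" map for TanStack lookalikes and un-pinned @tanstack/* entries.
import re

OFFICIAL_SCOPE = "@tanstack/"
REGISTRY = "https://registry.npmjs.org/"

def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def looks_like_tanstack(name: str) -> bool:
    """Scope or bare name within edit distance 2 of 'tanstack' after stripping separators."""
    parts = name.lstrip("@").split("/") if name else []
    return any(levenshtein(re.sub(r"[-_.]", "", p.lower()), "tanstack") <= 2 for p in parts)

def audit_lock(lock: dict) -> list:
    """Return (package name, reason) findings from the lock's 'packages' map."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        name = path.split("node_modules/")[-1]  # "" for the root entry; nested paths ok
        if name.startswith(OFFICIAL_SCOPE):
            pinned = meta.get("resolved", "").startswith(REGISTRY + OFFICIAL_SCOPE) and meta.get("integrity", "").startswith("sha512-")
            if not pinned:
                findings.append((name, "not pinned to registry.npmjs.org with sha512 integrity"))
        elif looks_like_tanstack(name):
            findings.append((name, "TanStack lookalike outside the @tanstack scope"))
    return findings
# Constructed lock fragment: one genuine entry, one redirected to a non-official host,
# three lookalikes and one unrelated package; integrity values are placeholders.
SAMPLE_LOCK = {"lockfileVersion": 3, "packages": {
    "": {"name": "app"},
    "node_modules/@tanstack/query-core": {
        "resolved": REGISTRY + "@tanstack/query-core/-/query-core-5.0.0.tgz",
        "integrity": "sha512-CONSTRUCTED-PLACEHOLDER"},
    "node_modules/@tanstack/react-query": {
        "resolved": "https://mirror.example.invalid/react-query-5.0.0.tgz",
        "integrity": "sha512-CONSTRUCTED-PLACEHOLDER"},
    "node_modules/tanstakc": {}, "node_modules/tan-stack": {},
    "node_modules/@tanstak/query": {}, "node_modules/lodash": {},
}}
if __name__ == "__main__":
    for name, reason in audit_lock(SAMPLE_LOCK):
        print(f"{name}: {reason}")
```

The script checks what the lock file pins; the checksum comparison itself happens when `npm ci` verifies each tarball against the recorded integrity value.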
**Vidar Stealer 2.0 — Credential Theft and Browser Session Hijacking (T1539, T1056, T1555, T1059.001):**
Review EDR telemetry for browser process trees with unexpected child processes, specifically PowerShell or cmd.exe spawned from Chrome or Edge. Flag PowerShell execution events (T1059.001) originating from browser parent processes as high-confidence indicators. Apply NIST AU-6 (Audit Record Review, Analysis, and Reporting) to include browser process ancestry as a monitored behavioral pattern. Do not rely on existing Lumma or Rhadamanthys signature sets to detect Vidar 2.0 variants — update threat intelligence feeds and infostealer detection content immediately. Use D3-LAM (Local Account Monitoring) to detect unauthorized account activity consistent with credential replay from stolen browser session tokens. Use D3-CH (Credential Hardening) and D3-CRO (Credential Rotation) as countermeasures: harden browser credential stores and rotate any credentials accessible from endpoints where Vidar 2.0 activity is suspected. Apply CIS 8.2 (Collect Audit Logs) to ensure endpoint audit logging is active on all user devices in scope.
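The browser-to-shell process tree rule above, together with the Sysmon Event ID 1 / Event ID 3 artifact described under Key Forensic Artifacts, as an added example that is not part of the advisory; field names follow Sysmon EventData, and the events, GUIDs and IPs are constructed.

```python
# Added example (not from the advisory): correlate constructed Sysmon Event ID 1 and
# Event ID 3 records for browser -> shell trees and their non-RFC1918 connections.
import ipaddress

BROWSERS = {"chrome.exe", "msedge.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def browser_ancestor(guid, procs, max_depth=32):
    """Walk ParentProcessGuid links (depth-limited) so chrome -> cmd -> powershell is caught too."""
    for _ in range(max_depth):
        if guid not in procs:
            break
        parent = image_name(procs[guid]["ParentImage"])
        if parent in BROWSERS:
            return parent
        guid = procs[guid]["ParentProcessGuid"]
    return None

def hunt(events):
    """ProcessGuid -> {"chain": "chrome.exe>powershell.exe", "dests": [...]} per flagged shell."""
    procs = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    hits = {g: {"chain": f"{browser_ancestor(g, procs)}>{image_name(e['Image'])}", "dests": []}
            for g, e in procs.items() if image_name(e["Image"]) in SHELLS and browser_ancestor(g, procs)}
    for e in events:  # attach Event ID 3 destinations outside RFC1918 to flagged processes
        if e["EventID"] == 3 and e["ProcessGuid"] in hits:
            ip = ipaddress.ip_address(e["DestinationIp"])
            if not any(ip in net for net in RFC1918):
                hits[e["ProcessGuid"]]["dests"].append(f"{ip}:{e['DestinationPort']}")
    return hits

CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
PS, CMD = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\System32\cmd.exe"
EXPLORER = r"C:\Windows\explorer.exe"
def ev1(guid, image, parent, parent_guid):  # Sysmon Event ID 1 (Process Create) shorthand
    return {"EventID": 1, "ProcessGuid": guid, "Image": image, "ParentImage": parent, "ParentProcessGuid": parent_guid}
def ev3(guid, ip, port):  # Sysmon Event ID 3 (Network Connection) shorthand
    return {"EventID": 3, "ProcessGuid": guid, "DestinationIp": ip, "DestinationPort": port}
# Constructed sample: chrome -> cmd -> powershell reaching an external host is flagged;
# explorer -> powershell with the same destination is not part of a browser tree.
SAMPLE = [ev1("B1", CHROME, EXPLORER, "E0"), ev1("C1", CMD, CHROME, "B1"), ev1("P1", PS, CMD, "C1"),
          ev1("P2", PS, EXPLORER, "E0"), ev3("P1", "198.51.100.23", 443),
          ev3("P1", "10.0.0.5", 445), ev3("P2", "198.51.100.23", 443)]
if __name__ == "__main__":
    for guid, hit in hunt(SAMPLE).items():
        print(guid, hit["chain"], hit["dests"])
```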
**Cross-Vector Log Retention:**
NIST AU-11 (Audit Record Retention) requires audit records be retained for an organization-defined period consistent with records retention policy. Retain all logs relevant to this incident — firewall, Windows Security Event Log, CI/CD build logs, and EDR telemetry — for at least 90 days to support post-incident forensic analysis. Confirm NIST AU-4 (Audit Storage Capacity) allocations are sufficient to sustain elevated log volumes during active monitoring.
Indicators of Compromise (3)
| Type | Value | Enrichment | Context | Conf. |
|---|---|---|---|---|
| DOMAIN | Not confirmed at analysis time | VT, US | Vidar Stealer 2.0 C2 infrastructure — current domains not independently verified in primary sources. Update from live threat intel feeds (e.g., abuse.ch, MISP communities). | LOW |
| URL | Not confirmed at analysis time | VT, US | Malicious TanStack-brandsquatting npm package exfiltration endpoint — specific URL not disclosed in available sources. | LOW |
| HASH | Not confirmed at analysis time | VT, MB | Vidar Stealer 2.0 payload hashes — not independently verified in primary sources at analysis time. Cross-reference with VirusTotal and threat intel feeds using the 'Vidar 2.0' family tag. | LOW |
Platform Playbooks
IOC Detection Queries (1)
1 URL indicator(s).
```kql
// Threat: April 2026 Threat Pulse: Supply Chain Poisoning, 3.4M Exposed Remote Access Serv
let malicious_urls = dynamic(["Not confirmed at analysis time"]);
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemoteUrl has_any (malicious_urls)
| project Timestamp, DeviceName, RemoteUrl, RemoteIP,
    InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
```
MITRE ATT&CK Hunting Queries (6)
Sentinel rule: Suspicious PowerShell command line
```kql
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")
| where ProcessCommandLine has_any ("-enc", "-nop", "bypass", "hidden", "downloadstring", "invoke-expression", "iex", "frombase64", "new-object net.webclient")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName, InitiatingProcessFileName
| sort by Timestamp desc
```
Sentinel rule: Phishing email delivery
```kql
EmailEvents
| where Timestamp > ago(7d)
| where ThreatTypes has "Phish" or DetectionMethods has "Phish"
| summarize Attachments = make_set(AttachmentCount), Urls = make_set(UrlCount) by NetworkMessageId, Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, DeliveryAction, DeliveryLocation, ThreatTypes
| sort by Timestamp desc
```
Sentinel rule: Unusual C2 communication patterns
```kql
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemotePort in (80, 443, 8080, 8443)
| where InitiatingProcessFileName !in~ ("chrome.exe", "msedge.exe", "firefox.exe", "teams.exe", "outlook.exe", "svchost.exe")
| summarize Connections = count() by DeviceName, RemoteIP, InitiatingProcessFileName
| where Connections > 50
| sort by Connections desc
```
Sentinel rule: Lateral movement via RDP / SMB / WinRM
```kql
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemotePort in (3389, 5985, 5986, 445, 135)
| where LocalIP != RemoteIP
| summarize ConnectionCount = count(), TargetDevices = dcount(RemoteIP) by DeviceName, InitiatingProcessFileName
| where ConnectionCount > 10 or TargetDevices > 3
| sort by TargetDevices desc
```
Sentinel rule: Sign-ins from unusual locations
```kql
SigninLogs
| where TimeGenerated > ago(7d)
| where ResultType == 0
| summarize Locations = make_set(Location), LoginCount = count(), DistinctIPs = dcount(IPAddress) by UserPrincipalName
| where array_length(Locations) > 3 or DistinctIPs > 5
| sort by DistinctIPs desc
```
Sentinel rule: Web application exploit patterns
```kql
CommonSecurityLog
| where TimeGenerated > ago(7d)
| where DeviceVendor has_any ("PaloAlto", "Fortinet", "F5", "Citrix")
| where Activity has_any ("attack", "exploit", "injection", "traversal", "overflow")
    or RequestURL has_any ("../", "..\\", "<script", "UNION SELECT", "${jndi:")
| project TimeGenerated, DeviceVendor, SourceIP, DestinationIP, RequestURL, Activity, LogSeverity
| sort by TimeGenerated desc
```
Falcon API IOC Import Payload (1 indicators)
POST to /indicators/entities/iocs/v1 — Weak/benign indicators pre-filtered. Expiration set to 90 days.
```json
[
  {
    "type": "domain",
    "value": "Not confirmed at analysis time",
    "source": "SCC Threat Intel",
    "description": "Vidar Stealer 2.0 C2 infrastructure \u2014 current domains not independently verified in primary sources. Update from live threat intel feeds (e.g., abuse.ch, MISP communities).",
    "severity": "medium",
    "action": "no_action",
    "platforms": [
      "windows",
      "mac",
      "linux"
    ],
    "applied_globally": true,
    "expiration": "2026-08-19T00:00:00Z"
  }
]
```
No hard IOCs available for AWS detection queries (contextual/benign indicators excluded).
Compliance Framework Mappings
MITRE ATT&CK: T1176, T1552.001, T1059, T1539, T1056, T1588.002 (+15 more)
NIST SP 800-53: CM-7, SI-3, SI-4, SI-7, AT-2, SC-7 (+14 more)
OWASP Top 10: A03:2021, A08:2021, A01:2021
CIS Controls v8: 16.10, 2.5, 2.6, 16.12, 5.4, 6.8 (+1 more)
MITRE ATT&CK Mapping

| Technique | Name | Tactic |
|---|---|---|
| T1176 | Software Extensions | persistence |
| T1552.001 | Credentials In Files | credential-access |
| T1059 | Command and Scripting Interpreter | execution |
| T1539 | Steal Web Session Cookie | credential-access |
| T1056 | Input Capture | collection |
| T1021.001 | Remote Desktop Protocol | lateral-movement |
| T1543 | Create or Modify System Process | persistence |
| T1555 | Credentials from Password Stores | credential-access |
| T1195.002 | Compromise Software Supply Chain | initial-access |
| T1068 | Exploitation for Privilege Escalation | privilege-escalation |
| T1111 | Multi-Factor Authentication Interception | credential-access |
| T1548.002 | Bypass User Account Control | privilege-escalation |
| T1078 | Valid Accounts | defense-evasion |
| T1195.001 | Compromise Software Dependencies and Development Tools | initial-access |
| T1190 | Exploit Public-Facing Application | initial-access |
| T1102 | Web Service | command-and-control |
Guidance Disclaimer
The analysis, framework mappings, and incident response recommendations in this intelligence
item are derived from established industry standards including NIST SP 800-61, NIST SP 800-53,
CIS Controls v8, MITRE ATT&CK, and other recognized frameworks. This content is provided
as supplemental intelligence guidance only and does not constitute professional incident response
services. Organizations should adapt all recommendations to their specific environment, risk
tolerance, and regulatory requirements. This material is not a substitute for your organization's
official incident response plan, legal counsel, or qualified security practitioners.