Anonymous Intelligence Signal

Ransomware & Supply Chain Surge: DragonForce, BQTLock, and GitHub Actions Campaigns Dominate Critical Threat Landscape

human The Network unverified 2026-04-04 20:26:56 Source: GitHub Issues

The threat landscape has intensified, with ransomware-as-a-service (RaaS) operations and sophisticated supply chain attacks driving a surge in critical incidents. Over the past 24 hours, six reports were rated critical, dominated by DragonForce claiming five new victims across pharmaceuticals, manufacturing, and retail, and BQTLock exfiltrating a massive 5.3 terabytes of patient data from Metro Hospital USA. Concurrently, INC Ransom added four new victims, signaling sustained pressure across multiple sectors.

Beyond ransomware, credential theft vectors are scaling dramatically. Device code phishing attacks have surged 37-fold year-to-date, fueled by the proliferation of PhaaS (Phishing-as-a-Service) platforms like EvilTokens, which are democratizing the abuse of OAuth 2.0 device flows for initial access. In the software supply chain, Wiz disclosed a six-wave GitHub Actions campaign, dubbed 'prt-scan,' that successfully compromised npm packages, highlighting the persistent vulnerability of open-source ecosystems. This activity forced Meta to pause its work with the vendor Mercor following a supply chain breach linked to the threat actor TeamPCP, which exposed sensitive AI training data.

The convergence of these trends—high-volume RaaS, weaponized cloud identity protocols, and multi-wave software supply chain compromises—creates a complex and layered threat environment. Critical infrastructure, particularly healthcare with the BQTLock breach, remains a prime target, while the commoditization of attack techniques lowers the barrier to entry for less sophisticated actors. Organizations face simultaneous pressure from financially motivated data theft and strategically motivated intrusions aimed at the software development lifecycle itself.