Health-ISAC Q3 Insights - Shai-Hulud npm worm, QR phishing surge, device exposures in NetScaler & Cisco ASA
Category: Threat Alerts / Threat Intelligence
Health-ISAC’s Q3 2025 Quarterly Threat Insights highlights intensifying threats to healthcare. Notable trends include the Shai-Hulud worm spreading via malicious npm packages that embed into developer-owned packages and exfiltrate to attacker-controlled GitHub repos. There is an uptick in QR code–based phishing, where malicious links are embedded in images to bypass some security appliances. Attackers are also leveraging typosquatting with the .med TLD—pressuring orgs to monitor for deceptive domain registrations. The report calls out ongoing risks from fraudulent North Korean remote IT worker schemes and fake job postings used to harvest PII or solicit payments. Vulnerability pressure persists on Citrix NetScaler ADC/NetScaler Gateway and Cisco ASA devices; both have seen exploitation, prompting member alerts. The Insights also summarize regulatory evolution: the FDA’s final June 2025 guidance on premarket cybersecurity expectations (e.g., SBOM inclusion) and note that the U.S. Cybersecurity Information Sharing Act of 2015 expired on 30 September 2025, raising information-sharing questions. European concerns include Russian drone incursions and subsea cable resilience; globally, Oracle E-Business Suite incidents and executive-targeted extortion continue to surface. For healthcare entities balancing cyber and physical missions, these developments emphasize ecosystem vigilance across developer pipelines, exposed edge devices, and HR/recruiting pathways.
CORTEX Protocol Intelligence Assessment
Business Impact: Provider uptime, PHI protection, and regulatory posture face compound risk from software supply chain abuse and edge-device exploits.
Technical Context: npm worm tradecraft, QR-phish evasion, and device CVEs require developer pipeline controls, URL/image scanning, and aggressive lifecycle management for ADC/ASA fleets.
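One concrete form of the developer-pipeline control mentioned above is a lockfile review gate. The Python script below is an added example, not Health-ISAC's report content or any project's own tooling: it compares a candidate npm package-lock.json (lockfile v2/v3 "packages" map) against the last-reviewed baseline and reports the kinds of change worth holding for inspection before install: new packages, version bumps, tarballs resolved from outside the public registry, and entries with no integrity hash. Both lockfiles are constructed sample data; the package names, versions and integrity values are placeholders.

```python
"""Review a candidate npm lockfile against a known-good baseline and flag
changes that should be quarantined until a human has looked at them.
Added example with constructed sample data; not Health-ISAC's tooling."""
import json

REGISTRY_PREFIX = "https://registry.npmjs.org/"

# Constructed baseline: the lockfile as of the last review.
BASELINE_LOCK = json.dumps({
    "name": "portal", "lockfileVersion": 3,
    "packages": {
        "": {"name": "portal", "version": "1.0.0"},
        "node_modules/example-util": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/example-util/-/example-util-1.3.0.tgz",
            "integrity": "sha512-PLACEHOLDER-UTIL-130",
        },
        "node_modules/example-dates": {
            "version": "2.1.3",
            "resolved": "https://registry.npmjs.org/example-dates/-/example-dates-2.1.3.tgz",
            "integrity": "sha512-PLACEHOLDER-DATES-213",
        },
    },
})

# Constructed candidate: what a fresh `npm install` produced today.
CANDIDATE_LOCK = json.dumps({
    "name": "portal", "lockfileVersion": 3,
    "packages": {
        "": {"name": "portal", "version": "1.0.0"},
        "node_modules/example-util": {           # version bumped since review
            "version": "1.3.1",
            "resolved": "https://registry.npmjs.org/example-util/-/example-util-1.3.1.tgz",
            "integrity": "sha512-PLACEHOLDER-UTIL-131",
        },
        "node_modules/example-dates": {          # unchanged
            "version": "2.1.3",
            "resolved": "https://registry.npmjs.org/example-dates/-/example-dates-2.1.3.tgz",
            "integrity": "sha512-PLACEHOLDER-DATES-213",
        },
        "node_modules/example-colours": {        # new, off-registry, no integrity
            "version": "0.1.0",
            "resolved": "https://example.invalid/tarballs/example-colours-0.1.0.tgz",
        },
    },
})


def load_packages(lock_text):
    """Return {install path: metadata} for every installed package, skipping the
    root project entry ("") and workspace symlinks (entries with "link": true)."""
    lock = json.loads(lock_text)
    if "packages" not in lock:
        raise ValueError("only lockfileVersion 2/3 (a 'packages' map) is supported")
    return {path: meta for path, meta in lock["packages"].items()
            if path and not meta.get("link")}


def review_lock(baseline_text, candidate_text):
    """Return a list of findings; an empty list means nothing changed in a way
    that needs review. Each finding names the package and the reason."""
    baseline = load_packages(baseline_text)
    candidate = load_packages(candidate_text)
    findings = []
    for path, meta in sorted(candidate.items()):
        name = path.rsplit("node_modules/", 1)[-1]
        version = meta.get("version")
        if path not in baseline:
            findings.append({"package": name, "finding": "new-package", "detail": version})
        elif baseline[path].get("version") != version:
            findings.append({"package": name, "finding": "version-changed",
                             "detail": f"{baseline[path].get('version')} -> {version}"})
        resolved = meta.get("resolved", "")
        if not resolved.startswith(REGISTRY_PREFIX):
            findings.append({"package": name, "finding": "off-registry-source",
                             "detail": resolved or "(none)"})
        if not meta.get("integrity"):
            findings.append({"package": name, "finding": "missing-integrity", "detail": version})
    for path in sorted(set(baseline) - set(candidate)):
        findings.append({"package": path.rsplit("node_modules/", 1)[-1],
                         "finding": "removed-package", "detail": baseline[path].get("version")})
    return findings


if __name__ == "__main__":
    for finding in review_lock(BASELINE_LOCK, CANDIDATE_LOCK):
        print(f"{finding['finding']:20} {finding['package']:18} {finding['detail']}")
```

Run it as a pre-install or CI step and treat any finding as a block on the merge until someone has looked at the new or changed packages. It complements `npm audit signatures`, which verifies registry signatures and published provenance attestations but does not tell you what has changed since the last review.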
Strategic Intelligence Guidance
- Implement package provenance checks and automated dependency scanning; quarantine suspicious npm updates.
- Deploy image/QR inspection in mail/web gateways and monitor for .med typosquats targeting your brands.
- Accelerate patching/segmentation for NetScaler and Cisco ASA; remove EoL devices from perimeter roles.
- Screen remote candidates with enhanced verification to detect DPRK-linked labor fraud schemes.
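The .med typosquat monitoring recommended above needs a matcher that catches more than exact brand strings. The Python script below is an added example, not part of the Health-ISAC report or any vendor product: it folds common character confusables and hyphens before comparing each newly observed domain label to a list of protected brands, and flags exact hits, lookalikes, labels that embed the brand, and near-misses within a small edit distance. The brand names and the domain feed are constructed sample data; a real deployment would feed it registrations from a zone file or a newly-registered-domain service.

```python
"""Flag newly observed domains that resemble protected brand names.
Added example with constructed sample data; not from the Health-ISAC report."""
import unicodedata

# Constructed: brand labels an organisation wants to protect.
PROTECTED_BRANDS = ["mercyhealth", "stjoseph"]

# Constructed: a sample of newly observed registrations.
NEW_DOMAINS = [
    "mercyhealth.med",         # brand itself on the watched TLD
    "mercyheaIth.med",         # capital I standing in for lowercase l
    "mercy-health.med",        # hyphen insertion
    "mercyhealthportal.med",   # brand with a plausible suffix
    "stjosef.med",             # one substitution plus one deletion
    "cardiology.med",          # unrelated
    "mercyhealth.org",         # TLD not in the watch list, skipped
]

# Single-character confusables folded to one canonical form (after lowercasing).
CONFUSABLE_CHARS = str.maketrans({
    "0": "o", "1": "l", "i": "l", "|": "l", "3": "e", "5": "s",
    "7": "t", "8": "b", "@": "a", "$": "s",
})
# Multi-character confusables, folded before the single-character table.
CONFUSABLE_SEQUENCES = [("rn", "m"), ("vv", "w"), ("cl", "d")]


def fold(label):
    """Normalise a domain label so that visually similar spellings compare equal."""
    text = unicodedata.normalize("NFKC", label).lower().replace("-", "")
    for seq, canon in CONFUSABLE_SEQUENCES:
        text = text.replace(seq, canon)
    return text.translate(CONFUSABLE_CHARS)


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_typosquats(domains, brands, watched_tlds=frozenset({"med"})):
    """Return one finding per (domain, brand) pair that looks like a squat.
    An empty watched_tlds means every TLD is examined."""
    findings = []
    folded_brands = {brand: fold(brand) for brand in brands}
    for domain in domains:
        label, _, tld = domain.lower().rpartition(".")
        if watched_tlds and tld not in watched_tlds:
            continue
        folded = fold(label)
        for brand, fb in folded_brands.items():
            if label == brand:
                reason, dist = "exact-brand", 0
            elif folded == fb:
                reason, dist = "lookalike", 0
            elif fb in folded:
                reason, dist = "brand-embedded", 0
            else:
                dist = levenshtein(folded, fb)
                # Allow two edits for longer brands, one for short ones.
                if dist > (1 if len(fb) < 8 else 2):
                    continue
                reason = "near-miss"
            findings.append({"domain": domain, "brand": brand,
                             "reason": reason, "distance": dist})
    return findings


if __name__ == "__main__":
    for f in find_typosquats(NEW_DOMAINS, PROTECTED_BRANDS):
        print(f"{f['reason']:15} {f['domain']:24} ~ {f['brand']} (d={f['distance']})")
```

Findings feed a takedown or blocklist workflow rather than an automatic action, since an exact-brand hit on a new TLD may be the organisation's own defensive registration. Internationalised labels arrive as punycode ("xn--") and would need decoding before folding; the sample feed here is ASCII only.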
Intelligence Source: Health-ISAC warns of rising cyber threats targeting healthcare sector, urges bolstering defenses - Industrial Cyber | Oct 14, 2025