Iran's Handala Wiped 80,000 Devices Using One Stolen Microsoft Intune Credential
A single compromised admin account let attackers remotely wipe devices across 79 countries at Stryker. Device management platforms are now tier-one attack surfaces.
Stolen Credential Turned Device Manager Into Destruction Tool
Iran-linked Handala group wiped approximately 80,000 Windows devices at medical equipment manufacturer Stryker in mid-March 2026 using a single stolen credential in Microsoft Intune. The attack required no malware — attackers abused Stryker's own device management platform to execute mass remote wipes across 79 countries. Hornetsecurity documented the incident in its April 2026 Monthly Threat Report published this week. The group claimed over 200,000 systems affected, though that figure remains unconfirmed.
This changes the risk calculus for every enterprise using mobile device management platforms. Intune, VMware Workspace ONE, Jamf Pro, and Google Endpoint Management are no longer just operational tools — they are high-value attack surfaces that can convert administrative access into company-wide destruction in minutes. CISA issued urgent guidance following the attack, recognizing that device platforms now function as potential destruction vectors rather than merely stealth access points.
The mechanism matters: one over-privileged account bypassed every other security control Stryker had in place. The attacker did not need to compromise 80,000 endpoints individually or deploy ransomware payloads. They used Stryker's centralized management system exactly as designed, triggering remote wipes that legitimate administrators execute daily. The administrative interface became the weapon.
Budget Pressure Shifts to MDM Hardening and Segmentation
Enterprise security teams now face immediate pressure to audit admin account privileges across device management platforms. Initial estimates suggest 10-20% budget reallocations toward MDM security controls, focusing on zero-trust segmentation that limits what any single credential can execute. That means investing in privileged access management tools that enforce just-in-time access and continuous verification, even for accounts that historically operated with standing privileges.
The specific vulnerability — excessive administrative scope combined with inadequate credential protection — applies across competing platforms. VMware Workspace ONE and Google Endpoint Management offer similar remote management capabilities with equivalent destructive potential if credentials are compromised. Buyers evaluating these platforms must now demand granular role-based access controls, anomaly detection for mass device actions, and approval workflows that require multiple authorized parties before executing wipes at scale.
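One way to implement the "anomaly detection for mass device actions" the paragraph calls for, shown here as an added example that is not Stryker's, Microsoft's or Hornetsecurity's code: a sliding-window check over MDM audit events that flags any single actor issuing a burst of remote wipes. The event field names and the sample events are constructed assumptions, loosely modelled on an Intune audit-log export rather than its exact schema.

```python
"""Flag actors whose remote-wipe rate exceeds a threshold in a sliding window.

Added example, not vendor code. Field names ("time", "actor", "action",
"device") are assumptions; map them onto your own MDM audit export.
"""
from collections import deque
from datetime import datetime, timedelta

# Constructed sample events: one admin does routine, spaced-out wipes,
# another issues 40 wipes in 40 seconds (the mass-wipe pattern to catch).
SAMPLE_EVENTS = [
    {"time": "2026-03-14T08:00:00Z", "actor": "helpdesk@corp.example",
     "action": "wipe", "device": "LT-0001"},
    {"time": "2026-03-14T11:30:00Z", "actor": "helpdesk@corp.example",
     "action": "wipe", "device": "LT-0002"},
    {"time": "2026-03-14T13:00:00Z", "actor": "helpdesk@corp.example",
     "action": "syncDevice", "device": "LT-0003"},
] + [
    {"time": f"2026-03-15T02:00:{s:02d}Z", "actor": "intune-admin@corp.example",
     "action": "wipe", "device": f"WS-{s:04d}"}
    for s in range(40)
]


def parse_time(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_wipe_bursts(events, threshold=10, window=timedelta(minutes=10)):
    """Return {actor: peak_wipes_in_window} for every actor whose wipe count
    inside any sliding window of length `window` reaches `threshold`."""
    by_actor = {}
    for ev in sorted(events, key=lambda e: e["time"]):  # ISO-8601 sorts lexically
        if ev["action"] == "wipe":
            by_actor.setdefault(ev["actor"], []).append(parse_time(ev["time"]))
    flagged = {}
    for actor, times in by_actor.items():
        recent, peak = deque(), 0
        for t in times:
            recent.append(t)
            while t - recent[0] > window:   # drop wipes that fell out of the window
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            flagged[actor] = peak
    return flagged


if __name__ == "__main__":
    for actor, n in find_wipe_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT: {actor} issued {n} wipes within a 10-minute window")
```

In production the threshold and window belong in policy, and the alert should also gate the action (approval workflow) rather than only report it after the fact.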
Stryker's medical device focus adds urgency: remote wipes affected inventory management, service coordination, and potentially device maintenance systems tied to patient care equipment across healthcare facilities worldwide. The operational impact extends beyond lost productivity into patient safety risk.
North Korea Poisoned Axios npm Package, Detected in Three Hours
On March 31, 2026, North Korea's Sapphire Sleet group injected remote access trojan payloads into Axios, an npm package with over 70 million weekly downloads. Malicious versions 1.14.1 and 0.30.4 pulled trojans via a package called "plain-crypto-js" from North Korean command-and-control servers. Microsoft and Google attributed the attack with high confidence. The poisoned versions were detected and removed within three hours.
This represents a maturation of North Korean supply chain tactics following their Contagious Interview campaign. The Axios compromise targeted a core HTTP client library used across thousands of enterprise applications, meaning the attack vector reached deeply into production environments before detection. Manual security reviews failed to catch the malicious code during the three-hour window — automated software composition analysis tools from Snyk, Sonatype, or Black Duck would have flagged the suspicious dependencies immediately.
Enterprises relying on manual code review or delayed security scans now face unacceptable exposure windows. The npm registry competes with PyPI and Maven Central as targets, but all three share the same fundamental risk: trusted packages can be compromised at the source. Buyers must integrate SCA tools directly into CI/CD pipelines to scan dependencies before they reach production. Cost ranges from $50,000 to $500,000 annually for large organizations depending on repository scale and scanning frequency, but the alternative is running production code with active backdoors for hours or days.
Medusa Ransomware Hit Trauma Center for Nine Days
Medusa ransomware disrupted 35 clinics at University of Mississippi Medical Center between March 12 and 20, 2026, severing electronic health record access for nine days and exfiltrating patient data. The attackers demanded $800,000. UMMC operates Mississippi's only Level I trauma center, meaning the attack directly threatened emergency care capabilities. Passaic County, New Jersey healthcare facilities experienced parallel Medusa attacks during the same period.
The pattern signals opportunistic scaling by Medusa operators, who compete with LockBit and ALPHV/BlackCat in the ransomware-as-a-service market. Healthcare remains the highest-impact target because EHR downtime immediately affects patient safety, creating maximum payment pressure. The nine-day outage forced clinics to operate on paper records while attackers held both access and exfiltrated data as leverage.
Healthcare CISOs face accelerated investment requirements in immutable backup systems and network segmentation that isolates EHR infrastructure. Veeam and Rubrik offer air-gapped backup solutions that prevent ransomware from reaching recovery data, but implementation requires architectural changes that most healthcare systems have deferred. Sector-wide investment estimates exceed $100 million as organizations deprioritize cost optimization in favor of recovery guarantees. Buyers are specifically requesting backup solutions that guarantee sub-24-hour recovery times with verified isolation from production networks.
What to Watch
Audit all administrative accounts in device management platforms this quarter. If a single credential can wipe your entire fleet, you have a critical vulnerability regardless of endpoint security controls. The Stryker incident proves that centralized management tools require the same zero-trust segmentation enterprises apply to production data.
For development teams, automated dependency scanning is no longer optional. The Axios compromise demonstrates that manual reviews cannot protect against supply chain attacks with three-hour detection windows. Budget for SCA tools that integrate with your build pipeline and block deployments with suspicious dependencies.
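A minimal form of the pipeline gate recommended here and in the Axios section above, added as an example that is not a Snyk, Sonatype or Black Duck product and not the Axios project's code: a check that fails the build when a `package-lock.json` (lockfileVersion 2 or 3 layout) resolves one of the poisoned Axios versions the report names or pulls in the "plain-crypto-js" package. The lockfile contents below are constructed for the example.

```python
"""CI gate: fail the build if package-lock.json contains a known-bad dependency.

Added example, not vendor or Axios project code. Blocklist values are the
versions and package named in the report; the lockfile is constructed.
"""
import json
import sys

# Exact (name, version) pairs identified as poisoned.
BAD_VERSIONS = {("axios", "1.14.1"), ("axios", "0.30.4")}
# Package names that should never appear anywhere in the dependency tree.
BAD_NAMES = {"plain-crypto-js"}

CONSTRUCTED_LOCK = json.dumps({
    "name": "example-app", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"axios": "^1.14.0"}},          # root project entry
        "node_modules/axios": {"version": "1.14.1",
                               "dependencies": {"plain-crypto-js": "*"}},
        "node_modules/plain-crypto-js": {"version": "1.0.0"},
        "node_modules/follow-redirects": {"version": "1.15.6"},
    },
})


def package_name(path: str) -> str:
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (keeps scoped names intact)."""
    return path.rsplit("node_modules/", 1)[-1]


def scan_lockfile(lock_text: str):
    """Return a sorted list of (name, version, reason) findings; empty means clean."""
    lock = json.loads(lock_text)
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue                      # "" is the root project, not a dependency
        name, version = package_name(path), meta.get("version", "")
        if (name, version) in BAD_VERSIONS:
            findings.append((name, version, "known-poisoned version"))
        if name in BAD_NAMES:
            findings.append((name, version, "blocklisted package name"))
    return sorted(findings)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else CONSTRUCTED_LOCK
    hits = scan_lockfile(text)
    for name, version, reason in hits:
        print(f"BLOCK: {name}@{version}: {reason}")
    sys.exit(1 if hits else 0)   # non-zero exit fails the CI step
```

A static blocklist only catches what is already known; the SCA tools the text names add continuously updated advisories and behavioural checks on top of this kind of gate.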
Healthcare organizations should assume ransomware groups will continue targeting EHR systems because downtime directly threatens patient care. Immutable backups with verified air gaps are the only reliable defense against encryption and exfiltration tactics that combine access denial with data theft.