Free practical cybersecurity guidance for organisations without a security team.
hello@actionsoncyber.com

Daily SMB Cyber Intelligence Brief

Today’s SME cyber look-out: poisoned developer packages and risky IoT hubs

What small and medium-sized businesses should look out for today.

Moderate Friday 03 July 2026, 18:47 UK time
Today’s look-out: Software supply-chain risk (malicious packages) + insecure IoT device management

What to look out for today

Two themes to keep on your radar:

  • Malicious developer packages (npm) disguised as legitimate “polyfill” tooling, designed to steal developer secrets and enable remote access.
  • Insecure IoT hub management where attackers could potentially access and control devices managed by a hub (relevant if you have connected/“smart” devices on your business network).

Why this matters to smaller businesses

  • Supplier and contractor exposure: even if you don’t write software in-house, your web agency/MSP/app developer might. A compromised build or leaked credentials can become your breach.
  • Passwords and keys are high-value: developer credentials, API keys and cloud tokens can give criminals a quiet way into email, cloud storage, accounting integrations, websites and customer databases.
  • IoT is often unmanaged: “smart” hubs and devices can be forgotten on networks, giving attackers a foothold for disruption, surveillance or lateral movement.

Warning signs

  • Developers/IT reporting odd new dependencies, unexpected package names, or builds failing then “mysteriously” working after someone installs a different package.
  • Unusual login alerts for developer services (code repos, CI/CD, cloud consoles), or API key usage spikes.
  • New outbound network traffic from build machines, servers, or “admin” laptops that doesn’t fit normal patterns.
  • Unexpected behaviour from smart/connected devices (changing settings, going offline, reappearing, or being controllable when they shouldn’t be).

How attackers may exploit the situation

  • Typosquatting/lookalike packages: criminals publish packages that look like popular tools, hoping developers install them quickly under time pressure.
  • Secret theft: once installed, malicious code may try to access environment variables, config files, tokens, and credentials used to deploy websites and apps.
  • Remote access: stolen credentials can be used to access your systems without noisy malware on user PCs.
  • IoT hub takeover: weak or exposed access paths to a hub can allow outsiders to control connected devices (and potentially use the hub as a stepping stone on the network).

What to do today

  • Tell staff what to report: any unexpected MFA prompts, new “authorised app” prompts, or unusual login alerts—especially for cloud/admin/dev accounts.
  • Check who has developer-level access: confirm which suppliers/contractors have access to your website, cloud, or integrations, and whether it’s still needed.
  • Lock down secrets: ensure API keys/tokens are stored in an approved password manager/secret store, not in shared docs or emailed around.
  • Inventory IoT: list any hubs/connected devices on-site (meeting room panels, smart displays, building controls, specialist hubs). If you can’t identify them, ask your IT provider to help discover them.

Ask your IT provider

  • Do we (or our suppliers) use npm/CI pipelines, and what controls are in place to prevent installing lookalike or untrusted packages?
  • How are API keys, deploy keys and admin credentials stored, rotated and monitored for misuse?
  • Do we have alerts for unusual logins to code repos, hosting, and cloud admin portals?
  • What IoT devices/hubs are on our network today, who owns them, and are they isolated from core business systems?

Patch watch - only one short paragraph, and only if relevant

CISA published an advisory on the Gardyn IoT Hub indicating issues that could allow unauthenticated access and control of managed devices (including use of hard-coded credentials). If your organisation uses this product (or you have similar hubs), treat it as a prompt to confirm device ownership, network segregation, and whether the vendor’s recommended updates/mitigations have been applied.

One action today

Ask your IT provider today for a list of all internet-facing admin portals and developer accounts (hosting, cloud, website, CI/CD) and confirm MFA is enforced and login alerts are enabled for each.

Related Actions On Cyber resource

Actions On Cyber checklist: Supplier & MSP access review (who has access, what they can reach, and how it’s monitored)

Sources

This brief is for general awareness and does not replace advice from your IT provider, legal adviser, insurer or incident response specialist.