FDA Advises Consumers, Retailers, and Distributors Not to Eat, Sell, or Serve Recalled Black Sheep Egg Company Eggs
To date, WGS analysis has identified 17 different strains of this bacterium in samples from patients, finished products, and ingredients. While these sample results add to the available evidence needed to investigate the root cause of this outbreak, due to the complexities of Clostridium botulinum and the limited scientific evidence currently available, FDA has not yet determined a root cause(s). Additional sample analysis and research are being conducted and are necessary to inform possible conclusions about this outbreak. The authoring agencies recommend organizations implement the mitigations below to improve their cybersecurity posture on the basis of the threat actors’ activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals 2.0 (CPGs 2.0) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement.
Firms can then move on to gathering data (including from Appointed Representatives (ARs), where relevant), reviewing customer records, and understanding the potential scale of changes needed and any remediation due — see more detailed steps below. The board positioned two 2,000-gallon water tankers at Waialua Community Association and Sunset Beach Neighborhood Park. Interim Police Chief Raddy Vanic said access into Waialua is limited to local traffic only as residents return and crews continue cleanup work. Ireland warned residents exposed to floodwaters to watch for gastrointestinal illness, fever or infected cuts, noting risks of sewage discharge and leptospirosis. “Ensure all access is mediated, monitored, and controlled,” the advisory said. For Rockwell Automation controllers with a physical mode switch, it is recommended to place the switch in run position to block remote modification.
Given this interaction and the exposure of cleartext-stored proxy passwords used in remote administration, Volt Typhoon actors potentially had access to PuTTY profiles that allow access to critical systems (see the Lateral Movement section). The threat actor has expanded operations to the npm ecosystem via a self-propagating worm dubbed “CanisterWorm,” leveraging stolen NPM publish tokens exfiltrated from compromised CI/CD pipelines. Aikido Security documented this worm at aikido.dev/blog/teampcp-deploys-worm-npm-trivy-compromise. The use of stolen publish tokens to propagate malware across the NPM package registry represents a significant escalation of the campaign’s downstream impact. During this process, and while onboarding the response team, the team identified additional suspicious activity on Sunday, March 22nd, involving unauthorized changes and repository tampering.
- Analysis is ongoing and results will be provided as they become available.
- This has potentially become more untenable under the Consumer Duty, which has raised the bar.
- FDA continues to receive reports that recalled formula is still being found on store shelves, despite the ongoing recall of all ByHeart infant formula products.
- For 36 cases with illness onset information available, illnesses started on dates ranging from August 9 to November 19, 2025.
Povolny said organizations should treat the advisory as an active warning, not a routine notification. “Adversaries are signaling intent, capability, and access patterns, and defenders should respond with the assumption that probing activity is already underway,” he said. To carry out those manipulations, the actors used leased overseas infrastructure and legitimate Rockwell Automation configuration software to connect to victim PLCs, specifically CompactLogix and Micro850 devices that were left directly exposed to the public internet, the advisory said.
Please note that incidents may not always have exact matches listed in the Event Detail column due to variations in event logging and TTPs. Pin GitHub Actions to full, immutable commit SHA hashes — not mutable version tags. This statement does not apply to the independent use of open-source Trivy components outside the Aqua Platform. Users who consume open-source Trivy directly should follow the remediation guidance below.
Volt Typhoon actors have been observed leveraging compromised SOHO routers and virtual private servers (VPS) to proxy C2 traffic. Government Disrupts Botnet People’s Republic of China Used to Conceal Hacking of Critical Infrastructure). Once initial access is achieved, Volt Typhoon actors typically shift to establishing persistent access TA0003. They often use VPN sessions to securely connect to victim environments T1133, enabling discreet follow-on intrusion activities. This tactic not only provides a stable foothold in the network but also allows them to blend in with regular traffic, significantly reducing their chances of detection.
See Table 1 for recent IP addresses used by the Iranian-affiliated APT actors to communicate with Rockwell Automation/Allen-Bradley-manufactured devices (and potentially other branded OT devices) in the United States. Volt Typhoon actors have also been observed interacting with a PuTTY application by enumerating existing stored sessions T1012.
Of the eight (8) people interviewed, all eight (8) (100%) in this outbreak reported consuming or being served raw dairy products. As the authoring agencies have previously highlighted, the use of living off the land (LOTL) techniques is a hallmark of Volt Typhoon actors’ malicious cyber activity when targeting critical infrastructure. The group also relies on valid accounts and leverages strong operational security, which, combined, allow for long-term undiscovered persistence. In fact, the U.S. authoring agencies have recently observed indications of Volt Typhoon actors maintaining access and footholds within some victim IT environments for at least five years. On November 8, 2025, preliminary laboratory results reported by the California Department of Public Health suggested the presence of the bacteria that produce botulinum toxin in an open can of ByHeart infant formula (lot 206VABP/251131P2) that was fed to an infant with infant botulism. Additional testing is underway, and results are expected in the coming weeks.
Additional testing by FDA, CDC, and state partners is underway, and results are expected in the coming weeks. Detection of Clostridium botulinum in infant formula is complex, and a negative test result does not rule out the presence of the bacteria in the product. This is especially important for recalls involving foods for infants and young children, who are among our most vulnerable populations. Additional testing by ByHeart, FDA, CDC, and state partners is underway, and results are expected in the coming weeks. Positive sample results for finished product testing will be included and updated in the Sample Results section below. ByHeart infant formula products make up approximately 1% of all infant formula sold in the United States, and this outbreak does not create shortage concerns of infant formula for parents and caregivers. EPA encourages water systems that need technical support or additional information on cybersecurity best practices to use EPA’s RealWaterTA resources and submit a request to EPA’s Cybersecurity Technical Assistance Program for the Water Sector.
Proactive Actions For Firms
Volt Typhoon actors have been observed using commercial tools, LOTL utilities, and appliances already present on the system for system information T1082, network service T1046, group T1069 and user T1033 discovery. See the below sections for Volt Typhoon TTPs observed by the U.S. authoring agencies from multiple confirmed Volt Typhoon compromises. Also review any workflows referencing aquasecurity/kics-github-action, which was subject to a parallel compromise identified on March 23.
The authoring agencies assessed that the group is “conducting this activity to cause disruptive effects within the United States.” The advisory said the escalation is likely tied to ongoing US-Iran-Israel hostilities. Once inside, they extracted project files, altered SCADA and HMI display data, and installed remote access software to maintain a persistent foothold, it added. An estimated 5,700 firearms and hundreds of thousands of rounds of ammunition were looted by mobs during raids on state police armories.
FDA is determining if additional recalls are necessary and will update this advisory as more information becomes available. In addition, FDA is conducting a traceback investigation of products ill people reported consuming before becoming ill and is working with state partners to sample products of concern. In a few cases, this activity has resulted in operational disruption and financial loss.
Developed by Sandia National Labs, gait is a publicly available Zeek extension. The gait extension can help enrich Zeek’s network connection monitoring and SSL logs by including additional metadata in the logs. Specifically, gait captures unique TCP options and timing data, such as TCP, transport layer security (TLS), and Secure Shell (SSH) layer inferred round trip times (RTT), aiding in the identification of the software used by both endpoints and intermediaries. In one confirmed compromise of a Water and Wastewater Systems Sector entity, after obtaining initial access, Volt Typhoon actors connected to the network via a VPN with administrator credentials they had obtained and opened an RDP session with the same credentials to move laterally. Over a nine-month period, they moved laterally to a file server, a domain controller, an Oracle Management Server (OMS), and a VMware vCenter server. The actors obtained domain credentials from the domain controller and performed discovery, collection, and exfiltration on the file server (see the Discovery and Collection and Exfiltration sections).
Customers were advised to boil tap water for at least one minute before drinking, cooking, or preparing baby formula. The BWA was issued as a precaution after a significant pressure loss in the WSSC Water system due to a 54-inch water main break in a wooded area near I-495 and MD 214 on Tuesday, February 11. Pressure loss in a water distribution system increases the risk of contamination, prompting the advisory. WSSC Water worked closely with the Maryland Department of the Environment to implement a comprehensive water quality sampling strategy across the affected area, ensuring the safety of drinking water for all impacted customers. After test results confirmed the water is safe to consume, WSSC Water has lifted the Boil Water Advisory for customers in southern Prince George’s County. FDA has recommended that RAW FARM, LLC voluntarily remove their raw cheese products from the market, and the firm has declined.
Biggest Healthcare Security Threats
Epidemiologic and laboratory analyses indicated that ByHeart Whole Nutrition infant formula is the source of this multistate outbreak of infant botulism. All ByHeart Whole Nutrition Infant Formula products have been recalled. This includes all lots of ByHeart formula cans and single-serve “anywhere pack” sticks.
The authoring agencies observed Iranian-affiliated APT actors using several overseas-based IP addresses to access internet-facing Rockwell Automation/Allen-Bradley-manufactured PLCs T0883. The actors used leased, third-party hosted infrastructure with configuration software, such as Rockwell Automation’s Studio 5000 Logix Designer software, to create an accepted connection to the victim’s PLC. In addition to applying mitigations, the authoring agencies recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The authoring agencies recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory. For information on secure by design practices that may protect customers against common Volt Typhoon techniques, see joint guide Identifying and Mitigating Living off the Land Techniques and joint Secure by Design Alert Security Design Improvements for SOHO Device Manufacturers.
FDA is working with partners to improve and update these methods, so that results can be confirmed and compared across stakeholders more easily. According to information shared by IBTPP, from August 1, 2025, through November 10, 2025, 84 infants nationwide have received treatment for infant botulism. Notably, more than 40% (15) of infants who had powdered infant formula exposure consumed ByHeart Whole Nutrition infant formula. This information shows that ByHeart brand formula is disproportionately represented among sick infants in this outbreak, especially given that ByHeart represents an estimated 1% of all infant formula sales in the United States. Investigations remain ongoing but have not identified any other infant formula brands or shared exposures that pose a risk to infants.
The authoring agencies recommend organizations review historical TTPs for similar Iranian-affiliated cyber actor activity in IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including US Water and Wastewater Systems Facilities. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool. The U.S. authoring agencies assess Volt Typhoon primarily collects information that would facilitate follow-on actions with physical impacts.
Malicious Trivy Binary (v069
Based on epidemiological information collected by CDC, a total of 45 people infected with the outbreak strain of Salmonella have been reported from 21 states. Illnesses started on dates ranging from August 22, 2025, to December 30, 2025. Sixteen of 20 ill persons with information available reported consuming Live it Up-brand Super Greens dietary supplement powder before becoming ill. There have been 12 hospitalizations, and no deaths have been reported. As of March 14, 2026, a total of 7 confirmed infections have been reported from three states, including CA (5), FL (1), and TX (1).
The investigation is ongoing to determine the source of contamination and whether additional products are linked to illnesses. To date, to FDA’s awareness, no RAW FARM-brand cheddar cheese products from this time period have tested positive for E. As part of this investigation, state partners initiated collection of product samples for testing and analysis, but results are not yet available. FDA will update this advisory should additional information become available. As part of the investigation, ByHeart tested unopened infant formula products retained at its facility.
