DPRK actors chained four supply chain compromises (Trivy → LiteLLM →
Telnyx → Axios) through March, culminating in a backdoored Axios npm
package with 100M+ weekly downloads and confirmed credential
exfiltration at scale. Block sfrclak[.]com and
142.11.206.73 at your perimeter NOW and audit CI/CD for
poisoned dependencies. Citrix NetScaler CVE-2026-3055 KEV deadline is
today. Chrome zero-day CVE-2026-5281 is actively
exploited (KEV deadline April 15). Cisco dropped two pre-auth criticals
with no workarounds. ShinyHunters' Cisco data leak deadline is
tomorrow.
Covered by 15+ sources across all analyst sections · CVE-2026-33634 (KEV deadline April 8) · IOCs available
The March 2026 DPRK supply chain spree is the most significant open-source ecosystem attack in years by sheer blast radius. The kill chain (Trivy → LiteLLM → Telnyx → Axios) culminated in axios@1.14.1 and axios@0.30.4 shipping with a phantom dependency (plain-crypto-js@4.2.1) that dropped the WAVESHAPER.V2 cross-platform RAT via a postinstall hook. Malicious Axios versions were live ~3 hours before npm removal. Socket.dev flagged the compromise within 6 minutes. GTIG estimates hundreds of thousands of secrets potentially exfiltrated.
IOCs: C2 sfrclak[.]com, IP 142.11.206.73:8000. RAT paths — macOS: /Library/Caches/com.apple.act.mond, Windows: %PROGRAMDATA%\wt.exe (registry run key persistence, LOLBin: PowerShell copied to wt.exe), Linux: /tmp/ld.py.
Action: Block IOCs at perimeter. If CI/CD ran npm install resolving to poisoned Axios versions in the March 31 window, treat runners as fully compromised. Rotate ALL credentials and secrets. Audit dependency trees for plain-crypto-js. Validate Trivy deployments for supply chain integrity. LiteLLM v1.82.7 and v1.82.8 are the only confirmed-bad releases; Mandiant forensic audit cleared the rest.
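A lockfile audit for the dependency check above, as an added example (not code from the briefing or from any of the cited vendors). The package/version pairs are the ones the briefing names; the two sample lockfiles are constructed, and the parsing follows npm's documented package-lock.json layouts (flat "packages" map for lockfileVersion 2/3, nested "dependencies" tree for lockfileVersion 1).

```python
"""Audit an npm lockfile for the poisoned Axios releases and the
plain-crypto-js phantom dependency named in the briefing."""
import json
import sys

# Package/version pairs the briefing names as malicious.
BAD_VERSIONS = {
    "axios": {"1.14.1", "0.30.4"},
    "plain-crypto-js": {"4.2.1"},
}
# Any version of the phantom dependency is worth a look, not just 4.2.1.
PHANTOM = "plain-crypto-js"


def iter_packages(lock):
    """Yield (path, name, version) for every package in a package-lock.json.
    Handles lockfileVersion 2/3 (flat 'packages' map keyed by install path)
    and lockfileVersion 1 (nested 'dependencies' tree)."""
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            if not path:  # "" is the root project entry, not a dependency
                continue
            # Aliased installs carry an explicit 'name'; otherwise use the path tail.
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            yield path, name, meta.get("version")
        return
    stack = [("", lock.get("dependencies", {}))]
    while stack:
        parent, deps = stack.pop()
        for name, meta in deps.items():
            path = f"{parent}node_modules/{name}"
            yield path, name, meta.get("version")
            if meta.get("dependencies"):  # nested copies that npm could not dedupe
                stack.append((path + "/", meta["dependencies"]))


def find_poisoned(lock):
    """Return a list of findings; an empty list means none of the bad packages resolve."""
    findings = []
    for path, name, version in iter_packages(lock):
        if version in BAD_VERSIONS.get(name, ()):
            findings.append({"path": path, "name": name, "version": version,
                             "reason": "known-bad release"})
        elif name == PHANTOM:
            findings.append({"path": path, "name": name, "version": version,
                             "reason": "phantom dependency present"})
    return findings


def load_lock(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


# Constructed sample lockfiles (not real project files).
SAMPLE_LOCK_V3 = {
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0", "dependencies": {"axios": "^1.14.0"}},
        "node_modules/axios": {"version": "1.14.1", "dependencies": {"plain-crypto-js": "4.2.1"}},
        "node_modules/plain-crypto-js": {"version": "4.2.1", "hasInstallScript": True},
        "node_modules/follow-redirects": {"version": "1.15.6"},
    },
}
SAMPLE_LOCK_V1 = {
    "name": "demo-app", "lockfileVersion": 1,
    "dependencies": {
        "axios": {"version": "1.13.0"},
        "some-tool": {"version": "2.0.0",
                      "dependencies": {"axios": {"version": "0.30.4"}}},
    },
}

if __name__ == "__main__":
    # Usage: python audit_lock.py path/to/package-lock.json ...  (no args: run on the samples)
    locks = [load_lock(p) for p in sys.argv[1:]] or [SAMPLE_LOCK_V3, SAMPLE_LOCK_V1]
    for lock in locks:
        for f in find_poisoned(lock):
            print(f"{f['reason']}: {f['name']}@{f['version']} at {f['path']}")
```

The v1 walk matters because a poisoned Axios can sit nested under another package (as in the second sample) where a top-level `npm ls axios` glance is easy to misread; the lockfile is what actually got installed on the runner, so audit it rather than package.json.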
Two distinct threat actors now operate within the same credential pool — one financially motivated (TeamPCP/Lapsus$), one state-sponsored (UNC1069). CISA has not issued a standalone advisory at day 14, a notable gap flagged explicitly by the SANS ISC tracker. Singapore CSA issued AD-2026-002. The Wiz CIRT report contains extensive AWS API call patterns (TruffleHog validation, 24-hour pivot to IAM/EC2/S3/ECS, distinctive resource naming 'pawn'/'massive-exfil') worth pulling into detection rules immediately.
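The two detection ideas from the Wiz CIRT summary above, turned into runnable logic over CloudTrail events. This is an added example, not Wiz's rules or code. The 'pawn'/'massive-exfil' markers and the 24-hour IAM/EC2/S3/ECS pivot come from the briefing; the assumption that a TruffleHog-style validation shows up as sts:GetCallerIdentity, the "first call from this key" heuristic, and the sample events are mine and are labelled as such in the code.

```python
"""Flag two AWS post-compromise patterns described in the briefing:
(1) resource names containing 'pawn' or 'massive-exfil', and
(2) an access key whose first observed call is sts:GetCallerIdentity
    (assumed to be the credential-validation step) followed by
    IAM/EC2/S3/ECS activity within 24 hours."""
from datetime import datetime, timedelta

SUSPECT_NAMES = ("pawn", "massive-exfil")          # naming from the briefing
PIVOT_SOURCES = {"iam.amazonaws.com", "ec2.amazonaws.com",
                 "s3.amazonaws.com", "ecs.amazonaws.com"}
PIVOT_WINDOW = timedelta(hours=24)                 # the 24-hour pivot the briefing cites


def _ts(event):
    # CloudTrail eventTime is ISO-8601 UTC with a trailing Z.
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _strings_in(obj):
    """Yield every string nested in requestParameters (bucket names, tag values, role names)."""
    if isinstance(obj, dict):
        for v in obj.values():
            yield from _strings_in(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from _strings_in(v)
    elif isinstance(obj, str):
        yield obj


def detect(events):
    """Return a list of alert dicts for a list of CloudTrail event dicts."""
    alerts, by_key = [], {}
    for ev in sorted(events, key=_ts):
        key = ev.get("userIdentity", {}).get("accessKeyId", "<none>")
        by_key.setdefault(key, []).append(ev)
        for s in _strings_in(ev.get("requestParameters") or {}):
            if any(marker in s.lower() for marker in SUSPECT_NAMES):
                alerts.append({"rule": "suspicious-resource-name", "accessKeyId": key,
                               "eventName": ev["eventName"], "value": s})
    for key, evs in by_key.items():
        # Assumption: the event window covers the key's first use. In a SIEM,
        # replace this with a "key not seen in the previous N days" lookup.
        if evs[0]["eventName"] != "GetCallerIdentity":
            continue
        t0 = _ts(evs[0])
        touched = sorted({e["eventSource"] for e in evs[1:]
                          if e["eventSource"] in PIVOT_SOURCES and _ts(e) - t0 <= PIVOT_WINDOW})
        if touched:
            alerts.append({"rule": "validate-then-pivot", "accessKeyId": key,
                           "services": touched, "validated_at": evs[0]["eventTime"]})
    return alerts


# Constructed sample events (key IDs and times are made up for the example).
_K1 = {"accessKeyId": "AKIACONSTRUCTED00001"}
_K2 = {"accessKeyId": "AKIACONSTRUCTED00002"}
SAMPLE_EVENTS = [
    {"eventTime": "2026-03-31T12:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "userIdentity": _K1, "requestParameters": None},
    {"eventTime": "2026-03-31T12:40:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers", "userIdentity": _K1, "requestParameters": None},
    {"eventTime": "2026-03-31T15:10:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "userIdentity": _K1,
     "requestParameters": {"instanceType": "c5.4xlarge", "tagSpecificationSet": {
         "items": [{"tags": [{"key": "Name", "value": "pawn-01"}]}]}}},
    {"eventTime": "2026-04-01T09:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "CreateBucket", "userIdentity": _K1,
     "requestParameters": {"bucketName": "massive-exfil-staging"}},
    # A benign key: routine listing, then a GetCallerIdentity that is not a first use.
    {"eventTime": "2026-03-31T08:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "userIdentity": _K2, "requestParameters": None},
    {"eventTime": "2026-03-31T08:05:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "userIdentity": _K2, "requestParameters": None},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a)
```

The name rule is cheap and high-signal but trivially changed by the actor; the validate-then-pivot rule is the durable one, since any leaked-key campaign has to check the key works before using it. Tune PIVOT_SOURCES to the services that matter in your account.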
Sources: Tenable FAQ · Microsoft · Elastic · Unit 42 · CrowdStrike · SANS ISC Update 005 · Wiz CIRT · Singapore CSA
CVE-2026-3055 (EPSS 0.44) on NetScaler ADC and Gateway is in CISA KEV with a federal remediation deadline of 2026-04-02 — today. CVE-2026-4368 (EPSS 0.00017) is also patched but not in KEV. No threat actor attribution in the bulletin, but KEV listing confirms active exploitation in the wild. NetScaler boxes have been the entry point for multiple high-profile ransomware intrusions over the past several years. If your vuln team hasn't already prioritized this, they have some explaining to do.
Source: CIRCL
Use-after-free in Google's Dawn WebGPU implementation, confirmed exploited in the wild by both Google and CCCS. Added to CISA KEV April 1, with BOD 22-01 deadline April 15. Chrome stable updated to 146.0.7680.177/178. EPSS is low (0.00038) — that's irrelevant when CISA and Google have both confirmed wild exploitation. Dawn is Chrome's cross-platform WebGPU layer, so this affects all Chromium-based browsers and Electron-based applications. Covered by 4 sources.
Chrome auto-update handles most consumer installs. Enterprise managed deployments with delayed update policies are the exposure surface. Enforce update channel policies and verify Chrome versions across managed endpoints before April 15.
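A fleet version check for the verification step above, as an added example (not Google's or CISA's tooling). The fixed build numbers come from the briefing; since both 146.0.7680.177 and .178 are fixed, anything at or above .177 passes. The inventory is constructed; in practice it would come from your endpoint management export. The point worth seeing is that version strings must be compared numerically per field, not as strings.

```python
"""Flag managed endpoints whose Chrome build predates the fix for CVE-2026-5281."""

MIN_FIXED = (146, 0, 7680, 177)   # from the briefing: 146.0.7680.177/178 are fixed builds


def parse_version(text):
    """Turn 'MAJOR.MINOR.BUILD.PATCH' into a tuple of ints; reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Chrome version string: {text!r}")
    return tuple(int(p) for p in parts)


def needs_update(version_text):
    """True when the build is older than the fixed build."""
    return parse_version(version_text) < MIN_FIXED


def outdated_hosts(inventory):
    """Return hostnames that need attention before the KEV deadline.
    Unparseable entries are included: an unknown version cannot be proven patched."""
    out = []
    for host, version_text in inventory:
        try:
            if needs_update(version_text):
                out.append(host)
        except ValueError:
            out.append(host)
    return out


# Constructed inventory (hostnames and versions made up for the example).
SAMPLE_INVENTORY = [
    ("ws-01", "146.0.7680.177"),   # fixed
    ("ws-02", "146.0.7680.99"),    # older, even though it sorts after .177 as a string
    ("ws-03", "145.0.7632.120"),   # previous major
    ("ws-04", "146.0.7680.178"),   # fixed
    ("ws-05", "unknown"),          # agent could not report a version
]

if __name__ == "__main__":
    print("needs update:", outdated_hosts(SAMPLE_INVENTORY))
```

ws-02 is the case that a naive string comparison gets wrong ("146.0.7680.99" > "146.0.7680.177" lexically), which is exactly the kind of false "patched" reading that leaves a delayed-update ring exposed.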
Sources: CISA · CCCS AV26-306 · The Hacker News · SecurityWeek
Nine advisories dropped April 1. Two are critical and require immediate action:
High-rated issues include authenticated RCE chains on IMC (CVE-2026-20094 through -20097), SSM On-Prem privilege escalation via credential leakage (CVE-2026-20151), and EPNM admin session token exposure (CVE-2026-20155). Medium issues cover Nexus Dashboard SSRF, backup credential exposure, and IMC XSS.
SSM On-Prem is a license management server with broad internal network access. IMC is the out-of-band management interface for UCS hardware — compromising it gives hardware-level access that survives OS reimaging. Both are management-plane infrastructure that should never face the internet but regularly does. If you can't patch immediately, network-segment these services from anything untrusted.
Sources: Cisco SSM CLI · Cisco IMC Auth Bypass · Cisco IMC Cmd Inj · Cisco SSM Priv Esc · Cisco EPNM
ShinyHunters posted a "FINAL WARNING" against Cisco claiming three separate intrusions (attributed partly to UNC6040): 3M+ Salesforce PII records, internal GitHub repos, and AWS bucket contents. Leak deadline is April 3 — tomorrow. ShinyHunters has a credible track record (Ticketmaster, AT&T). The UNC6040 designation is a Mandiant tracking name, suggesting linkage to a tracked threat cluster. The multi-vector framing (Salesforce Aura component, AWS, GitHub) implies a multi-phase campaign or broad SaaS/cloud credential compromise.
This may be related to the Trivy-vector Cisco source code theft from the TeamPCP supply chain story above — different claimed threat actors but overlapping victim and timeframe. Cisco is having a very bad week.
Source: ransomware.live
Akira ransomware posted Starr Insurance as a victim. Starr is a major global specialty insurer operating in ~100 countries with substantial premium volume — a breach carries regulatory notification obligations across multiple jurisdictions. Double extortion. Akira typically gains access via unpatched VPN services or compromised RDP credentials. Law firm Tange, Mann & Garza posted in the same window; cluster size suggests additional Akira victims not captured in this batch.
Financial sector peers: review VPN/RDP exposure and verify MFA enforcement. Check for recent Cisco ASA/FTD or Fortinet vulns in your perimeter infrastructure — these are Akira's bread and butter.
Sources: Ransomlook · Ransomlook
Rapid7's March releases add modules for CVE-2023-2868 (Barracuda ESG TAR command injection, EPSS 0.895, KEV due 2023-06-16) and CVE-2025-64328 (FreePBX filestore command injection, EPSS 0.853, KEV due 2026-02-24). Barracuda recommended physical appliance replacement rather than patching — any surviving units are now trivially exploitable via a public Metasploit module. Additional modules target Eclipse Che WebSocket RCE (CVE-2025-12548) and AVideo Encoder (CVE-2026-29058). SMB NTLM relay capabilities also significantly expanded. If you still have an unpatched Barracuda ESG in production, that thing needed to be in a dumpster two years ago. Sources: Rapid7 03/27 · Rapid7 03/20
Qilin posted at least four victims in 24 hours but the underlying cluster size is 19, suggesting a mass dump of older compromises. Named victims include State Road and Tollway Authority (Georgia SRTA — Peach Pass, I-285/400 express lanes), Neurologic Associates of Central Brevard (FL healthcare), and Chek News (Canadian broadcaster). Transportation critical infrastructure and a healthcare practice in the same batch. Sources: Ransomlook
New MaaS kit automating device code OAuth phishing against Microsoft 365. Victims enter a code on a genuine Microsoft domain, unknowingly granting a persistent refresh token that bypasses MFA. Directly relevant to every M365 environment. Mitigation: enforce Conditional Access to restrict device code flow to compliant devices only; consider disabling device code flow entirely if not operationally required; monitor Entra ID for anomalous OAuth token grants and device code authorization events. Source: BleepingComputer
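Two checks for the mitigations listed above, as an added example that is not code from BleepingComputer or Microsoft: a hunt over Entra ID sign-in records for successful device-code sign-ins from devices not marked compliant, and an audit of exported Conditional Access policies for one that actually scopes the device code flow. The field names follow the Microsoft Graph sign-in and conditionalAccessPolicy shapes as I understand them (authenticationProtocol, deviceDetail.isCompliant, conditions.authenticationFlows.transferMethods, grantControls.builtInControls) and should be treated as assumptions to verify against your export; all sample records are constructed.

```python
"""Device code flow checks for Microsoft 365 / Entra ID:
(1) successful device-code sign-ins from non-compliant devices,
(2) whether any enabled Conditional Access policy constrains deviceCodeFlow."""


def risky_device_code_signins(signins):
    """Return successful device-code sign-ins from devices not marked compliant.
    Assumed Graph fields: authenticationProtocol, status.errorCode, deviceDetail.isCompliant."""
    hits = []
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            continue
        if s.get("status", {}).get("errorCode", 0) != 0:     # failed attempt, not a grant
            continue
        if s.get("deviceDetail", {}).get("isCompliant", False):
            continue
        hits.append({"user": s["userPrincipalName"], "ip": s.get("ipAddress"),
                     "app": s.get("appDisplayName"), "when": s["createdDateTime"]})
    return hits


def device_code_flow_constrained(policies):
    """True if an enabled policy targets deviceCodeFlow and either blocks it or
    requires a compliant device. Report-only and disabled policies do not count."""
    for p in policies:
        if p.get("state") != "enabled":
            continue
        flows = p.get("conditions", {}).get("authenticationFlows") or {}
        methods = {m.strip() for m in flows.get("transferMethods", "").split(",")}
        if "deviceCodeFlow" not in methods:
            continue
        controls = set(p.get("grantControls", {}).get("builtInControls", []))
        if controls & {"block", "compliantDevice"}:
            return True
    return False


# Constructed sample sign-ins (users, IPs and times are made up).
SAMPLE_SIGNINS = [
    {"createdDateTime": "2026-04-01T10:02:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.10", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0},
     "deviceDetail": {"isCompliant": False, "isManaged": False}},
    {"createdDateTime": "2026-04-01T10:05:00Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "198.51.100.7", "appDisplayName": "Microsoft Azure CLI",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0},
     "deviceDetail": {"isCompliant": True, "isManaged": True}},
    {"createdDateTime": "2026-04-01T10:07:00Z", "userPrincipalName": "carol@example.com",
     "ipAddress": "203.0.113.11", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 50126},
     "deviceDetail": {"isCompliant": False}},
    {"createdDateTime": "2026-04-01T10:09:00Z", "userPrincipalName": "dave@example.com",
     "ipAddress": "198.51.100.8", "appDisplayName": "Outlook",
     "authenticationProtocol": "oAuth2", "status": {"errorCode": 0},
     "deviceDetail": {"isCompliant": True}},
]

# Weak setting: the policy exists but is only in report-only mode.
WEAK_POLICIES = [{
    "displayName": "Block device code flow", "state": "enabledForReportingButNotEnforced",
    "conditions": {"authenticationFlows": {"transferMethods": "deviceCodeFlow"}},
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}]
# Corrected setting: enforced, and scoped to the device code flow.
HARDENED_POLICIES = [dict(WEAK_POLICIES[0], state="enabled")]

if __name__ == "__main__":
    print("risky device-code sign-ins:", risky_device_code_signins(SAMPLE_SIGNINS))
    print("weak config constrained?", device_code_flow_constrained(WEAK_POLICIES))
    print("hardened config constrained?", device_code_flow_constrained(HARDENED_POLICIES))
```

Each hit from the first function is a refresh token that will outlive a password reset; revoke sessions for those users, not just the password. The second function is the audit that catches the common gap of a policy left in report-only mode.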
Fortinet PSIRT published three threat analysis posts documenting active SSO abuse on FortiOS, renewed exploitation of FG-IR-19-283 (a seven-year-old advisory), and novel post-exploitation persistence mechanisms. A 2019 advisory still seeing active abuse indicates a persistent tail of unpatched FortiGate deployments. If you're running FortiOS and haven't patched against a 2019 advisory, the vuln management conversation is now a governance conversation. Review FortiOS SSO configurations and authentication logs for anomalous patterns. Sources: Fortinet SSO Analysis · FG-IR-19-283 Advisory
StarLabs reverse-engineered the V8 patch for CVE-2026-0899 (OOB memory access via class initializer reparsing) and documented a full exploitation path to arbitrary read/write via kgsl_memdesc manipulation. Currently gated by V8 CHECK assertions in both debug and release builds, but the underlying memory corruption is real, the trigger PoC is public, and the post is essentially a roadmap. V8 bugs with documented arb R/W and public triggers are on a short countdown to in-the-wild exploitation. Verify Chrome fleet patches. Source: StarLabs
Hundreds of millions stolen from decentralized finance platform Drift; deposits and withdrawals suspended. Attack vector not yet disclosed. The DeFi sector continues to serve as a live-fire demonstration of what happens when you deploy financial infrastructure without mature security practices. Source: TechCrunch
Unauthorized access detected March 28. SEC filing. Systems taken offline affecting order processing and shipping. "Continuing to implement measures to secure business operations" — phrasing that suggests attackers may still have active access. No attribution, no strain, no data exfil confirmation yet. Covered by 5 sources. Source: HelpNetSecurity
CVE-2026-3502 in TrueConf conference client exploited to push Havoc C2 to all connected endpoints simultaneously by abusing the update/file push mechanism. Multiple SE Asian government organizations compromised. The attack vector is the alarming part: any conferencing platform with a server-to-client push mechanism presents a similar risk profile. Review the update trust model for all deployed conferencing software. Source: BleepingComputer
The 2026 "Cyber Strategy for America" includes language about "unleashing the private sector" to "identify and disrupt adversary networks." Schneier calls it dangerous vigilantism given attribution failures in cyberspace. Citizen Lab warns of counterintelligence risks, accelerated cyber arms race, and empowerment of the commercial hacking industry. This is official White House policy — not a leak, not interpretation. CISO and legal teams at organizations with critical infrastructure roles or significant foreign adversary targeting should brief on this. The strategy document is worth reading as primary source. Sources: Schneier · Citizen Lab
Researcher demonstrated Claude Code discovering CVE-2026-34714 (Vim,
CVSS 9.2, patched in 9.2.0272), an unfixed "forever-day" in GNU Emacs
Git VCS integration (maintainers declined to fix, affects stable 30.2
and dev 31.0.50), and CVE-2026-4747 (FreeBSD kernel RCE). The Emacs vuln
is the most operationally concerning — no patch available, trivially
triggered by opening any file in a directory containing a crafted
.git/ folder. Mitigate by setting
vc-handled-backends to nil. The paradigm shift —
LLM-assisted vuln research accessible to non-specialist attackers — is
the longer-term signal. Sources: CSO · Calif
AI
wpnapps.dll/msxml6.dll. (iPurple Team)
wp-config.php forces fresh-install state → full takeover. Patched in 5.1.1. (Wordfence)
~176 entries skipped across all sections: 108 VulDB CVE stubs with zero content body, 46 non-security content (Apple anniversary coverage, geopolitical non-cyber, vendor marketing, stale offensive tooling tips, thin briefs superseded by higher-quality coverage), 12 misconfigured DOJ feed entries and stale MITRE posts, 10 vendor marketing stubs, empty F5 weekly bulletins, and the Censys "Pigeon Forge" April Fools' joke — complete with fabricated SHA256 hashes (c00c00c00…, b1rdb1rd…) and fictional ATT&CK sub-techniques (T1036.418, T1053.coo) that the enrichment pipeline ingested at face value. Consider adding a date == april_1 sanity check.