Three stories changed materially since morning. React2Shell escalated from a routine one-liner to a full Cisco Talos campaign analysis: 766 hosts compromised per 24 hours, Stripe payment credentials confirmed stolen alongside AWS/Azure/GitHub tokens — the KEV deadline passed four months ago. Socket.dev revealed the Axios compromise was one success in a systematic DPRK campaign targeting the maintainers behind Lodash, Fastify, Express, and Node.js core — packages with billions of monthly downloads. TrueConf jumped from routine to critical: The Record attributes active exploitation to Chinese state actors and CISA issued a two-week patch deadline. Two new AI-adjacent critical vulns: OpenClaw's CVSS 9.8 priv-esc and a documented CLAUDE.md supply chain attack path with an unshipped fix.
Elevated from this morning's routine section. Cisco Talos primary analysis now available.
This morning's one-line mention ("React2Shell credential harvesting, 750+ systems, very thin") was correct about the scale and wrong about the depth — Talos has published the full campaign analysis. An exposed C2 dashboard gave Talos direct visibility into UAT-10608's operations: fully automated exploitation of CVE-2025-55182 (pre-auth RCE in Next.js Server Components, EPSS 0.65) at a rate of 766 hosts per 24-hour window. The harvesting script collects everything: usernames, passwords, SSH keys, cloud tokens, environment secrets. Confirmed stolen credential types include Stripe (payment processor API keys — immediate monetization pathway), AWS, Azure, OpenAI, Anthropic, Nvidia NIM, OpenRouter, GitHub, and Tavily.
The KEV due date was December 2025. Four months ago. Any publicly exposed, unpatched Next.js deployment should be treated as already compromised. Talos is notifying affected cloud providers. The primary Talos blog likely contains IOCs not captured in the news summary — pull directly.
Sources: CSO Online · Cisco Talos
Socket.dev investigation. Not in morning digest.
The morning digest covered the Axios maintainer postmortem in detail. This afternoon's Socket.dev report is a different and arguably more important story: the Axios compromise was a single success within a systematic, multi-month UNC1069 campaign targeting the highest-value maintainers in the entire Node.js ecosystem. Confirmed targets:
The playbook is theatrical: weeks of low-pressure relationship building on LinkedIn and Slack under fake corporate identities (recurring persona: "Openfort"), then fake video calls on spoofed Teams/Zoom/Streamyard with live AI-generated video of the "interviewer." A technically plausible audio error prompts the target to install a native app or run a curl command. The installed RAT (WAVESHAPER.V2, HYPERCALL, DEEPBREATH, CHROMEPUSH — confirmed matching Mandiant's February 2026 UNC1069 reporting via researcher Tay) exfiltrates .npmrc tokens, browser session cookies, AWS credentials, and macOS keychain contents. Post-auth session theft renders 2FA irrelevant. OIDC-based publishing doesn't mitigate a fully compromised machine. New fake Slack huddle infrastructure was observed emerging this week — the campaign is actively iterating.
The strategic logic: npm write access to any single package maintained by these individuals is a direct path to millions of downstream deployments. DPRK has operationalized "hack one maintainer, reach a million applications" as a direct replacement for one-on-one crypto wallet operations. The 2FA-doesn't-help and OIDC-doesn't-fix-a-compromised-machine caveats need to reach developer security awareness teams immediately.
Source: Socket.dev
OpenClaw, an AI agent framework with 347k GitHub stars and by-design deep OS-level access (Slack, Discord, Telegram, local/network filesystems, authenticated sessions, cloud accounts), patched CVE-2026-33579 this week. The vulnerability allows any user with pairing-level (lowest) permissions to escalate to administrator — gaining control of everything the agent was trusted with. The blast radius is defined not by the vulnerability but by OpenClaw's architectural philosophy: it requires maximum access to function, so compromising it yields maximum access.
EPSS is 0.0001 (freshly assigned, lagging indicator). CVSS ranges 8.1–9.8 depending on deployment context. All OpenClaw deployments should be assumed compromised until patching is confirmed and all credentials/tokens accessible to the agent are rotated. Two sources covering simultaneously; a PoC or exploitation report may follow shortly.
This is a structural problem with agentic AI as a category: a tool that requires omniscience as a feature requirement creates a vulnerability where the lowest-privilege entry point yields everything. Morning's discussion of the LiteLLM/AI-coding-agent vector and this vulnerability are two faces of the same unsolved governance gap.
Source: Ars Technica
Distinct from morning's routine "Claude Code source leak malware lures." This is the architectural vulnerability, not the lure.
Adversa AI documented a concrete supply chain attack path against Claude Code. The mechanism: Claude Code's security analysis (deny-rule enforcement) is compute-intensive and is silently disabled after processing 50+ subcommands, falling back to simple user prompts. Users — reasonably assuming protections are still active — approve. The attack vector: distribute a legitimate-looking repository with a poisoned CLAUDE.md containing 50+ plausible build commands followed by credential exfiltration or payload delivery. Anyone running Claude Code against untrusted repositories is exposed right now.
The damning detail: a fix (tree-sitter parser) exists in the leaked source code and is documented in internal code comments, but Anthropic has not shipped it to production builds. No CVE assigned. Until the fix ships, treat all CLAUDE.md files from external repos as untrusted input. Organizations using Claude Code in CI/CD or agentic development pipelines should audit exposure immediately.
Sources: CSO Online · Adversa AI
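A pre-flight check for the advice above, as an added example (not Adversa AI's or Anthropic's code): it counts shell subcommands in the fenced blocks of a repository's CLAUDE.md and flags files that reach the 50-subcommand threshold or touch credential files. The function names, the naive separator splitting, the SENSITIVE patterns and both sample files are assumptions constructed for illustration.

```python
import re

SUBCOMMAND_LIMIT = 50  # threshold reported on this page
FENCE = re.compile(r"^\s*(`{3,}|~{3,})")
SEPARATORS = re.compile(r"&&|\|\||;|\|")  # naive: ignores shell quoting
# Constructed heuristic: paths and commands that expose credentials.
SENSITIVE = re.compile(r"\.npmrc|\.aws/credentials|\.ssh/|\bprintenv\b")


def extract_subcommands(markdown_text):
    """Split every non-comment line inside fenced blocks into subcommands."""
    subcommands, in_fence = [], False
    for line in markdown_text.splitlines():
        if FENCE.match(line):
            in_fence = not in_fence
            continue
        stripped = line.strip()
        if in_fence and stripped and not stripped.startswith("#"):
            subcommands += [p.strip() for p in SEPARATORS.split(stripped) if p.strip()]
    return subcommands


def audit_claude_md(markdown_text, limit=SUBCOMMAND_LIMIT):
    """Report volume and any sensitive subcommand, with its 1-based position."""
    subs = extract_subcommands(markdown_text)
    sensitive = [(i, c) for i, c in enumerate(subs, 1) if SENSITIVE.search(c)]
    past_limit = [(i, c) for i, c in sensitive if i > limit]
    return {
        "subcommands": len(subs),
        "reaches_limit": len(subs) >= limit,
        "sensitive": sensitive,
        "sensitive_past_limit": past_limit,
        "quarantine": len(subs) >= limit or bool(sensitive),
    }


# Constructed samples, not taken from any real repository.
FENCE_MARK = "`" * 3
BENIGN = f"# Build\n{FENCE_MARK}bash\nnpm ci && npm test\n{FENCE_MARK}\n"
PADDED = (
    f"# Build\n{FENCE_MARK}bash\n"
    + "".join(f"npm run build:step-{n}\n" for n in range(1, 51))
    + "cat ~/.npmrc\n"
    + f"{FENCE_MARK}\n"
)

if __name__ == "__main__":
    for name, text in (("benign", BENIGN), ("padded", PADDED)):
        print(name, audit_claude_md(text))
```

Instructions written as prose rather than fenced commands are not counted by this sketch, so a clean result is not a substitute for reading the file.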
Since morning: elevated from routine. Morning said "no new detail beyond April 2 KEV addition."
The Record now attributes active TrueConf exploitation to Chinese state-affiliated hackers and CISA has issued a two-week federal patch deadline (~April 17) — shorter than the standard three-week BOD 22-01 timeline, signaling elevated urgency. TrueConf is deployed in government and enterprise environments; compromise provides access to sensitive communications infrastructure. The specific CVE wasn't extracted from enrichment — consult the CISA advisory directly for CVE, CVSS, and affected versions.
Video conferencing infrastructure is chronically under-patched because it's treated as a productivity tool rather than a security-critical system. Combined with TA416's resumption of European government targeting (below), this is two PRC-attributed operations against European targets surfacing on the same day.
Sources: The Record · CISA
TA416, a PRC-aligned espionage cluster, has resumed operations against European government and diplomatic targets after approximately two years of regional dormancy. Active since mid-2025, the campaign deploys PlugX via OAuth-based phishing lures — a notable TTP evolution away from classic spearphish attachment chains. Historical TA416 European targeting has correlated with PRC foreign policy pressure points; the resumption warrants tracking against current EU-China trade and Taiwan dynamics.
Source: The Hacker News
ShinyHunters has issued a final extortion ultimatum to Cisco, claiming exfiltration via three separate breach paths: UNC6040 (a tracked intrusion cluster — possible first public mention in this context), Salesforce Aura exploitation, and compromised AWS accounts. Alleged scope: 3M+ Salesforce records including PII, internal GitHub repositories, and AWS storage contents. Cisco has not confirmed.
The multi-vector claim is notable — Salesforce Aura misconfigurations have been a persistent sector-wide problem. UNC6040 as a designation suggests Mandiant/Google tracking that may now be publicly attributed for the first time. ShinyHunters' track record (AT&T, Ticketmaster, Snowflake-adjacent) means their claims carry weight pending confirmation.
Source: SC World
TeamPCP/EU Commission (CVE-2026-33634, KEV April 9): Three additional sources this afternoon (The Record, Dark Reading, TechCrunch) — no substantively new facts beyond morning coverage. Dark Reading notes ShinyHunters/LAPSUS$ infighting over credit, consistent with morning analysis. KEV deadline remains April 9.
Axios npm / UNC1069 postmortem: Additional corroboration from Tenable and SC World; morning coverage remains comprehensive. The new dimension is Socket.dev's broader campaign research (covered above as a separate critical item).
Chrome CVE-2026-5281 (KEV April 15): CSO Online adds context about four Chrome zero-days this year but no new technical detail. Action unchanged: update to 146.0.7680.178+.
Drift Protocol $285M, VENOM phishing kit, Cisco IMC CVE-2026-20093: No afternoon coverage.
Tenable Research published a structural analysis framing TeamPCP, Sapphire Sleet (UNC1069), and a new designation GlassWorm (targeting VSCode/OpenVSX for Web3 credential theft) as a three-tier industrialized market: credential generation → weaponization → opportunistic bulk theft. Core analytic finding: EDR is structurally blind to credential theft in ephemeral CI/CD runners, and WAVESHAPER.V2 was designed to exfiltrate and self-destruct faster than human triage. GlassWorm is Tenable-coined with no independent corroboration — treat as unilateral threat intel. The layered taxonomy, if accurate, implies operational coordination not previously documented for this ecosystem. (Tenable)
Since morning: "Citrix ShareFile critical unauthenticated RCE — no CVEs assigned yet" now has CVEs.
watchTowr disclosed CVE-2026-2699 (auth bypass) and CVE-2026-2701 (RCE) in the Storage Zones Controller of Progress ShareFile 5.x. Chained: unauthenticated file exfiltration and full RCE. No CVSS/EPSS yet. Progress MFT products have a strong weaponization track record (cf. MOVEit CVE-2023-34362). Patch or take SZC offline if externally exposed. (SC World · CybersecurityDive)
Qilin claimed and Die Linke confirmed an attack with data theft threatened. Political party data — comms, donor/member records, strategy documents — has high intelligence value. Watch for actual data publication, which may carry implications for German coalition dynamics. (BleepingComputer)
Previously undocumented malware family targeting government, healthcare, education, and finance sectors via spoofed CERT-UA communications. Impersonating a national CERT during active conflict is particularly cynical exploitation of institutional trust. Attribution unconfirmed; context strongly implies Russia-aligned actor. Very thin source. (SC World)
NYSE-listed telehealth platform confirmed breach originating from Zendesk support system, attributed to employee social engineering (T1566, T1078). Support tickets for a telehealth company are effectively medical records-lite — HIPAA implications are real. No threat actor, no IOCs, scope unknown. Watch for SEC 8-K and HHS OCR notification. (BleepingComputer)
Varonis ThreatLabz identified a subscription-based infostealer bypassing Chrome's App-Bound Encryption across Chrome, Edge, Firefox, and Waterfox, with crypto wallet targeting. MaaS model means broad distribution. Full Varonis report needed for technique details and IOCs. (SC World)
Microsoft documented PHP web shells using HTTP cookie values as covert C2, evading WAFs that inspect URL params and POST bodies. Persistence via cron on Linux. Detection: anomalous PHP process spawns from web server context + unexpected cron creation. Source the full Microsoft writeup for YARA rules. (The Hacker News)
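The two detection signals named above, as an added example (not Microsoft's rules): a pass over process and file-write events that flags shells or crontab spawned beneath a web server, and cron writes made by those processes. The event schema, the process-name sets and the sample events are constructed assumptions; map them to your own EDR or auditd telemetry.

```python
WEB_SERVERS = {"php-fpm", "apache2", "httpd", "nginx"}
SUSPICIOUS_CHILDREN = {"sh", "bash", "dash", "crontab"}
CRON_PREFIXES = ("/etc/cron", "/var/spool/cron")


def detect_webshell_activity(events):
    """Flag shells/crontab spawned under a web server and cron writes by them."""
    comm, parent, alerts = {}, {}, []

    def web_ancestor(pid):
        # Walk up the recorded process tree until a web server or the root.
        seen = set()
        while pid in comm and pid not in seen:
            if comm[pid] in WEB_SERVERS:
                return True
            seen.add(pid)
            pid = parent.get(pid)
        return False

    for ev in events:
        if ev["type"] == "exec":
            comm[ev["pid"]], parent[ev["pid"]] = ev["comm"], ev["ppid"]
            if ev["comm"] in SUSPICIOUS_CHILDREN and web_ancestor(ev["ppid"]):
                alerts.append(("web_spawned_process", ev["pid"], ev["comm"]))
        elif ev["type"] == "write" and ev["path"].startswith(CRON_PREFIXES):
            if web_ancestor(ev["pid"]):
                alerts.append(("web_cron_write", ev["pid"], ev["path"]))
    return alerts


# Constructed events in a hypothetical normalized schema.
SAMPLE_EVENTS = [
    {"type": "exec", "pid": 100, "ppid": 1, "comm": "php-fpm"},
    {"type": "exec", "pid": 200, "ppid": 1, "comm": "sshd"},
    {"type": "exec", "pid": 201, "ppid": 200, "comm": "bash"},    # admin login
    {"type": "write", "pid": 201, "path": "/etc/cron.d/backup"},  # admin edit
    {"type": "exec", "pid": 101, "ppid": 100, "comm": "sh"},
    {"type": "exec", "pid": 102, "ppid": 101, "comm": "crontab"},
    {"type": "write", "pid": 102, "path": "/var/spool/cron/crontabs/www-data"},
]

if __name__ == "__main__":
    for alert in detect_webshell_activity(SAMPLE_EVENTS):
        print(alert)
```

Applications that legitimately shell out from PHP will trip the first rule, so baseline per host before alerting on it.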
Apple patching a deprecated major release is itself a severity signal — historically reserved for actively exploited or zero-click critical flaws. No CVE in enrichment; consult Apple security advisory directly. Enterprises with iOS 18 device fleets should apply immediately. (Dark Reading)
Metasploit inclusion = trivially exploitable. FreeScout is the priority: no authentication required, customer support platform that lives on public infra. Grav CMS requires admin creds but elevated EPSS for an authenticated vuln. Patch both. (Rapid7)
First on-the-record US government confirmation of Paragon Graphite in active domestic LE use. Drug trafficking framing is the legal basis; the tool's capabilities are not scoped to that use case. Track alongside normalization of commercial spyware in western agency procurement. (SC World)
If you're gating on "is this a datacenter IP," you're blind to over a third of active malicious traffic. Review how much weight your detection stack places on IP reputation alone as a signal. (SC World)
Microsoft's LinkedIn deploys JavaScript scanning for 6,000+ installed Chrome extensions without explicit disclosure. Corporate browser visitors may be leaking inventories of security tools, VPN clients, and password managers. Raise with browser security and DLP teams. (BleepingComputer)
Agency brought to ~$2B from $3B. Proposal recycles FY2026 language referencing already-shuttered programs. Practical downstream effects — reduced shared threat intel, thinner critical infrastructure engagement — manifest over 1-2 years. (Cyberscoop · CybersecurityDive)
IBB paused submissions; Node.js stopped payouts; Curl and Google OSS VRP halted AI-generated reports. AI enables near-zero-cost high-volume report generation, collapsing triage economics. Second-order risk: real bugs submitted during the spam flood may have been dismissed. (CSO Online)
~145 entries skipped: 94 bulk VulDB Linux kernel CVE stubs (no EPSS, no KEV, no exploitation context), 49 general-section drops (7 empty CrowdStrike blog posts, 6 N-able advertorials cosplaying as CSO Online editorial, 4 Proofpoint PR clips, a 21k-word Marc Andreessen AI podcast transcript, Sophos Gartner self-congratulation, HN threads on disassembling Mercury and async Python, and various single-sentence briefs), 1 malware duplicate, 1 social-engineering duplicate. Enrichment lowlights: MERCURY tagged as a threat actor from a Dyson sphere post, SILICON from the a16z podcast, and a GitHub gist filename fragment flagged as an MD5 IOC.
The afternoon's key development is the Socket.dev report reframing UNC1069's scope. The Axios compromise was concerning as an isolated incident; as one node in a systematic DPRK campaign targeting the entire upper echelon of the Node.js maintainer community, it represents a strategic threat to software supply chains at a foundational level. These maintainers collectively control packages with trillions of annual downloads — and UNC1069 is actively iterating infrastructure this week. Meanwhile, the React2Shell elevation is the most immediately actionable change since morning: if you run publicly exposed Next.js and haven't patched a four-month-old KEV, UAT-10608's automated harvesting likely already has your credentials in a database somewhere. The two PRC-attributed European operations surfacing on the same day (TA416 resumption + TrueConf exploitation) may be coincidence or may indicate coordinated collection tempo — worth watching.