[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$frFMcZ_3TQo8k43wQ7tkF_XHhI1Kpg2q0OC3uetvPeHc":3},{"roundup":4},{"id":5,"week_label":6,"slug":7,"date_from":8,"date_to":9,"tldr":10,"full_brief":11,"top_iocs":12,"social_linkedin":60,"social_x":61,"article_count":62,"awareness_links":63,"status":124,"published_at":125,"created_at":126,"updated_at":126,"mastodon_posted_at":127,"executive_summary":128,"tagline":128,"cover_image_url":128},"39f54b36-d63e-4f43-9ed3-60f0a8233259","2026-W14","2026-w14","2026-03-30","2026-04-05","🔥 Critical week for supply chain attacks with React2Shell (CVE-2025-55182) exploited to harvest credentials from 766+ Next.js hosts\n🎯 North Korean UNC1069 compromised Axios npm maintainer via fake Teams call, injecting malware into a package with 100M+ weekly downloads\n🚨 European Commission breached via TeamPCP supply chain attack, exposing 92GB of data from 30+ EU entities\n💸 $285M DeFi heist attributed to North Korean hackers using sophisticated durable nonce social engineering\n🛡️ FortiClient EMS zero-day (CVE-2026-35616) actively exploited with emergency patches released\n⚠️ LinkedIn secretly scans 6,000+ browser extensions for competitive intelligence and user profiling\n🎭 Multiple ransomware groups (Qilin, Krybit) target government entities while threat actors sell initial access to critical infrastructure","## Vulnerabilities & Exploits\n\n**[Critical React2Shell exploited in mass credential harvesting campaign](https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fhackers-exploit-react2shell-in-automated-credential-theft-campaign)**. Threat cluster UAT-10608 exploits CVE-2025-55182 (CVSS 10.0) for initial access and then deploys the NEXUS Listener framework (now at version 3) for automated credential theft; 766+ Next.js hosts have been compromised so far.\n\n**[FortiClient EMS zero-day actively exploited](https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fnew-fortinet-forticlient-ems-flaw-cve-2026-35616-exploited-in-attacks\u002F)**. 
CVE-2026-35616 is a pre-authentication API access bypass (CVSS 9.1) that allows unauthenticated remote code execution and is being exploited in the wild; Fortinet has released emergency patches, and roughly 2,000 EMS instances remain exposed to the internet. Patch it together with the related, recently fixed CVE-2026-21643 (also CVSS 9.1).\n\n**[Critical ShareFile RCE chain discovered](https:\u002F\u002Fwww.securityweek.com\u002Fcritical-sharefile-flaws-lead-to-unauthenticated-rce\u002F)**. CVE-2026-2699 and CVE-2026-2701 can be chained: an authentication bypass followed by an arbitrary file upload gives an unauthenticated attacker remote code execution and complete system compromise. [Learn more](\u002Fawareness\u002Fcritical-sharefile-rce-vulnerabilities-enable-complete-system-compromise)\n\n**[Firefox JIT vulnerability patched](https:\u002F\u002Fx.com\u002FDarkWebInformer\u002Fstatus\u002F2039815953312055513)**. CVE-2026-4698 (CVSS 8.8) is a JIT miscompilation bug in Firefox's JavaScript engine that affects multiple release branches; update to the patched builds. [Learn more](\u002Fawareness\u002Fcritical-jit-vulnerability-in-firefox-requires-immediate-patching)\n\n### Key Takeaway\nPrioritize patching React\u002FNext.js applications and FortiClient EMS, as both are seeing active exploitation; ShareFile and Firefox follow close behind.\n\n## Supply Chain & Software Attacks\n\n**[North Korean UNC1069 compromises Axios npm maintainer](https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Faxios-npm-hack-used-fake-teams-error-fix-to-hijack-maintainer-account)**. A fake Microsoft Teams 'error fix' call got a RAT onto the maintainer's machine; the hijacked account was then used to publish malicious axios versions to a package with 100M+ weekly downloads. Audit lockfiles for axios versions published during the compromise window and pin to a known-good release. [Learn more](\u002Fawareness\u002Fnorth-korean-actors-compromise-npm-supply-chain-through-social-engineering)\n\n**[European Commission breached via Trivy supply chain attack](https:\u002F\u002Fwww.securityweek.com\u002Feuropean-commission-confirms-data-breach-linked-to-trivy-supply-chain-attack\u002F)**. 
TeamPCP compromised Aqua Security's Trivy scanner; compromised AWS credentials were then used to steal 300GB from an EU AWS environment, affecting 30+ organizations. [Learn more](\u002Fawareness\u002Fsupply-chain-attack-leads-to-major-eu-data-breach-via-compromised-aws-credentials)\n\n**[Claude Code leak weaponized with malware](https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fclaude-code-leak-used-to-push-infostealer-malware-on-github\u002F)**. After Anthropic's accidental code exposure, threat actors created fake GitHub repositories posing as the leaked source and used them to distribute the Vidar infostealer. [Learn more](\u002Fawareness\u002Fthreat-actors-exploit-accidental-code-leak-to-distribute-malware-via-fake-github-repos)\n\n**[ILSpy WordPress domain compromised](https:\u002F\u002Fx.com\u002Fvxunderground\u002Fstatus\u002F2040873380644110656)**. The popular .NET decompiler's WordPress-hosted site was compromised and its domain used to deliver malware in place of the legitimate software; until the site is confirmed clean, fetch builds from the project's GitHub releases instead.\n\n### Key Takeaway\nPin and lock dependencies, verify package provenance and maintainer identity, scan dependencies, and build in isolated environments. This week shows the vector can be a security tool (Trivy) or a top-tier package (axios) just as easily as an obscure one.\n\n## APT & Nation-State Activities\n\n**[China-linked TA416 resumes European government targeting](https:\u002F\u002Fthehackernews.com\u002F2026\u002F04\u002Fchina-linked-ta416-targets-european.html)**. After a two-year operational pause, the group is again deploying PlugX backdoors, delivered via OAuth phishing and MSBuild executables.\n\n**[North Korean hackers target South Korean firms via GitHub](https:\u002F\u002Fhackread.com\u002Fnorth-korean-hackers-github-spy-south-korean-firms\u002F)**. Kimsuky, APT37 and Lazarus-linked activity uses LNK files and PowerShell to collect system data and exfiltrate it via GitHub every 30 minutes.\n\n**[TrueConf zero-day exploited in Asian government attacks](https:\u002F\u002Fwww.securityweek.com\u002Ftrueconf-zero-day-exploited-in-asian-government-attacks\u002F)**. Chinese actors exploited a zero-day in the TrueConf video-conferencing platform and compromised update servers to distribute malicious packages to government entities. 
[Learn more](\u002Fawareness\u002Fnation-state-attack-on-critical-infrastructure-surveillance-system)\n\n**[Military entities targeted with NATO exercise lures](https:\u002F\u002Fx.com\u002FUnit42_Intel\u002Fstatus\u002F2039809395400315092)**. The campaign uses Exercise Steadfast Dart and the IDEAS defense conference as lure themes for credential harvesting. [Learn more](\u002Fawareness\u002Fmilitary-organizations-targeted-through-nato-exercise-social-engineering)\n\n### Key Takeaway\nDeploy additional monitoring for government and defense contractors, especially during major exercises or conferences, when themed phishing lures are most convincing.\n\n## Ransomware & Major Breaches\n\n**[$285M DeFi theft attributed to North Korea](https:\u002F\u002Fwww.securityweek.com\u002Fnorth-korean-hackers-drain-285-million-from-drift-in-10-seconds\u002F)**. Attackers combined social engineering against Drift Protocol's Security Council multisig with Solana durable-nonce transactions (which, unlike ordinary transactions, do not expire and can be broadcast whenever the attacker chooses) to gain administrative control and drain the vaults in about 10 seconds. [Learn more](\u002Fawareness\u002Fcompromised-admin-keys-enable-285m-defi-vault-drainage)\n\n**[German political party hit by Qilin ransomware](https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fdie-linke-german-political-party-confirms-data-stolen-by-qilin-ransomware\u002F)**. Die Linke has confirmed a March 26 attack and the theft of data; the party frames the threatened publication of sensitive material as possible hybrid warfare.\n\n**[Faulkner County Sheriff's Office claimed by Qilin](https:\u002F\u002Fx.com\u002FDarkWebInformer\u002Fstatus\u002F2039858193896030555)**. The Arkansas law enforcement agency is the group's latest claimed victim. [Learn more](\u002Fawareness\u002Flaw-enforcement-agency-falls-victim-to-qilin-ransomware-attack)\n\n**[ShinyHunters claims 3M+ Cisco records theft](https:\u002F\u002Fhackread.com\u002Fshinyhunters-hackers-cisco-records-data-leak\u002F)**. 
The group threatens to leak the data on April 3 after compromising Salesforce and AWS environments through vishing campaigns.\n\n### Key Takeaway\nImplement zero-trust architecture and multisig controls for administrative functions, especially for high-value targets. The Drift theft went through a multisig, so signers also need out-of-band verification of every transaction they approve, and help-desk and SaaS access needs vishing-resistant identity checks.\n\n## Privacy & Corporate Surveillance\n\n**[LinkedIn secretly scans 6,000+ browser extensions](https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Flinkedin-secretly-scans-for-6-000-plus-chrome-extensions-collects-data\u002F)**. The BrowserGate investigation found hidden JavaScript that fingerprints installed extensions for competitive intelligence and customer identification.\n\n**[Fake ChatGPT Ad Blocker spies on users](https:\u002F\u002Fhackread.com\u002Ffake-chatgpt-ad-blocker-chrome-extension-spy-users\u002F)**. The malicious Chrome extension exfiltrated users' ChatGPT conversations through Discord webhooks before it was removed; its distribution domain, blockaiads.com, is listed in this week's IOCs.\n\n### Key Takeaway\nReview browser extension policies and implement monitoring for unauthorized data collection by web applications.\n\n## References\n\n- https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fhackers-exploit-react2shell-in-automated-credential-theft-campaign\u002F\n- https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fnew-fortinet-forticlient-ems-flaw-cve-2026-35616-exploited-in-attacks\u002F\n- https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Faxios-npm-hack-used-fake-teams-error-fix-to-hijack-maintainer-account\u002F\n- https:\u002F\u002Fwww.securityweek.com\u002Feuropean-commission-confirms-data-breach-linked-to-trivy-supply-chain-attack\u002F\n- https:\u002F\u002Fwww.securityweek.com\u002Fnorth-korean-hackers-drain-285-million-from-drift-in-10-seconds\u002F\n- https:\u002F\u002Fthehackernews.com\u002F2026\u002F04\u002Fchina-linked-ta416-targets-european.html\n- https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fdie-linke-german-political-party-confirms-data-stolen-by-qilin-ransomware\u002F\n- 
https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Flinkedin-secretly-scans-for-6-000-plus-chrome-extensions-collects-data\u002F",[13,17,21,24,27,30,33,37,39,41,44,47,51,54,57],{"type":14,"value":15,"context":16},"cve","CVE-2025-55182","Critical RCE vulnerability in React Server Components and Next.js App Router (CVSS 10.0), exploited for initial access.",{"type":18,"value":19,"context":20},"malware","NEXUS Listener","Web-based credential harvesting and collection framework deployed post-compromise; currently at version 3.",{"type":18,"value":22,"context":23},"React2Shell","Initial infection vector vulnerability name used by threat cluster UAT-10608.",{"type":14,"value":25,"context":26},"CVE-2026-3775","DLL hijacking vulnerability in Foxit PDF Editor\u002FReader update service",{"type":18,"value":28,"context":29},"Vidar","Information-stealing malware deployed via fake Claude Code GitHub repositories",{"type":18,"value":31,"context":32},"Qilin","Ransomware-as-a-service operation claiming responsibility for Faulkner County Sheriff's Office attack.",{"type":34,"value":35,"context":36},"domain","krybitxdpxohsmjooeb3gbgpmdddreh6mnflzac6bnezz74b7yje67yd.onion","Krybit ransomware group Tor C2 domain",{"type":34,"value":38,"context":36},"krybitx3fh5krdnhegyp2ob3lhizsaiadturtio3ginf7it5gsdgu2yd.onion",{"type":34,"value":40,"context":36},"krybitqsdzwmhnitvwuhvsntfgf2wrhxveyxroxpc44c6gkft2cqldyd.onion",{"type":14,"value":42,"context":43},"CVE-2026-35616","Pre-authentication API access bypass in FortiClient EMS, actively exploited, CVSS 9.1",{"type":14,"value":45,"context":46},"CVE-2026-21643","Related critical unauthenticated vulnerability in FortiClient EMS, CVSS 9.1, recently patched",{"type":48,"value":49,"context":50},"mitre_attack","T1505.004","Web Shell - PHP-based web shells deployed on compromised servers",{"type":48,"value":52,"context":53},"T1053.006","Cron - scheduled tasks used for persistence and re-creation of malicious 
payloads",{"type":48,"value":55,"context":56},"T1190","Exploit Public-Facing Application - initial access via known vulnerabilities",{"type":34,"value":58,"context":59},"blockaiads.com","Suspicious domain linked to ChatGPT Ad Blocker malware distribution","This week brought a perfect storm of supply chain attacks and nation-state activity:\n\n• React2Shell (CVE-2025-55182) exploited to harvest credentials from 766+ Next.js hosts globally\n• North Korean UNC1069 social engineered Axios maintainer, injecting malware into 100M+ weekly downloads\n• European Commission breached via TeamPCP supply chain attack, exposing 92GB from 30+ EU entities\n• $285M DeFi heist shows North Korean sophistication in social engineering multisig controls\n• FortiClient EMS zero-day actively exploited with 2,000+ exposed instances\n\nFull roundup: https:\u002F\u002Fthreatnoir.com\u002Fweekly\u002F2026-w14\n\n#cybersecurity #supplychain #threatintelligence #infosec #apt","🚨 Massive week for supply chain attacks:\n\n• React2Shell exploited: 766+ hosts compromised\n• North Korea hijacked Axios npm (100M downloads)\n• EU Commission breached via Trivy compromise  \n• $285M DeFi theft\n• FortiClient zero-day exploited\n\nFull breakdown: https:\u002F\u002Fthreatnoir.com\u002Fweekly\u002F2026-w14",80,[64,67,70,73,76,79,82,85,88,91,94,97,100,103,106,109,112,115,118,121],{"slug":65,"title":66},"military-organizations-targeted-through-nato-exercise-social-engineering","Military Organizations Targeted Through NATO Exercise Social Engineering",{"slug":68,"title":69},"critical-langflow-path-traversal-vulnerability-enables-remote-code-execution","Critical Langflow Path Traversal Vulnerability Enables Remote Code Execution",{"slug":71,"title":72},"critical-jit-vulnerability-in-firefox-requires-immediate-patching","Critical JIT Vulnerability in Firefox Requires Immediate Patching",{"slug":74,"title":75},"dll-hijacking-vulnerability-enables-privilege-escalation-in-foxit-pdf-software","DLL Hijacking 
Vulnerability Enables Privilege Escalation in Foxit PDF Software",{"slug":77,"title":78},"dll-hijacking-vulnerability-in-foxit-pdf-software-update-service","DLL Hijacking Vulnerability in Foxit PDF Software Update Service",{"slug":80,"title":81},"nation-state-threats-require-proactive-corporate-security-planning","Nation-State Threats Require Proactive Corporate Security Planning",{"slug":83,"title":84},"source-code-breach-at-upwave-exposes-intellectual-property-and-creates-supply-chain-risk","Source Code Breach at Upwave Exposes Intellectual Property and Creates Supply Chain Risk",{"slug":86,"title":87},"critical-nextjs-vulnerability-exploited-in-mass-credential-harvesting-campaign","Critical Next.js Vulnerability Exploited in Mass Credential Harvesting Campaign",{"slug":89,"title":90},"threat-actors-exploit-accidental-code-leak-to-distribute-malware-via-fake-github-repos","Threat Actors Exploit Accidental Code Leak to Distribute Malware via Fake GitHub Repos",{"slug":92,"title":93},"law-enforcement-agency-falls-victim-to-qilin-ransomware-attack","Law Enforcement Agency Falls Victim to Qilin Ransomware Attack",{"slug":95,"title":96},"nation-state-attack-on-critical-infrastructure-surveillance-system","Nation-State Attack on Critical Infrastructure Surveillance System",{"slug":98,"title":99},"defi-protocol-loses-280m-through-administrative-control-compromise","DeFi Protocol Loses $280M Through Administrative Control Compromise",{"slug":101,"title":102},"supply-chain-attack-leads-to-major-eu-data-breach-via-compromised-aws-credentials","Supply Chain Attack Leads to Major EU Data Breach via Compromised AWS Credentials",{"slug":104,"title":105},"compromised-admin-keys-enable-285m-defi-vault-drainage","Compromised Admin Keys Enable $285M DeFi Vault Drainage",{"slug":107,"title":108},"malicious-apps-bypass-store-security-to-steal-crypto-wallets","Malicious Apps Bypass Store Security to Steal Crypto 
Wallets",{"slug":110,"title":111},"former-employee-uses-admin-access-for-750k-extortion-plot","Former Employee Uses Admin Access for $750K Extortion Plot",{"slug":113,"title":114},"react2shell-vulnerability-enables-mass-credential-theft","React2Shell Vulnerability Enables Mass Credential Theft",{"slug":116,"title":117},"zero-day-software-supply-chain-attack-targets-government-entities","Zero-Day Software Supply Chain Attack Targets Government Entities",{"slug":119,"title":120},"north-korean-actors-compromise-npm-supply-chain-through-social-engineering","North Korean Actors Compromise npm Supply Chain Through Social Engineering",{"slug":122,"title":123},"critical-sharefile-rce-vulnerabilities-enable-complete-system-compromise","Critical ShareFile RCE Vulnerabilities Enable Complete System Compromise","published","2026-04-06T05:37:13.329+00:00","2026-04-06T00:02:09.939987+00:00","2026-04-16T04:30:03.756+00:00",null]