#0245
Socketabout 2 months ago6 min▣LLM reportcritical A critical supply chain attack compromised the widely used Axios npm package, publishing malicious versions that introduced a trojanized dependency. This dependency executes a multi-stage remote access trojan (RAT) across Windows, macOS, and Linux systems, utilizing obfuscation and anti-forensics to evade detection and establish persistence.
#0244
CrowdStrikeabout 2 months ago5 min▣LLM reportcritical A DPRK-nexus threat actor, likely STARDUST CHOLLIMA, compromised the widely used Axios npm package using stolen maintainer credentials. The supply chain attack deployed updated, cross-platform variants of the ZshBucket malware capable of arbitrary command execution, payload injection, and file system enumeration, likely targeting the cryptocurrency and fintech sectors for financial gain.
#0243
Elastic Security Labsabout 2 months ago4 min▣LLM reportinfo Elastic outlines the methodology and operational benefits of Higher-Order Rules (HOR), which correlate atomic security alerts across entities, data sources, and timeframes. By aggregating signals from endpoints, network devices, and observability metrics, HORs significantly reduce alert fatigue and surface high-confidence malicious activity for prioritized SOC triage.
#0242
Socketabout 2 months ago2 min▣LLM reportinfo The Node.js project has paused its bug bounty program following the suspension of the Internet Bug Bounty (IBB) initiative, which provided its funding. The shift highlights ongoing challenges in open-source security funding and the strain caused by high volumes of low-quality, AI-generated vulnerability reports.
#0241
Recorded Futureabout 2 months ago5 min▣LLM reporthigh In 2025, the Latin America and the Caribbean (LAC) region faced escalating cybercriminal activity driven by rapid digital adoption and economic instability. Threat actors heavily utilized Telegram and dark web forums to distribute ransomware, banking trojans, and infostealers, increasingly targeting the healthcare, manufacturing, and government sectors while adapting to law enforcement disruptions.
#0240
Cisco Talosabout 2 months ago4 min▣LLM reporthigh Advancements in AI have democratized Business Email Compromise (BEC) attacks, allowing threat actors to efficiently target smaller organizations with tailored social engineering. Concurrently, attackers are exploiting the React2Shell vulnerability (CVE-2025-55182) in Next.js applications to harvest cloud and database credentials, while Qilin ransomware has been observed deploying a sophisticated EDR-killing payload.
#0239
Elastic Security Labsabout 2 months ago5 min▣LLM reportcritical Suspected DPRK state actors compromised the highly popular Axios npm package by taking over a maintainer's account and publishing malicious versions that deployed a cross-platform RAT via a phantom dependency. Concurrently, a threat group named TeamPCP conducted a cascading supply chain attack affecting Trivy, LiteLLM, and Telnyx to harvest CI/CD credentials. These incidents underscore the critical need for automated package monitoring, rapid credential rotation, and delayed dependency updates.
#0238
Elastic Security Labsabout 2 months ago5 min▣LLM reporthigh This article details behavioral detection engineering strategies for Linux rootkits, emphasizing the failure of static signatures against trivial binary modifications. It provides actionable detection logic for userland and kernel-space rootkits, including emerging threats leveraging eBPF and io_uring, alongside common persistence and defense evasion techniques.
#0237
Akamaiabout 2 months ago2 min▣LLM reportlow This article is a high-level overview of digital transformation trends in Africa, focusing on the need for secure, scalable, and flexible cloud architectures. It highlights Akamai's solutions and upcoming presence at GITEX AFRICA 2026, containing no specific threat intelligence or technical indicators.
#0236
Canadian Centre for Cyber Securityabout 2 months ago4 min▣LLM reporthigh The Canadian Centre for Cyber Security issued two security advisories. Apple released extensive updates across its operating systems to mitigate vulnerabilities, specifically targeting web attacks from the DarkSword iOS exploit kit. WatchGuard patched an Arbitrary File Write via Path Traversal vulnerability affecting the Fireware Web UI in multiple versions of Fireware OS.
#0235
CISAabout 2 months ago3 min▣LLM reporthigh CISA has added CVE-2026-3502, a vulnerability in TrueConf Client involving the download of code without integrity checks, to its Known Exploited Vulnerabilities (KEV) Catalog due to active exploitation. Organizations are strongly urged to prioritize timely remediation to reduce their exposure to potential cyberattacks.
#0234
Recorded Futureabout 2 months ago2 min▣LLM reportinfo The article introduces the concept of 'Quantum Geopolitics' to describe the current fluid and interconnected state of international relations. It emphasizes that cybersecurity is now a core enterprise risk, requiring organizations to adopt continuous scenario planning, invest in operational resilience, and improve cross-functional communication to navigate geopolitical uncertainties.
#0233
Recorded Futureabout 2 months ago4 min▣LLM reporthigh The payment fraud ecosystem has industrialized through Malware-as-a-Service e-skimmer kits, automated card testing, and scalable purchase scams. This standardization allows defenders to proactively detect and map fraudulent infrastructure upstream before monetization occurs, rather than relying solely on reactive transaction monitoring.
#0232
Trail of Bitsabout 2 months ago3 min▣LLM reportlow Trail of Bits has introduced MuTON and mewt, advanced mutation testing tools designed to identify untested code paths in smart contracts and blockchain applications. These tools leverage Tree-sitter for accurate syntax parsing and integrate with AI agents to optimize testing configurations and triage results, addressing the historical performance limitations of mutation testing.
#0231
Microsoftabout 2 months ago7 min▣LLM reportcritical On March 31, 2026, the popular Axios npm package was compromised in a supply chain attack attributed to North Korean threat actor Sapphire Sleet. Malicious versions 1.14.1 and 0.30.4 included a fake dependency that silently executed a post-install script to download and install OS-specific Remote Access Trojans (RATs) on Windows, macOS, and Linux systems.
#0230
ANY.RUNabout 2 months ago7 min▣LLM reporthigh March 2026 saw a surge in sophisticated, multi-stage cyber attacks designed to evade early detection. Key threats included OAuth device code phishing (EvilTokens) for M365 account takeover, registry-hidden RAT staging (RUTSSTAGER), macOS backdoors delivered via ClickFix lures, and resilient botnets utilizing Dead Drop Resolvers.
#0229
Elastic Security Labsabout 2 months ago6 min▣LLM reportcritical A compromised maintainer account for the widely used axios npm package published backdoored versions that deliver a cross-platform Remote Access Trojan (RAT). The malicious payload, triggered via a postinstall hook in a decoy dependency, deploys identical C2 frameworks across Windows, macOS, and Linux systems while employing anti-forensic techniques to hide its tracks.
#0228
Elastic Security Labsabout 2 months ago6 min▣LLM reportcritical A critical supply chain attack compromised the popular Axios npm package, utilizing a malicious transitive dependency to execute cross-platform payloads during installation. The attack targets Linux, Windows, and macOS systems, deploying OS-specific Remote Access Trojans (RATs) capable of host profiling, command execution, and follow-on payload delivery. Detection engineering efforts should focus on anomalous process ancestry, such as Node.js spawning native OS shells to retrieve and background remote payloads.
#0227
Canadian Centre for Cyber Securityabout 2 months ago3 min▣LLM reportcritical The Canadian Centre for Cyber Security issued an advisory regarding a critical vulnerability in Google Chrome (CVE-2026-5281) that is currently being exploited in the wild. Organizations are urged to update Chrome for Desktop to the latest stable versions to mitigate this active threat.
#0226
CISAabout 2 months ago3 min▣LLM reporthigh CISA has added CVE-2026-5281, a Use-After-Free vulnerability in Google Dawn, to its Known Exploited Vulnerabilities (KEV) Catalog due to evidence of active exploitation. Organizations are strongly urged to prioritize timely remediation to reduce exposure to cyberattacks.