This weekly threat intelligence bulletin covers multiple active ransomware campaigns, four critical vulnerabilities under active exploitation, and emerging AI-driven threats. Notable items include actively exploited RCE flaws in Oracle E-Business Suite and Progress Kemp LoadMaster, a Citrix NetScaler memory disclosure flaw exploited within 24 hours of disclosure, a North Korean supply-chain campaign (PolinRider) deploying 108 malicious packages, and a proof-of-concept browser-native ransomware generated by an LLM abusing Chrome's File System Access API.
AI is not fundamentally changing adversary capabilities but is compressing attack timelines, lowering operational costs, and scaling existing tactics. Breakout times have dropped to an average of 29 minutes, with AI-enabled operations increasing 89% year-on-year. The most significant emerging threats are runtime-LLM malware (PROMPTSTEAL/LAMEHUG, QUIETVAULT) that query language models during execution, and agentic AI operations (GTG-1002) where AI agents conduct multi-stage intrusions with minimal human steering. Defenders face a dual pressure: faster attacks and an expanding attack surface from AI supply-chain dependencies.
Recorded Future's Insikt Group evaluates Mexico's newly published 2025-2030 National Cybersecurity Plan, assessing it against the country's actual threat landscape from 2020-2026. Ransomware is the dominant threat with 223 documented incidents across 64 groups, while financial malware (Mispadu, Grandoreiro, Casabaneiro, Fenix botnet), state-sponsored espionage (TAG-141/FamousSparrow, TGR-STA-1030), hacktivism (Chronus Team, Guacamaya), and organized crime-linked money laundering via Chinese networks compound the risk. The 2026 FIFA World Cup will be an early operational test of Mexico's cyber resilience.
AI Attacked and Abused While Perimeter Authentication Collapses
The month's defining shift was the emergence of AI as a two-sided battlefield: organizations deployed AI tools faster than they secured them, while attackers weaponized the same technology against defenders. Critical flaws in LangGraph allowed SQL injection chained to remote code execution, M365 Copilot could be turned into a one-click data exfiltration weapon via SearchLeak, and Langflow was exploited to deploy cryptominers. Meanwhile, the ongoing Shai-Hulud campaign injected prompts to blind AI malware scanners, macOS.Gaslight turned prompt injection against human analysts, and Russia's APT28 began experimenting with LLM-integrated malware. At the same time, perimeter authentication collapsed at scale: FortiBleed exposed credentials for over 73,000 FortiGate firewalls, CVE-2026-50751 let attackers bypass Check Point VPN authentication entirely, and ShinyHunters exploited an Oracle PeopleSoft zero-day across over 100 organizations.
Supply chain attackers followed developers to their new AI tools, compromising the ecosystems where code is written and built. The Shai-Hulud/Miasma worm expanded from npm into PyPI and injected persistent backdoors into AI coding assistant configurations, while North Korea's Sapphire Sleet compromised over 140 Mastra npm packages to steal cryptocurrency wallets, and the ongoing GlassWorm campaign pivoted to WebAssembly malware in VS Code extensions using the Solana blockchain as command-and-control. Social engineering also industrialized: the ErrTraffic framework turned ClickFix deception into a Malware-as-a-Service operation with blockchain dead drops, and EvilTokens hid phishing flows inside browser-side encryption to defeat network scanners while hijacking Microsoft device-code authentication.
Organizations should treat AI deployments as untrusted perimeter assets—restrict their network access, audit third-party skills and extensions, and assume prompt-injection attacks will target both automated scanners and human analysts. Every internet-facing VPN, firewall, and edge appliance should be patched immediately, with credentials rotated and phishing-resistant MFA enforced, because perimeter authentication failures now cascade directly into internal network compromise.
SentinelLABS identified macOS.Gaslight, a DPRK-aligned Rust backdoor targeting macOS systems. The implant establishes a resilient C2 channel via the Telegram Bot API using AES-GCM over pinned TLS and achieves persistence via a masqueraded LaunchAgent. Notably, it embeds a 38-message prompt-injection payload designed to feed fabricated system errors to LLM-assisted triage tools, aiming to abort or corrupt automated analysis. The malware also stages a standalone Python environment to execute a credential and data stealer.
Trust Chains Broken at Scale While ClickFix Becomes a Service
This week, attackers stopped trying to kick down the front door and instead walked in through the trust chains that hold digital ecosystems together. North Korea's Sapphire Sleet compromised over 140 Mastra npm packages through a single typosquatted dependency, stealing cryptocurrency wallets and planting persistent backdoors on developer machines. The GlassWorm group trojanized Open VSX extensions with WebAssembly malware that uses the Solana blockchain as an unkillable command channel, while SmartApeSG hijacked the Okendo Reviews widget to serve malicious prompts on thousands of e-commerce sites. Even vendor integrations became a liability: the Klue breach exposed Recorded Future client data through a compromised OAuth token connecting a marketing tool to Salesforce.
Deception also became an industrial product. The ErrTraffic framework now operates as full Malware-as-a-Service, using blockchain smart contracts to hide its infrastructure and compromised WordPress sites to serve fake error prompts that trick users into running malicious commands. Attackers weaponized trusted AI platforms too—one campaign abused claude.ai's shared chat feature to deliver MacSync infostealer on macOS, while the shai_hulululud npm package uses prompt injection to blind AI-powered security scanners. On the infrastructure side, the FortiBleed campaign cracked credentials for over 73,000 FortiGate firewalls with a 45-GPU cluster, handing attackers valid keys to government and defense networks worldwide.
Defenders should immediately hunt for the easy-day-js dependency in their npm projects, reset credentials on any FortiGate firewall, enable Azure AD Graph Activity Logs to close a years-long reconnaissance visibility gap in Microsoft cloud environments, and audit OAuth tokens on all third-party vendor integrations.
Microsoft identified a large-scale npm supply chain attack by North Korean threat actor Sapphire Sleet, compromising over 140 packages in the Mastra ecosystem. The attackers used a compromised maintainer account to inject a malicious typosquat dependency that executes a cross-platform Node.js implant during installation, leading to cryptocurrency wallet theft, host reconnaissance, and persistent backdoor access.
Insikt Group's analysis of the global state digital surveillance landscape identifies 31 countries as high or very high risk, driven by the proliferation of commercial spyware, network interception technologies, and AI-powered data aggregation. The report outlines five primary surveillance vectors—network, endpoint, platform, public space, and data aggregation—and highlights the increasing threat to foreign nationals and business travelers, necessitating strict device management and travel security protocols.
The CrowdStrike 2026 Technology Threat Landscape Report highlights that the technology sector remains the primary target for both state-sponsored and eCrime adversaries. China-nexus actors focus on intellectual property theft and AI capabilities, while DPRK-nexus actors leverage fraudulent employment and open-source supply chain compromises (such as the Axios npm package). Additionally, eCrime groups are accelerating extortion operations and exploiting AI trends to distribute malware like macOS infostealers.
A targeted supply chain attack attributed to Famous Chollima compromised a development branch of the legitimate PHP package 'roberts/leads' on Packagist. The attackers injected an obfuscated JavaScript loader into a tailwind.js configuration file, which utilizes blockchain RPC infrastructure as a dead drop to retrieve and execute secondary payloads like DEV#POPPER RAT, likely as part of a Contagious Interview developer lure.
Session Hijacking and Developer Tool Poisoning Collapse Authentication Trust
This week, attackers proved that multi-factor authentication is no longer a reliable gatekeeper. Campaigns like Tycoon 2FA and Chinese-language PhaaS platforms intercept one-time passwords in real time and steal session tokens to maintain persistent access, while infostealers like EKZ Infostealer harvest browser cookies to bypass authentication entirely. Even when victims reset passwords and revoke sessions, attackers retain access through hidden device registrations — meaning standard incident response playbooks are now incomplete.
Developers remain the preferred entry point for supply chain compromise. The Glassworm botnet was disrupted after hiding malware in VSCode extensions and npm packages, while the Megalodon campaign poisoned GitHub Actions workflows across 5,500 repositories. A malicious Sicoob.Sdk NuGet package stole banking certificates from Brazilian developers, and North Korea's Lazarus group compromised the widely used axios npm library — a single attack touching millions of downstream applications.
Organizations must move beyond password-and-MFA reliance: adopt hardware security keys, shorten session lifetimes, delete attacker-registered devices before resetting credentials, and audit developer toolchains and CI/CD pipelines for tampering.
Void Dokkaebi has updated its InvisibleFerret malware by compiling the original Python scripts into Cython binaries (.pyd for Windows, .so for macOS) to evade traditional script-based detection. The campaign utilizes a multi-stage BeaverTail JavaScript infection chain to deliver these binaries, targeting software developers to steal cryptocurrency wallet credentials, establish backdoor access, and downgrade browser security controls.
North Korea-aligned APT ScarCruft executed a multi-platform supply-chain attack compromising the sqgame platform to target ethnic Koreans in China's Yanbian region. The campaign distributed the BirdCall backdoor via trojanized Android applications and malicious Windows updates (which initially dropped RokRAT), enabling extensive espionage capabilities including data exfiltration, audio recording, and screen capture.
Attackers are increasingly targeting CI/CD pipelines to harvest secrets and pivot to production environments using techniques like workflow modification and privileged trigger exploitation. Elastic has released an open-source tool, cicd-abuse-detector, which leverages regex-based signal extraction and LLM analysis to detect suspicious pipeline changes during the pull request phase.
North Korean state-sponsored actors, including Lazarus and TraderTraitor, are highly motivated to access advanced AI models to accelerate their labor-intensive cryptocurrency heists. The primary attack vectors are not direct breaches of AI cryptographic perimeters, but rather supply chain compromises, fraudulent hiring of DPRK IT workers, and third-party contractor misuse.
The rapid adoption of agentic AI in enterprise environments introduces significant security risks by amplifying existing software supply chain and identity management vulnerabilities. Threat actors can leverage prompt engineering, input manipulation, and malicious packages to weaponize AI agents, necessitating zero-trust principles, robust IAM for non-human identities, and human-in-the-loop safeguards.
Microsoft Threat Intelligence identified a macOS-focused campaign by North Korean threat actor Sapphire Sleet that uses social engineering to deliver malicious AppleScripts disguised as Zoom updates. The attack leverages built-in macOS utilities like curl and osascript to bypass security controls, manipulate TCC databases, harvest credentials, and exfiltrate sensitive data such as cryptocurrency wallets.
A supply chain attack involving a compromised version of the Axios library (1.14.1) impacted OpenAI's macOS app signing workflow. The malicious package was executed in a GitHub Actions CI pipeline with access to sensitive code signing certificates, prompting OpenAI to revoke the certificates, rebuild applications, and force user updates, though no downstream compromise or data exfiltration was observed.
Recent supply chain attacks in March 2026, including the compromise of the widely used Axios npm package by North Korean actors and CI/CD targeting by TeamPCP, highlight the increasing threat to the open-source ecosystem. These incidents underscore the necessity of supporting and securing open-source maintainers against sophisticated nation-state social engineering and credential theft campaigns, rather than abandoning open-source architecture.
North Korean state actors compromised the lead maintainer of the popular Axios npm package through a highly targeted social engineering campaign. By establishing credibility via fake corporate personas and communication channels, the attackers tricked the developer into executing malware disguised as a software update, ultimately gaining unauthorized publish access to the npm registry.
North Korea's Contagious Interview campaign has launched a coordinated supply chain attack across five major open-source ecosystems. The threat actors published malicious packages masquerading as legitimate developer tools that act as staged loaders to deliver remote access trojans (RATs) and infostealers to developer workstations.
A high-severity social engineering campaign is actively targeting open source developers on Slack by impersonating Linux Foundation leaders. The multi-stage attack uses a fake AI tool lure to harvest credentials and trick victims into installing a malicious root certificate, leading to traffic interception and malware execution on macOS and Windows systems.
A sophisticated social engineering campaign linked to DPRK-nexus actor UNC1069 is targeting high-impact Node.js and npm maintainers. Attackers build rapport over weeks before luring victims to spoofed video conferencing sites that deploy infostealing malware designed to hijack session tokens, bypass 2FA, and compromise the open-source software supply chain.
In March 2026, severe software supply chain attacks targeted popular open-source packages. A North Korean threat actor compromised the Axios NPM package to distribute a cross-platform RAT, while the TeamPCP group poisoned the LiteLLM PyPI package to harvest cloud and infrastructure secrets.
A DPRK-nexus threat actor, likely STARDUST CHOLLIMA, compromised the widely used Axios npm package using stolen maintainer credentials. The supply chain attack deployed updated, cross-platform variants of the ZshBucket malware capable of arbitrary command execution, payload injection, and file system enumeration, likely targeting the cryptocurrency and fintech sectors for financial gain.
Suspected DPRK state actors compromised the highly popular Axios npm package by taking over a maintainer's account and publishing malicious versions that deployed a cross-platform RAT via a phantom dependency. Concurrently, a threat group named TeamPCP conducted a cascading supply chain attack affecting Trivy, LiteLLM, and Telnyx to harvest CI/CD credentials. These incidents underscore the critical need for automated package monitoring, rapid credential rotation, and delayed dependency updates.
On March 31, 2026, the popular Axios npm package was compromised in a supply chain attack attributed to North Korean threat actor Sapphire Sleet. Malicious versions 1.14.1 and 0.30.4 included a fake dependency that silently executed a post-install script to download and install OS-specific Remote Access Trojans (RATs) on Windows, macOS, and Linux systems.
A North Korea-nexus threat actor, UNC1069, executed a software supply chain attack by compromising the maintainer account of the widely used 'axios' NPM package. They introduced a malicious dependency that uses a postinstall hook to silently deploy the WAVESHAPER.V2 backdoor across Windows, macOS, and Linux environments, enabling remote command execution and data theft.
North Korean threat group NICKEL ALLEY is targeting technology professionals and Web3 developers through fake job interviews and malicious code repositories. The group employs social engineering, the ClickFix tactic, and malicious VS Code tasks to deliver remote access trojans like PyLangGhost RAT and BeaverTail, primarily aiming for cryptocurrency theft and potential supply chain compromise.
The CrowdStrike 2026 Global Threat Report highlights a shift toward highly evasive, malware-free attacks leveraging valid credentials, AI tools, and supply chain compromises. Adversaries are operating with unprecedented speed, with average breakout times dropping to 29 minutes, while increasingly targeting AI infrastructure, cloud environments, and network edge devices.
Following the outbreak of a geopolitical conflict in the Middle East in early 2026, Akamai observed a 245% surge in malicious cyber activity targeting global enterprises. The threat landscape is characterized by massive increases in automated reconnaissance, credential harvesting, and data-wiping attacks by state-sponsored and hacktivist groups like Handala, primarily targeting the financial, ecommerce, and healthcare sectors.
Threat actors, particularly North Korean state-sponsored groups, are increasingly operationalizing AI to accelerate cyberattacks. They leverage generative AI for reconnaissance, social engineering, identity fabrication, and malware development, acting as a force multiplier that reduces technical friction while human operators maintain control over objectives.
AI Weaponization Collapses Trust as Identity Becomes the Perimeter
Attackers are using artificial intelligence to make phishing and social engineering dramatically cheaper and more convincing, as seen in BlueNoroff's AI-generated deepfake meetings targeting Web3 executives and the Bluekit phishing platform's built-in AI assistant that crafts lures on demand. Because these AI tools can generate convincing scams and steal session cookies to bypass multi-factor authentication, traditional email filters and basic MFA are no longer sufficient barriers. In parallel, attackers are shifting from hacking infrastructure to hijacking identity and trust systems—installing legitimate remote-access tools via phishing, exploiting API authentication flaws like BOLA, and harvesting credentials through malicious AI browser extensions that spy on users in real time. This identity-focused shift compounds with the persistent exploitation of older vulnerabilities; groups like SHADOW-EARTH-053 still use years-old ProxyLogon flaws on unpatched Exchange servers, while CISA confirms CVE-2026-32202 (Microsoft Windows) and CVE-2026-41940 (cPanel) are already being exploited in the wild. Because AI models like Claude Mythos can now autonomously chain these vulnerabilities into working exploits at machine speed, defenders cannot rely on manual patching cadences to stay safe. These trends together suggest that the real perimeter is no longer the firewall but the identity layer, and defending it requires phishing-resistant authentication, automated response, and rigorous vetting of developer pipelines and third-party trust. Watch for AI-accelerated exploitation of unpatched systems and invest in identity-centric, machine-speed defenses before the next wave of automated attacks outpaces your team's response.