CyberSecurity Knuggets
Apr 02, 2026
Subject: Risky Bulletin: Iranian password sprays came first, then came the missiles
Sender: risky-biz@ghost.io
Content:
– Summary:
A suspected Iranian APT group ran a wide-ranging password-spray campaign against the Microsoft 365 accounts of governments and private-sector organizations in the Middle East, in particular Israeli and UAE municipalities in areas hit by drone and missile strikes.
– The campaign began in early March 2026, coinciding with Iran’s military actions following the strikes that killed Iranian leader Ali Khamenei and other officials.
– Municipalities were targeted because of their central role in bombing damage assessment (BDA) and emergency response.
– Other targets included private-sector entities in the satellite, aviation, energy, and maritime sectors.
– The campaign is still ongoing; password spraying was observed in three waves across March.
– The group believed responsible is Gray Sandstorm, an Iranian APT that has relied on password spraying since 2021.
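The spray signature described above (one or two guesses against many accounts from the same source, followed by a success on the account that fell) is easy to pull out of Entra ID sign-in logs once you group by source IP. The following is an added example, not code from the newsletter or from any vendor: the field names follow the Entra ID sign-in log schema, error code 50126 is Entra's "invalid username or password", and the one-hour window, the five-account threshold, the TEST-NET addresses and the sample records are constructed assumptions for the demonstration.

```javascript
// Added example (not from the newsletter): flag password-spray activity in
// Microsoft 365 / Entra ID sign-in records. Field names follow the Entra ID
// sign-in log schema; the window, thresholds and sample data are assumptions.
const INVALID_PASSWORD = 50126;     // Entra ID: invalid username or password
const WINDOW_MS = 60 * 60 * 1000;   // look for sprays inside a one-hour window
const MIN_DISTINCT_USERS = 5;       // many accounts ...
const MAX_ATTEMPTS_PER_USER = 2;    // ... but only one or two guesses each

const signIn = (upn, ip, when, code) => ({
  userPrincipalName: upn,
  ipAddress: ip,
  createdDateTime: when,
  status: { errorCode: code },
});

// Returns one alert per source IP whose failed sign-ins, inside some window of
// `windowMs`, touch at least `minUsers` distinct accounts with at most
// `maxPerUser` failures per account on average (wide, not deep).
function detectPasswordSpray(signIns, opts = {}) {
  const windowMs = opts.windowMs ?? WINDOW_MS;
  const minUsers = opts.minDistinctUsers ?? MIN_DISTINCT_USERS;
  const maxPerUser = opts.maxAttemptsPerUser ?? MAX_ATTEMPTS_PER_USER;
  const ts = (e) => Date.parse(e.createdDateTime);

  const byIp = new Map();
  for (const e of [...signIns].sort((a, b) => ts(a) - ts(b))) {
    if (!byIp.has(e.ipAddress)) byIp.set(e.ipAddress, []);
    byIp.get(e.ipAddress).push(e);
  }

  const alerts = [];
  for (const [ip, events] of byIp) {
    const failures = events.filter((e) => e.status.errorCode === INVALID_PASSWORD);
    let best = null;
    let start = 0;
    for (let end = 0; end < failures.length; end++) {
      // Slide the window start forward until it sits within windowMs of `end`.
      while (ts(failures[start]) < ts(failures[end]) - windowMs) start++;
      const slice = failures.slice(start, end + 1);
      const perUser = new Map();
      for (const f of slice) perUser.set(f.userPrincipalName, (perUser.get(f.userPrincipalName) ?? 0) + 1);
      const distinct = perUser.size;
      if (distinct >= minUsers && slice.length / distinct <= maxPerUser && (!best || distinct > best.distinctUsers)) {
        best = {
          ip,
          distinctUsers: distinct,
          attempts: slice.length,
          windowStart: failures[start].createdDateTime,
          windowEnd: failures[end].createdDateTime,
        };
      }
    }
    if (!best) continue;
    // A success from the spraying IP at or after the window's end is the sign the spray worked.
    best.successesAfterSpray = events
      .filter((e) => e.status.errorCode === 0 && ts(e) >= Date.parse(best.windowEnd))
      .map((e) => e.userPrincipalName);
    alerts.push(best);
  }
  return alerts;
}

// Constructed sample (not real telemetry): 203.0.113.7 tries one password
// against eight accounts over seven minutes, then signs in to the one that
// worked; 198.51.100.22 is a single user mistyping a password four times.
const SAMPLE_SIGN_INS = [];
for (let i = 0; i < 8; i++) {
  SAMPLE_SIGN_INS.push(signIn(`user${i + 1}@muni.example`, '203.0.113.7', `2026-03-05T02:0${i}:00Z`, INVALID_PASSWORD));
}
SAMPLE_SIGN_INS.push(signIn('user3@muni.example', '203.0.113.7', '2026-03-05T02:12:00Z', 0));
for (let i = 0; i < 4; i++) {
  SAMPLE_SIGN_INS.push(signIn('user9@muni.example', '198.51.100.22', `2026-03-05T02:2${i}:00Z`, INVALID_PASSWORD));
}
SAMPLE_SIGN_INS.push(signIn('user1@muni.example', '192.0.2.10', '2026-03-05T01:55:00Z', 0));

for (const a of detectPasswordSpray(SAMPLE_SIGN_INS)) {
  console.log(`spray from ${a.ip}: ${a.distinctUsers} accounts, ${a.attempts} attempts, ` +
              `${a.windowStart}..${a.windowEnd}; later successes: ${a.successesAfterSpray.join(', ') || 'none'}`);
}
```

The single-user burst from 198.51.100.22 is deliberately not flagged: a spray is distinguished from brute force by breadth across accounts, not by failure count, which is why the threshold is on distinct users with a cap on the per-user average. In production the same logic would run over the `signIns` export from Microsoft Graph and a successful entry in `successesAfterSpray` should trigger session revocation and a password reset for that account.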
Additional Security News:
– Statistics South Africa targeted by ransomware group XP95 asking for $100,000 ransom.
– Anthropic’s AI coding assistant Claude Code source code leaked via npm source maps.
– The popular npm package Axios was compromised; malicious versions were live for over three hours and reached thousands of downstream projects. The attack is attributed to North Korean group UNC1069.
– Telegram warns users against third-party clients as they may log details and are vulnerable to man-in-the-middle attacks.
– Google Workspace ransomware protection moved from beta to production.
– Australia investigates Facebook, Instagram, Snapchat, TikTok, and YouTube over social media minimum age enforcement failures.
– Italy fined Intesa Sanpaolo €31.8 million under GDPR for data misuse.
– OkCupid settled FTC investigation over sharing user data with third parties.
– Russia intensifies crackdown on VPNs and Apple ID balance refills.
– Iran will target US tech companies across the Middle East starting April 1.
– South Korea launched ransomware task force.
– CISA dropped an investigation into a failed polygraph incident involving former acting director Madhu Gottumukkala.
– Quantum computers capable of breaking encryption expected within 10-15 years, prompting Google and governments to accelerate adoption of quantum-resistant encryption.
– US charged Maryland man for hacking Uranium Finance platform, recovering $31 million.
– Nigerian fraudster sentenced to 15 years for scams stealing $1.5 million.
– Russian Flint24 hackers sentenced to prison.
– WhatsApp phishing campaign detected delivering backdoors.
– New malware identified includes the DeepLoad loader, which contains AI-generated code, and the CrySome RAT, which can survive factory resets.
– Phantom Stealer and Venom Stealer infostealers analyzed.
– New phishing-as-a-service platforms UPMI Ultimate and EvilTokens emerged.
– Sponsor interview with Knocknoc CEO about AI-enhanced security platform.
Podcasts:
– Risky Business podcast available with latest episodes on YouTube.
– Between Two Nerds talking about hacking and scams.
– Risky Business Features episode discusses LLM and nation-state iOS exploit kit.
Subject: Webinar Today: Agentic AI vs. Identity’s Last Mile Problem – Register Now
Sender: news@securityweek.com
Content:
– Invitation to live webinar on Wednesday, April 1, 1 PM ET.
– Topic: How Agentic AI reshapes identity security by automating controls across enterprises, addressing the “last mile” problem of disconnected applications and manual processes exploited by attackers.
– Webinar agenda:
* Real world breach case studies related to disconnected app risks
* Capabilities and limits of Agentic AI in identity security today
* Extending identity lifecycle management and governance into disconnected apps
* Automation replacing manual processes and eliminating blind spots
* Bringing all apps inside the identity perimeter
– Also promotes upcoming webinars on automated pentesting (April 7), CPS security ROI (May 13), and virtual Threat Detection and Incident Response Summit (May 20).
– Reminder: Email distribution controlled by SecurityWeek.
– Registration link provided.
Subject: N. Korean hackers were behind malicious versions of Axios
Sender: info@metacurity.com
Content:
– The North Korean group UNC1069 is linked to the compromise of the Axios npm package: malicious code was inserted into two versions, which were live for about three hours.
– Axios is a widely used JavaScript library for HTTP requests with tens of millions of downloads per week.
– The attackers also changed the email address on the maintainer’s account, which made recovery harder.
– Google’s Threat Intelligence Group confirmed the attribution to UNC1069, noting North Korea’s track record in supply chain attacks, often aimed at cryptocurrency theft.
– Cisco also suffered a cyberattack after attackers abused credentials stolen in the recent Trivy supply chain compromise; source code for AI products and customer data were accessed, and over 300 GitHub repositories were cloned.
– Anthropic leaked part of Claude AI assistant’s source code due to packaging error; no sensitive customer data was exposed.
– Apple shifted iOS update strategy by backporting security patches for older versions due to exploits like DarkSword; users resisting updates represented a security risk.
– AI recruiting startup Mercor confirmed a supply chain incident linked to LiteLLM compromise related to TeamPCP hacking group; Lapsus$ extortion group claimed to have data access.
– Researcher found vulnerabilities in Vim and GNU Emacs by prompting Claude AI; RCE possible by opening crafted files via modeline or Git config abuse.
– Palo Alto Networks showed how Google Cloud Vertex AI agents could be hijacked to execute backdoors, data exfiltration, and persistent attacks; Google recommends adopting least-privilege service accounts.
– ESET reported that nearly 80% of UK manufacturers suffered cyber incidents in 12 months, often with significant financial losses.
– India warned of “Android God Mode” malware abusing accessibility permissions to control devices fully; users should install only trusted apps and avoid granting accessibility rights to unknown apps.
– NYC Mayor reversed 2023 TikTok ban for city agencies with restrictions, despite ongoing concerns around China’s influence on TikTok.
– Water treatment plant in Minot, ND was targeted with ransomware implant, operated manually until resolution; FBI investigating.
– FBI warned against using foreign-made apps, especially Chinese ones, due to potential privacy and data security risks.
– Venture funding news: Tenex.ai raised $250M, Linx Security $50M, depthfirst $80M.
– European efforts to achieve digital sovereignty by replacing Microsoft products with open-source alternatives highlighted.
– Lawsuit alleges Perplexity AI shared user data with Meta and Google in violation of California privacy laws.
Subject: North Korean threat actor compromises axios npm package | The CyberWire 4.1.26s
Sender: editor@newsletter.n2k.com
Content:
– The North Korean group UNC1069 inserted a malicious dependency into Axios npm package versions 1.14.1 and 0.30.4; the library sees millions of downloads a week.
– The malicious code was an obfuscated dropper that deployed the WAVESHAPER.V2 backdoor on Windows, macOS, and Linux; the backdoor can gather system information, enumerate directories, and execute payloads.
– The impact is widespread because many popular packages depend on Axios.
– GTIG urges developers to audit dependencies, isolate infected hosts, rotate secrets, and adopt strict version pinning plus enhanced supply chain monitoring.
– Cisco sustained a cyberattack that exploited credentials stolen in the Trivy supply chain compromise; a malicious GitHub Action plugin was used and over 300 repositories were cloned, including AI product source code; customers such as banks and US government agencies are affected.
– ShinyHunters extortion group claims to have stolen internal corporate data from Cisco.
– Airbus to acquire UK cyber defense firm Ultra Cyber to enhance cyber portfolio and UK sovereign capabilities.
– Selected readings include fixes for Chrome zero-day, Iranian hacker offensives, and Pentagon Zero Trust challenges.
– Advertisement and promotion for CyberWire’s B2B services.
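The dependency audit GTIG recommends has a catch that is easy to miss: a compromised version can sit nested under another package (its own `node_modules` copy) even when the top-level copy is clean, so grepping `package.json` is not enough. The following is an added example, not code from the newsletter, GTIG or the axios project: it walks an npm lockfile (the `packages` map of lockfile v2/v3, or the nested `dependencies` tree of v1) and reports every installed copy of axios at the two versions named above, together with the package that pulled it in. The two lockfiles are constructed for the demonstration.

```javascript
// Added example (not from the newsletter or the axios project): scan an npm
// lockfile for the axios versions the report names. The lockfiles below are
// constructed; "packages" is the lockfile v2/v3 shape, "dependencies" is v1.
const COMPROMISED = { axios: new Set(['1.14.1', '0.30.4']) };

// "node_modules/a/node_modules/@scope/b" -> ["a", "@scope/b"]
function chainFromPath(lockPath) {
  return lockPath.split('node_modules/').map((s) => s.replace(/\/$/, '')).filter(Boolean);
}

// Returns every installed copy (hoisted or nested) whose name/version pair is
// in `compromised`. `via` lists the packages between the project root and the
// copy, so a nested hit shows which dependency dragged it in.
function auditLockfile(lock, compromised = COMPROMISED) {
  const findings = [];
  const check = (path, version) => {
    const chain = chainFromPath(path);
    const name = chain[chain.length - 1];
    if (compromised[name] && compromised[name].has(version)) {
      findings.push({ name, version, path, via: chain.slice(0, -1) });
    }
  };
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === '') continue; // the root project entry
      check(path, meta.version);
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        check(path, meta.version);
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return findings;
}

// Constructed lockfile v3: the hoisted axios is bad, and a second bad copy is
// nested under "some-sdk", which pins its own 0.30.x range.
const SAMPLE_LOCK_V3 = {
  name: 'muni-portal', lockfileVersion: 3,
  packages: {
    '': { name: 'muni-portal', dependencies: { axios: '^1.14.0', 'some-sdk': '^2.0.0' } },
    'node_modules/axios': { version: '1.14.1' },
    'node_modules/lodash': { version: '4.17.21' },
    'node_modules/some-sdk': { version: '2.0.0', dependencies: { axios: '^0.30.0' } },
    'node_modules/some-sdk/node_modules/axios': { version: '0.30.4' },
  },
};
// Constructed lockfile v1: top-level copy is clean, nested copy is not.
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    axios: { version: '1.14.0' },
    'some-sdk': { version: '2.0.0', dependencies: { axios: { version: '0.30.4' } } },
  },
};

for (const lock of [SAMPLE_LOCK_V3, SAMPLE_LOCK_V1]) {
  for (const f of auditLockfile(lock)) {
    const via = f.via.length ? ` (via ${f.via.join(' > ')})` : ' (hoisted)';
    console.log(`lockfile v${lock.lockfileVersion}: ${f.name}@${f.version} at ${f.path}${via}`);
  }
}
```

A hit with an empty `via` is the project's own (or a hoisted) copy; a non-empty `via` means a pinned range inside that dependency will reinstall the bad version on the next `npm install` until the upstream package is updated or an `overrides` entry in `package.json` forces the version. Run it against a real `package-lock.json` by reading the file with `fs.readFileSync` and passing the parsed object to `auditLockfile`.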
Subject: Registration Now Open: AI Risk Summit 2026 at The Ritz-Carlton, Half Moon Bay
Sender: news@securityweek.com
Chatlink: https://summymonkey.me/wp-json/chatlink/v1/sm-chat?chat=MTE0MjMwOTk0MTExNC4xMTAyNTkyMDEyNDU4LjE2NTM3ODkzNTIuMC4zNzEyMTFKTC4yMDAyQHN5bmQuY2NzZW5kLmNvbXx8Y2tzbStjeWJlcnNlY3VyaXR5QHN1bW15bW9ua2V5Lm1lf4040e9ca35d82f7af8df62a84cc188bc
Content:
– Announcement of registration opening for AI Risk Summit 2026 on August 11-12 at Ritz-Carlton, Half Moon Bay, California.
– The premier event for AI security and risk professionals.
– Program highlights:
* Securing generative and predictive AI
* Defending against adversarial AI and deepfakes
* Navigating AI-related regulatory and compliance issues
* Balancing innovation with risk management
* Technical deep dives on AI model vulnerabilities, prompt injection, supply chain threats, and agentic AI attack surface.
– Concurrent hosting of CISO Forum Summer Summit & Golf Classic at the same venue.
– Early bird full conference tickets available at $1795 including meals and receptions.
– Limited capacity, expected to sell out.
– Call for presentations and detailed event info links provided.
– Audience encouraged to register or consider speaking.
Subject: Hasbro Hit by Disruptive Cyberattacks
Sender: news@securityweek.com
Content:
– Headlines:
* Toy company Hasbro suffered disruptive cyberattacks.
* Axios npm package breached by North Korean supply chain attack.
* Google addresses security issues in its Vertex AI platform after researchers exploited AI agents.
* Depthfirst cybersecurity AI lab raised $80 million Series B.
* New DeepLoad malware deployed via ClickFix attacks.
* Chrome patched 21 vulnerabilities including an exploited zero-day.
* FBI warns about security risks of Chinese-made mobile apps.
* US charged a cryptocurrency hacker linked to Uranium Finance.
– Expert insights:
* Data integrity is a leadership issue, not just technical.
* Governance in Agentic AI systems needs improvement.
– Includes a recap of recent incidents, including Venom Stealer’s ongoing credential theft, exploitation of a Fortinet EMS flaw, AI-related security discoveries, ransomware attacks, and multiple vulnerabilities in enterprise software.
– Links to SecurityWeek’s virtual event lineup and resources.
Stay Well!
