[{"data":1,"prerenderedAt":177},["ShallowReactive",2],{"publication-daily-threat-publications-2026-04-02":3},{"pub_id":4,"headline":5,"summary":6,"pub_date":7,"total_articles":8,"articles":9},"pub-2026-04-02","Chrome Zero-Day Under Active Attack as Supply Chain Threats Hit Axios and TrueConf","This 24-hour period has been marked by a surge in high-impact threats, including the active exploitation of a critical zero-day vulnerability (CVE-2026-5281) in Google Chrome, affecting billions of users. Concurrently, sophisticated supply chain attacks have compromised widely-used developer tools, with North Korean actors targeting the Axios npm package and a Chinese-nexus group exploiting a zero-day in TrueConf video conferencing software. These incidents, coupled with ongoing nation-state espionage campaigns and ransomware attacks on critical infrastructure, highlight a landscape of escalating complexity and risk, demanding immediate patching and heightened vigilance from all organizations.","2026-04-02",9,[10,38,62,81,98,113,130,146,164],{"id":11,"slug":12,"headline":13,"title":14,"severity":15,"excerpt":16,"tags":17,"categories":25,"createdAt":29,"updatedAt":30,"readingTime":31,"cves":32,"cvssScore":34,"isUpdate":35,"updateSummary":36,"updateContent":37},"d97424e5-1a38-4bdf-90b3-d834b5a50056","team-pcp-cascading-supply-chain-attack-compromises-litellm","TeamPCP's Supply Chain Attack Cascade Hits LiteLLM, Stealing AI Credentials","Multi-Stage Supply Chain Attack by TeamPCP Compromises Trivy, Checkmarx, and LiteLLM","critical","The threat actor group 'TeamPCP' has executed a sophisticated, multi-stage supply chain attack, beginning with the compromise of the popular open-source vulnerability scanner Trivy. The attackers leveraged this access to poison downstream GitHub Actions, stealing credentials from CI/CD pipelines. They then pivoted to compromise other developer tools, including Checkmarx KICS, before publishing malicious versions of the widely-used LiteLLM AI gateway on PyPI. The trojanized LiteLLM packages were designed to steal sensitive AI API credentials, exfiltrating them to an attacker-controlled server. This cascading attack highlights the systemic risk in the open-source software supply chain, where a single point of failure can lead to widespread compromise across thousands of dependent projects.",[18,19,20,21,22,23,24],"supply chain","PyPI","GitHub Actions","CI/CD","credential theft","open source","AI security",[26,27,28],"Supply Chain Attack","Malware","Threat Actor","2026-03-26T15:00:00.000Z","2026-04-02T00:00:00.000Z",6,[33],"CVE-2026-33634",9.4,true,"AI firm Mercor confirmed as victim of the LiteLLM supply chain attack, with Lapsus$ claiming 4TB data theft and extortion. This escalates the incident's real-world impact.","AI recruiting firm Mercor has confirmed it was impacted by the LiteLLM supply chain attack. Malicious versions 1.82.7 and 1.82.8 of LiteLLM were briefly available on March 27, during which Mercor's systems were compromised. The notorious Lapsus$ group has since claimed responsibility for stealing over 4 terabytes of data from Mercor and listed the company on its data leak site, indicating an extortion attempt. This development significantly increases the real-world severity and impact of the previously reported LiteLLM compromise, highlighting the cascading risks of supply chain vulnerabilities and the involvement of high-profile extortion groups.",{"id":39,"slug":40,"headline":41,"title":42,"severity":15,"excerpt":43,"tags":44,"categories":53,"createdAt":56,"updatedAt":30,"readingTime":31,"cves":57,"cvssScore":59,"isUpdate":35,"updateSummary":60,"updateContent":61},"ce7f55d2-7944-4197-9649-29f95662aba0","trueconf-zero-day-exploited-in-truechaos-campaign","Chinese-Nexus Actor Exploits TrueConf Zero-Day in \"TrueChaos\" Campaign","TrueConf Zero-Day (CVE-2026-3502) Exploited in 'TrueChaos' Campaign Targeting Governments","A zero-day vulnerability in the TrueConf video conferencing application, CVE-2026-3502, has been actively exploited in a targeted campaign named 'TrueChaos.' The campaign, attributed with moderate confidence to a Chinese-nexus threat actor, has targeted government entities in Southeast Asia. The CVSS 7.8 flaw exists in the update mechanism of the TrueConf Windows client, allowing an attacker who has compromised an on-premises TrueConf server to push malicious updates to all connected endpoints, thereby deploying malware like the Havoc C2 framework.",[45,46,47,48,49,50,51,52],"zero-day","cve","trueconf","truechaos","apt","china","havoc c2","espionage",[54,28,55],"Vulnerability","Cyberattack","2026-03-30T15:00:00.000Z",[58],"CVE-2026-3502",7.8,"Check Point attributes 'Operation TrueChaos' to Chinese APT; new D3FEND detection/mitigation details provided.","New analysis from Check Point attributes the 'Operation TrueChaos' campaign, exploiting CVE-2026-3502 in TrueConf, to a Chinese-nexus APT group. The updated report provides a refined attack chain, including a user prompt for malicious updates, and incorporates specific D3FEND techniques for network traffic analysis, endpoint analysis, and server integrity monitoring for enhanced detection. Mitigation strategies now explicitly include network isolation and application control, reinforcing the importance of updating TrueConf clients to version 8.5.3.",{"id":63,"slug":64,"headline":65,"title":66,"severity":67,"excerpt":68,"tags":69,"categories":76,"createdAt":77,"updatedAt":30,"readingTime":78,"isUpdate":35,"updateSummary":79,"updateContent":80},"1b86da6d-f5b8-439a-ae37-0faf100c5190","shinyhunters-claims-massive-data-breach-at-european-commission","European Commission Confirms Data Breach After ShinyHunters Claims 350GB Theft","ShinyHunters Hacking Group Claims Massive Data Breach at European Commission, Allegedly Stealing 350GB from Europa.eu Portal","high","The European Commission (EC) has confirmed a cyberattack targeting its Europa.eu web portal, following a claim by the notorious hacking group ShinyHunters. The group alleges it breached one of the Commission's Amazon Web Services (AWS) accounts and exfiltrated over 350GB of sensitive data, including mail servers, databases, and confidential documents. ShinyHunters has reportedly leaked a 90GB archive as proof. While the EC acknowledged the intrusion and data theft, it sought to downplay the impact, stating that internal systems were not affected and the breach was limited to public-facing websites. This incident marks the second data breach for the EC in 2026, raising serious questions about the security posture of EU institutions.",[70,71,72,73,74,55,75],"ShinyHunters","Data Breach","European Commission","AWS","Cloud Security","Government",[71,28,55],"2026-04-01T15:00:00.000Z",5,"ShinyHunters provided screenshots showing employee data and email server access as proof of 350GB data theft from EC's Europa.eu portal.","The European Commission's data breach by ShinyHunters is further substantiated by the group's release of screenshots, purportedly showing employee data and access to an email server. This new evidence reinforces the extent of the 350GB data theft from the EC's AWS environment hosting the Europa.eu portal. The incident follows a separate recent compromise of the Commission's mobile device management system, highlighting ongoing security challenges for the institution as it investigates the latest breach.",{"id":82,"slug":83,"headline":84,"title":85,"severity":67,"excerpt":86,"tags":87,"categories":94,"createdAt":96,"updatedAt":96,"readingTime":31,"isUpdate":97},"d6370eec-e82b-465d-a4bf-4570b06fc147","chinese-apt-mustang-panda-renews-espionage-campaign-against-european-governments","Chinese APT Mustang Panda Renews Espionage Campaign Against European Governments","Chinese APT TA416 (Mustang Panda) Targets European Governments with Evolving Malware Delivery Tactics","The Chinese state-sponsored threat group TA416, also known as Mustang Panda, has resumed its cyber-espionage operations against European government and diplomatic entities, including EU and NATO missions. According to Proofpoint, the group has been active since mid-2025, using evolving tactics to deliver its signature PlugX malware. Attack methods have included spoofed Cloudflare Turnstile pages, abuse of Microsoft Entra ID applications, and malicious archives containing a renamed MSBuild executable. The campaigns leverage phishing links distributed via compromised and newly created email accounts to deliver malware hosted on legitimate cloud services like Google Drive and Azure Blob Storage.",[88,89,90,91,52,92,93],"APT","Mustang Panda","TA416","China","PlugX","MSBuild",[28,55,95],"Phishing","2026-04-02T15:00:00.000Z",false,{"id":99,"slug":100,"headline":101,"title":102,"severity":103,"excerpt":104,"tags":105,"categories":112,"createdAt":96,"updatedAt":96,"readingTime":78,"isUpdate":97},"85da74de-a19d-4136-b5b3-2caf3fc0b385","social-engineering-campaign-abuses-whatsapp-for-windows","Microsoft Warns of Social Engineering Campaign Abusing WhatsApp for Windows","Microsoft Uncovers Social Engineering Campaign Targeting WhatsApp for Windows Users with VBScript Malware","medium","Microsoft has issued a warning about an ongoing social engineering campaign targeting users of the WhatsApp desktop application on Windows. Attackers send malicious Visual Basic Script (`.vbs`) files disguised as legitimate attachments. Once executed, the script uses 'living off the land' (LOTL) techniques, copying and renaming legitimate Windows tools to download and execute remote access software. The malware also attempts to bypass User Account Control (UAC) and establishes persistence through registry modifications, giving attackers full control over the victim's machine. This attack does not exploit a software vulnerability but relies entirely on tricking the user.",[106,107,108,109,110,111],"social engineering","WhatsApp","VBScript","malware","LOTL","Microsoft",[95,27],{"id":114,"slug":115,"headline":116,"title":117,"severity":15,"excerpt":118,"tags":119,"categories":125,"createdAt":96,"updatedAt":96,"readingTime":78,"cves":127,"cvssScore":129,"isUpdate":97},"c23cf2cb-3082-42ae-a2be-7f6c8395749b","cisco-patches-critical-rce-flaw-in-ssm-on-prem","Cisco Patches Critical Unauthenticated RCE Flaw in Smart Software Manager","Cisco Patches Critical 9.8 CVSS RCE Vulnerability (CVE-2026-20160) in SSM On-Prem","Cisco has released a security patch for a critical vulnerability, CVE-2026-20160, in its Smart Software Manager On-Prem (SSM On-Prem) product. The flaw, which has a CVSS score of 9.8, could allow an unauthenticated, remote attacker to execute arbitrary commands with root privileges on the underlying operating system. The vulnerability is due to insufficient access control on a specific API. An attacker can exploit it by sending a crafted HTTP request. Cisco has released software updates and confirms there are no workarounds. The company's PSIRT is not aware of any malicious exploitation of this flaw, which was discovered during internal security testing.",[120,121,122,15,123,124],"Cisco","vulnerability","RCE","patch management","root",[54,126],"Patch Management",[128],"CVE-2026-20160",9.8,{"id":131,"slug":132,"headline":133,"title":134,"severity":67,"excerpt":135,"tags":136,"categories":143,"createdAt":96,"updatedAt":96,"readingTime":31,"isUpdate":97},"bfc07355-0edb-4926-b467-703d0c04c883","ransomware-attack-hits-north-dakota-water-treatment-plant","North Dakota Water Treatment Plant Hit by Ransomware, Reverts to Manual Operations","Ransomware Attack on North Dakota Water Treatment Plant Forces 16-Hour Manual Operation","A water treatment facility in Minot, North Dakota, serving approximately 80,000 people, was hit by a ransomware attack in March 2026. The attack compromised the plant's Supervisory Control and Data Acquisition (SCADA) system, forcing operators to shut it down and revert to manual processes for about 16 hours. City officials confirmed the incident, emphasizing that the water supply remained safe throughout. A ransomware note was found, but no specific demand was made, and no ransom was paid. The plant is currently using a backup server while a new, more secure system is prepared. The incident highlights the growing cyber threats targeting U.S. critical infrastructure.",[137,138,139,140,141,142],"ransomware","ICS","OT","SCADA","critical infrastructure","water sector",[144,145,55],"Ransomware","Industrial Control Systems",{"id":147,"slug":148,"headline":149,"title":150,"severity":151,"excerpt":152,"tags":153,"categories":161,"createdAt":96,"updatedAt":96,"readingTime":78,"isUpdate":97},"a7ba5a6b-64fd-45dd-a3dd-f5f891b3672b","ai-emerges-as-top-cybersecurity-risk-for-retail-and-hospitality","AI Now Leading Source of Friction for CISOs in Retail and Hospitality, Report Finds","AI Surpasses Ransomware as Top Cybersecurity Concern for Retail and Hospitality CISOs","informational","A new CISO Benchmark Report from the Retail & Hospitality ISAC (RH-ISAC) and IANS reveals a significant shift in the threat landscape: Artificial Intelligence is now the top concern for security leaders in these sectors. 71% of surveyed CISOs identified AI as a primary source of friction, placing it ahead of traditional threats like ransomware and phishing. Key risks associated with AI include data leakage, insider misuse, and inadequate governance. While AI is also driving investment in security operations for improved threat detection, its rapid adoption is creating new and complex challenges for cybersecurity teams.",[154,155,156,157,158,159,160],"AI","artificial intelligence","CISO","cybersecurity risk","data leakage","governance","RH-ISAC",[162,163],"Policy and Compliance","Threat Intelligence",{"id":165,"slug":166,"headline":167,"title":168,"severity":67,"excerpt":169,"tags":170,"categories":176,"createdAt":96,"updatedAt":96,"readingTime":31,"isUpdate":97},"f2af0695-671b-48cd-85fc-3494064e2a12","iranian-hackers-launch-coordinated-password-spray-attacks-on-middle-east","Iranian Hackers Launch Coordinated Password Spray Attacks on Middle East","Iranian APT Gray Sandstorm Linked to Password Spray Attacks Supporting Kinetic Operations in Middle East","The Iranian APT group Gray Sandstorm is suspected of conducting a large-scale password spray campaign against government and private sector organizations in Israel and the UAE. According to Check Point researchers, the cyberattacks, which began in early March 2026, targeted Microsoft 365 accounts and appear to be coordinated with physical military operations. The timing and targeting of municipalities responsible for damage response suggest the attacks were intended to support kinetic missile and drone strikes, likely for intelligence gathering and Bombing Damage Assessment (BDA). This campaign exemplifies the use of cyber operations in modern hybrid warfare.",[171,172,173,88,174,175],"password spray","Gray Sandstorm","Iran","Microsoft 365","hybrid warfare",[28,55,95],1775141552679]