Another week, another collection of serious threats demanding immediate attention from security teams. The week ending April 6, 2026 delivered a North Korean npm supply chain attack against a widely used HTTP library, two actively exploited Chrome vulnerabilities, FortiClient EMS exploitation in the wild, and new evidence of commercial spyware deployment. Here's a consolidated look at everything that mattered.
Axios npm Supply Chain Attack — UNC1069 (North Korea)
The week's marquee story centered on the Axios npm package, one of the most downloaded HTTP client libraries in the JavaScript ecosystem with over 300 million weekly downloads. A social engineering campaign attributed by Google Mandiant to UNC1069 — a North Korean threat cluster — successfully compromised the account of an Axios maintainer using a fake Microsoft Teams error fix lure (a variant of the ClickFix technique).
Once the maintainer's machine was compromised, UNC1069 gained access to the npm publishing credentials and pushed a malicious Axios version containing a cross-platform remote access trojan. The backdoored package was live in the npm registry long enough to be pulled into downstream CI/CD pipelines before detection.
Key details:
- Attack vector: social engineering via fake Teams error overlay, leading to PowerShell execution
- Compromised: npm maintainer credentials, publishing access
- Malicious payload: cross-platform RAT embedded in a legitimate HTTP library
- Attribution: UNC1069 (DPRK) via Google Mandiant
- The Drift crypto platform's $285 million theft earlier in the week was traced to a six-month-long social engineering operation also attributed to DPRK actors, reinforcing the pattern
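The practical defender-side question after a story like this is whether any copy of the library in a build was pulled in outside what the team reviewed and pinned. The script below is an added example, not code from the article or from the Axios project: it walks an npm lockfile (v2/v3 `packages` map, with a fallback for the v1 `dependencies` tree), lists every resolved copy of a named package, including nested copies under other dependencies, and flags versions outside a reviewed allowlist, entries with no `integrity` hash, and tarballs resolved from somewhere other than the public registry. The lockfile, version numbers and hashes are constructed placeholders, not the real Axios releases or the compromised version.

```javascript
// Added example (not from the article or the Axios project): audit a package-lock.json
// for every resolved copy of one package. SAMPLE_LOCK is constructed sample data; the
// versions and integrity strings are placeholders, not real Axios releases.
const SAMPLE_LOCK = {
  name: "sample-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", dependencies: { axios: "^1.0.0" } },
    "node_modules/axios": {
      version: "1.0.0",
      resolved: "https://registry.npmjs.org/axios/-/axios-1.0.0.tgz",
      integrity: "sha512-PLACEHOLDER_REVIEWED_HASH",
    },
    "node_modules/some-lib": {
      version: "2.3.4",
      resolved: "https://registry.npmjs.org/some-lib/-/some-lib-2.3.4.tgz",
      integrity: "sha512-PLACEHOLDER_HASH",
      dependencies: { axios: "1.9.9" },
    },
    // A nested copy pulled in transitively; note it has no integrity field, so npm
    // cannot verify the tarball it installs.
    "node_modules/some-lib/node_modules/axios": {
      version: "1.9.9",
      resolved: "https://registry.npmjs.org/axios/-/axios-1.9.9.tgz",
    },
  },
};

// Return every occurrence of pkgName in the lockfile, top-level or nested.
// v2/v3 lockfiles keep a flat `packages` map keyed by install path; v1 lockfiles
// nest a `dependencies` tree, which we walk recursively.
function findPackageEntries(lock, pkgName) {
  const out = [];
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === "node_modules/" + pkgName || path.endsWith("/node_modules/" + pkgName)) {
        out.push({ path, ...entry });
      }
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps)) {
        const path = prefix + "node_modules/" + name;
        if (name === pkgName) out.push({ path, ...entry });
        if (entry.dependencies) walk(entry.dependencies, path + "/");
      }
    };
    walk(lock.dependencies, "");
  }
  return out;
}

// Compare each resolved copy against the versions the team has reviewed and pinned.
// Findings, in lockfile order: a version not on the allowlist, a missing integrity
// hash, or a tarball resolved from outside the public registry.
function auditLockfile(lock, pkgName, allowedVersions) {
  const allowed = new Set(allowedVersions);
  const findings = [];
  for (const e of findPackageEntries(lock, pkgName)) {
    if (!allowed.has(e.version)) {
      findings.push({ path: e.path, issue: "version-not-allowlisted", version: e.version });
    }
    if (!e.integrity) {
      findings.push({ path: e.path, issue: "missing-integrity", version: e.version });
    }
    if (e.resolved && !e.resolved.startsWith("https://registry.npmjs.org/")) {
      findings.push({ path: e.path, issue: "non-registry-source", version: e.version });
    }
  }
  return findings;
}

// Usage: the only reviewed version is 1.0.0, so the nested 1.9.9 copy produces
// two findings (unexpected version, no integrity hash).
console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK, "axios", ["1.0.0"]), null, 2));
```

Run it against a real lockfile by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json"))` and the allowlist with the versions your team actually reviewed; it is the nested copies that `npm ls` users tend to overlook, and the missing-integrity case is exactly where an install can silently differ from what was audited.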
Chrome Zero-Day — CVE-2026-5281 and Ongoing V8 Exploitation
Google released an emergency update for Chrome after confirming another zero-day under active exploitation. CVE-2026-5281 joins a growing list of Chrome zero-days in 2026, with this being the fourth or fifth depending on the counting methodology. The flaw is a use-after-free vulnerability in the V8 JavaScript engine enabling arbitrary code execution in the renderer process.
Google has not released full technical details pending broader patch adoption, but confirmed the vulnerability is being exploited in targeted attacks. Users should verify Chrome has updated to the latest version. The ongoing frequency of Chrome zero-days in 2026 reflects both the browser's attack surface and the elevated demand for browser exploits from nation-state and criminal actors.
Fortinet FortiClient EMS — Active Exploitation in the Wild
CVE-2026-35616, a critical vulnerability in Fortinet's FortiClient Endpoint Management Server (EMS), moved from patched to actively exploited during the week. The flaw enables remote code execution against EMS servers and was assigned a CVSS score reflecting critical severity.
Fortinet released an emergency patch but security researchers observed exploitation in the wild before patch adoption was widespread. Organizations running FortiClient EMS should verify patch status immediately — EMS servers manage endpoint security configurations across entire enterprise environments, making them high-value targets for ransomware operators seeking to disable endpoint protection before lateral movement.
The exploitation of FortiClient EMS follows a pattern of ransomware groups specifically targeting security product management infrastructure to create blind spots before deploying payloads.
Paragon Spyware — New Campaign Evidence
Evidence emerged this week of Paragon Solutions commercial spyware being deployed in active targeted campaigns. Paragon, an Israeli surveillance vendor, markets its Graphite spyware product to government clients for what it describes as lawful interception purposes.
Researchers identified new infrastructure associated with Graphite deployments and documented targeting patterns consistent with journalists, activists, and political dissidents — a recurring concern with commercial spyware vendors regardless of their stated use policies. The findings follow prior reporting that linked Paragon infrastructure to surveillance operations in multiple countries.
Device Code Phishing — 37x Surge in New Kits
A separate but significant development: researchers documented a 37-fold increase in device code phishing attack kits being distributed and discussed in underground forums. Device code phishing abuses the OAuth device authorization flow — designed for input-constrained devices like smart TVs — to steal Microsoft 365 access tokens and bypass MFA entirely.
The surge in ready-to-use kits indicates the technique has crossed from nation-state-exclusive territory into the broader cybercriminal ecosystem, with Russian threat actors including Storm-2372 having pioneered the approach before it filtered to criminal groups.
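The detection angle on device code phishing follows from how the flow works: the token is issued to whichever device started the flow and is polling for it, while the victim completes the user code and MFA on the identity provider's genuine page. A successful phish therefore shows up in sign-in logs as a device-code sign-in, with MFA satisfied, from a network location that does not match the user's interactive sign-ins. The script below is an added example, not from the article or any vendor: it runs that logic over a few constructed sign-in records. The field names (`protocol`, `country`, `app`, `mfa`) are assumptions modelled loosely on identity-provider sign-in logs, not a specific product's schema.

```javascript
// Added example (not from the article): flag device-code sign-ins that fit the phishing
// pattern. SAMPLE_EVENTS are constructed records; the field names are assumptions.
const SAMPLE_EVENTS = [
  // alice's only device-code sign-in comes from a country she never signs in from
  // interactively; mfa is true because the victim really did complete MFA.
  { user: "alice@example.com", protocol: "deviceCode", ip: "198.51.100.7", country: "NL", app: "Microsoft Office", ts: "2026-04-02T09:14:00Z", mfa: true },
  { user: "alice@example.com", protocol: "browser", ip: "203.0.113.5", country: "DE", app: "Microsoft Office", ts: "2026-04-02T09:20:00Z", mfa: true },
  { user: "alice@example.com", protocol: "browser", ip: "203.0.113.5", country: "DE", app: "Outlook", ts: "2026-04-01T08:02:00Z", mfa: true },
  // bob has no interactive history to compare against, so the alert is lower severity.
  { user: "bob@example.com", protocol: "deviceCode", ip: "203.0.113.10", country: "DE", app: "Microsoft Office", ts: "2026-04-02T10:00:00Z", mfa: true },
  // A genuine input-constrained device, registered with an app on the allowlist.
  { user: "tv-lobby@example.com", protocol: "deviceCode", ip: "203.0.113.20", country: "DE", app: "Digital Signage Player", ts: "2026-04-02T10:30:00Z", mfa: false },
];

// Countries seen on each user's non-device-code (interactive) sign-ins.
function interactiveBaseline(events) {
  const baseline = new Map();
  for (const e of events) {
    if (e.protocol === "deviceCode") continue;
    if (!baseline.has(e.user)) baseline.set(e.user, new Set());
    baseline.get(e.user).add(e.country);
  }
  return baseline;
}

// Alert on every device-code sign-in except those from applications that are
// expected to use the flow (smart TVs, signage, CLI tools you have approved).
// Severity is "high" when the sign-in location contradicts the user's own
// interactive history, "medium" when there is no history to compare against.
// MFA being satisfied is deliberately NOT treated as exculpatory.
function detectDeviceCodeAbuse(events, { allowedDeviceCodeApps = [] } = {}) {
  const allowed = new Set(allowedDeviceCodeApps);
  const baseline = interactiveBaseline(events);
  const alerts = [];
  for (const e of events) {
    if (e.protocol !== "deviceCode" || allowed.has(e.app)) continue;
    const seen = baseline.get(e.user);
    const severity = seen && seen.size > 0 && !seen.has(e.country) ? "high" : "medium";
    alerts.push({
      user: e.user,
      severity,
      ip: e.ip,
      country: e.country,
      ts: e.ts,
      reason: severity === "high"
        ? `device-code sign-in from ${e.country}; user only signs in interactively from ${[...seen].join(",")}`
        : "device-code sign-in by a user account with no interactive baseline",
    });
  }
  return alerts;
}

// Usage: two alerts (alice high, bob medium); the signage account is skipped.
console.log(detectDeviceCodeAbuse(SAMPLE_EVENTS, { allowedDeviceCodeApps: ["Digital Signage Player"] }));
```

Alerting alone only shortens the window; the cleaner mitigation is to block the device authorization grant for every user and application that does not genuinely need it (Microsoft Entra Conditional Access, for example, exposes an authentication-flows condition for this), and to revoke sessions and refresh tokens for any account the rule fires on, since the attacker's token is what persists after the phishing page is gone.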
Other Stories Worth Noting
- Germany BKA unmasks REvil leaders: German federal police publicly identified the core operators behind REvil and GandCrab ransomware, including the alias "UNKN," linking them to 130+ attacks against German victims
- 36 malicious npm packages exploiting Redis and PostgreSQL: A cluster of malicious packages abused database connections to deploy persistent implants on developer machines
- Traffic violation QR code scams: A new phishing wave impersonating traffic violation notices uses QR codes to redirect victims to credential-harvesting pages, targeting mobile users who scan codes without scrutinizing URLs
What This Week Means
The convergence of a major npm supply chain attack, ongoing browser zero-day exploitation, and actively exploited enterprise security product vulnerabilities reinforces a few persistent themes:
- Developer tooling is a high-value target: Compromising widely used libraries delivers malicious code to thousands of downstream consumers with a single action
- Social engineering remains the most reliable initial access vector: Neither UNC1069's npm attack nor the Drift breach required a technical exploit to begin — both started with a human making a mistake
- Enterprise security products are not passive: FortiClient EMS exploitation demonstrates that attackers specifically seek to compromise the tools organizations rely on to protect themselves
- Browser zero-days are accelerating: Four or more Chrome zero-days in a single quarter signals elevated exploitation demand and a highly active browser vulnerability market
Source: The Hacker News