Cybersecurity News | Daily Recap [01 Apr 2026]

In today’s Daily Recap, the headlines span supply‑chain compromises such as the trojanized Axios npm package that dropped SILKBELL and WAVESHAPER.V2, the exposure of Anthropic Claude Code source, the LiteLLM compromise affecting Mercor, and a Trivy‑related breach that exposed Cisco source code. Coverage also highlights AI/cloud risks, CVEs and patches (Chrome CVE-2026-5281, Windows KB5086672, GIGABYTE CVE-2026-4415, TrueConf CVE-2026-3502) and editor RCEs for Vim/Emacs, plus nation‑state activity (APT28 PRISMEX, AgeWheeze, Handala Hack Team, attacks on Romania), ransomware and crime trends (Meriden, Leak Bazaar, Uranium Finance theft) and product and policy shifts (FBI warning on Chinese apps, Proton Meet, Drive ransomware detection). #Axios #SILKBELL #WAVESHAPER #ClaudeCode #LiteLLM #Mercor #Trivy #Cisco #APT28 #PRISMEX #Romania #AgeWheeze #KashPatel #DutchTreasury #Meriden #LeakBazaar #Uranium #Vim #Emacs

Supply Chain & Package Attacks

  • Attackers trojanized the popular Axios npm package to push a staged dependency (plain-crypto-js) that deployed the SILKBELL dropper and cross‑platform WAVESHAPER.V2 RAT, impacting many downstream projects. – Axios Breach, Axios Attribution, Axios Malware, Axios Compromise
  • An accidental npm release exposed nearly 2,000 TypeScript files from Anthropic’s Claude Code, sparking reposts, typosquatting, and dependency‑confusion concerns. – Claude Leak
  • A compromise in the open‑source LiteLLM supply chain led to a breach affecting AI startup Mercor and thousands of companies, with ties to TeamPCP and claims by Lapsus$. – LiteLLM Compromise
  • Stolen credentials from the Trivy supply-chain incident were used to breach Cisco dev environments and exfiltrate source code from over 300 GitHub repos. – Cisco Breach

AI & Cloud Risks

  • Researchers showed how malicious AI agents can escalate via Google Cloud’s agent model, abusing the P4SA and Agent Engine to exfiltrate artifacts and access customer projects. – Vertex Flaw, Vertex Research
  • Enterprise AI autonomy and identity risk drew attention in a webinar on Agentic AI and a guidance piece on categorizing AI agents, warning that agent access levels drive security exposure. – Agentic AI, Agent Risk

Vulnerabilities & Patches

  • Google issued emergency updates for a use‑after‑free Chrome zero‑day (tracked as CVE-2026-5281) — the fourth Chrome zero‑day fixed so far in 2026. – Chrome Zero-Day
  • Microsoft pushed an out‑of‑band Windows 11 update (KB5086672) to replace a pulled preview after installation errors and to restore protections. – Windows Patch
  • An arbitrary file‑write flaw in the GIGABYTE Control Center (tracked as CVE-2026-4415) could permit remote file writes and possible code execution; vendor update available. – GIGABYTE Flaw
  • A high‑severity TrueConf updater flaw (CVE-2026-3502) was exploited in the wild to deliver tampered updates and DLL side‑loading implants in Southeast Asia. – TrueConf Zero-Day
  • Proof‑of‑concept RCEs that trigger on file open were demonstrated for Vim and Emacs, with Vim patched and Emacs analysis ongoing; avoid opening untrusted files. – Editor RCE

Nation‑State & Targeted Attacks

  • APT28/Fancy Bear’s expanded PRISMEX campaign uses advanced steganography, fileless techniques, COM hijacking, and known CVEs to target NATO logistics and Ukrainian defense infrastructure. – PRISMEX Offensive
  • Romanian government institutions face more than 10,000 daily attack attempts, blamed on Russian‑connected actors and ransomware groups like Qilin and Gentlemen, alongside disinformation operations. – Romania Attacks
  • Pro‑Russian actors impersonated Ukraine’s CERT‑UA to distribute a password‑protected archive that installed the AgeWheeze RAT in targeted campaigns. – CERT‑UA Impersonation
  • The Iran‑linked Handala Hack Team published private content from FBI Director Kash Patel’s personal email, highlighting risks from weak personal account security. – Kash Patel
  • The Dutch Finance Ministry took its treasury banking portal offline after a breach, affecting roughly 1,600 public institutions’ online balance visibility while investigations proceed. – Dutch Treasury

Ransomware, Fraud & Crime Economy

  • The Inc ransomware group claims it breached the city of Meriden, CT and posted sample data; the city reports prolonged service disruptions but has not confirmed data loss. – Meriden Claim
  • A proposed dark‑web service called Leak Bazaar aims to turn messy ransomware dumps into searchable, monetizable intelligence, raising extortion and fraud concerns. – Leak Bazaar
  • Authorities indicted and charged a Maryland man for exploiting smart‑contract flaws to steal roughly $53–54M from Uranium Finance in 2021, with follow‑up seizures and money‑laundering allegations. – Uranium Theft, Uranium Charges
  • Security analysis warns stolen credentials sold by infostealers are fueling ransomware, supply‑chain compromises, and nation‑state attacks, underscoring identity‑centric defenses. – Stolen Logins

Product, Privacy & Policy

  • The FBI advised US users to beware of foreign apps—especially those from China—that may collect extensive personal data and urged stronger device hygiene and reporting. – FBI Warning
  • Google enabled AI‑powered Google Drive ransomware detection by default for paid Workspace customers to pause syncs, notify admins, and guide recovery. – Drive Protection
  • Google began rolling out Android developer verification to reduce anonymous sideloading (starting in Brazil, Indonesia, Singapore, Thailand) ahead of global enforcement. – Android DevID
  • Privacy‑focused provider Proton launched Meet, an end‑to‑end encrypted conferencing service with free one‑hour meetings and paid Pro plans. – Proton Meet

Trends & Funding

  • Internet‑scanning firm Censys raised $70 million to expand its internet‑intelligence platform and tooling. – Censys Funding
  • Analysis warns the next cybersecurity crisis may be untrustworthy data—impacting AI decisions and operations—and calls for stronger data governance and provenance. – Data Trust

Cybersecurity News | Daily Recap – hendryadrian.com