Cybersecurity News | Daily Recap [06 Apr 2026]

The daily briefing highlights a European Commission cloud breach caused by a compromised Trivy update and a stolen AWS key, with TeamPCP/ShinyHunters exfiltrating 91–92 GB of data from europa.eu clients. It also covers urgent Fortinet FortiClient EMS CVE-2026-35616 fixes, REvil affiliates UNKN and Daniil Shchukin linked to numerous attacks and €35.4 million in damages, a six-month DPRK-backed Drift heist, the Axios npm compromise attributed to UNC1069 (WAVESHAPER.V2), 36 malicious npm packages, React2Shell credential harvesting campaigns, device-code phishing via EvilTokens, QR phishing schemes, the Voxbeam robocall case, the NI Education Authority outage, LinkedIn BrowserGate, and ULP data-quality concerns for infostealer feeds.
#Trivy #TeamPCP #ShinyHunters #EuropeanCommission #FortiClientEMS #CVE-2026-35616 #REvil #UNKN #DaniilShchukin #AnatolyKravchuk #Drift #UNC1069 #WAVESHAPER #Axios #React2Shell #EvilTokens #QRPhishing #Voxbeam #EducationAuthority #BrowserGate #ULPBurnout

Supply-Chain Breach

  • The European Commission cloud was breached after a compromised Trivy update and a stolen AWS API key allowed TeamPCP/ShinyHunters to exfiltrate roughly 91–92 GB of compressed data affecting dozens of europa.eu clients – EC Breach, EC Breach, EC Breach

Vulnerabilities & Patches

  • Fortinet released emergency hotfixes and patches for a critical pre-auth access-control bug in FortiClient EMS (CVE-2026-35616) that is being actively exploited with over 2,000 exposed instances reported – FortiClient EMS, FortiClient EMS

Ransomware Attribution

  • Germany’s BKA named REvil affiliate “UNKN” as Daniil Shchukin and added alleged developer Anatoly Kravchuk to wanted lists, linking them to 130 attacks and over €35.4 million in damages (≈€1.9M ransoms) – REvil Leaders

State-Linked Operations

  • A DPRK-linked, six-month social-engineering operation culminated in a $285 million theft from Drift using in-person meetings, fake firms and supply-chain tactics (malicious VS Code, TestFlight wallet) tied to on-chain Radiant Capital activity – Drift Heist
  • A targeted social-engineering hack of Axios maintainers led to malicious npm releases that injected a cross-platform RAT attributed to North Korean actor UNC1069 (WAVESHAPER.V2); maintainers recommend credential/key rotation – Axios Compromise

OSS & Package Attacks

  • Researchers found 36 malicious npm packages masquerading as Strapi v3 plugins that exploit Redis and PostgreSQL during postinstall to deploy persistent implants, harvest credentials and backdoor systems—users should assume compromise and rotate keys – Malicious npm

Credential Theft Campaigns

  • Attackers are scanning and exploiting React2Shell (CVE-2025-55182) in Next.js apps to run automated credential-harvest campaigns that compromised at least 766 hosts and stole env secrets, SSH keys and cloud tokens—patch, rotate, and enable secret scanning – React2Shell
  • Device-code phishing abusing the OAuth2 Device Authorization Grant has surged 37x, powered by phishing-as-a-service kits like EvilTokens that harvest valid access/refresh tokens; defenders should disable unused flows and monitor device-code logs – Device Code Phish

Phishing & Scams

  • Scammers send fake traffic-violation texts with QR codes to phishing sites demanding a $6.99 “payment,” harvesting PII and financial data while using intermediary CAPTCHAs to evade detection—state agencies warn they never request payments by text – QR Phishing

Telecom & Fraud

  • The FCC proposed a $4.5 million fine against Voxbeam for routing tens of thousands of robocalls from an unregistered foreign provider—including bank-impersonation calls—citing Robocall Mitigation Database violations and warning gateway providers – Voxbeam Fine

Public Sector Incidents

  • Northern Ireland’s Education Authority C2K network outage disrupted thousands of pupils and staff, forcing phased restorations and mandatory full password resets while investigators assess potential data exposure – NI Schools

Platform Privacy

  • A report dubbed “BrowserGate” alleges LinkedIn injects hidden JavaScript to scan for over 6,000 Chrome extensions and collect device-fingerprinting data—LinkedIn says the scans combat scraping, but researchers dispute the practice – BrowserGate

Threat Intelligence

  • An industry critique warns that noisy, unverified infostealer ULP feeds are burning out SOCs and breaking automation, urging stricter provenance (system.txt, hardware IDs, IP telemetry) to reduce false positives and risky automated remediation – ULP Burnout

Cybersecurity News | Daily Recap – hendryadrian.com