Front Page

Nation-State Supply Chain

Axios Poisoned: North Korea's UNC1069 Targeted 183 Million Weekly Downloads in a Three-Hour Window

On March 31, North Korea-linked UNC1069 compromised the npm credentials of Axios maintainer Jason Saayman via targeted social engineering and published two backdoored versions of the most popular JavaScript HTTP client — 1.14.1 and 0.30.4 — with a combined reach of an estimated 183 million weekly downloads across the entire ecosystem.

The malicious packages installed SILKBELL, an obfuscated dropper that self-deletes after execution and replaces itself with a clean decoy that passes npm audit. Investigators must check package-lock.json files for plain-crypto-js as a dependency and hunt CI/CD build logs for unexpected outbound connections during install phases.

Cloud Forensics

Trust the Scanner, Lose 92 GB: The Trivy Breach That Hit 29 European Union Entities

When the European Commission's automated security pipeline pulled a compromised Trivy update on March 19, it unknowingly harvested an embedded AWS API key — giving attackers five days of undetected access before CERT-EU detected abnormal activity. By March 28, 92 GB of data from 29 EU entities appeared on the ShinyHunters dark web site.

CERT-EU's April 3 attribution report traced a complete forensic chain: poisoned Trivy update → stolen AWS API key → five-day undetected exfiltration. Any organization running Trivy in CI/CD pipelines during March 19–27 should treat cloud credentials as compromised and conduct a full retrospective review of API activity during that window.

Threat Bulletin

ACTIVE EXPLOIT
CVE-2026-35616

Fortinet FortiClient EMS v7.4.5–7.4.6 — Unauthenticated API bypass allows arbitrary code execution on the EMS host; CVSS 9.1. Added to CISA KEV April 6; federal deadline April 9. Forensic Note: EMS controls enterprise endpoint policy — review API call patterns and scheduled tasks on the EMS host for unauthorized lateral movement.

HIGH
CVE-2026-3502

TrueConf Client — Update mechanism lacks integrity verification, allowing server-side arbitrary executable delivery to all connected endpoints; CVSS 7.8. Exploited against Southeast Asian government networks; CISA KEV April 2. Forensic Note: Compare binary hashes to known-good versions; hunt processes spawned from the TrueConf update service.

Malware Spotlight

WAVESHAPER.V2 (UNC1069)

North Korea's cross-platform backdoor — PowerShell on Windows, Mach-O on macOS, Python on Linux — delivered via the poisoned Axios npm package, beaconing every 60 seconds. Its dropper SILKBELL self-destructs post-execution, defeating npm audit. Forensic Note: Hunt via package-lock.json diffs for plain-crypto-js and outbound C2 connections in CI/CD build logs.