Cybersecurity Weekly Recap: Axios npm Breach, Chrome Zero-Day, and Emerging Threats
The past week has been marked by significant cybersecurity incidents, highlighting the evolving tactics of threat actors and the vulnerabilities within widely used software systems. From the compromise of a popular npm package to the exploitation of zero-day vulnerabilities, these events underscore the critical need for vigilance and proactive security measures.
Axios npm Package Compromised by North Korean Hackers
In a concerning development, threat actors linked to North Korea successfully infiltrated the npm account of the lead maintainer of Axios, a widely utilized JavaScript library with nearly 100 million weekly downloads. This breach led to the distribution of malicious versions of Axios containing a cross-platform malware identified as WAVESHAPER.V2. The operation has been attributed to a financially motivated group known as UNC1069.
The rapid dissemination of the compromised package illustrates the potential for widespread impact when popular software components are targeted. The malware’s self-deleting anti-forensic capabilities suggest a meticulously planned attack aimed at evading detection.
Avital Harel, a Security Researcher at Upwind, emphasized the strategic shift in attack vectors:
The build pipeline is becoming the new front line. Attackers know that if they can compromise the systems that build and distribute software, they can inherit trust at scale. That’s what makes these attacks so dangerous—they’re not just targeting one application; they’re targeting the process behind many of them.
Ismael Valenzuela, Vice President of Labs, Threat Research, and Intelligence at Arctic Wolf, highlighted the broader implications:
Even though the malicious versions were available for only a few hours, Axios is so deeply embedded across enterprise applications that organizations may have unknowingly pulled the compromised code into their environments through build pipelines or downstream dependencies. This incident reinforces that security teams need to treat build-time tools and dependencies as part of the attack surface and not just trust tools by default.
Google Patches Actively Exploited Chrome Zero-Day
Google has released security updates for its Chrome web browser to address 21 vulnerabilities, including a high-severity zero-day flaw identified as CVE-2026-5281. This vulnerability, a use-after-free bug in Dawn—an open-source and cross-platform implementation of the WebGPU standard—has been actively exploited in the wild.
Users are strongly advised to update their Chrome browsers to versions 146.0.7680.177/178 for Windows and macOS, and 146.0.7680.177 for Linux, to mitigate potential risks. Google has not disclosed specific details regarding the exploitation methods or the entities behind these attacks.
TrueConf Zero-Day Exploited in Southeast Asia
Chinese hackers have exploited a zero-day vulnerability in the TrueConf video conferencing software, targeting government entities in Southeast Asia. The flaw, tracked as CVE-2026-3502 with a CVSS score of 7.8, arises from a lack of integrity checks during the application update process, allowing attackers to distribute tampered updates.
According to Check Point, the compromised TrueConf on-premises server was operated by a governmental IT department and served as a video conferencing platform for numerous government entities across the country. The malicious update was distributed to all these entities, highlighting the potential for widespread impact through supply chain attacks.
Fortinet FortiClient EMS Vulnerability Under Active Attack
Fortinet has issued out-of-band patches for a critical security flaw in FortiClient EMS, identified as CVE-2026-35616. This pre-authentication API access bypass vulnerability leads to privilege escalation and has been exploited in the wild.
Exploitation efforts against this vulnerability were first recorded on March 31, 2026, according to watchTowr. This development follows the active exploitation of another recently patched critical vulnerability in FortiClient EMS, CVE-2026-21643.
Claude Code Source Code Leak
Anthropic has acknowledged an inadvertent release of internal code for its AI coding assistant, Claude Code, due to human error. Version 2.1.88 of the Claude Code npm package included a map file exposing nearly 2,000 source code files and over 512,000 lines of code.
The leak revealed various features under development, including an Undercover mode to hide AI authorship in public code repositories, a persistent background agent named KAIROS, and active monitoring of user frustration indicators. The incident quickly escalated into a cybersecurity threat, with attackers leveraging the exposed information to distribute stealer malware.
Emerging Threats and Vulnerabilities
The cybersecurity landscape continues to evolve, with new vulnerabilities emerging and being exploited at an alarming rate. Notably, device code phishing attacks have surged, abusing the OAuth device authorization grant flow to hijack accounts. Push Security reported a 15-fold increase in device code phishing pages at the start of March 2026, indicating mainstream adoption of this technique.
Additionally, LinkedIn has come under scrutiny for allegedly using hidden JavaScript scripts to scan visitors’ browsers for installed Google Chrome extensions and collect device data without user consent. The BrowserGate report claims that LinkedIn scans for over 200 products that compete with its own sales tools, raising significant privacy concerns.
Conclusion
The recent incidents underscore the critical importance of securing software supply chains, promptly patching vulnerabilities, and maintaining vigilance against emerging threats. Organizations must adopt a proactive approach to cybersecurity, treating build-time tools and dependencies as integral parts of their attack surface and implementing robust monitoring and response strategies to mitigate potential risks.
