2026-W14 Classification: PUBLIC

WEEKLY INTELLIGENCE BRIEFING

2026-03-30 to 2026-04-05 | 80 articles scanned | 15 top IOCs
TLDR
  • 🔥 Critical week for supply chain attacks with React2Shell (CVE-2025-55182) exploited to harvest credentials from 766+ Next.js hosts
  • 🎯 North Korean UNC1069 compromised Axios npm maintainer via fake Teams call, injecting malware into packages with 100M weekly downloads
  • 🚨 European Commission breached via TeamPCP supply chain attack, exposing 92GB of data from 30+ EU entities
  • 💸 $285M DeFi heist attributed to North Korean hackers using sophisticated durable nonce social engineering
  • 🛡️ FortiClient EMS zero-day (CVE-2026-35616) actively exploited with emergency patches released
  • ⚠️ LinkedIn secretly scans 6,000+ browser extensions for competitive intelligence and user profiling
  • 🎭 Multiple ransomware groups (Qilin, Krybit) target government entities while threat actors sell initial access to critical infrastructure

Intelligence Breakdown (6 modules)

Vulnerabilities & Exploits (2026-W14)

Critical React2Shell exploited in mass credential harvesting campaign. UAT-10608 exploits CVE-2025-55182 (CVSS 10.0) to compromise 766+ Next.js hosts using NEXUS Listener framework for automated credential theft.

FortiClient EMS zero-day actively exploited. CVE-2026-35616 pre-authentication bypass allows unauthenticated RCE; emergency patches released for 2,000+ exposed instances.

Critical ShareFile RCE chain discovered. CVE-2026-2699 and CVE-2026-2701 can be chained for complete system compromise via authentication bypass and arbitrary file upload.

Firefox JIT vulnerability patched. CVE-2026-4698 (CVSS 8.8) JIT miscompilation in Firefox JavaScript engine affects multiple versions.

Key Takeaway

Prioritize patching React/Next.js applications and FortiClient EMS, as both are seeing active exploitation.

Supply Chain & Software Attacks (2026-W14)

North Korean UNC1069 compromises Axios npm maintainer. Social engineering via fake Microsoft Teams call led to RAT deployment and publication of malicious Axios versions affecting 100M+ weekly downloads.

European Commission breached via Trivy supply chain attack. TeamPCP compromised Aqua Security's Trivy scanner, leading to 300GB data theft from EU AWS environment affecting 30+ organizations.

Claude Code leak weaponized with malware. Threat actors created fake GitHub repositories distributing Vidar infostealer after Anthropic's accidental code exposure.

ILSpy WordPress domain compromised. Popular .NET decompiler tool's domain hijacked to deliver malware instead of legitimate software.

Key Takeaway

Implement supply chain security controls including dependency scanning, maintainer verification, and isolated build environments.

APT & Nation-State Activities (2026-W14)

China-linked TA416 resumes European government targeting. Group deploys PlugX backdoors via OAuth phishing and MSBuild executables after two-year operational pause.

North Korean hackers target South Korean firms via GitHub. Kimsuky/APT37/Lazarus groups use LNK files and PowerShell to steal system data every 30 minutes.

TrueConf zero-day exploited in Asian government attacks. Chinese actors compromised update servers to distribute malicious packages to government entities.

Military entities targeted with NATO exercise lures. Campaign exploits Exercise Steadfast Dart and IDEAS defense conference themes for credential harvesting.

Key Takeaway

Deploy additional monitoring for government and defense contractors, especially during major exercises or conferences.

Ransomware & Major Breaches (2026-W14)

$285M DeFi theft attributed to North Korea. Drift Protocol compromised via sophisticated durable nonce social engineering targeting Security Council multisig.

German political party hit by Qilin ransomware. Die Linke confirms March 26 attack with threat of sensitive data publication as potential hybrid warfare.

Faulkner County Sheriff's Office claimed by Qilin. Arkansas law enforcement agency becomes latest ransomware victim.

ShinyHunters claims 3M+ Cisco records theft. Group threatens April 3 leak after compromising Salesforce and AWS environments via vishing campaigns.

Key Takeaway

Implement zero-trust architecture and multisig controls for administrative functions, especially for high-value targets.

Privacy & Corporate Surveillance (2026-W14)

LinkedIn secretly scans 6,000+ browser extensions. BrowserGate investigation reveals hidden JavaScript fingerprinting for competitive intelligence and customer identification.

Fake ChatGPT Ad Blocker spies on users. Malicious Chrome extension harvested ChatGPT conversations via Discord webhooks before removal.

Key Takeaway

Review browser extension policies and implement monitoring for unauthorized data collection by web applications.