Transcript
A (0:00)
Before we get into the headlines, just a quick reminder that April is Trust Month at the CISO Series. We've got some fun events lined up in April to talk all about trust in cybersecurity, so head on over to our events page at cisoseries.com for more details from the CISO Series.
B (0:16)
It's Cybersecurity Headlines
A (0:21)
These are the Cybersecurity Headlines for Wednesday, April 1, 2026. Hi, I'm Rich Stroffolino.

HTTP client introduces malicious dependency
Axios, a widely used HTTP client library on npm, was hijacked by threat actors to introduce a remote access Trojan into two releases. Google's Threat Intelligence Group chief analyst John Hultquist attributed the attack to the North Korean APT UNC1069. Axios is downloaded roughly 100 million times a week. The attackers were able to hijack the npm account of an Axios maintainer, change the account email and then lock them out. Rather than change the Axios code directly, they added a malicious dependency, pushing it manually through the npm CLI rather than through the project's GitHub Actions pipeline to avoid detection. Researchers at StepSecurity noted this attack showed significant planning and sophistication, with separate payloads ready for Windows, macOS and Linux. Check out the show notes now for details on the affected versions.

Team PCP testing the open source supply chain
In more bad news for all things open source, researchers at Wiz released a report on the activities of Team PCP. We've covered the group's attacks on the LLM proxy library LiteLLM. Last week, Wiz observed the group seeking to quickly validate stolen secrets from supply chain attacks. In the case of its malware injection on Trivy, Team PCP was seen validating stolen data within hours, followed by AWS discovery operations against validated secrets in less than a day. Researchers told Infosecurity Magazine that Team PCP has been seen explicitly collaborating with extortion groups like Lapsus$ and other ransomware organizations, serving as an initial access broker clearinghouse.

Claude source code leaked
Solaire Labs intern Chofan Sho posted on X that Anthropic seemed to have published a JavaScript source map file for Claude Code on its public npm registry. This source file was quickly archived and spread across GitHub. Anthropic acknowledged the leak, saying it was the result of human error, not malicious activity. The file revealed how Claude Code limits context entropy through a three layer memory architecture and provides details on a background daemon mode called Kairos. It also gives details on Anthropic's internal model roadmap and current development milestones, and provides a prompt for an undercover mode to stealthily use Claude Code for public open source contributions.

A call to secure quantum computing supply chains
We are seeing continuing signs that everyone is getting ready for the advent of quantum computing. The most recent example: the Financial Times reports that a U.S. delegation will push to shore up the security and stability of the quantum computing supply chain at this week's meeting of the Quantum Development Group in London. This will look to secure access to rare earth metals and get ahead of other material constraints needed for this emerging technology. US Chief Technology Officer Ethan Klein said he hopes to align on policy with European allies on these initiatives. This comes after the US suspended the US-UK Technology Prosperity Deal back in September, which had previously served as a cooperative research framework for emerging tech like AI and quantum computing.

And now, thanks to today's episode sponsor, ThreatLocker. Least privilege isn't about distrusting users, it's about limiting blast radius. Many attacks succeed because malware inherits excessive permissions. Enforcing least privilege helps ensure that even if something goes wrong, attackers can't easily escalate access or move laterally across the environment. Learn more at threatlocker.com.

Italy fines finance giant for personal data security failures
The Italian Data Protection Authority fined one of Italy's largest financial firms, Intesa Sanpaolo S.p.A., 31.8 million euros, citing serious shortcomings in personal data security due to the inadequacy of the technical and organizational measures adopted. This follows a three year investigation into the firm, which discovered employees improperly accessing customer information without triggering internal control systems. While this access impacted about 3,500 customers, the investigation found that these were often high risk accounts belonging to public figures. The investigation also found that the company sent incomplete breach notifications well after legally required deadlines.

Iran revives Pay2Key
As former CISA director Chris Krebs recently characterized it, Iran seems to be throwing everything against the wall when it comes to cyber operations. The most recent example: researchers at KELA's Cyber Intelligence Center found evidence that the country revived its state backed ransomware operation Pay2Key. This revival saw the group recruiting from Russian illicit forums, a move KELA characterized as outsourcing geopolitical retribution to the global cybercrime talent pool. Part of the strategy for Pay2Key appears to be launching so called pseudo ransomware attacks, where the goal is just to leave systems encrypted to cause chaos, or to install other forms of wiper malware. Pay2Key also serves as an initial access broker for other threat actors.

Silver Fox spreads RATs across Asia
A Chinese cybercrime group that goes by a range of frankly awesome sounding names, including Silver Fox, SwimSnake, the Great Thief of the Valley and Void Arachne, has been spotted operating a typosquatting campaign. This attempts to spoof trusted software brands like Surfshark, Telegram, Zoom and Signal to install a novel Atlas Cross remote access Trojan. After visiting a spoof domain, victims are prompted to download a zip archive that installs an Autodesk binary, which then launches a shellcode loader for Atlas Cross. Researchers say the coordinated nature of the campaign and the development of a previously unseen remote access Trojan show significantly more sophistication from Silver Fox.

Dutch Finance Ministry goes offline after breach
Last week, the Dutch Ministry of Finance disclosed that it suffered a data breach on March 19th. This attack didn't impact systems used for tax collection, subsidies or import-export regulations, but did expose data on some employees. So far, no threat group has taken credit for the attack. In a statement to legislators, Minister of Finance Eelco Heinen said the ministry was forced to shut down some systems for security reasons. As of March 23, Heinen said about 1,600 institutions could not see account balances or use an online portal to apply for loans. Both services are available through conventional banking channels. No word on when these online portals will come back online.

It's April 1st, and that means it's the start of Trust Month at the CISO Series. We mentioned it at the top of the show: each Friday in April, we're focusing Super Cyber Friday on a different aspect of trust in cybersecurity. This week, we're digging into building trust within your security team. If you've ever worked with a security team that's been burned by leadership in the past, you've got to join us this Friday at 1pm Eastern for the livestream. You can share some of the lessons you've learned in our chat, play some fun games, win some CISO Series swag, and have fun in a meetup after the stream is over. If that sounds good, head on over to our events page at cisoseries.com to register. And if you have some thoughts about the news from today or about the show in general, be sure to reach out to us at feedback@cisoseries.com. We would be delighted to hear from you.
Reporting from the CISO Series, I'm Rich Stroffolino, reminding you to have a super sparkly day.
