Daily Cyber Threat Brief, Ep 1104 – April 6, 2026
Host: Dr. Gerald Auger, Simply Cyber Media Group
Episode Overview
Theme:
This episode delivers April 6’s most impactful cybersecurity news for professionals, focusing on real-world attacks, vulnerabilities, and lessons for practitioners and business leaders alike. Jerry blends expert insight, practical recommendations, and signature humor, covering stories about supply chain risks, government cyber budget cuts, exploited vulnerabilities, significant breaches, and insider threats.
Purpose:
Beyond recapping major stories, the episode aims to contextualize each one, offering actionable takeaways for security teams, career advice for newcomers, and ongoing professional development for #TeamSC.
Key Discussion Points & Insights
1. Malicious npm Packages—Open Source Supply Chain Attack
[13:06–21:54]
- What Happened: Researchers found 36 malicious npm packages disguised as Strapi CMS plugins. Once installed, the packages targeted Redis and PostgreSQL instances, deployed reverse shells, harvested credentials, and installed persistent implants.
- Tactics: The packages used names starting with “strapi-plugin-...” to look legitimate. The attack chain targets developers directly and, through their credentials and build environments, can compromise downstream organizations.
- Industry Context: Attacks through open-source components are now routine; the December 2021 Log4Shell (Log4j) events were cited as the wake-up call.
- Practical Advice:
- Audit installed npm packages (package.json and the lockfile) for Strapi plugins that did not come from a vetted source.
- If any of these packages were installed, assume compromise: rotate all credentials immediately, especially developer credentials and API keys.
- Educate developers on the risks of open-source packages and supply chain threats.
- Quote:
"Developers are not the CEO ... they're special snowflakes. They want to be free ... But when threat actors get credentials of developers and get malware detonating under developer permissions, they get a lot of access."
— Gerald, [16:00]
- Memorable Metaphor:
"Threat actors are like water—they're going to find the easiest path in, or the one with the highest chance of repeated success."
— Gerald, [21:09]
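Added example (not from the episode, and not Strapi's or npm's own tooling): a Python script that audits a package-lock.json (lockfile v2/v3) for the two things the segment warns about, packages whose names imitate Strapi plugins and packages that declare install-time lifecycle scripts, which is the usual place for a payload to run. The ALLOWLIST contents and the sample lockfile are constructed for the example; "hasInstallScript" is the real field npm writes into the lockfile when a package has preinstall/install/postinstall scripts.

```python
"""Audit a package-lock.json (lockfile v2/v3) for Strapi-plugin look-alikes
and for packages that run install lifecycle scripts.

Added example, not code from the episode or from Strapi/npm.
"""
import json
import re
import sys

# Assumption: package names your team has already vetted. Official Strapi
# plugins are published under the @strapi scope; any other name beginning
# with "strapi-plugin-" is treated as unvetted until someone reviews it.
ALLOWLIST = {"@strapi/plugin-users-permissions", "@strapi/plugin-i18n"}
SUSPICIOUS_NAME = re.compile(r"^strapi-plugin-", re.IGNORECASE)


def name_from_lock_key(key: str) -> str:
    """Lockfile keys are node_modules paths. The package name is whatever
    follows the last "node_modules/" (scoped names keep their slash)."""
    marker = "node_modules/"
    idx = key.rfind(marker)
    return key if idx == -1 else key[idx + len(marker):]


def audit_lockfile(lock: dict) -> list[dict]:
    """Return one finding per package that trips either check."""
    findings = []
    for key, meta in lock.get("packages", {}).items():
        if key == "":  # the root project entry, not a dependency
            continue
        name = name_from_lock_key(key)
        reasons = []
        if SUSPICIOUS_NAME.match(name) and name not in ALLOWLIST:
            reasons.append("unvetted strapi-plugin-* name")
        if meta.get("hasInstallScript"):
            reasons.append("runs an install lifecycle script")
        if reasons:
            findings.append({"name": name, "version": meta.get("version"),
                             "resolved": meta.get("resolved"), "reasons": reasons})
    return findings


# Constructed sample lockfile: one vetted scoped plugin, one look-alike that
# also carries an install hook, and one ordinary dependency.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/@strapi/plugin-i18n": {
            "version": "4.25.0",
            "resolved": "https://registry.npmjs.org/@strapi/plugin-i18n/-/plugin-i18n-4.25.0.tgz",
        },
        "node_modules/strapi-plugin-example-lookalike": {
            "version": "1.0.3",
            "resolved": "https://registry.npmjs.org/strapi-plugin-example-lookalike/-/strapi-plugin-example-lookalike-1.0.3.tgz",
            "hasInstallScript": True,
        },
        "node_modules/lodash": {"version": "4.17.21"},
    },
}

if __name__ == "__main__":
    # Usage: python audit_lock.py [path/to/package-lock.json]
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            lock = json.load(fh)
    else:
        lock = SAMPLE_LOCK
    for f in audit_lockfile(lock):
        print(f"{f['name']}@{f['version']}: {', '.join(f['reasons'])}")
```

Run it against every repository's lockfile, not just package.json: transitive dependencies only appear in the lockfile, and a look-alike pulled in two levels down is still executed on `npm install`. Lockfile v1 (the "dependencies" tree) is not handled here.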
2. CISA Budget Cuts—Implications for National Security
[21:54–26:52]
- What Happened: The US president's proposed fiscal year 2027 budget would cut the Cybersecurity and Infrastructure Security Agency’s (CISA) funding by somewhere between $77 million and $361 million (reports give a range). Most of the reductions hit programs that have already been shut down, but the agency's overall budget would fall from about $3B to just over $2B.
- Impacts:
- CISA maintains the Known Exploited Vulnerabilities (KEV) catalog, sets the federal remediation deadlines tied to it (BOD 22-01), and issues threat alerts for government entities.
- Operational impact may be modest, since the programs being cut were already deprecated.
- Quote:
"Cutting [CISA] sucks ... They still have $2 billion. I mean, if you gave me $2 billion, I think I could make it work."
— Gerald, [24:00]
3. React2Shell—Automated Credential Harvesting
[26:52–35:52]
- What Happened: At least 766 hosts have been compromised through exploitation of React2Shell in Next.js applications. Attackers automated credential theft using Nexus Listener to extract cloud and environment secrets and keys.
- Industry Angle: CVE-2025-55182 (CVSS 10.0) has been public for months; the active exploitation underscores the danger of leaving it unpatched.
- Lesson:
- Vulnerability management is hard: security knows the risk, but business teams or IT may delay patching, leaving the organization exposed.
- Old, unfixed vulnerabilities remain top targets; every unpatched day adds risk.
- Use real-world case studies like this one for “f-around and find out” teaching moments.
- Quote:
"A vulnerability is a vulnerability ... If it's being exploited, every day that passes is one more day a threat actor has a shot ... we've had the answer for months."
— Gerald, [33:30]
- Metaphor:
"Like knowing your outside pipes will freeze, and you just keep waiting ... then your house fills with water."
— Gerald, [34:45]
4. Fortinet EMS Zero-Day & Out-of-Band Patch
[35:52–43:06]
- What Happened: A pre-authentication API access bypass in Fortinet FortiClient EMS (Endpoint Management Server), affecting versions 7.4.5 through 7.4.6 and rated CVSS 9.1. Fortinet shipped a hotfix out of band because of the urgency and the risk of active exploitation.
- Takeaways:
- Out-of-band patches signal severity; prioritize them over the scheduled patch cycle.
- The flaw can lead to unauthenticated remote code execution (RCE). Fortinet products are frequent targets because of their market presence.
- Use honeypots to detect and validate active exploitation: a decoy that has no legitimate clients turns any connection into a high-fidelity alert.
- Quote:
"Out-of-band patch ... should make your butt pucker—don't spend your political capital every time, but you don't see out-of-band unless it's serious."
— Gerald, [37:20]
- Practical Tip:
- Monitor vulnerability intelligence sources and deploy patches rapidly; don’t wait for the next cycle when circumstances warrant.
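Added example (not from the episode, and not a Fortinet tool): a minimal low-interaction HTTP canary of the kind the honeypot advice describes. It has no legitimate clients, so every request it receives is worth an alert; each hit is written as one JSON line, and requests aimed at API or login style paths are tagged so they can be triaged first. The HIGH_INTEREST path list and the sample request in the test are constructed for the example, and TLS is left out (wrap the socket with `ssl` if the product you are imitating speaks HTTPS).

```python
"""Low-interaction HTTP canary: log every request, answer nothing useful.

Added example, not code from the episode or from Fortinet.
"""
import json
import sys
import time
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumption: path fragments attackers probe on management products. These
# are illustrative; tune them to whatever you are imitating.
HIGH_INTEREST = ("/api/", "/login", "/remote/", "/admin")


def probe_record(client_ip, method, path, headers, body_len, now=None):
    """Build the alert record for one request.

    Kept free of socket state so it can be unit-tested; `headers` only
    needs a dict-like .get().
    """
    tags = [p for p in HIGH_INTEREST if p in path.lower()]
    return {
        "ts": now if now is not None else time.time(),
        "src": client_ip,
        "method": method,
        "path": path,
        "user_agent": headers.get("User-Agent", ""),
        "body_len": body_len,
        "tags": tags,
        # Any hit is suspicious; hits on management-style paths more so.
        "severity": "high" if tags else "medium",
    }


class CanaryHandler(BaseHTTPRequestHandler):
    sink = sys.stdout  # swap for a file handle or a log shipper

    def _handle(self):
        length = int(self.headers.get("Content-Length", 0) or 0)
        self.rfile.read(length)  # drain the body; never act on it
        rec = probe_record(self.client_address[0], self.command, self.path,
                           self.headers, length)
        self.sink.write(json.dumps(rec) + "\n")
        self.sink.flush()
        self.send_response(404)  # reveal nothing about what is "behind" us
        self.end_headers()

    do_GET = do_POST = do_PUT = do_DELETE = do_HEAD = _handle

    def log_message(self, *args):  # silence the default stderr access log
        pass


if __name__ == "__main__":
    # Usage: python canary.py [port]   (default 8443)
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 8443
    HTTPServer(("0.0.0.0", port), CanaryHandler).serve_forever()
```

Place it on an internal address that nothing should ever talk to, ship the JSON lines to the SIEM, and alert on any record at all; the severity field only decides who gets paged first.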
5. EU Commission Data Breach—Compromised AWS API Keys
[46:58–51:44]
- What Happened: The group Team PCP was attributed with breaching the European Commission’s AWS account, stealing 92GB of compressed data using stolen AWS API keys. The widely used Europa.eu platform was targeted.
- Significance:
- API misuse with valid keys, not sophisticated hacking, underlies this breach, reaffirming that “threat actors aren’t hacking in, they’re logging in.”
- Proper cloud configuration and secrets management are critical: keep long-lived access keys out of code and CI, rotate them, and prefer short-lived role credentials where possible.
- Monitor CloudTrail for unusual API activity (new source IPs, bulk data reads) and enforce least privilege on every key.
- Quote:
"Threat actors aren’t hacking in, they’re logging in ... If you do the things, the threat actors will have to change."
— Gerald, [48:00]
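Added example (not from the episode, and not AWS's own tooling): a Python detection over CloudTrail records that flags an access key which starts calling from an IP address it has never used before and then pulls data in bulk, the shape of a stolen-key incident. The CloudTrail records below are constructed; real input comes from CloudTrail, Athena or the SIEM. The KNOWN_IPS baseline, the bulk threshold and the window are assumptions to tune per account.

```python
"""Flag stolen-key behaviour in CloudTrail: new source IP plus bulk reads.

Added example, not code from the episode or from AWS.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions: IPs already known for each access key (from a prior
# baseline) and what "bulk" means for this account.
KNOWN_IPS = {"AKIAIOSFODNN7EXAMPLE": {"203.0.113.10"}}
BULK_THRESHOLD = 50
WINDOW = timedelta(minutes=10)
DATA_READ_EVENTS = {"GetObject", "ListObjects", "ListObjectsV2", "ListBuckets",
                    "Decrypt", "GetSecretValue"}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect(records):
    """Return one finding per access key that is used from an unknown IP
    AND makes >= BULK_THRESHOLD data-read calls from that IP within WINDOW."""
    by_key = defaultdict(list)
    for r in records:
        key = r.get("userIdentity", {}).get("accessKeyId")
        if key:
            by_key[key].append(r)
    findings = []
    for key, recs in by_key.items():
        recs.sort(key=lambda r: parse_ts(r["eventTime"]))
        new_ips = {r["sourceIPAddress"] for r in recs} - KNOWN_IPS.get(key, set())
        if not new_ips:
            continue
        # Sliding-window count of data-read calls coming from the new IPs.
        times = [parse_ts(r["eventTime"]) for r in recs
                 if r["eventName"] in DATA_READ_EVENTS
                 and r["sourceIPAddress"] in new_ips]
        peak, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > WINDOW:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= BULK_THRESHOLD:
            first_new = min(r["eventTime"] for r in recs
                            if r["sourceIPAddress"] in new_ips)
            findings.append({"accessKeyId": key, "new_ips": sorted(new_ips),
                             "reads_in_window": peak, "first_new_ip_event": first_new})
    return findings


def constructed_records():
    """Synthetic trail: routine use from the known IP, then 60 GetObject
    calls in five minutes from an unfamiliar address."""
    ident = {"type": "IAMUser", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}
    recs = [{"eventTime": "2026-04-01T01:00:00Z", "eventName": "ListBuckets",
             "sourceIPAddress": "203.0.113.10", "userIdentity": ident}]
    base = datetime(2026, 4, 1, 2, 0, 0)
    for i in range(60):
        t = base + timedelta(seconds=5 * i)
        recs.append({"eventTime": t.strftime("%Y-%m-%dT%H:%M:%SZ"),
                     "eventName": "GetObject", "sourceIPAddress": "198.51.100.77",
                     "userIdentity": ident,
                     "requestParameters": {"bucketName": "example-bucket"}})
    return recs


if __name__ == "__main__":
    for finding in detect(constructed_records()):
        print(finding)
```

When this fires, the response is the one the segment calls for: deactivate the key (`aws iam update-access-key --status Inactive`), rotate it, and only then work out what was read.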
6. Massachusetts Regional Emergency Communication Attack
[51:44–55:29]
- What Happened: Several small-town communication systems in northern Massachusetts were disrupted by a cyber event. 911 remained operational, but non-emergency business lines were affected.
- Broader Insight:
- Rural and local public-sector entities often lack budget and dedicated cybersecurity staff, making them “sitting ducks.”
- Critical systems (like 911) are often segmented, but ancillary operations suffer in attacks.
- Quote:
"In local government, it’s one IT lady, basically Spongebob: doing eight things at once with her arms ... They’re being asked to do more with less."
— Gerald, [53:00]
7. Hims and Hers—Zendesk/Okta Breach Exposure
[55:29–56:16]
- What Happened: Threat actors accessed Hims and Hers’ Zendesk instance through a compromised Okta SSO account, stealing millions of support tickets containing names and contact information (but no medical records).
- Risks:
- Support ticket data can fuel highly targeted social engineering and phishing.
- The real damage is the potential targeting of vulnerable customers with scams built on the issues they disclosed in their tickets.
- Quote:
"It’s not so much about medical records ... It’s about exposure—attackers can now prey on people’s vulnerabilities, which is gross."
— Gerald, [56:10]
- Tip:
- Limit SSO scopes, monitor federated account activity (sign-ins to SaaS apps from new devices or locations), and emphasize security awareness among support teams and customers.
8. Insider Threat—Engineer Locks Out Employer in Ransom Plot
[59:50–61:50]
- What Happened: A 57-year-old engineer at an industrial company used an admin account to delete and change the passwords on more than 250 servers, locking the company out, and demanded a ransom of 20 bitcoin (about $750k). He was caught after searching for how-to guides on committing the crime from a VM inside the company network.
- Lessons:
- Insider threats remain real, and not every attacker is sophisticated.
- Logic bombs and extortion by inside staff are ongoing risks.
- Detection requires layered security, monitoring for unusual admin account activity (bursts of password resets or account changes from one account), and quick incident response.
- Quote:
"This guy is such a dumbass ... Like, he’s wearing a spirit Halloween threat actor costume. I've never seen a part-time bush league cyber attack work out."
— Gerald, [61:20]
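Added example (not from the episode): a Python detection for the admin-activity pattern behind this story, one account performing a burst of privileged credential changes across many distinct hosts in a short window. The event records are constructed in a generic shape (timestamp, actor, action, target host); map your own sources into it, for instance Windows Security event 4724 (an attempt was made to reset an account's password) or sudo/passwd audit records on Linux. The window and host threshold are assumptions.

```python
"""Flag one actor changing credentials on many hosts in a short window.

Added example, not code from the episode.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)
MAX_HOSTS_PER_WINDOW = 10  # assumption: tune to your normal change volume
PRIVILEGED_ACTIONS = {"password_reset", "account_disable", "account_delete"}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_bursts(events):
    """Return {actor: (window_start, window_end, distinct_hosts)} for every
    actor who touches more than MAX_HOSTS_PER_WINDOW distinct hosts with a
    privileged action inside any WINDOW-long sliding window."""
    per_actor = defaultdict(list)
    for e in events:
        if e["action"] in PRIVILEGED_ACTIONS:
            per_actor[e["actor"]].append((parse_ts(e["ts"]), e["target_host"]))
    alerts = {}
    for actor, items in per_actor.items():
        items.sort()
        window = deque()
        host_counts = defaultdict(int)
        best = None
        for ts, host in items:
            window.append((ts, host))
            host_counts[host] += 1
            # Drop events that fell out of the window, tracking distinct hosts.
            while ts - window[0][0] > WINDOW:
                old_ts, old_host = window.popleft()
                host_counts[old_host] -= 1
                if host_counts[old_host] == 0:
                    del host_counts[old_host]
            if len(host_counts) > MAX_HOSTS_PER_WINDOW:
                span = (window[0][0], ts, len(host_counts))
                if best is None or span[2] > best[2]:
                    best = span
        if best is not None:
            alerts[actor] = best
    return alerts


def constructed_events():
    """Routine activity from a service account on a few hosts, an ordinary
    login, then one admin resetting passwords on 40 hosts in 20 minutes."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    base = datetime(2026, 3, 28, 22, 0, 0)
    events = []
    for i in range(3):
        events.append({"ts": (base + timedelta(hours=i)).strftime(fmt),
                       "actor": "svc_backup", "action": "password_reset",
                       "target_host": f"srv-{i:03d}"})
    events.append({"ts": base.strftime(fmt), "actor": "jdoe_admin",
                   "action": "login", "target_host": "srv-000"})
    for i in range(40):
        events.append({"ts": (base + timedelta(seconds=30 * i)).strftime(fmt),
                       "actor": "jdoe_admin", "action": "password_reset",
                       "target_host": f"srv-{i:03d}"})
    return events


if __name__ == "__main__":
    for actor, (start, end, hosts) in find_bursts(constructed_events()).items():
        print(f"{actor}: {hosts} hosts between {start} and {end}")
```

Pair this with an alert on log clearing (Windows writes Security event 1102 when the Security log is cleared), since the forensics in this case turned up searches for exactly that.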
Notable Quotes & Moments
- On Supply Chain:
"If it starts with 'strapi', that's a problem ... If you have any of them installed, you should assume you're compromised and rotate all your credentials." [18:40]
- On Patch Urgency:
"Honeypots are an awesome way to test for active exploitation—put one inside your network for a high-fidelity alert." [41:35]
- On Insider Threats:
"Logic bomb ... that's what's up. Forensics found he searched how to clear logs from the work machine." [61:18]
- Community Shout-out:
"This is the mullet of cyber threat briefs—business up front, party in the back." [43:53]
- Championing Diversity and Community:
"Shout out to Shimiria Gonzalez—crushing it in the women’s channel, standing up Simply Cyber Houston." [44:00]
Additional Segments
Career, Cert & Tool Advice—“Jawjacking/Cyber Mentor Hotline” Q&A
[Post-main stories; select highlights]
- Is CompTIA SecAI worth it?
– Maybe, if market demand grows, but always check whether employers ask for it before investing. [68:00]
- GRC Engineering for SMBs without cloud:
– Use PowerShell to audit Active Directory objects; automate what analysts would otherwise audit by hand. [69:55]
- How do GRC pros show their skills?
– Build a GRC portfolio (sample artifacts, risk registers, audit findings); see [YouTube video link]. [71:20]
- Managed SOC/MSSP vs. In-house:
– For organizations up to ~$1B, MDR/MSSP can provide 24/7 coverage far more cheaply than hiring several staff. [77:20]
- Top advice for infosec conference attendees:
– Network, don’t just attend talks. Leave bad talks. Try CTFs. Meet people; that’s the main value. [80:00]
Timestamps for Critical Segments
- [13:06] — Malicious npm Packages (Supply Chain)
- [21:54] — CISA Budget Cuts
- [26:52] — React2Shell / Credential Theft
- [35:52] — Fortinet EMS Zero-Day
- [46:58] — EU Data Breach / AWS Secrets
- [51:44] — Emergency Services Disruption (MA)
- [55:29] — Hims and Hers Zendesk/Okta Incident
- [59:50] — Insider Threat Extortion
- [68:00+] — Cybersecurity career/skill Q&A
Tone & Style
- Language: Conversational, humorous, slightly irreverent, but always practical and inclusive.
- Key Threads:
- “Real talk” on technical and human issues alike.
- Frequent use of pop-culture analogies and metaphors for approachable learning.
- Warm encouragement for newcomers: “First timers, drop it in chat!”
- Community-centric: shout outs, personal anecdotes, and celebration of members.
Summary
This episode is packed with lessons about the persistence of old vulnerabilities, the creative persistence of threat actors (“threat actors are like water”), the ongoing challenge of managing supply chain risk, and the importance of practical basics: prompt patching, secrets management, monitoring, and user education. It underscores the realities facing both large organizations and resource-constrained local governments, highlights the enduring risk of insider threats, and ties it all together with actionable, field-tested advice and community engagement.
Final takeaway:
Stay vigilant, keep learning, and support each other—the threat actors aren’t taking breaks, so neither can the defenders.
