
Iranian password spraying targets Israel ahead of missile strikes, a major NPM package gets hacked, Iran says it will bomb US tech firms in the Middle East, and Flint 24 hackers are sentenced to prison in Russia. This is the Risky Bulletin, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 1st of April, and this podcast episode is brought to you by Knocknoc.
A password spraying campaign is targeting the Microsoft 365 accounts of Middle Eastern organisations. Evidence suggests the campaign is being carried out by an Iranian threat actor. The attacks began shortly after the US and Israel launched military action against Iran. The password spraying campaign targets agencies such as local governments that would collect information about effects of Iranian missile strikes. Check Point says that some regions targeted by the campaign were later hit by Iranian strikes.
In other news, the popular NPM package has been hacked to deploy a remote access trojan. Attackers broke into the Axios GitHub and npm accounts on Monday and locked out its admin. Malicious versions were live on NPM for just over three hours. Axios has over 100 million weekly downloads. Google's linked the attack to a North Korean group tracked as UNC1069.
The source code of Anthropic's Claude AI coding agent has leaked online. It leaked via a map file in the company's NPM account. This is the second time Claude Code source has leaked after a similar incident last February.
A 36-year-old Maryland man has been charged with hacking the Uranium Finance cryptocurrency platform. Jonathan Spoletta is accused of stealing $53 million from the platform in 2021. Authorities seized two $31 million of the stolen funds in February last year. Spoleta allegedly used the remaining funds to acquire antique Roman coins as well as rare Pokémon and Magic: The Gathering cards.
The US has charged 10 individuals over a scheme to artificially inflate cryptocurrency prices. Among those charged are executives and employees from the companies Gotbit, Vortex, Anteir and Contrarian. The companies used wash trading to inflate trading volumes and prices to facilitate pump and dump schemes.
A Nigerian national has been sentenced to 15 years in a U.S. prison for scamming victims out of more than $1.5 million. Inmate Awolabi operated a group that ran classic Nigerian prince scams. The prosecution requested a harsh sentence, highlighting Awolabi's social media posts flaunting his stolen wealth.
Russian authorities have sentenced 26 members of the Flint 24 hacking group. Each received between five and years in a penal colony. The Flint 24 group operated dozens of underground carding shops. Authorities dismantled the group in 2020 after they were caught selling the data of Russian citizens.
South Africa's statistics agency is being extorted by a ransomware group. The hackers are demanding $100,000 to not leak the agency's data. The group XP95, which began its operations in March, has claimed credit for the attack.
A new platform automates device code phishing campaigns targeting Microsoft accounts. The Evil Tokens platform launched in February and has been used in attacks throughout March. Device code phishing tricks users into granting attackers access to an account without compromising their credentials. The technique abuses the mechanism used to connect Microsoft accounts to devices like smart TVs or embedded systems.
A suspected APT group is exploiting a zero-day in the TrueConf videoconferencing platform. Attacks have targeted the on-premise servers of several Southeast Asian governments. The zero-day allows attackers that have gained access to a server to push malicious updates to its clients. Check Point says the APT has a Chinese nexus.
Magento online stores are being targeted via a recently patched vulnerability known as PolyShell. According to Sansec, hundreds of stores are being hacked every hour. The vulnerability was disclosed in mid-March. It allows unauthenticated remote attackers to upload a web shell.
Hackers are exploiting an SQL injection vulnerability in Fortinet EMS servers. The vulnerability allows unauthenticated attackers to take over the EMS server's web interface. It was patched in February. Attacks began last week.
CISA has dropped its investigation into staff who arranged a polygraph test of former director Madhu Gottumukkala. The agency launched the investigation into seven staff members last year after he failed the test. Gottumukkala said the test was unsanctioned and he was tricked into taking it. Politico later reported he pushed for the test in order to access sensitive documents.
South Korea has launched a task force to help companies recover from ransomware attacks. It'll be part of the country's cybersecurity agency. The agency said ransomware attacks were up 40% last year compared to 2024.
Iran says it would target the infrastructure of American tech companies in the Middle East. The Islamic Revolutionary Guard Corps has published a list of companies it accuses of aiding Israeli and American military operations. All but one of the 18 are US companies. The list includes Google, Apple, Microsoft and Nvidia. Iranian strikes have already hit an Amazon data centre and Microsoft research office in the region.
Russia has ordered local platforms to block VPN users. This week, the government sent letters to Russian banks, online marketplaces and IT companies. Businesses that comply may be permitted to remain active during the country's mobile Internet blackouts.
Italy's largest bank has been fined 31.8 million euros by the country's data protection agency. According to the agency, an Intesa Sanpaolo employee accessed data about more than 3,500 customers. Celebrities and politicians were among the affected individuals. This is the country's second largest GDPR fine. The largest was against energy provider Enel, which was fined 79.1 million euros in 2024.
Australia is investigating five tech platforms for failing to comply with social media minimum age requirements. The investigation targets Facebook, Instagram, Snapchat, TikTok and YouTube. The country is looking into weaknesses in the implementation of age verification rules.
Google has started verifying Android developer accounts. Apps on the Play Store must come from developers who've provided government ID or business registration data. Students and hobbyist developers can skip the verification process, but their apps will require extra steps to install.
A new access control standard will allow mobile devices to be used as building access cards. The Aliro standard was released by the Connectivity Standards Alliance earlier this year. It was backed by major vendors including Apple, Google and Samsung. The standard is expected to be integrated in home alarm systems, building management software and other access control systems.
And finally, Russian security firm Kaspersky has reported a record revenue of 836 million dollars last year. Revenue increased in Russia and former Soviet states. Kaspersky was ousted from the US market in 2024. It closed most European offices following Russia's invasion of Ukraine.
And that is all for this podcast edition. Today's show is brought to you by Knocknoc. Find them at Knocknoc. That's knocknoc.io. Thanks for your company, Sam.
Podcast: Risky Bulletin by Risky Business Media
Date: April 1, 2026
Host: Claire Aird (reporting for Catalin Cimpanu)
This episode provides a rapid-fire roundup of global cybersecurity incidents, with a primary focus on Iranian cyber activities preceding missile strikes, high-profile application supply chain attacks, international law enforcement actions, and significant policy/industry developments. The tone is factual, urgent, and direct—characteristic of a security news bulletin.
Password Spraying Campaign:
Potential Infrastructure Attacks:
NPM Package Hack and Axios Incident:
Anthropic Claude Coding Agent Source Leak:
Russian Flint 24 Group Members Sentenced:
Major GDPR Fine in Italy:
South Africa Stats Agency Ransomware Attack:
Device Code Phishing Platform ‘Evil Tokens’:
TrueConf Zero-Day Exploitation:
Magento PolyShell Vulnerability:
Fortinet EMS SQL Injection:
CISA Investigation Dropped:
South Korea Launches Ransomware Recovery Task Force:
Russia Blocks VPN Users:
Australian Social Media Age Verification Probe:
Google Android Developer Account Verification:
New Access Control Standard (Aliro):
Kaspersky Reports Record Revenue:
This episode is a dense, authoritative rundown of critical cybersecurity news as of April 2026. The reporting is concise and serious, suitable for infosec professionals tracking global cyber threats, policy shifts, and law enforcement actions.