{"id":466,"date":"2026-04-06T16:11:17","date_gmt":"2026-04-06T16:11:17","guid":{"rendered":"https:\/\/cybercolombia.co\/index.php\/2026\/04\/06\/axios-hack-chrome-0-day-fortinet-exploits-paragon-spyware-and-more-cyberdefensa-mx\/"},"modified":"2026-04-06T16:11:17","modified_gmt":"2026-04-06T16:11:17","slug":"axios-hack-chrome-0-day-fortinet-exploits-paragon-spyware-and-more-cyberdefensa-mx","status":"publish","type":"post","link":"https:\/\/cybercolombia.co\/index.php\/2026\/04\/06\/axios-hack-chrome-0-day-fortinet-exploits-paragon-spyware-and-more-cyberdefensa-mx\/","title":{"rendered":"Axios Hack, Chrome 0-Day, Fortinet Exploits, Paragon Spyware and More \u2013 CYBERDEFENSA.MX"},"content":{"rendered":"<div id=\"articlebody\">\n<p>This\u00a0week had real hits. The\u00a0key software got tampered with. Active\u00a0bugs showed up in the tools people use every day. Some\u00a0attacks didn\u2019t even need much effort because the path was already\u00a0there.<\/p>\n<p>One weak spot now spreads wider than before. What\u00a0starts small can reach a lot of systems fast. New\u00a0bugs, faster use, less time to\u00a0react.<\/p>\n<p>That\u2019s this week. Read\u00a0through\u00a0it.<\/p>\n<h2 style=\"text-align: left;\"><strong>\u26a1 Threat of the\u00a0Week<\/strong><\/h2>\n<p><strong>Axios npm Package Compromised by N. Korean\u00a0Hackers<\/strong>\u2014Threat actors with ties to North Korea seized control of the npm account belonging to the lead maintainer of Axios, a popular npm package with nearly 100 million weekly downloads, to push malicious versions containing a cross-platform malware dubbed WAVESHAPER.V2. The\u00a0activity has been attributed to a financially motivated threat actor known as UNC1069. The\u00a0incident demonstrates how quickly the compromise of a popular npm package can have ripple effects through the ecosystem. The\u00a0malware\u2019s self-deleting anti-forensic cleanup points to a deliberate, planned operation. 
\u00abThe build pipeline is becoming the new front line. Attackers know that if they can compromise the systems that build and distribute software, they can inherit trust at scale,\u00bb Avital Harel, Security Researcher at Upwind, said. \u00abThat\u2019s what makes these attacks so dangerous \u2014 they\u2019re not just targeting one application, they\u2019re targeting the process behind many of them. Organizations should be looking much more closely at CI\/CD systems, package dependencies, and developer environments, because that\u2019s increasingly where attackers are placing their bets.\u00bb Ismael Valenzuela, vice president of Labs, Threat Research, and Intelligence at Arctic Wolf, said the Axios npm compromise reflects a broader trend where attackers infiltrate trusted, widely used software components to obtain access to downstream customers at scale. \u00abEven though the malicious versions were available for only a few hours, Axios is so deeply embedded across enterprise applications that organizations may have unknowingly pulled the compromised code into their environments through build pipelines or downstream dependencies,\u00bb Valenzuela added. \u00abThat downstream exposure is what makes these incidents particularly difficult to spot and contain, especially for teams that never directly chose to install Axios themselves. This\u00a0incident reinforces that security teams need to treat build\u2011time tools and dependencies as part of the attack surface and not just trust tools by\u00a0default.\u00bb<\/p>\n<h2 style=\"text-align: left;\"><strong>\ud83d\udd14 Top\u00a0News<\/strong><\/h2>\n<ul>\n<li><strong><a href=\"https:\/\/thehackernews.com\/2026\/04\/new-chrome-zero-day-cve-2026-5281-under.html\">Google Patches Actively Exploited Chrome 0-Day<\/a><\/strong>\u2014Google released security updates for its Chrome web browser to address 21 vulnerabilities, including a zero-day flaw that it said has been exploited in the wild. 
The\u00a0high-severity vulnerability, CVE-2026-5281 (CVSS score: N\/A), concerns a use-after-free bug in Dawn, an open-source and cross-platform implementation of the WebGPU standard. Users\u00a0are advised to update their Chrome browser to versions 146.0.7680.177\/178 for Windows and Apple macOS, and 146.0.7680.177\u00a0for Linux. Google\u00a0did not reveal how the vulnerability is being exploited and who is behind the exploitation effort.<\/li>\n<li><strong>TrueConf 0-Day Exploited in Attacks Targeting Government Entities in Southeast Asia<\/strong>\u2014Chinese hackers have exploited a zero-day vulnerability in the TrueConf video conferencing software in attacks against government entities in Southeast Asia. The\u00a0exploited flaw, tracked as CVE-2026-3502 (CVSS score of 7.8), exists because of a lack of integrity checks when fetching application update code, allowing an attacker to distribute a tampered update. \u00abThe compromised TrueConf on-premises server was operated by the governmental IT department and served as a video conferencing platform for dozens of government entities across the country, which were all supplied with the same malicious update,\u00bb Check Point said. The\u00a0activity, which began in January 2026, involved the deployment of the Havoc framework. Most\u00a0infections likely began with a link sent to the victims. TrueConf is used widely across organizations in Asia, Europe, and the Americas, serving about 100,000 organizations globally.<\/li>\n<li><strong>Fortinet FortiClient EMS Flaw Under Attack<\/strong>\u2014Fortinet released out-of-band patches for a critical security flaw impacting FortiClient EMS (CVE-2026-35616) that it said has been exploited in the wild. The\u00a0vulnerability has been described as a pre-authentication API access bypass leading to privilege escalation. Exploitation efforts against CVE-2026-35616 were first recorded against its honeypots on March 31, 2026, per watchTowr. 
The\u00a0development comes days after another recently patched, critical vulnerability in FortiClient EMS (CVE-2026-21643) came under active exploitation.<\/li>\n<li><strong>Apple Backports DarkSword Fixes to More Devices<\/strong>\u2014Apple expanded the availability of iOS 18.7.7\u00a0and iPadOS 18.7.7\u00a0to a broader range of devices to protect users from the risk posed by a recently disclosed exploit kit known as DarkSword. The\u00a0update targets customers whose devices are capable of upgrading to the newest operating system (iOS 26), but have chosen to remain on iOS 18. Apple\u00a0has taken the unprecedented step to counter risks posed by an exploit kit called DarkSword. The\u00a0broader availability of the patches underscores the level of threat that malware like DarkSword poses. The\u00a0fact that a large number of users were still using iOS 18, combined with the leak of a new version of DarkSword on GitHub, has pushed Apple towards releasing the fix so that they can stay protected without the need for updating to iOS 26. The\u00a0leak is significant as it puts it within reach of less technically savvy cybercriminals out there.<\/li>\n<li><strong>ClickFix Attack Leads to DeepLoad Malware<\/strong>\u2014The ClickFix technique is being used to deliver a stealthy malware named DeepLoad that\u2019s capable of stealing credentials and intercepting browser interactions. 
The\u00a0malware first emerged on a dark web cybercrime forum in early February 2026, when a threat actor, using the alias \u00abMysteryHack,\u00bb advertised it as a \u00abcentralized panel for multiple types of malware.\u00bb According to <a href=\"https:\/\/www.zerofox.com\/intelligence\/flash-report-cryptocurrency-stealer-for-sale-on-dark-web\/\">ZeroFox<\/a>, \u00abDeepLoad\u2019s design is explicitly focused on actively facilitating real-time cryptocurrency theft, which almost certainly makes it an attractive malware suite in the cybercrime-as-a-service (CaaS) environment.\u00bb The malware has since been distributed to Windows systems through ClickFix under the guise of resolving fake browser error messages. Besides stealing credentials, the malware drops a rogue browser extension to intercept sensitive data and spreads via removable USB drives. DeepLoad\u2019s actual attack logic is buried under layers of obfuscation, raising the possibility that some parts of the malware were developed using an artificial intelligence (AI) model.<\/li>\n<li><strong>Claude Code Source Code Leaks<\/strong>\u2014Anthropic acknowledged that internal code for its popular artificial intelligence (AI) coding assistant, Claude Code, had been inadvertently released due to a human error. Essentially, what happened was this: When Anthropic pushed out version 2.1.88\u00a0of its Claude Code npm package, it accidentally included a map file that exposed nearly 2,000 source code files and more than 512,000 lines of code. 
The\u00a0<a href=\"https:\/\/github.com\/zackautocracy\/claude-code\">source code leak<\/a> has since <a href=\"https:\/\/ccleaks.com\/\">revealed<\/a> various features the company appears to be working on or that are built into the service, including an Undercover mode to hide AI authorship from contributions to public code repositories, a persistent background agent called KAIROS, combat distillation attacks, and <a href=\"https:\/\/alex000kim.com\/posts\/2026-03-31-claude-code-source-leak\/#frustration-detection-via-regex-yes-regex\">active monitoring<\/a> of words and phrases that show signs of user frustration. The\u00a0leak also quickly escalated into a cybersecurity threat, as attackers pounced on the surge in interest to lure developers into downloading stealer malware.<\/li>\n<\/ul>\n<h2 style=\"text-align: left;\"><strong>\ud83d\udd25 Trending\u00a0CVEs<\/strong><\/h2>\n<p>New vulnerabilities show up every week, and the window between disclosure and exploitation keeps getting shorter. 
The\u00a0flaws below are this week\u2019s most critical \u2014 high-severity, widely used software, or already drawing attention from the security community.<\/p>\n<p>Check these first, patch what applies, and don\u2019t wait on the ones marked urgent\u00a0\u2014 CVE-2026-35616 (Fortinet FortiClient\u00a0EMS), CVE-2026-20093 (Cisco Integrated Management Controller), CVE-2026-20160 (Cisco Smart Software Manager\u00a0On-Prem), CVE-2026-5281 (Google\u00a0Chrome), CVE-2026-3502 (TrueConf), <a href=\"https:\/\/grafana.com\/blog\/grafana-security-release-critical-and-high-severity-security-fixes-for-cve-2026-27876-and-cve-2026-27880\/\">CVE-2026-27876, CVE-2026-27880<\/a> (Grafana), <a href=\"https:\/\/kb.cert.org\/vuls\/id\/655822\">CVE-2026-4789<\/a> (Kyverno), <a href=\"https:\/\/kb.cert.org\/vuls\/id\/221883\">CVE-2026-2275, CVE-2026-2285, CVE-2026-2286, CVE-2026-2287<\/a>\u00a0(CrewAI), <a href=\"https:\/\/notepad-plus-plus.org\/news\/v893-released\/\">CVE-2025-14819<\/a> (Notepad++), <a href=\"https:\/\/github.com\/vim\/vim\/security\/advisories\/GHSA-2gmj-rpqf-pxvh\">CVE-2026-34714<\/a>, <a href=\"https:\/\/github.com\/vim\/vim\/security\/advisories\/GHSA-8h6p-m6gr-mpw9\">CVE-2026-34982<\/a>\u00a0(<a href=\"https:\/\/blog.calif.io\/p\/mad-bugs-vim-vs-emacs-vs-claude\">Vim<\/a>), <a href=\"https:\/\/github.com\/n8n-io\/n8n\/security\/advisories\/GHSA-58qr-rcgv-642v\">CVE-2026-33660<\/a>, <a href=\"https:\/\/github.com\/n8n-io\/n8n\/security\/advisories\/GHSA-mxrg-77hm-89hv\">CVE-2026-33696<\/a>\u00a0(n8n), <a href=\"https:\/\/github.com\/axios\/axios\/security\/advisories\/GHSA-43fc-jf86-j433\">CVE-2026-25639<\/a>\u00a0(Axios), <a href=\"https:\/\/www.strongswan.org\/blog\/2026\/03\/23\/strongswan-vulnerability-(cve-2026-25075).html\">CVE-2026-25075<\/a>\u00a0(<a href=\"https:\/\/bishopfox.com\/blog\/strongswan-cve-2026-25075-integer-underflow-in-vpn-authentication\">strongSwan<\/a>), <a 
href=\"https:\/\/github.com\/nocobase\/nocobase\/security\/advisories\/GHSA-px3p-vgh9-m57c\">CVE-2026-34156<\/a> (NocoBase), <a href=\"https:\/\/kb.cert.org\/vuls\/id\/951662\">CVE-2026-3308<\/a> (Artifex\u00a0MuPDF), <a href=\"https:\/\/www.cisa.gov\/news-events\/ics-advisories\/icsa-26-090-02\">CVE-2026-1579<\/a> (PX4 Autopilot), <a href=\"https:\/\/labs.infoguard.ch\/advisories\/cve-2026-3991_symantec-dlp-agent_local-privilege-escalation\/\">CVE-2026-3991<\/a> (Symantec Data Loss Prevention Agent for\u00a0Windows), <a href=\"https:\/\/github.com\/0xJacky\/nginx-ui\/security\/advisories\/GHSA-fhh2-gg7w-gwpq\">CVE-2026-33026<\/a> (nginx-ui), <a href=\"https:\/\/github.com\/pnggroup\/libpng\/security\/advisories\/GHSA-m4pc-p4q3-4c7j\">CVE-2026-33416<\/a>, <a href=\"https:\/\/github.com\/pnggroup\/libpng\/security\/advisories\/GHSA-wjr5-c57x-95m2\">CVE-2026-33636<\/a>\u00a0(libpng), <a href=\"https:\/\/www.foxit.com\/support\/security-bulletins.html\">CVE-2026-3775, CVE-2026-3779<\/a> (Foxit PDF\u00a0Editor), <a href=\"https:\/\/heyitsas.im\/posts\/cups\/\">CVE-2026-34980, CVE-2026-34990<\/a> (CUPS),\u00a0and <a href=\"https:\/\/www.tp-link.com\/us\/support\/faq\/5047\/\">CVE-2026-34121<\/a> (TP-Link).<\/p>\n<h2 style=\"text-align: left;\"><strong>\ud83c\udfa5 Cybersecurity\u00a0Webinars<\/strong><\/h2>\n<ul>\n<li><a href=\"https:\/\/thehacker.news\/identity-maturity-2026?source=recap\">Learn How to Close Identity Gaps Using Insights from IT Leaders<\/a> \u2192 Identity programs face rising risk from disconnected apps, manual credentials, and expanding AI access. 
Based on 2026 insights from 600+ IT and security leaders, this session shows what to measure, fix, and do now to close identity gaps and regain control.<\/li>\n<li><a href=\"https:\/\/thehacker.news\/ghost-in-the-machine?source=recap\">Learn How to Build Secure AI Agents Using Identity, Visibility, and Control<\/a> \u2192 AI agents are already being used, but most teams don\u2019t know how to secure them properly. This session shows a clear, practical way to do it using three key ideas: identity, visibility, and control. You will see what real deployment looks like, how to track what agents do, and how to manage their behavior safely. It also explains how to secure AI systems today without waiting for standards to settle.<\/li>\n<\/ul>\n<h2 style=\"text-align: left;\"><strong>\ud83d\udcf0 Around the Cyber\u00a0World<\/strong><\/h2>\n<ul>\n<li><strong>Device Code Phishing Attacks Surge <\/strong>\u2014Device code phishing attacks, which abuse the OAuth device authorization grant flow to hijack accounts, have surged more than 37.5x\u00a0this year. Push\u00a0Security said it detected a 15x increase in device code phishing pages at the start of March 2026, indicating that the technique has finally entered mainstream adoption. \u00abThe technique tricks a user into issuing access tokens for an attacker-controlled application (not a device, confusingly),\u00bb the company <a href=\"https:\/\/pushsecurity.com\/blog\/device-code-phishing\/\">said<\/a>. \u00abAny app that supports device code logins can be a target. Popular examples include Microsoft, Google, Salesforce, GitHub, and AWS. That\u00a0said, Microsoft is, as always, much more heavily targeted at scale now than any other app.\u00bb This has been fueled by the emergence of EvilTokens (aka ANTIBOT), the first reported criminal PhaaS (Phishing-as-a-Service) toolkit that supports device code phishing. EvilTokens features a Cloudflare Workers frontend and a Railway backend for authentication. 
Early\u00a0iterations of the PhaaS kit emerged in January 2026. Another closed-source PhaaS kit called Venom offers device code phishing capabilities similar to EvilTokens. Some\u00a0of the other PhaaS kits that have incorporated this technique include SHAREFILE, CLURE, LINKID, AUTHOV, DOCUPOLL, FLOW_TOKEN, PAPRIKA, DCSTATUS, and DOLCE.<\/li>\n<li><strong>LinkedIn Comes Under Scanner for BrowserGate <\/strong>\u2014A newly published report called BrowserGate alleged that Microsoft\u2019s LinkedIn is using hidden JavaScript scripts on its website to scan visitors\u2019 browsers for thousands of installed Google Chrome extensions and collect device data without users\u2019 consent. \u00abLinkedIn scans for over 200 products that directly compete with its own sales tools, including Apollo, Lusha, and ZoomInfo,\u00bb the report <a href=\"https:\/\/browsergate.eu\/\">said<\/a>. \u00abBecause LinkedIn knows each user\u2019s employer, it can map which companies use which competitor products. It\u00a0is extracting the customer lists of thousands of software companies from their users\u2019 browsers without anyone\u2019s knowledge. Then\u00a0it uses what it finds. LinkedIn has already sent enforcement threats to users of third-party tools, using data obtained through this covert scanning to identify its targets.\u00bb The report also claimed LinkedIn loads an invisible tracking pixel from HUMAN Security, along with a separate fingerprinting script that runs from LinkedIn\u2019s servers and a third script from Google that runs silently on every page load. In\u00a0response to the findings, LinkedIn <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/linkedin-secretely-scans-for-6-000-plus-chrome-extensions-collects-data\/\">told<\/a> Bleeping Computer it scans for certain extensions that scrape data without members\u2019 consent in violation of its terms of service. 
The\u00a0company also claimed the report is from an individual who is \u00absubject to an account restriction for scraping and other violations of LinkedIn\u2019s Terms of Service.\u00bb<\/li>\n<li><strong>ICE Confirms Use of Paragon Spyware <\/strong>\u2014The U.S. Immigration and Customs Enforcement (ICE) <a href=\"https:\/\/cyberscoop.com\/ice-using-paragon-spyware-house-democrats-letter\/\">confirmed<\/a> it uses spyware developed by Paragon to \u00abidentify, disrupt, and dismantle Foreign Terrorist Organizations, addressing the escalating fentanyl epidemic and safeguarding national security.\u00bb Paragon\u2019s Graphite spyware has been found on the phones of journalists. WhatsApp last year said it disrupted a campaign that deployed the spyware against its users. The\u00a0governments of Australia, Canada, Cyprus, Denmark, Israel, and Singapore are suspected to be customers of the Israeli company.<\/li>\n<li><strong>Ex-Engineer Pleads Guilty to Extortion Campaign <\/strong>\u2014Daniel Rhyne, 59, of Kansas City, Missouri, <a href=\"https:\/\/www.justice.gov\/usao-nj\/pr\/former-employee-national-industrial-company-pleads-guilty-crimes-related-hacking\">pleaded guilty<\/a> to a failed data extortion campaign that targeted his former employer. Rhyne\u00a0was arrested in September 2024. According to court documents, Rhyne worked as a core infrastructure engineer at a U.S.-based industrial company headquartered in New Jersey. In\u00a0November 2023, the defendant executed a ransomware attack against the company and sent an extortion email to its employees, threatening to continue shutting down the firm\u2019s servers unless he was paid about 20 Bitcoin, which was valued at $750,000 at the time. Last\u00a0month, the U.S. Justice Department (DoJ) announced the conviction of Cameron Curry (aka Loot), a 27-year-old from Charlotte, North Carolina, for carrying out a cyber extortion scheme against a D.C.-based international technology company called Brightly Software. 
\u00abTrial evidence established that Curry misused his position to access the victim company\u2019s personnel and other sensitive corporate records, which he then used to carry out the cyber extortion scheme after he learned that his contract was not going to be renewed and that he would no longer be employed by the company,\u00bb the DoJ <a href=\"https:\/\/www.justice.gov\/usao-dc\/pr\/north-carolina-man-convicted-cyber-extortion-scheme-targeted-dc-based-tech-company\">said<\/a>. Between December 11, 2023, and January 24, 2024, Curry sent more than 60 emails to company executives and employees, stating he would disclose sensitive information unless he was paid $2.5\u00a0million in cryptocurrency. Brightly ended up paying $7,540 in Bitcoin.<\/li>\n<li><strong>Residential Proxies Bypass Reputation Systems <\/strong>\u2014Threat intelligence firm GreyNoise\u2019s analysis of 4 billion sessions targeting the edge over a 90-day period from November 29, 2025, to February 27, 2026, found that 39% of unique IP addresses targeting the edge originated from home internet connections, and that 78% vanish before any reputation system can flag them. \u00ab78% of residential IPs appear in only 1\u20132 sessions and are never observed again,\u00bb it <a href=\"https:\/\/www.greynoise.io\/blog\/invisible-army-why-ip-reputation-fails-against-rotation-economy\">said<\/a>. \u00abIP reputation is structurally broken against residential proxies. The\u00a0rotation rate exceeds the update cycle of any feed-based defense.\u00bb This behavior also makes source IPs indistinguishable from a legitimate user\u2019s connection. The\u00a0data also showed that 0.1% of residential sessions carry exploitation payloads, in contrast to 1.0% from hosting infrastructure, indicating that they are primarily used for network scanning and reconnaissance. The\u00a0residential proxy traffic is generated by IoT botnets and infected computers, with the networks also resilient against takedown efforts. 
\u00abAfter IPIDEA lost 40% of its nodes, operators backfilled within weeks,\u00bb GreyNoise said. \u00abEvery major takedown produces the same result \u2014 temporary disruption, then regeneration.\u00bb The company also recommended that \u00abDetection must shift from \u2018where is the traffic from?\u2019 to \u2018what is the traffic doing?\u2019 Device fingerprinting provides more durable detection because fingerprints survive IP rotation.\u00bb<\/li>\n<li><strong>Suspected N. Korea\u00a0Campaign Targets Cryptocurrency Companies Using React2Shell <\/strong>\u2014A new campaign has been observed systematically compromising cryptocurrency organizations by exploiting web application vulnerabilities such as React2Shell (CVE-2025-55182), pillaging AWS tenants with valid credentials, and exfiltrating proprietary exchange software containing hardcoded secrets. \u00abTheir targeting spans the crypto supply chain, from staking platforms, to exchange software providers, to the exchanges themselves,\u00bb Ctrl-Alt-Intel <a href=\"https:\/\/ctrlaltintel.com\/research\/DPRK-Crypto-Heist\/\">said<\/a>. The\u00a0threat intelligence firm has assessed the activity with moderate confidence to be aligned with North Korean cryptocurrency theft operations.<\/li>\n<li><strong>India Extends SIM-Binding Mandate <\/strong>\u2014The Indian government has extended its SIM-binding mandate through December 31, 2026, while shelving plans to require messaging apps to forcibly log out web-based sessions like WhatsApp Web every six hours. The\u00a0decision <a href=\"https:\/\/www.thehindu.com\/sci-tech\/technology\/government-shelves-periodic-web-logout-for-chat-apps-extends-sim-binding-to-december-31\/article70811929.ece\">comes<\/a> after the Broadband India Forum, which represents Meta and Google, warned the Department of Telecommunications (DoT) that the directions were unconstitutional. 
Under\u00a0the framework announced in November 2025, a messaging app account would be tied exclusively to the physical SIM card during registration. This\u00a0meant that users could access the messages and other content only when that SIM is present in the device. Companies were given 90 days (i.e., until the end of February 2026) to comply. While\u00a0SIM binding has been proposed as a way to combat spammers and cross\u2011border fraud, the move has raised feasibility and user experience concerns. According to Moneycontrol, WhatsApp is <a href=\"https:\/\/www.moneycontrol.com\/news\/business\/dot-extends-sim-binding-deadline-for-whatsapp-telegram-signal-to-year-end-13876716.html\">said<\/a> to be beta testing SIM binding on Android.<\/li>\n<li><strong>Russian Threat Actors Looking to Regain Access Through Compromised Infrastructure <\/strong>\u2014Russian threat actors like APT28 and Void Blizzard are attempting to regain access to computer systems they previously compromised to check if access is still available and whether the obtained credentials remain valid, CERT-UA has warned. \u00abUnfortunately, these attempts sometimes succeed if the root cause of the initial incident has not been completely eliminated,\u00bb the agency <a href=\"https:\/\/cip.gov.ua\/ua\/statics\/analitichni-materiali-derzhspeczv-yazku\">said<\/a>.<\/li>\n<li><strong>OkCupid Settles with FTC for Privacy Violations <\/strong>\u2014OkCupid and its owner, Match Group, <a href=\"https:\/\/www.ftc.gov\/news-events\/news\/press-releases\/2026\/03\/ftc-takes-action-against-match-okcupid-deceiving-users-sharing-personal-data-third-party\">reached<\/a> a settlement with the U.S. Federal Trade Commission over allegations that it did not inform its customers that nearly three million user photos were shared with Clarifai, a company that develops AI systems to identify and analyze images and videos. 
The\u00a0complaint also accused the dating site of sharing users\u2019 location information and other details without their consent. As\u00a0part of the settlement, OkCupid and Match did not admit or deny the allegations but agreed to a permanent prohibition that prevents them from misrepresenting how they use and share personal data.<\/li>\n<li><strong>New Android Malware Mirax Advertised <\/strong>\u2014A sophisticated new Android banking trojan named <a href=\"https:\/\/x.com\/KrakenLabs_Team\/status\/2029525839860163010\">Mirax<\/a> is being advertised as a private malware-as-a-service (MaaS) offering for up to $2,500 per month. The\u00a0malware enables customers to gain remote control over devices and includes specialized overlays for more than 700 different financial applications to steal credentials and other sensitive information. It\u00a0can also capture keystrokes, intercept SMS messages, record lock screen patterns, and use the infected device as a SOCKS5 proxy.<\/li>\n<li><strong>Venom Stealer Spreads via ClickFix <\/strong>\u2014A new malware-as-a-service (MaaS) platform dubbed <a href=\"https:\/\/www.blackfog.com\/venom-stealer-turns-clickfix-into-a-full-exfiltration-pipeline\/\">Venom Stealer<\/a> is being sold on cybercrime forums as a subscription ($250\/month to $1,800 for lifetime access). It\u2019s marketed as \u00abthe Apex Predator of Wallet Extraction.\u00bb Unlike other stealers, it automates credential theft and enables continuous data exfiltration. \u00abIt builds ClickFix social engineering directly into the operator panel, automates every step after initial access, and creates a continuous exfiltration pipeline that does not end when the initial payload finishes running,\u00bb BlackFog said. 
The\u00a0development coincides with a new <a href=\"https:\/\/www.cyberproof.com\/blog\/the-clickfix-evolution-new-variant-replaces-powershell-with-rundll32-and-webdav\/\">ClickFix variant<\/a> that replaces PowerShell with a \u00abrundll32.exe\u00bb command to download a DLL from an attacker-controlled WebDAV resource. The\u00a0attack leads to the execution of a secondary loader called SkimokKeep, which then downloads additional payloads, while incorporating anti-sandboxing and anti-debugging mechanisms. In\u00a0the meantime, <a href=\"https:\/\/mp.weixin.qq.com\/s\/0M1sZq1HqwAAaMbRDBEZEw\">recent ClickFix campaigns<\/a> have also leveraged searches for installation tutorials for OpenClaw, Claude, and other AI tools, as well as for common macOS issues to push stealer malware like MacSync.<\/li>\n<li><strong>More Information Stealers Spotted <\/strong>\u2014Speaking of stealers, recent campaigns have also been observed using procurement-themed email lures and fake Homebrew install guides served via sponsored search results to deliver <a href=\"https:\/\/www.group-ib.com\/blog\/phantom-stealer-credential-theft\/\">Phantom Stealer<\/a> and <a href=\"https:\/\/github.com\/PaloAltoNetworks\/Unit42-timely-threat-intel\/blob\/main\/2026-03-31-SHub-Stealer-Activity.txt\">SHub Stealer<\/a>. Some\u00a0other newly discovered infostealer malware families include <a href=\"https:\/\/www.varonis.com\/blog\/storm-infostealer\">Storm<\/a>, <a href=\"https:\/\/www.levelblue.com\/blogs\/spiderlabs-blog\/say-my-name-how-miolab-is-building-macos-stealer-empire\">MioLab<\/a>, and <a href=\"https:\/\/www.gendigital.com\/blog\/insights\/research\/torg-grabber-credential-stealer-analysis\">Torg Grabber<\/a>. In\u00a0a related development, CyberProof <a href=\"https:\/\/www.cyberproof.com\/blog\/a-deep-dive-into-pxa-stealer\/\">said<\/a> it observed a surge in PXA Stealer activity targeting global financial institutions during Q1 2026. 
Another malware that has <a href=\"https:\/\/www.splunk.com\/en_us\/blog\/security\/blankgrabber-trojan-stealer-analysis-detection.html\">gained notoriety<\/a> is BlankGrabber, which is distributed through social engineering and phishing campaigns. Data\u00a0gathered by Flare <a href=\"https:\/\/flare.io\/learn\/resources\/blog\/victim-profiling-stealer-malware\">shows<\/a> that a single stealer log can be devastating, with individual logs containing up to 1,381 pieces of personally identifiable information. In\u00a0an analysis published by Whiteintel last month, the company found that a single careless download of cracked software by one employee can hand criminal groups direct access to an entire corporate network in under two days. \u00abAn employee downloads cracked software on Tuesday afternoon,\u00bb it <a href=\"https:\/\/whiteintel.io\/blog\/infostealer-lifecycle-48-hours\">said<\/a>. \u00abBy Thursday morning, their credentials are listed on the Russian Market for $15. Corporate VPN access, AWS credentials, session tokens that bypass MFA \u2013 all packaged and ready for purchase.\u00bb<\/li>\n<li><strong>Phishing Campaign Targets Philippine Banking Users <\/strong>\u2014An ongoing phishing campaign targeting major banks in the Philippines is using email phishing via compromised accounts as the initial vector to harvest online banking credentials and one-time passwords (OTPs) for financial fraud. According to Group-IB, the campaign began in early 2024, distributing over 900 malicious links as part of the coordinated scheme. Clicking on the link embedded in the email message triggers a redirection chain that uses trusted services like Google Business, AMP CDN, Cloudflare Workers, and URL shorteners before taking the victims to the final landing page. 
\u00abThe campaign enables real-time financial fraud by bypassing MFA mechanisms through the theft of valid One-Time Passwords (OTP), allowing attackers to perform unauthorized fund transfers,\u00bb the company <a href=\"https:\/\/www.group-ib.com\/blog\/phisles-phishing-banks-philippines\/\">said<\/a>. \u00abTelegram bots were used as exfiltration channels, enabling threat actors to automatically collect victims\u2019 login information in real time.\u00bb The activity has been attributed to a threat group called PHISLES.<\/li>\n<li><strong>Chrome Extension Harvests ChatGPT Conversations <\/strong>\u2014A malicious Chrome extension, named \u00abChatGPT Ad Blocker\u00bb (ID: ipmmidjikiklckbngllogmggoofbhjikgb), found on the Chrome Web Store masquerades as an ad-blocking tool for the AI chatbot, but contains functionality to \u00absteal the user\u2019s ChatGPT conversations data by systematically copying the HTML page and sending it to a webhook on a private Discord channel,\u00bb DomainTools <a href=\"https:\/\/dti.domaintools.com\/securitysnacks\/securitysnack-openai-anti-ads-malware\">said<\/a>.<\/li>\n<li><strong>Iran Conflict Triggers Espionage Activity in Middle East <\/strong>\u2014In the aftermath of the U.S.-Israel-Iran conflict, Proofpoint <a href=\"https:\/\/www.proofpoint.com\/us\/blog\/threat-insight\/iran-conflict-drives-heightened-espionage-activity-against-middle-east-targets\">said<\/a> it has recorded an increase in campaigns from state-sponsored threat actors likely affiliated with China (UNK_InnerAmbush, which uses phishing emails to deliver a <a href=\"https:\/\/www.pointwild.com\/threat-intelligence\/cobalt-strike-overview\">Cobalt Strike<\/a> payload), Belarus (TA473, which has used HTML attachments in emails for reconnaissance), Pakistan (UNK_RobotDreams, which has sent spear-phishing emails to India-based offices of Middle East government entities to deliver a Rust backdoor), and Hamas (TA402, which has used compromised Iraq government 
email addresses to conduct Microsoft account credential harvesting) targeting Middle East government organizations. The\u00a0enterprise security company said it also identified the Charming Kitten actor targeting a think tank in the U.S. to\u00a0trick recipients into entering their Microsoft account credentials. One\u00a0activity cluster that remains unattributed is UNK_NightOwl. The\u00a0email messages include a domain that spoofed Microsoft OneDrive, leading the victim to a credential harvesting page. If\u00a0the user enters credentials and clicks the sign-in button, the target is redirected to \u00abhxxps:\/\/iran.liveuamap[.]com\/,\u00bb a legitimate open-source platform called Liveuamap with news updates on the Middle East conflict.<\/li>\n<li><strong>U.K. Warns\u00a0of Messaging App Targeting <\/strong>\u2014The U.K. National Cyber Security Centre (NCSC) became the latest cybersecurity agency to warn of <a href=\"https:\/\/www.ncsc.gov.uk\/news\/ncsc-warns-of-messaging-app-targeting\">malicious activity<\/a> from messaging apps like WhatsApp, Messenger, and Signal, where threat actors could trick high-risk individuals into sharing their login or account recovery codes, or linking an attacker-controlled device under their accounts.<\/li>\n<\/ul>\n<h2 style=\"text-align: left;\"><strong>\ud83d\udd27 Cybersecurity\u00a0Tools<\/strong><\/h2>\n<ul>\n<li><a href=\"https:\/\/github.com\/step-security\/dev-machine-guard\">Dev Machine Guard<\/a> \u2192 It is an open-source script that scans a developer machine to list installed tools and detect security risks across IDEs, AI agents, extensions, and configurations, without accessing source code or secrets, helping expose gaps traditional tools miss in developer environments.<\/li>\n<li><a href=\"https:\/\/github.com\/praetorian-inc\/pius\">Pius<\/a> \u2192 It is an open-source tool that maps a company\u2019s external attack surface by discovering and cataloging internet-facing assets, helping security teams identify 
exposure and reconnaissance risks that could be targeted by attackers.<\/li>\n<\/ul>\n<p><em>Disclaimer: For research and educational use only. Not\u00a0security-audited. Review\u00a0all code before use, test in isolated environments, and ensure compliance with applicable\u00a0laws.<\/em><\/p>\n<h2 style=\"text-align: left;\"><strong>Conclusion<\/strong><\/h2>\n<p>The lesson is simple. Small\u00a0things matter. Most\u00a0issues now start from normal parts of the system, not big, obvious\u00a0gaps.<\/p>\n<p>Don\u2019t trust anything just because it looks routine. Updates, tools, and background systems can all\u00a0be used in the wrong\u00a0way. If\u00a0it seems low risk, check it again. That\u2019s where the problems are starting\u00a0now.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>This\u00a0week had real hits. The\u00a0key software got tampered with. Active\u00a0bugs showed up in the tools people use every day. Some\u00a0attacks didn\u2019t even need much effort because the path was already\u00a0there. One weak spot now spreads wider than before. What\u00a0starts small can reach a lot of systems fast. New\u00a0bugs, faster use, less time to\u00a0react. 
That\u2019s this [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[25,5],"tags":[305,1418,17,24,144,1568,820,1530,1586],"class_list":["post-466","post","type-post","status-publish","format-standard","hentry","category-noticias","category-trending","tag-0day","tag-axios","tag-chrome","tag-cyberdefensa-mx","tag-exploits","tag-fortinet","tag-hack","tag-paragon","tag-spyware"],"_links":{"self":[{"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/posts\/466","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/comments?post=466"}],"version-history":[{"count":0,"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/posts\/466\/revisions"}],"wp:attachment":[{"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/media?parent=466"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/categories?post=466"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/tags?post=466"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}