Security News

Cybersecurity news aggregator

CRITICAL News The Hacker News

⚡ Weekly Recap: Axios Hack, Chrome 0-Day, Fortinet Exploits, Paragon Spyware and More

The article details a supply chain attack in which North Korea-linked threat actors (UNC1069) took over the npm account of the lead maintainer of Axios and published malicious versions carrying the WAVESHAPER.V2 malware, abusing trust in a widely used dependency to reach downstream applications at scale. It also covers an actively exploited Chrome zero-day, CVE-2026-5281, a use-after-free in the Dawn WebGPU implementation that is fixed in Chrome 146.0.7680.177/178 for Windows and macOS and 146.0.7680.177 for Linux. The key takeaway is the need to secure CI/CD pipelines and treat build-time dependencies as part of the attack surface.
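As an added illustration of that takeaway, and not code from The Hacker News article or from the Axios project, the Node.js script below audits an npm package-lock.json and diffs it against the previously committed one, surfacing the signals a hijacked-maintainer release leaves behind: a direct dependency that floated to a new version through a caret range, a tarball whose hash changed without its version changing, and a new package fetched without an integrity hash from outside the registry. All package names, versions, hashes and URLs in it are constructed placeholders, and the single trusted registry is an assumption.

```javascript
// Added example, not code from The Hacker News article or from the Axios project:
// audit an npm package-lock.json (lockfileVersion 2/3) and diff it against the
// previously committed one, surfacing the signals a hijacked-maintainer release
// leaves behind. All package names, versions, hashes and URLs below are
// constructed placeholders, not real releases.

const EXPECTED_REGISTRY = "https://registry.npmjs.org/"; // assumption: the only trusted tarball source

// Lockfile committed before the install: one direct dependency with a floating
// range, one transitive dependency. (Constructed sample data.)
const previousLock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "example-http": "^1.2.0" } },
    "node_modules/example-http": {
      version: "1.2.3",
      resolved: "https://registry.npmjs.org/example-http/-/example-http-1.2.3.tgz",
      integrity: "sha512-AAAAexampleAAAA",
    },
    "node_modules/example-util": {
      version: "0.9.0",
      resolved: "https://registry.npmjs.org/example-util/-/example-util-0.9.0.tgz",
      integrity: "sha512-BBBBexampleBBBB",
    },
  },
};

// Lockfile after a fresh `npm install` on a CI runner. (Constructed sample data.)
const currentLock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "example-http": "^1.2.0" } },
    "node_modules/example-http": {        // floating range pulled a new patch release
      version: "1.2.4",
      resolved: "https://registry.npmjs.org/example-http/-/example-http-1.2.4.tgz",
      integrity: "sha512-CCCCexampleCCCC",
    },
    "node_modules/example-util": {        // same version, different tarball hash
      version: "0.9.0",
      resolved: "https://registry.npmjs.org/example-util/-/example-util-0.9.0.tgz",
      integrity: "sha512-DDDDexampleDDDD",
    },
    "node_modules/example-telemetry": {   // new, unhashed, fetched off-registry
      version: "0.0.1",
      resolved: "https://cdn.example.invalid/example-telemetry-0.0.1.tgz",
    },
  },
};

// Name of the package a "packages" key refers to:
// "node_modules/a/node_modules/@scope/b" -> "@scope/b".
function packageName(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Exact semver only; ^, ~, *, ranges, dist-tags and URLs all float.
function isPinned(spec) {
  return /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/.test(spec);
}

// Single-snapshot checks: direct dependencies pinned, every tarball hashed and
// fetched from the expected registry.
function auditLock(lock, registry = EXPECTED_REGISTRY) {
  const findings = [];
  const rootDeps = (lock.packages[""] || {}).dependencies || {};
  for (const [name, spec] of Object.entries(rootDeps)) {
    if (!isPinned(spec)) findings.push({ severity: "warn", pkg: name, reason: `floating range ${spec}` });
  }
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === "" || entry.link) continue; // root entry and workspace symlinks have no tarball
    const pkg = packageName(path);
    if (!entry.integrity) findings.push({ severity: "high", pkg, reason: "no integrity hash" });
    if (!entry.resolved || !entry.resolved.startsWith(registry)) {
      findings.push({ severity: "high", pkg, reason: `resolved outside registry: ${entry.resolved}` });
    }
  }
  return findings;
}

// Cross-snapshot checks. An unchanged version whose integrity hash changed means
// the bytes behind a published version changed; the registry does not let a
// publisher replace an already published version, so treat that as critical.
// Version bumps are graded by how they got in: pinned direct (expected),
// floating direct, or transitive.
function diffLocks(prev, cur) {
  const findings = [];
  const rootDeps = (cur.packages[""] || {}).dependencies || {};
  for (const [path, entry] of Object.entries(cur.packages)) {
    if (path === "") continue;
    const pkg = packageName(path);
    const old = prev.packages[path];
    if (!old) {
      findings.push({ severity: "info", pkg, reason: `new package ${entry.version}` });
    } else if (old.version === entry.version && old.integrity !== entry.integrity) {
      findings.push({ severity: "critical", pkg, reason: `integrity changed for unchanged version ${entry.version}` });
    } else if (old.version !== entry.version) {
      const spec = rootDeps[pkg];
      const how = spec === undefined ? "transitive" : isPinned(spec) ? "pinned direct" : `floating direct ${spec}`;
      const severity = spec !== undefined && isPinned(spec) ? "info" : "warn";
      findings.push({ severity, pkg, reason: `${old.version} -> ${entry.version} (${how})` });
    }
  }
  return findings;
}

// Gate for a CI step: block the build on anything at or above the threshold.
const RANK = { info: 0, warn: 1, high: 2, critical: 3 };
function shouldBlock(findings, threshold = "high") {
  return findings.some((f) => RANK[f.severity] >= RANK[threshold]);
}

const report = [...diffLocks(previousLock, currentLock), ...auditLock(currentLock)];
for (const f of report) console.log(`${f.severity.padEnd(8)} ${f.pkg}: ${f.reason}`);
console.log(shouldBlock(report) ? "BLOCK: lockfile drift needs review" : "OK");
```

Run a check like this against the committed lockfile before `npm ci` in the pipeline, and pair it with `npm ci --ignore-scripts` where install-time scripts are not needed: lockfile checks say nothing about what a tarball does once its lifecycle scripts run, which is exactly where a malicious release does its work.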

⚡ Weekly Recap: Axios Hack, Chrome 0-Day, Fortinet Exploits, Paragon Spyware and More
Ravie Lakshmanan, Apr 06, 2026, Cybersecurity / Hacking

This week had real hits. Key software got tampered with. Actively exploited bugs showed up in the tools people use every day. Some attacks did not need much effort because the path was already there. One weak spot now spreads wider than before: what starts small can reach a lot of systems fast. New bugs, faster exploitation, less time to react. That's this week. Read through it.

⚡ Threat of the Week

Axios npm Package Compromised by N. Korean Hackers — Threat actors with ties to North Korea seized control of the npm account belonging to the lead maintainer of Axios, a popular npm package with nearly 100 million weekly downloads, and used it to push malicious versions containing a cross-platform malware dubbed WAVESHAPER.V2. The activity has been attributed to a financially motivated threat actor known as UNC1069. The incident demonstrates how quickly the compromise of a popular npm package can ripple through the ecosystem. The malware's self-deleting anti-forensic cleanup points to a deliberate, planned operation.

"The build pipeline is becoming the new front line. Attackers know that if they can compromise the systems that build and distribute software, they can inherit trust at scale," Avital Harel, Security Researcher at Upwind, said. "That's what makes these attacks so dangerous -- they're not just targeting one application, they're targeting the process behind many of them. Organizations should be looking much more closely at CI/CD systems, package dependencies, and developer environments, because that's increasingly where attackers are placing their bets."

Ismael Valenzuela, vice president of Labs, Threat Research, and Intelligence at Arctic Wolf, said the Axios npm compromise reflects a broader trend in which attackers infiltrate trusted, widely used software components to gain access to downstream customers at scale.

"Even though the malicious versions were available for only a few hours, Axios is so deeply embedded across enterprise applications that organizations may have unknowingly pulled the compromised code into their environments through build pipelines or downstream dependencies," Valenzuela added. "That downstream exposure is what makes these incidents particularly difficult to spot and contain, especially for teams that never directly chose to install Axios themselves. This incident reinforces that security teams need to treat build-time tools and dependencies as part of the attack surface and not just trust tools by default."

🔔 Top News

Google Patches Actively Exploited Chrome 0-Day — Google released security updates for its Chrome web browser to address 21 vulnerabilities, including a zero-day flaw that it said has been exploited in the wild. The high-severity vulnerability, CVE-2026-5281 (CVSS score: N/A), is a use-after-free bug in Dawn, an open-source, cross-platform implementation of the WebGPU standard. Users are advised to update Chrome to versions 146.0.7680.177/178 for Windows and Apple macOS, and 146.0.7680.177 for Linux. Google did not reveal how the vulnerability is being exploited or who is behind the exploitation.

TrueConf 0-Day Exploited in Attacks Targeting Government Entities in Southeast Asia — Chinese hackers have exploited a zero-day vulnerability in the TrueConf video conferencing software in attacks against government entities in Southeast Asia. The exploited flaw, tracked as CVE-2026-3502 (CVSS score: 7.8), stems from a lack of integrity checks when fetching application update code, allowing an attacker to distribute a tampered update.
"The compromised TrueConf on-premises server was operated by the governmental IT department and served as a video conferencing platform for dozens of government entities across the country, which were all supplied with the same malicious update," Check Point said. The activity, which began in January 2026, involved the deployment of the Havoc framework. Most infections likely began with a link sent to the victims. TrueConf is used widely across organizations in Asia, Europe, and the Americas, serving about 100,000 organizations globally. Fortinet FortiClient EMS Flaw Under Attack —Fortinet released out-of-band patches for a critical security flaw impacting FortiClient EMS (CVE-2026-35616) that it said has been exploited in the wild. The vulnerability has been described as a pre-authentication API access bypass leading to privilege escalation. Exploitation efforts against CVE-2026-35616 were first recorded against its honeypots on March 31, 2026, per watchTowr. The development comes days after another recently patched, critical vulnerability in FortiClient EMS (CVE-2026-21643) came under active exploitation. Apple Backports DarkSword Fixes to More Devices —Apple expanded the availability of iOS 18.7.7 and iPadOS 18.7.7 to a broader range of devices to protect users from the risk posed by a recently disclosed exploit kit known as DarkSword. The update targets customers whose devices are capable of upgrading to the newest operating system (iOS 26), but have chosen to remain on iOS 18. Apple has taken the unprecedented step to counter risks posed by an exploit kit called DarkSword. The broader availability of the patches underscores the level of threat that malware like DarkSword poses. The fact that a large number of users were still using iOS 18, combined with the leak of a new version of DarkSword on GitHub, has pushed Apple towards releasing the fix so that they can stay protected without the need for updating to iOS 26. 
The leak is significant because it puts the exploit kit within reach of less technically savvy cybercriminals.

ClickFix Attack Leads to DeepLoad Malware — The ClickFix technique is being used to deliver a stealthy malware named DeepLoad that can steal credentials and intercept browser interactions. The malware first surfaced on a dark web cybercrime forum in early February 2026, when a threat actor using the alias "MysteryHack" advertised it as a "centralized panel for multiple types of malware." According to ZeroFox, "DeepLoad's design is explicitly focused on actively facilitating real-time cryptocurrency theft, which almost certainly makes it an attractive malware suite in the cybercrime-as-a-service (CaaS) environment." The malware has since been distributed to Windows systems through ClickFix lures posing as fixes for fake browser error messages. Besides stealing credentials, it drops a rogue browser extension to intercept sensitive data and spreads via removable USB drives. DeepLoad's actual attack logic is buried under layers of obfuscation, raising the possibility that parts of the malware were developed with an artificial intelligence (AI) model.

Claude Code Source Code Leaks — Anthropic acknowledged that internal code for its popular artificial intelligence (AI) coding assistant, Claude Code, had been inadvertently released due to human error. When Anthropic pushed out version 2.1.88 of its Claude Code npm package, it accidentally included a source map file that exposed nearly 2,000 source code files and more than 512,000 lines of code.
The source code leak has since revealed various features the company appears to be working on or that are built into the service, including an Undercover mode to hide AI authorship of contributions to public code repositories, a persistent background agent called KAIROS, measures to counter distillation attacks, and active monitoring of words and phrases that signal user frustration. The leak also quickly became a security threat in its own right, as attackers exploited the surge in interest to lure developers into downloading stealer malware.

🔥 Trending CVEs

New vulnerabilities show up every week, and the window between disclosure and exploitation keeps getting shorter. The flaws below are this week's most critical: high severity, widely used software, or already drawing attention from the security community. Check these first, patch what applies, and don't wait on the ones marked urgent: CVE-2026-35616 (Fortinet FortiClient EMS), CVE-2026-20093 (Cisco Integrated Management Controller), CVE-2026-20160 (Cisco Smart Software Manager On-Prem), CVE-2026-5281 (Google Chrome), CVE-2026-3502 (TrueConf), CVE-2026-27876, CVE-2026-27880 (Grafana), CVE-2026-4789 (Kyverno), CVE-2026-2275, CVE-2026-2285, CVE-2026-2286, CVE-2026-2287 (CrewAI), CVE-2025-14819 (Notepad++), CVE-2026-34714, CVE-2026-34982 (Vim), CVE-2026-33660, CVE-2026-33696 (n8n), CVE-2026-25639 (Axios), CVE-2026-25075 (strongSwan), CVE-2026-34156 (NocoBase), CVE-2026-3308 (Artifex MuPDF), CVE-2026-1579 (PX4 Autopilot), CVE-2026-3991 (Symantec Data Loss Prevention Agent for Windows), CVE-2026-33026 (nginx-ui), CVE-2026-33416, CVE-2026-33636 (libpng), CVE-2026-3775, CVE-2026-3779 (Foxit PDF Editor), CVE-2026-34980, CVE-2026-34990 (CUPS), and CVE-2026-34121 (TP-Link).

🎥 Cybersecurity Webinars

Learn How to Close Identity Gaps Using Insights from IT Leaders → Identity programs face rising risk from disconnected apps, manual credentials, and expanding AI access.
Based on 2026 insights from 600+ IT and security leaders, this session shows what to measure, fix, and do now to close identity gaps and regain control.

Learn How to Build Secure AI Agents Using Identity, Visibility, and Control → AI agents are already being used, but most teams don't know how to secure them properly. This session shows a clear, practical way to do it using three key ideas: identity, visibility, and control. You will see what real deployment looks like, how to track what agents do, and how to manage their behavior safely. It also explains how to
