← Latest brief

Security news.

·Morning Brief

Today's security news highlights critical supply chain attacks, particularly involving NPM packages, and ongoing zero-day exploits. Google has addressed multiple vulnerabilities, including a Chrome zero-day and security issues in its Vertex AI platform, while also attributing a significant supply chain compromise to a North Korean threat group.

BLEEPINGZERO-DAY
Apr 1READ

Google fixes fourth Chrome zero-day exploited in attacks in 2026

Google has patched another zero-day vulnerability in Chrome, marking the fourth such flaw exploited in active attacks since the beginning of the year.

THNSUPPLY CHAIN
Apr 1READ

Google Attributes Axios npm Supply Chain Attack to North Korean Group UNC1069

Google has formally attributed the supply chain compromise of the popular Axios npm package to a financially motivated North Korean threat cluster tracked as UNC1069.

SECURITYWEEKSUPPLY CHAIN
Apr 1READ

Axios NPM Package Breached in North Korean Supply Chain Attack

A long-lived NPM access token was used to bypass GitHub Actions OIDC-based CI/CD publishing workflow to push backdoored package versions of the Axios NPM package.

SECURITYWEEKEXPLOIT
Apr 1READ

Google Addresses Vertex Security Issues After Researchers Weaponize AI Agents

Palo Alto Networks disclosed details of its analysis of Google Cloud Platform’s Vertex AI, prompting Google to address identified security issues.

THNBREACH
Apr 1READ

Claude Code Source Leaked via npm Packaging Error, Anthropic Confirms

Anthropic confirmed that internal code for its AI coding assistant, Claude Code, was inadvertently released due to a human error in npm packaging, though no sensitive customer data was exposed.

BLEEPINGPRIVACY
Apr 1READ

FBI warns against using Chinese mobile apps due to privacy risks

The FBI has issued a warning to Americans regarding the use of foreign-developed mobile applications, specifically highlighting those from Chinese developers, due to potential data security and privacy risks.

THNZERO-DAY
Mar 31READ

TrueConf Zero-Day Exploited in Attacks on Southeast Asian Government Networks

A high-severity flaw (CVE-2026-3502) in TrueConf client video conferencing software has been exploited as a zero-day in a campaign dubbed "TrueChaos" targeting government entities in Southeast Asia.

CISAKEV
Mar 30READ

CISA Adds One Known Exploited Vulnerability to Catalog

CISA has added CVE-2026-3055, a Citrix NetScaler Out-of-Bounds Read Vulnerability, to its KEV Catalog due to evidence of active exploitation.

Generated twice daily from public security RSS feeds. Informational only.