Security news.
Today's security landscape is marked by critical vulnerabilities and active exploitation, with a zero-day in TrueConf impacting Asian governments and critical flaws in ShareFile leading to unauthenticated RCE. Supply chain attacks continue to be a significant threat, highlighted by a social engineering campaign against the Axios npm package maintainer.
TrueConf Zero-Day Exploited in Asian Government Attacks
A Chinese threat actor exploited a zero-day in the TrueConf video conferencing platform for reconnaissance, privilege escalation, and payload execution against Asian government entities. CISA has added CVE-2026-3502 to its KEV catalog.
Critical ShareFile Flaws Lead to Unauthenticated RCE
Multiple critical vulnerabilities in ShareFile can be chained to bypass authentication and upload arbitrary files, leading to unauthenticated remote code execution.
UNC1069 Social Engineering Led to npm Supply Chain Attack on Axios
North Korean threat actors (UNC1069) used a highly-targeted social engineering campaign against the Axios npm package maintainer, resulting in a supply chain compromise.
Drift Loses $285 Million in Durable Nonce Social Engineering Attack Linked to DPRK
Solana-based decentralized exchange Drift confirmed a security incident on April 1, 2026, where attackers drained approximately $285 million using a novel durable nonce attack to gain unauthorized access and administrative control.
React2Shell Exploited in Large-Scale Credential Harvesting Campaign
A large-scale credential harvesting operation exploited the React2Shell vulnerability (CVE-2025-55182) to compromise over 750 systems and steal various sensitive credentials and tokens.
New SparkCat Variant in iOS, Android Apps Steals Crypto Wallet Recovery Phrase Images
A new version of the SparkCat malware has been found on Apple App Store and Google Play Store, hidden in benign apps, and is designed to steal crypto wallet recovery phrase images.
CERT-EU: European Commission Hack Exposes Data of 30 EU Entities
The European Union's Cybersecurity Service (CERT-EU) attributed a cloud hack of the European Commission to the TeamPCP threat group, exposing data from at least 29 other EU entities.
Man Admits to Locking Thousands of Windows Devices in Extortion Plot
A former core infrastructure engineer pleaded guilty to locking Windows admins out of 254 servers as part of a failed extortion plot against his industrial company employer.