← Latest brief

Security news.

·Morning Brief

Today's security landscape is marked by critical vulnerabilities and active exploitation, with a zero-day in TrueConf impacting Asian governments and critical flaws in ShareFile leading to unauthenticated RCE. Supply chain attacks continue to be a significant threat, highlighted by a social engineering campaign against the Axios npm package maintainer.

SECURITYWEEKZERO-DAY
Apr 3READ

TrueConf Zero-Day Exploited in Asian Government Attacks

A Chinese threat actor exploited a zero-day in the TrueConf video conferencing platform for reconnaissance, privilege escalation, and payload execution against Asian government entities. CISA has added CVE-2026-3502 to its KEV catalog.

SECURITYWEEKRCE
Apr 3READ

Critical ShareFile Flaws Lead to Unauthenticated RCE

Multiple critical vulnerabilities in ShareFile can be chained to bypass authentication and upload arbitrary files, leading to unauthenticated remote code execution.

THNSUPPLY CHAIN
Apr 3READ

UNC1069 Social Engineering Led to npm Supply Chain Attack on Axios

North Korean threat actors (UNC1069) used a highly-targeted social engineering campaign against the Axios npm package maintainer, resulting in a supply chain compromise.

THNPOLICY
Apr 3READ

Drift Loses $285 Million in Durable Nonce Social Engineering Attack Linked to DPRK

Solana-based decentralized exchange Drift confirmed a security incident on April 1, 2026, where attackers drained approximately $285 million using a novel durable nonce attack to gain unauthorized access and administrative control.

SECURITYWEEKEXPLOIT
Apr 3READ

React2Shell Exploited in Large-Scale Credential Harvesting Campaign

A large-scale credential harvesting operation exploited the React2Shell vulnerability (CVE-2025-55182) to compromise over 750 systems and steal various sensitive credentials and tokens.

THN
Apr 3READ

New SparkCat Variant in iOS, Android Apps Steals Crypto Wallet Recovery Phrase Images

A new version of the SparkCat malware has been found on Apple App Store and Google Play Store, hidden in benign apps, and is designed to steal crypto wallet recovery phrase images.

BREACH
READ

CERT-EU: European Commission Hack Exposes Data of 30 EU Entities

The European Union's Cybersecurity Service (CERT-EU) attributed a cloud hack of the European Commission to the TeamPCP threat group, exposing data from at least 29 other EU entities.

BLEEPING
Apr 3READ

Man Admits to Locking Thousands of Windows Devices in Extortion Plot

A former core infrastructure engineer pleaded guilty to locking Windows admins out of 254 servers as part of a failed extortion plot against his industrial company employer.

Generated twice daily from public security RSS feeds. Informational only.