Executive Summary
- $285 million Drift hack attributed to six-month DPRK social engineering operation demonstrates sustained threat actor persistence and sophistication
- Critical FortiClient EMS vulnerability (CVE-2026-35616, CVSS 9.1) actively exploited in the wild; emergency patches released
- 36 malicious npm packages disguised as Strapi plugins targeting Redis/PostgreSQL with persistent implants and credential harvesting
- China-linked TA416 targeting European governments with PlugX and OAuth-based phishing; device code attacks surged 37x YoY
- Supply chain attacks escalating: European Commission breach (300GB+ stolen), Axios npm hijacking, Trivy vulnerability exploitation
Top Threats Today
1. Critical FortiClient EMS Pre-Authentication RCE (CVE-2026-35616)
Severity: Critical | Affected: Technology, Government
Fortinet released emergency out-of-band patches for CVE-2026-35616, a pre-authentication API access bypass in FortiClient Enterprise Management Server (EMS) with a CVSS score of 9.1. Active exploitation in the wild has been confirmed. The vulnerability allows unauthenticated attackers to bypass security controls and achieve privilege escalation without valid credentials.
Recommended Action
- Apply Fortinet emergency patches immediately to all FortiClient EMS instances
- Review access logs and API calls for suspicious pre-authentication requests
- Isolate affected EMS systems from production networks until patched
- Implement network segmentation to restrict EMS access
2. DPRK-Attributed $285 Million Drift Social Engineering Campaign
Severity: Critical | Affected: Finance, Technology
The Democratic People's Republic of Korea (DPRK) conducted a meticulously planned six-month social engineering operation against Drift, culminating in the theft of $285 million on April 1, 2026. The campaign demonstrates the sophisticated targeting, extended persistence, and coordination typical of state-sponsored threat actors. Similar tactics previously attributed to DPRK include the compromise of an Axios npm maintainer account.
Recommended Action
- Audit employee communications for unusual contact from vendors, IT support, or external parties
- Implement multi-factor authentication on all critical accounts and enforce hardware security keys
- Conduct security awareness training emphasizing social engineering risks and verification protocols
- Review financial transaction logs for suspicious activity dating back six months
- Establish vendor communication verification procedures independent of email/messaging
3. Supply Chain Attack Wave: 36 Malicious npm Packages and European Commission Breach
Severity: Critical | Affected: Technology, Government
Thirty-six malicious npm packages disguised as Strapi CMS plugins were discovered targeting Redis and PostgreSQL with persistent implants, reverse shells, and credential harvesting. Concurrently, the European Commission suffered a 300GB+ data breach via a TeamPCP supply chain attack that exploited a Trivy vulnerability. The Axios npm hijacking, carried out through social engineering of maintainers, demonstrates coordinated supply chain compromise. Together these attacks indicate systematic targeting of software dependencies.
Recommended Action
- Audit all npm package dependencies; remove or update any Strapi-related plugins from untrusted sources
- Review database access logs (Redis, PostgreSQL) for unauthorized connections or unusual queries
- Implement Software Composition Analysis (SCA) tools to detect malicious or vulnerable dependencies
- Restrict npm package installation to approved registries and verified publishers
- Patch all systems using Trivy or affected npm packages immediately
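As an added example of the dependency audit recommended above (not code from the brief or from any affected project), the script below reads an npm package-lock.json (lockfile v2/v3) and flags packages resolved outside an approved registry, Strapi-themed names outside the official @strapi scope, and packages that declare install lifecycle scripts. The lockfile, package names and URLs are constructed for illustration and are not real indicators.

```python
"""Audit an npm package-lock.json (lockfile v2/v3) for risky Strapi-related dependencies."""
import json

APPROVED_REGISTRIES = ("https://registry.npmjs.org/",)
OFFICIAL_STRAPI_SCOPE = "@strapi/"

# Constructed sample lockfile; package names and URLs are invented for illustration.
SAMPLE_LOCK = json.loads("""
{
  "name": "example-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-app", "version": "1.0.0"},
    "node_modules/@strapi/strapi": {"version": "5.0.0",
      "resolved": "https://registry.npmjs.org/@strapi/strapi/-/strapi-5.0.0.tgz"},
    "node_modules/strapi-plugin-fake-redis": {"version": "1.2.3",
      "resolved": "https://registry.npmjs.org/strapi-plugin-fake-redis/-/strapi-plugin-fake-redis-1.2.3.tgz",
      "hasInstallScript": true},
    "node_modules/pg-helper-example": {"version": "0.1.0",
      "resolved": "http://203.0.113.5/pg-helper-example-0.1.0.tgz"},
    "node_modules/lodash": {"version": "4.17.21",
      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz"}
  }
}
""")


def audit_lockfile(lock, approved=APPROVED_REGISTRIES):
    """Return packages that fail the registry, naming or install-script checks."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":  # the root project entry, not a dependency
            continue
        # Nested entries look like node_modules/a/node_modules/b; keep the leaf name.
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        reasons = []
        resolved = meta.get("resolved", "")
        if resolved and not resolved.startswith(approved):
            reasons.append(f"resolved outside approved registries: {resolved}")
        if "strapi" in name.lower() and not name.startswith(OFFICIAL_STRAPI_SCOPE):
            reasons.append("Strapi-themed name outside the official @strapi scope")
        if meta.get("hasInstallScript"):  # npm sets this for preinstall/install/postinstall
            reasons.append("declares an install lifecycle script")
        if reasons:
            findings.append({"package": name, "version": meta.get("version"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_lockfile(SAMPLE_LOCK):
        print(f"{f['package']}@{f['version']}: " + "; ".join(f["reasons"]))
```

Run it against a real lockfile with `audit_lockfile(json.load(open("package-lock.json")))`; a finding is a prompt to inspect the package, not proof that it is malicious.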
4. China-Linked TA416 Targeting European Governments with OAuth Phishing
Severity: High | Affected: Government
China-aligned TA416 (overlapping with DarkPeony and RedDelta) has resumed targeting European government and diplomatic organizations since mid-2025, after two years of reduced regional activity. Campaigns deploy PlugX and abuse the OAuth Device Authorization Grant flow for account hijacking. Device code phishing attacks have surged 37x this year as attack kits proliferate. Tactics include sophisticated social engineering and credential harvesting.
Recommended Action
- Implement conditional access policies restricting device code OAuth flows to known/trusted applications
- Enable MFA requirements for all OAuth token requests
- Conduct phishing simulation exercises targeting government staff with PlugX-themed lures
- Monitor for unusual device code authorization grant attempts in authentication logs
- Brief diplomatic and government personnel on OAuth phishing risks
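As an added example of the log monitoring recommended above (not code from the brief), this script baselines each user's interactive sign-in IPs and flags successful device-code grants that come from an unseen IP or from an app outside a tenant allowlist. The records are constructed and only loosely modelled on the Entra ID sign-in log schema, where authenticationProtocol == "deviceCode" marks a device code flow; the allowlist is a hypothetical tenant policy.

```python
"""Flag suspicious OAuth device-code sign-ins in Entra ID-style sign-in logs."""
from collections import defaultdict

# Constructed sample records, loosely modelled on the Entra ID sign-in log
# schema, where authenticationProtocol == "deviceCode" marks a device code flow.
SAMPLE_SIGNINS = [
    {"user": "alice@example.gov", "ip": "203.0.113.10", "protocol": "oAuth2",
     "app": "Outlook", "success": True},
    {"user": "alice@example.gov", "ip": "203.0.113.10", "protocol": "oAuth2",
     "app": "Teams", "success": True},
    # Device code grant for an approved CLI, but from an IP alice has never used.
    {"user": "alice@example.gov", "ip": "198.51.100.77", "protocol": "deviceCode",
     "app": "Microsoft Azure CLI", "success": True},
    # Device code grant from bob's usual IP for an approved app: expected.
    {"user": "bob@example.gov", "ip": "203.0.113.22", "protocol": "deviceCode",
     "app": "Microsoft Azure CLI", "success": True},
    {"user": "bob@example.gov", "ip": "203.0.113.22", "protocol": "oAuth2",
     "app": "Outlook", "success": True},
    # Device code grant for an unapproved app with no interactive sign-in history.
    {"user": "carol@example.gov", "ip": "203.0.113.31", "protocol": "deviceCode",
     "app": "Unknown Client", "success": True},
]

# Hypothetical tenant allowlist of apps that legitimately use the device code flow.
ALLOWED_DEVICE_CODE_APPS = {"Microsoft Azure CLI"}


def find_suspicious_device_code_signins(signins, allowed_apps=ALLOWED_DEVICE_CODE_APPS):
    """Return successful device-code sign-ins that break the allowlist or the IP baseline."""
    # Baseline: IPs each user has used for successful non-device-code sign-ins.
    known_ips = defaultdict(set)
    for s in signins:
        if s["protocol"] != "deviceCode" and s["success"]:
            known_ips[s["user"]].add(s["ip"])
    findings = []
    for s in signins:
        if s["protocol"] != "deviceCode" or not s["success"]:
            continue
        reasons = []
        if s["app"] not in allowed_apps:
            reasons.append("app not approved for device code flow")
        if s["ip"] not in known_ips[s["user"]]:
            reasons.append("source IP absent from user's interactive sign-in baseline")
        if reasons:
            findings.append({"user": s["user"], "ip": s["ip"], "app": s["app"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_device_code_signins(SAMPLE_SIGNINS):
        print(f"{f['user']} from {f['ip']} via {f['app']}: {'; '.join(f['reasons'])}")
```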
5. Cookie-Controlled PHP Web Shells and Persistent Linux Implants
Severity: High | Affected: Technology, Finance
Microsoft Defender Security Research found that threat actors are increasingly using HTTP cookies as the command-and-control channel for PHP-based web shells on Linux servers, achieving persistent remote code execution. Because the commands travel in cookies rather than URL parameters, the attacks bypass traditional URL parameter detection, and they use cron-based mechanisms for persistence. The technique represents evolving evasion against endpoint detection and response (EDR) solutions.
Recommended Action
- Audit PHP configurations to disable dangerous functions (eval, system, exec); note that disable_functions covers system, exec, shell_exec and passthru, while eval is a language construct and must be addressed through code review instead
- Implement HTTP request inspection examining cookie payloads for encoded commands
- Review cron job logs and scheduled tasks on Linux servers for unauthorized entries
- Deploy Web Application Firewalls (WAF) with PHP anomaly detection
- Conduct forensic analysis of web server access and PHP execution logs
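As an added example of the cookie inspection recommended above (not code from the brief or from Microsoft's research), the script below splits a Cookie header into name/value pairs, tries to base64-decode each value (standard and URL-safe alphabets), and matches the raw and decoded text against indicators of PHP execution functions and shell commands. The indicator list and the two sample headers are constructed for illustration.

```python
"""Inspect HTTP Cookie headers for encoded command payloads used as web shell C2."""
import base64
import binascii
import re

# Indicators of PHP execution functions or shell commands, matched case-insensitively.
INDICATORS = re.compile(
    r"(eval\s*\(|system\s*\(|shell_exec\s*\(|passthru\s*\(|exec\s*\(|"
    r"base64_decode\s*\(|/bin/(?:ba)?sh|crontab|\bwget\s|\bcurl\s)",
    re.IGNORECASE,
)


def try_base64(value):
    """Return decoded text if value is valid base64 (standard or URL-safe) of printable ASCII."""
    for cand in (value, value.replace("-", "+").replace("_", "/")):
        padded = cand + "=" * (-len(cand) % 4)  # tolerate stripped padding
        try:
            raw = base64.b64decode(padded, validate=True)
        except (binascii.Error, ValueError):
            continue
        if raw and all(32 <= b < 127 or b in (9, 10, 13) for b in raw):
            return raw.decode("ascii")
    return None


def scan_cookie_header(cookie_header):
    """Return one finding per cookie whose raw or base64-decoded value matches an indicator."""
    findings = []
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if not name:
            continue
        for encoding, text in (("raw", value), ("base64", try_base64(value))):
            if text is None:
                continue
            match = INDICATORS.search(text)
            if match:
                findings.append({"cookie": name, "encoding": encoding, "indicator": match.group(0)})
                break  # one finding per cookie is enough for triage
    return findings


# Constructed sample headers: a normal session and one carrying a base64-encoded command.
BENIGN_HEADER = "PHPSESSID=k3j4h5g6f7d8s9a0; theme=dark"
MALICIOUS_HEADER = "PHPSESSID=k3j4h5g6f7d8s9a0; cmd=" + base64.b64encode(b"system('id');").decode()

if __name__ == "__main__":
    for header in (BENIGN_HEADER, MALICIOUS_HEADER):
        print(header, "->", scan_cookie_header(header) or "clean")
```

Session identifiers that happen to be valid base64 rarely decode to printable ASCII, so the printable check keeps false positives low; tune the indicator list to the application before running this over live traffic.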
Today’s Action Checklist
- ☐ URGENT: Patch all FortiClient EMS instances with CVE-2026-35616 emergency update
- ☐ URGENT: Audit npm dependencies and remove malicious Strapi-related packages
- ☐ URGENT: Review database access logs for unauthorized Redis/PostgreSQL connections
- ☐ HIGH: Enforce MFA on all critical accounts and implement hardware security keys
- ☐ HIGH: Implement Software Composition Analysis (SCA) tooling
- ☐ HIGH: Restrict OAuth device code flows and enable conditional access policies
- ☐ HIGH: Audit PHP configurations and implement WAF rules for cookie-based command injection
- ☐ MEDIUM: Conduct supply chain risk assessment of all third-party software dependencies
- ☐ MEDIUM: Deploy Linux cron job monitoring and anomaly detection
- ☐ MEDIUM: Execute social engineering awareness training with government and finance staff