Executive Summary
- China-linked TA416 resuming targeting of European governments with PlugX malware and OAuth phishing after two-year pause
- North Korean UNC1069 successfully compromised Axios npm package through targeted social engineering of maintainer, impacting JavaScript supply chain
- Device code phishing attacks surging 37x annually; OAuth 2.0 abuse becoming primary account compromise vector
- TeamPCP supply chain attacks confirmed by EU targeting European Commission with 300GB+ data theft via Trivy vulnerability
- TrueConf zero-day actively exploited by Chinese threat actors against Asian government targets for reconnaissance and code execution
Top Threats Today
1. TA416 European Government Campaign – PlugX & OAuth Phishing
Severity: CRITICAL | Affected: Government, Defense
China-aligned threat actor TA416 has renewed targeting of European government and diplomatic organizations following a two-year operational pause. The campaign pairs the PlugX remote access trojan with OAuth-based phishing to compromise credentials and establish persistent access. The focus on diplomatic infrastructure indicates geopolitical intelligence collection objectives. The actors exploit users' trust in legitimate authentication flows to bypass security controls.
Recommended Action
- Implement OAuth 2.0 device code flow monitoring and anomaly detection on authentication logs
- Deploy phishing awareness training emphasizing OAuth consent screens and suspicious authentication requests
- Conduct endpoint sweep for PlugX indicators of compromise using memory forensics and network traffic analysis
- Enable conditional access policies restricting authentication from atypical geographic locations and device types
2. UNC1069 Axios npm Supply Chain Compromise – Social Engineering
Severity: CRITICAL | Affected: Technology, Finance
North Korean threat actor UNC1069 ran a highly targeted social engineering campaign against Axios HTTP client maintainer Jason Saayman, using a fake Microsoft Teams error-fix lure. The attackers crafted tailored messaging to compromise the maintainer's account and inject malicious code into the npm package, reaching millions of downstream dependents. The supply chain compromise affects the JavaScript ecosystem across the finance, technology, and critical infrastructure sectors.
Recommended Action
- Immediately audit package.json and npm registry history for Axios version anomalies or unexpected updates
- Implement Software Composition Analysis (SCA) scanning to detect compromised Axios versions in development and production
- Enforce multi-factor authentication (MFA) and hardware security keys for all npm/GitHub maintainer accounts
- Establish package signing verification and dependency pinning policies for critical libraries
- Review npm access logs for unauthorized account activity in the February to April 2026 timeframe
3. Device Code Phishing Surge – 37x Annual Increase in OAuth Abuse
Severity: CRITICAL | Affected: Finance, Technology
Device code phishing attacks exploiting the OAuth 2.0 Device Authorization Grant flow have increased 37-fold year over year. Threat kits are now widely distributed, enabling attackers to phish users into approving device code exchanges that grant account access without triggering typical password-based compromise alerts. Because the grant completes through a legitimate OAuth consent flow, the attack pattern evades MFA-bypass detection and looks benign to security systems.
Recommended Action
- Deploy anomalous device code grant detection in OAuth provider logs and SIEM systems
- Mandate user notification and approval workflows for device code authorization requests in organizational tenants
- Block or require additional verification for device code flows from untrusted networks or non-corporate devices
- Educate end-users on recognizing device code phishing prompts distinct from standard login experiences
- Implement risk-based access policies requiring step-up authentication for sensitive device code grants
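The detection recommended above (and the device code flow monitoring recommended for the TA416 campaign) can start from a few simple per-user and per-source checks. The following is an added example, not from this briefing or any identity provider; the sign-in records and baseline are constructed, and the field names ("deviceCode" as the protocol value, country, IP) are assumptions rather than a vendor schema.

```python
"""Anomaly checks for OAuth device code grants in sign-in logs (added example).

The records and baseline below are constructed; the field layout is an
assumption, not an identity provider's export format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed per-user baseline: countries seen before and whether the user has
# ever completed a device code grant.
BASELINE = {
    "alice@example.gov": {"countries": {"BE"}, "device_code_seen": False},
    "bob@example.gov":   {"countries": {"BE", "FR"}, "device_code_seen": True},
    "carol@example.gov": {"countries": {"BE"}, "device_code_seen": False},
}

# Constructed sign-in events: (timestamp, user, protocol, source ip, country).
EVENTS = [
    ("2026-04-14T08:02:10", "bob@example.gov",   "deviceCode", "203.0.113.7",  "FR"),
    ("2026-04-14T09:15:42", "alice@example.gov", "deviceCode", "198.51.100.9", "NL"),
    ("2026-04-14T09:16:05", "carol@example.gov", "deviceCode", "198.51.100.9", "NL"),
    ("2026-04-14T09:40:00", "alice@example.gov", "password",   "192.0.2.10",   "BE"),
]

SHARED_IP_WINDOW = timedelta(minutes=30)  # assumed tuning value
SHARED_IP_MIN_USERS = 2                   # assumed tuning value

def find_device_code_anomalies(events, baseline):
    """Return (user, reason) findings for device code grants that (1) are the
    user's first, (2) come from outside the user's baseline countries, or
    (3) share a source IP with other users' grants inside a short window,
    which is typical of kit-driven phishing where one host relays codes."""
    findings = []
    grants_by_ip = defaultdict(list)
    for ts, user, protocol, ip, country in events:
        if protocol != "deviceCode":
            continue  # only the device authorization grant is of interest here
        profile = baseline.get(user, {"countries": set(), "device_code_seen": False})
        if not profile["device_code_seen"]:
            findings.append((user, "first device code grant for this user"))
        if country not in profile["countries"]:
            findings.append((user, f"device code grant from unusual country {country}"))
        grants_by_ip[ip].append((datetime.fromisoformat(ts), user))
    for ip, grants in grants_by_ip.items():
        grants.sort()
        for i, (t0, _) in enumerate(grants):
            users = {u for t, u in grants[i:] if t - t0 <= SHARED_IP_WINDOW}
            if len(users) >= SHARED_IP_MIN_USERS:
                for u in sorted(users):
                    findings.append((u, f"device code grants from {ip} shared by {len(users)} users"))
                break  # one finding per IP is enough to raise the alert
    return findings
```

In the constructed data, bob's grant matches his history and raises nothing, while alice and carol are each flagged three times: first device code use, an unseen country, and a source IP shared with another user.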
4. TrueConf Zero-Day – Asian Government Targeting
Severity: CRITICAL | Affected: Government, Defense
Chinese threat actors are actively exploiting a zero-day vulnerability in the TrueConf video conferencing platform against Asian government targets. The exploitation chain enables reconnaissance, privilege escalation, and arbitrary payload execution on victim endpoints. CISA issued an emergency directive requiring all U.S. federal agencies to patch within two weeks, indicating weaponization at scale.
Recommended Action
- URGENT: Apply TrueConf security patches immediately across all government and defense organization deployments
- Isolate TrueConf infrastructure from sensitive networks pending patch validation
- Hunt for indicators of compromise: suspicious TrueConf process execution, unexpected child processes, and lateral movement from conferencing infrastructure
- Review TrueConf server and application logs for exploitation attempts (CVE pending notification)
- Consider deploying application-level filtering on video conferencing traffic until patch compliance verified
5. TeamPCP European Commission Breach – 300GB+ Data Theft via Trivy Supply Chain
Severity: CRITICAL | Affected: Government
The EU cybersecurity agency confirmed that the TeamPCP hacking group orchestrated a massive European Commission data breach, stealing 300GB+ from an AWS environment, including personal information and sensitive government records. The attack leveraged a Trivy supply chain vulnerability to establish an initial foothold, after which the attackers exploited cloud misconfigurations to exfiltrate data at scale. The breach demonstrates persistent compromise of EU critical infrastructure.
Recommended Action
- Conduct forensic analysis of AWS CloudTrail logs from January 2026 onward to identify access patterns and exfiltration timeline
- Review and remediate AWS S3 bucket policies, IAM permissions, and security group rules for overprivileged configurations
- Scan entire AWS environment for Trivy scanner deployment and vulnerable container image scanning configurations
- Implement data loss prevention (DLP) rules on AWS S3 with alerting for large-scale bulk downloads
- Initiate breach notification process for affected individuals per GDPR and national data protection regulations
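The CloudTrail review and bulk-download alerting recommended above both reduce to the same sliding-window check over S3 data events. The following is an added example, not from this briefing or from AWS; the events are constructed, each tuple carries only the CloudTrail fields the check uses (eventTime, userIdentity.arn, sourceIPAddress, additionalEventData.bytesTransferredOut) for GetObject calls, and the thresholds are assumptions to tune per environment.

```python
"""Flag bulk S3 GetObject activity in CloudTrail data events (added example).

Events are constructed. Each tuple holds the CloudTrail fields used here:
eventTime, userIdentity.arn, sourceIPAddress and
additionalEventData.bytesTransferredOut, all for GetObject calls. Note that
GetObject only appears in CloudTrail when S3 data event logging is enabled.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)   # assumed sliding window
MAX_OBJECTS = 3               # assumed GetObject calls per principal per window
MAX_BYTES = 1 << 30           # assumed 1 GiB per principal per window

# Constructed events; 123456789012 is the documented AWS example account id.
EVENTS = [
    ("2026-04-14T02:00:05Z", "arn:aws:iam::123456789012:user/svc-report", "198.51.100.23", 50 * 2**20),
    ("2026-04-14T02:05:11Z", "arn:aws:iam::123456789012:user/svc-report", "198.51.100.23", 600 * 2**20),
    ("2026-04-14T02:09:40Z", "arn:aws:iam::123456789012:user/svc-report", "198.51.100.23", 700 * 2**20),
    ("2026-04-14T09:30:00Z", "arn:aws:iam::123456789012:role/ci-build", "192.0.2.44", 1 * 2**20),
    ("2026-04-14T10:30:00Z", "arn:aws:iam::123456789012:role/ci-build", "192.0.2.44", 1 * 2**20),
]

def parse_time(ts):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def find_bulk_downloads(events):
    """Return {principal_arn: (objects, bytes, source_ips)} for every principal
    whose GetObject activity exceeds either threshold within any sliding window.
    The first window that trips the threshold is reported, which also gives the
    start of the exfiltration timeline for forensic follow-up."""
    by_principal = defaultdict(list)
    for ts, arn, ip, nbytes in events:
        by_principal[arn].append((parse_time(ts), ip, nbytes))
    alerts = {}
    for arn, rows in by_principal.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > WINDOW:
                start += 1  # slide the window forward
            window = rows[start:end + 1]
            count = len(window)
            total = sum(b for _, _, b in window)
            if count >= MAX_OBJECTS or total >= MAX_BYTES:
                alerts[arn] = (count, total, sorted({ip for _, ip, _ in window}))
                break
    return alerts
```

With the constructed data, the service user reading three objects totalling 1350 MiB in ten minutes is flagged, while the build role's two small reads an hour apart are not.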
Today’s Action Checklist
- ☐ URGENT: Patch TrueConf video conferencing systems across government and critical infrastructure deployments
- ☐ URGENT: Audit npm package versions for Axios supply chain compromise and scan dependencies with SCA tools
- ☐ URGENT: Activate incident response team for potential OAuth device code phishing exposure in cloud tenants
- ☐ HIGH: Enable OAuth device code flow anomaly detection and user notification in Azure AD/Entra ID and Google Workspace
- ☐ HIGH: Review AWS CloudTrail logs for European Commission-class infrastructure for suspicious S3 access and data exfiltration
- ☐ HIGH: Implement PlugX IOC scanning on European government networks (file hashes, C2 domains from TA416 campaign)
- ☐ MEDIUM: Deploy conditional access policies restricting authentication from unusual geographic locations matching TA416 targeting
- ☐ MEDIUM: Enforce MFA and hardware security keys for all software maintainer and privileged cloud accounts