CyberNews: 31/03/2026 Edition

Published by Dunateo on 2026-03-31

Today’s roundup

  • Axios Supply Chain Attack Pushes Cross-Platform RAT via Compromised npm Account
  • OpenAI Patches ChatGPT Data Exfiltration Flaw and Codex GitHub Token Vulnerability
  • U.S. CISA adds a flaw in Citrix NetScaler to its Known Exploited Vulnerabilities catalog
  • It’s a mystery … alleged unpatched Telegram zero-day allows device takeover, but Telegram denies
  • China-Linked groups target Southeast Asian government with advanced malware in 2025
  • Qilin Ransomware allegedly breached chemical manufacturer giant Dow Inc
  • DeepLoad Malware Uses ClickFix and WMI Persistence to Steal Browser Credentials
  • New RoadK1ll WebSocket implant used to pivot on breached networks
  • Dutch Finance Ministry takes treasury banking portal offline after breach
  • Lloyds IT Glitch Exposed Data of Nearly 500,000 Banking Customers

Summary

    The popular HTTP client Axios has fallen victim to a supply chain attack. A malicious dependency, "plain-crypto-js", was injected into Axios npm package versions 1.14.1 and 0.30.4 after the primary Axios maintainer's npm credentials were compromised. The tainted releases distributed a cross-platform Remote Access Trojan (RAT).
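As an added, defender-side check that is not part of the original roundup: a small Python script that walks an npm package-lock.json (both the lockfileVersion 2/3 "packages" map and the v1 "dependencies" tree) and flags the two Axios versions and the rogue dependency named above. The lockfile contents and the plain-crypto-js version number are constructed for illustration.

```python
import json

# Indicators taken from the report above; everything else here is constructed.
COMPROMISED_AXIOS_VERSIONS = {"1.14.1", "0.30.4"}
ROGUE_DEPENDENCY = "plain-crypto-js"


def _iter_packages(lock: dict):
    """Yield (name, version) from a parsed lockfile, covering both the
    lockfileVersion 2/3 "packages" map and the v1 "dependencies" tree."""
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue  # "" is the root project itself, not a dependency
        yield path.rsplit("node_modules/", 1)[-1], meta.get("version", "")
    stack = [lock.get("dependencies", {})]
    while stack:
        for name, meta in stack.pop().items():
            yield name, meta.get("version", "")
            stack.append(meta.get("dependencies", {}))


def find_indicators(lock_json: str) -> list[str]:
    """Return sorted, de-duplicated findings; an empty list means nothing matched."""
    findings = set()
    for name, version in _iter_packages(json.loads(lock_json)):
        if name == "axios" and version in COMPROMISED_AXIOS_VERSIONS:
            findings.add(f"axios@{version} is a compromised release")
        if name == ROGUE_DEPENDENCY:
            findings.add(f"{ROGUE_DEPENDENCY}@{version} present (rogue dependency)")
    return sorted(findings)


# Constructed sample lockfile (lockfileVersion 3) pinning a compromised Axios build;
# the plain-crypto-js version number is a placeholder, not taken from the report.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"axios": "1.14.1"}},
        "node_modules/axios": {"version": "1.14.1",
                               "dependencies": {"plain-crypto-js": "*"}},
        "node_modules/plain-crypto-js": {"version": "1.0.0"},
        "node_modules/follow-redirects": {"version": "1.15.6"},
    },
})

if __name__ == "__main__":
    for line in find_indicators(SAMPLE_LOCK) or ["no indicators found"]:
        print(line)
```

Point it at a real lockfile with `find_indicators(open("package-lock.json").read())`; a clean lockfile returns an empty list.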

    OpenAI has patched a critical vulnerability in ChatGPT that permitted sensitive conversation data exfiltration without user consent. Discovered by Check Point, the flaw allowed a malicious prompt to create a covert channel, leaking user messages and uploaded files.

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical memory overread vulnerability, CVE-2026-3055 (CVSS 9.3), affecting Citrix NetScaler ADC and Gateway appliances configured as SAML Identity Providers, to its Known Exploited Vulnerabilities (KEV) catalog. Federal agencies are mandated to patch this flaw by April 2, 2026. Citrix also released updates for a race condition, CVE-2026-4368.

    A critical zero-click vulnerability, ZDI-CAN-30207 (CVSS 9.8), was disclosed for Telegram on Android and Linux, potentially enabling remote code execution via a malicious animated sticker. However, Telegram formally denies the flaw's existence, asserting server-side validation prevents such exploits.

    Three China-linked threat clusters, Mustang Panda, Earth Estries, and Unfading Sea Haze, conducted extensive cyberespionage against a Southeast Asian government in 2025. The sophisticated campaign deployed a range of malware families, including HIUPAN, PUBLOAD, CoolClient, EggStremeFuel, MASOL RAT, and FluffyGh0st, to maintain persistent access and exfiltrate data.

    The Qilin ransomware group has claimed a breach of Dow Inc., a major global chemical manufacturing company. Dow Inc. has been listed on the group's Tor data leak site, though specific proof of the hack or data exfiltration has not yet been publicly released.

    A novel malware loader named DeepLoad is being distributed via ClickFix social engineering tactics. This AI-assisted malware employs obfuscation and WMI persistence to steal browser credentials, demonstrating advanced evasion techniques against static scanning.

    Security researchers have identified a new malicious implant, dubbed RoadK1ll, which utilizes WebSockets. This implant allows threat actors to move laterally and quietly pivot from an initial compromised host to other systems within a breached network.

    The Dutch Ministry of Finance has proactively taken several internal systems offline, including its digital portal for treasury banking, to facilitate an investigation into a detected cyberattack. The incident was identified two weeks prior to the systems being disconnected.

    An IT glitch affecting the Lloyds banking app resulted in the exposure of transactional details and personal data belonging to up to 447,936 customers. The exposure occurred during a system update.

    Cyber Groups

    Mustang Panda (aka TA416, RedDelta, BRONZE PRESIDENT)

    Malware Families

    Global (aka GLOBAL GROUP)
    PUBLOAD (aka ClaimLoader)