Latest Cybersecurity Threats

Real-time threat intelligence from trusted sources

Bryan Fleming, the creator of the stalkerware application pcTattleTale, has been sentenced without prison time after pleading guilty to charges related to his software. Instead, he will face a fine and a period of supervised release. This case is notable as it represents one of the few successful prosecutions in the United States related to stalkerware, software designed to secretly monitor individuals without their consent. The implications of this case extend beyond Fleming, as it raises awareness about the legal ramifications for those who develop and distribute such invasive technologies. Users should be aware of the potential risks associated with stalkerware and the importance of privacy in the digital age.

Impact: pcTattleTale stalkerware application
Remediation: Users should uninstall the pcTattleTale application and consider using security tools that can detect and remove stalkerware.
Missile Alert Phishing Exploits Iran-US-Israel Conflict for Microsoft Logins

Hackread – Cybersecurity News, Data Breaches, AI and More

Actively Exploited

A new phishing scam is exploiting the ongoing conflict between Iran, the US, and Israel by sending out fake missile alerts to trick users into revealing their Microsoft login credentials. Attackers are using QR codes and counterfeit government emails to lure victims. This tactic is particularly concerning as it preys on the heightened anxiety surrounding geopolitical tensions, making users more susceptible to clicking on malicious links. The scam underscores the importance of vigilance regarding unsolicited communications, especially during times of crisis. Users are advised to verify the authenticity of any alerts before taking action, particularly those requesting sensitive information.

Impact: Microsoft accounts
Remediation: Users should be cautious with unsolicited emails and alerts, verify sources before clicking on links or scanning QR codes, and enable two-factor authentication on their accounts.

Researchers at Google DeepMind have identified six types of web-based attacks that can target autonomous AI agents. These attacks exploit malicious web content to manipulate AI behavior, potentially leading to harmful consequences. The study emphasizes how AI agents, which increasingly navigate the internet autonomously, can be misled by deceptive information, resulting in unexpected actions. This research highlights the need for stronger security measures to protect AI systems from manipulation. As AI continues to be integrated into various applications, understanding these vulnerabilities is crucial for developers and organizations relying on AI technology.

Impact: Autonomous AI agents
Remediation: Implement security measures to validate and filter web content accessed by AI agents.

A new threat group known as UAT-10608 is targeting Next.js applications that are exposed on the web. They are using an automated tool to steal sensitive information such as user credentials and system secrets. This attack can affect any organization using vulnerable Next.js apps, potentially leading to significant data breaches and unauthorized access to systems. It's crucial for companies to assess their web applications for vulnerabilities, especially those related to the React2Shell flaw, to prevent such automated credential harvesting campaigns. The ongoing exploitation of this vulnerability emphasizes the need for timely security updates and monitoring of web applications.

Impact: Next.js applications, React2Shell vulnerability
Remediation: Organizations should patch their Next.js applications against the React2Shell vulnerability and implement security best practices to protect against automated credential harvesting.

The article discusses the risks associated with MCP (Multi-Channel Protocol), emphasizing that the main issue isn't technical flaws but rather a lack of identity verification in AI systems. This absence of identifiable actions makes it difficult to trace back AI decisions, raising concerns about accountability and transparency. As AI systems become more integrated into various applications, the implications of untraceable actions could lead to significant security and ethical challenges. Users, developers, and organizations relying on AI need to address these identity issues to ensure responsible use and mitigate potential risks. Without proper identification mechanisms, the trustworthiness of AI systems could be severely compromised, affecting a wide range of industries.

Impact: MCP systems, AI applications
Remediation: Implement identity verification measures in AI systems

Recent research has identified several email-based threats that are evolving with the rise of AI and sophisticated attack methods. Key threats include OAuth consent attacks, where attackers exploit legitimate app permissions to gain unauthorized access to accounts. Lateral phishing is also on the rise, where compromised accounts are used to target other users within the same organization. Additionally, AI is being misused in payroll fraud schemes, tricking companies into making mistaken payments. These threats impact a wide range of organizations, as they rely heavily on email for communication and transactions. As these tactics become more common, businesses must remain vigilant and enhance their email security measures to protect against these evolving risks.

Impact: OAuth consent attacks, lateral phishing, AI payroll fraud
Remediation: Companies should implement multi-factor authentication, conduct regular security training for employees, and monitor for unusual email activity.

German authorities have identified two members of the REvil ransomware group, linking them to over 130 cyberattacks in the country. The suspects are Daniil Maksimovich Shchukin, a 31-year-old Russian national, and another unnamed individual. These attacks have targeted various sectors across Germany, causing significant disruptions and financial losses. The identification of these operators is a crucial step in combating ransomware, as it could lead to further investigations and arrests. This situation underscores the ongoing threat posed by ransomware groups and the importance of international cooperation in addressing cybercrime.

Impact: REvil ransomware attacks affecting various sectors in Germany
Remediation: N/A

Kaspersky has reported that SparkCat malware has resurfaced on app stores, specifically targeting cryptocurrency users in Asia. This malware has been found in applications available for both iOS and Android devices. Users downloading these apps may unknowingly expose their sensitive information, such as cryptocurrency wallet details, to attackers. This resurgence is particularly concerning given the increasing popularity of cryptocurrency among users, making them prime targets for cybercriminals. As the malware spreads, it underlines the need for users to be vigilant about the apps they download and the permissions they grant.

Impact: iOS and Android applications targeting cryptocurrency users
Remediation: Users should verify the legitimacy of apps before downloading, avoid apps from untrusted sources, and regularly update their devices with the latest security patches.

The OWASP GenAI Security Project has recently updated its guidelines in response to 21 identified risks associated with generative AI technologies. The organization recommends that companies adopt distinct but interconnected strategies to protect both generative AI and agentic AI systems. This update is significant as it provides a structured approach for organizations looking to enhance their security posture in the rapidly evolving landscape of AI technology. By recognizing these risks, OWASP aims to help businesses understand the vulnerabilities they may face and the steps they need to take to safeguard their systems. This is particularly relevant as more companies integrate AI into their operations, making it crucial to address these security challenges proactively.

Impact: Generative AI systems, Agentic AI systems
Remediation: Companies should develop separate but linked security strategies for generative and agentic AI systems.

In March 2026, a threat actor known as TeamPCP executed a supply chain attack that targeted developer workstations, turning them into credential vaults for attackers. These machines are crucial for developers, as they handle the creation and management of various credentials across services and tools. By infiltrating these systems, attackers gained access to sensitive information that could be reused across multiple platforms, increasing the risk of data breaches. This incident raises significant concerns for companies that rely on developer machines, highlighting the need for improved security measures to protect sensitive credentials. As attackers continue to exploit these valuable resources, organizations must reassess their security protocols to safeguard against similar threats in the future.

Impact: Developer workstations, credentials management systems
Remediation: Enhance security measures on developer workstations, implement stricter access controls, and educate developers on credential management best practices.

Hackers have targeted users of Guardarian by publishing 36 malicious NPM packages that masquerade as Strapi plugins. These deceptive packages are designed to execute shell commands, escape container environments, and steal user credentials. This attack poses a serious risk to developers and organizations using Strapi, as the malicious code could lead to significant data breaches or unauthorized access. Users of Strapi should exercise caution and verify the authenticity of any plugins they intend to use, as these packages can compromise their systems. This incident serves as a reminder of the ongoing risks associated with third-party software dependencies.

Impact: Strapi, NPM packages
Remediation: Users should verify the authenticity of NPM packages and avoid using unverified plugins. Regularly audit dependencies and monitor for any suspicious activity.

North Korean hackers, previously linked to the Axios supply chain attack, are now targeting prominent maintainers of Node.js in a social engineering campaign. These attackers are using deceptive tactics to compromise the accounts of these developers, potentially putting the security of the Node.js ecosystem at risk. This is concerning because Node.js is widely used in web development, and any breach could lead to widespread vulnerabilities in applications that rely on its libraries. Developers and organizations that utilize Node.js should be on high alert and take precautions to protect their accounts and code repositories. The ongoing targeting of developers reflects a broader trend of cybercriminals seeking to exploit trusted software maintainers to gain access to critical systems.

Impact: Node.js maintainers, potentially affecting the Node.js ecosystem and applications relying on it.
Remediation: Developers should enable two-factor authentication, regularly update their passwords, and be cautious of unsolicited communications.

Wireless networks in enterprises are becoming more complex, supporting a variety of devices and applications. However, this has led to a rise in security incidents, as highlighted by the 2026 Cisco State of Wireless report. Organizations are facing increased incident rates and higher costs, yet many are still investing heavily in wireless technology. Despite the growing risks, there seems to be a disconnect as IT professionals are not addressing these security challenges effectively. This situation raises concerns about the potential vulnerabilities within enterprise networks, making it crucial for organizations to reassess their security strategies.

Impact: Enterprise wireless networks, various devices and applications
Remediation: Organizations should reassess and enhance their wireless security strategies, invest in training for IT staff, and implement stronger security measures.

Fortinet has issued an emergency security update for a serious vulnerability found in its FortiClient Enterprise Management Server (EMS). This flaw is currently being exploited in the wild, posing a significant risk to organizations using the software. Users of FortiClient EMS should prioritize applying the patch released over the weekend to protect their systems from potential attacks. The vulnerability affects the management of client devices, which could allow unauthorized access or control if not addressed promptly. The urgency of this update highlights the ongoing challenges companies face in securing their environments against evolving threats.

Impact: FortiClient Enterprise Management Server (EMS)
Remediation: Fortinet has released an emergency patch to address this vulnerability. Users should apply the latest security update as soon as possible.

In a significant security breach, the decentralized exchange Drift reported that it lost $285 million due to an attack linked to North Korea's government. The breach occurred on April 1, 2026, following a six-month social engineering campaign that began in the fall of 2025. Attackers employed sophisticated tactics to manipulate individuals within the organization, ultimately leading to the theft of a large sum of money. This incident raises concerns about the vulnerabilities within decentralized finance platforms and highlights the potential for state-sponsored cybercriminal activities. Companies operating in the crypto space need to enhance their security measures and employee training to prevent such attacks in the future.

Impact: Drift decentralized exchange
Remediation: Companies should enhance security protocols and employee training against social engineering attacks.