This pack covers three dominant attack patterns active as of 2026-04-12: a critical zero-day in Adobe Acrobat Reader (CVE-2026-34621, CVSS 9.6) actively exploited since December 2025 via malicious PDF delivery; a supply-chain and watering-hole campaign delivering STX RAT through trojanized hardware utility downloads from cpuid.com; and two critical SSRF vulnerabilities in the axios npm library (CVE-2025-62718, CVE-2026-40175) enabling cloud metadata credential harvesting in Node.js environments. Immediate action is required on the Adobe zero-day patch (APSB26-43) and axios remediation for any cloud-hosted Node.js workloads. Two confirmed third-party data breaches (Rockstar Games via vendor compromise, youX fintech exposing 444,000 Australian borrowers) drive parallel vendor risk and notification obligations.
