Executive Summary
The week of April 13, 2026 presents one of the most operationally demanding threat landscapes of the year, with simultaneous pressure across critical infrastructure, the software supply chain, cloud identity systems, and developer tooling. The SCC pipeline processed 62 intelligence items this week, tracking 6 critical CVEs, 4 CISA KEV additions with imminent remediation deadlines, and 18 active campaigns across nation-state and cybercriminal actors. The dominant theme is convergence: attackers are simultaneously targeting the tools organizations use to build software (Trivy, Axios), the cryptographic libraries embedded in billions of devices (wolfSSL), the OT systems that operate physical infrastructure (Rockwell PLCs, Iranian and Russian APTs), and the identity mechanisms protecting cloud environments (APT41, Forest Blizzard, VENOM PhaaS). The highest-urgency item is the Fortinet FortiClient EMS SQL injection (CVE-2026-21643), with a CISA KEV deadline of April 16, 2026 — three days from publication. Adobe Acrobat (CVE-2026-34621) carries a KEV deadline of April 27. The Axios/Trivy dual supply chain compromise (CVE-2026-33634, CVSS 9.5, EPSS 95.66th percentile) exposed hundreds of thousands of secrets across organizations including Cisco and the European Commission. The ShinyHunters Anodot breach demonstrated how third-party SaaS tokens create direct paths to Snowflake, S3, and Kinesis environments. Critical infrastructure operators face immediate action requirements: Iranian-affiliated actors are actively exploiting internet-exposed Rockwell PLCs (CISA AA26-097A), and Russian GRU’s Forest Blizzard is conducting DNS hijacking against SOHO routers to harvest Microsoft 365 OAuth tokens at scale.
Critical Action Items
- Patch Fortinet FortiClient EMS (CVE-2026-21643) — CISA KEV deadline April 16, 2026
  Affected: FortiClient EMS version 7.4.4 and 7.x range (verify full scope at https://www.fortiguard.com/psirt). CVSS 9.8, EPSS 94.26th percentile. Active exploitation confirmed. Restrict internet access to the EMS management interface immediately; apply official Fortinet patch upon release. Monitor Windows Event ID 4688 for unexpected child processes spawned by EMS service accounts.
- Patch Adobe Acrobat and Reader (CVE-2026-34621) — CISA KEV deadline April 27, 2026
  Prototype pollution enabling arbitrary code execution. Apply Adobe Security Bulletin APSB26-43. Enable Protected View mode as interim mitigation. Monitor for cmd.exe or PowerShell spawned by AcroRd32.exe or Acrobat.exe.
- Audit and isolate internet-exposed Rockwell PLCs — Active Iranian APT exploitation (CISA AA26-097A)
  Block inbound connections to EtherNet/IP (TCP/UDP 44818) and management ports from external IP space immediately. Rotate all PLC credentials and eliminate defaults. Verify no Dropbear SSH, CastleRAT, or ChainShell artifacts are present. Consult https://www.cisa.gov/news-events/cybersecurity-advisories/aa26-097a.
- Audit CI/CD pipelines for Trivy and Axios compromise exposure — CVE-2026-33634 (CVSS 9.5)
  Identify pipeline runs using Trivy or Axios during the March 2026 compromise window. Rotate all secrets, API keys, and cloud credentials accessible to those pipelines. Pin packages to verified clean versions; consult https://github.com/aquasecurity/trivy/security/advisories/GHSA-69fq-xp46-6x23 and https://nvd.nist.gov/vuln/detail/CVE-2026-33634.
- Upgrade wolfSSL to 5.9.1 — CVE-2026-5194 (CVSS 9.5, 5 billion devices affected)
  Inventory all firmware, embedded systems, IoT devices, and ICS gateways for wolfSSL or CyaSSL prior to 5.9.1. Apply upgrade or vendor firmware update. For devices where patching is delayed, enforce IMDSv2 on cloud-adjacent systems and network isolation for vulnerable OT components. Check https://nvd.nist.gov/vuln/detail/CVE-2026-5194.
- Revoke Anodot integration tokens across Snowflake, S3, and Kinesis — Active ShinyHunters campaign
  Audit all active Anodot tokens within 4 hours. Revoke at the cloud provider level. Query Snowflake ACCOUNT_USAGE.LOGIN_HISTORY and AWS CloudTrail for anomalous access. Re-provision with least-privilege scoping only after Anodot confirms remediation. See https://www.bleepingcomputer.com/news/security/stolen-rockstar-games-analytics-data-leaked-by-extortion-gang/.
- Isolate and audit SOHO router DNS settings — Forest Blizzard (APT28) and GRU active operations
  Compare current DNS resolver IPs on all SOHO and remote worker routers against approved baselines. Any unrecognized DNS resolver IP is a high-priority compromise indicator. Reset router credentials, update firmware, and revoke Microsoft 365 OAuth tokens for accounts authenticated through potentially compromised routers. Revoke active sessions via Microsoft Graph (Revoke-MgUserSignInSession).
- Patch or isolate MajorDoMo (CVE-2026-27175) — CISA KEV, CVSS 9.8, EPSS 96.19th percentile
  OS command injection via unauthenticated web endpoints. Restrict access to rc/index.php and cycle_execs.php immediately at perimeter or WAF. Check for web shell artifacts and unexpected cron entries. Monitor NVD at https://nvd.nist.gov/vuln/detail/CVE-2026-27175 for confirmed patch.
Key Security Stories
Axios and Trivy Supply Chain Compromise Exposes Hundreds of Thousands of Secrets; Cisco Source Code Stolen
The most consequential supply chain event of the week involved simultaneous compromise of the Axios npm HTTP client and the Trivy open-source vulnerability scanner. The Axios compromise, tracked as CVE-2026-33634 (CVSS 9.5, EPSS 95.66th percentile), affected all versions distributed during a March 2026 window. Trivy was weaponized by threat actor TeamPCP (also tracked as UNC6780) who turned the DevSecOps scanner — a trusted element of CI/CD pipelines — into an initial access vector. The campaign resulted in confirmed exfiltration of Cisco source code and downstream compromise of the European Commission’s internal cloud infrastructure via an AWS API key harvested through a compromised Trivy execution environment.
The attack chain is particularly dangerous because security tools sit in privileged positions within build pipelines: they execute with broad read access to source code, secrets stores, and cloud credentials, yet are rarely subject to the same integrity verification as production software. Additional confirmed victims or affected packages in the same wave include LiteLLM (PyPI), Telnyx Python SDK, Checkmarx GitHub Actions workflows, and the European Commission’s Europa hosting infrastructure. OpenAI’s ChatGPT Desktop, Codex, Codex CLI, and Atlas macOS applications were also affected, with a certificate revocation deadline set for May 8, 2026. Organizations that ran Trivy or imported Axios during March 2026 should treat all pipeline-accessible credentials as compromised and rotate immediately.
Detection requires a multi-layer approach: network monitoring for unexpected outbound connections from CI/CD runners, package integrity verification against registry checksums, and cloud audit log analysis for API activity from build-system service accounts. Consult the official Aqua Security advisory at https://github.com/aquasecurity/trivy/security/advisories/GHSA-69fq-xp46-6x23 for IOC hashes and C2 indicators. MITRE techniques: T1195.001, T1195.002, T1552.001, T1041, T1554.
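The "package integrity verification against registry checksums" layer above is mechanical enough to script. The following is an added example (not code from Aqua Security, the Axios project, or this report) that checks an npm tarball against the Subresource Integrity hash recorded in package-lock.json and audits lock entries that cannot be verified or that resolve outside the expected registry. The lock file, tarball bytes, and the trusted-registry host list are constructed for the demo; the version and URL are placeholders, not the compromised versions, which this report does not enumerate.

```python
"""Verify npm tarballs against the SRI hashes in package-lock.json and flag
lock entries that cannot be verified (added example; constructed data)."""
import base64
import hashlib
import hmac
from urllib.parse import urlparse

# Registry host the lock file is expected to resolve from (assumption).
TRUSTED_REGISTRY_HOSTS = {"registry.npmjs.org"}


def sri_hash(data: bytes, algo: str = "sha512") -> str:
    """Return an SRI string ("<algo>-<base64 digest>") in the form npm records."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


# Constructed sample tarball content; the lock file's integrity value is
# computed from GOOD_TARBALL, mirroring what the registry would publish.
GOOD_TARBALL = b"constructed-tarball-bytes-for-demo"
TAMPERED_TARBALL = b"constructed-tarball-bytes-for-demo+injected-postinstall"

SAMPLE_LOCK = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "node_modules/axios": {
            "version": "0.0.0-placeholder",
            "resolved": "https://registry.npmjs.org/axios/-/axios-0.0.0-placeholder.tgz",
            "integrity": sri_hash(GOOD_TARBALL),
        },
        "node_modules/demo-util": {
            "version": "0.0.0-placeholder",
            "resolved": "https://mirror.example.internal/demo-util.tgz",
            # No integrity field: npm cannot verify this entry either.
        },
    },
}


def verify_tarball(lock: dict, pkg_path: str, tarball: bytes) -> str:
    """Compare a tarball's digest with the lock file's SRI value.

    Returns "OK", "MISMATCH", or "UNVERIFIABLE" (no integrity recorded or
    an unknown hash algorithm)."""
    entry = lock["packages"].get(pkg_path, {})
    expected = entry.get("integrity")
    if not expected:
        return "UNVERIFIABLE"
    algo, _, _ = expected.partition("-")
    if algo not in hashlib.algorithms_available:
        return "UNVERIFIABLE"
    actual = sri_hash(tarball, algo)
    # Constant-time comparison; a mismatch means the bytes on disk are not
    # the bytes the lock file was generated against.
    return "OK" if hmac.compare_digest(expected, actual) else "MISMATCH"


def audit_lock_entries(lock: dict) -> dict:
    """Report lock entries that lack an integrity hash or resolve outside the
    trusted registry; these are the entries pinning cannot protect."""
    findings = {}
    for path, entry in lock["packages"].items():
        problems = []
        if not entry.get("integrity"):
            problems.append("missing-integrity")
        host = urlparse(entry.get("resolved", "")).hostname or ""
        if host not in TRUSTED_REGISTRY_HOSTS:
            problems.append(f"untrusted-registry:{host or 'none'}")
        if problems:
            findings[path] = problems
    return findings


if __name__ == "__main__":
    print(verify_tarball(SAMPLE_LOCK, "node_modules/axios", GOOD_TARBALL))
    print(verify_tarball(SAMPLE_LOCK, "node_modules/axios", TAMPERED_TARBALL))
    print(audit_lock_entries(SAMPLE_LOCK))
```

In a real pipeline the tarball bytes come from the npm cache or a pre-install fetch, and the check runs before `npm ci` executes any lifecycle scripts; a lock entry without an integrity value, or one resolved from a host you do not control, should fail the build rather than be warned about.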
Interlock Ransomware Group Exploits Cisco FMC Zero-Day (CVE-2026-20131)
The Interlock ransomware group is actively exploiting a zero-day vulnerability in Cisco Firepower Management Center (FMC), tracked as CVE-2026-20131 (CVSS 9.1, EPSS 73.90th percentile). The vulnerability enables exploitation of public-facing FMC management interfaces, consistent with a command injection pattern (CWE-78). Interlock has demonstrated capability for rapid enterprise ransomware deployment following FMC compromise, using the security management platform as a pivot point to reach the broader network it manages. The campaign was jointly documented by eSentire and Amazon’s threat intelligence team.
The business impact is amplified because FMC instances control firewall policy across entire network segments. An attacker with FMC access can modify security policies to permit lateral movement, disable threat detection, or exfiltrate configuration data revealing the full network topology. Security teams should immediately restrict FMC management interface access to authorized management IP ranges, audit FMC logs for unauthorized configuration changes, and prepare for emergency patching once Cisco releases the advisory. Specific affected version ranges and patch identifiers require verification at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory.
Retrieve Interlock IOC sets (hashes, IPs, domains) from eSentire at https://www.esentire.com/security-advisories/cisco-vulnerability-cve-2026-20131-exploited-by-interlock and Amazon’s security blog before querying your SIEM. MITRE techniques: T1190, T1059, T1133, T1071.001, T1486.
APT41 Deploys Evasive Backdoor Targeting Cloud Credentials via Typosquatted C2
Chinese APT41 has deployed a sophisticated backdoor campaign targeting credentials across AWS, Google Cloud Platform, Microsoft Azure, and Alibaba Cloud. The campaign uses typosquatted domains with high visual similarity to canonical cloud service endpoints (character substitutions, added hyphens, TLD variations on amazonaws.com, googleapis.com, azure.com, and aliyuncs.com) for command-and-control infrastructure. The malware employs dynamic resolution (T1568) to avoid static blocklist detection and specifically targets the cloud instance metadata API (T1552.005) to harvest IAM role credentials from running compute instances.
The campaign demonstrates a mature, multi-cloud credential harvesting capability. After establishing access via stolen application tokens or metadata API credentials, APT41 uses legitimate cloud API calls to exfiltrate data from storage services, making detection dependent on behavioral baseline analysis rather than signature matching. The use of IMDSv1 exploitation as a technique underscores the importance of enforcing IMDSv2 on all EC2 instances as a baseline control independent of this specific campaign. Organizations in sectors historically targeted by APT41 — technology, healthcare, telecommunications, and government — should treat this as an active hunting priority.
No confirmed public IOCs (specific typosquatted domains, IPs, or malware hashes) were available from verified sources at publication. Detection relies on DNS resolver log analysis for queries matching cloud endpoint patterns with character anomalies, cloud audit log monitoring for metadata API calls from unexpected principals, and behavioral analysis of cloud IAM activity. MITRE techniques: T1078.004, T1552.005, T1528, T1530, T1583.001, T1568, T1556.
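The resolver-log check described above can be expressed as a small classifier over queried names. This is an added example, not code from the report or any vendor: it extracts query names from BIND-style log lines, reduces each to its registrable domain, and flags names that impersonate the four cloud endpoints listed above through TLD variation, hyphen insertion, confusable characters, or small edit distance, while never flagging exact matches. The log lines are constructed and the lookalike domains in them are invented for the demo, not observed indicators; the two-label registrable-domain rule and the confusable table are simplifications.

```python
"""Flag DNS queries for lookalikes of cloud service endpoints
(added example; constructed log lines, invented lookalike names)."""
import re

CLOUD_ENDPOINTS = ("amazonaws.com", "googleapis.com", "azure.com", "aliyuncs.com")

# Characters commonly swapped for visually similar ones; extend as needed.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

# BIND-style query log line (constructed format for the demo).
QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN")

SAMPLE_DNS_LOG = """\
12-Apr-2026 10:01:02.111 client 10.0.5.21#53122: query: ec2.amazonaws.com IN A
12-Apr-2026 10:01:03.222 client 10.0.5.21#53123: query: sts.amaz0naws.com IN A
12-Apr-2026 10:01:04.333 client 10.0.5.40#40001: query: storage.google-apis.com IN A
12-Apr-2026 10:01:05.444 client 10.0.5.40#40002: query: login.azure.co IN A
12-Apr-2026 10:01:06.555 client 10.0.5.77#40003: query: oss.aliyuncs.com IN A
12-Apr-2026 10:01:07.666 client 10.0.5.77#40004: query: updates.example.org IN A
"""


def normalize(label: str) -> str:
    """Collapse the tricks typosquats rely on: hyphens, digit/letter swaps,
    and two-character pairs that render like one letter."""
    label = label.lower().replace("-", "").translate(CONFUSABLES)
    return label.replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(qname: str) -> str:
    """Last two labels; adequate for the endpoints above (simplification:
    no public-suffix list, so multi-label TLDs are not handled)."""
    parts = qname.rstrip(".").lower().split(".")
    return ".".join(parts[-2:])


def classify(domain: str):
    """Return (endpoint, reason) if the domain impersonates a cloud endpoint,
    else None. Exact matches are legitimate and never flagged."""
    if domain in CLOUD_ENDPOINTS:
        return None
    sld, _, tld = domain.rpartition(".")
    for endpoint in CLOUD_ENDPOINTS:
        e_sld, _, e_tld = endpoint.rpartition(".")
        if sld == e_sld and tld != e_tld:
            return endpoint, "tld-variation"
        if normalize(sld) == e_sld:
            return endpoint, "confusable-or-hyphen"
        if 0 < levenshtein(sld, e_sld) <= 2:
            return endpoint, "edit-distance"
    return None


def scan_dns_log(text: str) -> list:
    """Return one finding per query whose registrable domain is a lookalike."""
    findings = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        hit = classify(registrable(m["qname"]))
        if hit:
            findings.append({"client": m["client"], "qname": m["qname"],
                             "impersonates": hit[0], "reason": hit[1]})
    return findings


if __name__ == "__main__":
    for f in scan_dns_log(SAMPLE_DNS_LOG):
        print(f)
```

Run against resolver logs from the last 90 days, group findings by client, and treat any host that resolved a lookalike and then made an outbound connection to the answer as the hunting lead; a hit on a build server or an instance with an IAM role attached is the highest priority given the metadata-API focus of this campaign.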
Iranian-Affiliated Actors Actively Exploiting Rockwell PLCs in U.S. Critical Infrastructure (CISA AA26-097A)
CISA advisory AA26-097A confirms Iranian-affiliated actors are conducting active exploitation of internet-exposed Rockwell Automation and Allen-Bradley PLCs across U.S. water, energy, and government services sectors. The campaign deploys Dropbear SSH for persistent remote access, uses CastleRAT as a remote access trojan, and employs ChainShell — a blockchain-based C2 mechanism — to evade traditional network-layer detection. Approximately 4,000 U.S.-exposed industrial devices were identified via Censys research. Confirmed technique capabilities include unauthorized command messages (T0855), control manipulation (T0831), device restart/shutdown (T0816), and manipulation of HMI display views (T0832).
The potential for physical consequences from this campaign cannot be overstated. PLCs managing water treatment, power distribution, and wastewater systems that receive unauthorized command messages can cause real-world physical harm. The use of blockchain-based C2 is a deliberate evasion technique: outbound connections from OT assets to blockchain APIs are atypical enough that most OT network monitoring tools lack detection rules for this traffic pattern. The campaign exploits the persistent and well-documented problem of internet-exposed OT assets — Censys data indicates thousands of such devices remain accessible despite years of CISA guidance to the contrary.
Immediate action: audit all Rockwell Automation devices for internet exposure and remove it. Rotate all PLC credentials. Verify control logic integrity against known-good baselines. Detect Dropbear SSH presence (common paths: /usr/sbin/dropbear, /tmp/dropbear) and ChainShell indicators (unexpected HTTPS from OT assets to blockchain APIs). Consult https://www.cisa.gov/news-events/cybersecurity-advisories/aa26-097a. MITRE ICS techniques: T0855, T0831, T0816, T0832, T0883, T1133.
ShinyHunters Supply Chain Attack: Anodot Token Theft Enables Snowflake, S3, and Kinesis Compromise
ShinyHunters executed a supply chain attack through SaaS analytics platform Anodot, stealing integration tokens that provided direct access to downstream Snowflake data warehouses, Amazon S3 buckets, Amazon Kinesis streams, and Zendesk instances. Confirmed downstream victims include Rockstar Games (Grand Theft Auto Online and Red Dead Online analytics data confirmed compromised, with an extortion ultimatum issued). The attack demonstrates the “trusted relationship” exploitation pattern (T1199): attackers do not need to breach the target organization directly when a SaaS integrator holds persistent, high-privilege tokens with broad data access.
The systemic risk this attack exposes is the absence of monitoring and lifecycle governance over third-party SaaS integration tokens. Many organizations grant SaaS analytics platforms near-unlimited read access to data warehouses during initial integration and never reassess that access scope, enforce token expiry, or monitor the resulting API activity for anomalies. In this case, Anodot’s legitimate token grants provided direct API-level access equivalent to a database administrator credential — with no MFA requirement at the cloud provider layer because service-to-service authentication bypasses interactive MFA controls.
Organizations using Anodot should immediately revoke all active tokens at the Snowflake admin console and AWS IAM layer. Query Snowflake ACCOUNT_USAGE.LOGIN_HISTORY and AWS CloudTrail for anomalous access from Anodot-associated principals. Sources: https://www.bleepingcomputer.com/news/security/stolen-rockstar-games-analytics-data-leaked-by-extortion-gang/. MITRE techniques: T1528, T1199, T1530, T1567.002, T1552.001, T1078.004.
wolfSSL Cryptographic Bypass (CVE-2026-5194) Affects 5 Billion Devices
A critical cryptographic validation bypass in wolfSSL prior to version 5.9.1 (CVE-2026-5194, CVSS 9.5) enables certificate forgery attacks against an estimated 5 billion devices relying on the embedded TLS library. wolfSSL — formerly CyaSSL — is deployed across embedded systems, IoT devices, industrial control systems, routers, automotive systems, and aerospace and military equipment. The vulnerability maps to OWASP A02:2021 (Cryptographic Failures) and enables adversary-in-the-middle attacks (T1557) and installation of forged root certificates (T1553.004) against any TLS-protected communication handled by the affected library versions.
The challenge for defenders is the embedded nature of wolfSSL deployments. Unlike application-layer library updates, wolfSSL is frequently compiled into vendor firmware and cannot be updated independently of a full firmware release from the device manufacturer. This creates a long tail of vulnerable devices where the patch is technically available (wolfSSL 5.9.1 was released April 8, 2026) but practically inaccessible until downstream vendors release updated firmware. Organizations should immediately inventory all assets for wolfSSL/CyaSSL version strings, prioritize internet-facing devices, and track vendor firmware advisories for all affected hardware categories.
Detection is primarily inventory-based: search SBOMs, firmware images, and package managers for wolfSSL version strings below 5.9.1. Network-side detection is limited without specific IDS signatures. Check https://nvd.nist.gov/vuln/detail/CVE-2026-5194 for updated signatures. MITRE techniques: T1557, T1557.002, T1553.004, T1600, T1600.001.
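Because detection here is inventory-based, the useful tooling is a version scanner over the artifacts you already have. The following is an added example, not code from wolfSSL or this report: it pulls wolfSSL/CyaSSL components out of a CycloneDX JSON SBOM, carves version strings out of a raw firmware image, and flags anything below 5.9.1. The SBOM and firmware bytes are constructed, and the `wolfSSL <version>` byte pattern is an assumption about how the library's version string appears in a binary; adjust it to what your firmware actually contains.

```python
"""Inventory wolfSSL / CyaSSL versions from SBOMs and firmware strings and
flag anything older than 5.9.1 (added example; constructed inputs)."""
import json
import re

FIXED_VERSION = (5, 9, 1)
# CycloneDX component names treated as the library; CyaSSL is the old name.
LIBRARY_NAMES = {"wolfssl", "cyassl"}
# Assumed on-disk form of the version string inside a binary.
VERSION_RE = re.compile(rb"(?:wolfSSL|CyaSSL)[ _-]?v?(\d+)\.(\d+)\.(\d+)")

SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "wolfssl", "version": "5.8.2"},
        {"type": "library", "name": "wolfssl", "version": "5.9.1"},
        {"type": "library", "name": "cyassl", "version": "3.6.8"},
        {"type": "library", "name": "openssl", "version": "3.0.13"},
    ],
})
# Constructed firmware blob: ELF header bytes, padding, and three embedded
# version strings as a carving tool would see them.
SAMPLE_FIRMWARE = (b"\x7fELF" + b"\x00" * 16 + b"wolfSSL 5.7.0" + b"\x00" * 8
                   + b"CyaSSL 2.9.4\x00" + b"wolfSSL 5.9.1\x00")


def parse_version(s: str):
    """'5.8.2' or 'v5.8.2' -> (5, 8, 2); None when unparseable."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", s.lstrip("v"))
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable(version) -> bool:
    """Tuple comparison handles 5.10.x correctly, unlike string comparison."""
    return version is not None and version < FIXED_VERSION


def scan_sbom(sbom_json: str) -> list:
    """Return [(name, version, vulnerable?)] for every wolfSSL/CyaSSL
    component in a CycloneDX JSON SBOM."""
    sbom = json.loads(sbom_json)
    out = []
    for comp in sbom.get("components", []):
        if comp.get("name", "").lower() in LIBRARY_NAMES:
            ver = comp.get("version", "")
            out.append((comp["name"], ver, is_vulnerable(parse_version(ver))))
    return out


def scan_firmware(blob: bytes) -> list:
    """Return the distinct version strings found in a raw firmware image,
    each with its vulnerable flag, sorted for stable reporting."""
    found = {}
    for m in VERSION_RE.finditer(blob):
        ver = tuple(int(x) for x in m.groups())
        found[ver] = is_vulnerable(ver)
    return sorted((".".join(map(str, v)), flag) for v, flag in found.items())


if __name__ == "__main__":
    print(scan_sbom(SAMPLE_SBOM))
    print(scan_firmware(SAMPLE_FIRMWARE))
```

Point `scan_firmware` at unpacked firmware images (after extracting any compressed sections, which this example does not do) and `scan_sbom` at every SBOM your vendors supply; a device with no SBOM and no carvable version string is itself a finding, since you cannot prove it is not on the vulnerable side of the line.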
Storm-1175 Deploys Medusa Ransomware with Sub-24-Hour Exploitation Windows
Microsoft Threat Intelligence has published a report on Storm-1175, a threat actor serving as a delivery mechanism for Medusa ransomware with a documented time-to-exploitation of less than 24 hours from vulnerability disclosure. Storm-1175 targets organizations in healthcare, education, finance, and professional services by exploiting newly disclosed vulnerabilities in internet-facing systems before most organizations can complete their patch cycles. This pattern directly validates the Qualys TRU research finding that patch lag is structural rather than operational — monthly patch cycles are architecturally incapable of defending against sub-24-hour exploitation.
The behavioral detection chain for Storm-1175/Medusa follows a consistent MITRE pattern: T1190 (initial exploitation of public-facing application) → T1078 (valid account acquisition) → T1059 (scripting interpreter execution) → T1083 (file discovery) → T1486 (data encryption for impact), often with T1567 (exfiltration over web service) preceding encryption. Cross-reference with CISA Advisory AA25-071A (Medusa Ransomware, published March 2025; verify currency at cisa.gov) for known IOC sets. Organizations in the targeted sectors should verify emergency patch procedures exist and have been tested for critical internet-facing systems.
No confirmed Storm-1175-specific IOCs are available in current source data. Detection should cover the complete ATT&CK chain: spike in exploit-pattern web requests (T1190), anomalous service account creation (T1078), encoded PowerShell invocations (T1059), high-frequency file enumeration (T1083), and volume shadow copy deletion preceding encryption (T1486). MITRE techniques: T1190, T1078, T1059, T1083, T1486, T1567.
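With no actor-specific IOCs, the chain above is the detection. The following is an added example, not Microsoft's or this report's code, of a correlator that walks per-host events through the stages in order, derives the T1083 "burst" stage from raw file-enumeration counts, and alerts once three or more stages occur in sequence within a 24-hour window. Event records are constructed, and the field names, the 24-hour window, and the per-minute enumeration threshold are assumptions for the demo.

```python
"""Correlate host events into the Storm-1175/Medusa ATT&CK chain and alert
when several stages occur in order (added example; constructed events)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Chain order from the text; each stage names the event kind that evidences it.
CHAIN = [
    ("T1190", "web_exploit_pattern"),
    ("T1078", "service_account_created"),
    ("T1059", "encoded_powershell"),
    ("T1083", "file_enumeration_burst"),
    ("T1486", "shadow_copy_deleted"),
]
WINDOW = timedelta(hours=24)   # sub-24-hour tradecraft per the report (assumption)
ENUM_BURST_THRESHOLD = 50      # file-enumeration events per minute (assumption)
ALERT_STAGES = 3               # stages reached in order before alerting

SAMPLE_EVENTS = [
    # Full chain on one web server (constructed).
    {"ts": "2026-04-10T01:00:00", "host": "web-01", "kind": "web_exploit_pattern"},
    {"ts": "2026-04-10T01:20:00", "host": "web-01", "kind": "service_account_created"},
    {"ts": "2026-04-10T02:05:00", "host": "web-01", "kind": "encoded_powershell"},
    {"ts": "2026-04-10T03:00:00", "host": "web-01", "kind": "file_enumeration", "count": 120},
    {"ts": "2026-04-10T03:30:00", "host": "web-01", "kind": "shadow_copy_deleted"},
    # Admin host: one encoded PowerShell run and modest file activity, no alert.
    {"ts": "2026-04-10T09:00:00", "host": "admin-07", "kind": "encoded_powershell"},
    {"ts": "2026-04-10T09:10:00", "host": "admin-07", "kind": "file_enumeration", "count": 5},
    # Exploit attempt nine days before later stages: the window anchors on the
    # first stage seen, so the later events are not chained to it.
    {"ts": "2026-04-01T00:00:00", "host": "web-02", "kind": "web_exploit_pattern"},
    {"ts": "2026-04-09T12:00:00", "host": "web-02", "kind": "encoded_powershell"},
    {"ts": "2026-04-09T12:30:00", "host": "web-02", "kind": "shadow_copy_deleted"},
]


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def derive_bursts(events: list) -> list:
    """Turn raw file_enumeration events into file_enumeration_burst events
    when a host exceeds the per-minute threshold."""
    counts = defaultdict(int)
    for e in events:
        if e["kind"] == "file_enumeration":
            minute = parse_ts(e["ts"]).replace(second=0)
            counts[(e["host"], minute)] += e.get("count", 1)
    return [{"ts": m.strftime("%Y-%m-%dT%H:%M:%S"), "host": h, "kind": "file_enumeration_burst"}
            for (h, m), n in counts.items() if n >= ENUM_BURST_THRESHOLD]


def correlate(events: list) -> dict:
    """Return {host: [technique ids reached in chain order]} for hosts whose
    progression reaches ALERT_STAGES within WINDOW of the first stage."""
    events = sorted(events + derive_bursts(events), key=lambda e: e["ts"])
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    alerts = {}
    for host, evs in by_host.items():
        reached, last_ts, start = [], None, None
        for tid, kind in CHAIN:
            # Each stage must occur at or after the previous stage and within
            # WINDOW of the first stage; a missing stage is skipped, not fatal.
            for e in evs:
                ts = parse_ts(e["ts"])
                if (e["kind"] == kind and (last_ts is None or ts >= last_ts)
                        and (start is None or ts - start <= WINDOW)):
                    reached.append(tid)
                    last_ts = ts
                    start = start or ts
                    break
        if len(reached) >= ALERT_STAGES:
            alerts[host] = reached
    return alerts


if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
```

The event kinds map onto whatever your telemetry already emits (WAF exploit-signature hits, Windows 4720 for account creation, 4104 script block logging for encoded PowerShell, process creation for `vssadmin` shadow deletion); the value of the correlator is that none of those signals alerts on its own at a tolerable false-positive rate, while three of them in order on one host inside a day does.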
VENOM PhaaS Platform Bypasses MFA via AiTM and Device-Code Phishing Against C-Suite Accounts
A Phishing-as-a-Service platform designated VENOM is conducting targeted campaigns against C-suite executive accounts in Microsoft 365 environments, specifically designed to defeat standard MFA controls through adversary-in-the-middle (AiTM) proxy techniques and the OAuth 2.0 device authorization flow. The platform harvests OAuth tokens and session cookies that remain valid even after the initial MFA event, allowing attackers to establish persistent access using legitimate credentials without triggering MFA prompts on subsequent access. Post-compromise activity includes inbox rule creation for mail forwarding, SharePoint data exfiltration, and delegated OAuth application consent grants for long-term persistence.
This campaign highlights a critical gap in organizational MFA posture: standard TOTP (time-based one-time password) and push notification MFA do not protect against session token theft. Once an attacker intercepts a valid OAuth token via AiTM, the MFA event is already satisfied from the identity provider’s perspective. The only controls that prevent this attack class are phishing-resistant MFA (FIDO2 security keys, Windows Hello for Business) and session binding technologies like Microsoft’s Continuous Access Evaluation (CAE) or Device Bound Session Credentials (DBSC, now shipping in Chrome 146).
Immediate detection priorities: audit Entra ID sign-in logs for device-code grant type authentication events against executive accounts; review Unified Audit Log for inbox rule creation events correlated with anomalous sign-ins; revoke active OAuth tokens for suspected accounts via Microsoft Graph (Revoke-MgUserSignInSession). Disable OAuth device authorization flow for your tenant unless operationally required. MITRE techniques: T1557, T1111, T1621, T1539, T1528, T1550.001, T1556.006.
CPUID Trusted Utility Site Compromised: STX RAT Delivered via DLL Side-Loading
The legitimate hardware diagnostic website cpuid.com was weaponized for approximately 19 hours (April 9–10, 2026 UTC), with downloads of CPU-Z, HWMonitor, HWMonitor Pro, and PerfMonitor replaced by trojanized installers delivering the STX remote access trojan via DLL side-loading. This is a developer and IT tool compromise targeting the implicit trust users and organizations place in well-known utility sites — a supply chain attack against distribution rather than development. The attack exploits the absence of download integrity verification (CWE-494) on the consumer side: most users installing hardware diagnostic tools do not verify file hashes before execution.
Organizations should immediately check whether any systems downloaded cpuid.com utilities during the compromise window. Full IOC details (file hashes for trojanized installers, STX RAT DLL signatures, C2 domains and IPs) are published by Kaspersky Securelist at https://securelist.com/tr/cpu-z/119365/ — retrieve directly to avoid transcription errors. Detection focuses on DLL side-loading indicators: unexpected DLLs loaded by CPU-Z.exe, HWMonitor.exe, or PerfMonitor.exe processes; PowerShell child processes spawned by these executables; and network beaconing from hardware utility processes to external IP addresses.
Post-incident policy recommendation: establish a requirement for hash verification before execution of downloaded utilities, and distribute hardware diagnostic tools through an internal, hash-verified repository rather than direct vendor download. MITRE techniques: T1574.002, T1059.001, T1055, T1056, T1497, T1189, T1195.002.
Marimo Python Notebook RCE (CVE-2026-39987) Exploited Within 10 Hours of Disclosure
A critical remote code execution vulnerability (CVE-2026-39987, CVSS 9.8, EPSS 85.89th percentile) in Marimo, the open-source reactive Python notebook framework, was actively exploited within 10 hours of public disclosure. The vulnerability stems from missing authentication on notebook server endpoints (CWE-306) combined with code injection (CWE-94), enabling unauthenticated remote code execution against any Marimo instance accessible over a network. The 10-hour time-to-exploitation confirms the structural patch lag problem: organizations relying on weekly or monthly patch cycles cannot respond to this threat class.
Marimo and similar Python notebook environments (Jupyter, etc.) are frequently deployed by data science and engineering teams without formal change control, network isolation, or authentication enforcement. They represent a significant blind spot in enterprise security programs that focus on production applications but neglect developer tooling. Any Marimo instance bound to a public or shared network interface should be treated as compromised until patched. The fixed version is available at https://github.com/marimo-team/marimo/releases; verify against https://nvd.nist.gov/vuln/detail/CVE-2026-39987 before applying.
Detection: monitor for unauthenticated HTTP requests triggering cell execution; Python interpreter spawning unexpected child processes (shell, curl, wget) from the Marimo process parent; and outbound connections from Marimo host systems to external IPs. MITRE techniques: T1190, T1059.006.
Booking.com Breach Exposes Reservation PII, Enables Targeted Phishing
Booking.com has confirmed a data breach exposing customer reservation information including PII sufficient to enable highly targeted phishing campaigns. Travel platform breaches are particularly dangerous because reservation data provides attackers with authentic contextual details — booking confirmation numbers, travel dates, hotel names, and payment method metadata — that make phishing lures credible enough to defeat user skepticism. The threat actor, attribution unconfirmed, has not publicly released IOCs; security teams should implement behavioral detection rather than signature-based defenses.
For organizations with employees who use Booking.com for business travel: advise immediate password resets for accounts where corporate email addresses are registered. Monitor email security gateways for inbound messages referencing Booking.com reservation language combined with external links. Watch for lookalike sender domains (booking-confirmation[.]com, reservations-bookingcom[.]net patterns). If Booking.com is integrated via API into corporate travel management workflows, audit API access logs for anomalous query patterns and rotate any API tokens provisioned for Booking.com integrations. MITRE techniques: T1598, T1566.002, T1534, T1659, T1078.
Forest Blizzard (APT28/GRU) Turns Home Routers Into Microsoft 365 OAuth Token Harvesting Infrastructure
Russian GRU unit Forest Blizzard (APT28) is conducting a sophisticated campaign that compromises SOHO routers via DNS reconfiguration to create adversary-in-the-middle positions for harvesting Microsoft Outlook on the web and Microsoft 365 OAuth tokens. The campaign, active since at least August 2025, uses attacker-controlled DNS resolvers to redirect authentication traffic through Forest Blizzard’s proxy infrastructure, intercepting OAuth tokens without triggering MFA failures — because the user completes the MFA challenge against a proxy that forwards the flow to the legitimate service while retaining the resulting token. Post-compromise activity includes mail forwarding rules, OAuth app consent persistence, and long-term intelligence collection.
The home router attack vector is operationally significant because remote workers’ home network devices are outside enterprise MDM and security monitoring scope. A compromised router that processes an employee’s Microsoft 365 authentication is invisible to corporate SIEM, EDR, and email security platforms. Detection depends on cloud-side anomaly analysis: Entra ID sign-in events from unexpected ASNs, OAuth tokens used from IP addresses inconsistent with authenticated device history, and Unified Audit Log events for inbox rule creation correlated with anomalous sign-ins. MITRE techniques: T1557, T1584.008, T1584.002, T1539, T1556, T1078, T1071.004.
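The cloud-side detections named here and in the VENOM section above (device-code grants against executive accounts, sign-ins from unexpected networks, and inbox rule creation correlated with those sign-ins) share one correlation logic, so one added example serves both. This is not Microsoft's code or this report's: it flags sign-in records that used the device-code protocol or came from an ASN absent from the user's baseline, then pairs each `New-InboxRule` audit event with a suspicious sign-in by the same user inside a six-hour window. All records are constructed; the field names are modelled on the Microsoft Graph `signIn` resource and the Unified Audit Log export, the `authenticationProtocol` and `autonomousSystemNumber` properties are assumptions about the export in use, and the per-user ASN baselines and the six-hour window are demo values.

```python
"""Correlate identity-provider sign-ins with mailbox audit events to surface
AiTM / device-code token theft followed by inbox rule persistence
(added example; constructed records, assumed field names)."""
from datetime import datetime, timedelta

# Constructed per-user baseline of ASNs seen in normal sign-in history.
BASELINE_ASNS = {
    "exec.ceo@example.com": {3320, 8075},
    "analyst@example.com": {8075},
}
RULE_WINDOW = timedelta(hours=6)  # inbox rule shortly after a suspect sign-in (assumption)

SAMPLE_SIGNINS = [
    {"userPrincipalName": "exec.ceo@example.com", "createdDateTime": "2026-04-10T08:00:00Z",
     "ipAddress": "203.0.113.10", "autonomousSystemNumber": 3320, "authenticationProtocol": "oAuth2"},
    # Device-code grant from a network never seen for this user (constructed).
    {"userPrincipalName": "exec.ceo@example.com", "createdDateTime": "2026-04-10T13:15:00Z",
     "ipAddress": "198.51.100.7", "autonomousSystemNumber": 64500, "authenticationProtocol": "deviceCode"},
    {"userPrincipalName": "analyst@example.com", "createdDateTime": "2026-04-10T14:00:00Z",
     "ipAddress": "203.0.113.11", "autonomousSystemNumber": 8075, "authenticationProtocol": "oAuth2"},
]
SAMPLE_AUDIT = [
    {"CreationTime": "2026-04-10T13:40:00Z", "UserId": "exec.ceo@example.com", "Operation": "New-InboxRule",
     "Parameters": [{"Name": "ForwardTo", "Value": "relay@mailbox-relay.example"}]},
    # Benign rule by a user with no suspicious sign-in: must not be paired.
    {"CreationTime": "2026-04-10T15:00:00Z", "UserId": "analyst@example.com", "Operation": "New-InboxRule"},
    {"CreationTime": "2026-04-09T10:00:00Z", "UserId": "exec.ceo@example.com", "Operation": "Set-Mailbox"},
]


def ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def suspicious_signins(signins: list) -> list:
    """Flag device-code authentications and sign-ins from ASNs absent from the
    user's baseline; returns [(user, time, reasons)]."""
    out = []
    for s in signins:
        reasons = []
        if s.get("authenticationProtocol") == "deviceCode":
            reasons.append("device-code-grant")
        asn = s.get("autonomousSystemNumber")
        if asn is not None and asn not in BASELINE_ASNS.get(s["userPrincipalName"], set()):
            reasons.append(f"unexpected-asn:{asn}")
        if reasons:
            out.append((s["userPrincipalName"], ts(s["createdDateTime"]), reasons))
    return out


def correlate_inbox_rules(signins: list, audit_events: list) -> list:
    """Pair each New-InboxRule event with a suspicious sign-in by the same user
    inside RULE_WINDOW; these pairs are the persistence step and warrant
    immediate session revocation."""
    suspects = suspicious_signins(signins)
    hits = []
    for ev in audit_events:
        if ev.get("Operation") != "New-InboxRule":
            continue
        when = ts(ev["CreationTime"])
        for user, t, reasons in suspects:
            if user == ev["UserId"] and timedelta(0) <= when - t <= RULE_WINDOW:
                hits.append({"user": user, "signin": t.isoformat(),
                             "rule_created": when.isoformat(), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for h in correlate_inbox_rules(SAMPLE_SIGNINS, SAMPLE_AUDIT):
        print(h)
```

A hit from this correlation is the point at which to revoke sessions for the account (Revoke-MgUserSignInSession, as noted above) and review consented OAuth applications, since the token the attacker holds remains valid until revoked regardless of any password change. Replace the static ASN baseline with one derived from each user's last 30 to 90 days of sign-ins before running this at scale.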
GPUBreach: Rowhammer-Style GDDR6 Attack Enables Host Privilege Escalation
Security researchers have demonstrated GPUBreach, a Rowhammer-style attack against GDDR6 GPU memory that chains memory bit-flip corruption to achieve host privilege escalation from within a GPU workload. The attack is relevant to shared GPU infrastructure, multi-tenant AI training environments, and cloud GPU instances — environments where untrusted or external workloads execute on shared GPU hardware alongside privileged processes. Affected hardware includes NVIDIA RTX A6000 (GDDR6) and other NVIDIA GPUs without ECC memory, with exposure confirmed on Google Cloud, AWS, and Microsoft Azure GPU instance types.
No patch or CVE assignment was available at publication time; full technical disclosure is expected April 13, 2026. IOMMU is not an effective compensating control for this attack path. Organizations running multi-tenant GPU infrastructure or shared AI training clusters should assess whether their isolation model treats GPU memory as a trust boundary and update threat models accordingly. Monitor NVIDIA’s product security page for advisory releases. MITRE techniques: T1068, T1611, T1055, T1548.
OT/ICS Post-Quantum Cryptography Gap: Harvest-Now-Decrypt-Later Exposure in Critical Infrastructure
A systemic governance finding this week highlights that most OT/ICS environments lack a cryptographic asset inventory and have no documented post-quantum cryptographic (PQC) migration plan, despite operating RSA, ECC, and Diffie-Hellman encrypted communications that are vulnerable to future quantum decryption of currently harvested traffic. Nation-state actors with long-horizon intelligence requirements are actively conducting “harvest now, decrypt later” collection against industrial networks. The threat is not theoretical: MITRE ATT&CK techniques T1040 (Network Sniffing) and T1557 (Adversary-in-the-Middle) are actively used by documented threat actors against OT environments.
Organizations should initiate a formal PQC readiness assessment aligned to NIST IR 8413 and track CISA for OT-specific migration framework releases. Immediate priority is inventory: document all encrypted OT communications channels (historian connections, engineering workstation-to-controller links, remote access tunnels) and identify which rely on quantum-vulnerable key exchange algorithms. Enforce strict egress filtering on OT network zones as a near-term mitigation. Consult CISA ICS security guidance at https://www.cisa.gov/topics/industrial-control-systems. NIST controls: SC-13, SC-8, SC-17.
CISA KEV & Critical CVE Table
| CVE | Product | CVSS | EPSS %ile | Status | KEV Deadline | Description |
|---|---|---|---|---|---|---|
| CVE-2026-21643 | Fortinet FortiClient EMS 7.4.4+ | 9.8 | 94.26 | CISA KEV / Active Exploitation | April 16, 2026 | Critical SQL injection in FortiClient EMS; unauthenticated RCE via internet-exposed management interface (CWE-89) |
| CVE-2026-34621 | Adobe Acrobat and Reader | 8.8 | 11.37 | CISA KEV / Active Exploitation | April 27, 2026 | Prototype pollution enabling arbitrary code execution; client-side exploitation via malicious PDF (CWE-1321) |
| CVE-2026-27175 | MajorDoMo (Major Domestic Module) | 9.8 | 96.19 | CISA KEV / Active Exploitation | Not yet specified | OS command injection via unauthenticated rc/index.php and cycle_execs.php endpoints (CWE-78) |
| CVE-2026-33634 | Trivy (Aqua Security) / Axios (npm) | 9.5 | 95.66 | Active Exploitation / Supply Chain Compromise | Not listed (CISA KEV not yet confirmed) | Supply chain compromise of Trivy scanner and Axios HTTP client; credential exfiltration from CI/CD pipelines |
| CVE-2026-5194 | wolfSSL prior to 5.9.1 | 9.5 | 10.38 | Critical — Patch Available | Not listed | Cryptographic bypass enabling certificate forgery; affects ~5 billion embedded/IoT/ICS devices (CWE-295) |
| CVE-2026-20131 | Cisco Firepower Management Center | 9.1 | 73.90 | Zero-Day / Active Exploitation (Interlock) | Not listed | Exploitation by Interlock ransomware group; enables initial access via FMC management interface (CWE-78 pattern) |
| CVE-2026-39987 | Marimo Python Notebook | 9.8 | 85.89 | Active Exploitation — exploited within 10 hours | Not listed | Unauthenticated RCE via missing authentication on notebook server endpoints (CWE-306, CWE-94) |
| CVE-2026-40175 | axios (npm) — SSRF variant | 9.1 | 46.96 | Critical — Patch Available | Not listed | Header injection chain enabling SSRF to AWS instance metadata (169.254.169.254) for IAM credential theft (GHSA-fvcv-3m26-pcqx) |
Supply Chain & Developer Tool Threats
Trivy and Axios: Dual Compromise Wave
The week’s dominant supply chain story is the simultaneous compromise of Trivy (Aqua Security’s widely deployed container vulnerability scanner) and the Axios JavaScript HTTP client. TeamPCP (UNC6780) weaponized Trivy’s trusted position in CI/CD pipelines to harvest credentials from build environments. The Axios npm package was separately compromised during a March 2026 window, distributing versions that exfiltrated secrets from applications and development environments. Combined, the two tools affect a significant fraction of modern software development pipelines — Axios is among the most downloaded npm packages, and Trivy is the dominant open-source container scanner in DevSecOps environments.
Secondary affected packages in the same campaign wave: LiteLLM (PyPI), Telnyx Python SDK (PyPI), and Checkmarx GitHub Actions workflows. Downstream confirmed victims include Cisco (source code), the European Commission (42 internal clients, AWS API key compromise), and Rockstar Games (via the related Anodot/Snowflake vector). The OpenAI macOS application ecosystem was also affected, with a certificate revocation deadline of May 8, 2026 for ChatGPT Desktop, Codex, Codex CLI, and Atlas — applications that have not been updated to re-signed versions will cease to function after that date.
Key defensive actions: (1) verify package integrity against registry checksums and signed releases before use; (2) apply least-privilege scoping to all CI/CD pipeline credentials — scanners should not hold secrets beyond their operational need; (3) extend EDR and network monitoring to build systems, which are frequently excluded from standard coverage; (4) implement Sigstore/Cosign or equivalent signing verification for npm and container image pulls. Consult https://osv.dev/vulnerability/GHSA-69fq-xp46-6x23 for Trivy IOC hashes.
CPUID Utility Site: Trusted Distribution Channel Weaponized
The 19-hour compromise of cpuid.com replaced legitimate downloads of CPU-Z, HWMonitor, HWMonitor Pro, and PerfMonitor with trojanized versions delivering the STX RAT via DLL side-loading. This attack targets the trust users implicitly assign to well-known hardware diagnostic sites. Unlike package manager supply chain attacks, this compromise targeted the distribution layer of standalone installer downloads — a vector that bypasses SCA tools that scan package manifests but do not verify the integrity of direct downloads.
Retrieve full IOC tables (file hashes, C2 domains and IPs) from https://securelist.com/tr/cpu-z/119365/. Organizations should check DNS and proxy logs for cpuid.com connections during April 9–10, 2026 UTC, and audit endpoint telemetry for DLL loads from non-standard paths by CPU-Z.exe and related processes. The recommended systemic control is distributing all utility software through an internal, hash-verified repository.
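The endpoint telemetry check described above, as an added example for this report (not Kaspersky's or CPUID's code): it walks Sysmon Event ID 7 (Image loaded) records reduced to the Image and ImageLoaded fields and flags any DLL that CPU-Z.exe, HWMonitor.exe, HWMonitor_x64.exe or PerfMonitor.exe loads from %APPDATA%, %TEMP% or %LOCALAPPDATA%. The event records are constructed samples; the process list and the path patterns are the ones the IOC table gives.

```python
"""Detect DLL side-loading by CPUID utilities from user-writable paths (T1574.002).

Added illustration for this report, not vendor code. Input is a list of Sysmon
Event ID 7 records reduced to the Image and ImageLoaded fields; the records
below are constructed samples.
"""
import ntpath
import re

WATCHED_IMAGES = {"cpu-z.exe", "hwmonitor.exe", "hwmonitor_x64.exe", "perfmonitor.exe"}

# User-writable roots named in the IOC table. A per-user %TEMP% resolves to
# <profile>\AppData\Local\Temp, so the %LOCALAPPDATA% pattern covers it too.
USER_WRITABLE = [
    re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\", re.I),  # %APPDATA%
    re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\", re.I),    # %LOCALAPPDATA%, %TEMP%
]


def is_user_writable(path: str) -> bool:
    """True when the path sits under one of the user-writable roots."""
    return any(rx.match(path) for rx in USER_WRITABLE)


def detect_sideload(events):
    """Return (process image, loaded DLL) pairs matching the side-loading pattern."""
    hits = []
    for ev in events:
        proc = ntpath.basename(ev.get("Image", "")).lower()
        dll = ev.get("ImageLoaded", "")
        if proc in WATCHED_IMAGES and dll.lower().endswith(".dll") and is_user_writable(dll):
            hits.append((ev["Image"], dll))
    return hits


# Constructed Sysmon EID 7 samples: two side-load hits, three benign loads.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\CPUID\CPU-Z\CPU-Z.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"Image": r"C:\Program Files\CPUID\CPU-Z\CPU-Z.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\version.dll"},
    {"Image": r"C:\Users\alice\Downloads\HWMonitor.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\CPUID\dbghelp.dll"},
    {"Image": r"C:\Windows\System32\notepad.exe",  # not a watched process
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\version.dll"},
    {"Image": r"C:\Program Files\CPUID\PerfMonitor\PerfMonitor.exe",
     "ImageLoaded": r"C:\Program Files\CPUID\PerfMonitor\cpuidsdk64.dll"},
]

if __name__ == "__main__":
    for image, dll in detect_sideload(SAMPLE_EVENTS):
        print(f"ALERT T1574.002: {image} loaded {dll}")
```

Feed it the JSON export of Sysmon or EDR image-load events; the two hits in the sample are the Temp and Roaming loads, while the same DLL loaded by notepad.exe is ignored because only the CPUID binaries are in scope for this campaign.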
Smart Slider 3 Pro: WordPress/Joomla Plugin Update Channel Compromised
The auto-update channel for Smart Slider 3 Pro (v3.5.1.35) was compromised, delivering a multi-layer backdoor to an estimated 900,000+ WordPress and Joomla sites. The backdoor includes web shell deployment (T1505.003), local account creation (T1136.001), event-triggered execution via mu-plugins (T1546), and credential theft from wp-config.php (T1552). Sites that auto-updated during approximately April 7 through the vendor patch release should be treated as compromised. The vendor security advisory is available at https://smartslider.helpscoutdocs.com/article/2144-wordpress-security-advisory-smart-slider-3-pro-3-5-1-35-compromise.
Immediate actions: disable affected sites, audit wp-content/mu-plugins/ for unrecognized files, search WordPress user tables for accounts created after April 7, and restore from pre-April 7 backups where compromise cannot be ruled out. This incident highlights the risk of unrestricted plugin auto-update trust in content management platforms.
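The mu-plugins audit and the post-April 7 account search, as an added example for this report rather than Smart Slider's or WordPress's own tooling. It hashes every file under wp-content/mu-plugins/ against an allowlist of known-good SHA-256 values and filters wp_users rows by registration date; the site tree, allowlist and user rows are constructed in a temporary directory so the script runs offline.

```python
"""Audit wp-content/mu-plugins/ against a hash allowlist and list recent accounts.

Added example for this report (not vendor code). The allowlist, the sample
site tree and the wp_users rows are constructed.
"""
import hashlib
import os
import tempfile
from datetime import datetime


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_mu_plugins(mu_dir, allowlist):
    """Return relative paths under mu_dir whose SHA-256 is not the allowlisted one.

    Every file is reported, not only .php: WordPress autoloads each top-level
    .php file in mu-plugins, and droppers often stage helpers beside it.
    """
    findings = []
    for root, _dirs, files in os.walk(mu_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, mu_dir).replace(os.sep, "/")
            if allowlist.get(rel) != sha256_file(full):
                findings.append(rel)
    return sorted(findings)


def accounts_created_after(users, cutoff):
    """users: wp_users rows as dicts (user_login, user_registered 'YYYY-MM-DD HH:MM:SS').

    Equivalent query: SELECT user_login, user_registered FROM wp_users
                      WHERE user_registered >= '2026-04-07';
    """
    cut = datetime.strptime(cutoff, "%Y-%m-%d")
    return [u["user_login"] for u in users
            if datetime.strptime(u["user_registered"], "%Y-%m-%d %H:%M:%S") >= cut]


def build_sample_site():
    """Constructed site: one allowlisted loader and one unrecognised file."""
    base = tempfile.mkdtemp()
    mu = os.path.join(base, "wp-content", "mu-plugins")
    os.makedirs(mu)
    known = b"<?php\n// site-specific loader, allowlisted\n"
    with open(os.path.join(mu, "site-loader.php"), "wb") as f:
        f.write(known)
    with open(os.path.join(mu, "wp-cache-helper.php"), "wb") as f:  # constructed name
        f.write(b"<?php\n// not in the allowlist\n")
    return mu, {"site-loader.php": hashlib.sha256(known).hexdigest()}


def run_sample():
    mu, allowlist = build_sample_site()
    users = [  # constructed wp_users rows
        {"user_login": "admin", "user_registered": "2024-01-10 09:00:00"},
        {"user_login": "wp_support", "user_registered": "2026-04-08 03:12:44"},
    ]
    return audit_mu_plugins(mu, allowlist), accounts_created_after(users, "2026-04-07")


if __name__ == "__main__":
    unknown, new_users = run_sample()
    print("unrecognised mu-plugins:", unknown)
    print("accounts created after cut-off:", new_users)
```

Build the allowlist from a known-clean backup or a fresh install of the same plugin versions; anything the audit reports is a candidate for the backdoor's web shell or mu-plugins loader and warrants restoring the site from a pre-April 7 backup.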
AI-Powered Browser Extensions: Enterprise Blind Spot
Palo Alto Networks Unit 42 documented a Chrome extension exploitation technique (Gemini Live hijacking) demonstrating that AI productivity extensions can exfiltrate credentials, session cookies, and DOM content through channels that bypass standard perimeter controls. The underlying issue is structural: browser extensions operate inside the browser security context with broad permission to read page content, access the DOM, intercept network requests, and read stored credentials, yet most enterprise security programs have no visibility into extension behavior.
Key risks: T1539 (session cookie theft), T1555 (credentials from password stores), T1185 (browser session hijacking), and T1176 (persistent extension-based backdoor). Detection requires browser management platform telemetry (Chrome Browser Cloud Management, Microsoft Intune for Edge), proxy/egress monitoring for unusual API calls from browser processes, and an extension allowlist policy enforced via Group Policy. Consult Unit 42’s Gemini Live hijacking analysis at https://unit42.paloaltonetworks.com/gemini-live-in-chrome-hijacking/ for technical indicators.
Nation-State & APT Activity Summary
Russia — Forest Blizzard (APT28 / GRU)
Campaign: SOHO router DNS hijacking for Microsoft 365 OAuth token harvesting. Attribution: Microsoft Threat Intelligence, confirmed GRU Unit 26165. Active since: August 2025. Targeted sectors: Government, defense, think tanks, NGOs, remote worker environments. TTPs: T1584.008 (compromise network devices), T1584.002 (DNS server compromise), T1557 (AiTM), T1539 (steal session cookie), T1556 (modify authentication process), T1071.004 (DNS). Observable indicators: Unauthorized DNS resolver IPs on SOHO routers; OAuth token grants from unexpected ASNs without MFA claim in Entra ID logs; inbox forwarding rules created from anomalous sessions. No confirmed C2 IPs or domains released publicly. Recommended action: Audit SOHO router DNS settings immediately; revoke all M365 OAuth tokens for accounts authenticated through potentially compromised network segments; enforce FIDO2 MFA.
Russia — Forest Blizzard (APT28) — Secondary Credential Campaign
Campaign: SOHO router credential theft via DNS hijacking of general authentication traffic. TTPs: T1040 (network sniffing), T1557 (AiTM), T1078 (valid accounts), T1133 (external remote services), T1562.001 (disable/modify tools). This campaign overlaps mechanistically with the M365 OAuth campaign above but represents a broader credential harvesting operation not limited to Microsoft cloud services.
China — APT41
Campaign: Multi-cloud credential theft via evasive backdoor with typosquatted C2. Targeted environments: AWS, GCP, Azure, Alibaba Cloud. TTPs: T1078.004 (cloud accounts), T1552.005 (cloud instance metadata API), T1528 (steal application access token), T1568 (dynamic resolution), T1583.001 (typosquatted domains), T1530 (data from cloud storage). Sectors historically targeted by APT41: Technology, healthcare, telecommunications, financial services, government. Observable indicators: DNS queries with character substitutions on canonical cloud service domains; unexpected metadata API calls; cloud IAM anomalies. No confirmed IOCs from verified sources at publication. Recommended action: Enforce IMDSv2, review cloud IAM least-privilege, enable DNS monitoring for typosquatted cloud domain patterns.
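The "character substitutions on canonical cloud service domains" indicator above, as an added example for this report (not APT41 tooling or a vendor detection). It normalises the common look-alike substitutions (rn for m, vv for w, 0 for o, 1 for l) and computes edit distance against a short, illustrative list of canonical cloud API domains; the DNS query log is constructed, and the last-two-labels shortcut for the registrable domain is an assumption a production version would replace with the public suffix list.

```python
"""Flag DNS queries that imitate canonical cloud service domains (T1583.001).

Added example for this report, not vendor code. The canonical list is a short
illustration, not a complete inventory; the query names are constructed.
"""

CANONICAL = {"amazonaws.com", "googleapis.com", "microsoftonline.com", "aliyuncs.com"}
MAX_DISTANCE = 2


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(label: str) -> str:
    """Collapse look-alike substitutions; 'rn' first so it cannot be split by later steps."""
    return label.replace("rn", "m").replace("vv", "w").replace("0", "o").replace("1", "l")


def registrable(name: str) -> str:
    # Assumption: last two labels. Real code should consult the public suffix list.
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_query(name: str):
    """Return (queried name, imitated domain, reason), or None when benign."""
    reg = registrable(name)
    if reg in CANONICAL:
        return None
    if normalise(reg) in CANONICAL:
        return (name, normalise(reg), "homoglyph substitution")
    for canon in CANONICAL:
        d = levenshtein(reg, canon)
        if 0 < d <= MAX_DISTANCE:
            return (name, canon, f"edit distance {d}")
    return None


def scan(queries):
    return [hit for q in queries if (hit := check_query(q))]


SAMPLE_QUERIES = [  # constructed DNS query names
    "sts.amazonaws.com",
    "sts.amaz0naws.com",
    "storage.googleapis.com",
    "storage.googleapls.com",
    "login.rnicrosoftonline.com",
    "example.org",
]

if __name__ == "__main__":
    for name, canon, reason in scan(SAMPLE_QUERIES):
        print(f"ALERT: {name} imitates {canon} ({reason})")
```

Run it over resolver or DNS firewall logs from cloud workloads; exact matches on the canonical set are passed through first, so legitimate subdomains of the real providers never reach the distance check. Tune MAX_DISTANCE and the canonical list for your environment, since short domain names at distance 2 will generate noise.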
Iran — MuddyWater / IRGC-Affiliated Actors
Campaign 1 (CISA AA26-097A): Active exploitation of Rockwell Automation PLCs in U.S. water, energy, and government sectors. Confirmed tools: Dropbear SSH, CastleRAT, ChainShell, Tsundere botnet malware. TTPs: T0855, T0831, T0816, T0832, T1021.004, T1571, T1572, T1102, T1133. Physical consequence potential: direct manipulation of industrial control processes. Campaign 2: Broader Iranian APT activity against internet-exposed PLCs (FBI advisory context), using brute force (T1110) and default credential exploitation (CWE-1188) as initial access vectors. Recommended action: Emergency audit of all internet-exposed OT assets; consult https://www.cisa.gov/news-events/cybersecurity-advisories/aa26-097a.
North Korea — APT41 Overlap / UNC4736 (Labyrinth Chollima)
Campaign: Six-month social engineering operation against Drift Protocol resulting in $280M+ theft via compromised developer workstations. Vehicles: VSCode extensions, Cursor IDE, Apple TestFlight lures. TTPs: T1566.003 (spearphishing via service), T1195.001 (compromise software dependencies), T1547 (boot/logon autostart), T1562 (impair defenses), T1552 (unsecured credentials), T1657 (financial theft). Recommended action: Audit IDE extensions, enforce hardware security keys for DeFi governance signers, implement identity verification for external contributor access.
North Korea — Kimsuky and ScarCruft
Campaign: Targeting South Korean organizations via LNK-based phishing with GitHub and Dropbox as C2 channels. Tools: LucidRook, LucidKnight (Lua-based modular malware), PowerShell loaders, DLL side-loading via Microsoft Edge (msedge.exe). TTPs: T1566.001, T1102.002, T1574.002, T1059.001, T1053.005, T1071.003, T1480.001 (environmental keying — zh-TW locale targeting). Retrieve IOCs from FortiGuard Labs: https://fortinet.com/blog/threat-research/dprk-related-campaigns-with-lnk-and-github-c2 and Cisco Talos: https://blog.talosintelligence.com/new-lua-based-malware-lucidrook/.
Unattributed (China-Suspected) — FBI Surveillance System Breach
The FBI has classified a breach of an internal surveillance system as a “Major Incident” and notified Congress. China-linked hackers are suspected but attribution is not confirmed. No public IOCs have been released. Detection focus for organizations with federal system integrations: audit authentication logs for T1078 patterns, review cloud storage access logs for T1213/T1119 indicators, and monitor CISA advisories for IOC releases.
Phishing & Social Engineering Alert
VENOM PhaaS: QR-Code and Device-Code Flow Targeting C-Suite
Platform: VENOM Phishing-as-a-Service. Target: C-suite executives with Microsoft 365 accounts. Delivery: Spearphishing emails with embedded QR codes (bypassing URL-based email filtering); inbound messages with double Base64-encoded URLs that evade link scanners; spearphishing attachments impersonating legitimate Microsoft communications. Technique: Adversary-in-the-Middle proxy intercepting OAuth authentication flows; OAuth 2.0 device authorization grant flow abuse to harvest tokens without triggering MFA re-authentication on the victim’s device.
Post-compromise activity: Inbox rule creation for silent mail forwarding; OAuth application consent grants for persistent delegated access; SharePoint data collection. Evasion techniques: QR code delivery bypasses URL reputation scanning; device-code flow exploits the legitimate OAuth pattern where a device requests a user code and the user authenticates on a separate device — attackers impersonate the “device” role in this flow, causing the victim to authenticate and hand over the resulting token.
Detection: Entra ID sign-in logs filtering for device_code grant type events against executive accounts; Unified Audit Log monitoring for inbox rule creation correlated with anomalous sign-in events; QR code pattern detection in email security platforms. Recommended controls: Disable OAuth device authorization flow for your tenant unless required; deploy FIDO2 hardware keys for executive accounts; enable Continuous Access Evaluation (CAE). See the Action Checklist in the Critical Action Items section.
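The sign-in log detection above, together with the Forest Blizzard indicators in the APT section (token grants from unexpected ASNs without an MFA claim, inbox rules created from anomalous sessions), as an added example for this report. It is not Microsoft's code; the record field names (userPrincipalName, authenticationProtocol, authenticationRequirement, autonomousSystemNumber, createdDateTime) follow the Microsoft Graph signIn resource as typically exported to a SIEM and should be verified against your own export. The executive list, ASN baseline, sign-ins and Unified Audit Log rows are constructed.

```python
"""Triage Entra ID sign-ins for device-code and AiTM token theft indicators.

Added example for this report, not Microsoft's code. Field names are assumed
from the Graph signIn schema; all sample data is constructed.
"""
from datetime import datetime, timedelta

EXECUTIVE_ACCOUNTS = {"cfo@example.com", "ceo@example.com"}   # constructed
BASELINE_ASNS = {3356, 7922}                                  # constructed baseline
INBOX_RULE_OPS = {"New-InboxRule", "Set-InboxRule"}           # Exchange Online audit operations


def _ts(s):
    return datetime.fromisoformat(s)


def flag_signins(signins):
    """Return (upn, time, reason) for sign-ins matching either indicator."""
    flags = []
    for s in signins:
        upn = s["userPrincipalName"].lower()
        when = _ts(s["createdDateTime"])
        if s.get("authenticationProtocol") == "deviceCode" and upn in EXECUTIVE_ACCOUNTS:
            flags.append((upn, when, "device code grant on executive account (T1621)"))
        if (s.get("autonomousSystemNumber") not in BASELINE_ASNS
                and s.get("authenticationRequirement") != "multiFactorAuthentication"):
            flags.append((upn, when, "single-factor sign-in from unexpected ASN"))
    return flags


def correlate_inbox_rules(flags, audit_records, window_hours=24):
    """Escalate flagged users who create or modify an inbox rule within the window."""
    escalations = []
    window = timedelta(hours=window_hours)
    for rec in audit_records:
        if rec["Operation"] not in INBOX_RULE_OPS:
            continue
        upn, when = rec["UserId"].lower(), _ts(rec["CreationTime"])
        for f_upn, f_when, reason in flags:
            if f_upn == upn and timedelta(0) <= when - f_when <= window:
                escalations.append((upn, rec["Operation"], reason))
                break
    return escalations


SIGNINS = [  # constructed sign-in records
    {"userPrincipalName": "cfo@example.com", "createdDateTime": "2026-04-10T08:00:00+00:00",
     "authenticationProtocol": "deviceCode", "authenticationRequirement": "multiFactorAuthentication",
     "autonomousSystemNumber": 3356},
    {"userPrincipalName": "cfo@example.com", "createdDateTime": "2026-04-10T08:30:00+00:00",
     "authenticationProtocol": "authorizationCodeFlow", "authenticationRequirement": "singleFactorAuthentication",
     "autonomousSystemNumber": 64500},
    {"userPrincipalName": "analyst@example.com", "createdDateTime": "2026-04-10T09:00:00+00:00",
     "authenticationProtocol": "authorizationCodeFlow", "authenticationRequirement": "multiFactorAuthentication",
     "autonomousSystemNumber": 7922},
]

AUDIT = [  # constructed Unified Audit Log rows
    {"UserId": "cfo@example.com", "Operation": "New-InboxRule", "CreationTime": "2026-04-10T10:15:00+00:00"},
    {"UserId": "analyst@example.com", "Operation": "New-InboxRule", "CreationTime": "2026-04-10T11:00:00+00:00"},
]


def run_sample():
    flags = flag_signins(SIGNINS)
    return flags, correlate_inbox_rules(flags, AUDIT)


if __name__ == "__main__":
    flags, escalations = run_sample()
    for f in flags:
        print("FLAG", f)
    for e in escalations:
        print("ESCALATE", e)
```

The analyst's inbox rule is ignored because no anomalous sign-in preceded it; the CFO's rule follows both a device-code grant and a single-factor sign-in from an ASN outside the baseline, which is the post-compromise sequence both the VENOM and Forest Blizzard write-ups describe.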
AMOS macOS Infostealer: AppleScript URL Scheme Bypass
Platform: macOS (all versions; partial mitigation in macOS Tahoe 26.4 bypassed). Delivery: Browser-based phishing lures mimicking Apple-branded disk cleanup and storage optimizer utilities. Technique: Abusing the applescript:// URL scheme to launch macOS Script Editor pre-loaded with attacker-controlled AppleScript, bypassing ClickFix protections. The resulting script drops and executes an AMOS (Atomic macOS Stealer) payload targeting browser session cookies, macOS Keychain credentials, and cryptocurrency wallet extensions.
Target profile: macOS users with cryptocurrency wallets, high-value browser sessions, and browser-stored credentials. Detection: Script Editor (com.apple.ScriptEditor2) launched by a browser process is anomalous in all enterprise contexts; monitor for this parent-child relationship. Alert on osascript execution followed by outbound HTTPS to non-Apple infrastructure. Immediate mitigation: Deploy a LaunchServices Configuration Profile via MDM restricting the applescript:// URL scheme handler. MITRE techniques: T1059.002, T1539, T1555.001, T1555.003, T1566, T1204.001.
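The two behavioural checks above (Script Editor or osascript launched from a browser, and osascript followed by outbound HTTPS to non-Apple infrastructure), as an added example for this report and not Apple's or any EDR vendor's code. It runs over constructed process-start and network-connect events in the shape an EDR might export (pid, ppid, responsible_pid, bundle_id, path, time). Because an applescript:// URL is brokered by LaunchServices, the launched application's direct parent is frequently launchd rather than the browser, so the check walks the parent chain and, when the telemetry supplies it, the responsible-process id; the field names are assumptions.

```python
"""Flag Script Editor/osascript launched via a browser and non-Apple egress (T1059.002).

Added example for this report, not vendor code. Event field names are assumed;
all events are constructed.
"""
from datetime import datetime, timedelta

BROWSERS = {"com.apple.Safari", "com.google.Chrome", "org.mozilla.firefox", "com.microsoft.edgemac"}
SCRIPT_RUNNERS = {"com.apple.ScriptEditor2"}
APPLE_HOSTS = ("apple.com", "icloud.com")  # illustrative allowlist, extend as needed


def _is_script_runner(ev):
    return ev.get("bundle_id") in SCRIPT_RUNNERS or ev.get("path", "").endswith("/osascript")


def _is_browser(ev):
    return ev.get("bundle_id") in BROWSERS


def _apple_host(host):
    return any(host == h or host.endswith("." + h) for h in APPLE_HOSTS)


def browser_spawned_scripts(proc_events):
    """Return pids of script runners whose ancestor or responsible process is a browser."""
    by_pid = {ev["pid"]: ev for ev in proc_events}
    hits = []
    for ev in proc_events:
        if not _is_script_runner(ev):
            continue
        candidates = []
        parent = by_pid.get(ev.get("ppid"))
        while parent is not None and parent["pid"] > 1:   # stop at launchd
            candidates.append(parent)
            parent = by_pid.get(parent.get("ppid"))
        responsible = by_pid.get(ev.get("responsible_pid"))
        if responsible is not None:
            candidates.append(responsible)
        if any(_is_browser(c) for c in candidates):
            hits.append(ev["pid"])
    return hits


def osascript_non_apple_egress(proc_events, net_events, window_seconds=60):
    """Script runner followed by an HTTPS connection to a non-Apple host within the window."""
    started = {ev["pid"]: datetime.fromisoformat(ev["time"]) for ev in proc_events if _is_script_runner(ev)}
    hits = []
    for n in net_events:
        start = started.get(n["pid"])
        if start is None or n.get("port") != 443 or _apple_host(n["host"]):
            continue
        delta = datetime.fromisoformat(n["time"]) - start
        if timedelta(0) <= delta <= timedelta(seconds=window_seconds):
            hits.append((n["pid"], n["host"]))
    return hits


T0 = "2026-04-12T14:00:00+00:00"
PROCS = [  # constructed process-start events
    {"pid": 1, "ppid": 0, "path": "/sbin/launchd", "time": T0},
    {"pid": 300, "ppid": 1, "bundle_id": "com.apple.Safari", "time": T0},
    {"pid": 410, "ppid": 1, "responsible_pid": 300, "bundle_id": "com.apple.ScriptEditor2", "time": "2026-04-12T14:00:05+00:00"},
    {"pid": 411, "ppid": 410, "responsible_pid": 300, "path": "/usr/bin/osascript", "time": "2026-04-12T14:00:06+00:00"},
    {"pid": 500, "ppid": 1, "bundle_id": "com.apple.Terminal", "time": T0},
    {"pid": 501, "ppid": 500, "responsible_pid": 500, "path": "/usr/bin/osascript", "time": "2026-04-12T14:01:00+00:00"},
]
NETS = [  # constructed network-connect events
    {"pid": 411, "host": "cdn.example.net", "port": 443, "time": "2026-04-12T14:00:16+00:00"},
    {"pid": 501, "host": "gateway.icloud.com", "port": 443, "time": "2026-04-12T14:01:05+00:00"},
]

if __name__ == "__main__":
    print("browser-spawned script runners:", browser_spawned_scripts(PROCS))
    print("non-Apple egress:", osascript_non_apple_egress(PROCS, NETS))
```

The Terminal-launched osascript in the sample is the common admin case and is not flagged by either rule; the Safari-responsible Script Editor and its osascript child are, and the child's connection to a non-Apple host within 60 seconds is the second, stronger signal.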
Booking.com Breach-Enabled Phishing
Following the Booking.com data breach, security teams should anticipate targeted phishing campaigns leveraging authentic reservation details (confirmation numbers, travel dates, hotel information) to increase lure credibility. Common patterns in post-travel-platform-breach campaigns include: impersonation emails requesting payment card updates for existing reservations; PIN reset phishing pretexting security responses to the breach; and lookalike Booking.com login pages designed to harvest credentials for account takeover. Alert on inbound messages containing Booking.com branding paired with external links from non-booking.com sending domains. Monitor for newly registered domains containing “booking,” “reservation,” or “travel” variants via passive DNS feeds.
Rockstar/ShinyHunters Extortion Phishing Risk
The ShinyHunters Anodot campaign and Rockstar Games data breach create conditions for targeted extortion phishing. Threat actors in possession of authentic internal data (game analytics, reservation records) may craft highly credible lures referencing specific internal details to extract additional credentials or payments. Organizations in gaming, entertainment, and tech sectors should brief security awareness programs on extortion-pretexting patterns and enforce out-of-band verification for any communication requesting credential changes or financial actions.
Indicators of Compromise
| Campaign / Story | IOC Type | Value | Confidence | Context |
|---|---|---|---|---|
| Trivy/Axios Supply Chain (CVE-2026-33634) | URL (Advisory) | GHSA-69fq-xp46-6x23 (Aqua Security) | High | Primary source for IOC hashes, affected versions, C2 indicators — retrieve directly |
| Trivy/Axios Supply Chain (CVE-2026-33634) | URL (NVD) | https://nvd.nist.gov/vuln/detail/CVE-2026-33634 | High | Authoritative CVE record; cross-validate affected version ranges |
| Iranian PLC Campaign (CISA AA26-097A) | Tool | Dropbear SSH (paths: /usr/sbin/dropbear, /tmp/dropbear) | High | Lightweight SSH server deployed by threat actors on Rockwell PLCs for persistent remote access; anomalous on any OT device |
| Iranian PLC Campaign (CISA AA26-097A) | Tool | CastleRAT | High | Remote access trojan added to MuddyWater toolchain; used for persistent C2 on compromised hosts |
| Iranian PLC Campaign (CISA AA26-097A) | Tool | ChainShell | High | Blockchain-based C2 mechanism; outbound HTTPS from OT assets to blockchain APIs is a behavioral indicator |
| Iranian PLC Campaign (CISA AA26-097A) | URL (Advisory) | https://www.cisa.gov/news-events/cybersecurity-advisories/aa26-097a | High | Primary CISA advisory; consult for any released specific IOCs |
| CPUID STX RAT Campaign | URL (Research) | https://securelist.com/tr/cpu-z/119365/ | High | Kaspersky Securelist primary report; contains file hashes for trojanized installers and STX RAT DLLs, C2 domains and IPs — retrieve directly |
| CPUID STX RAT Campaign | Behavioral | cpuid.com downloads, April 9–10, 2026 UTC | High | All binaries downloaded from cpuid.com during this window should be treated as potentially malicious |
| CPUID STX RAT Campaign | Behavioral (DLL Side-Loading) | Unexpected DLL loads by CPU-Z.exe, HWMonitor.exe, HWMonitor_x64.exe, or PerfMonitor.exe from user-writable paths | High | T1574.002 — DLL sideloading indicator; any DLL loaded by these processes from %APPDATA%, %TEMP%, or %LOCALAPPDATA% is anomalous |
| Interlock / Cisco FMC (CVE-2026-20131) | URL (Advisory) | eSentire Interlock Advisory | Medium | Retrieve campaign-specific IOCs (hashes, IPs, domains) from this source before querying SIEM |
| Interlock / Cisco FMC (CVE-2026-20131) | URL (Advisory) | Amazon Security Blog — Interlock | Medium | Additional Interlock campaign IOCs from Amazon threat intelligence team |
| ShinyHunters / Anodot | URL (Reporting) | BleepingComputer — Rockstar/Anodot | High | Primary reporting on ShinyHunters Anodot campaign and downstream Snowflake/S3/Kinesis compromise |
| Forest Blizzard / SOHO Router DNS | Behavioral | Unauthorized DNS resolver IPs on SOHO routers (any IP outside provisioned baseline) | High | T1584.002 — DNS server compromise indicator; compare against approved resolver list |
| Forest Blizzard / M365 OAuth | Behavioral | Entra ID sign-in events with grant_type = device_code targeting executive accounts | High | T1621 — OAuth device code flow abuse; alert on this pattern against privileged accounts |
| Forest Blizzard / M365 OAuth | Behavioral | Unauthorized mail forwarding rules (Set-MailboxRule) created post-August 2025 | High | Post-compromise persistence; audit Unified Audit Log for this pattern |
| AMOS macOS / AppleScript Bypass | URL Scheme (Behavioral) | applescript:// (any browser-triggered invocation) | High | T1059.002 — AppleScript execution via URL scheme; Script Editor launched by browser process is anomalous in all enterprise contexts |
| Kimsuky / LucidRook | Domain (Behavioral) | smtp.gmail.com (outbound from non-mail processes) | Medium | T1071.003 — LucidKnight abuses Gmail SMTP/GMTP for C2; this is a legitimate Google domain being abused, not malicious infrastructure |
| Kimsuky / LucidRook | URL (Research) | Cisco Talos — LucidRook | High | Retrieve file hashes and C2 indicators from Talos primary report directly |
| Axios SSRF (CVE-2026-40175) | IP | 169.254.169.254 | High | AWS IMDSv1 instance metadata endpoint; outbound requests from application processes to this IP are a primary SSRF exploitation indicator |
| Axios SSRF (CVE-2026-40175) | URL (IMDS path) | http://169.254.169.254/latest/meta-data/iam/security-credentials/ | High | Specific IMDS path targeted to retrieve IAM role credentials via SSRF exploitation |
| Axios SSRF (CVE-2026-40175) | URL (IMDS path) | http://169.254.169.254/latest/dynamic/instance-identity/document | Medium | IMDS path for instance identity and region data; commonly retrieved alongside credentials |
| Smart Slider 3 Pro Backdoor | File Path (Behavioral) | wp-content/mu-plugins/ (unrecognized PHP files) | High | T1546 — event-triggered execution via WordPress mu-plugins autoload; any unrecognized file is a high-confidence compromise indicator |
| Marimo RCE (CVE-2026-39987) | URL (NVD) | https://nvd.nist.gov/vuln/detail/CVE-2026-39987 | High | Authoritative CVE record; check for confirmed affected versions and patch details |
| Marimo RCE (CVE-2026-39987) | URL (Patch) | https://github.com/marimo-team/marimo/releases | High | Official Marimo release page; source for confirmed patched version — validate before applying |
| MajorDoMo (CVE-2026-27175) | Behavioral | POST/GET to /rc/index.php with shell metacharacters ($(), `, ;, |, &&) in param field | High | T1190 — OS command injection trigger pattern; alert on requests with these characters to this endpoint |
Note: Specific IOC values for Interlock ransomware, APT41 typosquatted domains, Forest Blizzard C2 infrastructure, Trivy/Axios payload hashes, and CPUID STX RAT binaries were not available from verified public sources at publication time. Retrieve from the authoritative advisory URLs listed above before deploying detection rules. Presenting unverified values would be a fabrication.
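The MajorDoMo request pattern from the IOC table (shell metacharacters in the param field of /rc/index.php), as an added example for this report rather than MajorDoMo's code. It parses web-server access-log lines in combined format, pulls the param value from the query string, decodes it repeatedly so double URL-encoding does not hide the characters, and reports the metacharacters found. The log lines are constructed. Access logs carry only GET query strings, so POST bodies need a WAF or request log to apply the same check.

```python
"""Flag /rc/index.php requests whose param value carries shell metacharacters (T1190).

Added example for this report, not MajorDoMo's code. Log lines are constructed.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
METACHARS = ("$(", "`", ";", "|", "&&")   # the characters listed in the IOC table
TARGET_PATH = "/rc/index.php"


def fully_decode(value, limit=5):
    """Apply URL decoding until the value stops changing (bounded to avoid loops)."""
    for _ in range(limit):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_line(line):
    """Return a finding dict for a suspicious request to the target path, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if parts.path != TARGET_PATH:
        return None
    for raw in parse_qs(parts.query).get("param", []):
        value = fully_decode(raw)
        found = [c for c in METACHARS if c in value]
        if found:
            return {"src": m["src"], "ts": m["ts"], "param": value, "metachars": found}
    return None


def scan_log(lines):
    return [hit for line in lines if (hit := inspect_line(line))]


SAMPLE_LOG = [  # constructed combined-format access-log lines
    '203.0.113.10 - - [12/Apr/2026:10:01:02 +0000] "GET /rc/index.php?param=terminal_on HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [12/Apr/2026:10:01:09 +0000] "GET /rc/index.php?param=terminal_on%3Bid HTTP/1.1" 200 88 "-" "curl/8.0"',
    '198.51.100.7 - - [12/Apr/2026:10:02:00 +0000] "GET /rc/index.php?param=%24%28whoami%29 HTTP/1.1" 200 40 "-" "python-requests/2.31"',
    '198.51.100.7 - - [12/Apr/2026:10:02:30 +0000] "GET /index.php?param=a%3Bb HTTP/1.1" 404 0 "-" "curl/8.0"',
    '198.51.100.7 - - [12/Apr/2026:10:03:00 +0000] "GET /rc/index.php?param=x%2526%2526id HTTP/1.1" 200 40 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"ALERT {hit['src']} {hit['ts']} param={hit['param']!r} metachars={hit['metachars']}")
```

The fourth line hits a different endpoint and is ignored; the fifth shows why repeated decoding matters, since a single decode leaves `%26%26` and misses the `&&`.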
Helpful 5: High-Value Low-Effort Mitigations
1. Enforce IMDSv2 on All EC2 Instances — Block SSRF Credential Theft
Why this week: CVE-2026-40175 (Axios SSRF, CVSS 9.1) and APT41’s cloud credential harvesting campaign both exploit IMDSv1, which responds to any HTTP request to 169.254.169.254 without requiring a session token. Enforcing IMDSv2 requires a session-oriented token exchange, blocking credential theft even if an SSRF vulnerability exists in an application using the affected library.
How: (1) Open AWS Console → EC2 → Instances; (2) Select all instances; (3) Actions → Instance Settings → Modify Instance Metadata Options; (4) Set “IMDSv2” to “Required”; (5) Set “HTTP Put Response Hop Limit” to 1 (prevents forwarding beyond the instance); (6) For new instances, enforce via launch template or AWS Config rule aws-ec2-imdsv2-check. Terraform: add metadata_options { http_tokens = "required" } to aws_instance resources. Verify via AWS CLI: aws ec2 describe-instances --query "Reservations[*].Instances[*].MetadataOptions".
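The audit-and-enforce step above in script form, as an added example for this report and not AWS's own tooling. audit_metadata_options() consumes the Reservations structure that describe-instances returns and reports instances where HttpTokens is not "required" or the hop limit exceeds 1; enforce_imdsv2() issues modify_instance_metadata_options calls through a boto3-style client. A stub client holding constructed instances stands in for boto3 so the script runs offline; in use, replace it with boto3.client("ec2").

```python
"""Audit EC2 instances for IMDSv1 exposure and enforce IMDSv2 (T1552.005 mitigation).

Added example for this report, not AWS code. StubEC2 mimics the two boto3
calls used here with constructed instances; swap in boto3.client("ec2").
"""


def audit_metadata_options(reservations, required_hop_limit=1):
    """Return {instance_id: [problems]} for instances below the IMDSv2 baseline."""
    findings = {}
    for res in reservations:
        for inst in res.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint", "enabled") != "enabled":
                continue  # IMDS disabled entirely: nothing to harden
            problems = []
            if opts.get("HttpTokens") != "required":
                problems.append(f"HttpTokens={opts.get('HttpTokens', 'unset')} (IMDSv1 accepted)")
            if opts.get("HttpPutResponseHopLimit", 1) > required_hop_limit:
                problems.append(f"HttpPutResponseHopLimit={opts['HttpPutResponseHopLimit']} (>{required_hop_limit})")
            if problems:
                findings[inst["InstanceId"]] = problems
    return findings


def enforce_imdsv2(ec2, instance_ids, hop_limit=1):
    """Require session tokens and cap the hop limit on each instance; returns new HttpTokens per id."""
    results = {}
    for iid in instance_ids:
        resp = ec2.modify_instance_metadata_options(
            InstanceId=iid, HttpTokens="required",
            HttpPutResponseHopLimit=hop_limit, HttpEndpoint="enabled")
        results[iid] = resp["InstanceMetadataOptions"]["HttpTokens"]
    return results


class StubEC2:
    """Offline stand-in for boto3.client('ec2'); instance ids are constructed."""

    def __init__(self):
        self.reservations = [{"Instances": [
            {"InstanceId": "i-0aaa111", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
            {"InstanceId": "i-0bbb222", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 2}},
            {"InstanceId": "i-0ccc333", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
        ]}]
        self.calls = []

    def describe_instances(self):
        return {"Reservations": self.reservations}

    def modify_instance_metadata_options(self, **kw):
        self.calls.append(kw)
        for res in self.reservations:
            for inst in res["Instances"]:
                if inst["InstanceId"] == kw["InstanceId"]:
                    inst["MetadataOptions"]["HttpTokens"] = kw["HttpTokens"]
                    inst["MetadataOptions"]["HttpPutResponseHopLimit"] = kw["HttpPutResponseHopLimit"]
        return {"InstanceMetadataOptions": {"HttpTokens": kw["HttpTokens"],
                                            "HttpPutResponseHopLimit": kw["HttpPutResponseHopLimit"]}}


def harden(ec2):
    """Audit, enforce on every finding, then re-audit; returns (before, after)."""
    before = audit_metadata_options(ec2.describe_instances()["Reservations"])
    enforce_imdsv2(ec2, list(before))
    after = audit_metadata_options(ec2.describe_instances()["Reservations"])
    return before, after


if __name__ == "__main__":
    before, after = harden(StubEC2())
    print("non-compliant before:", before)
    print("non-compliant after:", after)
```

One caveat before forcing the hop limit to 1 fleet-wide: containers that reach IMDS through a bridge network (ECS or Kubernetes pods without host networking) sit one hop further away, and AWS recommends a hop limit of 2 for those hosts, so pass hop_limit=2 for container instances rather than breaking their credential lookups.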
Framework alignment: NIST CSF PR.AC-4, NIST 800-53 SC-7 (Boundary Protection), CIS v8 Control 13.4 (Perform Traffic Filtering Between Network Segments), MITRE ATT&CK T1552.005 mitigation.
2. Disable OAuth 2.0 Device Authorization Grant Flow in Microsoft Entra ID
Why this week: The VENOM PhaaS platform and Forest Blizzard both exploit the OAuth device code flow (T1621) to harvest Microsoft 365 tokens that remain valid post-MFA. Disabling this flow eliminates a primary attack surface used in both nation-state espionage and ransomware precursor campaigns targeting executive accounts.
How: (1) Sign in to the Microsoft Entra admin center (entra.microsoft.com); (2) Navigate to Identity → Applications → App registrations → Authentication flows; (3) In Tenant-level settings, disable “Device code flow” unless a specific application requires it (inventory before disabling); (4) Alternatively, create a Conditional Access policy blocking device code flow: Conditions → Authentication flows → Device code flow → Block. Verify with a test authentication attempt using the device code grant type. Monitor Entra Sign-in Logs for any device_code grant type events as a residual alert.
Framework alignment: NIST 800-53 IA-2 (Identification and Authentication), CIS v8 Control 6.3 (Require MFA for Externally-Exposed Applications), CIS v8 Control 6.5 (Require MFA for Administrative Access), MITRE ATT&CK T1621 mitigation.
3. Rotate All CI/CD Pipeline Credentials and Apply OIDC Federation
Why this week: The Trivy and Axios supply chain compromises (CVE-2026-33634) exfiltrated static API keys and access tokens from CI/CD pipeline environments. Static long-lived credentials in build systems represent a single-point-of-failure: once harvested, they provide persistent access until manually rotated. OIDC federation eliminates static credentials entirely for major CI/CD platforms.
How for GitHub Actions + AWS: (1) In AWS IAM, create an OIDC identity provider for token.actions.githubusercontent.com; (2) Create an IAM role with a trust policy permitting the GitHub repository’s workflow to assume it; (3) In GitHub Actions workflow, add: permissions: id-token: write and use aws-actions/configure-aws-credentials@v4 with role-to-assume; (4) Remove all hardcoded AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY secrets from GitHub Secrets. Equivalent patterns exist for GitLab CI (OIDC to AWS/GCP/Azure), Jenkins (AWS plugin with role assumption), and CircleCI (OIDC integration). Run a secrets scan (Gitleaks or TruffleHog) to identify any residual static credentials before completing the transition.
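Steps (1) through (3) above as concrete artefacts, added for this report and not GitHub's or AWS's own code. The trust policy shape (Federated principal on the token.actions.githubusercontent.com provider, sts:AssumeRoleWithWebIdentity, aud and sub conditions) is the documented pattern; the account id, organisation, repository, branch and role name are constructed. The validator rejects the common mistake of a wildcard sub claim, which would let any repository or branch assume the role.

```python
"""Build and validate an IAM trust policy for GitHub Actions OIDC federation.

Added example for this report, not GitHub or AWS code. Account id, org, repo,
branch and role ARN are constructed.
"""
import json

PROVIDER = "token.actions.githubusercontent.com"


def github_oidc_trust_policy(account_id, org, repo, ref="refs/heads/main"):
    """Trust policy scoped to one repository and one branch."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{PROVIDER}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    f"{PROVIDER}:aud": "sts.amazonaws.com",
                    f"{PROVIDER}:sub": f"repo:{org}/{repo}:ref:{ref}",
                }
            },
        }],
    }


def validate_trust_policy(policy):
    """Return a list of problems; an empty list means the policy is tightly scoped."""
    problems = []
    for st in policy.get("Statement", []):
        if st.get("Action") != "sts:AssumeRoleWithWebIdentity":
            problems.append("action must be sts:AssumeRoleWithWebIdentity")
        if not st.get("Principal", {}).get("Federated", "").endswith(f":oidc-provider/{PROVIDER}"):
            problems.append("principal is not the GitHub OIDC provider")
        cond = st.get("Condition", {})
        if cond.get("StringEquals", {}).get(f"{PROVIDER}:aud") != "sts.amazonaws.com":
            problems.append("aud condition missing or not sts.amazonaws.com")
        subs = []
        for op in ("StringEquals", "StringLike"):
            v = cond.get(op, {}).get(f"{PROVIDER}:sub")
            if v is not None:
                subs.extend(v if isinstance(v, list) else [v])
        if not subs:
            problems.append("sub condition missing: any GitHub repository could assume the role")
        for s in subs:
            if "*" in s:
                problems.append(f"wildcard in sub claim {s!r}: scope to repo:org/name:ref:refs/heads/<branch>")
    return problems


# Workflow fragment for step (3): request an OIDC token and exchange it for the role.
WORKFLOW_SNIPPET = """\
permissions:
  id-token: write   # allows the job to request an OIDC token
  contents: read
steps:
  - uses: aws-actions/configure-aws-credentials@v4
    with:
      role-to-assume: arn:aws:iam::123456789012:role/gha-deploy   # constructed ARN
      aws-region: us-east-1
"""

if __name__ == "__main__":
    policy = github_oidc_trust_policy("123456789012", "example-org", "payments-api")
    print(json.dumps(policy, indent=2))
    print("problems:", validate_trust_policy(policy))
```

Run validate_trust_policy() against every existing role that trusts the GitHub provider before the cut-over; a role whose sub condition reads `repo:example-org/*` is exactly the over-broad trust the rotation is meant to remove.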
Framework alignment: NIST 800-53 IA-5 (Authenticator Management), NIST 800-53 SR-3 (Supply Chain Controls), CIS v8 Control 5.2 (Use Unique Passwords), NIST CSF GV.SC-01, MITRE ATT&CK T1552.001 mitigation.
4. Block the applescript:// URL Scheme via MDM on macOS Endpoints
Why this week: AMOS operators are actively exploiting the applescript:// URL scheme to bypass ClickFix protections (T1059.002) on macOS, launching Script Editor with attacker-controlled code to steal Keychain credentials and session cookies. This is a low-effort MDM configuration change with no impact on standard enterprise workflows — virtually no enterprise application requires browser-triggered AppleScript execution.
How: (1) In your MDM solution (Jamf Pro, Kandji, Microsoft Intune for macOS, or Mosyle), create a Configuration Profile; (2) Add a LaunchServices payload; (3) Restrict the applescript:// URL scheme handler — in Jamf, use a custom schema restriction; in Intune, use a custom macOS configuration profile with the com.apple.LaunchServices.LSDefaultApplicationDictionaryVersionNumber key; (4) Test on a subset of endpoints by attempting to open applescript:// from a browser — Script Editor should not launch; (5) Deploy broadly. Additionally, enforce Script Editor restrictions via parental controls policy or application allowlisting if your MDM supports it.
Framework alignment: NIST 800-53 CM-7 (Least Functionality), CIS v8 Control 2.5 (Allowlist Authorized Software), CIS v8 Control 2.6 (Allowlist Authorized Libraries), MITRE ATT&CK T1059.002 mitigation.
5. Audit and Enforce Authentication on All Internet-Accessible OT Web Interfaces
Why this week: Both the Iranian PLC campaign (CISA AA26-097A) and the MajorDoMo KEV (CVE-2026-27175) exploit unauthenticated or default-authenticated web interfaces on operational technology and automation platforms (CWE-306, CWE-1188). Censys data indicates approximately 4,000 U.S. industrial devices remain internet-exposed. This mitigation addresses the root cause for both campaigns simultaneously.
How: (1) Run a Shodan or Censys query against your organization’s IP space for EtherNet/IP (port 44818), Modbus TCP (port 502), BACnet (port 47808), and web management interfaces on OT/ICS device IP ranges; (2) For any result: immediately place behind a firewall deny-all inbound rule or VPN-gated jump host; (3) For Rockwell PLCs: verify Studio 5000 and EtherNet/IP web server authentication is enabled per Rockwell’s hardening guide (https://www.rockwellautomation.com/en-us/trust-center/security-advisories.html); (4) For any web-based OT platform (MajorDoMo, custom HMIs): ensure .htaccess or web server config requires authentication before executing any command-capable endpoint; (5) Change all default credentials immediately (run: hydra or equivalent against your own devices with the top 20 default credential pairs for the device model to verify).
Framework alignment: NIST 800-53 AC-17 (Remote Access), NIST 800-53 IA-2 (Identification and Authentication), CIS v8 Control 6.3 (Require MFA for Externally-Exposed Applications), NIST SP 800-82 Rev. 3, CISA Cross-Sector CPGs, MITRE ICS T0883, T1078 mitigation.
Framework Alignment Matrix
| Threat | MITRE Tactic | MITRE Technique | NIST 800-53 Controls | CIS v8 Controls |
|---|---|---|---|---|
| Trivy/Axios Supply Chain Compromise (CVE-2026-33634) | Initial Access | T1195.001, T1195.002 | SR-3, SR-2, SA-9, SI-7, CM-3 | 2.5, 2.6, 15.1, 16.10 |
| Trivy/Axios Supply Chain — Credential Exfiltration | Credential Access | T1552.001, T1041 | IA-5, SC-28, CA-7 | 5.2, 6.3, 8.2 |
| Cisco FMC Zero-Day (CVE-2026-20131) / Interlock | Initial Access, Impact | T1190, T1486 | SI-2, RA-5, SC-7, CP-9, CP-10 | 7.3, 7.4, 13.4 |
| wolfSSL Certificate Bypass (CVE-2026-5194) | Defense Evasion, Credential Access | T1553.004, T1557, T1600 | SC-13, SC-8, SC-17, SI-2 | 3.10, 7.3, 7.4 |
| Fortinet FortiClient EMS SQLi (CVE-2026-21643) | Initial Access, Execution | T1190, T1059 | SI-10, SI-2, SC-7, CM-7 | 16.10, 7.3, 7.4 |
| Adobe Acrobat Prototype Pollution (CVE-2026-34621) | Execution | T1203, T1059.007 | SI-2, SI-3, SI-4, AC-6 | 7.3, 7.4, 5.4 |
| Iranian APT PLC Exploitation (CISA AA26-097A) | Initial Access, Impact | T0883, T0855, T0831, T1133 | AC-17, SC-7, IA-2, IA-5, AC-7 | 6.1, 6.2, 6.3 |
| ShinyHunters / Anodot Token Theft | Credential Access, Collection | T1528, T1199, T1530 | AC-3, IA-5, SR-2, SI-4 | 6.1, 6.2, 15.1 |
| APT41 Cloud Credential Harvesting | Credential Access, Defense Evasion | T1552.005, T1078.004, T1528, T1568 | AC-2, AC-6, IA-2, IA-5, SI-4 | 5.2, 6.3, 6.4, 6.5 |
| Forest Blizzard DNS Hijacking / OAuth Token Theft | Credential Access, C2 | T1557, T1584.008, T1539, T1071.004 | SC-8, SC-17, IA-5, SI-4, CA-8 | 3.10, 6.3, 7.3, 7.4 |
| VENOM PhaaS / AiTM Device Code Phishing | Credential Access | T1557, T1621, T1111, T1539 | IA-2, IA-5, AT-2, CA-7 | 6.3, 6.4, 6.5, 14.2 |
| Storm-1175 / Medusa Ransomware | Initial Access, Impact | T1190, T1078, T1486, T1567 | SI-2, RA-5, CP-9, CP-10, IR-4 | 7.3, 7.4, 11.1, 11.2 |
| CPUID STX RAT / DLL Side-Loading | Persistence, Execution | T1574.002, T1189, T1195.002 | SI-7, SI-3, CM-7, SA-9, SR-3 | 2.5, 2.6, 8.2 |
| Marimo RCE (CVE-2026-39987) | Initial Access, Execution | T1190, T1059.006 | SC-7, SI-2, RA-5, CA-8 | 6.3, 7.3, 7.4 |
| Axios SSRF to IMDS (CVE-2026-40175) | Credential Access | T1552.005, T1599 | SC-7, SI-10 | 13.4, 6.3 |
| MajorDoMo OS Command Injection (CVE-2026-27175) | Initial Access, Execution | T1190, T1059.004 | SI-10, SI-2, CM-7, SC-7 | 2.5, 16.10 |
| OT/ICS PQC Gap (Governance) | Credential Access, Defense Evasion | T1040, T1557, T1600, T1600.001 | SC-13, SC-8, SC-17 | 3.10 |
| AMOS macOS AppleScript Bypass | Execution, Credential Access | T1059.002, T1539, T1555.001 | CM-7, SI-3, CM-3 | 2.5, 2.6, 7.3 |
Upcoming Security Events & Deadlines
CISA KEV Remediation Deadlines (Within 30 Days)
- April 16, 2026 (3 days): CVE-2026-21643 — Fortinet FortiClient EMS SQL Injection. Federal agencies required to remediate. Commercial organizations should align. Verify affected version range and obtain patch from https://www.fortiguard.com/psirt.
- April 27, 2026 (14 days): CVE-2026-34621 — Adobe Acrobat and Reader Prototype Pollution. Apply Adobe APSB26-43 patch. Verify fixed version from Adobe Security Bulletins page.
- CVE-2026-27175 (MajorDoMo OS Command Injection): CISA KEV listing confirmed; remediation deadline not specified in available data as of publication. Monitor https://www.cisa.gov/known-exploited-vulnerabilities-catalog for deadline assignment.
Upcoming Patch Tuesday
- May 12, 2026: Microsoft Patch Tuesday (second Tuesday of May). Prepare patch testing and deployment pipelines. Given Storm-1175’s sub-24-hour exploitation patterns, critical and high severity patches should be accelerated beyond the standard monthly cycle for internet-facing systems.
Critical Vendor Deadlines
- May 8, 2026: OpenAI certificate revocation deadline for ChatGPT Desktop, Codex, Codex CLI, and Atlas macOS applications (affected by Trivy/Axios supply chain compromise). Versions predating the re-signed release will cease to function. Update all affected macOS endpoints before this date. Reinstall from official download source after confirming re-signed certificate is in place.
- Ongoing: Rockwell Automation and Allen-Bradley PLC firmware security advisories — check https://www.rockwellautomation.com/en-us/trust-center/security-advisories.html for any new advisories related to the Iranian APT campaign.
- Ongoing: Vendor firmware updates for wolfSSL 5.9.1 integration — track downstream device manufacturers for firmware releases incorporating the patched library, particularly for IoT, automotive, and ICS device categories.
Standards and Regulatory Milestones
- NIST PQC Standards: FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA) are finalized. Organizations should begin cryptographic asset inventories for PQC migration planning, especially for OT/ICS environments. Reference NIST IR 8413 for migration framework guidance.
- CIRCIA Reporting Requirements: Organizations classified as critical infrastructure covered entities should verify incident reporting procedures meet CISA’s proposed 72-hour incident report and 24-hour ransomware payment report timelines. Rulemaking is in progress; verify current status at https://www.cisa.gov/circia.
- SEC Cybersecurity Disclosure (17 CFR §229.106): Annual report season. Verify that proxy statements and 10-K filings accurately describe board-level cyber oversight and do not make material cybersecurity misstatements. Review against this week’s incident landscape for potential disclosure obligations.
Security Research Disclosures
- April 13, 2026 (today): GPUBreach full technical disclosure expected from the research team. Monitor for CVE assignment and NVIDIA advisory following disclosure. Update detection and mitigation guidance based on released technical details.
Sources
Section 1 — Executive Summary and General Reference
- CISA Known Exploited Vulnerabilities Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- MITRE ATT&CK Framework: https://attack.mitre.org
- MITRE ATT&CK for ICS: https://attack.mitre.org/matrices/ics/
- NVD (National Vulnerability Database): https://nvd.nist.gov
Section 3 — Key Security Stories
- Aqua Security — Trivy GHSA-69fq-xp46-6x23: https://github.com/aquasecurity/trivy/security/advisories/GHSA-69fq-xp46-6x23
- NVD — CVE-2026-33634: https://nvd.nist.gov/vuln/detail/CVE-2026-33634
- eSentire — Cisco FMC CVE-2026-20131 / Interlock: https://www.esentire.com/security-advisories/cisco-vulnerability-cve-2026-20131-exploited-by-interlock
- Amazon Security Blog — Interlock Ransomware Campaign: https://aws.amazon.com/blogs/security/amazon-threat-intelligence-teams-identify-interlock-ransomware-campaign-targeting-enterprise-firewalls/
- Cisco Security Advisory Portal: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory
- CISA Advisory AA26-097A (Iranian APT / Rockwell PLCs): https://www.cisa.gov/news-events/cybersecurity-advisories/aa26-097a
- BleepingComputer — ShinyHunters / Rockstar / Anodot: https://www.bleepingcomputer.com/news/security/stolen-rockstar-games-analytics-data-leaked-by-extortion-gang/
- HackRead — ShinyHunters Snowflake Breach via Anodot: https://hackread.com/shinyhunters-rockstar-games-snowflake-breach-anodot/
- NVD — CVE-2026-5194 (wolfSSL): https://nvd.nist.gov/vuln/detail/CVE-2026-5194
- wolfSSL GitHub Releases: https://github.com/wolfSSL/wolfssl/releases (verify domain before use)
- NVD — CVE-2026-39987 (Marimo): https://nvd.nist.gov/vuln/detail/CVE-2026-39987
- Marimo Official Releases: https://github.com/marimo-team/marimo/releases
- Kaspersky Securelist — CPUID / STX RAT: https://securelist.com/tr/cpu-z/119365/
- CISA ICS Security Guidance: https://www.cisa.gov/topics/industrial-control-systems
- CISA Advisory AA25-071A (Medusa Ransomware, March 2025): https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-071a (verify currency at cisa.gov)
- OSV — GHSA-fvcv-3m26-pcqx (Axios SSRF): https://osv.dev/vulnerability/GHSA-fvcv-3m26-pcqx
- NVD — CVE-2026-40175 (Axios SSRF): https://nvd.nist.gov/vuln/detail/CVE-2026-40175
- Adobe Security Bulletin APSB26-43 (Adobe Acrobat/Reader): Retrieve from https://helpx.adobe.com/security/products/acrobat.html
- Fortinet PSIRT (CVE-2026-21643): https://www.fortiguard.com/psirt
- Smart Slider Vendor Security Advisory: https://smartslider.helpscoutdocs.com/article/2144-wordpress-security-advisory-smart-slider-3-pro-3-5-1-35-compromise
- Palo Alto Networks Unit 42 — Gemini Live Hijacking: https://unit42.paloaltonetworks.com/gemini-live-in-chrome-hijacking/
- Security Affairs / The Hacker News — GPUBreach: securityaffairs.com/190455 and thehackernews.com/2026/04/new-gpubreach-attack-enables-full-cpu.html (verify URLs before accessing)
- NVD — CVE-2026-27175 (MajorDoMo): https://nvd.nist.gov/vuln/detail/CVE-2026-27175
Section 6 — Nation-State and APT Activity
- CISA Advisory AA26-097A: https://www.cisa.gov/news-events/cybersecurity-advisories/aa26-097a
- Cisco Talos — LucidRook / UAT-10362: https://blog.talosintelligence.com/new-lua-based-malware-lucidrook/
- FortiGuard Labs — DPRK LNK/GitHub C2: https://fortinet.com/blog/threat-research/dprk-related-campaigns-with-lnk-and-github-c2
- Rockwell Automation Trust Center: https://www.rockwellautomation.com/en-us/trust-center/security-advisories.html
Section 9 — Helpful 5 Mitigations
- NIST SP 800-53 Rev. 5: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
- CIS Controls v8: https://www.cisecurity.org/controls/v8
- NIST SP 800-82 Rev. 3 (OT Security): https://csrc.nist.gov/publications/detail/sp/800-82/rev-3/final
- CISA Zero Trust Maturity Model: https://www.cisa.gov/zero-trust-maturity-model
- NIST Cybersecurity Framework 2.0: https://www.nist.gov/cyberframework
Section 11 — Upcoming Events and Deadlines
- CISA CIRCIA: https://www.cisa.gov/circia
- NIST PQC Standards (FIPS 203, 204, 205): https://csrc.nist.gov/projects/post-quantum-cryptography
- NIST IR 8413 (PQC Migration): https://csrc.nist.gov/publications/detail/nistir/8413/final
- Microsoft Security Response Center (Patch Tuesday): https://msrc.microsoft.com/update-guide/
- SEC Cybersecurity Disclosure Rule (17 CFR §229.106): https://www.sec.gov/rules/final/2023/33-11216.pdf
Note: All URLs in this briefing were included based on their status as authoritative or primary sources documented within the SCC pipeline intelligence items. URLs should be validated by the reader before operational use. This briefing reflects information available as of the week of April 13, 2026. Some CVE records, vendor advisories, and IOC sets were pending publication at briefing time; security teams should re-check listed sources for updates.