Cyber Threat Brief — April 1 2026
⚠️ This report is AI-generated. Always validate findings.
1. Axios npm Supply Chain Compromise — WAVESHAPER.V2 RAT (UNC1069)
TL;DR: Malicious axios npm versions 1.14.1 and 0.30.4 published March 31 drop a cross-platform RAT via the plain-crypto-js dependency. GTIG attributes the attack to North Korean UNC1069; the ~3-hour exposure window on a 100M-weekly-download package demands immediate artifact hunting.
What’s New:
- Maintainer account @jasonsaayman compromised; attacker published to both release branches within 39 minutes (00:21–03:00 UTC March 31)
- Dependency [email protected] pre-staged 18 hours prior; postinstall script decodes via string-reversal + Base64, then XOR with key OrDeR_7077 (position-dependent: 7 * i² % 10)
- Platform-specific WAVESHAPER.V2 RAT: in-memory PE injection (Windows), LaunchAgent persistence (macOS), Python RAT (Linux)
- Capabilities: system recon, process listing, arbitrary shell execution, in-memory PE loading
- Malicious versions removed from npm by 03:29 UTC; safe versions: 1.14.0 / 0.30.3
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| [email protected] (SHA1: 07d889e2dadce6f3910dcbc253317d28ca61c766) | Malicious package | T1195.002 | npm audit, SBOM | Block/alert on package name and hash in CI/CD |
| [email protected] (SHA1: 2553649f232204966871cea80a5d0d6adc700ca) | Compromised package | T1195.002 | npm audit, SBOM | Scan lockfiles for these exact versions |
| [email protected] (SHA1: d6f3f62fd3b9f5432f5782b62d8cfd5247d5ee71) | Compromised package | T1195.002 | npm audit, SBOM | Scan lockfiles for these exact versions |
| sfrclak[.]com | C2 domain | T1071.001 | DNS, proxy logs | Block and hunt in DNS/proxy logs |
| 142.11.206.73 | C2 IP | T1071.001 | Firewall, NDR | Block and hunt in netflow/firewall logs |
| /Library/Caches/com.apple.act.mond | macOS RAT path | T1543.001 | EDR, fs monitoring | Hunt for file creation at this path |
| %PROGRAMDATA%\wt.exe | Windows RAT path | T1059 | Sysmon EID 1/11, EDR | Alert on wt.exe execution from ProgramData |
| /tmp/ld.py | Linux RAT path | T1059.006 | auditd, EDR | Hunt for python executing /tmp/ld.py |
| XOR key OrDeR_7077 | Decoder artifact | T1140 | YARA, script analysis | YARA rule on string in postinstall scripts |
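The "scan lockfiles for these exact versions" action above, as an added example that is not part of the brief or of any vendor tooling: a scanner for npm package-lock.json v1, v2 and v3 that flags the two compromised axios releases, flags plain-crypto-js by name (its version is not given in the brief, so the sample uses a placeholder), and lists any other package npm marked with hasInstallScript for manual review. The sample lockfile is constructed.

```python
from collections.abc import Iterator

# Indicators from the brief; plain-crypto-js is matched by name only.
COMPROMISED = {"axios": {"1.14.1", "0.30.4"}}    # malicious axios releases
MALICIOUS_PACKAGES = {"plain-crypto-js"}          # pre-staged dropper dependency
SAFE = {"axios": "1.14.0 or 0.30.3"}

def _walk_v1(deps: dict) -> Iterator[tuple[str, str, dict]]:
    # lockfileVersion 1: nested "dependencies" tree
    for name, meta in deps.items():
        yield name, meta.get("version", ""), meta
        yield from _walk_v1(meta.get("dependencies", {}))

def iter_packages(lock: dict) -> Iterator[tuple[str, str, dict]]:
    """Yield (name, version, meta) for lockfileVersion 1, 2 and 3 documents."""
    if lock.get("lockfileVersion", 1) >= 2:
        # v2/v3: flat "packages" map keyed by install path; "" is the root project
        for path, meta in lock.get("packages", {}).items():
            if path:
                yield path.rsplit("node_modules/", 1)[-1], meta.get("version", ""), meta
    else:
        yield from _walk_v1(lock.get("dependencies", {}))

def scan_lockfile(lock: dict) -> list[str]:
    """Return CRITICAL/REVIEW findings; an empty list means nothing matched."""
    findings = []
    for name, version, meta in iter_packages(lock):
        if name in MALICIOUS_PACKAGES:
            findings.append(f"CRITICAL {name}@{version}: known-malicious package")
        elif version in COMPROMISED.get(name, ()):
            findings.append(f"CRITICAL {name}@{version}: compromised release, pin to {SAFE[name]}")
        elif meta.get("hasInstallScript"):
            # npm sets this for packages with (pre/post)install scripts: not malicious
            # by itself, but worth a manual look after a postinstall-dropper incident
            findings.append(f"REVIEW {name}@{version}: runs an install script")
    return findings

SAMPLE_LOCK = {  # constructed sample lockfile; plain-crypto-js version is a placeholder
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"axios": "^1.14.0"}},
        "node_modules/axios": {"version": "1.14.1", "dependencies": {"plain-crypto-js": "*"}},
        "node_modules/plain-crypto-js": {"version": "0.0.0-placeholder", "hasInstallScript": True},
        "node_modules/follow-redirects": {"version": "1.15.6"},
        "node_modules/esbuild": {"version": "0.21.0", "hasInstallScript": True},
    },
}

if __name__ == "__main__":
    import json, sys
    print(*scan_lockfile(json.load(open(sys.argv[1]))) or ["clean"], sep="\n")
```

Run it against every package-lock.json in CI as well as on developer machines, since the exposure window was only a few hours and a lockfile touched in that window may never have been rebuilt.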
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None specific | Need: npm postinstall shell execution → outbound C2 correlation rule |
| Elastic | Axios WAVESHAPER.V2 Detection (published March 31) | Review Elastic blog for full rule set |
| Sigma | None specific | Need: Suspicious npm postinstall script execution; wt.exe from ProgramData |
Sources: Google Cloud / GTIG Attribution · Snyk Advisory · Elastic Security Labs · Socket.dev
2. Operation TrueChaos — CVE-2026-3502 (TrueConf Zero-Day)
TL;DR: Chinese-nexus actor exploited TrueConf’s update mechanism (CVE-2026-3502, CVSS 7.8) to push Havoc C2 framework payloads to all connected clients in Southeast Asian government networks. Patch to TrueConf client 8.5.3+.
What’s New:
- Zero-day in TrueConf Windows client update validation — attacker controlling on-prem TrueConf server replaces legitimate update with malicious payload
- DLL sideloading chain: benign poweriso.exe + malicious 7z-x64.dll dropped to C:\ProgramData\PowerISO\
- Havoc C2 framework deployed post-exploitation; C2 hosted on Alibaba Cloud and Tencent infrastructure
- Check Point Research attributes to Chinese-nexus actor (moderate confidence) based on DLL sideloading TTPs, C2 infrastructure, and victimology
- Patched in TrueConf Windows client 8.5.3 (released March 2026)
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| C:\ProgramData\PowerISO\poweriso.exe | Sideload host | T1574.002 | Sysmon EID 1/11, EDR | Hunt for poweriso.exe in ProgramData (not normal install path) |
| C:\ProgramData\PowerISO\7z-x64.dll | Malicious DLL | T1574.002 | Sysmon EID 7, EDR | Alert on 7z-x64.dll loaded from ProgramData\PowerISO |
| Havoc C2 beacon traffic | C2 framework | T1071.001 | NDR, proxy logs | Deploy Havoc C2 Malleable-C2 JA3/JA4 signatures |
| Alibaba Cloud / Tencent C2 infrastructure | C2 hosting | T1583.003 | Proxy, firewall | Hunt for unusual outbound to Chinese cloud providers from gov/enterprise |
| TrueConf update mechanism abuse | Initial access | T1195.002 | Application logs | Audit TrueConf server update integrity; verify server hasn’t been compromised |
| trueconf.exe spawning poweriso.exe | Process chain | T1204.002 | Sysmon EID 1, EDR | Alert on TrueConf process spawning unexpected children |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None specific | Need: DLL sideload via poweriso.exe from non-standard path; TrueConf child process anomaly |
| Elastic | Suspicious DLL Loaded via Side-Loading (generic) | Gap: No TrueConf-specific rule |
| Sigma | sysmon_dll_sideloading_7z.yml (community, partial) | Gap: No rule for poweriso.exe sideload chain or TrueConf update abuse |
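The Sigma gaps listed for both items (wt.exe from ProgramData in item 1; poweriso.exe outside its install path, 7z-x64.dll loaded from ProgramData\PowerISO, and TrueConf spawning unexpected children in item 2) as one added detection example, not code from the brief or from any vendor. It evaluates Sysmon-shaped event dicts (EID 1 process create, EID 7 image load, EID 11 file create); the field names follow Sysmon, the allowlist of expected TrueConf children is an assumption to tune per environment, and the events are constructed.

```python
import ntpath

# Paths and binaries from the brief; events below are constructed samples.
PROGRAMDATA_BINARIES = {"wt.exe", "poweriso.exe"}      # RAT (item 1) and sideload host (item 2)
SIDELOADED_DLL = ("7z-x64.dll", r"c:\programdata\poweriso")
TRUECONF_EXPECTED_CHILDREN = {"trueconf.exe"}          # assumed allowlist; tune per environment

def _norm(path) -> str:
    # Windows paths are case-insensitive, so normalise before comparing
    return ntpath.normpath(path or "").lower()

def _in_programdata(path: str) -> bool:
    return "\\programdata\\" in path

def classify(ev: dict) -> list[str]:
    """Return alert strings for one Sysmon-style event; empty list if benign."""
    alerts, eid = [], ev.get("EventID")
    if eid == 1:                                       # process creation
        image, parent = _norm(ev.get("Image")), _norm(ev.get("ParentImage"))
        name = ntpath.basename(image)
        if name in PROGRAMDATA_BINARIES and _in_programdata(image):
            alerts.append(f"EID1 {name} executed from ProgramData: {image}")
        if ntpath.basename(parent) == "trueconf.exe" and name not in TRUECONF_EXPECTED_CHILDREN:
            alerts.append(f"EID1 trueconf.exe spawned unexpected child: {image}")
    elif eid == 11:                                    # file create
        target = _norm(ev.get("TargetFilename"))
        if ntpath.basename(target) in PROGRAMDATA_BINARIES and _in_programdata(target):
            alerts.append(f"EID11 {ntpath.basename(target)} written to ProgramData: {target}")
    elif eid == 7:                                     # image (DLL) load
        loaded, (dll, folder) = _norm(ev.get("ImageLoaded")), SIDELOADED_DLL
        if ntpath.basename(loaded) == dll and ntpath.dirname(loaded) == folder:
            alerts.append(f"EID7 {dll} sideloaded from {folder} into {_norm(ev.get('Image'))}")
    return alerts

def scan(events: list[dict]) -> list[str]:
    return [alert for ev in events for alert in classify(ev)]

SAMPLE_EVENTS = [  # constructed, shaped like Sysmon EID 1/7/11 fields
    {"EventID": 1, "Image": r"C:\Program Files\TrueConf\TrueConf.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 11, "Image": r"C:\Program Files\TrueConf\TrueConf.exe", "TargetFilename": r"C:\ProgramData\PowerISO\poweriso.exe"},
    {"EventID": 1, "Image": r"C:\ProgramData\PowerISO\poweriso.exe", "ParentImage": r"C:\Program Files\TrueConf\TrueConf.exe"},
    {"EventID": 7, "Image": r"C:\ProgramData\PowerISO\poweriso.exe", "ImageLoaded": r"C:\ProgramData\PowerISO\7z-x64.dll"},
    {"EventID": 7, "Image": r"C:\Program Files\7-Zip\7zFM.exe", "ImageLoaded": r"C:\Program Files\7-Zip\7z.dll"},
    {"EventID": 1, "Image": r"C:\ProgramData\wt.exe", "ParentImage": r"C:\Program Files\nodejs\node.exe"},
]

if __name__ == "__main__":
    print("\n".join(scan(SAMPLE_EVENTS)))
```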
Sources: Check Point Research · The Hacker News · Check Point Blog
Status Updates
- CVE-2026-3055 (Citrix NetScaler): CISA KEV added March 30; active exploitation confirmed via SAMLRequest and /wsfed/passive paths; Metasploit module available; federal deadline April 2 — patch immediately. Previous brief.
- CVE-2026-20131 (Cisco FMC): Interlock ransomware exploitation ongoing; no new artifacts. Previous brief.
- CVE-2025-53521 (F5 BIG-IP APM): Federal deadline passed March 30; UNC5221 BRICKSTORM exploitation ongoing; no new artifacts. Previous brief.
- CVE-2026-4681 (PTC Windchill): German police physically warning affected orgs; still no patch available; imminent exploitation threat persists. Previous brief.