The Lyceum: Cybersecurity Weekly — Apr 01, 2026
Week of April 1, 2026
The Big Picture
This was the week the software supply chain broke — not in one place, but in several, simultaneously, and apparently by design. North Korea-nexus actors compromised the JavaScript library that many websites use to make web requests. A criminal group called TeamPCP chained together compromises of security scanners, AI tools, and communications libraries, cascading like dominos. Hackers claiming links to Iran published the FBI director's personal emails. And a phishing technique that renders two-factor authentication useless is now being sold as a subscription service. The throughline: attackers have stopped trying to break down the front door. They're poisoning the building materials instead.
What Just Dropped
- CVE-2026-20700 — Apple iOS/iPadOS (dyld component, pre-26.3): actively exploited in targeted attacks; patched in iOS 26.3 and iPadOS 26.3; added to CISA KEV catalog. Memory corruption enabling arbitrary code execution.
- CVE-2026-21385 — Qualcomm open-source display component (234 chipsets, Android): high-severity memory corruption under limited targeted exploitation. Patches available from Qualcomm (Jan 2026) and in Android March 2026 security bulletin.
- CVE-2026-2441 — Google Chrome (pre-145): actively exploited zero-day, likely arbitrary code execution. Patched in Chrome 145 update.
- FortiWeb 8.0.1 auth bypass + CVE-2025-64446/CVE-2025-58034 chain — Weaponized Metasploit modules for unauthenticated code execution on FortiWeb servers. Already in Metasploit Pro 4.22.9.
- CVE-2025-54236 (SessionReaper) — Magento/Adobe Commerce: weaponized Metasploit module for unauthenticated RCE via nested deserialization. Already in Metasploit Pro 4.22.9.
This Week's Stories
North Korea-nexus Actor Compromised the Axios JavaScript Library
● North Korea · South Korea
If your company has a website, there's a reasonable chance it was briefly at risk this week — and the people responsible are tied to a North Korea-nexus actor.
Axios is the JavaScript ecosystem's most popular HTTP client — the library developers use to make web requests — downloaded over 100 million times per week from npm, the app store for JavaScript code. On March 30, an attacker hijacked the lead maintainer's npm account, published two poisoned versions across both the current and legacy release branches within 39 minutes of each other, and injected a hidden dependency whose sole purpose was to deploy persistent malware on macOS, Windows, and Linux. According to Trend Micro's analysis, the malware self-destructed after execution, replacing its own evidence with a clean decoy.
The attack was surgical. According to SANS Institute reporting, the attacker pre-staged the malicious dependency — a fake crypto library called plain-crypto-js — 18 hours before publishing the poisoned Axios versions, demonstrating operational planning designed to evade detection. The malicious releases (versions 1.14.1 and 0.30.4) introduced a post-install script that fetched a cross-platform remote access trojan called WAVESHAPER.V2, per Google's Threat Intelligence Group, which attributes the attack to UNC1069 — a financially motivated North Korea-nexus threat actor active since at least 2018. Tenable's FAQ corroborates the attribution and notes the malicious packages were live for roughly three hours before npm took them down.
What changes if this pattern succeeds — and it already has, partially — is that every company's build pipeline becomes a potential beachhead for state-sponsored attackers. The economics are devastating: compromise one maintainer account, and you get code execution on thousands of developer machines before anyone notices. The signal that tells you whether this gets worse is simple: watch whether npm and other registries mandate hardware-backed two-factor authentication for maintainers of high-download packages. If they don't, similar compromises are likely — the incentive structure makes recurrence probable.
If your development team ran npm install on March 30 or 31, check for node_modules/plain-crypto-js/. Its presence confirms the dropper ran. Rotate credentials, SSH keys, and cloud tokens immediately.
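The directory check above only covers the machine you run it on. As an added example (not code from npm, Axios, or any of the vendors cited), this Node.js sketch looks for the same indicators in a parsed package-lock.json: axios at 1.14.1 or 0.30.4, or plain-crypto-js anywhere in the tree. The sample lockfile, its package names other than those two, and the plain-crypto-js version string are constructed for illustration.

```javascript
// Added example: flag the indicators named in the article inside an npm lockfile.
const AFFECTED_AXIOS = new Set(["1.14.1", "0.30.4"]); // versions named in the article
const DROPPER_PKG = "plain-crypto-js";                // dependency named in the article

// Walk a parsed package-lock.json (v2/v3 "packages" map, or v1 nested
// "dependencies") and return one finding per matching entry.
function scanLockfile(lock) {
  const findings = [];
  const check = (name, version, where) => {
    if (name === "axios" && AFFECTED_AXIOS.has(version)) {
      findings.push({ type: "affected-axios", version, where });
    } else if (name === DROPPER_PKG) {
      findings.push({ type: "dropper-dependency", version, where });
    }
  };
  // lockfileVersion 2/3: keys are paths such as "node_modules/a/node_modules/b".
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path) continue; // "" is the root project itself
    const i = path.lastIndexOf("node_modules/");
    const name = meta.name || (i >= 0 ? path.slice(i + 13) : path);
    check(name, meta.version, path);
  }
  // lockfileVersion 1: dependencies nest recursively.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const where = `${trail}>${name}`;
      check(name, meta.version, where);
      walk(meta.dependencies, where);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "root");
  return findings;
}

// Constructed sample lockfile; for a real project, pass the result of
// JSON.parse on the contents of package-lock.json instead.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/plain-crypto-js": { version: "0.0.0-constructed" },
    "node_modules/legacy-lib/node_modules/axios": { version: "0.30.4" },
    "node_modules/follow-redirects": { version: "1.15.6" },
  },
};

console.log(scanLockfile(SAMPLE_LOCK));
```

A lockfile hit shows what a build resolved, so it is worth running against lockfiles archived by CI for March 30 and 31, not only the current checkout.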
Hackers Claiming Links to Iran Published the FBI Director's Personal Gmail — and Published the Receipts
● Iran
The head of the FBI got hacked. Not his work systems — his personal Gmail.
On March 27, a group calling itself Handala published photographs, contacts, and email excerpts from FBI Director Kash Patel's personal inbox. According to AP News, the FBI confirmed "malicious actors" had targeted Patel's personal account and that mitigation steps were underway. NBC News reported that Handala framed the leak as retaliation after the FBI and Justice Department seized several of its websites; U.S. authorities have accused Handala of being a front for Iran's Ministry of Intelligence and Security. The FBI announced rewards up to $10 million for information on the hackers, according to TechCrunch.
The actual damage appears limited. According to Axios's reporting, the leaked conversations date back to the early 2010s and don't include details about current FBI operations. But the real story isn't what was in the emails — it's that hackers claiming Iran links embarrassed the director of America's top domestic intelligence agency and demonstrated that domain seizures and bounties don't necessarily deter a state-backed group that wants to retaliate.
What this changes: the calculus around personal accounts for senior government officials. If a $10 million bounty and infrastructure seizures provoke a retaliatory hack rather than deterring one, the U.S. government faces a choice between escalation and accepting that personal accounts of public figures are essentially indefensible without enterprise-grade controls. The signal to watch is whether Handala follows through on subsequent claims — the group has since claimed breaches of Lockheed Martin and Stryker, though those assertions remain unverified. If even one is confirmed, this becomes a pattern rather than a stunt.
The Supply Chain Attack That Kept Spreading — TeamPCP's Escalating Campaign
● United States
The Axios attack didn't happen in a vacuum. It's the latest chapter in a campaign that has been quietly poisoning the tools developers use to build software — and this one has a genuinely novel twist: the attackers are using your security tools against you.
Between March 19 and March 27, a group called TeamPCP compromised four widely used open-source projects in rapid succession. According to Snyk's detailed analysis, it started with Trivy, a popular security scanner: attackers rewrote Git tags in the Trivy GitHub Action repository to point to a malicious release carrying a credential-harvesting payload. That compromised scanner then ran inside LiteLLM's own build pipeline — because LiteLLM used Trivy as part of its automated security checks — and exfiltrated the PyPI publishing token. Three days later, Trend Micro documented TeamPCP hitting the Telnyx Python SDK, this time hiding payloads inside WAV audio files to evade file-type filters.
Think of it like this: instead of breaking into a bank, TeamPCP broke into the company that makes the bank's security cameras — and then used those cameras to find the vault combination.
The Sonatype analysis of the LiteLLM compromise explains why these AI infrastructure tools are such high-value targets: LiteLLM sits directly between applications and multiple AI service providers, so it typically has access to API keys, environment variables, and cloud credentials. Compromise a package in that position and you intercept secrets without ever breaching the upstream providers. According to InfoQ's reporting, the malware could read all Kubernetes cluster secrets across all namespaces and attempt to install persistent backdoors on every node.
What makes this campaign especially hard to stop: Snyk researchers documented TeamPCP using CanisterWorm, which routes command-and-control traffic through the Internet Computer Protocol — a decentralized network whose nodes cannot be taken down by domain registrars or hosting providers. If this C2 technique proliferates, the standard playbook of seizing attacker domains becomes ineffective.
The failure mode is clear: if organizations don't isolate CI/CD credentials, pin dependencies by hash, and treat security scanners themselves as attack surface, this campaign will keep compounding. CISA has already added the Trivy compromise (CVE-2026-33634) to its Known Exploited Vulnerabilities catalog.
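The Trivy step of this chain worked because a Git tag can be moved to a different commit, while a full commit SHA cannot. As an added example (not from Snyk, Trend Micro, or the affected projects), this Node.js sketch lists GitHub Actions steps whose `uses:` reference is a tag or branch and not a 40-character commit SHA. The workflow text, action names, and SHA below are constructed.

```javascript
// Added example: find GitHub Actions steps pinned to a movable ref (tag or branch).
const FULL_SHA = /^[0-9a-f]{40}$/;

// Return { line, action, ref } for every `uses:` entry not pinned to a full commit SHA.
function findUnpinnedActions(workflowText) {
  const findings = [];
  workflowText.split(/\r?\n/).forEach((line, idx) => {
    const code = line.replace(/\s+#.*$/, ""); // drop trailing YAML comments
    const m = code.match(/^\s*(?:-\s*)?uses:\s*["']?([^"'\s]+)["']?\s*$/);
    if (!m) return;
    const target = m[1];
    // Local actions have no ref; docker:// images are pinned by digest, not covered here.
    if (target.startsWith("./") || target.startsWith("docker://")) return;
    const at = target.lastIndexOf("@");
    const ref = at === -1 ? "" : target.slice(at + 1);
    if (!FULL_SHA.test(ref)) {
      findings.push({
        line: idx + 1,
        action: at === -1 ? target : target.slice(0, at),
        ref: ref || "(none)",
      });
    }
  });
  return findings;
}

// Constructed workflow: one SHA-pinned step, one tag, one branch, one local action.
const SAMPLE_WORKFLOW = `
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: example-org/checkout-action@0123456789abcdef0123456789abcdef01234567 # constructed SHA
      - name: Security scan
        uses: example-org/scanner-action@v2
      - uses: example-org/upload-action@main
      - uses: ./.github/actions/local-step
`;

console.log(findUnpinnedActions(SAMPLE_WORKFLOW));
```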
⚡ What Most People Missed
AI is about to make finding exploits dramatically cheaper. A provocative essay by the author of the Matasano crypto challenges argues that coding agents will soon turn vulnerability research from a skilled craft into a commodity — point an agent at a source tree, type "find me zero days," and wait. The real worry isn't the bugs themselves; it's the regulatory backlash if policymakers decide that automated exploit discovery is a weapon rather than computer science. One person's essay, not peer-reviewed — but the underlying claim is consistent with what red teams have been quietly demonstrating for months.
Ransomware is getting quieter, not louder. According to SentinelOne's crimeware trends report, groups like Black Basta are adopting "intermittent encryption" — scrambling only small, alternating chunks of files so the I/O pattern looks like normal activity. Files become unusable but detection rules built around "big encryption spikes" miss it entirely. If your incident playbook triggers on volume-based anomalies, revise it to include file-system integrity checks and pattern-based heuristics.
"Copy this terminal command" attacks now have their own subscription service. ClickFix-style social engineering — fake CAPTCHAs that trick users into pasting malicious commands into Terminal — has spread to macOS, and a MaaS product called Venom Stealer is selling turnkey kits to automate the whole thing. There are reports that Apple is considering explicit ClickFix warnings in macOS Terminal, which would indicate the company sees this as a durable pattern rather than a one-off.
The Citrix VPN deadline is live. CISA ordered federal agencies to patch CVE-2026-3055 in Citrix NetScaler within 72 hours, with an April 2 deadline. If your organization runs internet-facing NetScaler appliances and hasn't patched, do it before that deadline: the vulnerability is being actively scanned for and can leak session tokens, the digital equivalent of a master keycard.
From the Foreign Press
Anthropic Accidentally Exposed Claude Code Source
Xakep.ru reports that Anthropic inadvertently exposed the source code of Claude Code — its AI coding assistant — in what appears to have been an accidental publication or misconfiguration. The article does not specify the duration of exposure or the remediation timeline. In a week dominated by supply chain compromises, an accidental leak of a major AI tool's source code is a reminder that not every exposure requires a sophisticated adversary — sometimes the threat model is just a bad deploy. If confirmed and the code was accessible long enough for adversaries to study it, expect targeted attacks against Claude Code integrations.
Source: Xakep.ru — Russian. No English-language coverage confirmed at time of publication.
MaskGram Stealer Uses Spotify and Chess.com for Command and Control
Xakep.ru details a newly documented stealer called MaskGram that hides its command-and-control instructions inside publicly accessible content on Spotify and Chess.com — meaning the malicious traffic looks like normal browsing to network monitors. The technique exploits the fact that security tools rarely block or inspect traffic to major consumer platforms. This is part of a broader trend of "living off trusted services" for C2, and it means naive IP-based blocking won't catch it.
Source: Xakep.ru — Russian. No English-language coverage confirmed at time of publication.
ChatGPT Data Leakage via Hidden Outbound Channel in Code Execution Runtime
Check Point Research published findings on a data exfiltration path in ChatGPT's code execution sandbox — a hidden outbound channel that could allow data uploaded during a session to be leaked externally. The research demonstrates that the sandboxed environment isn't as isolated as users assume, which matters for anyone pasting sensitive code or documents into ChatGPT's code interpreter. In the context of this week's AI infrastructure attacks, it's another reminder that the tools accelerating development also expand the attack surface.
Source: Check Point Research — English (Israeli research, not yet in mainstream English-language press). No English-language coverage confirmed at time of publication.
📅 What to Watch
- If npm doesn't mandate hardware-backed 2FA for maintainers of packages with >1M weekly downloads within 90 days, expect another Axios-scale compromise — the incentive structure makes such attacks attractive to state actors and organized groups.
- If Handala's claimed breaches of Lockheed Martin or Stryker are independently confirmed, it signals hackers claiming Iran links have moved from embarrassment operations to sustained hack-and-leak campaigns against U.S. defense contractors, which would prompt operational security changes across defense supply chains.
- If TeamPCP's Internet Computer Protocol C2 technique spreads to other groups, traditional domain seizure and takedown playbooks become largely ineffective, forcing defenders to prioritize endpoint behavioral detection and forensics-driven attribution.
- If AI-assisted vulnerability discovery tools start producing confirmed zero-days faster than vendors can patch, watch for legislative proposals to regulate automated exploit research — the political reaction could slow disclosure pipelines and reshape vendor patching obligations.
The Closer
A JavaScript library that phones home to infrastructure linked to North Korea before npm finishes installing. The FBI director's decade-old Gmail proving that hackers claiming Iran links have a longer memory than America's security policies. A security scanner that dutifully scanned itself into becoming the backdoor.
Somewhere, a sober driver in Iowa is explaining to a judge that they couldn't start their car because a server in a data center they've never heard of got hacked — and honestly, that's the most 2026 sentence anyone will write this week.
Stay paranoid. It's working.