Here are today’s top cybersecurity stories for Tuesday, March 31, 2026.
Axios npm Supply Chain Attack: Versions 1.14.1 and 0.30.4 Deliver Cross-Platform RAT Across 83 Million Weekly Downloads
StepSecurity researchers identified two compromised versions of the widely used axios HTTP client library published to npm on March 30, 2026. Versions 1.14.1 and 0.30.4 add a fake dependency, plain-crypto-js@4.2.1, whose sole function is running a postinstall script that drops a cross-platform remote access trojan on macOS, Windows, and Linux. The payload contacts a live command-and-control server, retrieves platform-specific second-stage executables, then deletes itself and overwrites its own package.json to obstruct forensic analysis. The attack was traced to a compromised npm maintainer account. The issue is tracked as GHSA-fw8c-xr5c-95f9 and MAL-2026-2306. Organizations should audit package-lock.json files for these axios versions and for any presence of plain-crypto-js, and treat any host on which the affected builds were installed as a confirmed breach, since the postinstall script runs at install time. The Hacker News | Socket
Fortinet FortiClient EMS CVE-2026-21643 (CVSS 9.8): Critical SQL Injection Under Active Exploitation Against ~1,000 Exposed Instances
Active exploitation of CVE-2026-21643, a critical SQL injection vulnerability in Fortinet FortiClient Endpoint Management Server v7.4.4, was confirmed by threat intelligence firm Defused beginning around March 26, 2026. The flaw exists in the HTTP “Site” header, which is passed directly into a database query without sanitization before any authentication check, allowing unauthenticated attackers to inject SQL and achieve remote code execution via standard HTTP requests. Shodan scans show approximately 1,000 FortiClient EMS instances directly exposed to the internet. The patch is available in version 7.4.5. BleepingComputer | Help Net Security
Russian CTRL Toolkit Distributed via Malicious LNK Files Hijacks RDP Sessions via Fast Reverse Proxy Tunnels
Censys researchers disclosed CTRL, a custom .NET remote access toolkit of Russian origin distributed through malicious Windows shortcut files disguised as private key folders. The LNK file uses a folder icon and zeroed timestamps to frustrate timeline analysis and embeds a multi-layer PowerShell loader as a base64 blob. On execution, the loader stores the .NET stager in registry values under plausible Explorer-related keys and loads it directly in memory, so no standalone PE file ever touches disk. The toolkit supports credential phishing via a Windows Hello-style overlay, keylogging, RDP session shadowing and takeover, and reverse tunneling through Fast Reverse Proxy. None of the associated binaries or infrastructure appear in VirusTotal or common threat intelligence feeds, indicating private use in targeted operations. The Hacker News
OpenAI Patches ChatGPT DNS Data Exfiltration Flaw and Codex GitHub Token Vulnerability
Check Point researchers disclosed a DNS-based side channel in ChatGPT’s Linux runtime that allowed a malicious prompt to encode user messages, uploaded files, and conversation content into DNS lookups and transmit them to an attacker-controlled server without triggering output-based monitoring. OpenAI patched the issue on February 20, 2026, and found no evidence of malicious exploitation. Separately, a command injection flaw in OpenAI’s Codex allowed attackers to inject arbitrary commands through GitHub branch names during cloud task execution, enabling retrieval of GitHub authentication tokens. OpenAI patched the Codex flaw on February 5, 2026, after responsible disclosure in December 2025. Neither vulnerability is known to be under active exploitation, but both show how untrusted input, whether a prompt or a branch name, reaches privileged execution paths in deployed AI agents. The Hacker News
CareCloud Confirms Patient Data Theft from Healthcare EHR Environment After March 16 Cyberattack
Healthcare IT and electronic health record company CareCloud confirmed that hackers stole patient data from one of its six EHR environments following a cyberattack detected on March 16, 2026. The network disruption lasted approximately eight hours before full restoration. The company filed an 8-K disclosure with the SEC on March 29, 2026, after dark web monitoring indicated stolen data was being listed. An investigation into the number of affected patients and the types of data compromised is ongoing. CareCloud has engaged outside cyber-response specialists and notified law enforcement. The affected environment is the CareCloud Health system; all other platforms and environments were unaffected. BleepingComputer | SecurityWeek
Crunchyroll Investigates Breach of 6.8 Million User Records via Compromised TELUS Support Employee’s Okta SSO
Crunchyroll is investigating a data breach affecting approximately 6.8 million users, which took place on March 12, 2026, after an attacker infected a device belonging to a TELUS customer support employee and captured the employee’s Okta single sign-on credentials. The attacker used those credentials to access Crunchyroll’s Zendesk, Slack, and Google Workspace environments and downloaded roughly 8 million support ticket records containing unique email addresses, names, login names, IP addresses, geographic data, and ticket contents during a 24-hour window before being locked out. A $5 million ransom demand was not paid. Crunchyroll describes the stolen information as primarily limited to customer service ticket data originating from a third-party vendor. BleepingComputer
Infinity Stealer: New macOS Infostealer Combines ClickFix CAPTCHA Delivery with Nuitka-Compiled Python to Evade Analysis
Malwarebytes researchers identified Infinity Stealer, a new macOS information-stealing malware delivered through fake Cloudflare CAPTCHA verification pages using the ClickFix social engineering technique. The Python payload is compiled with the Nuitka compiler, which converts Python into C code and produces a native binary rather than the bytecode bundle created by PyInstaller, making the executable substantially more resistant to static analysis and reverse engineering. Infinity Stealer targets credentials from Chromium-based browsers and Firefox, macOS Keychain entries, cryptocurrency wallet data, and plaintext secrets in developer files such as .env. Screenshots are also captured during execution. This is the first documented macOS campaign combining ClickFix delivery with Nuitka-compiled Python. BleepingComputer
LinkedIn Executive Phishing Campaign Delivers Remote Access Trojan via Tailored DM Downloads
Cybersecurity researchers identified an active LinkedIn phishing campaign targeting senior executives and IT administrators through personalized direct messages containing download links for WinRAR self-extracting archives. Filenames are customized to the target’s role — such as product roadmaps or project plans — to appear credible before deployment of a remote access trojan using an open-source penetration testing tool. The campaign targets high-value individuals specifically and uses LinkedIn’s professional context to lower target skepticism. Organizations should treat unsolicited LinkedIn DM file downloads as high-risk regardless of sender appearance, and review endpoint detection coverage for WinRAR SFX execution. Cybernews
Stay tuned for today’s in-depth analysis posts.
