Here are today’s top cybersecurity stories for Thursday, April 2, 2026.
Google Formally Attributes Axios npm Supply Chain Attack to North Korean Threat Group UNC1069
Google Threat Intelligence Group researchers formally attributed the March 31 supply chain attack against the Axios npm package to UNC1069, a North Korean threat cluster with a history of financially motivated supply chain operations. Attackers compromised the npm account of the Axios package maintainer, published two backdoored versions (v1.14.1 and v0.30.4), and deployed the SILKBELL dropper to deliver WAVESHAPER.V2, a C++ backdoor previously linked to North Korean cryptocurrency-sector intrusions. The malicious versions were available for approximately three hours and were downloaded by an estimated 3% of the Axios user base before removal from the registry. The Hacker News | SecurityWeek
Cisco Source Code Stolen as TeamPCP Uses Trivy Supply Chain Credentials to Breach Internal Dev Environment
Cisco confirmed threat actors breached its internal development environment using credentials stolen in the late-March Trivy vulnerability scanner supply chain attack. Attackers from the TeamPCP group accessed Cisco build systems and CI/CD pipelines, stealing source code belonging to Cisco and its customers. Multiple AWS access keys were exfiltrated and used for unauthorized activity in Cisco cloud accounts before detection. Cisco’s CSIRT team has contained the immediate breach but anticipates continued follow-on attack activity tied to the broader Trivy-linked supply chain compromise series. BleepingComputer
Citrix NetScaler CVE-2026-3055 CISA Patching Deadline Passes as Active SAML Memory Leak Exploitation Continues
CISA’s April 2 patching deadline for federal civilian agencies to remediate Citrix NetScaler CVE-2026-3055 has passed with active exploitation ongoing since March 27. The CVSS 9.3 flaw affects NetScaler appliances configured as SAML Identity Providers: attackers send a malformed SAMLRequest to /saml/login, triggering a memory leak via the NSC_TASS cookie and exposing session tokens and credential fragments from appliance memory. Exploitation requires no authentication. Affected versions include NetScaler ADC and Gateway prior to 14.1-60.58, 13.1-62.23, and 13.1-37.262. BleepingComputer | The Hacker News
Apple Expands iOS 18.7.7 to More iPhone Models to Block DarkSword Exploit Kit Vulnerability Chain
Apple extended iOS 18.7.7 availability to a broader set of older iPhone models on April 1 to address the DarkSword mobile exploit kit, which chains six WebKit and memory vulnerabilities — including CVE-2025-31277, CVE-2026-20700, and four additional flaws — against devices running iOS 18.4 through 18.7. Coverage now includes iPhone XR, XS, and 11 through 13 series models. Users on affected models should update immediately. The Hacker News | BleepingComputer
CISA Adds Laravel Livewire, Craft CMS, and Apple Bugs to KEV Catalog with April 3 Patching Deadline
CISA added five actively exploited vulnerabilities to its Known Exploited Vulnerabilities catalog, requiring Federal Civilian Executive Branch agencies to patch by April 3, 2026. The batch includes CVE-2025-54068 (Laravel Livewire unauthenticated remote code execution, CVSS 9.8), CVE-2025-32432 (Craft CMS remote code injection), and CVE-2026-20700 (Apple iOS/macOS, exploited by the DarkSword mobile exploit kit). Both the Laravel Livewire and Craft CMS flaws carry confirmed in-the-wild exploitation histories and affect web applications deployed across enterprise and government environments. The Hacker News
Huntress Documents Active Exploitation of Multiple Critical Gladinet CentreStack Vulnerabilities Across Customer Environments
Huntress published threat intelligence on April 2 documenting active in-the-wild exploitation of critical vulnerabilities in Gladinet CentreStack and TrioFox across nine monitored customer environments. Attackers achieved remote code execution through a combination of the recently disclosed zero-day and earlier hard-coded cryptographic key vulnerabilities affecting the ASPX ViewState protection in both products. Organizations running CentreStack or TrioFox should apply all available patches immediately and treat internet-exposed instances as requiring urgent inspection. SecurityWeek
FBI Confirms Salt Typhoon Telecom Espionage Is ‘Still Very Much Ongoing’ Across 200-Plus Organizations Worldwide
A senior FBI cyber official at CyberTalks 2026 confirmed Salt Typhoon, the Chinese state-sponsored group behind widespread telecommunications infrastructure intrusions beginning in 2024, remains active against private and public sector organizations globally. The FBI has previously confirmed intrusions at more than 200 companies across 80 countries. Officials described US telecommunications infrastructure as too fragmented and large-scale to enable complete ejection of Salt Typhoon presence, and urged affected organizations to engage with the FBI and CISA for remediation support. CyberScoop
Pierce County Library Discloses Data Breach Affecting 340,000 Patrons and Employees
The Pierce County Library System in Washington state notified approximately 340,000 current and former patrons and staff of a data breach traced to a security incident identified in late 2025. Compromised data includes names, contact details, library account information, and in some cases Social Security numbers and government identification numbers for employees. The library system has engaged forensic investigators and is issuing notifications per state breach reporting requirements. SecurityWeek

