Weekly threat intelligence digest — 2026-W14

Weekly security intelligence digest covering 29 items and 15 CVEs: 16 critical, 9 high, 3 medium, 1 informational.

Weekly threat intelligence digest: March 30 - April 5, 2026

Executive summary

This week marks an unusually concentrated cluster of critical vulnerabilities targeting authentication, authorization, and supply-chain integrity, coupled with evidence of state-sponsored counter-intelligence operations and rapidly evolving malware-as-a-service platforms. The convergence of unauthenticated RCE vectors (Budibase, PX4, PraisonAI), authentication bypass flaws (mpp, PraisonAI, Juju), and coordinated supply-chain attacks (Axios/Teams compromise, 36 Strapi lookalikes on npm) suggests threat actors are prioritizing access acquisition over traditional exploitation. Threat level remains critical.

Critical & high priority

State-sponsored counter-intelligence breach: FBI Director email compromise

Iranian state-linked Handala group successfully compromised FBI Director Kash Patel's personal email account and published sensitive materials. This is not a technical vulnerability—it is a strategic intelligence operation targeting the highest levels of US law enforcement. The breach indicates either credential compromise through phishing/social engineering or exploitation of an underlying email provider vulnerability. Implications extend to counter-intelligence exposure and potential asset/operational compromise. Monitor for downstream targeting of individuals and organizations referenced in published materials.

Authentication bypass cascade in PraisonAI (CVE-2026-34953, CVE-2026-34952)

PraisonAI shipped with a critical logic flaw: its OAuthManager returns True for any unrecognized token when the token store is empty (default state), completely bypassing authentication. Combined with an unauthenticated /ws WebSocket gateway and /info endpoint that leaks all registered agents, an attacker gains immediate access to execute arbitrary tools, access file systems, and run agents without any credentials. Any deployment using default configuration is fully compromised. Action: audit all PraisonAI instances immediately; require explicit token configuration and restrict WebSocket endpoints to authenticated users only.
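
The fail-open pattern described above, next to a fail-closed replacement and a startup guard, as an added example. This is not PraisonAI's code: the class names, `assert_safe_to_listen` and the sample token are hypothetical.

```python
import hmac
import ipaddress


class FailOpenTokenStore:
    """Constructed illustration of the flaw class; hypothetical, not PraisonAI source."""

    def __init__(self, tokens=()):
        self.tokens = set(tokens)

    def validate(self, token):
        if not self.tokens:      # empty store is read as "auth not configured"
            return True          # fail-open: every caller is accepted
        return token in self.tokens


class FailClosedTokenStore:
    """Hardened form: an empty store authenticates nobody."""

    def __init__(self, tokens=()):
        self.tokens = set(tokens)

    def validate(self, token):
        if not isinstance(token, str) or not token:
            return False
        # any() over an empty set is False, so the default state rejects everything.
        return any(hmac.compare_digest(token.encode(), t.encode()) for t in self.tokens)


def is_loopback(host):
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:           # not an IP literal
        return host == "localhost"


def assert_safe_to_listen(store, bind_host):
    """Startup guard (hypothetical): refuse a non-loopback listener without tokens."""
    if not store.tokens and not is_loopback(bind_host):
        raise RuntimeError("no tokens configured; refusing to bind " + bind_host)
    return True
```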

Unauthenticated RCE in Budibase via webhook injection (CVE-2026-35216)

Budibase allows unauthenticated attackers to POST to public webhook endpoints that trigger automation workflows containing Bash execution steps with unsanitized template processing. An attacker can achieve root-level code execution without authentication. This is particularly dangerous in development/staging environments where Budibase may have access to production credentials or infrastructure. Action: disable public webhooks; enforce authentication on all webhook endpoints; audit recent webhook execution logs for suspicious payloads.

FortiClient EMS pre-authentication RCE (CVE-2026-35616)

Fortinet issued emergency patches for a pre-authentication API access control flaw allowing unauthenticated privilege escalation. Active exploitation confirmed. This affects endpoint management infrastructure in widespread use. Patch immediately and monitor for indicators of compromise in FortiClient logs (unauthorized API calls, privilege elevation attempts). Verify that only authenticated, authorized users can access EMS APIs.

PX4 Autopilot unauthenticated command injection (CVE-2026-1579)

PX4 Autopilot v1.16.0 contains an authentication bypass in the MAVLink interface, allowing unauthenticated remote code execution on drone and robotics systems. This affects mission-critical unmanned systems across commercial, military, and infrastructure sectors. Upgrade immediately; if upgrade is not feasible, network-isolate affected systems or restrict MAVLink command sources to trusted control stations.

Juju cluster authentication bypass (CVE-2026-4370)

Juju controllers (3.2.0+) fail to validate TLS client certificates on Dqlite cluster endpoints, allowing network-adjacent attackers to join clusters and read/modify all data without credentials. This impacts cloud orchestration and infrastructure-as-code deployments. Upgrade to patched versions; enforce strict network access controls on Dqlite cluster ports (default 19291); verify TLS enforcement is enabled.

Device code OAuth phishing at scale: EvilTokens and 37x surge

Device code phishing attacks have surged 37-fold this year. EvilTokens is now a commercialized malicious service automating Microsoft device code attacks at scale, stealing authentication tokens without requiring passwords. Attackers simply trick users into authorizing a "device" on the OAuth consent screen—traditional MFA is ineffective because the compromise happens at the token level, not the password level. Action: educate users to refuse unexpected device authorization requests; enforce Conditional Access policies requiring device compliance; monitor for unusual device registrations in corporate tenant logs; consider disabling device code flow if not required for legitimate scenarios (e.g., CLI tools, embedded systems).

TrueConf zero-day supply-chain malware distribution

Unpatched zero-day in TrueConf conference servers allows injection of malicious updates that propagate to all connected clients, turning legitimate software distribution channels into botnet vectors. This represents the worst-case supply-chain scenario: trusted software channels weaponized by a single server compromise. TrueConf users should immediately isolate affected servers and audit client endpoint update histories for suspicious changes.

Strapi npm package substitution: 36 backdoors in the wild

Researchers identified 36 malicious npm packages masquerading as Strapi CMS plugins (e.g., strapi-plugin-*). These packages exploit Redis and PostgreSQL instances, harvest credentials, deploy reverse shells, and install persistent implants targeting development and CI/CD environments. The attack works because developers search for "Strapi" and install typosquat packages without careful verification. Action: audit node_modules and package-lock.json for suspicious Strapi plugins; verify all Strapi plugins are installed from the official Strapi marketplace or verified sources; restrict npm package resolution to internal registries if possible; run credential rotation on all systems where development environments may have had access.
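
One way to run the package-lock.json audit recommended above, as an added example that is not from the researchers or from Strapi. The approved list, the expected registry and the sample lockfile (including the package name `strapi-plugin-constructed-example`) are assumptions constructed for illustration; `packages`, `resolved`, `integrity` and `hasInstallScript` are standard npm lockfile fields.

```python
import json

ALLOWED_REGISTRY = "https://registry.npmjs.org/"  # assumption: or your internal mirror
# Assumption: plugins your team has reviewed and approved; one sample entry.
APPROVED = {"@strapi/plugin-users-permissions"}


def looks_like_strapi_plugin(name):
    return name.startswith("@strapi/plugin-") or name.split("/")[-1].startswith("strapi-plugin-")


def audit_lockfile(lock_text):
    """Return {package: [reasons]} for Strapi-looking plugins that need manual review."""
    findings = {}
    for path, meta in json.loads(lock_text).get("packages", {}).items():
        name = path.rpartition("node_modules/")[2]  # "" is the root project entry
        if not looks_like_strapi_plugin(name):
            continue
        reasons = []
        if name not in APPROVED:
            reasons.append("not on approved list")
        if not meta.get("resolved", "").startswith(ALLOWED_REGISTRY):
            reasons.append("resolved outside expected registry")
        if not meta.get("integrity"):
            reasons.append("no integrity hash")
        if meta.get("hasInstallScript"):
            reasons.append("runs install script")
        if reasons:
            findings[name] = reasons
    return findings


# Constructed lockfile (lockfileVersion 3 layout); versions and hashes are placeholders.
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "constructed-app"},
        "node_modules/@strapi/plugin-users-permissions": {
            "resolved": ALLOWED_REGISTRY + "@strapi/plugin-users-permissions/-/p-0.0.0.tgz",
            "integrity": "sha512-CONSTRUCTED"},
        "node_modules/strapi-plugin-constructed-example": {
            "resolved": ALLOWED_REGISTRY + "strapi-plugin-constructed-example/-/p-0.0.0.tgz",
            "integrity": "sha512-CONSTRUCTED", "hasInstallScript": True},
    },
})

if __name__ == "__main__":
    for pkg, why in audit_lockfile(SAMPLE_LOCK).items():
        print(pkg, "->", "; ".join(why))
```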

Axios maintainer social engineering compromise

North Korean threat actors used a spoofed Microsoft Teams error message to socially engineer the Axios npm package maintainer, compromising credentials and gaining potential access to the widely-used HTTP client. This represents a critical supply-chain vector because Axios is a dependency of hundreds of thousands of projects. Monitor for unusual commits, releases, or changes to the Axios repository. If you depend on Axios, verify your current version integrity; consider vendoring a known-good version if upstream compromise is suspected.

Smart Slider 3 arbitrary file read (800,000+ installations)

A file read vulnerability in the Smart Slider 3 WordPress plugin allows subscriber-level users to access arbitrary files on the server, exposing database credentials, configuration files, and other sensitive data. With 800,000+ active installations, this is a mass-exploitation vector for WordPress ecosystem compromise. Action: update Smart Slider 3 immediately; audit access logs for suspicious file read requests from subscriber accounts; review file permissions to ensure sensitive configuration files are not readable by web server processes; consider implementing Web Application Firewall rules to block suspicious file read patterns.

Chrome Dawn WebGPU use-after-free (CVE-2026-5281)

CISA added CVE-2026-5281, a zero-day use-after-free in Chrome's WebGPU implementation, to its Known Exploited Vulnerabilities Catalog after active exploitation evidence. This represents an emerging attack surface: GPU rendering APIs are less scrutinized than traditional JavaScript and DOM APIs, but they have equivalent code execution potential. Chrome users should ensure auto-update is enabled. Organizations should enforce Chrome version pinning and forbid outdated browsers.

Apple iOS DarkSword exploit kit: accelerated rollout

Apple is accelerating iOS 18 security updates across iPhone models to address the actively exploited DarkSword exploit kit. This indicates a mature, weaponized exploit chain with sufficient prevalence to warrant rapid deployment. iOS users should install updates immediately when available; organizations should enforce managed device policies requiring latest iOS versions.

Notable developments

MikroORM SQL injection via duck-type marker detection (CVE-2026-34220)

MikroORM fails to validate internal ORM markers, allowing attackers to inject raw SQL through specially crafted objects passed to write APIs. This is primarily an application-level input validation issue—if you pass untrusted objects to MikroORM write methods, you are vulnerable. Inspect your application code for any user-controlled data flowing into MikroORM operations; add runtime type checking to ensure ORM objects come from trusted sources only.

GitHub Actions command injection via issue_comment.body (CVE-2026-34243)

GitHub Actions workflows that embed issue_comment.body directly into shell commands without sanitization allow unauthenticated attackers to inject arbitrary shell commands on runners. This affects any public repository with Actions workflows triggered by issue comments. Audit all GitHub Actions workflows; reference expressions such as ${{ github.event.issue.body }} only through an explicit env variable binding with proper shell quoting, never inline in the script text; prefer Actions-native string parsing over shell interpolation.
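
A small workflow auditor for the pattern described above, as an added example that is not taken from the advisory. The field list in `UNTRUSTED` is a non-exhaustive assumption, and the sample workflow is constructed to show the unsafe inline form beside the env-bound form.

```python
import re

# Event fields whose text an outside commenter controls (not an exhaustive list).
UNTRUSTED = re.compile(
    r"\$\{\{\s*github\.event\.(?:comment|issue|pull_request|review)\.(?:body|title)\s*\}\}"
)
RUN_KEY = re.compile(r"^\s*(?:-\s+)?run:\s*(.*)$")


def find_unsafe_interpolation(workflow_text):
    """Return (line_number, expression) for untrusted expressions inside run: scripts."""
    findings = []
    block_col = None  # column of the run: key while inside its block scalar
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        indent = len(line) - len(line.lstrip())
        if block_col is not None:
            if line.strip() and indent <= block_col:
                block_col = None  # dedent: the run: script has ended
            else:
                findings += [(lineno, e) for e in UNTRUSTED.findall(line)]
                continue
        match = RUN_KEY.match(line)
        if match:
            rest = match.group(1)
            if rest[:1] in ("|", ">"):
                block_col = line.index("run:")
            else:
                findings += [(lineno, e) for e in UNTRUSTED.findall(rest)]
    return findings


# Constructed workflow: the first job expands the comment into the script text,
# the second binds it to an environment variable and quotes it in the shell.
SAMPLE_WORKFLOW = """\
on: issue_comment
jobs:
  unsafe:
    runs-on: ubuntu-latest
    steps:
      - run: |
          echo "Comment: ${{ github.event.comment.body }}"
  safe:
    runs-on: ubuntu-latest
    steps:
      - env:
          COMMENT_BODY: ${{ github.event.comment.body }}
        run: |
          echo "$COMMENT_BODY"
"""

if __name__ == "__main__":
    for lineno, expr in find_unsafe_interpolation(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {expr} expanded inside a run: script")
```

The env-bound job is not flagged because the expression is expanded into an environment variable value, so the shell never parses the comment text as script.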

Stored DOM XSS in Methods and Permission management (CVE-2026-34558, CVE-2026-34557)

Two stored XSS vulnerabilities allow persistent code execution in administrative contexts by injecting unsanitized payloads into navigation menus and permission fields. These vulnerabilities enable account takeover and privilege escalation. If you maintain applications with role/permission management interfaces, audit all input fields for HTML/JavaScript sanitization; implement Content Security Policy to prevent inline script execution; validate and escape all user input before storing in the database.

Anritsu Remote Spectrum Monitor unauthenticated reconfiguration (CVE-2026-3356)

All versions of Anritsu's Remote Spectrum Monitor series allow network-accessible attackers to modify operational settings without authentication. This affects critical RF test equipment in telecommunications and defense sectors. Air-gap affected systems or restrict network access to trusted control stations only. This is a supply-chain risk if Anritsu equipment is used in manufacturing or validation processes.

OpenClaw CWD .env loading order vulnerability

OpenClaw loads .env files from the current working directory before applying trusted state-dir configuration, allowing environment variable injection via repository-committed files. This bypasses host environment isolation and enables attackers to override security settings. If you use OpenClaw, verify that all .env files are listed in .gitignore and manually review any committed configuration files.

PyLoad SSRF via HTTP redirect bypass (CVE-2026-35459)

pyLoad's earlier fix for CVE-2026-33992 validates only the initial download URL but fails to validate HTTP redirect targets. Attackers can reach internal addresses through HTTP redirects. Patch to the latest version; if you run pyLoad, audit access logs for redirect patterns to unusual internal IPs (127.0.0.1, 10.x.x.x, 172.16.x.x, 192.168.x.x).
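
The difference between validating only the initial URL and validating every redirect hop, as an added example that is not pyLoad's code. The resolver table, hostnames and redirect chain are constructed so it runs offline; `is_internal` and `check_redirect_chain` are hypothetical names.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed resolver table so the example runs offline; a real client uses DNS.
FAKE_DNS = {"downloads.example": ["93.184.216.34"], "intranet.example": ["172.20.1.1"]}


def resolve(host):
    return FAKE_DNS.get(host, [])


def is_internal(host, resolver=resolve):
    """True if host is, or resolves to, any address that is not globally routable."""
    try:
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolver(host)]
    # Unresolvable hosts are rejected too (fail closed).
    return not addrs or any(not a.is_global for a in addrs)


def check_redirect_chain(urls, resolver=resolve):
    """Apply the same policy to every hop. Return (allowed, offending_url)."""
    for url in urls:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            return False, url
        if is_internal(parts.hostname, resolver):
            return False, url
    return True, None


# Constructed chain: a public first URL whose server answers with a redirect inward.
CHAIN = ["http://downloads.example/file.bin", "http://127.0.0.1:8000/"]

if __name__ == "__main__":
    print("initial URL only:", check_redirect_chain(CHAIN[:1]))
    print("every hop:       ", check_redirect_chain(CHAIN))
```

`is_global` covers the whole 172.16.0.0/12 block and the other reserved ranges, which is wider than a 172.16.x.x pattern match. A real client should connect to the address it validated so that a second DNS lookup cannot change the target.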

Anthropic Claude Code source leak via npm

Anthropic accidentally published Claude Code's closed-source implementation to npm, exposing proprietary code without compromising customer data or credentials. This is a corporate embarrassment and reverse-engineering risk, but not an exploitable security vulnerability. The incident highlights the need for automated supply-chain integrity checks in build pipelines.

Windows 11 emergency patch reveals quality control gaps (KB5086672)

Microsoft pulled a March 2026 preview update and then issued an emergency hotfix after widespread installation failures. This indicates systemic issues in preview testing and release validation. Consumers should be cautious about preview updates; enterprises should allow extra time between preview and stable Windows releases.

Gmail address change feature: identity flexibility vs. account takeover risk

Google is rolling out the ability for US users to change their primary @gmail.com address or create aliases. While this improves account flexibility, it introduces new vectors for account takeover and social engineering by impersonating users with similar address variants. Users should monitor their Gmail recovery emails and phone numbers closely.

LinkedIn covert extension scanner reveals mass surveillance

LinkedIn deployed hidden JavaScript code to scan visitor browsers for 6,000+ Chrome extensions and collect device fingerprinting data without explicit user consent. This raises questions about the scope and legitimacy of data collection. Use privacy-focused browser extensions to block this fingerprinting; consider whether LinkedIn's services are necessary for your organization.

Honeypot telemetry: automated bot fingerprinting and evasion

DShield Cowrie honeypot analysis shows that attackers use session duration, command count, and disconnect patterns to avoid automated detection. Defenders can use these signals to distinguish automated attacks from manual reconnaissance and refine threat intelligence collection. Consider deploying honeypots with sufficient variability to challenge attacker assumptions.

CrystalRAT MaaS: commodity RAT as a service

CrystalRAT bundles remote access, data theft, keylogging, and clipboard hijacking into a single malware-as-a-service offering distributed via Telegram. The bundling of multiple attack capabilities into commodity services lowers the barrier to entry for financially motivated threat actors. Monitor for CrystalRAT C2 communications in network logs; block known CrystalRAT domains and IPs.

Vulnerability landscape

This week tracked 239 new CVEs across the public vulnerability database, with 194 classified as high-severity and 15 as critical. The severity distribution reflects the extraordinary concentration of critical authentication, authorization, and RCE flaws across emerging technologies (PraisonAI, Budibase) and established infrastructure (PX4, Juju, Fortinet).

Top affected vendors include xenforo, pyLoad, openclaw, nginxui, and goshs—a diverse set indicating no single vendor or product line is dominant. However, the pattern is clear: authentication and input validation remain the weakest architectural components. The prevalence of pre-authentication and unauthenticated RCE flaws (Budibase, PX4, PraisonAI, Juju, FortiClient EMS) suggests that threat actors have shifted focus from exploiting authenticated functionality to bypassing authentication entirely.

Supply-chain attacks (TrueConf, Axios, Strapi, Anthropic) are now a dominant feature of weekly threat intelligence, indicating that defenders cannot rely solely on application-level patching—they must audit every software distribution channel and build pipeline for integrity.

Recommended actions

  1. Immediate (today): Patch or isolate PraisonAI, Budibase, FortiClient EMS, PX4, Juju, and Smart Slider 3. These all have unauthenticated or trivial-to-exploit remote code execution or privilege escalation vectors.

  2. This week: Audit npm dependencies and GitHub Actions workflows for malicious packages (especially Strapi lookalikes) and unsafe shell interpolation. Audit all device code OAuth consent logs for unusual device registrations. Monitor for Axios supply-chain indicators.

  3. This week: Review all internal applications with role/permission management interfaces for stored XSS vulnerabilities. Enforce input sanitization and output escaping as a non-negotiable requirement.

  4. Next week: Conduct supply-chain risk assessment for your software distribution pipelines. Identify all external package repositories, build systems, and deployment channels that could be weaponized by attackers. Implement signed releases and hash verification where possible.

  5. Ongoing: Educate users on device code phishing attacks and OAuth consent screen scrutiny. Enforce Conditional Access policies requiring device compliance for risky token flows.

  6. Ongoing: Prioritize authentication/authorization architecture reviews in security code reviews. The preponderance of pre-authentication vulnerabilities indicates systemic under-investment in defense-in-depth authentication models.

Looking ahead

Watch for:

  • Further supply-chain poisoning via typosquat packages targeting popular frameworks (React, Vue, Angular, Django, Rails). The Strapi attack demonstrates that development environments are softer targets than production infrastructure.
  • Exploitation of Chrome Dawn WebGPU and iOS DarkSword exploit kits at scale as threat actors operationalize these zero-days.
  • Device code phishing attacks escalating beyond OAuth 2.0 into other device-trust scenarios (MDM enrollment, SSH agent registration, container orchestration API tokens).
  • Upstream compromise of widely-used open-source projects following the Axios playbook (social engineering -> credential compromise -> supply-chain poisoning).
  • Weaponization of new authentication standards (FIDO2 biometric bypass, WebAuthn fallback attacks) as MFA adoption increases.

Monitor TrueConf, PraisonAI, and Budibase communities for indicators of post-exploitation activity. These represent the most significant attack surfaces for immediate adversary access this week.
