Weekly threat intelligence digest — 2026-W15
Weekly security intelligence digest covering 12 items, 3 CVEs. 7 critical, 4 high, 1 informational.
Weekly threat intelligence digest: April 6-12, 2026
Executive summary
This week has seen a surge in critical vulnerabilities and high-priority campaigns, with several incidents highlighting the evolving tactics of cybercriminals. Key themes include large-scale credential harvesting via React2Shell exploitation in Next.js applications, a significant supply-chain compromise affecting millions through CPUID tools, and targeted attacks against cryptocurrency platforms and industrial control systems. Defenders must prioritize patching critical vulnerabilities and monitoring for emerging threats as attackers increasingly exploit supply chains and unpatched systems.
Critical & high priority
Automated credential harvesting via React2Shell exploitation in Next.js applications
- What happened: Threat actors are exploiting CVE-2025-55182 (React2Shell) in vulnerable Next.js applications to harvest credentials at scale. This campaign represents a shift toward industrialized supply-chain attacks, targeting the JavaScript framework ecosystem.
- Who's affected: Any organization using unpatched Next.js applications is at risk of credential theft and potential follow-on attacks.
- What to do: Immediately patch Next.js instances to address React2Shell vulnerabilities (CVE-2025-55182) and implement multi-factor authentication for critical systems.
CPUID supply-chain compromise
- What happened: Attackers compromised CPUID's API, modifying download links on the official website to serve malicious versions of CPU-Z and HWMonitor. This supply-chain attack affects millions of users who trust these tools.
- Who's affected: Anyone who has downloaded CPU-Z or HWMonitor from the official site in recent months is at risk of malware infection.
- What to do: Avoid using potentially compromised downloads, monitor systems for signs of malicious activity, and consider alternative hardware monitoring tools until a clean version is verified.
Iranian threat actors targeting Rockwell Automation PLCs
- What happened: Iranian-linked cyber operators have mapped nearly 4,000 internet-exposed Rockwell Automation programmable logic controllers (PLCs) across U.S. critical infrastructure.
- Who's affected: Industrial control systems (ICS) in critical infrastructure sectors are at risk of potential disruption or sabotage.
- What to do: Segment ICS networks from the public internet, patch known vulnerabilities, and monitor for unusual activity on PLCs.
Daptin Unauthenticated Path Traversal
- What happened: A critical vulnerability in Daptin's cloudstore.file.upload action allows unauthenticated attackers to write arbitrary files via path traversal and zip slip attacks.
- Who's affected: Organizations using Daptin's file upload functionality are at risk of remote code execution (RCE).
- What to do: Immediately update to the latest version of Daptin and restrict file uploads to trusted directories.
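The traversal and zip-slip class described above is usually fixed by validating every destination path before anything is written. The following Go example is added here and is not Daptin's code; the root directory, entry names and archive contents are constructed for illustration.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

var ErrPathTraversal = errors.New("path traversal rejected") // name would land outside the root
// SafeJoin resolves an untrusted name under root; backslashes are normalised so "..\" variants are caught too.
func SafeJoin(root, name string) (string, error) {
	rel := filepath.FromSlash(strings.ReplaceAll(name, `\`, "/"))
	if !filepath.IsLocal(rel) { // rejects empty, absolute and ".."-escaping names (Go 1.20+)
		return "", ErrPathTraversal
	}
	dest := filepath.Join(root, rel) // Join cleans "..", so containment is checked on the result
	if !strings.HasPrefix(dest, filepath.Clean(root)+string(filepath.Separator)) {
		return "", ErrPathTraversal
	}
	return dest, nil
}
// ExtractPaths dry-runs an archive (nothing is written) and fails on the first entry that would escape root.
// zip.NewReader reports ErrInsecurePath itself only when GODEBUG=zipinsecurepath=0, so every entry is re-checked.
func ExtractPaths(root string, archive []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	if err != nil && !errors.Is(err, zip.ErrInsecurePath) {
		return nil, err
	}
	var out []string
	for _, f := range zr.File {
		dest, err := SafeJoin(root, f.Name)
		if err != nil {
			return nil, fmt.Errorf("entry %q: %w", f.Name, err)
		}
		out = append(out, dest)
	}
	return out, nil
}
func BuildZip(names ...string) []byte { // constructed sample archive of empty entries with the given names
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, n := range names {
		zw.Create(n)
	}
	zw.Close()
	return buf.Bytes()
}
```

Run the same check before writing an uploaded file name, not only for archive entries, since the single-file upload path in this vulnerability class is hit by the same `..` sequences.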
Juju Controller CloudSpec API Unauthorized Credential Exposure
- What happened: An authorization flaw in the Juju CloudSpec API allows any authenticated controller user to retrieve cloud bootstrap credentials, bypassing role-based access controls.
- Who's affected: Organizations using Juju for cloud orchestration are at risk of privilege escalation attacks.
- What to do: Apply patches for CVE-2026-5412 and review access controls on CloudSpec API endpoints.
Paperclip Authentication Bypass Chain Leading to Unauthenticated RCE
- What happened: Paperclip instances with default configurations allow unauthenticated account creation, authentication bypass, and privilege escalation to RCE through a six-step API chain.
- Who's affected: Any organization exposing a Paperclip instance in authenticated mode without hardening is at risk of unauthorized access.
- What to do: Immediately apply configuration hardening to restrict access and disable unnecessary API endpoints.
Notable developments
German Law Enforcement Unmasks REvil and GandCrab Operator
- What happened: German authorities identified Daniil Maksimovich Shchukin as the operator behind REvil and GandCrab ransomware groups. This attribution success raises questions about law enforcement coordination and timing in the geopolitical context.
- Why it matters: The disclosure could impact ongoing operations and relationships between law enforcement agencies.
QR code pivot in traffic violation scams
- What happened: Scammers are using fake traffic violation notices with embedded QR codes to direct victims to phishing sites. This shift reflects successful SMS URL filtering by carriers, forcing attackers to adapt their tactics.
- Why it matters: Users should be cautious of unexpected QR codes and verify the legitimacy of any official communication.
Storm-2755 Targeting Microsoft Employees
- What happened: A financially motivated threat actor is compromising Microsoft employee accounts to redirect salary payments. This campaign marks a shift in targeting from external victims to internal credential compromise.
- Why it matters: Organizations should reinforce employee account security and monitor for unauthorized transactions.
Vulnerability landscape
Severity distribution
This week, 229 new CVEs were tracked, with severity distribution as follows:
- High: 179
- Critical: 7
- Other: 43
Top affected vendors
The vulnerability landscape continues to be dominated by widely used frameworks and tools. The top affected vendors this week include:
- Mozilla
- Changedetection.io
- Axios/Axios
- Wasmtime
- React
- PraisonAI (multiple products)
Recommended actions
- Patch critical vulnerabilities immediately: Prioritize patches for CVE-2025-55182 (React2Shell), GHSA-9cp7-j3f8-p5jx (Daptin Path Traversal), and CVE-2026-5412 (Juju CloudSpec API).
- Monitor supply chains: Exercise caution with third-party tools, especially hardware monitoring utilities like CPU-Z and HWMonitor.
- Secure industrial control systems: Segment ICS networks from the public internet and monitor for anomalous activity on Rockwell Automation PLCs.
- Review API security: Implement strict access controls and regularly audit APIs for misconfigurations, particularly in cloud orchestration tools like Juju.
- Harden Paperclip configurations: Disable unnecessary endpoints and apply configuration hardening to prevent authentication bypass attacks.
Looking ahead
Next week, defenders should monitor for:
- Further exploitation of the CPUID supply-chain compromise, including potential updates to malware distribution methods.
- Additional social engineering campaigns targeting critical infrastructure, particularly in light of recent Iranian activity against Rockwell Automation PLCs.
- Emerging vulnerabilities in widely used tools and frameworks, given the high volume of new CVEs this week.