Skip to main content

CISO Daily Brief: npm Supply Chain Threats, Fortinet Vulnerability, and Device Code Phishing Surge (2026-04-05)

Today’s cybersecurity landscape continues to evolve rapidly, with new threats targeting both the software supply chain and core enterprise infrastructure. CISOs must remain vigilant and proactive, ensuring that their organizations are prepared to respond to emerging risks. Below, we highlight the most pressing security items for executive awareness and action.

Top Items CISOs Should Care About (Priority)

36 Malicious npm Packages Exploited Redis, PostgreSQL to Deploy Persistent Implants

  • What happened: Attackers published 36 malicious npm packages designed to exploit Redis and PostgreSQL databases, enabling persistent implants in enterprise environments.
  • Why it matters: This represents a significant supply chain risk, potentially allowing attackers long-term access to critical systems.
  • What to verify internally:
    • Inventory and review all npm packages in use, especially recent updates.
    • Check for any connections or unusual activity involving Redis and PostgreSQL instances.
    • Assess current controls for third-party package vetting and monitoring.
    • Review incident detection and response plans for supply chain compromise scenarios.
  • Exec questions to prepare for:
    • Are any of our applications using the affected npm packages?
    • How do we vet and monitor third-party code dependencies?
    • What is our exposure to persistent implants via supply chain attacks?
    • What steps are we taking to detect and remediate such threats?
  • Sample CISO response: "We are conducting a comprehensive review of all npm dependencies and database activity, and have enhanced our monitoring for suspicious package behavior."

Fortinet Patches Actively Exploited CVE-2026-35616 in FortiClient EMS

  • What happened: Fortinet released a patch for CVE-2026-35616, a vulnerability in FortiClient EMS that is being actively exploited in the wild.
  • Why it matters: Unpatched systems are at immediate risk of compromise, potentially leading to enterprise breaches.
  • What to verify internally:
    • Identify all FortiClient EMS deployments and their patch status.
    • Ensure immediate application of the latest security update.
    • Review logs for signs of exploitation attempts.
    • Validate incident response readiness for potential Fortinet-related breaches.
  • Exec questions to prepare for:
    • Are any of our systems running vulnerable versions of FortiClient EMS?
    • How quickly can we apply critical patches across the organization?
    • Have we detected any exploitation attempts?
    • What is our plan if a compromise is identified?
  • Sample CISO response: "We have prioritized patching all FortiClient EMS instances and are actively monitoring for any signs of exploitation."

Axios npm hack used fake Teams error fix to hijack maintainer account

  • What happened: Attackers used a fake Microsoft Teams error fix to compromise the maintainer account of the popular Axios npm package, risking malicious code injection.
  • Why it matters: Maintainer account hijacks can result in trusted packages being weaponized against enterprises.
  • What to verify internally:
    • Audit usage of the Axios npm package and check for recent updates.
    • Review controls around developer account security and MFA enforcement.
    • Assess monitoring for suspicious package updates or code changes.
    • Communicate with development teams about recent supply chain risks.
  • Exec questions to prepare for:
    • Do we use Axios or other npm packages with similar risk profiles?
    • How do we secure our own developer accounts and package publishing processes?
    • What is our process for validating package integrity?
    • How are we communicating these risks to our engineering teams?
  • Sample CISO response: "We are reviewing all use of Axios and similar packages, and have reinforced developer account security and package validation procedures."

Device code phishing attacks surge 37x as new kits spread online

  • What happened: Device code phishing attacks have increased 37-fold, with new phishing kits targeting user credentials and authentication flows.
  • Why it matters: The surge in attacks increases the risk of credential theft and potential account compromise across the organization.
  • What to verify internally:
    • Assess current phishing detection and prevention controls.
    • Review user awareness training on device code phishing tactics.
    • Monitor authentication logs for suspicious device code activity.
    • Ensure MFA is enforced and functioning as intended.
  • Exec questions to prepare for:
    • Have we seen any device code phishing attempts targeting our users?
    • What protections are in place to detect and block these attacks?
    • How are we educating users about new phishing techniques?
    • Is our MFA implementation resilient to these attack vectors?
  • Sample CISO response: "We are increasing monitoring for device code phishing and reinforcing user training on emerging phishing tactics."

CISO Action Checklist Today

  • Review and inventory all npm packages in use; identify and remove any flagged as malicious.
  • Ensure immediate patching of all FortiClient EMS instances to address CVE-2026-35616.
  • Audit usage of Axios and other high-risk npm packages; validate package integrity.
  • Reinforce developer account security, including MFA and access controls.
  • Increase monitoring for suspicious activity in Redis, PostgreSQL, and authentication logs.
  • Communicate recent supply chain and phishing risks to development and IT teams.
  • Validate incident response plans for supply chain and phishing attack scenarios.
  • Update user awareness training to cover device code phishing and new attack vectors.
  • Confirm that MFA is enforced and functioning for all critical accounts.
  • Engage with threat intelligence to stay updated on evolving supply chain and phishing threats.
Labels:

Comments

Post a Comment

Popular posts from this blog

CISO Daily Brief: Key Threats and Action Items – February 24, 2026

Today's cyber threat landscape continues to evolve, with notable activity from nation-state actors, ransomware groups, and sophisticated fraud campaigns. Several high-severity vulnerabilities are being actively exploited, and recent incidents highlight the importance of robust access controls and employee awareness. Below is a prioritized summary of the most relevant items for CISOs, along with actionable steps and executive considerations. Top Items CISOs Should Care About (Priority) North Korean Lazarus group linked to Medusa ransomware attacks What happened: The Lazarus group, a North Korean state-sponsored actor, has been linked to recent Medusa ransomware attacks targeting enterprises globally. Why it matters: This represents a high-severity, board-level risk due to the potential for operational disruption and regulatory exposure. What to verify internally: Current ransomware detection and response capabilities Backup and recovery procedure...
Post a Comment
Read more

CISO Daily Brief: Major Data Breach, Critical Vulnerabilities, and Android Banking Malware – February 19, 2026

Today’s cybersecurity landscape presents several high-impact developments that require CISO attention. From a major fintech data breach to critical vulnerabilities in widely used devices and software, the risks span operational, regulatory, and reputational domains. This briefing distills the most urgent items and provides actionable steps to help you prepare your organization and leadership for board-level discussions. Top Items CISOs Should Care About (Priority) Data breach at fintech firm Figure affects nearly 1 million accounts What happened: Fintech company Figure suffered a data breach impacting nearly one million accounts, exposing sensitive financial data. Why it matters: This incident carries significant regulatory, reputational, and board-level risk due to the scale and sensitivity of the data involved. What to verify internally: Exposure to Figure as a vendor, partner, or service provider Controls over sensitive customer and financial dat...
Post a Comment
Read more

CISO Daily Brief: AI-Assisted FortiGate Breaches & Emerging Threats (Feb 22, 2026)

Today’s security landscape is shaped by rapid advances in attacker capabilities, notably through AI-assisted techniques. Recent incidents highlight the need for CISOs to stay vigilant and proactive in protecting critical infrastructure. This brief summarizes the most pressing issues and provides actionable steps for security leaders. Top Items CISOs Should Care About (Priority) AI-Assisted Threat Actor Compromises 600+ FortiGate Devices in 55 Countries What happened: An AI-assisted threat actor exploited vulnerabilities to compromise over 600 FortiGate devices across 55 countries. Why it matters: This large-scale, automated attack on widely deployed firewall infrastructure presents significant enterprise and regulatory risks. What to verify internally: Inventory and patch status of all FortiGate devices Review of firewall logs for indicators of compromise Assessment of remote access and VPN configurations Validation of incident respons...
Post a Comment
Read more