Sources: Google GTIG · Microsoft Security Blog · Palo Alto Unit 42 · SANS · Huntress · The Hacker News · March 31, 2026
On March 31, North Korean hackers hijacked the npm account of the lead Axios maintainer through a highly targeted social engineering campaign. The attackers cloned a real company founder’s identity and company brand, created a fake Slack workspace with branded channels and fake LinkedIn posts, and scheduled a fake Microsoft Teams meeting. During the call, a bogus error message prompted the maintainer to run malicious commands. Using a stolen long-lived npm access token, the attackers published two backdoored Axios versions (1.14.1 and 0.30.4) that injected a hidden dependency called plain-crypto-js. This dependency silently deployed a cross-platform Remote Access Trojan (WAVESHAPER.V2) targeting Windows, macOS, and Linux. The RAT harvested environment variables, authentication tokens, AWS credentials, SSH keys, and npm tokens. The malicious packages were live for approximately 3 hours before removal. Huntress observed at least 135 endpoints contacting the C2 infrastructure during that window. Mandiant CTO Charles Carmakal warned that the stolen secrets “will enable more software supply chain attacks, SaaS environment compromises, ransomware and extortion events, and crypto heists over the next several days, weeks, and months.” Axios is present in approximately 80% of cloud and code environments — any defense contractor with JavaScript-based applications is potentially affected.
Action Required: Immediately audit all npm dependencies for axios@1.14.1 or axios@0.30.4 and plain-crypto-js. If found, treat the host as fully compromised. Rotate all credentials, SSH keys, AWS tokens, and npm tokens on affected systems. Pin axios to version 1.14.0 or earlier. Block all traffic to sfrclak[.]com and 142.11.206.73. Clear npm, yarn, and pnpm caches on all workstations and build servers. Disable npm lifecycle scripts (postinstall) by default. Require OIDC provenance checks for all critical packages.
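A lockfile audit for the first two action items, written as an added example for this brief (not code from any of the cited sources): it flags the two backdoored axios versions and the injected plain-crypto-js dependency in package-lock.json v1 through v3, and checks whether an .npmrc actually disables lifecycle scripts; the sample lockfile is constructed.

```python
# Lockfile audit for the trojanized axios releases and the injected plain-crypto-js
# dependency, plus an ignore-scripts check. Added example; SAMPLE_LOCK is constructed.
import json

MALICIOUS_AXIOS = {"1.14.1", "0.30.4"}   # versions named in the brief
INJECTED_DEP = "plain-crypto-js"          # hidden dependency they pulled in

def _lockfile_entries(lock: dict):
    """Yield (package name, version) for package-lock.json v1, v2 and v3."""
    # v2/v3: "packages" is keyed by install path, e.g. "node_modules/axios"
    # or "node_modules/foo/node_modules/axios"; the root project is key "".
    for path, meta in lock.get("packages", {}).items():
        if path:
            yield path.rsplit("node_modules/", 1)[-1], meta.get("version", "")
    # v1 (and the legacy section kept in v2): nested "dependencies" tree.
    stack = list(lock.get("dependencies", {}).items())
    while stack:
        name, meta = stack.pop()
        yield name, meta.get("version", "")
        stack.extend(meta.get("dependencies", {}).items())

def find_indicators(lock_json: str) -> list[str]:
    """Return one finding per matching (name, version); [] means clean."""
    findings, seen = [], set()
    for name, version in _lockfile_entries(json.loads(lock_json)):
        if (name, version) in seen:      # v2 lists each package twice
            continue
        seen.add((name, version))
        if name == "axios" and version in MALICIOUS_AXIOS:
            findings.append(f"backdoored axios@{version}")
        elif name == INJECTED_DEP:
            findings.append(f"injected dependency {name}@{version}")
    return findings

def lifecycle_scripts_disabled(npmrc_text: str) -> bool:
    """True if .npmrc ends up with ignore-scripts=true (last setting wins)."""
    disabled = False
    for raw in npmrc_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        key, _, value = line.partition("=")
        if key.strip() == "ignore-scripts":
            disabled = value.strip().lower() == "true"
    return disabled

# Constructed sample: a transitive axios copy bumped to the trojanized release.
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/axios": {"version": "1.14.0"},
    "node_modules/some-sdk": {"version": "2.3.1"},
    "node_modules/some-sdk/node_modules/axios": {"version": "1.14.1"},
    "node_modules/plain-crypto-js": {"version": "1.0.0"}}})
```

Run `find_indicators(open("package-lock.json").read())` in each repository and build image; a non-empty result means the host should be treated as compromised per the guidance above, not merely re-installed.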
Sources: Rankiteo · SecurityWeek · Cybersecurity Research Reports · April 2, 2026
Handala breached PSK Wind Technologies, a critical defense contractor supplying military communications equipment to the Israel Defense Forces, via supply chain compromise. The breach resulted in the public release of highly classified military data, including photographs of active IDF command and control centers revealing physical layouts and security configurations, internal documents detailing daily operations and strategic communications, and technical schematics of advanced military communications hardware with product manuals and installation guides. The leaked materials provide adversaries with a comprehensive blueprint of Israeli military infrastructure. This is Handala’s fourth major escalation in under a month — following the Stryker destructive wipe (March 11), the Lockheed Martin employee data leak (March 26), and the FBI Director breach (March 27). The trajectory demonstrates increasing capability and willingness to target defense supply chains directly. U.S. defense contractors with Israeli defense partnerships, joint ventures, or shared programs are at heightened risk.
Action Required: Defense contractors with Israeli defense partnerships should immediately assess shared systems and communication channels for compromise indicators. Review all supply chain vendor access to classified or sensitive programs. Brief facility security officers on Handala’s expanding target set. Ensure separation between unclassified and classified networks is rigorously maintained. Report any suspicious activity to FBI CyWatch at (855) 292-3937.
Sources: Cisco Advisory · The Hacker News · April 2, 2026
Cisco released patches for a critical vulnerability in the Integrated Management Controller (IMC) that allows an unauthenticated, remote attacker to bypass authentication and gain system access with elevated privileges. The flaw (CVE-2026-20093, CVSS 9.8) is caused by incorrect handling of password change requests. An attacker can exploit it by sending a crafted HTTP request to alter any user’s password, including administrator accounts. Cisco IMC is widely deployed in defense contractor server infrastructure for out-of-band management. A compromised IMC gives an attacker persistent access below the operating system level — invisible to most endpoint detection tools.
Action Required: Patch all Cisco IMC instances immediately. Audit IMC access logs for unauthorized password change requests. Restrict IMC management interfaces to dedicated management VLANs — do not expose to the internet. Implement monitoring for anomalous IMC administrative activity. Verify all IMC admin passwords have not been altered.
Sources: Google Threat Intelligence Group · SecurityWeek · February–April 2026
Google’s Threat Intelligence Group published a comprehensive report warning of escalating, multifaceted cyber threats targeting the global defense industrial base. The report details a “relentless barrage” of operations from China-nexus groups (UNC4841, UNC3886, UNC5221) exploiting edge devices and zero-days; Russian actors (APT44/Sandworm, UNC5125) targeting battlefield-adjacent technologies including drones; Iranian groups using fake job portals and survey lures to target personnel at major defense contractors; and North Korean actors (UNC1069) conducting supply chain attacks. Critically, the report emphasizes that threats are increasingly targeting soft vectors — hiring processes, personal emails and devices, and unmanaged edge appliances — methods that evade traditional security systems. Pro-Russia and pro-Iran hacktivist groups are conducting DDoS attacks, doxxing, and hack-and-leak campaigns against defense targets.
Action Required: Review hiring and onboarding processes for social engineering vulnerabilities. Audit all edge devices and appliances for unpatched firmware. Brief HR departments on fake job portal campaigns targeting defense personnel. Ensure all employee personal devices used for work are covered by MDM policies. Monitor for hacktivist DDoS indicators during periods of geopolitical escalation.
Sources: GAO Report · Merrill Research · CyberSheath · Nextgov/FCW · 2026
CMMC requirements are now being written directly into DOD contracts. A Merrill Research report found that only 4% of defense contractors are fully prepared to meet DOD minimum cybersecurity requirements. Only 21% use multi-factor authentication. The average Supplier Performance Risk System (SPRS) score across surveyed contractors is -12, far below the required 110 for CMMC compliance. A GAO report highlighted risks to the CMMC rollout including C3PAO assessment capacity constraints and training gaps. Non-compliance now means losing contracts — not just failing audits. Other agencies including DOE, DHS, and FAA are beginning to adopt similar compliance frameworks. IBM’s 2025 X-Force report showed a 71% rise in vulnerability exploitation as the initial entry point for ransomware — the controls CMMC mandates address exactly the weaknesses being actively exploited.
Action Required: Assess current SPRS score against the 110 threshold. Prioritize MFA deployment if not already implemented. Begin CMMC Level 1 self-assessment if not already started. Identify and engage a C3PAO for Level 2 assessment. Review NIST SP 800-171 Revision 3 requirements for upcoming changes. Budget for CMMC compliance as an operational cost, not a project.
Sources: CISA ICSA-26-092-01 · Siemens ProductCERT · April 2, 2026
CISA published an advisory for multiple vulnerabilities affecting Siemens SICAM 8 products including SICAM A8000 Device firmware, CPCI85 for CP-8031/CP-8050, SICORE for CP-8010/CP-8012, and RTUM85. The vulnerabilities could lead to denial of service in critical power systems. SICAM 8 products are deployed in energy infrastructure that defense contractors and military installations depend on. This is relevant in the context of Volt Typhoon’s known pre-positioning inside U.S. utility control loops — ICS vulnerabilities in energy grid equipment directly expand the attack surface for disruption of defense operations.
Action Required: Apply Siemens security updates using vendor-documented procedures. Ensure all ICS/OT devices are behind firewalls and not accessible from the internet. Use VPNs for remote access to control system networks. Implement CISA ICS-TIP-12-146-01B recommended practices. Coordinate with facility utility providers to verify their patching status.
Sources: Google GTIG · SecurityWeek · February–April 2026
Google GTIG identified fake job descriptions, portals, and survey lures hosted on Iranian-linked UNC1549 infrastructure masquerading as aerospace, technology, and thermal imaging companies — including drone manufacturing entities — to target personnel interested in major defense contractors. Separately, the Axios maintainer social engineering campaign demonstrated that North Korean actors are building elaborate fake company identities, complete with cloned Slack workspaces and Microsoft Teams environments, to target key individuals in the software supply chain. This represents a convergence of cyber and physical pre-positioning: adversaries are mapping the human supply chain before attacking the technical one. Defense contractor employees who receive unsolicited job offers, meeting invitations from unknown companies, or requests to join unfamiliar collaboration platforms should treat these as potential targeting indicators.
Action Required: Brief all employees — particularly those with cleared positions, overseas assignments, or technical specializations — on fake job portal campaigns. Instruct staff to verify any unsolicited meeting invitations through independent channels before accepting. Report suspicious recruitment approaches to your facility security officer and FBI CyWatch. Review LinkedIn and job board profiles for operational security exposure.
Sources: FARA Registration Database · OSINT Corporate Filings · DOJ Public Records
Two entities with foreign principal registrations under FARA identified in previous weeks continue to operate within proximity of defense facilities in the Ohio corridor — relevant to organizations in Columbus and the Dayton/Wright-Patterson AFB region. No new activity identified. This watch item remains active as a standing indicator. Cross-reference with the Iranian fake job portal campaign — the combination of digital social engineering and physical proximity represents the full-spectrum pre-positioning that this brief’s 80/10/10 framework is designed to surface.
Action Required: Maintain heightened physical security awareness at facilities in the Columbus/Dayton corridor. Report any unusual physical surveillance or unexpected vendor/visitor activity to your facility security officer. Cross-reference any new vendor relationships against the FARA registration database.
Financially motivated North Korean threat actor responsible for the Axios npm supply chain compromise. Historically focused on cryptocurrency and DeFi theft, now demonstrating capability and willingness to target the broader software supply chain. The social engineering tradecraft shown in this campaign — cloned company identities, fake Slack workspaces with branded channels, fake Teams calls — represents a significant evolution in sophistication. Malware deployed: WAVESHAPER.V2 RAT with anti-forensic self-deletion capability. The stolen credentials from this attack will enable follow-on operations for weeks to months. Microsoft tracks the same actor as Sapphire Sleet and confirmed attribution independently.
Primary TTPs
Supply Chain Compromise, Social Engineering, npm Hijacking, RAT Deployment
Target Sectors
Software Supply Chain, Cryptocurrency, Defense (indirect)
Activity Level
Critical · Active · Follow-on attacks expected
Continues as the most operationally active Iranian cyber group in the current conflict. This week added PSK Wind Technologies (Israeli defense contractor) to its target list via supply chain compromise — leaking classified IDF command center photographs, operational documents, and military communications schematics. Escalation timeline over 4 weeks: Stryker destructive wipe (March 11) → Lockheed Martin employee data (March 26) → FBI Director Patel email breach (March 27) → PSK Wind Technologies classified military data (April 2). Each operation demonstrates increasing access to classified defense ecosystems. Not financially motivated — operations are explicitly framed as retaliation. Negotiation is not a viable response strategy.
Primary TTPs
Supply Chain Compromise, Destructive Wipes, Data Exfiltration and Publication
Target Sectors
Defense, Medical Tech, Intelligence Community, Military Contractors
Activity Level
Critical · Rapidly Escalating · 4 major ops in 4 weeks
Remains embedded inside U.S. critical infrastructure into Q2 2026. No change in posture from last week — continues living-off-the-land pre-positioning inside utility control loops. This week’s Siemens SICAM 8 ICS vulnerabilities (CISA ICSA-26-092-01) are directly relevant: additional ICS attack surface in the same energy infrastructure where Volt Typhoon is known to operate. Defense contractors dependent on public utilities remain in the blast radius.
Primary TTPs
LOLBins, SOHO Router C2, NTDS.dit Credential Theft, ICS Targeting
Target Sectors
Energy, Defense, Telecom, Transportation
Activity Level
Active · Embedded · Persistent · 300+ days dwell time