IT SECURITY
6 April 2026 • 5 min read

ZYMP IT Security — 6 April 2026

A critical weekend for cybersecurity as Fortinet issues an emergency patch for an actively exploited zero-day in FortiClient EMS, North Korean hackers compromise the widely-used Axios npm package through an elaborate social engineering campaign, and device code phishing attacks surge 37-fold driven by the proliferation of phishing-as-a-service kits. Elsewhere, attackers weaponise the React2Shell vulnerability to compromise 766 hosts in 24 hours, and LinkedIn faces scrutiny over covert browser extension scanning affecting thousands of users.

Critical FortiClient EMS Zero-Day Actively Exploited, Emergency Patch Released

VULNERABILITY

Fortinet has released an emergency weekend security update for a critical vulnerability in its FortiClient Enterprise Management Server (EMS), tracked as CVE-2026-35616. The flaw, classified as an improper access control vulnerability, allows unauthenticated attackers to execute arbitrary code or commands via specially crafted requests. Fortinet has confirmed active exploitation in the wild.

The vulnerability affects FortiClient EMS versions 7.4.5 and 7.4.6, with hotfixes now available. Cybersecurity firm Defused, which discovered the flaw, described it as a pre-authentication API access bypass that circumvents authentication and authorisation controls entirely. Shadowserver has identified over 2,000 exposed FortiClient EMS instances online, predominantly in the United States and Germany. This marks the second critical FortiClient EMS flaw in as many weeks, following CVE-2026-21643, also discovered by Defused and similarly exploited in attacks.

North Korean Hackers Compromise Axios npm Package in Elaborate Social Engineering Campaign

SUPPLY CHAIN ATTACK

The maintainers of the widely-used Axios HTTP client have published a detailed post-mortem revealing how a sophisticated social engineering campaign — attributed to North Korean threat actors tracked as UNC1069 — led to the publication of two malicious package versions (1.14.1 and 0.30.4) on npm. The attack injected a dependency named plain-crypto-js that installed a cross-platform remote access trojan targeting macOS, Windows, and Linux systems.

The compromise began weeks earlier when attackers impersonated a legitimate company, cloned its branding, and invited the project’s lead maintainer into a fabricated Slack workspace complete with staged channels and fake employee profiles. During a scheduled Microsoft Teams meeting, a fake error message prompted the maintainer to install a fraudulent Teams update — which was in fact RAT malware. The malicious packages were live for approximately three hours before removal. Google’s Threat Intelligence Group confirmed the use of WAVESHAPER.V2, an updated tool previously associated with UNC1069 operations dating back to 2018.

React2Shell Exploit Compromises 766 Hosts in 24-Hour Automated Credential Harvesting Operation

CYBERSECURITY

Cisco Talos has uncovered a large-scale automated credential theft campaign exploiting the React2Shell vulnerability (CVE-2025-55182) in Next.js applications. At least 766 hosts across multiple cloud providers and geographies were compromised within a single 24-hour period. The operation, attributed to threat cluster UAT-10608, employs a framework named NEXUS Listener to automate the extraction and exfiltration of sensitive data.

The harvested data includes environment variables, API keys, database credentials, GitHub and GitLab tokens, SSH private keys, AWS and cloud IAM credentials, Kubernetes tokens, Docker container information, and command history. Data is exfiltrated in chunks via HTTP requests over port 8080 to a command-and-control server running the NEXUS Listener component, which provides attackers with search, filtering, and statistical analysis capabilities. Cisco Talos gained access to an exposed NEXUS Listener instance, revealing the full scope of the operation and the breadth of stolen credentials that could enable cloud account takeovers, supply chain attacks, and lateral movement across networks.

Device Code Phishing Attacks Surge 37-Fold as Phishing-as-a-Service Kits Proliferate

PHISHING

Device code phishing attacks abusing the OAuth 2.0 Device Authorization Grant flow have surged more than 37 times since the start of 2026, according to research from Push Security. The technique, first documented in 2020, involves attackers sending device authorisation requests to service providers and tricking victims into entering codes on legitimate login pages, thereby granting attackers persistent account access through valid tokens.

The dramatic increase is attributed primarily to the EvilTokens phishing-as-a-service platform, which has democratised the technique for low-skilled cybercriminals. However, Push Security has identified at least ten competing kits operating in the same space — including VENOM, SHAREFILE, CLURE, LINKID, and DOCUPOLL — each offering distinct themes, lures, and infrastructure configurations. The kits use varied pretexts ranging from Microsoft Teams notifications and DocuSign document sharing to Adobe file transfers and even luxury brand themes. The diversification of available tooling suggests that device code phishing has become firmly mainstream in the cybercriminal arsenal, and the disruption of any single platform is unlikely to stem the tide.

LinkedIn Covertly Scans Browsers for Over 6,000 Chrome Extensions, Raises Privacy Concerns

PRIVACY

A report from Fairlinked e.V., an association of commercial LinkedIn users, has revealed that Microsoft’s LinkedIn platform injects hidden JavaScript into user sessions to scan visitors’ browsers for installed extensions and collect device data. The so-called “BrowserGate” report claims that LinkedIn checks for over 6,236 Chrome extensions — a significant increase from the approximately 2,000 extensions detected by the same script in 2025.

BleepingComputer independently confirmed the scanning behaviour, observing a JavaScript file with a randomised filename checking extension IDs — a well-known fingerprinting technique. The script also collects extensive device information including CPU core count, available memory, screen resolution, timezone, language settings, battery status, and audio characteristics. The report alleges that LinkedIn scans for over 200 products competing with its own sales tools, including Apollo, Lusha, and ZoomInfo, potentially enabling the platform to map competitor usage by company. LinkedIn denies misusing the data, stating the detection is used to protect the platform and identify extensions that violate its terms of service.

ZY Media Productions
