# Top Stories

April 05, 2026

  1. The Hacker News general Apr 05
    Fortinet Patches Actively Exploited CVE-2026-35616 in FortiClient EMS

    Fortinet patched CVE-2026-35616 (CVSS 9.1), a critical pre-authentication API access bypass in FortiClient EMS that allows privilege escalation and has been actively exploited in the wild. The vulnerability stems from improper access control (CWE-284) and received out-of-band patches due to active exploitation. This affects enterprise endpoint management systems and requires immediate patching by organizations using FortiClient EMS.

  2. The Hacker News general Apr 05
    36 Malicious npm Packages Exploited Redis, PostgreSQL to Deploy Persistent Implants

    Researchers discovered 36 malicious npm packages disguised as Strapi CMS plugins that exploit Redis and PostgreSQL databases, deploy reverse shells, harvest credentials, and install persistent implants. Each package contains three files (package.json, index.js, postinstall.js) with no description or repository information, targeting developers through supply chain attacks. This highlights the ongoing threat to JavaScript development environments through compromised package repositories.

  3. BleepingComputer general Apr 04
    Axios npm hack used fake Teams error fix to hijack maintainer account

    Axios HTTP client maintainers revealed their developer was targeted by North Korean threat actors using a fake Microsoft Teams error fix in a social engineering campaign to hijack the maintainer account. The attack represents a sophisticated supply chain targeting effort against one of JavaScript's most popular HTTP libraries. This demonstrates how nation-state actors are increasingly targeting open-source maintainers to compromise widely-used development tools.

  4. SecurityWeek general Apr 04
    European Commission Confirms Data Breach Linked to Trivy Supply Chain Attack

    The European Commission confirmed hackers stole over 300GB of data from its AWS environment through a Trivy supply chain attack, including personal information of EU staff and contractors. CERT-EU attributed the breach to the TeamPCP threat group; the breach affected at least 29 other EU entities beyond the Commission. This represents a significant compromise of European government infrastructure through open-source tool manipulation.

  5. BleepingComputer general Apr 03
    LinkedIn secretly scans for 6,000+ Chrome extensions, collects data

    Microsoft's LinkedIn is using hidden JavaScript to scan visitors' browsers for over 6,000 Chrome extensions and collect device data without user consent. The "BrowserGate" report reveals LinkedIn's fingerprinting practices that monitor installed browser extensions for potential tracking and profiling purposes. This privacy violation affects millions of LinkedIn users and demonstrates how major tech companies collect unauthorized browser telemetry.

  6. BleepingComputer general Apr 04
    Device code phishing attacks surge 37x as new kits spread online

    Device code phishing attacks exploiting the OAuth 2.0 Device Authorization Grant flow have surged 37 times this year as new attack kits spread online. These attacks abuse the legitimate device authorization process to hijack user accounts by tricking victims into entering codes on attacker-controlled devices. The dramatic increase indicates cybercriminals are rapidly adopting this technique to bypass traditional authentication protections.

  7. SecurityWeek general Apr 03
    TrueConf Zero-Day Exploited in Asian Government Attacks

    A Chinese threat actor exploited a zero-day vulnerability in the TrueConf video conferencing platform to attack Asian government targets, performing reconnaissance, privilege escalation, and payload execution. The attacks targeted government organizations across Asia using the previously unknown vulnerability in the Russian-developed video conferencing solution. This demonstrates continued nation-state targeting of government communications infrastructure through zero-day exploits.

  8. SecurityWeek general Apr 03
    React2Shell Exploited in Large-Scale Credential Harvesting Campaign

    Hackers exploited the React2Shell vulnerability in a large-scale credential harvesting campaign, compromising over 750 systems using automated scanning and the Nexus Listener collection framework. The campaign demonstrates how attackers are systematically exploiting web application vulnerabilities to steal credentials at scale. The use of automated tools and collection frameworks indicates a sophisticated, organized operation targeting multiple organizations simultaneously.

  9. The Hacker News general Apr 03
    New SparkCat Variant in iOS, Android Apps Steals Crypto Wallet Recovery Phrase Images

    A new SparkCat malware variant has been discovered on the Apple App Store and Google Play Store, hiding in enterprise messenger and food delivery apps to steal cryptocurrency wallet recovery phrase images. The malware specifically targets crypto wallet seed phrases stored as images on mobile devices, representing an evolution in mobile cryptocurrency theft techniques. This cross-platform threat demonstrates how malware authors adapt to target valuable cryptocurrency assets through legitimate app stores.

  10. BleepingComputer general Apr 03
    CERT-EU: European Commission hack exposes data of 30 EU entities

    CERT-EU attributed the European Commission cloud hack to the TeamPCP threat group, revealing the breach exposed data from at least 29 other EU entities beyond the Commission itself. The attack leveraged supply chain vulnerabilities to access multiple European Union organizations through shared cloud infrastructure. This represents one of the largest documented breaches of EU government systems, highlighting the interconnected risk in shared cloud environments.