
Human Factor Blog

how human behavior affects security

Programmer’s Digest #180

04/08/2026-04/15/2026 Marimo RCE Flaw, 0-Day Vulnerability Actively Exploited, New FortiClient EMS flaw And More.

1. Marimo RCE Flaw CVE-2026-39987 Exploited Within 10 Hours of Disclosure

A critical vulnerability in Marimo, an open-source Python notebook for data science, was exploited within 10 hours of disclosure, according to Sysdig. The flaw, CVE-2026-39987 (CVSS 9.3), is a pre-authentication remote code execution bug affecting versions up to 0.20.4 and fixed in 0.23.0.

The issue stems from the /terminal/ws WebSocket endpoint lacking authentication checks. Unlike other endpoints, it skips validation entirely, allowing attackers to gain a full interactive shell without credentials and execute arbitrary commands.

Sysdig observed exploitation just under 10 hours after disclosure, even without public proof-of-concept code. An attacker accessed a honeypot system, explored files, and attempted to extract sensitive data such as .env contents and SSH keys. The intruder returned multiple times, suggesting manual activity.

The incident highlights how quickly attackers weaponize new vulnerabilities, shrinking response time. It also shows that any internet-exposed system—not just popular platforms—can become an immediate target.

2. CISA Warns of Chrome 0-Day Vulnerability Actively Exploited in Attacks

A critical zero-day vulnerability in Google Chrome is being actively exploited, prompting urgent warnings for users worldwide. Tracked as CVE-2026-5281, the flaw was added to CISA’s Known Exploited Vulnerabilities catalog on April 1, 2026.
The bug is a Use-After-Free issue in Google Dawn, enabling attackers to execute code after tricking users into visiting a malicious webpage. Successful exploitation can lead to system compromise, data theft, or malware installation. Because the issue affects the Chromium engine, other browsers like Microsoft Edge, Opera, Vivaldi, and Brave are also impacted.

Security agencies urge immediate updates once patches are available. CISA requires federal agencies to mitigate the flaw by April 15, highlighting the urgency of patching or discontinuing vulnerable systems.

3. Exposed ComfyUI Servers Hijacked For Cryptomining and Proxy Botnet Operations

Hackers are hijacking exposed ComfyUI servers, turning them into cryptomining systems and proxy botnet nodes. Over 1,000 internet-accessible instances—often running on GPU-rich cloud platforms—present a valuable target due to weak or absent authentication.

According to Censys ARC, attackers scan for vulnerable servers and exploit ComfyUI’s custom node feature, which can execute arbitrary Python code. By submitting malicious workflows, they achieve remote code execution without needing a traditional vulnerability.

Compromised systems run XMRig and lolMiner to mine Monero and Conflux, while also joining a Hysteria-based proxy botnet. A Flask-based control panel manages infected machines.

The malware uses stealth techniques like fileless execution and rootkits to persist. Experts warn administrators to secure ComfyUI deployments, restrict risky nodes, and monitor for unusual activity to prevent compromise.

4. New Chaos Variant Targets Misconfigured Cloud Deployments, Adds SOCKS Proxy

Cybersecurity researchers report a new variant of Chaos malware targeting misconfigured cloud environments, expanding beyond routers and edge devices. The malware now actively exploits weak cloud setups such as exposed Hadoop instances.

Chaos is a cross-platform threat affecting Windows and Linux. It can execute remote commands, deploy payloads, mine cryptocurrency, and launch DDoS attacks. The latest version drops older propagation methods and introduces a SOCKS proxy feature, allowing infected systems to relay malicious traffic and hide attacker activity. Researchers observed the malware being deployed via malicious shell commands that download and execute a binary, then erase traces. Infrastructure linked to the campaign overlaps with past activity from Silver Fox. This evolution shows attackers are diversifying botnets for profit, combining cryptomining, DDoS, and proxy services.

5. New FortiClient EMS flaw Exploited in Attacks, Emergency Patch Released

Fortinet has issued an emergency update for a critical vulnerability in FortiClient Enterprise Management Server that is actively exploited. Tracked as CVE-2026-35616, the flaw is an improper access control issue allowing unauthenticated attackers to execute code via crafted requests. The bug affects versions 7.4.5 and 7.4.6 and was patched over the weekend. Fortinet confirmed in-the-wild exploitation and urged users to install hotfixes immediately. The issue will also be resolved in version 7.4.7, while version 7.2 is not impacted.

The flaw enables attackers to bypass authentication entirely. Researchers observed it being used as a zero-day before disclosure. Meanwhile, Shadowserver Foundation reported over 2,000 exposed EMS instances online.

This follows another actively exploited flaw, CVE-2026-21643, highlighting the urgency for organizations to patch systems or upgrade promptly.

6. CVE-2026-39363: Arbitrary File Read via WebSocket Authorization Bypass in Vite

CVE-2026-39363 is a high-severity vulnerability in the Vite development server that allows attackers to read arbitrary files from the host system. The flaw lies in a WebSocket-based RPC channel used for features like Hot Module Replacement. Unlike Vite’s HTTP middleware, this channel fails to enforce filesystem access restrictions. An unauthenticated attacker with network access can send crafted WebSocket messages to invoke internal functions like fetchModule, forcing the server to read sensitive files (e.g., /etc/passwd or .env). The server then returns the file contents, exposing source code, credentials, and system data. The issue stems from missing authorization checks in the WebSocket layer, which bypasses security controls defined in server.fs.allow. Patches fix this by enforcing validation within core logic and disabling vulnerable features by default. Users should upgrade to secure Vite versions immediately, restrict server access to localhost, and avoid exposing development servers to public networks to reduce risk.

7. New MacOS Stealer Campaign Uses Script Editor in ClickFix Attack

A new campaign is spreading Atomic Stealer (AMOS) malware to macOS users by abusing Script Editor in a variant of the ClickFix attack. Instead of tricking users into running Terminal commands, attackers use fake Apple-themed websites offering “disk cleanup” guides. These pages include instructions that trigger Script Editor via a special link, automatically loading malicious AppleScript. The script executes an obfuscated command that downloads and runs malware directly in memory. It installs a hidden binary, bypasses security checks, and launches AMOS.

Atomic Stealer can extract sensitive data such as Keychain information, browser passwords, cookies, crypto wallets, and credit card details. It may also install a backdoor for persistent access. Although newer macOS versions warn against similar Terminal attacks, this method avoids those protections. Users are advised to treat unexpected Script Editor prompts as high-risk and only follow trusted, official Apple documentation when troubleshooting.


Programmer’s Digest #179

04/01/2026-04/08/2026 N. Korean Hackers Spread 1,700 Malicious Packages, Docker Flaw (CVE-2026-34040), Next.js React2Shell Flaw, 36 Malicious npm Packages.

1. N. Korean Hackers Spread 1,700 Malicious Packages Across npm, PyPI, Go, Rust

The North Korea-linked campaign Contagious Interview has expanded by publishing malicious packages across Go, Rust, PHP, npm, and PyPI ecosystems. These packages mimic legitimate developer tools but secretly act as malware loaders, delivering second-stage payloads with infostealer and remote access trojan (RAT) capabilities. They mainly target browser data, passwords, and cryptocurrency wallets.

Some variants, especially on Windows, include advanced features like keystroke logging, file uploads, remote access via AnyDesk, and command execution. Notably, the malicious code is hidden inside normal-looking functions, making detection difficult.

Researchers have identified over 1,700 related malicious packages since early 2025. The campaign is part of a broader supply chain attack strategy linked to North Korean groups such as UNC1069, also known as BlueNoroff.
These attackers use long-term social engineering via platforms like LinkedIn and Telegram, sending fake meeting links that deploy malware. Their delayed execution tactics help them remain undetected longer, maximizing data theft and espionage opportunities.

2. Docker Flaw (CVE-2026-34040) Lets Attackers Bypass Security Controls and Take Over Hosts

A critical Docker flaw, CVE-2026-34040, allows attackers to bypass authorization controls and potentially gain full access to host systems. The issue affects environments using authorization (AuthZ) plugins—commonly relied on to enforce container security policies. The vulnerability stems from how Docker handles large API requests. When a request exceeds 1 MB, Docker truncates it before sending it to the authorization plugin, but still executes the full request.

This mismatch allows attackers to slip malicious actions past security checks, such as launching privileged containers or accessing sensitive data like SSH keys and cloud credentials. With a CVSS score of 8.8, the flaw impacts Docker versions dating back nearly a decade. Exploitation is simple, requiring just one crafted request and leaving little trace.

Docker has released a fix. Organizations should update immediately, restrict API access, monitor activity, and apply layered security controls to reduce risk.

3. 36 Malicious npm Packages Exploited Redis, PostgreSQL to Deploy Persistent Implants

Researchers uncovered 36 malicious npm packages posing as Strapi plugins. Disguised with names like “strapi-plugin-*,” they mimic legitimate tools but execute hidden payloads during installation via a postinstall script. These packages enable attacks such as Redis and PostgreSQL exploitation, reverse shells, credential theft, and persistent backdoors. Because the scripts run automatically with user privileges, they are especially dangerous in CI/CD pipelines and Docker environments.

The campaign evolved over time—from aggressive exploits (e.g., Redis-based remote code execution and container escape) to reconnaissance and targeted data theft, including cryptocurrency wallets and database secrets. Some payloads even used hard-coded credentials, suggesting prior access. Researchers believe the activity may target crypto platforms. Users who installed these packages should assume compromise and rotate credentials immediately. This incident highlights a broader rise in software supply chain attacks, where trusted ecosystems like npm are increasingly used to distribute malware at scale.

4. Hackers Exploit Next.js React2Shell Flaw to Steal Credentials From 766 Hosts in 24 Hours

A fast-moving cyberattack campaign is exploiting React2Shell (CVE-2025-55182), a critical flaw in Next.js apps using React Server Components. With a maximum CVSS score of 10.0, the bug allows attackers to execute code on servers using a single unauthenticated HTTP request. Researchers from Cisco Talos tracked the campaign as UAT-10608. In just 24 hours, attackers breached 766 servers across platforms like AWS, Google Cloud, and Azure, stealing over 10,000 files. Exposed data includes passwords, SSH keys, cloud tokens, and database credentials. The attack is fully automated, using internet-wide scanning tools to find vulnerable systems. Stolen data is managed via a custom command-and-control system called NEXUS Listener.
Beyond immediate breaches, stolen registry credentials could enable supply chain attacks. Organizations should patch immediately, rotate all secrets, restrict access, and monitor unusual outbound traffic to detect ongoing compromises.


Programmer’s Digest #178

03/25/2026-04/01/2026 Axios npm Package, N8n Patches Critical Remote Code Execution Vulnerability, LiteLLM PyPI Compromise And More.

1. Axios npm Package Backdoored in Major North Korea-Linked Supply Chain Attack

Google has formally attributed the Axios npm supply chain compromise to UNC1069, a financially motivated North Korean threat cluster active since 2018. Attackers seized the package maintainer’s npm account and pushed two trojanized versions — 1.14.1 and 0.30.4 — that introduced a malicious dependency, plain-crypto-js, as a payload delivery vehicle. A postinstall hook silently executed an obfuscated JavaScript dropper (SILKBELL), which fetched platform-specific second-stage implants for Windows, macOS, and Linux. The backdoor, WAVESHAPER.V2, beacons to its C2 server every 60 seconds and supports remote command execution, directory enumeration, and arbitrary binary injection. After execution, the dropper deleted itself and replaced its package.json with a clean stub to hinder forensic analysis.

Action: Audit dependency trees for axios@1.14.1, axios@0.30.4, or plain-crypto-js. Pin Axios to 1.14.0 in your lockfile, block C2 domain sfrclak[.]com (IP: 142.11.206[.]73), and rotate all credentials from affected environments immediately.
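
One way to run the lockfile audit from the Action above, which also surfaces the install-time hooks that the Strapi-plugin campaign in Digest #179 relied on (an added example, not code from the digest or from npm). It assumes npm's package-lock.json layout; the sample lockfile, its other package names, and the plain-crypto-js version are constructed.

```python
import json

# Versions named in this digest; any plain-crypto-js release is treated as hostile.
BAD_VERSIONS = {"axios": {"1.14.1", "0.30.4"}}
BAD_NAMES = {"plain-crypto-js"}

# Constructed sample (lockfileVersion 3); the plain-crypto-js version is a placeholder.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/axios": {"version": "1.14.1"},
        "node_modules/plain-crypto-js": {"version": "0.0.0", "hasInstallScript": True},
        "node_modules/left/node_modules/axios": {"version": "1.14.0"},
        "node_modules/@scope/native-addon": {"version": "2.0.0", "hasInstallScript": True},
    },
}


def _iter_packages(lock):
    """Yield (name, location, entry) for v2/v3 ("packages") or v1 ("dependencies")."""
    if "packages" in lock:
        for path, entry in lock["packages"].items():
            if path:  # the "" key is the root project
                # 'node_modules/a/node_modules/@s/b' -> '@s/b'; aliases carry "name"
                yield entry.get("name") or path.rsplit("node_modules/", 1)[-1], path, entry
        return  # v2 duplicates the tree under "dependencies"; do not report twice

    def walk(deps, prefix):
        for name, entry in deps.items():
            yield name, prefix + name, entry
            yield from walk(entry.get("dependencies", {}), prefix + name + " > ")

    yield from walk(lock.get("dependencies", {}), "")


def audit_lockfile(lock):
    """Return sorted (kind, name, version, location) findings."""
    findings = []
    for name, loc, entry in _iter_packages(lock):
        version = entry.get("version", "")
        if name in BAD_NAMES or version in BAD_VERSIONS.get(name, ()):
            findings.append(("compromised", name, version, loc))
        elif entry.get("hasInstallScript"):
            # Package declares install-time hooks (postinstall etc.): review by hand.
            findings.append(("install-script", name, version, loc))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            lock = json.load(fh)
    else:
        lock = SAMPLE_LOCK
    for finding in audit_lockfile(lock):
        print(*finding, sep="\t")
```

Run it with a path to package-lock.json as the only argument; with no argument it audits the constructed sample.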

2. Two Chrome Zero-Days Exploited in the Wild: What CVE-2026-3909 and CVE-2026-3910 Mean for Your Business

Google patched two actively exploited Chrome zero-days — CVE-2026-3909 and CVE-2026-3910 — both carrying a CVSS score of 8.8 and discovered internally on March 10, 2026. CVE-2026-3909 is an out-of-bounds write in Skia, Chrome’s 2D graphics engine, capable of causing memory corruption or remote code execution via a malicious webpage. CVE-2026-3910 is an inappropriate implementation flaw in V8, Chrome’s JavaScript engine, allowing arbitrary code execution inside the browser sandbox — again, triggered simply by visiting a crafted page. CISA added both to its Known Exploited Vulnerabilities catalog on March 13, requiring federal agencies to patch by March 27. These are the second and third actively exploited Chrome zero-days of 2026. Chromium-based runtimes used in headless deployments for PDF generation or CI pipelines are equally affected.

Action: Update Chrome to 146.0.7680.75 or later (146.0.7680.76 on macOS) across all workstations and headless environments. A browser restart is required — do not assume auto-update has completed.

3. N8n Patches Critical Remote Code Execution Vulnerability (CVE-2026-33660)

CVE-2026-33660, publicly disclosed on March 25, 2026, affects n8n’s Merge node when its “Combine by SQL” mode is used. The AlaSQL sandbox did not sufficiently restrict certain SQL statements, allowing an authenticated attacker to read local files on the n8n host and achieve remote code execution. The vulnerability has a CVSS score of 9.4 and requires only low-level privileges — specifically, the ability to create or modify workflows — with no user interaction needed. This is at least the third RCE through AlaSQL in n8n’s Merge node in 2026, following CVE-2026-27497 and CVE-2026-27577. The fix in versions 2.14.1, 2.13.3, and 1.123.27 moves execution into an isolated-vm sandbox, eliminating the entire class of attack. n8n workflows routinely hold credentials for databases, APIs, and cloud services, making a compromised instance a high-value pivot point.

Action: Upgrade n8n immediately to 2.14.1, 2.13.3, or 1.123.27. If patching is not immediately possible, add n8n-nodes-base.merge to the NODES_EXCLUDE environment variable to disable the Merge node, and restrict workflow-editing permissions to fully trusted users only.

4. TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Stealer in WAV Files

TeamPCP, the threat actor behind the recent LiteLLM and Trivy compromises, struck again on March 27, 2026, pushing two malicious versions of the Telnyx Python package (4.87.1 and 4.87.2) to PyPI. The malware hid its payload inside .WAV audio files using steganography — a technique previously seen in this group’s tooling — to evade network inspection and EDR detection. On Windows, the payload achieves persistence by dropping an executable into the Startup folder as msbuild.exe. On Linux and macOS, it performs a smash-and-grab credential harvest, exfiltrating secrets as tpcp.tar.gz to 83.142.209[.]203:8080 before self-destructing. Endor Labs researchers believe TeamPCP likely obtained Telnyx’s PyPI token through the earlier LiteLLM compromise, where environment variables and CI secrets were swept from affected systems.

Action: Audit environments for telnyx==4.87.1 or 4.87.2, downgrade to 4.87.0, block C2 IP 83.142.209[.]203, check Windows Startup folders for msbuild.exe, and rotate all secrets from any pipeline that imported the package.

5. LiteLLM PyPI Compromise Triggers Mercor Breach — AI Supply Chain Under Fire

Threat actors known as TeamPCP targeted LiteLLM, a popular open-source API gateway that lets developers talk to over 100 different large language models. The attackers gained initial access by compromising the Trivy vulnerability scanner through a misconfigured GitHub Actions workflow, then stole the PyPI publishing token for LiteLLM and pushed two malicious versions, 1.82.7 and 1.82.8, directly to the public registry. The malware was designed to harvest credentials and establish persistent system access, targeting SSH keys, .env files, cloud credentials, and AI API keys.
Mercor, an AI recruiting and training-data startup, has confirmed it was “one of thousands of companies” hit by the attack. The attackers were only caught because of a small bug in their code that caused a massive memory leak.

Action: If your stack uses LiteLLM, immediately upgrade beyond version 1.82.8 and audit all environments that ran it during late March. Harden GitHub Actions workflows by pinning action versions to commit SHAs and storing PyPI tokens as short-lived OIDC-based credentials rather than long-lived secrets.

6. LangChain, LangGraph Flaws Expose Files, Secrets, Databases in Widely Used AI Frameworks

Three vulnerabilities in LangChain and LangGraph — collectively downloaded over 84 million times on PyPI last week — expose filesystem data, environment secrets, and conversation history. CVE-2026-34070 (CVSS 7.5) is a path traversal flaw in LangChain’s prompt-loading API that allows arbitrary file reads without validation. CVE-2025-68664 (CVSS 9.3) is a deserialization vulnerability that leaks API keys and environment secrets by tricking the application into treating attacker-supplied input as a pre-serialized LangChain object. CVE-2025-67644 (CVSS 7.3) is an SQL injection flaw in LangGraph’s SQLite checkpoint implementation, enabling arbitrary queries against the conversation history database. Because LangChain sits at the center of a large dependency web, vulnerable code paths propagate through every downstream wrapper and integration that inherits them.

Action: Upgrade immediately: langchain-core >=1.2.22 (CVE-2026-34070), langchain-core 0.3.81 or 1.2.5 (CVE-2025-68664), and langgraph-checkpoint-sqlite 3.0.1 (CVE-2025-67644). Audit any LangChain-based agentic workflows that handle secrets or privileged data.
