this week in security — april 5 2026 edition
THIS WEEK, TL;DR
North Korean hackers breached maintainer of Axios open source project, used everywhere on the web
The Register: Axios, a major open source project downloaded tens of millions of times weekly, was hacked and malicious code pushed to potentially countless downstream projects that rely on its code. Axios is used to connect apps to the internet, and is practically everywhere on the web. Google's top hacker hunters blamed the breach on suspected North Korean hackers, known for hacks that aim to steal crypto. Per a post-mortem, the attackers lured in the project's primary maintainer, tricked them into installing malware using a ClickFix lure disguised as a fake meeting update, and used that access to push out malicious versions of the Axios code, all the while locking the maintainer out of the account. It's not yet known how many malicious installs were made during this hack window. The after-effects, including further downstream breaches, may be felt for some time. If you're a developer using Axios, check your pipelines.
More: Google Threat Intelligence | Bloomberg ($) | Aikido | @IntCyberDigest | @campuscodi | @samsabin
Hasbro says it may take several weeks to recover after hack
TechCrunch ($): New, from Hasbro: Cyberattack™, a game where you're the CEO of a toymaker that just got hacked and now you have to get back up and running again. Except for the folks at Hasbro, this is no fun. The toymaking multinational told investors in an 8-K that it may take "weeks" to resolve after hackers raided its systems. Hasbro hasn't said what kind of cyberattack it is, but said it was putting its contingency plans in place to ensure it can keep taking orders, shipping products, and function as a business. It's unclear if any data was stolen. The company also holds a metric heckton of intellectual property, including Monopoly and Peppa Pig, whose website was brought down during the cyberattack, and now says that the website can't be loaded "at the moment due to a technical issue." That's one way of putting it… (Disclosure alert: I wrote this story!) No hacker group has yet taken credit for the breach.
More: BBC News ($) | Reuters ($) | GovInfoSecurity
Data breaches: Cisco, Mercor, Hims & Hers, CareCloud, European Commission
Not to be outdone by Hasbro's hack, there's a fair number of data breaches to get through this week. Alright, *breathes in*... Cisco had some of its source code stolen after hackers broke in by way of an earlier hack of the Trivy open-source project, which Cisco and others rely on… AI recruiting startup Mercor was hacked, potentially exposing its training data, prompting Meta to stop work with the company… The ShinyHunters gang took credit for breaching the customer service ticketing system of telehealth giant Hims & Hers, which might expose some patients' sensitive information… What else? Oh… CareCloud, a company that stores electronic medical records on millions of patients, had one of its six databases raided, but it's still unclear how many people had medical data stolen… and last but not least: The European Commission's cyber agency confirmed its AWS account was hacked and tens of gigabytes stolen, including some email data. The top executive body blamed the TeamPCP hacking group for the breach, and ShinyHunters for the data leak. In an unexpected twist, a rep from ShinyHunters told TechCrunch that its hackers actually stole the data from TeamPCP's servers…! Never a dull moment in the cybercriminal world.
More: Bleeping Computer | TechCrunch ($) | HIPAA Journal | SecurityWeek | CERT-EU
~ ~
~this week in security~ is my weekly cybersecurity newsletter supported by readers like you. Please consider signing up for a paying subscription starting at $10/month for exclusive articles, analysis, and more.
~ ~
THE STUFF YOU MIGHT'VE MISSED
Fintech firm reveals post-incident data breach report
Betterment: Betterment detailed how an earlier hack and data breach affecting 1.4 million customers went down. Good transparency here after a high-profile incident that saw the hackers flood customers with fake notifications pushing crypto scams.
ICE says it bought spyware to use in drug trafficking cases
Bloomberg ($): America's immigration goons now have access to spyware made by Paragon Systems. ICE's acting director says its staff can use spyware as part of drug trafficking investigations... but don't count on it stopping there. Paragon's spyware was previously used in Italy to hack journalists, prompting Paragon to nuke its contract with Italy's spy agencies. More via TechCrunch and Cyberscoop.
Security experts have thoughts about vulnerability research and AI
The discussion around using AI to perform security bug hunting is heating up. Security researcher Thomas Ptacek wrote a deep essay on the future of human vulnerability discovery. Meanwhile, Trail of Bits CEO Dan Guido explains how his company uses AI to find flaws during security engagements, despite some early hesitancy. It seems that advances in how AI can be used to find flaws and secure code are taking even some of the world's top bug hunters by surprise. Case in point:

'Secure' chat app's security is so bad it's meaningless
404 Media ($): TeleGuard, an ostensibly "secure" app downloaded more than a million times, has pretty much no real security, and its messages can be easily decrypted, per reporting by @josephcox. It's a reminder not to take app claims at face value, and to use only tried and tested technologies that have been independently scrutinized.
Mikko Hyppönen hacks drones and Benjamin Brundage takes on botnets
TechCrunch ($), WSJ ($): Two excellent cybersecurity profiles dropped this week. The first is of security veteran Mikko Hyppönen, whose decades of work in malware research now see him countering killer drones. He shares the spotlight with college student Benjamin Brundage, who set up his one-man shop Synthient to help warn about botnets like Kimwolf that hijack residential internet bandwidth to carry out massive DDoS attacks and enable cybercrime. These human-interest profiles are worth your time!
~ ~
OTHER NEWSY NUGGETS
Iran says it'll start attacking U.S. tech firms: Iran said it's going to start attacking mostly U.S. companies across the Middle East starting April 1 (not a joke) as the U.S.-Israel-Iran war continues. The threat was open-ended, but suggested more "missiles hitting datacenters" than "popping shells on your web servers." Iran's military has already struck an Oracle datacenter and AWS several times. Adjust your threat models accordingly… to include flying bombs, it seems. (via The Hill, Wired ($), Jerusalem Post)
Chinese hack of FBI spy system is 'major incident': I mean, no sh*t, but legally speaking a Chinese hack of an FBI surveillance system in March may have compromised national security, and as such qualifies as a "major incident," which means having to actually notify Congress. This is because a new report this week said the hackers allegedly accessed phone numbers of surveillance targets, potentially revealing the identities of FBI suspects. The hackers allegedly broke in by "leveraging an ISP's infrastructure to exploit FBI network security controls." That itself is noteworthy. (via Politico ($), @johnnysaks130)

North Korea nicks $280M from Drift: Blockchain watchers blamed North Korea for stealing some $280 million in cryptocurrency from decentralized finance platform Drift Protocol, prompting the site to pause customer deposits and withdrawals. Drift, in its own post-hack report, also blamed North Korea, and explained how the hack — some six months in the making — went down. (via The Record, @DriftProtocol)
No more DarkSword risk for iOS 18: The potentially millions of iOS 18 users who refused to upgrade to iOS 26 (a lot of people hate how it looks, which, fair) can now receive backported security updates against DarkSword, the leaked hacking tools that can steal data from an affected iPhone or iPad simply by a user visiting a malicious website. (via Wired ($), 9to5Mac, Apple)
Dating sites shared personal data with AI firms: The Federal Trade Commission effectively banned dating site OkCupid (and its owner Match Group) from misrepresenting its privacy policy after accusing the company of giving the personal data of at least 3 million users, including photos and location data, to a facial recognition firm. Match settled without admitting wrongdoing or paying a fine. (via FTC, Ars Technica, PetaPixel)
Quack security: Canadian money transfer service Duc App exposed potentially hundreds of thousands of driver's licenses and passport photos that users uploaded as part of its know-your-customer checks. The data was left in a public Amazon S3 bucket, open to the web, no password needed whatsoever. Anyone with a web browser who knew the easy-to-guess bucket address could have found it. (Disclosure: I wrote this, too!) Another reason to be careful when being asked to upload your government-issued IDs to the web. (via TechCrunch ($))
~ ~
THE HAPPY CORNER
A very warm welcome to this week's happy corner, where we start in Space! The place where nobody can hear you scream. But when you are going to space, everyone can see your tablet password. Practice safe security, even when you're in a space shuttle!

This cat appears to have invented its own tank for launching ground-based feline attacks.
Meanwhile, this trans porter is almost ready to ship to production.
And lastly, this week, The Verge has a really solid read on using Linux Mint to breathe new life into a laptop running the now-doomed Windows 10, which no longer receives updates. It's a pretty inspiring read for anyone with legacy tech who wants to spin up a new old device with a fresh lick of digital paint. (via @grackle, @majhium)
Got good news to share? Get in touch! this@weekinsecurity.com.
~ ~
CYBER CATS & FRIENDS
This week's cyber cat is Silvia, who — wait — stop! That's the face of a void floof who was just caught in the act buying catnip off the dark web using a stolen credit card. Thanks so much to Genaro for the snap!

🐈 Send in your cyber cats! 🐈⬛ Got a cat or a non-feline friend? Send me an email with their photo and name and they will be featured in a later newsletter!
~ ~
SUGGESTION BOX
Going once... going twice... and I'm out! Join me again next week with your usual digest from the week. To keep in touch, drop me an email with your thoughts, any news, analysis, or fun things for the newsletter — it's great to hear from you.
Enjoy your week,
@zackwhittaker