Cybersecurity Radar — 2026-04-07

Cybersecurity Radar | April 7, 2026 | 7 min read

A critical zero-day in Fortinet FortiClient EMS (CVE-2026-35616, CVSS 9.1) remains under active exploitation with a full patch still pending, drawing urgent advisories from multiple security firms including Tenable and CyberScoop within the last 24 hours. Meanwhile, the weekly vulnerability digest covering March 30–April 5 logged 1,361 newly identified flaws — 129 rated critical — with AI pipeline attacks emerging as a new priority. North Korean threat actors were also confirmed targeting the open-source Axios HTTP client ecosystem via social engineering, per a developer post-mortem published this week.

🔴 Critical Alerts

1. Fortinet FortiClient EMS Zero-Day (CVE-2026-35616) — Active Exploitation, Full Patch Still Pending

A critical improper access control vulnerability in Fortinet FortiClient EMS (versions 7.4.5–7.4.6) has been actively exploited in the wild since at least March 31, 2026. Rated CVSS 9.1, the flaw enables privilege escalation and has prompted emergency hotfixes from Fortinet — but as of April 7, a comprehensive patch remains unavailable. Security firm Defused Cyber first spotted the in-the-wild exploitation, and Tenable published a detailed advisory within the last 18 hours. CyberScoop reports that experts are pressing all affected organizations to apply the interim hotfix immediately and avoid delayed remediation. Affected: Enterprises running FortiClient EMS 7.4.5–7.4.6. Recommended action: Apply Fortinet's emergency hotfix without delay; monitor privileged account activity for anomalous escalation.

Fortinet zero-day advisory — emergency hotfix urged for FortiClient EMS CVE-2026-35616

2. Weekly CVE Digest: 1,361 Vulnerabilities Identified (March 30–April 5, 2026) — 129 Critical

The CVE Watchtower weekly intelligence briefing, published one day ago, flagged 1,361 newly identified vulnerabilities for the period ending April 5, of which 129 are rated critical. The digest specifically calls out Chrome's Dawn exploit (CVE-2026-5281), the FortiClient EMS zero-day, and a new class of AI pipeline attacks as the highest-priority items requiring immediate triage. Security teams are urged to prioritize patching across browser, network security, and AI/ML infrastructure layers simultaneously. Recommended action: Cross-reference your asset inventory against the full critical list; fast-track remediation for any AI inference or pipeline tooling in addition to browser and endpoint agents.

helpnetsecurity.com

Threat Landscape

1. North Korean Actors Target Axios Open-Source Ecosystem via Social Engineering

BleepingComputer reported (April 5, 2026) that maintainers of the widely used Axios HTTP client published a detailed post-mortem revealing that one of its developers was targeted in a sophisticated social engineering campaign, believed to have been conducted by North Korean threat actors. The incident raises fresh supply-chain risk concerns for the millions of applications that depend on Axios. The TTPs align with a pattern of DPRK-linked groups embedding malicious contributors or compromising existing ones to introduce backdoors into high-dependency open-source packages. Targeted sector: Software supply chain / developer tooling.

2. Stolen Credentials Fueling Combined Ransomware and Nation-State Operations

SecurityWeek (approximately one week ago, within freshness window) reports that stolen login credentials have become the universal accelerant for both financially motivated and state-sponsored threat actors. New research highlights the Shai-Hulud actor — a financially motivated group that will attempt to delete a target's home directory when it finds little of financial value to harvest, underscoring that even opportunistic actors now deploy destructive payloads. The report notes that the boundary between ransomware gangs and state-backed groups continues to erode, with actors operating with implicit or explicit state approval pursuing both profit and geopolitical objectives simultaneously.

Identity security under pressure as stolen credentials fuel multi-vector cyberattacks

3. Nation-State Attacks on Critical Infrastructure Surging, Masking Ransomware Slowdown

The Waterfall Threat Report 2026 (published approximately two weeks ago, included for contextual trend depth) finds that while ransomware incident counts have nominally declined, the drop conceals a deeper and more dangerous shift: nation-state actors are increasing direct, destructive attacks against critical infrastructure — energy, water, manufacturing, and transportation sectors. The report warns that the apparent "slowdown" in ransomware may lull defenders into a false sense of security while OT/ICS environments face an elevated and qualitatively different threat.

Waterfall Threat Report 2026: Nation-state attacks on critical infrastructure are accelerating beneath the surface

industrialcyber.co

Vulnerabilities & Patches

1. CVE-2026-35616 — Fortinet FortiClient EMS (CVSS 9.1) | Actively Exploited

  • Product: Fortinet FortiClient EMS versions 7.4.5–7.4.6
  • Issue: Improper access control enabling privilege escalation
  • Status: Emergency hotfix available; full patch pending as of April 7
  • Action: Apply hotfix immediately; add to CISA KEV watch list

Tenable advisory page for CVE-2026-35616 Fortinet FortiClient EMS zero-day actively exploited in the wild

2. CVE-2026-5281 — Google Chrome Zero-Day in Dawn Engine | Patched

  • Product: Google Chrome (all platforms)
  • Issue: In-the-wild exploit in the Dawn graphics engine; fourth Chrome zero-day fixed in 2026
  • Status: Patch released (21 total CVEs fixed in the same update)
  • Action: Ensure Chrome auto-update has applied the latest stable build; verify via chrome://settings/help

3. AI Pipeline Attacks — Emerging Vulnerability Class Flagged in Weekly Digest

  • Product/Area: AI/ML inference pipelines and model-serving infrastructure
  • Issue: The CVE Watchtower weekly digest (April 6, 2026) specifically calls out attacks targeting AI pipeline components as a new critical priority alongside traditional CVEs, suggesting adversaries are now probing ML toolchains — including model registries, prompt ingestion endpoints, and orchestration frameworks — for exploitable weaknesses.
  • Action: Audit AI/ML infrastructure for exposed endpoints; apply least-privilege controls to model registries and pipeline orchestration layers.

Breaches & Incidents

1. Axios HTTP Client Developer Targeted in DPRK Social Engineering Campaign

As reported by BleepingComputer on April 5, 2026, the Axios open-source HTTP library — used across a vast portion of the JavaScript/Node.js ecosystem — was the subject of a confirmed supply-chain social engineering attack attributed to North Korean threat actors. The developer targeted by the campaign published a detailed post-mortem. While the full downstream impact is still being assessed, the incident signals an active and ongoing DPRK effort to compromise widely used developer dependencies. Response status: Post-mortem published; project maintainers are reviewing contribution and access controls.

2. 766 Next.js Hosts Breached via CVE-2025-55182 — Credential Theft Campaign

(Reported within coverage window; story first broke April 2, 2026 and remains an active incident.) Hackers exploited CVE-2025-55182 in Next.js deployments to breach 766 hosts and conduct mass credential theft, according to The Hacker News. The vulnerability enabled targeted follow-on attacks using the harvested credentials. Organizations running Next.js applications that have not yet patched should treat any credential stores accessible from those hosts as compromised. Response status: Patch available; incident scope under ongoing review.


Industry & Policy

1. CSIS Significant Cyber Incidents Tracker Updated (April 7, 2026)

The Center for Strategic and International Studies (CSIS) updated its live "Significant Cyber Incidents" tracker within the last 17 hours. The tracker, which focuses on state actions, espionage, and attacks causing losses exceeding $1 million, serves as a key reference for policy teams monitoring the escalating intersection of geopolitics and cyberspace. Security and policy teams should review the updated timeline for newly logged incidents involving state-linked actors.

2. Cybersecurity Veteran Mikko Hyppönen Pivots to Counter-Drone Security

In an interview published by TechCrunch on April 4, 2026, F-Secure's Mikko Hyppönen — one of the industry's most recognized figures after 35+ years fighting malware — disclosed that he is now working on systems to detect and disable killer drones. The pivot reflects a broader trend: cybersecurity expertise is increasingly being applied to physical-domain threats, particularly as autonomous weapons and drone warfare blur the line between cyber and kinetic operations. This signals a potential new frontier for security professionals and defense contractors.

Mikko Hyppönen at Black Hat USA 2025, now pivoting to counter-drone security research

techcrunch.com

What to Watch

  • FortiClient EMS full patch release: Fortinet has not yet issued a complete fix for CVE-2026-35616. Watch for an official patch drop in the coming days — and watch for exploitation activity to intensify before it arrives, as attackers race to exploit the window.
  • AI pipeline attacks gaining momentum: The explicit callout of AI/ML infrastructure in the weekly CVE digest is a leading indicator. Expect more formalized CVE disclosures targeting model-serving frameworks, LLM orchestration tools, and prompt injection endpoints over the next several weeks.
  • DPRK supply-chain escalation: The Axios social engineering campaign fits an established and accelerating DPRK pattern of targeting open-source maintainers. High-value packages in the npm, PyPI, and Go ecosystems should be considered elevated-risk targets; watch for additional post-mortems and emergency security advisories from popular library maintainers.

Reader Action Items

  1. Patch FortiClient EMS now. If your organization runs FortiClient EMS 7.4.5 or 7.4.6, apply Fortinet's emergency hotfix immediately — do not wait for the full patch. Audit privileged account activity on any host managed by FortiClient EMS for signs of unauthorized escalation since March 31, 2026.

  2. Audit your open-source dependency pipeline. In light of the confirmed DPRK social engineering attack on Axios, review your software bill of materials (SBOM) for critical JavaScript/Node.js dependencies. Verify the integrity of recent package updates using checksums or provenance attestation, and review contributor access controls on any packages your organization maintains.

  3. Verify Chrome is fully updated across your fleet. CVE-2026-5281 was patched by Google, but enterprises with managed browser deployments or users who disable auto-updates remain exposed. Force-push the latest stable Chrome build across endpoints and confirm version currency — this is the fourth Chrome zero-day exploited in 2026 alone.

This content was collected, curated, and summarized entirely by AI — including how and what to gather. It may contain inaccuracies. Crew does not guarantee the accuracy of any information presented here. Always verify facts on your own before acting on them. Crew assumes no legal liability for any consequences arising from reliance on this content.
