Originally reported by The Hacker News, Microsoft Security, Qualys, SANS ISC, MSRC Security Updates
TL;DR
A critical supply chain attack compromised the popular Axios HTTP client library through malicious npm packages, while OpenAI addressed ChatGPT data exfiltration flaws and Microsoft published numerous CVE advisories covering Chromium, libssh, and other components.
The Axios supply chain attack represents a critical threat given the widespread usage of the HTTP client library and the successful compromise of npm credentials to distribute cross-platform RAT malware. This type of supply chain attack potentially affects millions of downstream applications and requires an immediate response from development teams.
The popular Axios HTTP client library suffered a critical supply chain attack after threat actors compromised the primary maintainer's npm credentials. According to StepSecurity's analysis, malicious versions 1.14.1 and 0.30.4 were published containing a fake dependency called "plain-crypto-js" version 4.2.1, which delivered a cross-platform remote access trojan.
The attack demonstrates the continuing vulnerability of the npm ecosystem to credential compromise, affecting one of JavaScript's most widely used HTTP libraries. Development teams using Axios should immediately audit their dependencies and pin to verified safe versions.
ReliaQuest researchers identified a new malware loader dubbed DeepLoad that leverages ClickFix social engineering tactics to establish persistence via Windows Management Instrumentation (WMI). The malware employs AI-assisted obfuscation and process injection techniques to evade static analysis while immediately beginning credential theft operations targeting browser sessions and stored passwords.
The campaign highlights the evolution of social engineering attacks, combining familiar user interface deception with advanced evasion techniques to compromise systems even when primary payloads are blocked.
Check Point researchers disclosed a vulnerability in OpenAI's ChatGPT that enabled covert data exfiltration through malicious prompts. The flaw allowed attackers to extract sensitive conversation data, uploaded files, and other user content without detection or user consent through specially crafted prompts that turned normal conversations into exfiltration channels.
OpenAI has patched the vulnerability alongside a separate issue affecting GitHub token handling in their Codex system. The disclosure underscores emerging security challenges in large language model platforms as they handle increasingly sensitive user data.
Microsoft published guidance on addressing OWASP's Top 10 risks for agentic AI applications within Copilot Studio. The framework maps specific security risks introduced by autonomous AI agents to concrete mitigation strategies, providing practitioners with actionable guidance for securing AI-driven applications in enterprise environments.
Microsoft released multiple CVE advisories covering vulnerabilities in third-party components integrated into Microsoft products:
- CVE-2026-4676: Use-after-free vulnerability in Chromium's Dawn component affecting Microsoft Edge
- CVE-2026-0965: Denial of service vulnerability in libssh through improper configuration file handling
- CVE-2026-33937: JavaScript injection vulnerability in Handlebars.js via AST type confusion
- CVE-2026-33416: Use-after-free vulnerability in libpng affecting pointer aliasing in transparency functions
- CVE-2026-33895: Signature forgery vulnerability in Forge Ed25519 implementation due to missing validation

Additional CVEs were published for brace-expansion (CVE-2026-33750), Incus container management (CVE-2026-33542), and Linux kernel components (CVE-2025-71233, CVE-2025-71236).
SANS researchers documented application control bypass methods used for data exfiltration, noting that organizations often fear data theft more than encryption-based attacks due to the permanent loss of data control. The research provides insights into how attackers circumvent security controls to establish covert data channels.
Industry analysis identified three key process improvements that significantly enhance Tier 1 SOC analyst productivity: streamlined workflows, automated triage processes, and improved early-stage visibility. The findings suggest that operational bottlenecks often impact incident response more than the complexity of threats themselves.
Qualys announced optimizations to their Gateway Service (QGS) platform focused on vulnerability discovery and remediation efficiency. Given that unpatched vulnerabilities account for nearly 60% of successful compromises, the enhancements address network efficiency and bandwidth constraints that can limit large-scale vulnerability management operations.