Axios NPM Package Compromised: Supply Chain Threat — Dark Reading

The Axios NPM package, a widely used JavaScript HTTP client, was compromised in a precision supply chain attack. Hackers hijacked the npm account to distribute cross-platform malware, potentially affecting over 100 million weekly downloads. This incident underscores the critical need for robust supply chain security measures and continuous monitoring of third-party dependencies to prevent unauthorized code execution and data breaches.

Cisco Source Code Breach Linked to Trivy Exploit — BleepingComputer

Cisco has reported a security breach where threat actors exploited stolen credentials from a Trivy-related incident to access and steal source code from its development environment. This breach highlights the vulnerabilities in developer environments and the need for stringent access controls and monitoring. Organizations should review their security practices around credential management and third-party tools to mitigate similar risks.

TrueConf Zero-Day Exploited by Iranian APTs — The Hacker News

A high-severity zero-day vulnerability in TrueConf video conferencing software has been exploited by Iranian APT groups targeting Southeast Asian government networks. This exploitation involves pseudo-ransomware tactics, blurring the lines between state-sponsored and cybercriminal activities. Security teams should prioritize patching this vulnerability and enhance monitoring for indicators of compromise related to these APT activities.

• Google's Vertex AI Has an Over-Privileged Problem [Dark Reading]
• Claude AI finds Vim, Emacs RCE bugs that trigger on file open [BleepingComputer]
• CISA orders feds to patch actively exploited Citrix flaw by Thursday [BleepingComputer]
• Lloyds Data Security Incident Impacts 450,000 Individuals - SecurityWeek [Google News Security]
• Fortinet Forticlient EMSの重大な脆弱性、攻撃での悪用始まる：CVE-2026-21643 - 株式会社マキナレコード [Google News Security (JP)]