TLP:CLEAR | CTI-2026-0406

Daily Threat Intelligence Brief - April 6, 2026

April 6, 2026 | 13 min read
Tags: cti, vulnerabilities, ransomware, ai-security, agentic-ai, threat-actors, supply-chain

Executive Summary

  • Cisco IMC and SSM On-Prem (CVSS 9.8 each): CVE-2026-20093 allows unauthenticated password reset of any user including admin via crafted HTTP requests. CVE-2026-20160 exposes an internal service API enabling root-level RCE. IMC operates below the OS layer, so a compromise survives OS reinstalls
  • North Korea steals $285M from Drift Protocol: UNC4736 executed a 6-month social engineering operation culminating in a 12-minute drain of Solana's largest perpetual futures exchange. Largest DeFi hack of 2026
  • Reasoning models as autonomous jailbreak agents: Nature Communications research shows DeepSeek-R1 and Gemini 2.5 Flash achieve 97.14% jailbreak success rate against other AI models, converting jailbreaking from a specialized skill into an automated commodity
  • Axios npm supply chain RAT: North Korean UNC1069 socially engineered the maintainer's npm account, pushing malicious versions with a cross-platform RAT to approximately 100 million weekly downloads
  • Citrix NetScaler actively exploited (CVE-2026-3055): CVSS 9.3 out-of-bounds read via SAML IdP configuration leaks admin session IDs. Added to CISA KEV March 30 with April 2 remediation deadline
  • n8n workflow platform CVSS 10.0 RCE (CVE-2026-21858): Unauthenticated attackers can leak database credentials and escalate to full RCE. Approximately 59,500 servers remain vulnerable
  • Prompt injection surges 340% year-over-year: OWASP ranks prompt injection as the #1 LLM vulnerability category. Indirect injection now accounts for 55% of observed attacks with 20-30% higher success rates
  • French Ministry of Agriculture hit by Lapsus$: 60.9 GB of stolen data including FTP credentials, SQL databases, and application logs spanning 32 departments published to BreachForums
  • Qilin dominates Q1 2026 ransomware: 342 victims across three months with advanced EDR-killing capabilities targeting 300+ drivers from virtually every major security vendor

Critical Vulnerabilities

CVE-2026-20093: Cisco IMC Authentication Bypass (CVSS 9.8)

Incorrect handling of password change requests in Cisco Integrated Management Controller allows an unauthenticated remote attacker to send crafted HTTP requests to alter passwords of any user, including the admin account, gaining full administrative control. Because IMC operates below the OS layer with persistent out-of-band access, compromise grants hardware-level control that survives operating system reinstallation.

  • CVSS: 9.8 (Critical)
  • CWE: Improper Authentication
  • Exploitation status: No confirmed wild exploitation yet. Patch available
  • Action: Patch immediately, audit IMC access logs for unauthorized password changes
  • Source: The Hacker News | Help Net Security

CVE-2026-20160: Cisco SSM On-Prem RCE (CVSS 9.8)

Unintentional exposure of an internal service in Cisco Smart Software Manager On-Prem allows an unauthenticated attacker to send crafted requests to the exposed API, enabling command execution with root-level privileges.

  • CVSS: 9.8 (Critical)
  • Patch: SSM On-Prem version 9-202601
  • Action: Upgrade immediately, review network segmentation around SSM instances
  • Source: SecurityWeek | SecPod

CVE-2026-3055: Citrix NetScaler ADC/Gateway (ACTIVELY EXPLOITED)

Out-of-bounds read in NetScaler ADC/Gateway when configured as a SAML Identity Provider. Attackers send crafted SAMLRequest payloads to /saml/login that omit the AssertionConsumerServiceURL field, triggering a memory leak via the NSC_TASS cookie. Leaked data includes admin session IDs, enabling full appliance takeover.

  • CVSS: 9.3 (Critical)
  • Affected: Versions before 14.1-66.59, before 13.1-62.23, and before 13.1-37.262
  • Exploitation status: Active exploitation since March 27, 2026. Added to CISA KEV March 30
  • CISA deadline: April 2, 2026 (PAST DUE)
  • Action: Patch immediately if not already done, audit SAML IdP configurations
  • Source: Rapid7 | The Hacker News
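
A defender-side triage of logged SAMLRequest values for the condition described above, as an added example (not code from Citrix, Rapid7 or the original brief). It assumes the raw SAMLRequest parameter can be extracted from proxy or appliance logs; the function names and the sample requests are constructed for illustration.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import unquote

AUTHN_REQUEST = "{urn:oasis:names:tc:SAML:2.0:protocol}AuthnRequest"
MAX_XML = 64 * 1024  # cap on decoded size; logged payloads are untrusted input


def decode_saml_request(value):
    """Decode a logged SAMLRequest: base64 (POST) or base64 + raw DEFLATE (Redirect)."""
    raw = base64.b64decode(unquote(value))
    if raw.startswith(b"<"):  # HTTP-POST binding carries plain XML
        return raw[:MAX_XML]
    return zlib.decompressobj(-15).decompress(raw, MAX_XML)


def triage(value):
    """Classify one SAMLRequest value as 'ok', 'missing-acs-url' or 'rejected'."""
    try:
        xml = decode_saml_request(value)
        if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
            return "rejected"  # never hand DTDs/entities to the stdlib parser
        root = ET.fromstring(xml)
    except (ValueError, zlib.error, ET.ParseError):
        return "rejected"
    if root.tag != AUTHN_REQUEST:
        return "rejected"
    # The attribute is optional in SAML 2.0, so its absence is a triage
    # signal to correlate with other evidence, not proof of exploitation.
    return "ok" if "AssertionConsumerServiceURL" in root.attrib else "missing-acs-url"


def _sample(acs_attr, deflate):
    """Build a constructed AuthnRequest (sp.example.test is a placeholder host)."""
    xml = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           f'ID="_constructed" Version="2.0" IssueInstant="2026-04-06T00:00:00Z"{acs_attr}/>')
    data = xml.encode()
    if deflate:
        c = zlib.compressobj(-1, zlib.DEFLATED, -15)
        data = c.compress(data) + c.flush()
    return base64.b64encode(data).decode()


# Constructed sample values, one per case the triage distinguishes.
WITH_ACS = _sample(' AssertionConsumerServiceURL="https://sp.example.test/acs"', True)
WITHOUT_ACS = _sample("", True)        # Redirect binding, attribute omitted
WITHOUT_ACS_POST = _sample("", False)  # POST binding, attribute omitted
```

Requests classified as missing-acs-url are worth correlating with the active-exploitation window noted below (since March 27, 2026) and with any admin sessions opened from the same source.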

CVE-2026-21858: n8n Workflow Platform RCE ("Ni8mare", CVSS 10.0)

Unauthenticated attackers with access to n8n web forms can leak internal files including database credentials and secret keys, then escalate to full RCE via the Execute Command node. Estimated 100,000+ servers impacted globally with approximately 59,500 still vulnerable.

  • CVSS: 10.0 (Critical, maximum)
  • Patch: Upgrade to n8n v1.121.0+
  • Action: Patch immediately, audit web form exposure, rotate all credentials
  • Source: Cyera Research

CVE-2026-25536: MCP SDK Cross-Client Data Leak

High-severity vulnerability in MCP TypeScript SDK versions 1.10.0 through 1.25.3 where a single McpServer instance with StreamableHTTPServerTransport leaks responses across client boundaries. One client receives another client's data.

  • CVSS: High
  • Patch: MCP TypeScript SDK v1.25.4+
  • Action: Upgrade MCP SDK, audit for multi-tenant deployments
  • Source: Practical DevSecOps

CISA KEV Status

CVE           | Product              | Added    | Deadline
CVE-2026-3055 | Citrix NetScaler     | March 30 | April 2 (!)
CVE-2026-5281 | Chrome (Dawn/WebGPU) | April 1  | April 15
CVE-2026-3502 | TrueConf Client      | April 2  | April 16

AI Security Threats

Reasoning Models as Autonomous Jailbreak Agents

A Nature Communications study found that large reasoning models (DeepSeek-R1, Gemini 2.5 Flash) can independently plan and execute multi-turn jailbreak strategies against other AI models, achieving a 97.14% overall jailbreak success rate. The models autonomously develop attack plans, adapt strategies when initial attempts fail, and iterate until defenses break. This converts jailbreaking from a specialized human skill into an inexpensive, fully automated activity available to anyone with API access.

  • Significance: Jailbreak-as-a-service is now trivially automatable using reasoning models
  • Defense gap: Current guardrails were designed against human adversaries, not adaptive reasoning agents
  • Source: Nature Communications | CyberArk

Prompt Injection: 340% Year-over-Year Surge

Wiz Research tracked a 340% year-over-year increase in documented prompt injection attempts against enterprise AI systems in Q4 2025, with successful attacks (causing data exfiltration or unauthorized action) up 190%. OWASP's March 2026 LLM Security Project now classifies prompt injection as the #1 severity vulnerability category for deployed language models. The UK NCSC issued a formal assessment warning that prompt injection may never be fully mitigated, characterizing LLMs as "inherently confusable deputies."

  • Indirect injection dominance: Now 55% of observed attacks, with 20-30% higher success rates than direct injection
  • Microsoft Copilot "Reprompt" attack: Session hijacking and sensitive data exfiltration through prompt injection in Copilot Personal
  • Unit 42 wild observations: Palo Alto documented web-based indirect prompt injection targeting AI agents in production
  • Source: Prompt Injection Statistics | Unit 42 | OpenAI

MCP Vulnerability Explosion: 30+ CVEs in 6 Weeks

In January and February 2026 alone, researchers documented over 30 CVEs in MCP-related systems. Over 8,000 MCP servers are exposed on the public internet, with 43% having at least one vulnerability. A dedicated vulnerability database (vulnerablemcp.info) was established to track the growing list. Palo Alto Unit 42 disclosed new prompt injection attack vectors through MCP sampling, and the Postmark MCP supply chain breach demonstrated how a compromised npm package could direct MCP servers to blind-copy every outgoing email to attackers.

  • CVE-2026-25536: MCP SDK cross-client data leak (see Critical Vulnerabilities above)
  • Structural gap: No major framework cryptographically verifies MCP payloads for authenticity, modification, or replay
  • Source: Unit 42 | Vulnerable MCP Project | Red Hat

Agentic AI: 88% of Organizations Report Security Incidents

88% of organizations reported a confirmed or suspected AI agent security incident in the last year (92.7% in healthcare). Despite 82% of executives believing their policies provide protection, only 21% have actual visibility into what agents access. Shadow AI breaches now cost an average of $4.63 million per incident, with 80.9% of technical teams having active agent deployments but only 14.4% going live with full security approval.

  • $45M crypto AI trading agent breach: Protocol-level weaknesses in AI trading agents triggered losses, with attackers targeting agents' long-term memory
  • Memory poisoning: Lakera AI demonstrated how indirect prompt injection via poisoned data sources can corrupt an agent's long-term memory, causing persistent false beliefs about security policies
  • 48% predict agentic AI as top attack vector by end of 2026
  • Source: Dark Reading | Help Net Security | KuCoin

AI-Generated Code: 2.74x More Vulnerabilities

Veracode's GenAI Code Security Report found AI-generated code contains 2.74 times more vulnerabilities than human-written code across 100+ LLMs and 4 languages. 45% of samples introduced OWASP Top 10 vulnerabilities. At least 35 new CVE entries in March 2026 were the direct result of AI-generated code (up from 6 in January and 15 in February). Injection flaws account for 33.1% of confirmed AI code vulnerabilities. One in five organizations using vibe-coding platforms face systemic security risks.

LiteLLM Supply Chain Attack: AI Infrastructure as Single Point of Failure

TeamPCP first compromised Trivy (a security scanner) to obtain LiteLLM maintainer credentials, then published two malicious versions (1.82.7, 1.82.8) to PyPI. The library gets 3.4 million downloads per day. Malicious versions harvested environment variables, API keys, SSH keys, cloud credentials (AWS/GCP/Azure), Kubernetes configs, CI/CD secrets, and database credentials. This cascaded into the Mercor breach, compromising AI training data supplied to Anthropic, OpenAI, and Meta.

  • CVE-2026-35030: Critical authentication bypass affecting JWT-enabled LiteLLM deployments. Fixed in v1.83.0
  • Source: SIG | HeroDevs

Threat Actor Activity

UNC4736 (North Korea): $285M Drift Protocol Heist

On April 1, 2026, DPRK-linked UNC4736 drained approximately $285 million from Drift Protocol (Solana's largest decentralized perpetual futures exchange) in approximately 12 minutes. The operation began six months earlier in fall 2025. Attackers built trust by attending conferences in person using intermediaries with constructed identities, deposited over $1M, integrated an Ecosystem Vault, then compromised developer devices via a malicious TestFlight app and a VSCode/Cursor vulnerability to obtain multisig approvals. Largest DeFi hack of 2026.

UNC1069 (North Korea): Axios npm Supply Chain Compromise

North Korean UNC1069 spent weeks building a fake company identity with an active LinkedIn presence and Microsoft Teams meetings to socially engineer the Axios npm maintainer. Compromised versions (1.14.1, 0.30.4) introduced a cross-platform RAT via a postinstall hook, affecting Windows, macOS, and Linux. With approximately 100 million weekly downloads, this is one of the most consequential supply chain attacks in JavaScript ecosystem history.

APT28 (Russia): Operation Neusploit

APT28 weaponized CVE-2026-21509 (Microsoft Office security feature bypass) just 3 days after public disclosure, targeting maritime and transport organizations across Poland, Slovenia, Turkey, Greece, UAE, and Ukraine. A concentrated 72-hour spear-phishing campaign delivered 29+ distinct emails across 9 nations. Deployed MiniDoor (Outlook VBA backdoor) and PixyNetLoader with Covenant C2 infrastructure.

Sandworm (Russia): DynoWiper Attack on Poland's Power Grid

ESET attributed the December 29-30, 2025 attack on Poland's power grid to Sandworm (medium confidence). Targeted two combined heat and power plants plus renewable energy management systems using newly discovered DynoWiper malware. The attack was thwarted but could have affected 500,000 people. Occurred on the 10th anniversary of Sandworm's Ukrainian power grid blackout.

Iranian Cyber Escalation Post-Strikes

Following US/Israel coordinated strikes on Iran (February 28, 2026), 60+ Iranian-aligned cyber groups activated within hours, targeting US and allied critical infrastructure with DDoS, reconnaissance against industrial systems, destructive malware, and credential-harvesting campaigns. Handala group disrupted manufacturing, order processing, and shipping at Stryker Corp (medical devices) on March 11.


Ransomware & Data Breaches

Weekly Ransomware Metrics

Metric                      | Value
Weekly victims (first week) | 168 across 43 countries
Active operators            | 31 data-leaking groups (3 newly found)
March 2026 total            | 808 victims (19% jump from February)
Q1 2026 dominant group      | Qilin: 342 victims, EDR-killer malware
Active ransomware groups    | 65 distinct operators (up from 54 in Feb)
Annualized 2026 pace        | 8,660+ victims (18.5% over 2025)

Notable Incidents

Target                         | Operator       | Details
French Ministry of Agriculture | Lapsus$        | 60.9 GB: FTP creds, SQL DBs, logs across 32 departments
Nissan Motor Corp              | Everest        | 910 GB via third-party file transfer; dealership and loan data
Drift Protocol                 | UNC4736 (DPRK) | $285M drained in 12 minutes after 6-month social engineering op
Hims and Hers Health           | Unknown        | Zendesk support system breached via social engineering
Minot, ND Water Treatment      | Unknown        | Forced manual operations; FBI investigating
Stryker Corp                   | Handala (Iran) | Manufacturing and shipping disrupted March 11
AXCERA.IO                      | Lapsus$        | Claimed April 5, details emerging

Ransomware Ecosystem Evolution

The ransomware ecosystem continues to demonstrate antifragile properties. Black Basta collapsed in Q1 but its criminal capabilities quickly reappeared through affiliate migration and code reuse. Hunters International rebranded to World Leaks despite announcing shutdown. Two US cybersecurity professionals pleaded guilty to running ransomware operations, highlighting insider threat risks. The ecosystem expanded from 54 to 65 active groups in a single month.


Recommended Actions

Immediate (24-48 hours)

  1. Patch Cisco IMC and SSM On-Prem: CVE-2026-20093 and CVE-2026-20160 are both CVSS 9.8. IMC compromise persists below the OS layer
  2. Verify Citrix NetScaler patches: CVE-2026-3055 is actively exploited and the CISA KEV deadline (April 2) has already passed
  3. Audit n8n deployments: CVE-2026-21858 is CVSS 10.0 with 59,500 vulnerable servers. Upgrade to v1.121.0+ immediately
  4. Verify Axios npm versions: Remove versions 1.14.1 and 0.30.4 from all environments. Run npm audit across all projects
  5. Continue FortiClient EMS monitoring: CVE-2026-35616 exploitation ongoing. Verify hotfix applied, audit logs back to March 31

Short-Term (This Week)

  1. Upgrade MCP TypeScript SDK: CVE-2026-25536 leaks cross-client data. Upgrade to v1.25.4+
  2. Audit LiteLLM deployments: Verify no malicious versions (1.82.7, 1.82.8) are cached. Upgrade to v1.83.0+, rotate all API keys and credentials
  3. Review AI agent access controls: 88% of organizations had agent security incidents, only 21% have visibility into agent access
  4. Prepare for April Patch Tuesday: April 14, expect 80-100+ Microsoft vulnerabilities
  5. Scan for Qilin IOCs: Dominant Q1 group with EDR-killing capabilities targeting 300+ security product drivers
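
One way to carry out the Axios and LiteLLM version checks from the two action lists above, as an added example rather than code from the original brief. It assumes an npm lockfile in v2/v3 format and `pip freeze`-style pins; the function names and sample inputs are constructed for illustration.

```python
import json
import re

# Malicious releases named in this brief (ecosystem -> package -> versions).
BAD = {
    "npm": {"axios": {"1.14.1", "0.30.4"}},
    "pypi": {"litellm": {"1.82.7", "1.82.8"}},
}
PIN = re.compile(r"^\s*([A-Za-z0-9._-]+)(?:\[[^\]]*\])?\s*==\s*([^\s;#]+)")


def scan_package_lock(text):
    """Return (lock path, version) for every resolved copy of a bad npm release.

    Lockfile v2/v3 lists each installed copy under "packages", so nested
    transitive copies (node_modules/x/node_modules/axios) are checked too.
    """
    hits = []
    for path, meta in json.loads(text).get("packages", {}).items():
        name = path.rpartition("node_modules/")[2]
        if meta.get("version") in BAD["npm"].get(name, ()):
            hits.append((path, meta["version"]))
    return hits


def install_script_packages(text):
    """List lock entries flagged hasInstallScript (they run code at install time)."""
    pkgs = json.loads(text).get("packages", {})
    return sorted(p for p, m in pkgs.items() if m.get("hasInstallScript"))


def scan_pip_pins(text):
    """Return (name, version) for bad PyPI pins in `pip freeze` / requirements text."""
    hits = []
    for line in text.splitlines():
        m = PIN.match(line)
        if m:
            name = re.sub(r"[-_.]+", "-", m.group(1)).lower()  # PEP 503 normalisation
            if m.group(2) in BAD["pypi"].get(name, ()):
                hits.append((name, m.group(2)))
    return hits


# Constructed sample inputs (not taken from any real project).
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/axios": {"version": "1.13.0"},
    "node_modules/sdk/node_modules/axios": {"version": "0.30.4"},
    "node_modules/native-thing": {"version": "2.0.0", "hasInstallScript": True},
}})
SAMPLE_FREEZE = "requests==2.32.3\nLiteLLM[proxy]==1.82.8  # cached wheel\nlitellm==1.83.0\n"
```

A clean lockfile does not clear a host where a bad version was installed earlier; any hit, or any build log showing those versions, should lead to the credential rotation listed above.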

Strategic

  1. Implement AI agent telemetry: Agent activity is invisible in default logging. Deploy agent-specific audit trails with identity binding
  2. Establish MCP security posture: Audit all MCP integrations, implement payload verification, restrict exposed MCP servers
  3. Harden software supply chain: Pin dependency versions, enable lockfile integrity checks, monitor for maintainer account compromise patterns (the Axios and LiteLLM attacks both succeeded via social engineering of maintainers)
  4. Evaluate AI code review automation: AI-generated code has 2.74x more vulnerabilities. Implement automated security scanning in CI/CD for all AI-assisted development
  5. Review DeFi and cryptocurrency exposure: North Korean operations are becoming more sophisticated with 6-month timelines and in-person social engineering
