The first week of April 2026 witnessed a surge in high-profile cybersecurity incidents. This roundup consolidates key events, including sophisticated supply chain attacks, large-scale financial frauds, and ransomware attacks on political organizations.
Supply Chain Attacks on Open-Source Libraries
The global software supply chain faced severe disruptions in March 2026, with at least five major attacks targeting popular open-source packages. Two notable incidents involved the Axios NPM package and the LiteLLM PyPI library, both compromised by threat actors to distribute malware or harvest sensitive credentials. These attacks underscore the fragility of open-source ecosystems and the cascading risks posed to downstream users, including enterprises and AI infrastructure providers.
On March 30, 2026, security researchers discovered that the Axios NPM package—a widely used HTTP client—was hijacked via an account takeover attack targeting a lead maintainer. The threat actors, attributed to a North Korean group, bypassed GitHub Actions CI/CD protections by compromising the maintainer’s NPM account and manually publishing two malicious versions via the NPM CLI. These releases injected a hidden dependency, [email protected], which acted as a cross-platform Remote Access Trojan (RAT) dropper for macOS, Windows, and Linux systems.
The malware contacted a command-and-control (C2) server at sfrclak[.]com to deliver platform-specific payloads, then self-deleted and replaced its package.json with a clean version to evade detection. Zscaler’s ThreatLabz has flagged the threat with detection names such as JS.Malicious.npmpackage and OSX.RAT.npmpackage. Organizations are advised to audit dependencies and enforce multi-factor authentication (MFA) for maintainer accounts.
On March 26, 2026, a supply chain attack targeted LiteLLM, a PyPI library with 3.4 million daily downloads, used to interface with AI models. The threat group TeamPCP published two malicious versions of LiteLLM, which were available for three hours before being quarantined. The poisoned packages were designed to harvest high-value secrets, including AWS/GCP/Azure tokens, SSH keys, and Kubernetes credentials, enabling lateral movement in CI/CD environments.

The breach had ripple effects across the AI ecosystem. Mercor, a $10 billion AI startup partnering with Anthropic, OpenAI, and Meta, confirmed a data breach linked to the LiteLLM attack. The incident exposed sensitive data from users, contractors, and clients, with the Lapsus$ group claiming to have leaked internal communications and system records. Mercor has initiated a third-party forensic investigation and is notifying affected parties.
Actionable Recommendations:
- Audit open-source dependencies for suspicious changes or unauthorized maintainer activity.
- Enforce MFA and least-privilege access for package repositories.
- Monitor for unexpected network traffic to known C2 domains (e.g., sfrclak[.]com).
- Use SBOMs (Software Bill of Materials) to track component provenance.
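The third recommendation, monitoring for traffic to the published C2 domain, can be turned into a simple detection pass over DNS resolver logs. The script below is an added example written for this roundup, not code from Zscaler or any of the affected projects; it refangs the defanged indicator from the text, matches the domain and its subdomains (but not look-alike names), and runs over constructed sample log lines in an assumed "timestamp client query qname qtype" format.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Indicator exactly as published in the roundup (defanged); refanged before matching.
DEFANGED_IOCS = ["sfrclak[.]com"]

# Assumed resolver log format: "<timestamp> <client_ip> query <qname> <qtype>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$"
)


@dataclass
class Hit:
    ts: str
    client: str
    qname: str
    ioc: str


def refang(ioc: str) -> str:
    """Convert common defanging ('[.]', '(.)', 'hxxp') back to a matchable domain."""
    return ioc.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http").lower().rstrip(".")


def domain_matches(qname: str, ioc: str) -> bool:
    """True only for the IoC itself or a subdomain of it; 'notsfrclak.com' must not match."""
    q = qname.lower().rstrip(".")
    return q == ioc or q.endswith("." + ioc)


def find_c2_hits(lines: Iterable[str], defanged_iocs: List[str]) -> List[Hit]:
    """Return every well-formed log line whose queried name resolves under a known C2 domain."""
    iocs = [refang(i) for i in defanged_iocs]
    hits: List[Hit] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # lines that do not fit the expected format are skipped, not treated as hits
        for ioc in iocs:
            if domain_matches(m["qname"], ioc):
                hits.append(Hit(m["ts"], m["client"], m["qname"], ioc))
                break
    return hits


# Constructed sample log: one benign registry lookup, two C2 queries, one look-alike, one malformed line.
SAMPLE_LOG = [
    "2026-03-30T09:14:02Z 10.0.4.17 query registry.npmjs.org A",
    "2026-03-30T09:14:05Z 10.0.4.17 query sfrclak.com. A",
    "2026-03-30T09:14:06Z 10.0.4.22 query cdn.sfrclak.com A",
    "2026-03-30T09:14:09Z 10.0.4.31 query notsfrclak.com A",
    "garbage line that should be ignored",
]

if __name__ == "__main__":
    for hit in find_c2_hits(SAMPLE_LOG, DEFANGED_IOCS):
        print(f"{hit.ts} {hit.client} -> {hit.qname} (matches {hit.ioc})")
```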
WhatsApp and Interstate Cyber Fraud
Cybercriminals are leveraging social engineering and malware to target corporate executives and individuals, with losses amounting to crores of rupees. Two prominent cases highlight the evolving tactics: WhatsApp-based CEO fraud in Hyderabad and a Rs 67 crore interstate cyber fraud bust in Varanasi. The Hyderabad Police reported multiple incidents where employees transferred crores of rupees to fraudulent accounts, assuming the messages were legitimate.
In Hyderabad, a sophisticated phishing campaign targeted CEOs, CFOs, and accountants. The attack began with malicious email links that installed malware, granting hackers remote access to executives’ systems. Fraudsters then impersonated senior officials via WhatsApp, sending urgent payment requests to accountants under the pretext of critical meetings. Authorities advise strict verification protocols for financial transactions. Financial fraud is a growing concern, necessitating robust security measures.
In Varanasi, the Ghazipur Cyber Crime Cell arrested three members of an interstate gang operating under the guise of ‘Crown Pay’. The group used Telegram to lure victims with investment, trading, and gaming scams, routing funds through 700 mule accounts across 25 states. The fraudsters befriended individuals in need of cash to open mule accounts using their Aadhaar/PAN details. They registered fake GST/MSME certificates to create current accounts and used APK files to intercept OTPs and transaction alerts. The gang earned Rs 4.25 crore collectively, with seized evidence including 19 SIM cards, 12 ATM cards, and crypto trading IDs. The MHA and Lucknow Cyber Crime HQ have been alerted due to the pan-India scale.
Ransomware and Data Breaches Targeting Political and Corporate Entities
Germany’s Die Linke political party confirmed a ransomware attack by the Qilin group, resulting in the theft of 1.5 terabytes of data, including internal communications and administrative files. While membership databases and donation records appear unaffected, the breach highlights risks to political organizations handling sensitive data. The party has engaged forensic specialists and notified authorities.
Public Advisories on Mobile Phone and OTP Scams
The Rajasthan Police issued a public advisory warning against handing over unlocked phones to strangers, a tactic used in call-forwarding scams. Fraudsters at bus stands, railway stations, and tourist spots request phones to make ‘urgent calls’ but instead:
- Dial USSD codes (e.g., *#21#) to forward OTPs to their numbers.
- Install spyware/keyloggers to steal banking credentials.
- Misuse contacts to extort relatives.
This tactic leverages social engineering to exploit trust. Victims often realize the scam when they receive unexpected OTPs or notice unauthorized transactions.
Preventive Measures:
- Dial numbers yourself and use speaker mode.
- Check call-forwarding status via *#21#; disable with ##002#.
- Secure payment apps with biometric/PIN locks.
Final words
The incidents from March–April 2026 reveal three dominant trends: supply chain vulnerabilities, social engineering evolution, and extortion via leak sites. Organizations must audit dependencies, enforce MFA, and prepare for data leaks. Stay vigilant and subscribe to threat intelligence feeds for real-time updates. Report fraud if encountered.
