Recent days have seen a surge in high-profile cybersecurity incidents, including sophisticated supply chain attacks and large-scale financial frauds targeting individuals and corporations. This report examines key events, technical details, and mitigation strategies.
Axios NPM Package Compromise
On March 30, 2026, security researchers discovered that the Axios NPM package, a popular HTTP client library, had been compromised through an account takeover targeting a lead maintainer. Threat actors linked to North Korea hijacked the maintainer's NPM account and changed its associated email address, which let them sidestep the GitHub Actions CI/CD protections and publish two malicious versions manually via the NPM CLI. The compromised versions injected a hidden dependency ([email protected]) that acted as a cross-platform Remote Access Trojan (RAT) dropper for macOS, Windows, and Linux systems.
The dropper contacted a command-and-control (C2) server (sfrclak[.]com) to fetch platform-specific payloads, then deleted itself and replaced its package.json with a clean version to evade detection. Zscaler's ThreatLabz recommends reviewing dependency files (package.json, package-lock.json, yarn.lock) for suspicious entries, downgrading to known clean versions, and monitoring for connections to the malicious domain. Additional measures include using private registry proxies, enforcing strict dependency controls, and applying least privilege principles. The incident underscores the need for robust supply chain security and continuous monitoring to detect and respond to such threats.
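The dependency-file review recommended above can be automated against a lockfile. The following Node.js script is an added example, not code from the Axios project or from ThreatLabz; the blocklist entry, the pinned clean version and the lockfile fragment are constructed placeholders, and it relies on the `hasInstallScript` flag that npm writes into lockfile v2/v3 `packages` entries.

```javascript
// Audit an npm package-lock.json (lockfile v2/v3 "packages" map) for signs of a
// poisoned dependency tree: blocklisted name@version pairs, drift from a
// pinned clean version, install hooks, and tarballs resolved outside the
// trusted registry. Constructed example; not the Axios project's own code.

// Constructed blocklist (placeholder name/version, not a real indicator).
const KNOWN_BAD = { "example-hidden-dep": new Set(["1.0.0"]) };

// Versions the organisation has verified as clean (placeholder values).
const PINNED_CLEAN = { axios: "1.0.0" };

// A private registry proxy would be configured here instead (assumption).
const TRUSTED_REGISTRY = "https://registry.npmjs.org/";

function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry, not a dependency
    // Path is ".../node_modules/<name>"; the slice keeps scoped names intact.
    const marker = "node_modules/";
    const name = entry.name || path.slice(path.lastIndexOf(marker) + marker.length);
    const version = entry.version;
    if (KNOWN_BAD[name] && KNOWN_BAD[name].has(version))
      findings.push({ name, version, reason: "matches known-bad blocklist" });
    if (PINNED_CLEAN[name] && PINNED_CLEAN[name] !== version)
      findings.push({ name, version, reason: `differs from pinned clean ${PINNED_CLEAN[name]}` });
    if (entry.hasInstallScript)
      findings.push({ name, version, reason: "has install/postinstall script" });
    if (entry.resolved && !entry.resolved.startsWith(TRUSTED_REGISTRY))
      findings.push({ name, version, reason: `resolved outside trusted registry: ${entry.resolved}` });
  }
  return findings;
}

// Constructed lockfile fragment mimicking a poisoned install.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", version: "0.1.0" },
    "node_modules/axios": { version: "1.0.1",
      resolved: "https://registry.npmjs.org/axios/-/axios-1.0.1.tgz" },
    "node_modules/example-hidden-dep": { version: "1.0.0", hasInstallScript: true,
      resolved: "https://registry.npmjs.org/example-hidden-dep/-/example-hidden-dep-1.0.0.tgz" },
    "node_modules/left-pad": { version: "1.3.0",
      resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz" },
  },
};

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

Run it against a real tree with `auditLockfile(JSON.parse(fs.readFileSync("package-lock.json", "utf8")))` once the blocklist and pinned versions hold the organisation's own values.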
Financial Fraud and Social Engineering Scams
Cybercriminals continue to exploit social engineering and impersonation tactics to defraud individuals and corporations. Recent cases include WhatsApp-based CEO fraud, CBI impersonation scams, and interstate cyber gangs leveraging mule accounts for large-scale financial crimes. In Hyderabad, a new WhatsApp fraud scheme targets CEOs, CFOs, and accountants by compromising corporate email accounts via phishing links.
Once the attackers control the corporate account, they exploit active WhatsApp Web sessions and send urgent payment requests posing as executives. Victims are pressured to transfer large sums to fraudulent accounts under the pretense of critical meetings. Hyderabad Police Commissioner VC Sajjanar advised companies to adopt strict verification protocols for transactions and to avoid acting on WhatsApp payment requests without direct confirmation. The fraud highlights the risks of session hijacking and business email compromise (BEC).
Another case involved an interstate cyber gang operating under the guise of ‘Crown Pay,’ a fake investment/trading firm. The group used Telegram to lure victims with lucrative offers and recruited mule account holders across 25 states, siphoning Rs 67 crore through 700 mule accounts. The gang’s modus operandi included APK-based OTP interception, crypto laundering, and document forgery to open current accounts. Ghazipur SP Iraj Raja said the accused, Rishiraj, Rohan Kumar, and Sachin Singh, earned significant sums from the scam. Authorities alerted the MHA and Lucknow Cyber Crime HQ because of the gang’s pan-India operations.
Additionally, a 42-year-old man from Thane lost Rs 71.1 lakh to fraudsters posing as CBI officers. The scam began with a call from a TRAI impersonator, accusing the victim of sending abusive messages. The fraudsters then escalated threats, forging Supreme Court documents and demanding payments to ‘settle’ the case. The victim complied until his wife discovered discrepancies in the documents. The case, registered under the IT Act, highlights the psychological manipulation tactics used in government impersonation scams. Authorities urge victims to verify such claims through official channels.
Public Advisories and Mitigation Strategies
In response to rising cyber threats, law enforcement agencies have issued public advisories to raise awareness and promote preventive measures. The Rajasthan Police Cyber Crime Branch warned citizens against handing over unlocked phones to strangers, citing a surge in call-forwarding scams. Fraudsters at bus stands, railway stations, and tourist spots request phones to make ‘urgent calls’ but instead enable call forwarding, install spyware/keyloggers, and misuse contacts for extortion. Recommendations: (1) Avoid handing over unlocked phones, (2) use speaker mode for stranger-assisted calls, (3) disable call forwarding with ##002#, and (4) secure payment apps with biometric/PIN locks. Report incidents to the cybercrime helpline (1930).
Final words
The incidents documented reflect the evolving tactics of cybercriminals, from supply chain sabotage to psychological manipulation in financial fraud. Organizations must adopt a proactive, layered defense strategy, combining technical controls, user awareness, and rapid incident response. Collaboration between law enforcement, the private sector, and individuals is paramount to mitigate risks. Report incidents via the national cybercrime portal.
