APT campaigns, nation-state threats, and security advisories analyzed through a third-party risk management lens.
North Korean threat group UNC1069 is targeting Node.js core maintainers with fabricated LinkedIn and Slack identities, aiming to embed malware in popular npm modules. The supply‑chain attack could affect any organization that relies on compromised packages, making third‑party risk oversight essential.
Device‑code phishing attacks that abuse the OAuth 2.0 Device Authorization Grant have increased more than 37× in 2026, driven by kits such as EvilTokens, VENOM, and others. The kits lower the barrier for credential theft, threatening any third‑party service that supports the flow.
ShinyHunters announced the resurrection of BreachForums after hacking its own hosting server and selling the full database for $10k. The new admin released 918 historic breach dumps—including credentials, payment cards and health data—free on Telegram, dramatically expanding the attack surface for third‑party vendors.
Enterprises are struggling to move generative AI pilots like Microsoft 365 Copilot into production, creating unmanaged “shadow AI” that bypasses security controls. This advisory outlines the associated third‑party risk and mitigation steps.
Recorded Future reports that fraudsters are increasingly hijacking SMS‑based one‑time passcodes to bypass MFA, enabling account takeover and payment fraud across banks and payment processors. The trend highlights a critical weakness in OTP‑centric authentication that third‑party risk programs must address.
Rising DRAM costs have pushed users toward virtual RAM on Windows 11 PCs. While it offers modest speed bumps, virtual RAM cannot replace physical memory and may increase storage wear, a consideration for third‑party risk managers.
Threat actors are leveraging high‑profile brand impersonation to lure job seekers into a fake scheduling flow that captures Google Workspace passwords and defeats two‑factor authentication. Organizations using Google services should tighten verification processes and enforce hardware‑based MFA.
Unit 42’s research reveals that malicious prompts can compromise Amazon Bedrock’s multi‑agent framework, exposing data and enabling unauthorized tool execution when Guardrails are misconfigured. Third‑party risk programs must verify AI guardrail settings and incorporate prompt‑injection testing.
Privacy labels on mobile apps are currently inconsistent and vague, making it difficult for users and enterprises to assess data‑handling practices. This lack of transparency creates compliance and reputational risks for organizations that rely on third‑party apps.
LinkedIn injects undisclosed JavaScript that silently detects thousands of Chrome extensions and gathers detailed device information, linking the data to user profiles. The practice creates privacy‑compliance and competitive‑intelligence risks for enterprises that rely on the platform for recruiting and sales outreach.
The FCC has moved to fine Voxbeam Telecommunications $4.5 million for routing unauthorized foreign call traffic that spoofed major banks, highlighting a compliance gap that can expose downstream partners to large‑scale financial‑impersonation scams.
TA416, a China‑aligned threat group, has been targeting European government and diplomatic organizations since mid‑2025 using OAuth‑based phishing and the PlugX remote‑access trojan. The campaign threatens third‑party risk by compromising credentials and establishing persistent footholds in public‑sector supply chains.
Threat actors altered the Axios HTTP client and injected malicious code into the Trivy security scanner, exposing millions of downstream organizations that rely on these open‑source components. The incidents highlight the systemic risk of third‑party dependencies and the need for rigorous supply‑chain controls in third‑party risk programs.
FortiGuard Labs reports a high‑severity espionage campaign where North Korean actors used malicious GitHub repositories and CI/CD pipelines to harvest credentials and exfiltrate proprietary source code from South Korean firms, highlighting a critical supply‑chain risk for third‑party development platforms.
Two compromised Axios npm releases (v1.14.1 and v0.30.4) were published on March 31, 2026, each containing a post‑install script that fetched a platform‑specific remote‑access trojan. The supply‑chain breach puts any organization that depends on the library at risk of credential exfiltration and further lateral attacks, making rapid remediation essential for third‑party risk management.
Google has introduced native Google Meet support for Apple CarPlay, enabling audio‑only meetings from the car’s infotainment screen. The limited feature set removes video and chat functions to keep drivers focused, but it creates new data‑in‑transit paths that third‑party risk managers should evaluate.
ZDNet’s hands‑on review finds the $84 MSI Pro MP243W delivers acceptable performance for everyday office tasks, but its limited brightness and speaker quality mean organizations should verify firmware update policies before large‑scale deployment.
ZDNet’s side‑by‑side review of the Oura Ring and Apple Watch highlights continuous biometric monitoring and cloud syncing, raising privacy and third‑party risk concerns for organizations allowing wearables in the workplace.
Security researchers discovered the NoVoice Android malware hidden in 50 Google Play applications, collectively downloaded over 2.3 million times. The infection targets outdated devices and bypasses Google’s automated scans, raising supply‑chain risk for enterprises that allow third‑party mobile apps.
Microsoft Defender researchers reveal a novel technique where attackers use HTTP cookies to command PHP web shells on Linux servers, persisting via cron jobs. The approach bypasses typical URL‑parameter filters and threatens any third‑party service running PHP, raising urgent TPRM concerns.
Mercor, an AI SaaS vendor, disclosed a breach after a malicious LiteLLM update enabled attackers to steal roughly 4 TB of proprietary data and internal systems, highlighting critical supply‑chain risks for third‑party risk managers.