Weekly Cyber Briefing 03.04.2026

Weekly Cyber Update: 03 April 2026

Updates urged for BIG-IP and FortiClient EMS customers; open-source attackers hijack Axios and Telnyx; and the NCSC warns high-risk individuals about Russian messaging threats

The Cyber Threat Intelligence Briefing is a weekly round-up of the latest cybersecurity news, trends and indicators, curated by our CISO, Nick Harris. Here’s our pick of the top stories, and why you should care.


NCSC urges organisations to patch critical BIG-IP flaw

The National Cyber Security Centre (NCSC) has encouraged F5 customers to urgently patch a critical vulnerability in the firm’s BIG-IP Access Policy Manager (APM) product. CVE-2025-53521 is under active exploitation and could lead to remote code execution “when a BIG-IP APM access policy is configured on a virtual server.” It was originally classed as a denial-of-service vulnerability with a CVSS score of 7.5, but then re-categorised in March with a score of 9.8.

Why it matters

As of Thursday, an estimated 14,000 BIG-IP APM instances were still exposed online. Given that BIG-IP APM manages user access to enterprise apps, threat actors could exploit RCE for long-term, persistent access.

Assured’s recommended action

Follow F5’s advice on patching and investigating for evidence of compromise. If this isn’t possible, the affected system should be “erased/destroyed and rebuilt as new”.


Axios supply chain attack delivers RATs at scale

Suspected North Korean hackers have hijacked an open source maintainer’s account to deliver remote access Trojans (RATs) via one of the most popular npm packages around. Axios is a JavaScript library downloaded over 100 million times a week. With access to the maintainer’s account, the threat actors published malicious package versions v1.14.1 and v0.30.4 that feature cross-platform RATs.

Why it matters

Google has warned of a potentially extensive blast radius from this attack, given the number of popular packages with dependencies on Axios. CI/CD pipelines and/or developers may have automatically pulled and executed the malware without any human intervention, during the window of compromise. The RAT malware may have hoovered up secrets to deliver access to production and cloud systems.

Assured’s recommended action

Check lockfiles (package-lock.json, yarn.lock, or pnpm-lock.yaml) to see if plain-crypto-js, Axios v1.14.1, or Axios v0.30.4 are present. Hunt for IoCs across developer machines and CI/CD infrastructure. Rotate credentials and remediate exposed systems.


TeamPCP compromises Telnyx package to spread malware

Notorious cybercrime group TeamPCP has continued to launch new campaigns targeting the open-source ecosystem. Hot on the heels of its Trivy compromise last week, it compromised the popular Telnyx package on PyPI to spread credential-stealing malware hidden inside a WAV file. The malware was disguised inside versions 4.87.1 and 4.87.2.

Why it matters

Telnyx is a popular PyPI package with 740,000 monthly downloads, suggesting the campaign could have a broad reach. The malware in question reportedly steals SSH keys, credentials, cloud tokens, cryptocurrency wallets, environment variables, and other secrets. It’s virtually invisible to traditional scanning tools.

Assured’s recommended action

Scan for affected Telnyx versions (4.87.1 and 4.87.2), assume full compromise of the developer environment, and immediately rotate any affected secrets.
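An added example (not from the briefing, Axios or Telnyx) covering both the Axios lockfile check above and the Telnyx check here: it walks an npm package-lock.json (v1, v2 or v3 layout, nested copies included) and a pip freeze listing for the package versions named in this briefing. The lookup tables and sample inputs are constructed for illustration.

```python
import json

# Package versions named in this briefing (constructed lookup table, not a vendor feed).
# None means "flag any version" (the package is not expected in the tree at all).
BAD_NPM = {"axios": {"1.14.1", "0.30.4"}, "plain-crypto-js": None}
BAD_PYPI = {"telnyx": {"4.87.1", "4.87.2"}}

def _is_bad(table, name, version):
    name = name.lower()
    if name not in table:
        return False
    return table[name] is None or version in table[name]

def scan_package_lock(lock_text):
    """Return sorted (name, version) hits from package-lock.json v1, v2 or v3."""
    lock = json.loads(lock_text)
    hits = set()
    # v2/v3: flat "packages" map keyed by install path, nested copies included
    for path, meta in lock.get("packages", {}).items():
        if path:  # "" is the root project entry
            name = path.split("node_modules/")[-1]
            if _is_bad(BAD_NPM, name, meta.get("version", "")):
                hits.add((name, meta.get("version", "")))
    # v1 (and the v2 compatibility section): nested "dependencies" tree of objects
    def walk(deps):
        for name, meta in deps.items():
            if _is_bad(BAD_NPM, name, meta.get("version", "")):
                hits.add((name, meta.get("version", "")))
            walk(meta.get("dependencies", {}))
    walk(lock.get("dependencies", {}))
    return sorted(hits)

def scan_pip_freeze(freeze_text):
    """Return (name, version) hits from `pip freeze` output or pinned requirements."""
    hits = []
    for line in freeze_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        if "==" in line:
            name, version = (s.strip() for s in line.split("==", 1))
            if _is_bad(BAD_PYPI, name, version):
                hits.append((name.lower(), version))
    return hits

# Constructed sample inputs: a v3 lockfile with a nested bad copy, and a pip freeze listing
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app"},
    "node_modules/axios": {"version": "1.14.1"},
    "node_modules/left-pad": {"version": "1.3.0"},
    "node_modules/some-lib/node_modules/plain-crypto-js": {"version": "0.0.1"}}})
SAMPLE_FREEZE = "requests==2.32.3\ntelnyx==4.87.2\nnumpy==2.1.0  # pinned\n"
```

Run the two scanners over every lockfile and virtual environment on developer machines and CI runners; a hit in a nested `node_modules` path is just as actionable as one at the top level.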


NCSC warns of message app threats targeting high-risk individuals

The NCSC has warned organisations to be on the lookout for threats to executives from messaging apps such as WhatsApp, Messenger and Signal. It pointed to an uptick in Russian state-backed efforts to compromise accounts by:

  • Tricking users into sharing logins or account recovery codes
  • Adding threat actor devices to the targeted account without users noticing
  • Joining group chats without detection
  • Impersonating someone known to the victim
  • Phishing victims using malicious links or QR codes

Why it matters

With covert access to messaging accounts, threat actors could silently monitor highly sensitive executive conversations, potentially exposing IP and trade secrets and increasing compliance risk.

Assured’s recommended action

Update policies to mandate use of corporate secure messaging services for executive comms. Enable passkeys or MFA on all messaging accounts. Update education/awareness programmes to remind users not to share sensitive information via messaging apps. Advise using disappearing messages on personal accounts. Consult NCSC guidance on protecting accounts/devices of high-risk individuals.


Attackers exploit critical vulnerability in Fortinet’s FortiClient EMS

Threat actors are exploiting a critical vulnerability in Fortinet’s FortiClient EMS platform to execute arbitrary commands. CVE-2026-21643 is a SQL injection flaw with a CVSS score of 9.8 that could allow unauthenticated attackers to execute unauthorised code via specially crafted HTTP requests.

Why it matters

By hijacking organisations’ endpoint management infrastructure, threat actors could push malicious updates to endpoints and launch deeper attacks into cloud systems, for possible espionage and ransomware.

Assured’s recommended action

Upgrade to version 7.4.5 or later, or at least disconnect the administrative web interface from the internet. Hunt for IoCs: HTTP 500 errors on the /api/v1/init_consts endpoint; unusual database error messages in PostgreSQL logs; and unauthorised remote monitoring and management tools.
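As an added example (not from the briefing or from Fortinet), the HTTP-side hunt above as detection logic run over constructed access-log lines: it groups 500 responses on /api/v1/init_consts by client IP. It assumes an Apache/NGINX-style combined log format in front of the EMS web interface; the product's own log layout may differ, so the regex is the part to adjust.

```python
import re
from collections import defaultdict

# Assumes an Apache/NGINX-style combined access log; adjust LOG_RE for other layouts.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
WATCH_PATH = "/api/v1/init_consts"

def find_init_consts_500s(log_text, min_hits=1):
    """Group HTTP 500 responses on the watched endpoint by client IP.

    Returns {ip: {"count": n, "first": ts, "last": ts}} for IPs at or above min_hits.
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than silently miscount
        path = m.group("path").split("?", 1)[0]  # ignore any query string
        if path == WATCH_PATH and m.group("status") == "500":
            by_ip[m.group("ip")].append(m.group("ts"))
    return {ip: {"count": len(ts), "first": ts[0], "last": ts[-1]}
            for ip, ts in by_ip.items() if len(ts) >= min_hits}

# Constructed sample lines (RFC 5737 documentation addresses, not real IoCs)
SAMPLE_LOG = """\
203.0.113.5 - - [02/Apr/2026:10:15:01 +0000] "POST /api/v1/init_consts HTTP/1.1" 500 512
203.0.113.5 - - [02/Apr/2026:10:15:02 +0000] "POST /api/v1/init_consts HTTP/1.1" 500 512
198.51.100.7 - - [02/Apr/2026:10:15:03 +0000] "GET /api/v1/init_consts HTTP/1.1" 200 2048
203.0.113.5 - - [02/Apr/2026:10:15:04 +0000] "POST /api/v1/init_consts?x=1 HTTP/1.1" 500 512
198.51.100.7 - - [02/Apr/2026:10:15:05 +0000] "GET /api/v1/other HTTP/1.1" 500 100
garbage line that does not parse
"""
```

Pair the per-IP hits with the timestamps of any unusual PostgreSQL error messages and of RMM tool installs on the same host to build the incident timeline.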
