the threat gazette
Morning Edition
Vulnerabilities

FortiClient EMS Management Plane Flaw Among Six KEV Additions

CVE-2012-1854 · CVE-2020-9715 · CVE-2023-21529 · CVE-2023-36424 · CVE-2025-60710 · CVE-2026-21643 · Medusa Ransomware · Storm-1175

CISA added six actively exploited vulnerabilities on April 13, with CVE-2026-21643 (Fortinet FortiClient EMS) as the immediate priority. FortiClient EMS is a management plane component — successful exploitation typically grants broad lateral movement capability with visibility into the entire managed endpoint fleet. The same batch includes CVE-2023-21529 (Exchange Server, EPSS 0.59) linked to Medusa ransomware operations, CVE-2020-9715 (Adobe Acrobat, EPSS 0.78 — the highest exploitation probability in the set), and CVE-2012-1854, a 14-year-old VBA flaw still exploitable in unpatched legacy environments. If FortiClient EMS is present in your environment, this is today's work. Exchange with CVE-2023-21529 unpatched is the second priority given Medusa's documented financial sector targeting (see related Medusa story below).

The age range of this KEV batch — 2012 through 2026 — is the story within the story. A 14-year-old VBA vulnerability appearing in KEV in 2026 says more about enterprise patching backlogs than it does about attacker innovation. The flaws that kill you are rarely the ones dominating Patch Tuesday discourse.

2026-04-13
1 source

Editorial

The CISA KEV additions deserve more attention than they'll probably get — not for the CVEs themselves, but for the attribution. Medusa ransomware is now confirmed exploiting both a FortiClient EMS management plane RCE and a three-year-old Exchange Server flaw, with financial sector targeting called out explicitly. When a ransomware operation is chaining a 2023 Exchange bug with a current Fortinet management plane vulnerability against your sector specifically, the question isn't whether you've patched — it's whether every acquisition, subsidiary, and managed service provider in your environment has too. Storm-1175 showing up alongside Medusa in the same KEV batch suggests Microsoft is tracking an access broker pipeline feeding directly into ransomware deployment.

The other thread worth pulling is the sheer density of supply chain stories this week. The Axios npm compromise (maintainer account takeover deploying a cross-platform RAT), the Stardrop campaign targeting VC and AI firms, 108 malicious Chrome extensions, and now the Wiz GitHub Actions threat model all landed within 48 hours. Wiz's contribution is the most strategically interesting: by framing tj-actions and Axios as instances of the same threat class — CI/CD pipeline compromise via trusted dependency manipulation — they're articulating what this week's evidence already shows. The attack surface has migrated from your application code to the toolchain that builds and ships it, and most organizations' security controls haven't followed.

Critical

Ransomware

Medusa Ransomware Confirmed Exploiting Exchange Server with Financial Sector Targeting

CVE-2012-1854 · CVE-2020-9715 · CVE-2023-21529 · CVE-2023-36424 · CVE-2025-60710 · CVE-2026-34621 · Medusa Ransomware · Storm-1175

The same KEV batch carries explicit Medusa ransomware and Storm-1175 attribution, with CVE-2023-21529 (Exchange Server) identified as the primary initial access vector in active ransomware operations. CVE-2025-60710, a Windows link-following privilege escalation, is under active exploitation and likely serves as the LPE component in post-access kill chains. Financial institutions remain a documented primary Medusa target sector, and Storm-1175 has overlapping infrastructure consistent with Medusa affiliate activity. Internet-exposed Exchange with CVE-2023-21529 unpatched is a direct, confirmed Medusa entry vector — this is not a theoretical risk.

2026-04-13
1 source

Supply Chain

Axios npm Supply Chain Attack Deploys Cross-Platform RAT via Maintainer Account Takeover

Continuing from prior reporting with the forensic picture now solidified: attackers compromised an axios maintainer account and published two malicious versions (axios@1.14.1 and axios@0.30.4) embedding a covert dependency (plain-crypto-js@4.2.1) that executes a post-install script deploying a cross-platform RAT across Windows, macOS, and Linux. The blast radius is significant given axios's download volume (~50M weekly). Attribution points to TeamPCP, UNC1069, and UNC6780 — Mandiant-style cluster designations indicating structured analytical tracking. The key vector here is maintainer account takeover — not a typosquat, not dependency confusion, but a legitimate account compromise that bypasses the 'only run trusted packages' heuristic most engineers rely on. OpenAI confirmed its macOS applications were affected (see Story 3447). Any environment that pulled axios during the compromise window should be treated as a potential implant host pending forensic review.
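One defender-side check the story implies is a lockfile audit: list every installed copy of the versions published from the hijacked account, and list every package that will run a lifecycle script at install time (the covert dependency's post-install hook is what delivers the RAT). The following is an added example, not axios or npm project code; it assumes the package-lock.json v2/v3 "packages" layout and the hasInstallScript flag npm writes for packages declaring pre/post/install scripts, and the lockfile it scans is constructed.

```python
"""Audit an npm lockfile for known-compromised versions and for packages that
will run install scripts. Added example, not axios or npm project code.
Assumptions: lockfileVersion 2/3 layout and the ``hasInstallScript`` flag npm
writes for packages with pre/post/install scripts; sample data is constructed."""
import json
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed package-lock.json "packages" map containing the compromised
# versions named in the story plus one benign package with an install script.
SAMPLE_LOCK = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"axios": "^1.14.0", "left-pad": "^1.3.0"},
             "devDependencies": {"esbuild": "^0.21.0"}},
        "node_modules/axios": {"version": "1.14.1",
                               "dependencies": {"plain-crypto-js": "4.2.1"}},
        "node_modules/plain-crypto-js": {"version": "4.2.1", "hasInstallScript": True},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/esbuild": {"version": "0.21.0", "hasInstallScript": True, "dev": True},
    },
}

# Versions published from the hijacked maintainer account, per the story above.
KNOWN_BAD: Set[Tuple[str, str]] = {
    ("axios", "1.14.1"), ("axios", "0.30.4"), ("plain-crypto-js", "4.2.1"),
}


def package_name(path: str) -> str:
    """'node_modules/axios/node_modules/@scope/x' -> '@scope/x'; '' is the root project."""
    return path.rsplit("node_modules/", 1)[-1] if path else ""


def find_compromised(lock: Dict, known_bad: Set[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (lockfile path, name, version) for every installed copy in known_bad.
    Nested copies (node_modules/a/node_modules/axios) are caught too."""
    hits = []
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue
        name, version = package_name(path), meta.get("version", "")
        if (name, version) in known_bad:
            hits.append((path, name, version))
    return sorted(hits)


def find_install_scripts(lock: Dict, allowlist: FrozenSet[str] = frozenset()) -> List[str]:
    """Packages that will execute lifecycle scripts on install and are not allowlisted."""
    names = {package_name(p) for p, m in lock.get("packages", {}).items()
             if p and m.get("hasInstallScript")}
    return sorted(names - set(allowlist))


def requirers(lock: Dict, name: str) -> List[str]:
    """Which packages pull `name` in (the root project is shown as '.')."""
    out = []
    for path, meta in lock.get("packages", {}).items():
        deps = {**meta.get("dependencies", {}), **meta.get("devDependencies", {})}
        if name in deps:
            out.append(package_name(path) or ".")
    return sorted(out)


def audit(lock: Dict, known_bad=KNOWN_BAD, allowlist=frozenset({"esbuild"})) -> Dict:
    """Combined report: compromised copies plus install scripts nobody has reviewed."""
    return {
        "compromised": find_compromised(lock, known_bad),
        "unreviewed_install_scripts": find_install_scripts(lock, allowlist),
    }


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            lock = json.load(fh)
    else:
        lock = SAMPLE_LOCK
    report = audit(lock)
    for path, name, version in report["compromised"]:
        print(f"COMPROMISED {name}@{version} at {path}; required by {requirers(lock, name)}")
    for name in report["unreviewed_install_scripts"]:
        print(f"INSTALL SCRIPT {name} (not on allowlist)")
```

Run it against a real package-lock.json as the first argument; the allowlist is where packages with legitimately reviewed native build steps go, so that anything new that wants to execute code at install time stands out.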

Notable

Supply Chain

Anodot Third-Party Breach Enables Snowflake Token Theft; ShinyHunters Rockstar Data Leak Imminent

Scattered Spider

Continuing: ShinyHunters obtained Rockstar Games analytics data by leveraging Snowflake authentication tokens stolen during a breach at Anodot, a data analytics and monitoring vendor. The attack chain — third-party vendor compromise → Snowflake token theft → downstream data exfiltration — is a direct operational replay of the 2024 Snowflake credential harvesting campaign that affected Ticketmaster, Santander, and dozens of others. The April 14 extortion deadline has passed with no confirmed payment, making a data leak imminent. Notable attribution discrepancy: this activity is tagged to Scattered Spider in some reporting but identified as ShinyHunters in the extortion phase. These groups share infrastructure and personnel but have distinct operational profiles — Scattered Spider operating access, ShinyHunters monetizing it.

The structural problem here is architectural rather than a patching gap: Snowflake environments accessed through vendor integrations carrying stale or insufficiently scoped credentials. Any Snowflake-connected analytics, monitoring, or observability vendor in your third-party inventory — Anodot, Datadog, Grafana Cloud, similar — warrants a review of access scopes, credential age, and MFA posture. The 2024 campaign proved the TTPs work; eighteen months later they remain operational and productive.

Geopolitical

OpenAI Confirms Axios Supply Chain Impact; UNC1069 and UNC6780 Attribution Emerges

TeamPCP · UNC1069 · UNC6780

OpenAI confirmed its macOS applications were affected by the Axios npm compromise, requiring certificate rotation and mandatory application updates for all Mac users. OpenAI reports no evidence of user data access or system compromise beyond the infected dependency. The more analytically significant element is the attribution in CyberScoop's coverage: UNC1069 and UNC6780 are Mandiant-style cluster designations indicating at least one major threat intelligence provider has accumulated sufficient activity to maintain separate actor dossiers — this is not a one-off incident. OpenAI's disclosure serves as a blast radius calibrator: a company with substantial security investment and a high-value threat surface was caught by this attack. The long tail of affected organizations without comparable detection capability is almost certainly larger than public reporting suggests.

The eCrime vs. state-nexus classification for these UNC clusters remains unconfirmed. Worth tracking — the answer materially changes the threat model for affected organizations.

Supply Chain

GitHub Actions CI/CD Threat Model Published Amid Active Supply Chain Campaign

Wiz published a two-part threat model for GitHub Actions security covering three primary risk categories: pull request injection (untrusted fork workflows triggering against privileged secrets), script injection, and malicious third-party actions. The research grounds the model in concrete recent incidents — the tj-actions compromise (22,000 affected repositories), Ultralytics PyPI cryptominer injection, and Trivy supply chain breach. This is reference material rather than new threat disclosure, but its release timing against the active Axios supply chain campaign makes it directly applicable as a review framework for CI/CD pipeline hardening.

The pull request injection vector — untrusted fork workflows triggering against privileged secrets — remains systematically underappreciated in pipeline security reviews and is the highest-consequence misconfiguration in this model. If your GitHub Actions pipelines haven't been reviewed against tj-actions patterns, this is the framework to use.
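A concrete form of that review is a static check over workflow files for the three risk classes named above: pull request injection (a pull_request_target workflow that checks out the fork's head), script injection (fork-controlled event text expanded inside a run: step), and third-party actions referenced by a mutable tag or branch rather than a commit SHA. The scanner below is an added example, not Wiz's tooling or code; its rules encode widely documented misconfiguration patterns, its two sample workflows are constructed (one risky, one hardened), and the 40-zero digest in the hardened workflow is a placeholder for a real pinned SHA.

```python
"""Static checks for the three GitHub Actions risk classes discussed above.
Added example, not Wiz's tooling. Rules encode widely documented misconfiguration
patterns; sample workflows are constructed; the pinned SHA is a placeholder."""
import re
from typing import Dict, List

# Constructed risky workflow: privileged pull_request_target trigger, checkout of
# the fork's head, fork-controlled text interpolated into a shell step, and
# actions referenced by mutable tags/branches.
RISKY_WORKFLOW = """\
name: pr-check
on:
  pull_request_target:
    types: [opened, synchronize]
permissions: write-all
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Greet
        run: echo "PR title: ${{ github.event.pull_request.title }}"
      - uses: some-org/helper-action@main
        env:
          TOKEN: ${{ secrets.DEPLOY_TOKEN }}
"""

# Constructed hardened counterpart: unprivileged trigger, untrusted text passed
# through an environment variable, SHA-pinned action (placeholder digest).
HARDENED_WORKFLOW = """\
name: pr-check
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000  # placeholder SHA
      - name: Greet
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "PR title: $PR_TITLE"
"""

USES = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
RUN = re.compile(r"^\s*(-\s*)?run:")
SHA_PINNED = re.compile(r"@[0-9a-f]{40}$")
PR_HEAD_CHECKOUT = re.compile(r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.")
# Event fields a fork author controls; representative rather than exhaustive (assumption).
UNTRUSTED_EXPR = re.compile(
    r"\$\{\{\s*github\.event\.(?:pull_request\.(?:title|body|head\.(?:ref|label))"
    r"|issue\.(?:title|body)|comment\.body|head_commit\.message)"
)


def scan_workflow(text: str) -> List[Dict[str, object]]:
    """Return one finding per rule hit: {'rule', 'line', 'detail'}."""
    lines = text.splitlines()
    findings: List[Dict[str, object]] = []

    # 1. Pull request injection: privileged trigger plus checkout of untrusted fork code.
    uses_prt = any(l.strip().startswith("pull_request_target") for l in lines)
    pr_checkout = [i for i, l in enumerate(lines, 1) if PR_HEAD_CHECKOUT.search(l)]
    if uses_prt and pr_checkout:
        findings.append({"rule": "pull-request-injection", "line": pr_checkout[0],
                         "detail": "pull_request_target workflow checks out the PR head"})

    # 2. Script injection: fork-controlled expression expanded inside a run: step
    #    (single-line or block scalar; the block ends when indentation drops back).
    run_indent = None
    for n, line in enumerate(lines, 1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        if RUN.match(line):
            run_indent = indent
        elif run_indent is not None and stripped and indent <= run_indent:
            run_indent = None
        if run_indent is not None and UNTRUSTED_EXPR.search(line):
            findings.append({"rule": "script-injection", "line": n,
                             "detail": "untrusted event data interpolated into shell"})

    # 3. Third-party actions: anything not pinned to a full commit SHA can change under you.
    for n, line in enumerate(lines, 1):
        m = USES.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local composite action or image reference; out of scope here
        if not SHA_PINNED.search(ref):
            findings.append({"rule": "unpinned-action", "line": n, "detail": ref})
    return findings


if __name__ == "__main__":
    for label, wf in (("risky", RISKY_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        hits = scan_workflow(wf)
        print(f"{label}: {len(hits)} finding(s)")
        for f in hits:
            print(f"  line {f['line']}: {f['rule']} - {f['detail']}")
```

The line-oriented approach deliberately avoids a YAML dependency so it can run anywhere a workflow file can be read; point scan_workflow at the contents of each file under .github/workflows and triage the pull-request-injection hits first, since those combine untrusted code with the repository's secrets.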

Malware

108 Malicious Chrome Extensions Harvesting Google and Telegram Credentials

Continuing: the coordinated 108-extension campaign is confirmed harvesting Google account and Telegram credentials across approximately 20,000 users. The scale — 108 extensions deployed simultaneously with consistent quality — suggests an industrialized submission pipeline. Prior digest covered the C2 domain (cloudapi[.]stream) and blocking recommendations. New detail: the Telegram credential harvesting component is specifically relevant for organizations where Telegram is used for internal communication or where employees use it for 2FA flows. Compromised Telegram accounts can serve as high-value pivot points for social engineering and account takeover.

Direct enterprise risk is limited where Chrome extension management is enforced via policy, but BYOD and personal devices remain an exposure surface. Google's post-approval update mechanism — allowing extension behavior to change after review — continues to be the structural enabler, and 108 simultaneous extensions indicates the actors have industrialized the process.

Briefs