THE DEEP TAKE
North Korea Compromised Axios, and Your Supply Chain Assumptions Along With It
Between midnight and 3 AM UTC on March 31, a North Korean threat actor pushed malicious code into axios, the single most downloaded HTTP library in the JavaScript ecosystem. Versions 1.14.1 and 0.30.4 shipped with a hidden dependency called "plain-crypto-js" that dropped the WAVESHAPER.V2 backdoor on Windows, macOS, and Linux. The package pulls over 100 million downloads per week. If your developers ran npm install during that three-hour window, you may already have a problem.
Google's Threat Intelligence Group attributed the attack to UNC1069, a financially motivated North Korean cluster active since at least 2018. The attribution is based on the WAVESHAPER malware lineage and infrastructure overlaps, including C2 traffic routed through an AstrillVPN node previously tied to the same group. Microsoft published its own mitigation guide on April 1. When both Google and Microsoft release advisories for the same supply chain incident within 48 hours, the blast radius is real.
This is not the first npm supply chain compromise, and it will not be the last. But the target selection tells you where the threat is heading. Axios is not some obscure utility. It is embedded in CI/CD pipelines, internal tooling, customer-facing applications, and SaaS platforms across nearly every enterprise stack. Compromising it is the equivalent of poisoning the water supply rather than breaking into individual houses.
The tactical response is straightforward: audit your lockfiles, pin your dependency versions, check whether the compromised versions ever entered your build artifacts. The strategic question is harder. Most enterprises still treat software composition analysis as a compliance checkbox. They scan quarterly. They review reports. They do not monitor their dependency trees in real time. That gap between "we scan for known vulnerabilities" and "we detect malicious code injection within hours" is exactly where nation-state actors are operating.
If your security team cannot tell you within four hours which internal applications consumed a compromised package version, your supply chain security program exists on paper only. This incident is the forcing function to fix that.
QUICK HITS
Oracle Ships Emergency Patch for Identity Manager RCE
Oracle released an out-of-band security update for CVE-2026-21992, a CVSS 9.8 unauthenticated remote code execution flaw in Oracle Identity Manager and Oracle Web Services Manager. The vulnerability requires no authentication or user interaction and is exploitable over HTTP with low attack complexity. It affects versions 12.2.1.4.0 and 14.1.2.1.0. Oracle has not confirmed active exploitation, but breaking its quarterly patch cycle to ship this fix tells you everything about the severity. If you run Oracle IAM, patch today.
Citrix NetScaler Memory Leak Under Active Exploitation
CVE-2026-3055, a CVSS 9.3 memory overread vulnerability in Citrix NetScaler ADC and Gateway, is being actively exploited. Attackers are sending crafted SAML request payloads that cause the appliance to leak sensitive memory contents via the NSC_TASS cookie. The flaw affects any deployment configured as a SAML identity provider, which covers most enterprise SSO environments. CISA added it to the KEV catalog with a remediation deadline of April 2. If your NetScaler handles SAML authentication, check whether you have been scanned.
Chrome's Fourth Zero-Day of 2026
Google patched CVE-2026-5281, a use-after-free in the Dawn WebGPU component, after confirming active exploitation in the wild. This is Chrome's fourth zero-day this year. The flaw is part of an exploit chain: attackers first compromise the renderer, then use the Dawn bug to escalate privileges and potentially escape the sandbox. CISA added it to the KEV catalog on April 1 with an April 15 deadline. Every Chromium-based browser, including Edge, Brave, and Opera, inherits this vulnerability until patched.
THE NUMBER: 71 minutes
That is how frequently a new organization appeared on a ransomware leak site over the past twelve months. From March 2025 through March 2026, ransomware groups posted 7,655 victim claims publicly. The second half of that period saw a 40% increase over the first half, averaging 732 claims per month versus 521. The acceleration is not coming from new groups. It is coming from automation: shorter time-to-exploit after proof-of-concept disclosure, scaled attacks targeting vendor chains, and initial access brokers working at volume. If your incident response plan assumes you have days between vulnerability disclosure and exploitation, that assumption is already outdated.
Across the DoGood network this week, supply chain security evaluations and software composition analysis tools continued their climb in member priority submissions. More on that Wednesday.
The CXO Brief is powered by the DoGood network — 5,000+ IT leaders sharing what they're actually working on.
Know a CIO who needs this? Forward it — they can subscribe here.
