
Tech Alerts – April 2026

Publication date

04.05.2026

Welcome to the Tech Alerts. Every day, our Security Operations Center (SOC) monitors a complex variety of digital signals, emerging vulnerabilities, and tactical shifts.

Welcome to Tech Alerts – April 2026

We know your time is scarce. That’s why we’ve created this newsletter: to cut through the noise and deliver only the most critical, high-impact alerts. Whether it’s a zero-day exploit requiring an immediate patch or a new trend in social engineering, our goal is to keep you informed, prepared, and one step ahead.

In this month’s briefing:

  1. Axios npm Package Compromised in Supply Chain Attack
  2. Last week in review: BlueHammer, RedSun, UnDefend. Three Windows Defender zero-days. All actively exploited.

Monitoring the threats so you don’t have to. Here are this month’s essentials.

1. Axios npm Package Compromised in Supply Chain Attack


On March 30-31, 2026, one of the most widely used JavaScript libraries was turned into a weapon.

Axios was compromised after a threat actor hijacked the npm account of its lead maintainer (jasonsaayman) and published two backdoored versions (1.14.1 and 0.30.4) within a 39-minute window, a clear sign of a pre-planned, coordinated operation.

The axios source repository itself was not touched. Instead, the two published packages declared a new, malicious dependency (plain-crypto-js), which on install deployed a cross-platform Remote Access Trojan (RAT) targeting Windows, macOS, and Linux.

The attack was pre-staged over ~18 hours: a clean decoy version of plain-crypto-js@4.2.0 was published on March 30 at 05:57 UTC to build registry history and bypass “new package” scanners, before the malicious 4.2.1 was dropped at 23:59 UTC.

The malicious window ran from 00:21 UTC to 03:29 UTC on March 31, 2026:

  • axios@1.14.1 live for ~3h08 (00:21 to 03:29 UTC)
  • axios@0.30.4 live for ~2h29 (01:00 to 03:29 UTC)

a. What to look for (IoCs)

  • axios@1.14.1 or axios@0.30.4 in your lockfiles (package-lock.json, yarn.lock, pnpm-lock.yaml)
  • plain-crypto-js anywhere in node_modules or in a lockfile, whatever the version (4.2.0 was the clean decoy, 4.2.1 the payload; neither belongs in your tree)
  • Outbound connections to sfrclak[.]com / 142.11.206.73
  • RAT artifacts: /Library/Caches/com.apple.act.mond (macOS), %PROGRAMDATA%\wt.exe (Windows), /tmp/ld.py (Linux)

b. How to remediate

  • Revert to the last clean releases, axios@1.14.0 (1.x) or axios@0.30.3 (0.x), and pin them in your lockfile
  • Remove plain-crypto-js from node_modules and from the lockfile, then reinstall from the corrected lockfile
  • Block the C2 domain and IP (sfrclak[.]com / 142.11.206.73) at firewall and DNS level
  • If RAT artifacts are found: do NOT attempt to clean the host. Rebuild it from scratch and rotate ALL credentials it could reach (npm tokens, SSH keys, cloud credentials, CI/CD secrets)
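The lockfile checks above can be scripted rather than grepped by hand. The following is an added example written for this newsletter, not code from the axios project or from Approach's SOC: it parses package-lock.json in both the nested layout of lockfileVersion 1 and the flat layout of lockfileVersion 2 and 3, and reports every compromised axios pin and every plain-crypto-js pin, whatever its version. The two lockfiles embedded in it are constructed samples, as are the package names other than axios and plain-crypto-js.

```python
"""Scan npm lockfiles for the two backdoored axios releases and the injected
plain-crypto-js dependency (indicators taken from the alert above).

Added example for this newsletter; not code from the axios project or from
Approach's SOC. The sample lockfiles below are constructed for the demo."""
import json
import sys
from typing import Dict, List, Tuple

COMPROMISED_AXIOS = {"1.14.1", "0.30.4"}   # the two versions published from the hijacked account
MALICIOUS_DEP = "plain-crypto-js"          # flag every version: 4.2.0 was the decoy, 4.2.1 the payload

Package = Tuple[str, str, str]  # (name, version, node_modules path)


def _walk_v1(deps: Dict, prefix: str, out: List[Package]) -> None:
    """lockfileVersion 1 stores a nested 'dependencies' tree."""
    for name, meta in deps.items():
        path = f"{prefix}node_modules/{name}"
        out.append((name, meta.get("version", ""), path))
        _walk_v1(meta.get("dependencies", {}), path + "/", out)


def installed_packages(lock: Dict) -> List[Package]:
    """Return every pinned package from a package-lock.json of version 1, 2 or 3."""
    found: List[Package] = []
    packages = lock.get("packages")
    if packages is not None:
        # v2/v3: flat map keyed by node_modules path; "" is the root project itself.
        for path, meta in packages.items():
            if not path:
                continue
            # 'name' is only present for aliased installs; otherwise derive it from the path.
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            found.append((name, meta.get("version", ""), path))
    else:
        _walk_v1(lock.get("dependencies", {}), "", found)
    return found


def scan_lockfile(lock: Dict) -> List[str]:
    """Return one finding per compromised axios pin or plain-crypto-js occurrence."""
    findings: List[str] = []
    for name, version, path in installed_packages(lock):
        if name == "axios" and version in COMPROMISED_AXIOS:
            findings.append(f"compromised axios@{version} at {path}")
        if name == MALICIOUS_DEP:
            findings.append(f"malicious dependency {name}@{version} at {path}")
    return findings


# Constructed sample: a v3 lockfile that pulled the backdoored 1.14.1 during the window.
SAMPLE_LOCK_V3 = {
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0", "dependencies": {"axios": "^1.14.0"}},
        "node_modules/axios": {"version": "1.14.1", "dependencies": {"plain-crypto-js": "4.2.1"}},
        "node_modules/plain-crypto-js": {"version": "4.2.1"},
        "node_modules/follow-redirects": {"version": "1.15.6"},
    },
}

# Constructed sample: a v1 lockfile still on the last clean 1.x release.
SAMPLE_LOCK_V1_CLEAN = {
    "lockfileVersion": 1,
    "dependencies": {"axios": {"version": "1.14.0", "requires": {"follow-redirects": "^1.15.6"}}},
}


def main(paths: List[str]) -> int:
    """Scan each package-lock.json given on the command line; exit 1 if anything is found."""
    hit = False
    for p in paths:
        with open(p, encoding="utf-8") as fh:
            for finding in scan_lockfile(json.load(fh)):
                hit = True
                print(f"{p}: {finding}")
    return 1 if hit else 0


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(main(sys.argv[1:]))
    for f in scan_lockfile(SAMPLE_LOCK_V3):   # demo run on the constructed sample
        print(f)
```

Run it over every package-lock.json in your repositories and build caches; the non-zero exit code lets it sit in a CI pipeline as a gate. Yarn and pnpm lockfiles use different formats, so grep those for the same names and versions, or run `npm ls axios plain-crypto-js` inside an installed checkout to see what was actually resolved.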

This is a reminder that a single compromised maintainer account, pre-staged 18 hours in advance, with three parallel OS-specific payloads and built-in anti-forensic self-deletion, can turn a trusted package into an attack vector affecting millions of environments.

Audit your dependencies. Check your lockfiles. Stay sharp.

2. Last week in review: BlueHammer, RedSun, UnDefend. Three Windows Defender zero-days. All actively exploited.


a. What actually happened

In the span of 13 days this April, a single researcher dropped three working exploits targeting Microsoft Defender. No coordinated disclosure. No heads-up to Microsoft. Full proof-of-concept code, straight to GitHub.

The researcher, known as “Chaotic Eclipse”, was vocal about why: frustration with how Microsoft’s MSRC had handled their reports. Whether you agree with the approach or not, the code works. And attackers moved fast.

One of the three has been patched. At the time of writing, the other two are still open.

b. What we observed from the SOC side

What caught our attention was not just the individual bugs. It was the architecture behind them.

  • BlueHammer escalates privileges by abusing Defender’s file remediation logic.
  • RedSun takes a different path, through cloud-file handling, and also reaches SYSTEM.
  • UnDefend does not escalate anything. It quietly starves Defender of signature updates until your endpoint protection is running blind.

Together, they cover initial escalation, an alternate escalation path if the first is patched, and a way to keep the endpoint blind afterwards. That is a complete post-exploitation toolkit, not three unrelated bugs.

c. What we saw in the wild

  • BlueHammer exploitation was confirmed in real intrusions from April 10th.
  • RedSun and UnDefend followed by April 16th.

Entry point in observed cases was compromised SSL-VPN credentials, with attackers dropping renamed exploit binaries into user-writable folders like Pictures or Downloads after gaining initial access.

This is hands-on-keyboard activity. Not automated scanning.

d. What to do right now?

✅ Apply the April 2026 Patch Tuesday update if you have not already. It covers BlueHammer (CVE-2026-33825).

❌ For RedSun and UnDefend there is no patch yet, so behavioral detection is what you have: watch for executables launched from user-writable folders such as Pictures or Downloads, for unexpected processes running as SYSTEM, and for endpoints whose Defender signatures stop updating.

And do not rely only on static signatures (file hashes, binary names): the PoC source is public and trivial to recompile or rename.
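The behaviour the SOC observed (renamed exploit binaries dropped into Pictures or Downloads and run from there) lends itself to a path-based rule rather than a hash. The following is an added example, not Approach's detection content and not a signature for BlueHammer, RedSun or UnDefend: a generic hunt over process-creation telemetry that flags executables started from user-writable profile folders and binaries carrying a well-known Windows system name from outside the Windows directory. It assumes Sysmon Event ID 1 field names (Image, ParentImage, User); the folder list beyond Pictures and Downloads, the system-name list and every event in the sample are constructed assumptions.

```python
"""Behavioural hunt for the tradecraft described in the alert: executables launched
from user-writable profile folders and binaries wearing a Windows system name from
outside the Windows directory.

Added example for this newsletter, not Approach's detection content; it is a generic
post-exploitation heuristic, not a signature for BlueHammer, RedSun or UnDefend.
Field names follow Sysmon Event ID 1 (process creation); all sample events are constructed."""
import re
from typing import Dict, Iterable, List

# Pictures and Downloads are the folders named in the alert; the rest are an added generalisation.
USER_WRITABLE_DIRS = r"(?:Pictures|Downloads|Documents|Desktop|Music|Videos|AppData\\Local\\Temp)"
EXEC_FROM_USER_DIR = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\" + USER_WRITABLE_DIRS + r"\\(?:[^\\]+\\)*[^\\]+\.(?:exe|dll|scr|com)$",
    re.IGNORECASE,
)
WINDOWS_DIR = re.compile(r"^[a-z]:\\windows\\", re.IGNORECASE)
# Names a renamed binary might borrow to look benign (assumed list; extend it from your own baseline).
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe", "msmpeng.exe"}


def classify(image: str) -> List[str]:
    """Return the names of the rules an executable path trips (empty list = nothing to see)."""
    rules: List[str] = []
    if EXEC_FROM_USER_DIR.match(image):
        rules.append("exec_from_user_writable_dir")
    basename = image.rsplit("\\", 1)[-1].lower()
    if basename in SYSTEM_BINARY_NAMES and not WINDOWS_DIR.match(image):
        rules.append("system_binary_name_outside_windows_dir")
    return rules


def hunt(events: Iterable[Dict], allowlist: Iterable[str] = ()) -> List[Dict]:
    """Run the rules over process-creation events. 'allowlist' holds full image paths you
    have vetted (for example a corporate installer users legitimately run from Downloads)."""
    allowed = {a.lower() for a in allowlist}
    hits: List[Dict] = []
    for ev in events:
        if ev.get("EventID") != 1:          # process creation only; skip network/file events
            continue
        image = ev.get("Image", "")
        if image.lower() in allowed:
            continue
        rules = classify(image)
        if rules:
            hits.append({"UtcTime": ev.get("UtcTime"), "User": ev.get("User"), "Image": image,
                         "ParentImage": ev.get("ParentImage"), "Rules": rules})
    return hits


# Constructed sample telemetry (not real incident data).
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2026-04-12 08:14:03", "User": "CORP\\jdoe",
     "Image": "C:\\Users\\jdoe\\Pictures\\IMG_2043.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 1, "UtcTime": "2026-04-12 08:15:40", "User": "CORP\\jdoe",
     "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 1, "UtcTime": "2026-04-12 08:16:12", "User": "CORP\\jdoe",
     "Image": "C:\\Users\\jdoe\\Downloads\\svchost.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"EventID": 3, "UtcTime": "2026-04-12 08:16:13", "User": "CORP\\jdoe",
     "Image": "C:\\Users\\jdoe\\Downloads\\svchost.exe",
     "DestinationIp": "203.0.113.10"},
    {"EventID": 1, "UtcTime": "2026-04-12 09:02:55", "User": "CORP\\jdoe",
     "Image": "C:\\Users\\jdoe\\Downloads\\CorpVpnSetup.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
]

if __name__ == "__main__":
    for h in hunt(SAMPLE_EVENTS, allowlist=["C:\\Users\\jdoe\\Downloads\\CorpVpnSetup.exe"]):
        print(h["UtcTime"], h["User"], h["Image"], ",".join(h["Rules"]))
```

Executables run from Downloads are noisy in most estates, which is why the rule takes an allowlist; tune it from your own baseline before alerting on it, and treat a hit that also trips the system-name rule, or whose parent is a VPN-sourced interactive session, as the priority. A Defender signature-age check on the same endpoints covers the UnDefend side, which this process-level hunt cannot see.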

Our commitment

We remain fully mobilized to detect abnormal activity and alert our clients quickly. Whenever a specific action is needed on a client’s side, we contact them directly, with one goal in mind: preserving their Cyber-Serenity.
