Week of April 6–12, 2026
Since the last edition: CERT-EU and the European Commission connect the europa.eu cloud compromise to the TeamPCP Trivy pipeline intrusion — with ShinyHunters publishing the exfiltrated archive. In parallel, CISA’s KEV catalog added a rapid sequence of in-the-wild flaws (Chrome Dawn, FortiClient EMS, TrueConf, Ivanti EPMM) while Cisco Talos documents industrialized React2Shell credential harvesting.
REF · CERT-EU/EC-2026-04-02 · CISA KEV APR-2026 STACK · TALOS UAT-10608 · BOD 22-01
Intel-01 / Breach follow-up · Union institutions
Development since March 22: What began as an industry-wide CI/CD panic is now a formal Union-institution case file. CERT-EU’s April 2 publication states the Commission notified it on March 25; the investigation ties initial access to the Trivy supply-chain compromise attributed to TeamPCP, with extortion publication following on March 28.
Incident narrative — high confidence chain
The affected AWS account supported the Commission’s public web presence. CERT-EU’s timeline places credential acquisition on 2026-03-19, CSOC alerts on March 24, public disclosure on March 27, and leak-site publication on March 28. Internal Commission systems are assessed as not breached via this path; the exposure is confined to cloud-hosted citizen-facing infrastructure and the downstream Union clients of the hosting service.
Intel-02 / CISA KEV · Binding Operational Directive 22-01
CISA added four distinct catalog entries across the first eight days of April — each with evidence of in-the-wild use. Federal civilian agencies inherit hard remediation dates; everyone else should treat the catalog as priority intelligence, not background noise.
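Treating the catalog as priority intelligence in practice means joining it against what you actually run. The script below is an added example for this issue, not CISA tooling: it reads a document in the shape of the public KEV JSON feed (a top-level "vulnerabilities" array with cveID, vendorProject, product, dateAdded, dueDate and requiredAction), matches entries against a local inventory, and ranks them by asset exposure and days to the BOD 22-01 due date. The feed sample is constructed from the identifiers and due dates printed in this issue (the dateAdded for the Fortinet entry is an assumption, since the page only gives its due date), and the inventory hosts are made up.

```python
"""Triage a CISA KEV-format feed against a local asset inventory.

Added example, not from the newsletter. The feed shape follows the public
CISA KEV JSON feed; the entries are a constructed sample built from the
identifiers and dates printed in this issue.
"""
import json
from datetime import date

KEV_SAMPLE = json.dumps({
    "title": "constructed sample in KEV feed shape",
    "vulnerabilities": [
        {"cveID": "CVE-2026-35616", "vendorProject": "Fortinet",
         "product": "FortiClient EMS",
         "dateAdded": "2026-04-02",  # constructed; the issue gives only the due date
         "dueDate": "2026-04-09",
         "requiredAction": "Apply mitigations per vendor instructions."},
        {"cveID": "CVE-2026-1340", "vendorProject": "Ivanti",
         "product": "Endpoint Manager Mobile",
         "dateAdded": "2026-04-08", "dueDate": "2026-04-11",
         "requiredAction": "Apply mitigations per vendor instructions."},
        {"cveID": "CVE-2026-5281", "vendorProject": "Google",
         "product": "Chromium Dawn",
         "dateAdded": "2026-04-01", "dueDate": "2026-04-15",
         "requiredAction": "Apply mitigations per vendor instructions."},
    ],
})

# Constructed inventory: lower-case product keyword -> hosts that run it.
INVENTORY = {
    "forticlient ems": ["ems-01.corp.example"],
    "chromium": ["sde-ring0", "sde-ring1"],
}


def load_kev(feed_text):
    """Return the vulnerability entries from a KEV-shaped JSON document."""
    return json.loads(feed_text)["vulnerabilities"]


def match_hosts(entry, inventory):
    """Hosts whose inventory keyword appears in the entry's vendor/product text."""
    haystack = f"{entry['vendorProject']} {entry['product']}".lower()
    hosts = []
    for keyword, assets in inventory.items():
        if keyword in haystack:
            hosts.extend(assets)
    return hosts


def triage(feed_text, inventory, today_iso):
    """Rank KEV entries: ones touching known assets first, then by due date."""
    today = date.fromisoformat(today_iso)
    rows = []
    for entry in load_kev(feed_text):
        due = date.fromisoformat(entry["dueDate"])
        rows.append({
            "cve": entry["cveID"],
            "product": f"{entry['vendorProject']} {entry['product']}",
            "due": entry["dueDate"],
            "days_left": (due - today).days,  # negative: the BOD 22-01 date has passed
            "overdue": due < today,
            "hosts": match_hosts(entry, inventory),
        })
    # Entries with matched hosts sort first; within each group, soonest due date first.
    rows.sort(key=lambda r: (not r["hosts"], r["days_left"]))
    return rows


if __name__ == "__main__":
    for row in triage(KEV_SAMPLE, INVENTORY, "2026-04-10"):
        flag = "OVERDUE" if row["overdue"] else f"{row['days_left']}d"
        print(f"{row['cve']:16} {row['product']:32} due {row['due']} [{flag}] "
              f"hosts={row['hosts'] or '-'}")
```

Keyword matching against vendor and product strings is deliberately loose; a real inventory join should key on CPE or a normalized product identifier, but the ranking logic (exposure first, then due date) is the part worth keeping.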
Intel-03 / Endpoint management plane
Two parallel nightmares for desktop operations teams: Fortinet confirms FortiClient EMS improper access control under active exploitation, while Ivanti’s Endpoint Manager Mobile stack faces a fresh KEV entry for unauthenticated RCE — both products sit where attackers want to be before they touch employee laptops.
CVE-2026-35616
Fortinet’s PSIRT advisory documents CWE-284 (improper access control) in EMS 7.4.5–7.4.6, observed exploited in the wild, with hotfix guidance ahead of 7.4.7.
CISA KEV · FCEB due 2026-04-09
CVE-2026-1340
Ivanti’s security advisory covers the mobile endpoint management plane; CISA’s April 8 listing underscores active abuse. Patch cadence should outrun executive email debates.
CISA KEV · FCEB due 2026-04-11
Intel-04 / Browser zero-day
Google’s April 1 stable-channel update carries an in-the-wild flag for CVE-2026-5281 — a use-after-free in Dawn affecting Chromium-derived browsers. Same-day KEV listing means enterprise patch boards and desktop SOE teams move in lockstep.
Treat this as a cross-ecosystem signal: Edge and other Chromium consumers inherit the same underlying graphics stack debt. Pair browser updates with extension policy review — renderer bugs often arrive chained with social engineering rather than silent drive-bys alone.
Intel-05 / Nation-state adjacent · Video stack
Check Point’s Operation TrueChaos reporting describes targeted intrusions against Southeast Asian government environments abusing TrueConf’s update validation path — the kind of flaw that turns a legitimate on-prem video server into a software-distribution weapon.
Compromise or control of the on-premises TrueConf server lets an actor push malicious update packages to every connected desktop client.
TrueConf shipped client fixes (Check Point cites Windows client 8.5.3); CISA’s KEV entry forces federal visibility on the same weakness.
Video conferencing infrastructure is now in the same patch-critical tier as VPN concentrators — monitor updater integrity and isolate management planes.
Intel-06 / Web apps · Cloud credentials
Talos’s early-April disclosure outlines automated post-exploitation: scan vulnerable Next.js surfaces, drop ephemeral shell scripts from /tmp, and vacuum secrets into a centralized NEXUS Listener panel — a credential marketplace architecture applied to React Server Components flaws.
BleepingComputer’s parallel reporting reinforces the scale of automated harvesting. If you still have internet-facing RSC builds without the December 2025 patch train, you are not competing with human red teams — you are competing with cron jobs.
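A defender-side companion to the two items above, added here and not part of Talos's or BleepingComputer's reporting: a small detector that runs the chain they describe (web runtime spawns a shell, a script executes from /tmp, credential material is read) over process-execution telemetry. The event format is a constructed pipe-delimited line (ts|host|parent_comm|comm|argv) and the sample events are made up; the rule names and the two-rule escalation threshold are this example's own choices.

```python
"""Flag a React2Shell-style post-exploitation chain in process-exec telemetry.

Added example, not from Talos or the newsletter. Events are constructed
pipe-delimited lines: ts|host|parent_comm|comm|argv. No single rule is
conclusive; a host that trips two or more distinct rules gets escalated.
"""
import re

WEB_RUNTIMES = {"node", "next-server"}
SHELLS = {"sh", "bash", "dash", "zsh"}
TMP_EXEC = re.compile(r"(^|\s)(/tmp|/var/tmp|/dev/shm)/\S+")
CRED_READ = re.compile(r"/proc/\S*/environ|\.aws/credentials|(^|\s)\S*/\.env(\s|$)")

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = """\
2026-04-07T02:11:05Z|web-03|node|sh|sh -c /tmp/.x/r.sh
2026-04-07T02:11:07Z|web-03|sh|cat|cat /proc/self/environ /root/.aws/credentials
2026-04-07T02:15:00Z|web-03|systemd|sh|sh -c /usr/local/bin/rotate-logs.sh
2026-04-07T02:16:00Z|build-01|bash|sh|sh /tmp/build-step.sh
"""


def parse_events(text):
    """Split the constructed line format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, parent, comm, argv = line.split("|", 4)
        events.append({"ts": ts, "host": host, "parent": parent, "comm": comm, "argv": argv})
    return events


def rules_for(event):
    """Names of the detection rules a single event matches."""
    hits = []
    if event["parent"] in WEB_RUNTIMES and event["comm"] in SHELLS:
        hits.append("web_runtime_spawned_shell")
    if TMP_EXEC.search(event["argv"]):
        hits.append("exec_from_tmp")
    if CRED_READ.search(event["argv"]):
        hits.append("credential_read")
    return hits


def detect(text):
    """Return one finding per (event, rule) pair."""
    findings = []
    for ev in parse_events(text):
        for rule in rules_for(ev):
            findings.append({"ts": ev["ts"], "host": ev["host"],
                             "rule": rule, "argv": ev["argv"]})
    return findings


def hosts_to_escalate(findings, min_rules=2):
    """Hosts that matched at least min_rules distinct rules."""
    per_host = {}
    for f in findings:
        per_host.setdefault(f["host"], set()).add(f["rule"])
    return sorted(h for h, rules in per_host.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['ts']} {f['host']:8} {f['rule']:26} {f['argv']}")
    print("escalate:", hosts_to_escalate(found))
```

The build host in the sample trips only exec_from_tmp, which is ordinary for CI runners; the correlation step is what separates it from the web host that also shows a runtime-spawned shell and a credential read.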
Intel-07 / AI gateway supply chain
Follow-on to the Trivy wave: attackers published trojanized LiteLLM builds that executed on import — placing stolen LLM routing secrets and cloud tokens one pip install away from production agents.
Malicious versions appeared on PyPI; vendor post-mortem documents a bounded exposure window before quarantine.
Payloads targeted gateway code paths such as proxy_server.py and abused .pth persistence in later builds per public analysis.
LiteLLM maintainers published clean rebuild guidance; any host that resolved the bad versions needs full secret rotation — not just package bump.
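The .pth persistence mentioned above relies on a documented interpreter behaviour: Python's site module treats any line in a site-packages .pth file that begins with "import" as a statement to execute at startup, and every other non-comment line as a path to add to sys.path. The auditor below is an added example (not LiteLLM's or the newsletter's code) that lists every executable .pth line in a directory and flags the ones carrying execution hints; it runs against a constructed temp directory and, optionally, against the site-packages of the interpreter running it. The sample file names and the payload placeholder are made up.

```python
"""Audit site-packages for .pth files that execute code at interpreter start.

Added example, not LiteLLM's or the newsletter's code. Python's site module
executes any .pth line that begins with "import"; every other non-comment
line is treated as a path entry.
"""
import os
import re
import sysconfig
import tempfile

IMPORT_LINE = re.compile(r"^\s*import\s")
# Hints that an import line does more than import a module.
SUSPICIOUS = re.compile(r"exec\(|eval\(|base64|subprocess|os\.system|urlopen|socket\.")


def audit_pth(directory):
    """Report every executable .pth line in a directory, flagging suspicious ones."""
    findings = []
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".pth"):
            continue
        path = os.path.join(directory, name)
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                if IMPORT_LINE.match(line):
                    findings.append({
                        "file": name,
                        "line": lineno,
                        "text": line.strip(),
                        "suspicious": bool(SUSPICIOUS.search(line)),
                    })
    return findings


def audit_running_interpreter():
    """Audit the site-packages directories of the interpreter running this script."""
    findings = []
    seen = set()
    for key in ("purelib", "platlib"):
        directory = sysconfig.get_paths()[key]
        if directory in seen or not os.path.isdir(directory):
            continue
        seen.add(directory)
        findings.extend(audit_pth(directory))
    return findings


def build_constructed_sample():
    """Create a throwaway directory holding three constructed .pth files."""
    directory = tempfile.mkdtemp(prefix="pth-audit-")
    # Benign: a plain path line, the form editable installs and namespace packages use.
    with open(os.path.join(directory, "benign.pth"), "w") as fh:
        fh.write("/opt/example/pkgs\n")
    # Import line with no execution hints: reported for review, not flagged.
    with open(os.path.join(directory, "plain-import.pth"), "w") as fh:
        fh.write("import _example_shim\n")
    # Import line that would decode and run a payload at startup. The body is a
    # placeholder and is never executed here; this is the shape to treat as an incident.
    with open(os.path.join(directory, "zz-hook.pth"), "w") as fh:
        fh.write("import base64; exec(base64.b64decode(b'PAYLOAD_PLACEHOLDER'))\n")
    return directory


if __name__ == "__main__":
    for f in audit_pth(build_constructed_sample()):
        label = "SUSPICIOUS" if f["suspicious"] else "review    "
        print(f"{label} {f['file']}:{f['line']} {f['text']}")
    live = audit_running_interpreter()
    print(f"{len(live)} executable .pth line(s) in this interpreter's site-packages")
```

Some legitimate tools install import-style .pth hooks, so the "review" bucket is not empty on a clean host; the point is that every entry in it should be attributable to a package you installed on purpose. If any host resolved a bad build, the audit is only the first step: the secrets that interpreter could read still need rotation, as the post-mortem guidance above says.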
Intel-08 / IaC scanners · GitHub Actions
Wiz documents a tight exposure window where TeamPCP force-pushed malicious commits across KICS GitHub Action tags — the same impostor-commit pattern as Trivy, but aimed at infrastructure-as-code scanning pipelines that often hold Terraform/AWS secrets.
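The force-pushed-tag pattern works because a tag such as v2 is a movable pointer, while a 40-hex commit SHA is not; pinning `uses:` references to the SHA (with the tag kept in a trailing comment for humans) removes that exposure. The script below is an added example, not Wiz's or the KICS project's code: it classifies every remote action reference in a workflow file as SHA-pinned, version-tag, or branch/other. The workflow text is constructed and the SHA in it is a placeholder, not a real commit; the action names are real projects but the versions are made up.

```python
"""Find GitHub Actions references that a tag or branch force-push could swap.

Added example, not Wiz's or the KICS project's code. A tag is a movable
pointer; a full commit SHA is not. The workflow text is constructed and the
SHA in it is a placeholder, not a real commit.
"""
import re

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)", re.MULTILINE)
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
VERSION_TAG = re.compile(r"^v?\d+(\.\d+)*$")

SAMPLE_WORKFLOW = """\
name: iac-scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # constructed SHA
      - uses: checkmarx/kics-github-action@v2        # mutable tag
      - uses: aquasecurity/trivy-action@master       # mutable branch
      - uses: ./.github/actions/local-step           # in-repo, no remote ref
"""


def classify_ref(ref):
    """sha: immutable; tag: movable version tag; branch-or-other: movable pointer."""
    if FULL_SHA.match(ref):
        return "sha"
    if VERSION_TAG.match(ref):
        return "tag"
    return "branch-or-other"


def audit_workflow(text):
    """Classify every remote `uses:` reference in a workflow file."""
    findings = []
    for match in USES_RE.finditer(text):
        spec = match.group(1)
        if spec.startswith("./") or spec.startswith("docker://"):
            continue  # in-repo action or container image; no remote git ref involved
        if "@" not in spec:
            findings.append({"action": spec, "ref": None, "kind": "unpinned"})
            continue
        action, ref = spec.rsplit("@", 1)
        findings.append({"action": action, "ref": ref, "kind": classify_ref(ref)})
    return findings


def mutable_refs(text):
    """Findings whose ref can be moved by the upstream repository."""
    return [f for f in audit_workflow(text) if f["kind"] != "sha"]


if __name__ == "__main__":
    for f in mutable_refs(SAMPLE_WORKFLOW):
        print(f"{f['kind']:16} {f['action']}@{f['ref']}")
```

SHA pinning moves the trust question from "who controls the tag" to "who reviewed this commit", so pair it with a bot or review step that updates the SHA deliberately; it does not protect a pipeline that already holds long-lived Terraform or AWS credentials the action can read, which is why those pipelines should use short-lived, scoped tokens.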
Intel-09 / Threat campaign cartography
Unit 42’s consolidated analysis frames TeamPCP as a cloud-native adversary pivoting across security tooling, AI gateways, and telecom SDKs — useful for leadership briefings that need a single authoritative narrative instead of vendor tweet threads.
Intel-10 / Disclosure · Retail / entertainment
Hasbro’s April 1 SEC filing describes unauthorized network access discovered March 28, containment including selective systems offline, and continuity plans to sustain orders — a textbook modern incident cadence under the SEC’s cybersecurity disclosure regime (filed as other events under Item 8.01).
“Upon discovery, the Company promptly activated its security incident response protocols, implemented containment measures, including proactively taking certain systems offline, and launched an investigation with the assistance of third-party cybersecurity professionals.”
Intel-11 / Forward intelligence
April 14, 2026 · Second Tuesday release cycle. Expect kernel, Office, and platform security bundles; pre-stage testing rings because March preview noise stressed change windows.
April 15, 2026 · Federal remediation date for the Google Dawn use-after-free KEV entry. Enterprise browsers should already be on 146.0.7680.x; validate mobile Chromium forks too.
April 16, 2026 · Two-week federal patch window for the TrueConf client integrity issue tied to Operation TrueChaos reporting.
April 8–11 window · CISA added CVE-2026-1340 with an April 11 due date. Treat MDM appliances like perimeter firewalls for change-control priority.
Ongoing · CERT-EU notes direct engagement with Europa web hosting clients beginning March 31 — if you operate adjacent Union sites, monitor official mailboxes for compromise guidance.
April 18–20 · Re-scan external attack surface for FortiClient EMS exposure and internet-facing Next.js builds; attackers love deploying harvesters when on-call benches are thin.