APJ Ransomware, Axios NPM Hijack, and AI Privacy Nightmares
This week on Dragon News Bytes, Eli Woodward and Will Baxter are joined by Ben Archie to break down a high-velocity week of supply chain compromises and surging regional threats. We cover the explosive growth of ransomware in the APJ region, the North Korean state-actor hijack of the Axios NPM package, and the TrueConf zero-day exposing Southeast Asian governments. Plus, we discuss how the recent Anthropic Claude code leak could weaponize package management and the frightening implications of AI on personal data extortion.
Topics & References:
Part 1: The APJ Threat Landscape & TrueConf Zero-Day
Ransomware Surge: APJ is currently the fastest-growing region for ransomware, with a 59% year-on-year increase, and accounts for 64% of global incidents.
Healthcare Under Fire: The DragonForce ransomware group recently claimed a breach of an Australian health management system, underscoring the massive third-party risk across the country's health sector.
TrueConf Zero-Day (CVE-2026-3502): A critical vulnerability in the TrueConf video conferencing software is being abused to compromise on-prem servers, which then push Havoc malware to the endpoints connected to them. This supply chain attack heavily targets Southeast Asian government networks, and the CVE was recently added to the CISA KEV catalog.
Part 2: Supply Chain Nightmares & The Axios Compromise
The Axios NPM Hijack: Attackers compromised the NPM publishing account of Axios' lead maintainer and released two malicious versions (1.14.1 and, on the legacy 0.x line, 0.30.40). Rather than modifying Axios' own source code, the threat actors injected a phantom runtime dependency into the published packages, so the malicious code arrived via a dependency that had no counterpart in the repository. The packages remained live for roughly two to three hours before NPM yanked them.
Attribution: Microsoft has attributed the infrastructure behind the Axios NPM compromise to Sapphire Sleet, a known North Korean state actor.
ShinyHunters Target Cisco: The group claims to have breached Cisco's internal development environment using credentials stolen during the Trivy GitHub compromise. They allege the theft of AWS keys and over three million Salesforce records, and have set an extortion deadline of April 3.
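The Axios item above turns on a single detail: the published package gained a runtime dependency that the source repository never had. The script below is an added example written for these show notes, not code from the podcast or from the Axios project. It diffs two package.json manifests (the last-known-good version and a candidate release) and flags exactly that pattern: dependencies added in the published manifest and new or changed lifecycle scripts. Both manifests are constructed for illustration, and the dependency name "hypothetical-phantom-dep" is invented, not the name used in the real incident.

```javascript
// Added example, not from the podcast or from Axios: compare a known-good
// package.json against a candidate release and surface the signals that a
// maintainer-account hijack tends to leave behind in the published tarball.

// Constructed "known-good" manifest (stand-in for the git-tagged source).
const baseManifest = {
  name: "example-lib",
  version: "1.14.0",
  dependencies: { "follow-redirects": "^1.15.6", "form-data": "^4.0.0" },
  scripts: { build: "rollup -c", test: "mocha" },
};

// Constructed "published" manifest. The added dependency and the postinstall
// script are the invented, suspicious changes this example is meant to catch.
const candidateManifest = {
  name: "example-lib",
  version: "1.14.1",
  dependencies: {
    "follow-redirects": "^1.15.6",
    "form-data": "^4.0.0",
    "hypothetical-phantom-dep": "^1.0.3", // invented name, not in base, not in source
  },
  scripts: { build: "rollup -c", test: "mocha", postinstall: "node setup.js" },
};

// npm runs these automatically on install; a new one is a classic code-execution hook.
const LIFECYCLE_SCRIPTS = new Set(["preinstall", "install", "postinstall", "prepare", "prepublish"]);

const DEP_FIELDS = ["dependencies", "optionalDependencies", "peerDependencies"];

// Returns the dependency and lifecycle-script changes between two manifests.
function diffManifests(base, candidate) {
  const result = { addedDeps: [], removedDeps: [], changedDeps: [], newLifecycleScripts: [] };

  for (const field of DEP_FIELDS) {
    const before = base[field] || {};
    const after = candidate[field] || {};
    for (const [name, range] of Object.entries(after)) {
      if (!(name in before)) {
        result.addedDeps.push({ field, name, range });
      } else if (before[name] !== range) {
        result.changedDeps.push({ field, name, from: before[name], to: range });
      }
    }
    for (const name of Object.keys(before)) {
      if (!(name in after)) result.removedDeps.push({ field, name });
    }
  }

  const baseScripts = base.scripts || {};
  for (const [name, command] of Object.entries(candidate.scripts || {})) {
    if (LIFECYCLE_SCRIPTS.has(name) && baseScripts[name] !== command) {
      result.newLifecycleScripts.push({ name, command });
    }
  }
  return result;
}

// Policy: any brand-new dependency or any new install-time hook is worth a human look
// before the release is allowed into a lockfile. Version-range bumps alone are not flagged.
function isSuspicious(diff) {
  return diff.addedDeps.length > 0 || diff.newLifecycleScripts.length > 0;
}

// Human-readable summary for a CI log or a Slack alert.
function report(base, candidate) {
  const diff = diffManifests(base, candidate);
  const lines = [`${candidate.name} ${base.version} -> ${candidate.version}`];
  for (const d of diff.addedDeps) lines.push(`  ADDED ${d.field}: ${d.name}@${d.range}`);
  for (const d of diff.changedDeps) lines.push(`  CHANGED ${d.field}: ${d.name} ${d.from} -> ${d.to}`);
  for (const d of diff.removedDeps) lines.push(`  REMOVED ${d.field}: ${d.name}`);
  for (const s of diff.newLifecycleScripts) lines.push(`  NEW SCRIPT ${s.name}: ${s.command}`);
  lines.push(isSuspicious(diff) ? "  VERDICT: hold for review" : "  VERDICT: no new deps or hooks");
  return lines.join("\n");
}

console.log(report(baseManifest, candidateManifest));
```

To run this against a real release, feed it two real manifests instead of the constructed ones: `npm view <pkg>@<version> --json` returns the registry's view of a published version, and `npm pack <pkg>@<version>` downloads the tarball so the package.json inside it can be compared with the package.json at the matching git tag. A dependency present in the tarball but absent from the tag is the exact discrepancy described above.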
Part 3: Threat Actor Drama & AI Privacy Risks
Ransomware Soap Opera: Threat groups such as Team PCP and The Comm are trading public insults, echoing the earlier incident in which The Comm publicly dumped an Oracle EBS zero-day to humiliate Cl0p.
Anthropic Claude Code Leak: The team discusses how the leaked source code could lower the barrier to entry for attackers, helping them understand how the tool prioritizes package management decisions and weaponize AI coding models for supply chain attacks.
Handala Hack & AI Extortion: The Iranian hacktivist group Handala breached the personal email of FBI Director Kash Patel. This sparks a broader discussion on the future of personal extortion, with the warning that attackers could soon use LLMs to scrape and weaponize the intimate, sensitive data users pour into AI mental health and companion apps.
Events & Community:
RISE Ireland: April 14-25 in Dublin, Ireland
🔗 to register: https://go.team-cymru.com/rise-ireland
RISEx Sydney: May 6 in Sydney, Australia
🔗 to register: https://www.team-cymru.com/events/rise-sydney-2026
RISEx Frankfurt: May 28 in Frankfurt, Germany
🔗 to register: https://www.team-cymru.com/events/rise-frankfurt-2026
RISEx New York: June 16 in New York City, US
🔗 to register: https://www.team-cymru.com/events/rise-new-york-city-2026
Underground Economy: September 7-9 in Strasbourg, France
🔗 to register: https://www.team-cymru.com/events/underground-economy-2026
FirstCon26 (Denver): Eli Woodward will be presenting two sessions.
🔗 to register: https://www.first.org/conference/2026/registration-options
Connect with Us:
Follow us on LinkedIn: https://www.linkedin.com/company/team-cymru
Subscribe to the Dragon News Bytes feed: https://www.team-cymru.com/dnb
Disclaimer: The views expressed in this podcast are those of the hosts and do not necessarily reflect the official policy or position of our employers.