When the Supply Chain Attacks Back: npm, Apache ActiveMQ, and the CISA KEV Surge

Introduction

This week's threat landscape arrived with the usual subtlety of a crowbar to the server rack. CISA added eight vulnerabilities to its Known Exploited Vulnerabilities catalog in a single drop, Apache ActiveMQ is being actively exploited at scale, and a novel npm supply-chain attack figured out how to spread itself. In other news, the concept of "trust" in software dependencies is having a rough month.

CISA KEV -- Eight at Once

CISA's KEV catalog added eight vulnerabilities this week, including CVE-2026-34197 in Apache ActiveMQ -- a remote code execution flaw with an April 30 patch deadline for federal agencies. Shadowserver confirmed over 6,400 exposed ActiveMQ servers remain unpatched and actively targeted. If your organization runs ActiveMQ and it's internet-accessible, the window between "aware" and "compromised" is closing fast.

Also added to KEV: three high-severity Cisco Catalyst SD-WAN Manager flaws, flagged as actively exploited with a four-day remediation window for federal systems. Non-federal organizations should treat that urgency as a strong suggestion, not a bureaucratic timeline.

MITRE TTPs: T1190 (Exploit Public-Facing Application), T1203 (Exploitation for Client Execution)

Self-Spreading npm Supply Chain Attack

A new supply chain attack targeting the npm ecosystem was confirmed this week. The attack steals developer credentials from compromised packages and then uses those credentials to publish additional malicious packages -- effectively spreading itself through the ecosystem. It's the software supply chain equivalent of a virus that teaches itself to cough.

The mechanism is straightforward and that's what makes it dangerous: compromise one maintainer, publish a poisoned package update, harvest credentials from downstream developers, repeat. Organizations running automated dependency updates without integrity verification are particularly exposed.

Immediate actions: audit your npm dependencies, enforce package-lock integrity checks, and review CI/CD pipeline permissions. Developer machines are an increasingly attractive first-hop into enterprise environments.

MITRE TTPs: T1195.002 (Compromise Software Supply Chain), T1078 (Valid Accounts), T1041 (Exfiltration Over C2 Channel)

Telegram Session Theft -- Beyond the Obvious

SANS ISC documented a honeypot incident this week that illustrates how attacker objectives have evolved. What started as a routine SSH brute-force and cryptominer deployment pivoted immediately to targeting Telegram Desktop's tdata directory -- the local session folder that authenticates a user without a fresh login, so no 2FA challenge is ever presented.

The attack chain: SSH access via weak credentials, miner competition check, tdata exfiltration, SMS-based 2FA bypass prep via modem device enumeration. The payload isn't CPU cycles -- it's persistent account access. Stolen tdata can be dropped into any Telegram Desktop install to immediately authenticate as the victim, no phone number required.

For organizations using Telegram for internal communications or client coordination: treat tdata like a credential store, because attackers already do.

MITRE TTPs: T1110.001 (Brute Force: Password Guessing), T1555 (Credentials from Password Stores), T1041 (Exfiltration Over C2 Channel)

APT28 Router Exploitation and DNS Hijacking

Russian APT28 (Fancy Bear) is actively exploiting vulnerable routers to perform DNS hijacking and adversary-in-the-middle attacks, according to the UK NCSC. The objective: intercept credentials and authentication data at the network layer -- invisible to endpoint detection tools and most SIEM configurations without network-layer telemetry.

Router firmware hygiene remains one of the most neglected attack surfaces in enterprise environments. Perimeter devices are high-value targets precisely because they're often outside the scope of standard patch management cycles.

April Patch Tuesday -- What You May Have Missed

April's Patch Tuesday addressed critical vulnerabilities in SAP, Adobe, Microsoft SharePoint (1,300+ servers still unpatched), Fortinet, and ColdFusion. Microsoft also released an out-of-band emergency patch for a critical ASP.NET Core privilege escalation flaw -- the kind that doesn't wait for the second Tuesday of the month.

SharePoint deserves specific attention: the spoofing vulnerability being actively abused was a zero-day at disclosure and remains unpatched on over 1,300 exposed servers. If SharePoint is in your environment, patch priority should be immediate.

Takeaway

This week's thread: attackers are following the path of least resistance into environments through supply chains, unpatched perimeter devices, and credential stores that defenders don't think of as credential stores. The sophistication isn't in the techniques -- it's in the targeting. Patch, audit your dependencies, and start treating developer workstations like the attack surface they've become.

Sources:

- SANS ISC Diary: Telegram tdata Credential Harvesting (April 22, 2026)

- BleepingComputer: npm supply-chain attack, Apache ActiveMQ, ASP.NET OOB patch, SharePoint spoofing

- CISA KEV: Eight new additions (April 21-22, 2026)

- UK NCSC: APT28 router exploitation advisory

- Rescana / The Hacker News: April 2026 Patch Tuesday coverage