Security Briefing March 31, 2026 · 9 min read

Axios npm Supply Chain Attack Delivers Cross-Platform RAT, CISA Orders Emergency Citrix Patching, Silver Fox Deploys AtlasCross RAT, Fortinet EMS Exploitation Begins

The massively popular Axios npm package (83M+ weekly downloads) is compromised via a hijacked maintainer account, delivering a cross-platform RAT targeting Windows, macOS, and Linux. CISA issues an emergency directive ordering federal agencies to patch actively exploited Citrix NetScaler CVE-2026-3055 by Thursday. Chinese APT Silver Fox expands across Asia with a new AtlasCross RAT delivered via typosquatted domains. Fortinet FortiClient EMS critical SQL injection flaw exploitation begins in the wild. Dutch Finance Ministry takes treasury banking portal offline as breach investigation expands.


1. Axios npm Supply Chain Attack — Cross-Platform RAT Hits 83M Weekly Downloads

⚠ CRITICAL — Active Supply Chain Compromise

Axios versions 1.14.1 and 0.30.4 contain a malicious dependency that drops a cross-platform RAT targeting Windows, macOS, and Linux. The attack was executed via compromised npm credentials of the primary maintainer. Immediate downgrade and secret rotation required.

The Axios HTTP client library — one of the most widely used packages in the JavaScript ecosystem with over 83 million weekly downloads — has suffered a sophisticated supply chain attack. Two malicious versions (1.14.1 and 0.30.4) were published to npm using the compromised credentials of primary maintainer "jasonsaayman."

Attack Mechanics

The attacker injected a fake dependency called "plain-crypto-js" (version 4.2.1), whose sole purpose is to execute a postinstall script acting as a cross-platform RAT dropper. The malware contacts a live C2 server and delivers platform-specific second-stage payloads for macOS, Windows, and Linux. After execution, it self-destructs and replaces its own package.json with a clean version to evade forensic detection.

Precise Attack Timeline

StepSecurity researcher Ashish Kurmi emphasized: "This was not opportunistic. The malicious dependency was staged 18 hours in advance. Three separate payloads were pre-built for three operating systems. Both release branches were hit within 39 minutes. Every trace was designed to self-destruct."

Immediate Actions Required


2. CISA Orders Emergency Citrix NetScaler Patching — CVE-2026-3055 Actively Exploited

⚠ CRITICAL — Emergency Federal Directive with Thursday Deadline

CISA has added CVE-2026-3055 to the Known Exploited Vulnerabilities catalog and ordered all federal agencies to patch Citrix NetScaler appliances by April 2. The flaw is technically similar to the devastating CitrixBleed vulnerabilities and is already being exploited to steal admin session IDs.

CISA has issued an emergency patching directive after adding Citrix NetScaler vulnerability CVE-2026-3055 to its Known Exploited Vulnerabilities (KEV) catalog. Federal Civilian Executive Branch agencies must secure all vulnerable appliances by Thursday, April 2, under BOD 22-01.

Technical Details

The vulnerability stems from insufficient input validation in Citrix ADC and Citrix Gateway appliances configured as SAML identity providers (IDPs). Unauthenticated remote attackers can exploit it to leak sensitive application memory, including admin authentication session IDs — potentially enabling full appliance takeover.

Cybersecurity firm Watchtowr confirmed active exploitation began days after Citrix released patches on March 23, with attackers targeting the same memory-leak class of bugs that made CitrixBleed and CitrixBleed2 so devastating.

Exposure Scale


3. Silver Fox APT Deploys AtlasCross RAT via Typosquatted Domains

🔶 HIGH — New RAT in Chinese APT Arsenal

Chinese cybercrime group Silver Fox has deployed a previously undocumented AtlasCross RAT via 11+ typosquatted domains impersonating Surfshark, Signal, Telegram, Zoom, and Microsoft Teams.

Chinese-speaking users are being targeted by Silver Fox (also tracked as SwimSnake, Valley Thief, UTG-Q-1000, and Void Arachne) in an active campaign using typosquatted domains impersonating trusted software brands. The campaign delivers a previously undocumented remote access trojan named AtlasCross RAT.

Campaign Infrastructure

German cybersecurity firm Hexastrike identified 11 confirmed delivery domains covering:

Technical Evolution

AtlasCross RAT represents a significant evolution from Silver Fox's previous arsenal of Gh0st RAT derivatives (ValleyRAT/Winos 4.0, Gh0stCringe, HoldingHands RAT). The attack chain uses bogus websites to deliver ZIP archives containing a trojanized Autodesk binary that launches a shellcode loader, extracting C2 details from an embedded Gh0st RAT configuration and downloading second-stage payloads over TCP port 9899.

Defensive Recommendations


4. Fortinet FortiClient EMS Critical SQL Injection — Active Exploitation Begins

⚠ CRITICAL — Enterprise Endpoint Management at Risk

A critical SQL injection vulnerability in Fortinet FortiClient EMS allows unauthenticated attackers to execute arbitrary code remotely via crafted HTTP requests. Exploitation in the wild has been confirmed.

Exploitation of a critical-severity SQL injection flaw in Fortinet FortiClient Enterprise Management Server (EMS) has begun in the wild. The vulnerability allows unauthenticated remote attackers to execute arbitrary code via specially crafted HTTP requests targeting the management console.

Impact Assessment

FortiClient EMS is widely deployed across enterprises for centralized endpoint management, patch deployment, and security policy enforcement. A successful exploit gives attackers:

Immediate Actions


5. Dutch Finance Ministry Expands Breach Response — Treasury Portal Offline

🔶 HIGH — Government Digital Infrastructure Disrupted

The Dutch Finance Ministry has taken its treasury banking portal and multiple systems offline, affecting ~1,600 public institutions' ability to access treasury accounts online.

The Dutch Ministry of Finance has significantly expanded its breach response, taking the digital treasury banking portal offline along with multiple other systems after the March 19 cyberattack. Minister of Finance Eelco Heinen disclosed in a statement to the Dutch House of Representatives that the shutdown affects approximately 1,600 public institutions.

Cascading Impact

Investigation Status

The Dutch National Cyber Security Center (NCSC) is assisting the investigation. No threat actor or cybercrime group has claimed responsibility. The ministry initially disclosed the breach last week, stating tax collection and citizen-facing services were unaffected, but today's expanded shutdown reveals the incident's impact is broader than initially communicated.


Threat Landscape Summary

ThreatSeverityAction Required
Axios npm supply chain RATCRITICALDowngrade to 1.14.0/0.30.3, rotate all secrets
Citrix NetScaler CVE-2026-3055CRITICALPatch SAML IDP appliances by April 2
Silver Fox AtlasCross RATHIGHBlock typosquatted domains, monitor TCP 9899
Fortinet FortiClient EMS SQLiCRITICALPatch EMS, restrict management interface access
Dutch Finance Ministry breachHIGHDutch partners: verify shared infrastructure exposure

Stay Ahead of the Threat Curve

Daily intelligence briefings, real-world attack analysis, and actionable defensive guidance.

Explore KENSAI

— KENSAI Security Intelligence · Published March 31, 2026

Related Articles

Trivy Supply-Chain Attack Steals Credentials Redirecting... SOC 2 Security Testing & Vulnerability Management Guide