← Back to Blog
Security Briefing3 min read2026-04-19

Security Briefing, April 19 2026: protobuf.js RCE, Mirai Nexcorium, and Operation PowerOFF

Today’s security briefing tracks three concrete signals: a critical protobuf.js code-execution flaw with public PoC, Mirai-driven exploitation of TBK DVRs and aging routers, and a global takedown that hit the DDoS-for-hire ecosystem.


Top line: This morning is about exposure concentration. One story hits software supply chains, one hits neglected edge devices, and one shows how aggressively law enforcement is pressuring the cheap DDoS market. Security teams should split work into dependency patching, IoT containment, and abuse monitoring.


1. protobuf.js moved into the urgent dependency queue

A critical protobuf.js flaw, tracked as GHSA-xq3m-2v4x-88gg, can lead to remote code execution when applications load attacker-influenced schemas. Endor Labs says exploitation is straightforward because unsafe dynamic code generation allows malicious identifiers to inject code into generated functions. The library sits deep in many JavaScript stacks and sees roughly 50 million weekly npm downloads.


2. Mirai operators are still farming old IoT gear

Fortinet says the Nexcorium Mirai variant is exploiting CVE-2024-3721 in TBK DVR devices and combines that access with brute-force activity and older Huawei exploit logic. Palo Alto Networks also saw attempts to hit end-of-life TP-Link routers. This is the familiar lesson again: old internet-facing appliances become cheap botnet inventory when patching and credential hygiene rot.


3. Operation PowerOFF raised the cost of DDoS-for-hire abuse

Europol-backed Operation PowerOFF seized 53 domains, exposed databases tied to more than 3 million criminal accounts, and targeted services used by over 75,000 customers. The important defensive signal is not that DDoS is gone. It is that pressure on booter infrastructure is rising, which can trigger retaliation, migration, or short-term noise as operators and users scatter.


What security teams should do today

  1. Patch protobuf.js exposure in internet-facing or multi-tenant JavaScript services first.
  2. Pull an inventory of vulnerable DVRs, routers, and any device still reachable with weak credentials or Telnet.
  3. Ask your network and SOC teams whether DDoS monitoring thresholds need a temporary tuning pass after Operation PowerOFF.
  4. Send one plain-language note to leadership: dependency risk, IoT botnet risk, and DDoS ecosystem churn are separate problems and need separate owners.

Bottom line: Bottom line: today’s threat picture is a stack problem, an edge problem, and a market problem at the same time. Patch the library, clean up the appliances, and do not assume takedowns mean quiet networks.

Separate urgent patching from noisy distraction

KENSAI helps security teams verify exposed dependencies, weak edge devices, and active abuse pressure before the next alert storm turns into real damage.

Start Free Scan →

Stay sharp.

🗡️ KENSAI Security Team