<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0">
  <channel>
    <title>Tenable Blog</title>
    <link>https://www.tenable.com/</link>
    <description/>
    <language>en</language>
    <atom:link href="https://www.tenable.com/blog/feed" rel="self" type="application/rss+xml"/>
    
    <item>
  <title>Beating the Mythos clock: Using Tenable Hexa AI custom agents for automated patching</title>
  <link>https://www.tenable.com/blog/beating-the-mythos-clock-using-tenable-hexa-ai-custom-agents-for-automated-patching</link>
  <description>&lt;p&gt;See how Tenable Hexa AI custom agents empower you to counter machine-speed threats by automating vulnerability remediation. Learn how the Model Context Protocol (MCP) automates execution of risk-driven patching workflows, shifting your strategy from reactive tracking to continuous exposure management.&lt;/p&gt;&lt;div class="blog-see-also"&gt;&lt;div class="col-sm-12"&gt;&lt;h2&gt;Key takeaways&lt;/h2&gt;&lt;ol&gt;&lt;li&gt;Even in previews, powerful AI models like &lt;a href="https://www.tenable.com/blog/claude-mythos-prepare-for-AI-cybersecurity-questions-from-your-board-of-directors" target="_blank"&gt;Claude Mythos&lt;/a&gt; show us how quickly adversaries could weaponize newly discovered vulnerabilities. Traditional, manual patching cycles can’t keep up with machine-speed threats.&lt;br&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;Tenable Hexa AI, the agentic engine of the Tenable One Exposure Management Platform, allows you to build custom agents to automate vulnerability prioritization and remediation at machine speed and scale.&lt;br&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;Because Tenable Hexa AI uses the Model Context Protocol (MCP), it can function as the orchestration layer linking any LLMs you’re using to your other security tools. In other words, with Tenable Hexa AI, you can use an LLM to trigger vulnerability remediation workflows that leverage custom agents alongside your preferred patching tools to eliminate manual delays and accelerate risk reduction.&lt;/li&gt;&lt;/ol&gt;&lt;/div&gt;&lt;/div&gt;&lt;p&gt;Frontier AI models like &lt;a href="https://red.anthropic.com/2026/mythos-preview/" target="_blank"&gt;Anthropic’s Claude Mythos&lt;/a&gt; have demonstrated the potential to collapse the window between vulnerability discovery and exploitation from days to hours. 
In internal testing, Anthropic says Mythos Preview provided a fully functional exploit kit fully autonomously for a 17-year-old remote code execution (RCE) vulnerability within “several hours.”&lt;/p&gt;&lt;p&gt;In an environment where attackers operate at machine speed, traditional 30-day patch cycles and manual ticketing systems are not just slow, they’re a liability.&amp;nbsp;&lt;/p&gt;&lt;p&gt;As Tenable CTO Vlad Korsunsky recently wrote in &lt;a href="https://www.tenable.com/blog/claude-mythos-prepare-for-AI-cybersecurity-questions-from-your-board-of-directors" target="_blank"&gt;a blog on Claude Mythos&lt;/a&gt;, closing your patch gap has never been more critical. &lt;a href="https://www.tenable.com/blog/hexa-ai-agentic-ai-for-exposure-management" target="_blank"&gt;Tenable Hexa AI&lt;/a&gt; is built to close this gap, accelerate exposure and vulnerability remediation cycles from human speed to machine speed, and automate a variety of complex, multi-step security tasks.&amp;nbsp;&lt;/p&gt;&lt;h2&gt;The power of custom Tenable Hexa AI agents&lt;/h2&gt;&lt;p&gt;In our first blog on use cases for the Tenable Hexa AI agentic engine, we showed how you can &lt;a href="https://www.tenable.com/blog/crushing-axios-supply-chain-threat-tenable-hexa-ai-agentic-ai-use-cases" target="_blank"&gt;use Tenable Hexa AI to identify assets impacted by the Axios npm supply chain attack&lt;/a&gt;. While rapid identification and prioritization form the bedrock of exposure management, the sheer volume of modern threats requires teams to scale their response by automating mitigation for the specific risks that actually impact their environment.&lt;/p&gt;&lt;p&gt;Tenable Hexa AI enables you to build custom agents to automate workflows tailored to your unique environment. 
By utilizing the &lt;a href="https://www.tenable.com/blog/faq-about-model-context-protocol-mcp-and-integrating-ai-for-agentic-applications" target="_blank"&gt;Model Context Protocol (MCP)&lt;/a&gt;, Tenable Hexa AI securely connects large language models (LLMs) like Claude with your internal tech stack and execution tools. With this capability, you aren't just asking an LLM what is vulnerable; you’re mobilizing an agent to fix it.&lt;/p&gt;&lt;h2&gt;Automating vulnerability prioritization and remediation with Tenable Hexa AI&amp;nbsp;&lt;/h2&gt;&lt;p&gt;Let’s look at a real-world workflow where we use an LLM (in this case, Claude) combined with a custom Tenable Hexa AI agent to conduct automated patching and instantly accelerate risk reduction.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Step 1: Command the agent using natural language&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;The workflow begins in Claude with a natural language prompt:&lt;/p&gt;&lt;p&gt;“Use Tenable Vulnerability Management and Tenable Patch Management to identify and patch any critical VPR vulnerabilities on the asset, rsac-svr-2022”&amp;nbsp;&lt;/p&gt;&lt;img class="vidyard-player-embed align-center" src="https://play.vidyard.com/vg72JcFkbP2yd1GKqKPkjT.jpg" alt="Video explaining how Tenable Hexa AI functions as the orchestration layer connecting your preferred LLM to your preferred patching tool," width="100%" height="100%" data-uuid="vg72JcFkbP2yd1GKqKPkjT" data-v="4" data-type="inline" loading="lazy"&gt;&lt;p class="text-align-center"&gt;&lt;em&gt;Tenable Hexa AI functions as the orchestration layer connecting your preferred LLM to your preferred patching tool, allowing you to trigger autonomous actions directly from your LLM.&lt;/em&gt;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Step 2: Prompt triggers agentic &lt;/strong&gt;&lt;a href="https://www.tenable.com/products/vulnerability-management/use-cases/prioritization" target="_blank"&gt;&lt;strong&gt;vulnerability 
prioritization&lt;/strong&gt;&lt;/a&gt;&lt;/p&gt;&lt;p&gt;The prompt triggers the custom Tenable Hexa AI agent to immediately query Tenable, locate the specific asset, and filter the findings using Tenable’s &lt;a href="https://www.tenable.com/capabilities/vulnerability-priority-rating" target="_blank"&gt;Vulnerability Priority Rating (VPR)&lt;/a&gt;.&amp;nbsp;&lt;/p&gt;&lt;p&gt;In contrast with other vulnerability scoring systems, like &lt;a href="https://www.tenable.com/cybersecurity-guide/principles/common-vulnerability-scoring-system-cvss#vs-other-scoring-models" target="_blank"&gt;CVSS and EPSS&lt;/a&gt;, which score based on theoretical risk and probability of exploitation, the Vulnerability Priority Rating pinpoints the roughly &lt;a href="https://www.tenable.com/whitepapers/enhancements-to-tenable-vulnerability-priority-rating-vpr" target="_blank"&gt;1.6% of vulnerabilities&lt;/a&gt; that actually pose an immediate risk to your organization based on real-world exploitability data and potential business impact.&lt;/p&gt;&lt;p&gt;By using the Tenable Vulnerability Priority Rating as a strict filtering criterion, custom agents can then trigger automated workflows exclusively for your most critical &lt;a href="https://www.tenable.com/cve" target="_blank"&gt;CVEs&lt;/a&gt;.&lt;/p&gt;&lt;img class="vidyard-player-embed" src="https://play.vidyard.com/nWxAjtz2UQnooWbscQQSUy.jpg" alt="Video explaining how a simple prompt in Claude triggers a custom Tenable Hexa AI agent to carry out the command" width="100%" height="100%" data-uuid="nWxAjtz2UQnooWbscQQSUy" data-v="4" data-type="inline" loading="lazy"&gt;&lt;p class="text-align-center"&gt;&lt;em&gt;A simple prompt in Claude triggers a custom Tenable Hexa AI agent to carry out the command.&lt;/em&gt;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Step 3: Agent automates patch deployment&amp;nbsp;&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;Once the true priorities are identified, the Tenable Hexa AI agent directly triggers your patching tool of 
choice (in this example, &lt;a href="https://www.tenable.com/products/patch-management" target="_blank"&gt;Tenable Patch Management&lt;/a&gt;) to seamlessly deploy the fix to the asset, removing manual delays from the remediation cycle.&lt;/p&gt;&lt;p&gt;To deliver trusted execution alongside machine speed, the Tenable Hexa AI agent relies on Tenable’s &lt;a href="https://www.tenable.com/exposure-management" target="_blank"&gt;Exposure Data Fabric&lt;/a&gt;, the industry’s richest repository of contextualized exposure data. The Exposure Data Fabric maps the interactions among vulnerabilities, identities, and assets to provide the deep environmental context that agents need to take safe, precise action. Limiting network changes strictly to material exposures earns the operational confidence from IT required to successfully scale automated VulnOps workflows.&lt;/p&gt;&lt;p&gt;With custom agents, you maintain total authority over the execution phase. You can build specific human-in-the-loop (HITL) checkpoints directly into the agent’s logic — choosing exactly when to unleash full automated execution and when to require a strategic manual sign-off — allowing you to confidently close the exploit window without risking operational disruption.&lt;/p&gt;&lt;img class="vidyard-player-embed align-center" src="https://play.vidyard.com/qbdJraRJXe6fMcMRkTXD7J.jpg" alt="Video explaining how the Tenable Hexa AI agent automates patch deployment" width="100%" height="100%" data-uuid="qbdJraRJXe6fMcMRkTXD7J" data-v="4" data-type="inline" loading="lazy"&gt;&lt;p class="text-align-center"&gt;&lt;em&gt;The custom Tenable Hexa AI agent automates patch deployment, eliminating manual delays.&lt;/em&gt;&lt;br&gt;&amp;nbsp;&lt;/p&gt;&lt;h2&gt;Scaling vulnerability remediation efforts with agentic AI&amp;nbsp;&lt;/h2&gt;&lt;p&gt;The economics of cyberattacks have fundamentally shifted. 
With high-level exploits now costing attackers &lt;a href="https://www.helpnetsecurity.com/2026/04/08/anthropic-claude-mythos-preview-identify-vulnerabilities/" target="_blank"&gt;under $2,000 and taking less than one day&lt;/a&gt; to develop, the accelerating volume of AI-discovered vulnerabilities will quickly overwhelm even the most well-resourced security teams. To survive, defenders must shift their economics, too.&amp;nbsp;&lt;/p&gt;&lt;p&gt;Tenable Hexa AI acts as the crucial force multiplier to make that shift possible. By integrating custom AI agents into your security workflows, you reduce the “cost per remediation.” This empowers a single analyst to automate repetitive tasks, efficiently triage patches, and manage exposures at scale.&lt;/p&gt;&lt;p&gt;Ultimately, establishing these automated remediation pipelines allows defenders to operate at machine speed without burning out. You successfully transition your strategy from reactive tracking to proactive exposure management, permanently closing the gap between how fast vulnerabilities are found and how fast your organization can respond.&lt;/p&gt;&lt;h2&gt;Ready to build your own custom automated workflows and beat the exploit clock?&lt;/h2&gt;&lt;p&gt;Tenable Hexa AI is currently in private preview for select &lt;a href="https://www.tenable.com/products/tenable-one" target="_blank"&gt;Tenable One&lt;/a&gt; customers. Contact your Tenable Account Team to join the private preview program.&lt;/p&gt;&lt;p&gt;&lt;em&gt;Want to learn more? Download the &lt;/em&gt;&lt;a href="https://tenable.com/data-sheets/tenable-hexa-ai-the-agentic-engine-for-tenable-one-exposure-management?_gl=1*1kgfd36*_gcl_au*MTM1OTQwNzA4Ni4xNzc1MjI1NzQ5LjEwNTU3NjQyNS4xNzc1NTA2Mzg2LjE3NzU1MDYzODU.*_ga*MTkxNDcxMTUyLjE3NzUyMjI1Mzc.*_ga_HSJ1XWV6ND*czE3NzYxMDIyODckbzI0JGcxJHQxNzc2MTA1OTk3JGo1OSRsMCRoMTU2NDYxNDAzMQ.." 
target="_blank"&gt;&lt;em&gt;Tenable Hexa AI data sheet&lt;/em&gt;&lt;/a&gt;&lt;em&gt; to get the full technical breakdown of our agentic capabilities.&lt;/em&gt;&lt;/p&gt;
&lt;img src="https://www.tenable.com/sites/default/files/images/articles/AdobeStock_112185177%20%282%29.jpeg"&gt;
</description>
  <pubDate>Thu, 16 Apr 2026 14:35:00 -0400</pubDate>
    <dc:creator>Ziga Cerkovnik</dc:creator>
    <guid isPermaLink="true">https://www.tenable.com/210847</guid>
    </item>
<item>
  <title>Unlocking foundational visibility for cyber-physical systems with OT vulnerability management</title>
  <link>https://www.tenable.com/blog/ot-vulnerability-management-cyber-physical-systems-cybersecurity</link>
  <description>&lt;p&gt;Stop managing risk in silos. VM-Native OT Discovery, now available in Tenable Vulnerability Management and Tenable Security Center, provides unified visibility across IT and OT domains. See every asset and manage your total cyber exposure in a unified view.&lt;/p&gt;&lt;div class="blog-see-also"&gt;&lt;div class="col-sm-12"&gt;&lt;h2&gt;Key takeaways&lt;/h2&gt;&lt;ol&gt;&lt;li&gt;The air gap is dead. IT security teams are inheriting responsibility for operational technology (OT), but often lack visibility into these systems.&lt;br&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;Security teams face significant barriers with OT security. Fear of disrupting fragile devices and the high cost of specialized hardware have created a dangerous "black box" in the attack surface.&lt;br&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;The perfect “on-ramp” to OT security. A new OT Discovery engine embedded in Tenable Vulnerability Management and Tenable Security Center allows security teams to safely profile OT, IoT, and shadow IT assets using the tools they already own.&lt;/li&gt;&lt;/ol&gt;&lt;/div&gt;&lt;/div&gt;&lt;p&gt;For decades, the concept of the "air gap" — a physical isolation between IT networks and critical &lt;a href="https://www.tenable.com/principles/operational-technology-principles"&gt;operational technology&lt;/a&gt; (OT) — provided security leaders with a sense of comfort. The assumption was simple. Digital threats stay on the corporate network, while physical operations run safely in isolation.&lt;/p&gt;&lt;p&gt;In today's hyper-connected world, that assumption is often wrong and leaves your OT environment exposed to preventable cyber risk.&lt;/p&gt;&lt;p&gt;From modern data centers and smart hospitals to commercial real estate and universities, the line between the digital and the physical has blurred. 
IT security teams are increasingly inheriting responsibility for securing &lt;a href="https://www.tenable.com/blog/how-to-unlock-advanced-iot-visibility-for-cyber-physical-systems"&gt;cyber-physical systems &lt;/a&gt;(CPS) — the HVAC controllers keeping servers cool, the badge readers securing facility entrances, and the power distribution units keeping the lights on.&lt;/p&gt;&lt;p&gt;Yet, for many organizations, these OT assets are a massive blind spot.&lt;/p&gt;&lt;h2&gt;The "black box" problem&lt;/h2&gt;&lt;p&gt;While &lt;a href="https://www.tenable.com/solutions/vulnerability-management"&gt;vulnerability management&lt;/a&gt; programs have matured rapidly for IT assets, covering everything from cloud workloads to laptops, operational environments are often a "black box."&lt;/p&gt;&lt;p&gt;This visibility gap usually stems from two distinct barriers:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;There is a pervasive (and historically valid) fear that scanning OT/IoT assets with traditional IT security tools could knock fragile devices offline, &lt;strong&gt;disrupting critical business operations&lt;/strong&gt;.&lt;br&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;Traditional &lt;a href="https://www.tenable.com/source/operational-technology"&gt;OT security&lt;/a&gt; tools often require a massive undertaking. The &lt;strong&gt;complexity and cost&lt;/strong&gt; of deploying expensive specialized hardware, managing long-term evaluations, architecting complex mirror ports, and navigating the political minefield of installing new appliances in sensitive production environments make these projects difficult to justify.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;The result is a dangerous paradox. Security teams are responsible for the risk of interconnected systems, but don’t have the tools to see or secure them. 
Attackers, however, face no such barriers, frequently pivoting from compromised IT networks to poorly defended OT assets to maximize impact.&lt;/p&gt;&lt;h2&gt;Rethinking converged OT/IT security&lt;/h2&gt;&lt;p&gt;To secure the modern attack surface, organizations must stop &lt;a href="https://www.tenable.com/solutions/it-ot"&gt;managing IT and OT&lt;/a&gt; risk in silos. Security leaders need a unified view that treats a vulnerability on a programmable logic controller (PLC) with the same rigor and context as a vulnerability on a Windows server.&lt;/p&gt;&lt;p&gt;Achieving this requires a fundamental shift in how we approach &lt;a href="http://tenable.com/products/vulnerability-management/use-cases/asset-discovery"&gt;asset discovery&lt;/a&gt;. Security teams need streamlined methods that provide the necessary depth of OT visibility for compliance and risk reduction, without the friction of deploying hardware across physical sites. They need a way to safely see shadow OT assets using the infrastructure already in place.&lt;br&gt;&amp;nbsp;&lt;/p&gt;&lt;img src="https://www.tenable.com/sites/default/files/inline/images/Tenable%E2%80%99s%20research%20and%20testing%20lab%20for%20operational%20technology_0.jpg" data-entity-uuid="675ab1d6-790f-4d01-9c5f-f5eca1bd23b4" data-entity-type="file" alt="Tenable’s research and testing lab for operational technology (OT)" width="1200" height="675" class="align-center" loading="lazy"&gt;&lt;p class="text-align-center"&gt;&lt;em&gt;&lt;sup&gt;Image: A segment of Tenable’s research and testing lab for operational technology (OT).&lt;/sup&gt;&lt;/em&gt;&lt;/p&gt;&lt;h2&gt;Introducing VM-Native OT Discovery&lt;/h2&gt;&lt;p&gt;Our latest release fundamentally changes the economics and accessibility of &lt;a href="https://www.tenable.com/products/ot-security"&gt;OT security tools&lt;/a&gt;. 
We are excited to announce &lt;strong&gt;OT Discovery&lt;/strong&gt;, a new capability embedded directly inside the &lt;a href="https://www.tenable.com/products/tenable-one"&gt;Tenable One Exposure Management Platform&lt;/a&gt; that provides security teams with foundational visibility into OT and IoT environments. It’s the perfect on-ramp to OT security, so you can uncover hidden OT risks and deep asset-level details.&amp;nbsp;&lt;/p&gt;&lt;p&gt;Here is how it changes the game for your security program:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;Safe visibility for cyber-physical systems.&lt;/strong&gt; OT Discovery uses the same Active Query engine found in our specialized Tenable &lt;a href="https://www.tenable.com/solutions/it-ot"&gt;OT Security solution&lt;/a&gt;—now natively integrated into &lt;a href="https://www.tenable.com/products/vulnerability-management"&gt;Tenable Vulnerability Management&lt;/a&gt; and &lt;a href="https://www.tenable.com/products/tenable-one"&gt;Tenable One&lt;/a&gt;. It performs "smart," protocol-aware handshakes to verify assets before querying them so you can safely profile PLCs, human-machine interfaces (HMIs), &lt;a href="https://youtube.com/shorts/GVAVruXRqUE?si=VhO49qLi_7mM07lL"&gt;IoT devices&lt;/a&gt;, and shadow IT assets across your environment.&lt;br&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Unified OT/IT &lt;/strong&gt;&lt;a href="https://www.tenable.com/exposure-management"&gt;&lt;strong&gt;exposure management&lt;/strong&gt;&lt;/a&gt;&lt;strong&gt;.&lt;/strong&gt; By integrating OT asset data, including vendor, model, and firmware details, directly into your existing dashboards, you can break down silos and view your organization's total risk exposure in a single pane of glass.&lt;br&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Extend the value of your security investments.&lt;/strong&gt; No need to rip and replace or install new hardware. 
This capability enables you to extend the value of your existing vulnerability management toolsets to uncover the OT risk hiding on your network.&lt;/li&gt;&lt;/ul&gt;&lt;h2&gt;Breaking down silos across IT and OT&lt;/h2&gt;&lt;p&gt;Adopting a unified approach to OT/IT &lt;a href="https://www.tenable.com/products/tenable-one"&gt;exposure management&lt;/a&gt; builds trust.&lt;/p&gt;&lt;p&gt;Historically, the relationship between IT security and facility operations teams has been strained. IT wants to scan and patch known vulnerabilities. Operations teams require uptime and stability. When IT security teams try to enter the OT space with aggressive scans or unfamiliar hardware, friction is inevitable.&lt;/p&gt;&lt;p&gt;VM-Native OT Discovery changes the conversation. Because Tenable relies on trusted, safe query methods through familiar infrastructure, the security team can approach the ops team with reliable data and real-time exposure intelligence.&lt;/p&gt;&lt;p&gt;Instead of asking, &lt;em&gt;"Can we install a black box on your network?"&lt;/em&gt; you can say, &lt;em&gt;"We noticed three unmanaged PLCs communicating on the subnet. Here is exactly what they are. Let’s work together to secure them now rather than waiting 6-12 months to patch during the next maintenance interval."&lt;/em&gt;&lt;/p&gt;&lt;h2&gt;Get started with OT security today&lt;/h2&gt;&lt;p&gt;OT security is no longer just for industrial giants and organizations managing critical national infrastructure. Every manufacturer, warehouse operator, and organization with smart building management systems faces operational risk.&lt;/p&gt;&lt;p&gt;Ready to get visibility into your OT blind spots? You don't need a massive budget or a year-long deployment project to get started. 
Watch this quick demo to see how you can secure your most critical assets with the vulnerability management tools you already use.&lt;br&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&lt;br&gt;&lt;em&gt;Are you an existing Tenable customer?&lt;/em&gt; &lt;em&gt;Explore the user guide documentation for &lt;/em&gt;&lt;a href="https://docs.tenable.com/vulnerability-management/Content/Scans/Templates.htm"&gt;&lt;em&gt;Scan Templates&lt;/em&gt;&lt;/a&gt;&lt;em&gt; and &lt;/em&gt;&lt;a href="https://docs.tenable.com/vulnerability-management/Content/Scans/DiscoverySettings.htm#Host"&gt;&lt;em&gt;Discovery Settings&lt;/em&gt;&lt;/a&gt;&lt;em&gt; to get started.&lt;/em&gt;&lt;/p&gt;&lt;h2&gt;Learn more&lt;/h2&gt;&lt;ul&gt;&lt;li&gt;Dive deeper into the challenges and solutions for securing OT with our eBook, “&lt;a href="https://www.tenable.com/whitepapers/blackbox-to-blueprint-the-security-leaders-guidebook-to-managing-ot-and-it-risk"&gt;&lt;strong&gt;Blackbox to blueprint: A security leader’s guide to managing OT and IT risk&lt;/strong&gt;&lt;/a&gt;&lt;strong&gt;.”&lt;/strong&gt;&lt;/li&gt;&lt;li&gt;Explore our complete &lt;a href="https://www.tenable.com/products/tenable-one"&gt;&lt;strong&gt;Tenable One exposure management platform&lt;/strong&gt;&lt;/a&gt;, offering scalable security solutions for the entire attack surface.&lt;/li&gt;&lt;li&gt;&lt;a href="https://www.tenable.com/products/tenable-one/evaluate"&gt;&lt;strong&gt;Request a demo&lt;/strong&gt;&lt;/a&gt; to find out how Tenable exposure management solutions fit into your cybersecurity roadmap.&lt;/li&gt;&lt;/ul&gt;
&lt;img src="https://www.tenable.com/sites/default/files/images/articles/Unlocking%20Foundational%20Visibility%20for%20Cyber-Physical%20Systems%20with%20OT%20Vulnerability%20Management.jpeg"&gt;
</description>
  <pubDate>Wed, 15 Apr 2026 08:50:00 -0400</pubDate>
    <dc:creator>Anthony Johnson</dc:creator>
    <guid isPermaLink="true">https://www.tenable.com/210721</guid>
    </item>
<item>
  <title>Claude Mythos: Prepare for your board’s cybersecurity questions about the latest AI model from Anthropic</title>
  <link>https://www.tenable.com/blog/claude-mythos-prepare-for-AI-cybersecurity-questions-from-your-board-of-directors</link>
  <description>&lt;div class="blog-see-also"&gt;&lt;div class="col-sm-12"&gt;&lt;p&gt;With the Federal Reserve Chairman meeting with bank CEOs to discuss the security implications of Claude Mythos, you can bet that your board of directors will ask you about the impact of the AI model on your cybersecurity strategy. Here’s how to prepare.&amp;nbsp;&lt;/p&gt;&lt;h2&gt;Key takeaways&lt;/h2&gt;&lt;ol&gt;&lt;li&gt;Anthropic announced Claude Mythos Preview, its most powerful general-purpose frontier model to date, and highlighted its exceptional ability to find software vulnerabilities that no human vulnerability researcher had previously discovered.&lt;br&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;With Claude Mythos continuing to dominate traditional news and social media, your board of directors will have questions for you about the impact of the new AI model on your cybersecurity strategy and risk posture.&lt;br&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;As the pace of vulnerability discovery accelerates with the use of frontier models like Claude Mythos, exposure management can help organizations quickly, continuously, and autonomously assess if they’re impacted by these vulnerabilities, evaluate the risk they pose, and orchestrate remediation.&amp;nbsp;&lt;/li&gt;&lt;/ol&gt;&lt;/div&gt;&lt;/div&gt;&lt;p&gt;On April 7, 2026, Anthropic unveiled &lt;a href="https://red.anthropic.com/2026/mythos-preview/"&gt;Claude Mythos Preview&lt;/a&gt;, its most powerful frontier model to date and one that excels at cybersecurity tasks, specifically, vulnerability discovery in code. (I previously wrote about &lt;a href="https://www.tenable.com/blog/Anthropic-Claude-Opus-AI-vulnerability-discovery-cybersecurity"&gt;Claude Opus 4.6&lt;/a&gt; and its impact on cybersecurity.)&lt;/p&gt;&lt;p&gt;I’ll spare you the details of the decades-old, zero-day vulnerabilities that Claude Mythos proved capable of finding and exploiting in internal testing, as I’m sure you’re already aware. 
But suffice it to say the model was so powerful, Anthropic thought it prudent to assemble a group of technology partners in an initiative called &lt;a href="https://www.anthropic.com/glasswing"&gt;Project Glasswing&lt;/a&gt; to apply Mythos’ capabilities to defensive security.&lt;/p&gt;&lt;p&gt;And now, with &lt;a href="https://www.cbsnews.com/news/mythos-anthropic-ai-cybersecurity-risks-powell-bessent/"&gt;Federal Reserve Chairman Jerome Powell meeting with leaders of the largest U.S. banks&lt;/a&gt; to discuss the cybersecurity implications of this mythic new model, you can bet that your board of directors and executive management team will have questions for you about Claude Mythos at the next quarterly meeting — or sooner.&amp;nbsp;&lt;/p&gt;&lt;p&gt;We’re here to help you provide answers.&amp;nbsp;&lt;/p&gt;&lt;h2&gt;The question every board will ask about Claude Mythos&lt;/h2&gt;&lt;p&gt;When it’s time for your 15-minute cyber update, your board of directors will inevitably ask you, “&lt;strong&gt;What are you doing about Claude Mythos? &lt;/strong&gt;How are you preparing for a world in which AI-assisted attackers can find and exploit vulnerabilities in minutes?”&lt;/p&gt;&lt;p&gt;Essentially, your board-friendly answer needs to be, “We’re fighting fire with fire. 
We’re transforming our security operations with agentic AI so that we can autonomously and preemptively find and fix our exposures at machine speed.” You can then report on the number of security workflows you’ve automated with AI and the increases in efficiency and effectiveness that you’re achieving as a result.&lt;/p&gt;&lt;p&gt;Depending on your board’s security savvy, you may need to address how you’re &lt;a href="https://www.tenable.com/blog/what-it-takes-to-start-the-exposure-management-journey"&gt;evolving your vulnerability management function&lt;/a&gt; to handle this new reality of AI-driven vulnerability discovery.&amp;nbsp;&lt;/p&gt;&lt;p&gt;One new approach that forward-leaning security leaders have begun implementing is &lt;a href="https://www.tenable.com/exposure-management/leadership-council"&gt;exposure management&lt;/a&gt;, or &lt;a href="https://www.tenable.com/cybersecurity-guide/learn/what-is-ctem"&gt;CTEM&lt;/a&gt;.&amp;nbsp;&lt;/p&gt;&lt;h2&gt;What is exposure management?&amp;nbsp;&lt;/h2&gt;&lt;p&gt;Exposure management is a strategic approach to preemptive security designed to reduce cyber risk. It continuously assesses, prioritizes, and remediates your organization’s most critical cyber exposures. Cyber exposures are toxic combinations of preventable cyber risks (such as vulnerabilities, misconfigurations, and excessive permissions) that give threat actors a path to your most sensitive systems and data.&lt;/p&gt;&lt;p&gt;By continually and agentically assessing, prioritizing, and remediating risks, exposure management provides the answer to the question of how to build a &lt;a href="https://labs.cloudsecurityalliance.org/mythos-ciso/"&gt;“Mythos-ready” security program&lt;/a&gt;. 
It offers the solution to the single biggest challenge associated with AI vulnerability discovery: how security and remediation teams will address the massive backlog of findings that AI-assisted vulnerability discovery will create.&amp;nbsp;&lt;/p&gt;&lt;h2&gt;Exposure management is a “Mythos-ready” security program&lt;/h2&gt;&lt;p&gt;To understand the role exposure management plays in a world flooded with AI-driven vulnerability discoveries, it’s important to understand the difference between frontier models and exposure management solutions.&amp;nbsp;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;What frontier models do:&lt;/strong&gt; Claude Code Security and Mythos Preview read and reason about source code. They identify logic flaws, memory corruption vulnerabilities, injection weaknesses, and authentication bypasses by tracing data flows and understanding how software components interact. Mythos does this with extraordinary autonomy and can chain vulnerabilities into working exploits. &lt;strong&gt;Fundamentally, this is application security:&lt;/strong&gt; static and dynamic analysis of codebases operating at the source-code layer.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;What exposure management does: &lt;/strong&gt;Exposure management allows you to discover every asset across your environment (IT, cloud, identity, AI, and OT); determine whether they’re vulnerable; prioritize exposures based on business and technical context; orchestrate staged remediation; and validate that fixes are closed. An individual vulnerability may not appear dangerous until it forms an attack chain leading to a critical system. 
Exposure management helps you see individual vulnerabilities in context and how they combine to create high-risk attack paths.&lt;/p&gt;&lt;p&gt;Bottom line: Frontier models and exposure management operate in categorically different domains and solve fundamentally different problems.&amp;nbsp;&lt;/p&gt;&lt;h2&gt;Exposure management and the preemptive security lifecycle&lt;/h2&gt;&lt;p&gt;To put a finer point on the difference between frontier models and exposure management, let’s examine the complete preemptive security lifecycle that enterprises require. Frontier AI — even at Mythos-class capability — addresses only the first stage of this lifecycle. Exposure management addresses everything else.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Stage 1 — Software vulnerability discovery.&lt;/strong&gt; Identifying that a flaw exists in software. This is where frontier models excel. Mythos has demonstrated extraordinary capability here, finding bugs that survived decades of human review and millions of automated test runs. This capability is genuine and consequential.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Stage 2 — Asset discovery.&lt;/strong&gt; Employing multiple discovery methods, including scanners, agents, OT-specific sensors, and more, to identify every asset in an enterprise: endpoints, servers, cloud workloads, containers, network devices, OT/ICS assets, identity objects, AI applications, MCP servers. This is something Mythos can’t do.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Stage 3 — Assessment.&lt;/strong&gt; Determining whether specific deployed assets are affected by specific vulnerabilities. This requires deep interrogation of the asset: connecting to live systems, parsing configurations, checking patch levels, inspecting running services across IT, cloud, OT, and identity environments at enterprise scale — and doing so without impairing the performance of the live asset. 
A model that found a Linux kernel vulnerability cannot determine which of an organization's 50,000 Linux hosts are running the affected version without sensor-level access.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Stage 4 — Prioritization.&lt;/strong&gt; This stage becomes more critical, not less, in an AI-accelerated world. When frontier models can discover thousands of new vulnerabilities in weeks and generate working exploits on demand, the volume flowing into the remediation pipeline explodes, but the operational constraints don’t change. Enterprises still have finite maintenance windows, change management processes, compatibility dependencies, and business continuity requirements. Patching 40,000+ CVEs simultaneously across 100,000 assets is not operationally feasible. The math only works with the intelligent prioritization that exposure management provides.&lt;/p&gt;&lt;h2&gt;4 steps to building a Mythos-ready security program: How Tenable can help&lt;/h2&gt;&lt;p&gt;In a recent blog, Anthropic offered several recommendations to &lt;a href="https://claude.com/blog/preparing-your-security-program-for-ai-accelerated-offense"&gt;prepare your security program for an AI-accelerated offense&lt;/a&gt;. Here’s how Tenable can help you strengthen your organization’s cybersecurity posture and reduce your risk in the age of AI-driven attacks:&amp;nbsp;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;1 - “Close your patch gap.” &lt;/strong&gt;Anthropic says to patch everything in the CISA KEV immediately, use EPSS to prioritize the rest, and automate deployment. In theory, this advice makes sense. In practice, it’s a bit misguided.&amp;nbsp;&lt;/p&gt;&lt;p&gt;For one thing, even if you patched everything in the CISA KEV immediately, you’d still have gaps. The &lt;a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog"&gt;CISA KEV catalog&lt;/a&gt; operates off of strict inclusion criteria, so just because a CVE hasn’t landed in the KEV doesn’t mean it’s less critical. 
On the contrary, Tenable Research is currently tracking 201 CVEs that are being actively exploited in the wild, yet that aren’t part of the KEV. The Citrix Session Recording Vulnerability (&lt;a href="https://www.tenable.com/cve/CVE-2024-8069"&gt;CVE-2024-8069&lt;/a&gt;) provides an example of a CVE for which Tenable Research issued a watch designation nearly a full year (286 days) before it hit the KEV.&lt;/p&gt;&lt;p&gt;Then there’s the issue of prioritization. With the vulnerability discovery capabilities of Mythos falling into the wrong hands, the number of vulnerabilities could grow by 10X or more. As Tenable Co-CEO Steve Vintz pointed out in a &lt;a href="https://www.linkedin.com/posts/steve-vintz-a6601b9_this-weeks-unveiling-of-project-glasswing-activity-7448471470751518720-Iyt6/?utm_source=share&amp;amp;utm_medium=member_desktop&amp;amp;rcm=ACoAAAFjTacB3vTEyYPJ75KqQBzcdl5bCuRqIVc"&gt;recent LinkedIn post&lt;/a&gt;, “Prioritization is no longer optional. It’s survival.”&amp;nbsp;&lt;/p&gt;&lt;p&gt;But prioritizing based on EPSS alone will leave you chasing your tail. EPSS prioritizes based only on probability of exploitation. In contrast, Tenable One provides much finer-grained prioritization than both &lt;a href="https://www.tenable.com/webinars/the-prioritization-puzzle-cvss-vs-epss-vs-vpr"&gt;EPSS and CVSS&lt;/a&gt;. Through the proprietary &lt;a href="https://www.tenable.com/capabilities/vulnerability-priority-rating"&gt;Vulnerability Priority Rating (VPR)&lt;/a&gt;, Tenable uses machine learning to narrow the 60% of CVEs flagged as critical or high by CVSS to the &lt;a href="https://www.tenable.com/whitepapers/enhancements-to-tenable-vulnerability-priority-rating-vpr"&gt;1.6% that create actual risk&lt;/a&gt; for your organization. 
Tenable One additionally factors other criteria into its prioritization engine, including reachability (is this asset actually exposed through the network topology?), identity context (what permissions does a compromised asset inherit? does it create a path to domain admin?), business criticality (is this a revenue-generating system or a development sandbox?), and attack path analysis. Answering those questions requires cross-domain telemetry at a scale and specificity that no external model possesses and that only Tenable One can provide.&lt;/p&gt;&lt;p&gt;Finally, more vulnerabilities means more to patch, even as your patching constraints remain the same: you still have to sort through compatibility dependencies and business continuity requirements, among other things. Tenable One gives you the speed, scale, automation, and control to manage your entire update lifecycle. You can deploy &lt;a href="https://www.tenable.com/products/patch-management"&gt;autonomous patching&lt;/a&gt; across &lt;a href="https://docs.tenable.com/release-notes/Content/patch-management/2025.htm"&gt;20,000+ products and 250,000+&lt;/a&gt; unique patches spanning Windows, Linux, and macOS while using customizable controls to test patches and prevent deployment of problematic updates.&amp;nbsp;&lt;/p&gt;&lt;p&gt;And our newly announced agentic AI engine, &lt;a href="https://www.tenable.com/blog/hexa-ai-agentic-ai-for-exposure-management"&gt;Tenable Hexa AI&lt;/a&gt;, will automate asset discovery, tagging, triage, prioritization, and remediation workflows so that your organization can keep pace as vulnerability discovery escalates.&amp;nbsp;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;2 - “Prepare for much higher vulnerability volume.” &lt;/strong&gt;Tenable has a proven track record when it comes to developing and releasing &lt;a href="https://www.tenable.com/plugins"&gt;plugins&lt;/a&gt; to identify new vulnerabilities. 
We deliver over 100 new plugins each week and, because we use AI to accelerate the speed and scale of plugin development, in general, we can deliver fully automated plugin coverage within &lt;a href="https://docs.tenable.com/pdfs/tenable-vulnerability-coverage-timelines.pdf"&gt;12 to 24 hours&lt;/a&gt;.&amp;nbsp;&lt;/p&gt;&lt;p&gt;When a plugin assesses whether a server is missing a specific patch, it returns a clear, binary, deterministic answer (yes or no) with six-sigma accuracy (0.32 defects per million scans). This precision underpins every downstream decision: whether to open a remediation ticket, whether to take a production system offline, whether to report a finding to an auditor, whether to trigger a staged patch deployment.&lt;/p&gt;&lt;p&gt;In contrast, frontier AI models are probabilistic by design. &lt;a href="https://www-cdn.anthropic.com/3edfc1a7f947aa81841cf88305cb513f184c36ae.pdf"&gt;Anthropic's own documentation&lt;/a&gt; for Mythos reveals the model occasionally attempts to conceal its methods, circumvent sandboxes, and produce inconsistent outputs. Running the same prompt twice can yield different results. For code-level security research, this variability is tolerable — a human researcher reviews and validates findings. But for operational vulnerability management at enterprise scale, where tens of thousands of assets are assessed continuously and findings flow directly into compliance reporting and remediation workflows, probabilistic output is not acceptable.&lt;/p&gt;&lt;p&gt;Compliance frameworks like SOC 2, FedRAMP, PCI-DSS, HIPAA, and FISMA require reproducible, auditable assessment results. Cyber insurance underwriters require them. Board-level risk reporting requires them.&amp;nbsp;&lt;/p&gt;&lt;p&gt;The deterministic scanning foundation that Tenable has built over 24 years — with more than 318,000 &lt;a href="https://www.tenable.com/plugins"&gt;plugins&lt;/a&gt; — is not a legacy artifact. 
It’s a structural requirement of the market Tenable serves.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;3 - “Reduce and inventory what you expose.” &lt;/strong&gt;Tenable One sensors — scanners, endpoint agents, passive network monitors, web application scanners, OT-specific sensors, identity directory connectors, and cloud API integrations — are designed to discover every asset across live enterprise environments and deterministically assess whether deployed systems are vulnerable. The Tenable One platform then prioritizes exposures based on runtime exploitability context, orchestrates staged remediation, and validates that fixes are closed. Tenable's sensors continuously discover assets across environments that are heterogeneous, distributed, and often air-gapped. We can even assess your shadow AI footprint. A model cannot discover what it cannot reach.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;4 - “Design for breach.” &lt;/strong&gt;The attack path analysis capabilities of Tenable One provide visibility into how threat actors chain together vulnerabilities, misconfigurations, and excessive permissions to reach your critical assets. This attack path mapping enables you to proactively close those gaps and preemptively disrupt the attacker’s journey.&amp;nbsp;&lt;/p&gt;&lt;p&gt;Tenable One can also help you implement zero trust by mapping assets and identities across your environment, showing how they’re connected, and where trust boundaries are. It also adds governance for your fastest growing risk surface: AI agents with admin-level access.&amp;nbsp;&lt;/p&gt;&lt;h2&gt;Navigating the new era of AI-driven risk&lt;/h2&gt;&lt;p&gt;The arrival of Claude Mythos marks a fundamental shift in the cyber landscape, where the speed of vulnerability discovery is now measured in minutes rather than months. 
While this “mythic” new model provides attackers with an unprecedented ability to find and chain exploits, it also serves as a catalyst for organizations to modernize their defense.&lt;/p&gt;&lt;p&gt;To stay ahead, security leaders must move beyond traditional methods and embrace exposure management. By integrating the deterministic precision of Tenable One with the automated power of Tenable Hexa AI, your organization will be able to transform its security operations into an agentic, preemptive force capable of moving at machine speed.&lt;/p&gt;&lt;p&gt;Don't let the coming flood of AI-generated vulnerabilities overwhelm your team. By focusing on intelligent prioritization, closing your patch gaps, and gaining full visibility into your attack paths, you can confidently answer your board’s toughest questions and build a truly “Mythos-ready” security program.&lt;/p&gt;&lt;p&gt;&lt;em&gt;Forward-Looking Statements&lt;/em&gt;&lt;/p&gt;&lt;p&gt;This blog post contains "forward-looking statements" within the meaning of the federal securities laws, including statements regarding the potential impact of LLMs like Mythos on the cybersecurity landscape and our expectations for the future of Exposure Management. These statements involve risks and uncertainties that could cause actual results to differ materially, including the risks and uncertainties described in our most recent Annual Report on Form 10-K and other SEC filings from time to time. All forward-looking statements in this blog post are based on information available to Tenable as of the date of this post. 
Tenable assumes no obligation to update any forward-looking statements contained in this post.&lt;/p&gt;&lt;h2&gt;Learn more&lt;/h2&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="https://www.tenable.com/cybersecurity-guide/learn/what-is-exposure-management"&gt;What is Exposure Management&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="https://www.tenable.com/cybersecurity-guide/learn/attack-path-analysis-apa"&gt;Attack Path Analysis&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="https://www.tenable.com/products/attack-surface-management"&gt;Attack Surface Management&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="https://www.tenable.com/products/patch-management"&gt;Tenable Patch Management&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="https://www.tenable.com/cybersecurity-guide/learn/what-is-cyber-hygiene"&gt;Cyber Hygiene Best Practices&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;
&lt;img src="https://www.tenable.com/sites/default/files/images/articles/Claude%20Mythos%20Prepare%20for%20your%20board%E2%80%99s%20cybersecurity%20questions%20about%20the%20latest%20AI%20model%20from%20Anthropic.png"&gt;
</description>
  <pubDate>Tue, 14 Apr 2026 16:45:00 -0400</pubDate>
    <dc:creator>Vlad Korsunsky</dc:creator>
    <guid isPermaLink="true">https://www.tenable.com/210842</guid>
    </item>
<item>
  <title>Microsoft’s April 2026 Patch Tuesday Addresses 163 CVEs (CVE-2026-32201)</title>
  <link>https://www.tenable.com/blog/microsofts-april-2026-patch-tuesday-addresses-163-cves-cve-2026-32201</link>
  <description>&lt;ol class="blog-severity-badges"&gt;&lt;li class="blog-severity-badges critical"&gt;&lt;span class="number"&gt;8&lt;/span&gt;Critical&lt;/li&gt;&lt;li class="blog-severity-badges important"&gt;&lt;span class="number"&gt;154&lt;/span&gt;Important&lt;/li&gt;&lt;li class="blog-severity-badges moderate"&gt;&lt;span class="number"&gt;1&lt;/span&gt;Moderate&lt;/li&gt;&lt;li class="blog-severity-badges low"&gt;&lt;span class="number"&gt;0&lt;/span&gt;Low&lt;/li&gt;&lt;/ol&gt;&lt;p&gt;&lt;strong&gt;Microsoft addresses 163 CVEs in the April 2026 Patch Tuesday release, including two zero-day vulnerabilities, one of which was exploited in the wild.&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;Microsoft patched 163 CVEs in its April 2026 Patch Tuesday release, with eight rated critical, 154 rated as important and one rated as moderate. This is the second largest Patch Tuesday release, nearing the record set by the &lt;a href="https://www.tenable.com/blog/microsofts-october-2025-patch-tuesday-addresses-167-cves-cve-2025-24990-cve-2025-59230"&gt;&lt;u&gt;October 2025 Patch Tuesday&lt;/u&gt;&lt;/a&gt; release with 167 CVEs. Our counts omitted two non-Microsoft CVEs from this month's release.&lt;/p&gt;&lt;img src="https://www.tenable.com/sites/default/files/images/blog/41805b11-7caa-4629-bf58-c333f06c0b6d.png" alt="A pie chart showing the severity distribution across the Patch Tuesday CVEs patched in April 2026." 
width="865" height="473" referrerpolicy="no-referrer" loading="lazy"&gt;&lt;p&gt;This month’s update includes patches for:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;.NET&lt;/li&gt;&lt;li&gt;.NET and Visual Studio&lt;/li&gt;&lt;li&gt;.NET Framework&lt;/li&gt;&lt;li&gt;.NET,.NET Framework, Visual Studio&lt;/li&gt;&lt;li&gt;Applocker Filter Driver (applockerfltr.sys)&lt;/li&gt;&lt;li&gt;Azure Logic Apps&lt;/li&gt;&lt;li&gt;Azure Monitor Agent&lt;/li&gt;&lt;li&gt;Desktop Window Manager&lt;/li&gt;&lt;li&gt;Function Discovery Service (fdwsd.dll)&lt;/li&gt;&lt;li&gt;GitHub Copilot and Visual Studio Code&lt;/li&gt;&lt;li&gt;Microsoft Brokering File System&lt;/li&gt;&lt;li&gt;Microsoft Defender&lt;/li&gt;&lt;li&gt;Microsoft Dynamics 365 (on-premises)&lt;/li&gt;&lt;li&gt;Microsoft Edge (Chromium-based)&lt;/li&gt;&lt;li&gt;Microsoft Graphics Component&lt;/li&gt;&lt;li&gt;Microsoft High Performance Compute Pack (HPC)&lt;/li&gt;&lt;li&gt;Microsoft Management Console&lt;/li&gt;&lt;li&gt;Microsoft Office&lt;/li&gt;&lt;li&gt;Microsoft Office Excel&lt;/li&gt;&lt;li&gt;Microsoft Office PowerPoint&lt;/li&gt;&lt;li&gt;Microsoft Office SharePoint&lt;/li&gt;&lt;li&gt;Microsoft Office Word&lt;/li&gt;&lt;li&gt;Microsoft Power Apps&lt;/li&gt;&lt;li&gt;Microsoft PowerShell&lt;/li&gt;&lt;li&gt;Microsoft Windows&lt;/li&gt;&lt;li&gt;Microsoft Windows Search Component&lt;/li&gt;&lt;li&gt;Microsoft Windows Speech&lt;/li&gt;&lt;li&gt;Remote Desktop Client&lt;/li&gt;&lt;li&gt;Role: Windows Hyper-V&lt;/li&gt;&lt;li&gt;SQL Server&lt;/li&gt;&lt;li&gt;Universal Plug and Play (upnp.dll)&lt;/li&gt;&lt;li&gt;Windows Active Directory&lt;/li&gt;&lt;li&gt;Windows Admin Center&lt;/li&gt;&lt;li&gt;Windows Advanced Rasterization Platform&lt;/li&gt;&lt;li&gt;Windows Ancillary Function Driver for WinSock&lt;/li&gt;&lt;li&gt;Windows Biometric Service&lt;/li&gt;&lt;li&gt;Windows BitLocker&lt;/li&gt;&lt;li&gt;Windows Boot Loader&lt;/li&gt;&lt;li&gt;Windows Boot Manager&lt;/li&gt;&lt;li&gt;Windows Client Side Caching driver 
(csc.sys)&lt;/li&gt;&lt;li&gt;Windows Cloud Files Mini Filter Driver&lt;/li&gt;&lt;li&gt;Windows COM&lt;/li&gt;&lt;li&gt;Windows Common Log File System Driver&lt;/li&gt;&lt;li&gt;Windows Container Isolation FS Filter Driver&lt;/li&gt;&lt;li&gt;Windows Cryptographic Services&lt;/li&gt;&lt;li&gt;Windows Encrypting File System (EFS)&lt;/li&gt;&lt;li&gt;Windows File Explorer&lt;/li&gt;&lt;li&gt;Windows GDI&lt;/li&gt;&lt;li&gt;Windows Hello&lt;/li&gt;&lt;li&gt;Windows HTTP.sys&lt;/li&gt;&lt;li&gt;Windows IKE Extension&lt;/li&gt;&lt;li&gt;Windows Installer&lt;/li&gt;&lt;li&gt;Windows Kerberos&lt;/li&gt;&lt;li&gt;Windows Kernel&lt;/li&gt;&lt;li&gt;Windows Kernel Memory&lt;/li&gt;&lt;li&gt;Windows Local Security Authority Subsystem Service (LSASS)&lt;/li&gt;&lt;li&gt;Windows LUAFV&lt;/li&gt;&lt;li&gt;Windows Management Services&lt;/li&gt;&lt;li&gt;Windows OLE&lt;/li&gt;&lt;li&gt;Windows Print Spooler Components&lt;/li&gt;&lt;li&gt;Windows Projected File System&lt;/li&gt;&lt;li&gt;Windows Push Notifications&lt;/li&gt;&lt;li&gt;Windows Recovery Environment Agent&lt;/li&gt;&lt;li&gt;Windows Redirected Drive Buffering&lt;/li&gt;&lt;li&gt;Windows Remote Desktop&lt;/li&gt;&lt;li&gt;Windows Remote Desktop Licensing Service&lt;/li&gt;&lt;li&gt;Windows Remote Procedure Call&lt;/li&gt;&lt;li&gt;Windows RPC API&lt;/li&gt;&lt;li&gt;Windows Sensor Data Service&lt;/li&gt;&lt;li&gt;Windows Server Update Service&lt;/li&gt;&lt;li&gt;Windows Shell&lt;/li&gt;&lt;li&gt;Windows Snipping Tool&lt;/li&gt;&lt;li&gt;Windows Speech Brokered Api&lt;/li&gt;&lt;li&gt;Windows SSDP Service&lt;/li&gt;&lt;li&gt;Windows Storage Spaces Controller&lt;/li&gt;&lt;li&gt;Windows TCP/IP&lt;/li&gt;&lt;li&gt;Windows TDI Translation Driver (tdx.sys)&lt;/li&gt;&lt;li&gt;Windows Universal Plug and Play (UPnP) Device Host&lt;/li&gt;&lt;li&gt;Windows USB Print Driver&lt;/li&gt;&lt;li&gt;Windows User Interface Core&lt;/li&gt;&lt;li&gt;Windows Virtualization-Based Security (VBS) Enclave&lt;/li&gt;&lt;li&gt;Windows 
WalletService&lt;/li&gt;&lt;li&gt;Windows WFP NDIS Lightweight Filter Driver (wfplwfs.sys)&lt;/li&gt;&lt;li&gt;Windows Win32K - GRFX&lt;/li&gt;&lt;li&gt;Windows Win32K - ICOMP&lt;/li&gt;&lt;/ul&gt;&lt;img src="https://www.tenable.com/sites/default/files/images/blog/f1dd60cc-11fd-43d9-8bee-5e821e1ba425.png" alt="A bar chart showing the count by impact of CVEs patched in the April 2026 Patch Tuesday release." width="833" height="419" referrerpolicy="no-referrer" loading="lazy"&gt;&lt;p&gt;Elevation of privilege (EoP) vulnerabilities accounted for 57.1% of the vulnerabilities patched this month, followed by information disclosure vulnerabilities and remote code execution (RCE) vulnerabilities at 12.3% each.&lt;/p&gt;&lt;div class="blog-severity-alert"&gt;&lt;div class="col-sm-2 nopad"&gt;&lt;div class="blog-severity-badge important"&gt;Important&lt;/div&gt;&lt;/div&gt;&lt;div class="col-sm-10"&gt;&lt;h2&gt;CVE-2026-20945 and CVE-2026-32201 | Microsoft SharePoint Server Spoofing Vulnerability&lt;/h2&gt;&lt;/div&gt;&lt;div class="col-sm-12"&gt;&lt;p&gt;&lt;a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-20945"&gt;&lt;u&gt;CVE-2026-20945&lt;/u&gt;&lt;/a&gt; and &lt;a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-32201"&gt;&lt;u&gt;CVE-2026-32201&lt;/u&gt;&lt;/a&gt; are spoofing vulnerabilities affecting Microsoft SharePoint. CVE-2026-20945 received a CVSSv3 score of 4.6, while CVE-2026-32201 received a score of 6.5. According to Microsoft, CVE-2026-32201 was exploited in the wild as a zero-day. 
Microsoft has released updates for SharePoint 2016, 2019 and SharePoint Server Subscription Edition to address these flaws.&lt;/p&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blog-severity-alert"&gt;&lt;div class="col-sm-2 nopad"&gt;&lt;div class="blog-severity-badge important"&gt;Important&lt;/div&gt;&lt;/div&gt;&lt;div class="col-sm-10"&gt;&lt;h2&gt;CVE-2026-33825 | Microsoft Defender Elevation of Privilege Vulnerability&lt;/h2&gt;&lt;/div&gt;&lt;div class="col-sm-12"&gt;&lt;p&gt;&lt;a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-33825"&gt;&lt;u&gt;CVE-2026-33825&lt;/u&gt;&lt;/a&gt; is an EoP vulnerability in Microsoft Defender. It received a CVSSv3 score of 7.8 and was rated important. According to Microsoft, this flaw was publicly disclosed prior to a patch being made available. While Microsoft’s advisory made no mention of public exploit code, the description appears to match a zero-day exploit, known as BlueHammer, with code posted to GitHub on April 3rd. A researcher using the alias "Chaotic Eclipse" released the exploit and expressed concern about Microsoft’s handling of the vulnerability disclosure process.&lt;/p&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blog-severity-alert"&gt;&lt;div class="col-sm-2 nopad"&gt;&lt;div class="blog-severity-badge critical"&gt;Critical&lt;/div&gt;&lt;/div&gt;&lt;div class="col-sm-10"&gt;&lt;h2&gt;CVE-2026-33826 | Windows Active Directory Remote Code Execution Vulnerability&lt;/h2&gt;&lt;/div&gt;&lt;div class="col-sm-12"&gt;&lt;p&gt;&lt;a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-33826"&gt;&lt;u&gt;CVE-2026-33826&lt;/u&gt;&lt;/a&gt; is an RCE vulnerability affecting Windows Active Directory. It received a CVSSv3 score of 8, was rated as critical and was assessed as “Exploitation More Likely” according to &lt;a href="https://www.microsoft.com/en-us/msrc/exploitability-index"&gt;&lt;u&gt;Microsoft’s Exploitability Index&lt;/u&gt;&lt;/a&gt;. 
Successful exploitation requires an authenticated attacker to send a specially crafted RPC call to a vulnerable RPC host, resulting in code execution with the same permissions as the RPC host. Despite the exploitation assessment and severity, the Microsoft advisory does note that an attacker would need to be in the “same restricted Active Directory domain as the target system” in order to exploit this flaw.&lt;/p&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blog-severity-alert"&gt;&lt;div class="col-sm-2 nopad"&gt;&lt;div class="blog-severity-badge critical"&gt;Critical&lt;/div&gt;&lt;/div&gt;&lt;div class="col-sm-10"&gt;&lt;h2&gt;CVE-2026-33824 | Windows Internet Key Exchange (IKE) Service Extensions Remote Code Execution Vulnerability&lt;/h2&gt;&lt;/div&gt;&lt;div class="col-sm-12"&gt;&lt;p&gt;&lt;a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-33824"&gt;&lt;u&gt;CVE-2026-33824&lt;/u&gt;&lt;/a&gt; is an RCE vulnerability affecting Windows Internet Key Exchange (IKE) Service Extensions. It received a CVSSv3 score of 9.8 and was rated as critical. This vulnerability can be exploited by an unauthenticated attacker by sending crafted packets to a target with IKE version 2 enabled. Microsoft’s advisory includes some mitigations that can be applied in the event immediate patching cannot be performed. These include firewall rules for UDP ports 500 and 4500.&lt;/p&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blog-severity-alert"&gt;&lt;div class="col-sm-2 nopad"&gt;&lt;div class="blog-severity-badge important"&gt;Important&lt;/div&gt;&lt;/div&gt;&lt;div class="col-sm-10"&gt;&lt;h2&gt;CVE-2026-27913 | Windows BitLocker Security Feature Bypass Vulnerability&lt;/h2&gt;&lt;/div&gt;&lt;div class="col-sm-12"&gt;&lt;p&gt;&lt;a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-27913"&gt;&lt;u&gt;CVE-2026-27913&lt;/u&gt;&lt;/a&gt; is a security feature bypass vulnerability affecting Windows BitLocker. 
It received a CVSSv3 score of 7.7 and was rated as important. Successful exploitation could allow an attacker to bypass Secure Boot, a UEFI firmware security feature used to ensure that only trusted and properly signed software runs during the startup process. While there’s no known exploitation of this vulnerability as of the time this blog was published, Microsoft assesses this vulnerability as “Exploitation More Likely.”&lt;/p&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blog-severity-alert"&gt;&lt;div class="col-sm-2 nopad"&gt;&lt;div class="blog-severity-badge important"&gt;Important&lt;/div&gt;&lt;/div&gt;&lt;div class="col-sm-10"&gt;&lt;h2&gt;CVE-2026-26151 | Remote Desktop Spoofing Vulnerability&lt;/h2&gt;&lt;/div&gt;&lt;div class="col-sm-12"&gt;&lt;p&gt;&lt;a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-26151"&gt;&lt;u&gt;CVE-2026-26151&lt;/u&gt;&lt;/a&gt; is a spoofing vulnerability in Remote Desktop. It was assigned a CVSSv3 score of 7.1 and rated important. Microsoft assesses this vulnerability as “Exploitation More Likely.” An attacker could exploit this vulnerability by convincing a target to open a crafted file. This vulnerability was credited to the United Kingdom's National Cyber Security Centre (NCSC).&lt;/p&gt;&lt;p&gt;Previously, users would not receive any warning when attempting to open a Remote Desktop Protocol (RDP) file. However, starting with the April 2026 Security Update, users will now receive warning dialogs when interacting with potentially malicious RDP files. 
For more information, visit &lt;a href="https://go.microsoft.com/fwlink/?linkid=2347342"&gt;&lt;u&gt;this link&lt;/u&gt;&lt;/a&gt;.&lt;/p&gt;&lt;/div&gt;&lt;/div&gt;&lt;h2&gt;Tenable Solutions&lt;/h2&gt;&lt;p&gt;A list of all the plugins released for Microsoft’s April 2026 Patch Tuesday update can be found &lt;a href="https://www.tenable.com/plugins/search?q=%22April+2026%22+AND+script_family%3A%28%22Windows+%3A+Microsoft+Bulletins%22+OR+%22Windows+%3A+User+management%22%29&amp;amp;sort=&amp;amp;page=1"&gt;&lt;u&gt;here&lt;/u&gt;&lt;/a&gt;. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.&lt;/p&gt;&lt;p&gt;For more specific guidance on best practices for vulnerability assessments, please refer to our blog post on &lt;a href="http://www.tenable.com/blog/how-to-perform-efficient-vulnerability-assessments-with-tenable"&gt;&lt;u&gt;How to Perform Efficient Vulnerability Assessments with Tenable&lt;/u&gt;&lt;/a&gt;.&lt;/p&gt;&lt;h2&gt;Get more information&lt;/h2&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="https://msrc.microsoft.com/update-guide/en-us/releaseNote/2026-Apr"&gt;&lt;u&gt;Microsoft's April 2026 Security Updates&lt;/u&gt;&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="https://www.tenable.com/plugins/search?q=%22April+2026%22+AND+script_family%3A%28%22Windows+%3A+Microsoft+Bulletins%22+OR+%22Windows+%3A+User+management%22%29&amp;amp;sort=&amp;amp;page=1"&gt;&lt;u&gt;Tenable plugins for Microsoft April 2026 Patch Tuesday Security Updates&lt;/u&gt;&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;em&gt;&lt;strong&gt;Join &lt;/strong&gt;&lt;/em&gt;&lt;a href="https://connect.tenable.com/category/news-you-need/discussions/vulnerability-watch"&gt;&lt;em&gt;&lt;strong&gt;&lt;u&gt;Tenable's Research Special Operations (RSO) Team&lt;/u&gt;&lt;/strong&gt;&lt;/em&gt;&lt;/a&gt;&lt;em&gt;&lt;strong&gt; on Tenable Connect for further discussions on the latest cyber 
threats.&lt;/strong&gt;&lt;/em&gt;&lt;/p&gt;&lt;p&gt;&lt;em&gt;&lt;strong&gt;Learn more about &lt;/strong&gt;&lt;/em&gt;&lt;a href="https://www.tenable.com/products/tenable-one"&gt;&lt;em&gt;&lt;strong&gt;&lt;u&gt;Tenable One&lt;/u&gt;&lt;/strong&gt;&lt;/em&gt;&lt;/a&gt;&lt;em&gt;&lt;strong&gt;, the Exposure Management Platform for the modern attack surface.&lt;/strong&gt;&lt;/em&gt;&lt;/p&gt;
&lt;img src="https://www.tenable.com/sites/default/files/images/articles/microsoft-patch-tuesday-april-2026.png"&gt;
</description>
  <pubDate>Tue, 14 Apr 2026 13:52:08 -0400</pubDate>
    <dc:creator>Research Special Operations</dc:creator>
    <guid isPermaLink="true">https://www.tenable.com/210840</guid>
    </item>
<item>
  <title>Crushing the Axios supply chain threat with Tenable Hexa AI: Use cases for agentic AI</title>
  <link>https://www.tenable.com/blog/crushing-axios-supply-chain-threat-tenable-hexa-ai-agentic-ai-use-cases</link>
  <description>&lt;p&gt;See how you can use Tenable Hexa AI to determine in minutes if you’re impacted by the Axios npm supply chain attack. Learn how easy it is to automate configuration of scans, identify impacted assets, prioritize remediation, and more using agentic AI from Tenable.&lt;/p&gt;&lt;div class="blog-see-also"&gt;&lt;div class="col-sm-12"&gt;&lt;h2&gt;&lt;strong&gt;Key takeaways:&amp;nbsp;&lt;/strong&gt;&lt;/h2&gt;&lt;ol&gt;&lt;li&gt;Tenable Hexa AI, the agentic engine of the &lt;a href="https://www.tenable.com/products/tenable-one" target="_blank"&gt;Tenable One Exposure Management Platform&lt;/a&gt;, can tell you in minutes if your organization is running compromised versions of the Axios npm package following a recent discovery of a supply chain attack.&lt;br&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;Tenable Hexa AI configures and launches scans; tags affected assets by severity, owner, or business unit to scope the blast radius of the threat; and automates remediation scans to verify remediation effectiveness.&lt;br&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;The workflow that Tenable Hexa AI automates (targeted scan, tag, remediate, verify) applies to any emerging threat, whether the discovery of a new CVE, zero-day vulnerability, or supply chain compromise.&lt;br&gt;&amp;nbsp;&lt;/li&gt;&lt;/ol&gt;&lt;/div&gt;&lt;/div&gt;&lt;p&gt;When a highly utilized code package like the &lt;a href="https://www.tenable.com/blog/faq-about-the-axios-npm-supply-chain-attack-by-north-korea-nexus-threat-actor-unc1069" target="_blank"&gt;Axios npm package&lt;/a&gt; is compromised in a supply chain attack, news of the compromise often sets off a mad scramble for security teams. Responding to the discovery can take days, and typically involves manually configuring different assessments to identify if vulnerable versions of the software are present in your environment, and if so, which assets are affected by them. 
Then, of course, you have to implement recommended remediations, which in the case of the Axios npm supply chain attack include:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Downgrade to safe versions: axios@1.14.0 or axios@0.30.3&lt;/li&gt;&lt;li&gt;Remove the phantom dependency: node_modules/plain-crypto-js/&lt;/li&gt;&lt;li&gt;Block C2 traffic to sfrclak[.]com and 142.11.206.73&lt;/li&gt;&lt;li&gt;Treat affected systems as fully compromised: rotate all secrets and credentials, rebuild from clean snapshots&lt;/li&gt;&lt;li&gt;Audit CI/CD pipelines: ephemeral runners require secret rotation; self-hosted runners are treated as fully compromised&lt;/li&gt;&lt;li&gt;Search for file artifacts: /Library/Caches/com.apple.act.mond (macOS), %PROGRAMDATA%\wt.exe (Windows), /tmp/ld.py (Linux).&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;Even if you can respond and remediate within hours, it’s still not fast enough for AI-assisted threat actors. These days, we need to answer three critical questions in minutes:&amp;nbsp;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Are we exposed?&lt;/li&gt;&lt;li&gt;Where are we exposed?&lt;/li&gt;&lt;li&gt;How quickly can we mitigate the threat?&amp;nbsp;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;In the first of a series of blogs on use cases for the Tenable Hexa AI agentic engine, we show you how &lt;a href="https://www.tenable.com/blog/hexa-ai-agentic-ai-for-exposure-management" target="_blank"&gt;Tenable Hexa AI&lt;/a&gt; accelerates this exact workflow to reduce your window of risk.&lt;/p&gt;&lt;h2&gt;Using Tenable Hexa AI to discover the Axios threat and answer “Are we exposed?”&lt;/h2&gt;&lt;p&gt;&lt;br&gt;&lt;img class="vidyard-player-embed" src="https://play.vidyard.com/fUYTm82QtWQ78DtAGbr6VZ.jpg" width="100%" height="100%" data-uuid="fUYTm82QtWQ78DtAGbr6VZ" data-v="4" data-type="inline" alt="Using Tenable Hexa AI agentic AI to determine if malicious versions of Axios npm package compromised in supply chain attack are in your environment" loading="lazy"&gt;&lt;/p&gt;&lt;p&gt;When 
researchers discover a new zero-day or supply chain compromise, the first question on security teams’ minds isn’t “How do we fix it?” It’s “Are we affected?” Answering that question shouldn’t be difficult, and with Tenable Hexa AI, it couldn’t be simpler.&amp;nbsp;&lt;/p&gt;&lt;p&gt;Open Tenable Hexa AI and type something like, “Show me all assets in my environment vulnerable to the Axios Supply Chain vulnerability.”&lt;/p&gt;&lt;p&gt;Tenable Hexa AI then queries the Tenable One Exposure Data Fabric, the data already collected from your existing scans, agents, and integrations. Within seconds, Tenable Hexa AI produces a clear picture of which assets are running the compromised Axios versions, where they sit in your network, and how critical they are to your business.&amp;nbsp;&lt;/p&gt;&lt;p&gt;No query language. No console-hopping. No waiting for a new scan to finish. Just ask the question and get the answer.&amp;nbsp;&lt;/p&gt;&lt;h2&gt;Using Tenable Hexa AI to scope the blast radius with asset tagging&lt;/h2&gt;&lt;p&gt;&lt;br&gt;&lt;img class="vidyard-player-embed" src="https://play.vidyard.com/2y33wTZRU682C1t2HHpDj5.jpg" width="100%" height="100%" data-uuid="2y33wTZRU682C1t2HHpDj5" data-v="4" data-type="inline" alt="Using Tenable Hexa AI agentic AI to identify malicious versions of Axios compromised in supply chain attack in your environment" loading="lazy"&gt;&lt;/p&gt;&lt;p&gt;Now you know which assets are affected, but a flat list isn’t a response plan; it’s a starting point. The next step is to scope the blast radius and organize it for action. With Tenable Hexa AI, this is as simple as telling Tenable Hexa AI to “Tag this with the category Supply Chain and value Axios.”&amp;nbsp;&lt;/p&gt;&lt;p&gt;Tenable Hexa AI then bulk-applies the tag across every asset in one action. 
And just like that, you’ve turned a raw discovery into a structured, queryable incident surface.&amp;nbsp;&lt;/p&gt;&lt;p&gt;This matters because tagging is the bridge between exposure discovery and remediation by the right team. Once assets are tagged, you can slice them by business unit or owner to route remediation work. You can feed tagged assets into dashboards for executive visibility, and critically, the tag preserves a snapshot of the blast radius as the environment changes.&amp;nbsp;&lt;/p&gt;&lt;h2&gt;Why this capability matters beyond Axios&lt;/h2&gt;&lt;p&gt;Supply chain attacks have seen a staggering increase in recent years, with the &lt;a href="https://www.sonatype.com/state-of-the-software-supply-chain/2024/introduction" target="_blank"&gt;Sonatype 2024 State of the Software Supply Chain report&lt;/a&gt; showing a 156% year-over-year surge in attacks targeting upstream repositories like npm and PyPI. So the question isn’t &lt;em&gt;if&lt;/em&gt; another package will be poisoned, but &lt;em&gt;how much of your weekend it will consume when it happens&lt;/em&gt;.&lt;/p&gt;&lt;p&gt;What we’ve shown here with the Axios response (i.e., scope, discover, prioritize) is more than just a fix for one npm package. It represents a fundamental shift in how security teams handle emergency response.&amp;nbsp;&lt;/p&gt;&lt;p&gt;By using Tenable Hexa AI, you are building agentic and operational muscle memory. You can deploy the exact same conversational workflow you used to hunt for malicious versions of Axios the moment the next Log4j, XZ Utils, or MOVEit-style vulnerability hits the news.&lt;/p&gt;&lt;p&gt;Tenable Hexa AI transforms high-pressure fire drills like the discovery of the Axios npm supply chain attack into a structured, repeatable, and sane workflow.
Instead of writing custom scripts or manually configuring policies under duress, you simply tell Tenable Hexa AI what to do, and the agentic engine handles the grunt work for you.&amp;nbsp;&lt;/p&gt;&lt;h2&gt;Use cases for agentic AI: Additional ways to use Tenable Hexa AI&amp;nbsp;&lt;/h2&gt;&lt;p&gt;Stay tuned for more use cases demonstrating the agentic power of Tenable Hexa AI. Here’s what’s coming next:&amp;nbsp;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Using Tenable Hexa AI to target remediation scans at tagged assets, schedule post-patch verification, and compare before/after results to confirm the threat is neutralized&lt;/li&gt;&lt;li&gt;Using Tenable Hexa AI to automate the creation of risk dashboards and report on security KPIs&lt;/li&gt;&lt;li&gt;Using Tenable Hexa AI to map vulnerabilities to asset owners (via Okta, CMDB, or custom mappings) and automatically notify the right teams.&lt;/li&gt;&lt;li&gt;Using Tenable Hexa AI to trigger patching workflows and network isolation for compromised assets&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;Tenable Hexa AI is currently in private preview for select Tenable One customers. Contact your Tenable Account Team to join the private preview program.&lt;/p&gt;&lt;p&gt;&lt;em&gt;Want to learn more? &lt;/em&gt;&lt;a href="https://tenable.com/data-sheets/tenable-hexa-ai-the-agentic-engine-for-tenable-one-exposure-management" target="_blank"&gt;&lt;em&gt;Download the Tenable Hexa AI data sheet&lt;/em&gt;&lt;/a&gt;&lt;em&gt; to get the full technical breakdown of our agentic capabilities.&lt;/em&gt;&lt;/p&gt;
&lt;img src="https://www.tenable.com/sites/default/files/images/articles/AdobeStock_321371261_0.jpeg"&gt;
</description>
  <pubDate>Fri, 10 Apr 2026 08:10:00 -0400</pubDate>
    <dc:creator>James Davies</dc:creator>
    <guid isPermaLink="true">https://www.tenable.com/210836</guid>
    </item>
<item>
  <title>What to Know About CyberAv3ngers: The IRGC-Linked Group Targeting Critical Infrastructure</title>
  <link>https://www.tenable.com/blog/what-to-know-about-cyberav3ngers-the-irgc-linked-group-targeting-critical-infrastructure</link>
  <description>&lt;p&gt;An Iran-affiliated threat group has evolved from defacing water utility displays to deploying custom ICS malware and exploiting Rockwell Automation PLCs across multiple U.S. critical infrastructure sectors.&lt;/p&gt;&lt;div class="blog-see-also"&gt;&lt;h2&gt;Key takeaways:&lt;/h2&gt;&lt;ol&gt;&lt;li&gt;CyberAv3ngers is a state-directed threat group operating under Iran's IRGC Cyber-Electronic Command. The U.S. Treasury sanctioned six named officials in February 2024 and the State Department has offered a $10 million bounty for information on the group's activities.&lt;br&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;The group has escalated from exploiting default credentials on Israeli-made PLCs (2023) to deploying a custom ICS malware platform called IOCONTROL (2024) to actively exploiting CVE-2021-22681, a critical authentication bypass in Rockwell Automation controllers, across U.S. water, energy, and government facilities (2026). There is no vendor patch for this vulnerability; only defense-in-depth mitigations are available.&lt;br&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;A six-agency joint advisory (CISA AA26-097A) issued on April 7, 2026, confirmed operational disruption and financial loss at multiple U.S. organizations. CyberAv3ngers' ICS exploitation techniques have proliferated to an estimated 60+ affiliated groups, meaning the threat persists even if the core group is degraded. Defenders operating internet-exposed PLCs should take immediate action.&lt;/li&gt;&lt;/ol&gt;&lt;/div&gt;&lt;h2&gt;Background&lt;/h2&gt;&lt;p&gt;On April 7, 2026, the FBI, CISA, NSA, EPA, Department of Energy, and U.S. Cyber Command &lt;a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa26-097a"&gt;&lt;u&gt;jointly warned that Iranian-affiliated advanced persistent threat actors are actively exploiting internet-facing programmable logic controllers&lt;/u&gt;&lt;/a&gt; across U.S. critical infrastructure. 
The advisory, designated &lt;a href="https://www.cisa.gov/sites/default/files/2026-04/AA26-097A-Iranian-Affiliated-Cyber-Actors-Exploit-Programmable-Logic-Controllers-Across-US-Critical-Infrastructure_508c.pdf"&gt;&lt;u&gt;AA26-097A&lt;/u&gt;&lt;/a&gt;, confirmed operational disruption and financial loss at multiple victim organizations in the Government Services, Water and Wastewater Systems, and Energy sectors. The authoring agencies linked this activity to the same threat ecosystem behind CyberAv3ngers, a group the U.S. government has formally attributed to Iran's Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC).&lt;/p&gt;&lt;p&gt;CyberAv3ngers is not a new actor, but its capabilities have matured significantly since it first drew international attention in late 2023. This FAQ provides defenders, vulnerability management teams, and security leadership with a comprehensive profile of the group: its history, technical capabilities, targeted sectors, and the specific steps organizations should take to reduce their exposure.&lt;/p&gt;&lt;h2&gt;FAQ&lt;/h2&gt;&lt;h3&gt;Who is CyberAv3ngers?&lt;/h3&gt;&lt;p&gt;CyberAv3ngers is an Iranian state-directed cyber threat group operating as a persona for the IRGC-CEC. The group has been active since at least 2020 and is tracked by the security community under multiple designations, including Storm-0784 (Microsoft), Bauxite (Dragos), Hydro Kitten, UNC5691 (Mandiant), and MITRE ATT&amp;amp;CK ID G1027.&lt;/p&gt;&lt;p&gt;Despite initially presenting itself as a hacktivist collective motivated by anti-Israel ideology, subsequent investigations by CISA, the U.S. Treasury Department, and multiple cybersecurity research organizations established that the group's funding, tooling, and operational sophistication far exceeded typical hacktivist capabilities. 
The group is a state-sponsored actor, not an independent activist collective.&lt;/p&gt;&lt;h3&gt;Who is behind the group?&lt;/h3&gt;&lt;p&gt;In February 2024, the U.S. Treasury Department's Office of Foreign Assets Control (OFAC) &lt;a href="https://home.treasury.gov/news/press-releases/jy2072"&gt;&lt;u&gt;sanctioned six IRGC-CEC officials for directing CyberAv3ngers operations&lt;/u&gt;&lt;/a&gt;: Hamid Reza Lashgarian (head of IRGC-CEC and an IRGC-Qods Force commander), Hamid Homayunfal, Mahdi Lashgarian, Milad Mansuri, Mohammad Amin Saberian, and Mohammad Bagher Shirinkar. The State Department's Rewards for Justice program is currently offering up to $10 million for information on the "Mr. Soul" persona, which the State Department has linked to CyberAv3ngers and which is suspected to be an alias for one of the sanctioned officials.&lt;/p&gt;&lt;p&gt;In December 2025, leaked internal operational records exposed structured spreadsheets tracking domain registrations, European virtual private server hosting, and cryptocurrency payments routed through Bitcoin wallets. These records confirmed direct infrastructure and administrative overlap with the Moses Staff operation, formally connecting what had previously been treated as separate Iranian cyber personas into a single coordinated effort directed by the state.&lt;/p&gt;&lt;p&gt;The group has also demonstrated resilience through serial rebranding. When the "APT IRAN" Telegram channel, widely assessed as a CyberAv3ngers rebrand, was deleted, a new "Cyber4vengers" channel emerged in January 2026 to continue operations. Taking down individual channels and personas has not disrupted the underlying organizational capability.&lt;/p&gt;&lt;h3&gt;Should CyberAv3ngers' public claims be taken at face value?&lt;/h3&gt;&lt;p&gt;No. 
CyberAv3ngers operates a deliberate parallel influence campaign alongside its technical operations, and defenders should evaluate the group's public claims with skepticism.&lt;/p&gt;&lt;p&gt;DomainTools Investigations (DTI) characterized the group's strategy as "engineering beliefs" rather than merely breaching systems. CyberAv3ngers has refined its cyber activity into what DomainTools describes as a propaganda apparatus: each operation becomes a performance calibrated to sow fear and disrupt public trust, recycled data leaks are theatrically repackaged to simulate fresh compromises, and social media personas sustain the perception of threat even during operational pauses.&lt;/p&gt;&lt;p&gt;The October 2023 Dorad power station incident is the clearest example. CyberAv3ngers posted on Telegram claiming to have breached a major Israeli power plant, sharing what appeared to be screenshots of compromised control systems. DomainTools' forensic investigation demonstrated that the images were recycled from a 2022 Moses Staff data leak, cropped and rebranded with CyberAv3ngers logos. No indicators of compromise, malware samples, or valid forensic evidence were released. Despite this, the fabricated claim generated media coverage and threat intelligence discussion.&lt;/p&gt;&lt;p&gt;This dual-track strategy of blending genuine industrial control systems (ICS) operations with fabricated claims is not early-phase immaturity that the group outgrew. It is a standing operational doctrine that persists alongside the group's increasingly sophisticated technical campaigns. When CyberAv3ngers claims a new compromise, organizations should look for corroborating technical evidence before treating the claim as confirmed.&lt;/p&gt;&lt;h3&gt;What does CyberAv3ngers target?&lt;/h3&gt;&lt;p&gt;The group's primary focus is operational technology and ICS in critical infrastructure.
Targeted sectors include:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;Water and wastewater systems&lt;/strong&gt;, the group's most persistent target since 2023, with confirmed compromises at U.S. water utilities and a private water scheme in Ireland&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Energy,&lt;/strong&gt; including fuel management systems (Orpak and Gasboy) and PLC-controlled energy infrastructure&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Government services and facilities,&lt;/strong&gt; including local municipalities targeted in the current 2026 campaign&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Healthcare and food and beverage&lt;/strong&gt; &lt;strong&gt;sectors,&lt;/strong&gt; where Unitronics PLCs were deployed and compromised during the 2023 campaign&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;The targeting logic follows two principles: Israeli-manufactured technology, regardless of where it is deployed, and U.S. critical infrastructure as retaliatory targeting aligned with geopolitical hostilities between the United States and Iran.&lt;/p&gt;&lt;h3&gt;Why do small utilities and municipal operators keep getting hit?&lt;/h3&gt;&lt;p&gt;CyberAv3ngers has repeatedly compromised small water utilities, municipal facilities, and rural energy operators, and the reason is structural, not coincidental.&lt;/p&gt;&lt;p&gt;Many of these organizations manage their operational technology environments with consumer-grade remote access tools such as TeamViewer or AnyDesk, or by exposing PLC management interfaces directly to the public internet. These access methods bypass enterprise security controls entirely, creating an attack surface that is invisible to conventional security monitoring. The compromised Unitronics PLC at the Municipal Water Authority of Aliquippa, Pennsylvania was directly accessible from the internet with default credentials and no security gateway in between.&lt;/p&gt;&lt;p&gt;The problem is compounded by inadequate network segmentation between IT and OT environments. 
When a PLC is reachable from the same network as email servers and employee workstations, the blast radius of any compromise extends well beyond the initial point of entry. A 2024 CISA assessment found over 70% non-compliance with existing safety requirements at U.S. water utilities.&lt;/p&gt;&lt;p&gt;Organizations in these sectors typically lack dedicated OT security staff and operate under constrained budgets that make comprehensive security architecture difficult. The result is a persistent systemic exposure condition: the same type of misconfiguration that CyberAv3ngers exploited in 2023 remains available for the group and the 60+ affiliated hacktivist groups that have adopted its playbook to exploit today.&lt;/p&gt;&lt;h3&gt;How has CyberAv3ngers evolved over time?&lt;/h3&gt;&lt;p&gt;The group's operational history reveals a deliberate capability escalation across four distinct phases.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Phase 1: Propaganda (2020–2022):&lt;/strong&gt; The "Cyber Avengers" persona first appeared in 2020, claiming responsibility for power outages and rail disruptions in Israel. These claims were dismissed by Israeli officials and no supporting evidence was identified. DomainTools Investigations later demonstrated that several of these claims reused imagery from a 2022 Moses Staff data leak, cropped and rebranded to simulate a fresh intrusion.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Phase 2: Default Credential Exploitation (October 2023 – January 2024):&lt;/strong&gt; The group compromised at least 75 Unitronics Vision Series PLCs across the United States, Israel, the United Kingdom, and Ireland by exploiting default passwords on internet-exposed devices. The Municipal Water Authority of Aliquippa, Pennsylvania, was the highest-profile victim. In Ireland, an attack left residents without water for several days. 
CISA, the FBI, NSA, and other agencies &lt;a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a"&gt;&lt;u&gt;issued joint advisory AA23-335A&lt;/u&gt;&lt;/a&gt; documenting the campaign.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Phase 3: Custom ICS Malware (Mid-2024):&lt;/strong&gt; Claroty's Team82 identified and analyzed IOCONTROL, a custom-built Linux malware platform designed for IoT and OT environments. The malware targets routers, PLCs, HMIs, IP cameras, firewalls, and fuel management systems from multiple vendors. IOCONTROL uses the MQTT protocol over TLS for command-and-control communications, a standard IoT protocol that allows traffic to blend with legitimate network activity. Team82 characterized IOCONTROL as a cyberweapon used by a nation-state to attack civilian critical infrastructure. Separately, OpenAI &lt;a href="https://cdn.openai.com/threat-intelligence-reports/influence-and-cyber-operations-an-update_October-2024.pdf"&gt;&lt;u&gt;disclosed in October 2024&lt;/u&gt;&lt;/a&gt; that CyberAv3ngers had used ChatGPT to perform reconnaissance on targets and debug code, indicating the group incorporates commercially available AI tools into its operational workflow.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Phase 4: Authentication Bypass Exploitation (March 2026 – Present):&lt;/strong&gt; The group pivoted to exploiting CVE-2021-22681, a critical authentication bypass vulnerability (CVSS 9.8) in Rockwell Automation Logix controllers. Actors used leased overseas infrastructure with Rockwell's Studio 5000 Logix Designer software to connect to internet-facing PLCs, bypassing authentication to manipulate project files and HMI/SCADA displays. This phase represents a platform shift from Israeli-made Unitronics devices to U.S.-made Rockwell Automation controllers, targeting a more widely deployed industrial platform.&lt;/p&gt;&lt;p&gt;This four-phase arc is not just a historical record; it is a capability escalation trajectory with a predictable direction.
Dragos, which tracks the overlapping threat activity as BAUXITE, assessed in its 2026 OT/ICS Cybersecurity Year in Review that Iranian adversaries are moving beyond pre-positioning to actively mapping control loops and understanding how to manipulate physical processes. CyberAv3ngers' progression from default credentials to custom IoT malware to CVE exploitation against tier-1 ICS platforms tracks this maturation pattern. The group's next capability step is likely to involve additional ICS vendor platforms or deeper process manipulation, not a retreat to simpler techniques.&lt;/p&gt;&lt;h3&gt;What is IOCONTROL?&lt;/h3&gt;&lt;p&gt;IOCONTROL is a custom-built malware platform attributed to CyberAv3ngers by Claroty Team82. It is designed to run on a variety of Linux-based IoT and OT devices due to its modular architecture. Affected device types include IP cameras, routers, PLCs, HMIs, firewalls, and fuel management systems from vendors including D-Link, Hikvision, Baicells, Red Lion, Orpak, Phoenix Contact, Teltonika, and Unitronics.&lt;/p&gt;&lt;p&gt;Key technical characteristics include MQTT over TLS for C2 communications on port 8883, DNS-over-HTTPS to evade network monitoring when resolving C2 domains, AES-256-CBC encrypted configuration data, persistence through a systemd boot script, and capabilities including OS command execution, port scanning, and self-deletion. The malware was previously tracked under the names OrpraCab and QueueCat in 2023 before being identified under the IOCONTROL designation in 2024.&lt;/p&gt;&lt;h3&gt;Has CyberAv3ngers used AI tools?&lt;/h3&gt;&lt;p&gt;Yes. In October 2024, OpenAI published a threat intelligence report disclosing that CyberAv3ngers had used ChatGPT to assist with target reconnaissance and code debugging. 
The group used the platform to research ICS, explore exploitation techniques against specific device types, and troubleshoot code, incorporating a commercially available AI tool into the operational preparation phase of ICS-targeted campaigns.&lt;/p&gt;&lt;p&gt;This is consistent with a broader pattern across state-sponsored threat actors. AI tools lower the research and development overhead for operations that previously required more specialized expertise, and they are particularly useful for actors expanding into unfamiliar technology domains, such as CyberAv3ngers' pivot from Unitronics to Rockwell Automation controllers. The OpenAI disclosure does not suggest that AI fundamentally changed the group's capabilities, but it does indicate that AI-assisted reconnaissance is now part of the standard toolkit for state-directed ICS threat actors.&lt;/p&gt;&lt;h3&gt;What is CVE-2021-22681 and why does it matter?&lt;/h3&gt;&lt;p&gt;&lt;a href="https://www.tenable.com/cve/CVE-2021-22681"&gt;&lt;u&gt;CVE-2021-22681&lt;/u&gt;&lt;/a&gt; is a critical authentication bypass vulnerability (CVSS 9.8) in Rockwell Automation's Logix controller ecosystem. The flaw stems from an insufficiently protected cryptographic key used to verify communications between the Studio 5000 Logix Designer engineering software and Logix PLCs. A remote, unauthenticated attacker who obtains or intercepts this key can impersonate legitimate engineering software, bypass authentication, and establish a direct connection to affected controllers without valid credentials.&lt;/p&gt;&lt;p&gt;The vulnerability affects a wide range of Rockwell Automation products including RSLogix 5000 (versions 16–20), Studio 5000 Logix Designer (version 21 and later), and multiple Logix controller families: CompactLogix, ControlLogix, GuardLogix, DriveLogix, and SoftLogix. 
CVE-2021-22681 was originally disclosed in February 2021 and was added to the CISA Known Exploited Vulnerabilities catalog in March 2026 after active exploitation by Iranian-affiliated actors was confirmed.&lt;/p&gt;&lt;p&gt;A critical operational detail for vulnerability management teams: Rockwell Automation has stated that this vulnerability cannot be fully addressed with a patch. There is no software update to deploy and no patch cycle to wait for. Rockwell directs customers to apply defense-in-depth mitigations instead, including network segmentation, engineering workstation isolation, CIP Security enablement, and physical mode switch hardening. This means the exposure is permanent absent architectural controls, and organizations that rely on patch-based remediation workflows will not resolve this vulnerability through their standard processes.&lt;/p&gt;&lt;h3&gt;How severe is the current threat?&lt;/h3&gt;&lt;p&gt;The current threat level is critical. The convergence of three factors: a confirmed state-directed actor with demonstrated willingness to disrupt civilian infrastructure, a custom-built ICS malware capability alongside exploitation of a critical authentication bypass with no available patch, and &lt;a href="https://www.tenable.com/blog/operation-epic-fury-why-exposure-data-changes-everything-about-irans-cyber-kinetic-campaign"&gt;&lt;u&gt;active kinetic hostilities between the United States and Iran following Operation Epic Fury&lt;/u&gt;&lt;/a&gt;, creates the most acute Iranian cyber threat to U.S. critical infrastructure on record.&lt;/p&gt;&lt;p&gt;CISA Advisory AA26-097A confirmed that organizations from multiple U.S. critical infrastructure sectors experienced disruptions through malicious interactions with PLC project files and manipulation of data displayed on HMI and SCADA systems, resulting in operational disruption and financial loss. 
The FBI assessed that the actors' intent is to cause disruptive effects within the United States.&lt;/p&gt;&lt;p&gt;The threat does not depend on CyberAv3ngers remaining intact as an organization. Unverified reports have circulated that individuals linked to the group may have been killed in the Operation Epic Fury strikes, but these reports remain unconfirmed, and the continued exploitation activity documented in the April 7 advisory demonstrates that the operational capability persists regardless. More importantly, CyberAv3ngers' ICS exploitation techniques have proliferated to an estimated 60+ pro-Iranian hacktivist groups. This "swarm effect" creates a distributed threat surface with no single point of disruption, lowers the capability threshold so less experienced actors can attempt ICS attacks using shared knowledge, and increases the risk of unintended physical consequences from operators who lack the discipline or understanding to control the effects of PLC manipulation. The threat may actually become less predictable as it becomes more diffuse.&lt;/p&gt;&lt;p&gt;Finally, the systemic exposure condition that enables this threat, internet-exposed PLCs with weak or default authentication, is structural, not transient. It has persisted across every phase of CyberAv3ngers' operations despite repeated federal advisories. Until the foundational attack surface is eliminated, the same class of attack will remain viable for any group that adopts the playbook.&lt;/p&gt;&lt;h3&gt;What should organizations do right now?&lt;/h3&gt;&lt;p&gt;Organizations operating internet-exposed PLCs, particularly Rockwell Automation and Unitronics devices, should take the following actions immediately:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;Disconnect PLCs from the public internet.&lt;/strong&gt; Any internet-accessible Rockwell Logix controller is exploitable via CVE-2021-22681 without authentication. There is no patch for this vulnerability.
If remote access is operationally necessary, deploy a secure gateway with multifactor authentication.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Set physical mode switches to "Run."&lt;/strong&gt; This prevents remote modification of PLC logic and configurations.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Back up all PLC logic and configurations offline.&lt;/strong&gt; Store backups on secured physical media and test restore procedures.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Ingest IOCs from CISA Advisory AA26-097A.&lt;/strong&gt; Download the STIX-formatted indicators of compromise and deploy them in SIEM, IDS, and firewall platforms. Monitor for traffic on ports 44818, 2222, 102, 22, and 502 from overseas hosting providers.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Implement IT/OT network segmentation.&lt;/strong&gt; Isolate engineering workstations running Studio 5000 Logix Designer from untrusted network segments. Deploy allowlisting so only authorized workstations can communicate with controllers.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Audit remote access to OT environments.&lt;/strong&gt; Identify and replace any consumer-grade remote access tools (TeamViewer, AnyDesk, or similar) with enterprise VPN solutions that enforce multifactor authentication and centralized logging. Ensure all remote OT access is monitored.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Audit Unitronics devices.&lt;/strong&gt; Verify that all Unitronics Vision Series PLCs have had default passwords changed per VisiLogic version 9.9.00.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Deploy behavioral detection for IOCONTROL indicators.&lt;/strong&gt; Alert on MQTT over TLS (port 8883) and DNS-over-HTTPS traffic originating from OT network segments.&lt;/li&gt;&lt;/ul&gt;&lt;h3&gt;Has Tenable released product coverage for the vulnerabilities discussed?&lt;/h3&gt;&lt;p&gt;A &lt;a href="https://www.tenable.com/plugins/ot/500451"&gt;&lt;u&gt;Tenable plugin&lt;/u&gt;&lt;/a&gt; is available for CVE-2021-22681, which was updated in March 2026. 
Tenable OT Security detects this vulnerability in Rockwell Automation Logix controller environments.&lt;/p&gt;&lt;p&gt;Organizations using the &lt;a href="https://www.tenable.com/products/tenable-one"&gt;&lt;u&gt;Tenable One Exposure Management Platform&lt;/u&gt;&lt;/a&gt; can leverage vulnerability intelligence capabilities to identify affected Rockwell Automation assets in their environment. The platform's exposure assessment capabilities can help prioritize remediation based on the active exploitation context documented in this post.&lt;/p&gt;&lt;p&gt;A list of Tenable plugins for this vulnerability can be found on the &lt;a href="https://www.tenable.com/cve/CVE-2021-22681/plugins"&gt;&lt;u&gt;CVE-2021-22681 plugins page&lt;/u&gt;&lt;/a&gt;. These plugins will be updated as additional detection coverage is developed.&lt;/p&gt;&lt;p&gt;For the latest information on Tenable detection coverage and ongoing updates, visit the &lt;a href="https://www.tenable.com/cve/CVE-2021-22681"&gt;&lt;u&gt;Tenable CVE page for CVE-2021-22681&lt;/u&gt;&lt;/a&gt;.&lt;/p&gt;&lt;h2&gt;Conclusion&lt;/h2&gt;&lt;p&gt;CyberAv3ngers has evolved from a propagandistic hacktivist persona into one of the most consequential Iranian threats to U.S. operational technology infrastructure. The group's trajectory from default credential exploitation in 2023, to custom ICS malware deployment in 2024, to active exploitation of Rockwell Automation controllers in 2026 demonstrates a deliberate capability escalation that tracks the broader maturation pattern Dragos identified across Iranian ICS-targeting groups: adversaries moving beyond pre-positioning to actively understanding and manipulating physical processes.&lt;/p&gt;&lt;p&gt;Three factors make this threat durable. First, the systemic exposure condition, internet-exposed PLCs with weak or absent authentication, has persisted across every phase of the group's operations despite repeated federal advisories.
Until the foundational attack surface is eliminated, the same class of attack will remain viable. Second, the exploitation playbook has proliferated to dozens of semi-autonomous groups, meaning the threat persists regardless of CyberAv3ngers' own organizational status. Third, CVE-2021-22681 has no vendor patch. Affected organizations cannot resolve this vulnerability through standard patch management workflows and must implement architectural controls instead.&lt;/p&gt;&lt;p&gt;Organizations operating Rockwell Automation or Unitronics devices should treat the recommendations in this post and CISA Advisory AA26-097A as urgent action items, not longer-term roadmap items. The threat is accelerating.&lt;/p&gt;&lt;p&gt;Tenable Research Special Operations will continue to track CyberAv3ngers and the broader Iranian ICS threat ecosystem. We will update this post as new intelligence becomes available.&lt;/p&gt;&lt;h3&gt;Get more information&lt;/h3&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa26-097a"&gt;&lt;u&gt;CISA Advisory AA26-097A: Iranian-Affiliated Cyber Actors Exploit PLCs Across US Critical Infrastructure&lt;/u&gt;&lt;/a&gt; (April 7, 2026)&lt;/li&gt;&lt;li&gt;&lt;a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a"&gt;&lt;u&gt;CISA Advisory AA23-335A: IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors&lt;/u&gt;&lt;/a&gt; (Updated December 2024)&lt;/li&gt;&lt;li&gt;&lt;a href="https://rewardsforjustice.net/rewards/cyberav3ngers/"&gt;&lt;u&gt;Rewards for Justice — CyberAv3ngers&lt;/u&gt;&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="https://claroty.com/team82/research/inside-a-new-ot-iot-cyber-weapon-iocontrol"&gt;&lt;u&gt;Claroty Team82 — Inside a New OT/IoT Cyberweapon: IOCONTROL&lt;/u&gt;&lt;/a&gt; (December 2024)&lt;/li&gt;&lt;li&gt;&lt;a href="https://www.domaintools.com/"&gt;&lt;u&gt;DomainTools — CyberAv3ngers Influence Operations Analysis&lt;/u&gt;&lt;/a&gt; (June 
2025)&lt;/li&gt;&lt;li&gt;&lt;a href="https://www.tenable.com/cve/CVE-2021-22681"&gt;&lt;u&gt;Tenable CVE Page — CVE-2021-22681&lt;/u&gt;&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;em&gt;&lt;strong&gt;Join&lt;/strong&gt;&lt;/em&gt; &lt;a href="https://connect.tenable.com/category/news-you-need/discussions/vulnerability-watch"&gt;&lt;em&gt;&lt;strong&gt;&lt;u&gt;Tenable's Research Special Operations (RSO) Team&lt;/u&gt;&lt;/strong&gt;&lt;/em&gt;&lt;/a&gt; &lt;em&gt;&lt;strong&gt;on Tenable Connect and engage with us in the&lt;/strong&gt;&lt;/em&gt; &lt;a href="https://connect.tenable.com/group/threat-roundtable"&gt;&lt;em&gt;&lt;strong&gt;&lt;u&gt;Threat Roundtable group&lt;/u&gt;&lt;/strong&gt;&lt;/em&gt;&lt;/a&gt; &lt;em&gt;&lt;strong&gt;for further discussions on the latest cyber threats.&lt;/strong&gt;&lt;/em&gt;&lt;/p&gt;&lt;p&gt;&lt;em&gt;&lt;strong&gt;Learn more about&lt;/strong&gt;&lt;/em&gt; &lt;a href="https://www.tenable.com/products/tenable-one"&gt;&lt;em&gt;&lt;strong&gt;&lt;u&gt;Tenable One&lt;/u&gt;&lt;/strong&gt;&lt;/em&gt;&lt;/a&gt;&lt;em&gt;&lt;strong&gt;, the Exposure Management Platform for the modern attack surface.&lt;/strong&gt;&lt;/em&gt;&lt;/p&gt;
&lt;img src="https://www.tenable.com/sites/default/files/images/articles/CyberAv3ngers-targeting-critical-infrastructure.jpg"&gt;
</description>
  <pubDate>Thu, 09 Apr 2026 16:28:27 -0400</pubDate>
    <dc:creator>Research Special Operations</dc:creator>
    <guid isPermaLink="true">https://www.tenable.com/210835</guid>
    </item>
<item>
  <title>CVE-2026-35616: Fortinet FortiClientEMS improper access control vulnerability exploited in the wild</title>
  <link>https://www.tenable.com/blog/cve-2026-35616-fortinet-forticlientems-improper-access-control-vulnerability-exploited-in-the</link>
  <description>&lt;div class="blog-see-also"&gt;&lt;p&gt;Exploitation has been observed for CVE-2026-35616, a critical improper access control zero-day vulnerability affecting Fortinet FortiClientEMS devices.&lt;/p&gt;&lt;h2&gt;Key takeaways:&lt;/h2&gt;&lt;ol&gt;&lt;li&gt;CVE-2026-35616, an improper access control vulnerability, has been exploited in the wild as a zero-day.&lt;br&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;Public exploit code has been identified, and Fortinet products have a long history of targeting by malicious actors.&lt;br&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;Hotfixes have been released by Fortinet and should be applied as soon as possible to protect against this threat.&lt;/li&gt;&lt;/ol&gt;&lt;/div&gt;&lt;div class="blog-change-log" id="blog-change-log"&gt;&lt;div class="blog-change-log-head"&gt;&lt;h3&gt;Change log&lt;/h3&gt;&lt;/div&gt;&lt;div class="col-sm-12 blog-change-log-content"&gt;&lt;p&gt;&lt;strong&gt;Update April 6:&lt;/strong&gt; The blog has been updated to include that CVE-2026-35616 has been added to the CISA KEV.&lt;/p&gt;&lt;details&gt;&lt;summary&gt;&lt;strong&gt;Click here to review the change history&lt;/strong&gt;&lt;/summary&gt;&lt;article&gt;&lt;section&gt;&lt;p&gt;&lt;strong&gt;April 6:&lt;/strong&gt; The blog has been updated to include that CVE-2026-35616 has been added to the CISA KEV.&lt;br&gt;&amp;nbsp;&lt;/p&gt;&lt;/section&gt;&lt;/article&gt;&lt;/details&gt;&lt;/div&gt;&lt;/div&gt;&lt;h2&gt;Background&lt;/h2&gt;&lt;p&gt;On April 4, Fortinet published a &lt;a href="https://fortiguard.fortinet.com/psirt/FG-IR-26-099" target="_blank"&gt;&lt;u&gt;security advisory (FG-IR-26-099)&lt;/u&gt;&lt;/a&gt; for CVE-2026-35616, a critical improper access control vulnerability affecting Fortinet FortiClientEMS.&lt;/p&gt;&lt;div class="table-responsive"&gt;&lt;table 
class="table"&gt;&lt;thead&gt;&lt;tr&gt;&lt;th&gt;&lt;strong&gt;CVE&lt;/strong&gt;&lt;/th&gt;&lt;th&gt;&lt;strong&gt;Description&lt;/strong&gt;&lt;/th&gt;&lt;th&gt;&lt;strong&gt;CVSSv3&lt;/strong&gt;&lt;/th&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;CVE-2026-35616&lt;/td&gt;&lt;td&gt;Fortinet FortiClientEMS Improper Access Control Vulnerability&lt;/td&gt;&lt;td&gt;9.1&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/div&gt;&lt;h2&gt;Analysis&lt;/h2&gt;&lt;p&gt;&lt;a href="https://www.tenable.com/cve/CVE-2026-35616"&gt;&lt;u&gt;CVE-2026-35616&lt;/u&gt;&lt;/a&gt; is a critical improper access control vulnerability affecting Fortinet FortiClientEMS. A remote, unauthenticated attacker can exploit this flaw to execute arbitrary code using specially crafted requests which bypass API authentication.&lt;/p&gt;&lt;p&gt;While no attribution has been provided as of the time this blog was published, the advisory from Fortinet confirms that exploitation has been observed. The advisory credits Simo Kohonen from Defused and Nguyen Duc Anh, who reported the vulnerability to Fortinet. 
On April 4, Defused released a &lt;a href="https://www.linkedin.com/feed/update/urn:li:share:7446082047514681344/" target="_blank"&gt;&lt;u&gt;LinkedIn post&lt;/u&gt;&lt;/a&gt; confirming their observations of zero-day exploitation of this flaw.&lt;/p&gt;&lt;p&gt;At the time this blog was published, Tenable Research had classified this flaw as a Vulnerability of Interest according to our &lt;a href="https://www.tenable.com/blog/reducing-remediation-time-remains-a-challenge-how-tenable-vulnerability-watch-can-help"&gt;Vulnerability Watch classification system&lt;/a&gt;.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Historical Exploitation of Fortinet Devices&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;Fortinet vulnerabilities have historically been common targets for cyber attackers, with 24 Fortinet CVEs currently on the Cybersecurity and Infrastructure Security Agency’s (CISA) &lt;a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog"&gt;&lt;u&gt;Known Exploited Vulnerabilities&lt;/u&gt;&lt;/a&gt; (KEV) list, 13 of which are linked to ransomware campaigns. Targeting of Fortinet flaws has been attributed to a number of threat actors, including &lt;a href="https://www.tenable.com/blog/salt-typhoon-an-analysis-of-vulnerabilities-exploited-by-this-state-sponsored-actor"&gt;Salt Typhoon&lt;/a&gt;.&lt;/p&gt;&lt;p&gt;Just over a week ago, Defused reported exploitation in the wild for &lt;a href="https://www.tenable.com/cve/CVE-2026-21643"&gt;CVE-2026-21643&lt;/a&gt;, a SQL injection vulnerability affecting FortiClientEMS. 
Fortinet’s advisory now reflects that exploitation has been observed, but as of April 6, the flaw has not yet been added to the KEV.&lt;/p&gt;&lt;blockquote class="twitter-tweet"&gt;&lt;p lang="en" dir="ltr"&gt;🚨 Fortinet Forticlient EMS CVE-2026-21643 - currently marked as not exploited on CISA and other Known Exploited Vulnerabilities (KEV) lists - has seen first exploitation already 4 days ago according to our data&lt;br&gt;&lt;br&gt;Attackers can smuggle SQL statements through the "Site"-header… &lt;a href="https://t.co/pHwl2qMVsj"&gt;pic.twitter.com/pHwl2qMVsj&lt;/a&gt;&lt;/p&gt;&lt;p&gt;— Defused (@DefusedCyber) &lt;a href="https://twitter.com/DefusedCyber/status/2037912573274636781?ref_src=twsrc%5Etfw"&gt;March 28, 2026&lt;/a&gt;&lt;/p&gt;&lt;/blockquote&gt;&lt;p&gt;At the time this blog was published on April 6, CVE-2026-35616 had not been added to the KEV; however, shortly after publication, the KEV was &lt;a href="https://www.cisa.gov/news-events/alerts/2026/04/06/cisa-adds-one-known-exploited-vulnerability-catalog" target="_blank"&gt;updated to include CVE-2026-35616&lt;/a&gt;.&lt;/p&gt;&lt;p&gt;As Fortinet devices have been popular targets for attackers, the Tenable Research Special Operations Team (RSO) has authored several blogs about vulnerabilities affecting these devices. 
The following table outlines some of the most impactful Fortinet vulnerabilities in recent years.&lt;/p&gt;&lt;div class="table-responsive"&gt;&lt;table class="table"&gt;&lt;thead&gt;&lt;tr&gt;&lt;th&gt;&lt;strong&gt;CVE&lt;/strong&gt;&lt;/th&gt;&lt;th&gt;&lt;strong&gt;Description&lt;/strong&gt;&lt;/th&gt;&lt;th&gt;&lt;strong&gt;Published&lt;/strong&gt;&lt;/th&gt;&lt;th&gt;&lt;strong&gt;Tenable Blog&lt;/strong&gt;&lt;/th&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;&lt;a href="https://www.tenable.com/cve/CVE-2025-64155"&gt;&lt;u&gt;CVE-2025-64155&lt;/u&gt;&lt;/a&gt;&lt;/td&gt;&lt;td&gt;Fortinet FortiSIEM Command Injection Vulnerability&lt;/td&gt;&lt;td&gt;January 2026&lt;/td&gt;&lt;td&gt;&lt;a href="https://www.tenable.com/blog/cve-2025-64155-exploit-code-released-for-critical-fortinet-fortisiem-command-injection"&gt;&lt;u&gt;CVE-2025-64155: Exploit Code Released for Critical Fortinet FortiSIEM Command Injection Vulnerability&lt;/u&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;a href="https://www.tenable.com/cve/CVE-2025-64446"&gt;&lt;u&gt;CVE-2025-64446&lt;/u&gt;&lt;/a&gt;&lt;/td&gt;&lt;td&gt;Fortinet FortiWeb Path Traversal Vulnerability&lt;/td&gt;&lt;td&gt;November 2025&lt;/td&gt;&lt;td&gt;&lt;a href="https://www.tenable.com/blog/cve-2025-64446-fortinet-fortiweb-zero-day-path-traversal-vulnerability-exploited-in-the-wild"&gt;&lt;u&gt;CVE-2025-64446: Fortinet FortiWeb Zero-Day Path Traversal Vulnerability Exploited in the Wild&lt;/u&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;a href="https://www.tenable.com/cve/CVE-2025-25256"&gt;&lt;u&gt;CVE-2025-25256&lt;/u&gt;&lt;/a&gt;&lt;/td&gt;&lt;td&gt;Fortinet FortiSIEM Command Injection Vulnerability&lt;/td&gt;&lt;td&gt;August 2025&lt;/td&gt;&lt;td&gt;&lt;a href="https://www.tenable.com/blog/cve-2025-25256-proof-of-concept-released-for-critical-fortinet-fortisiem-command-injection"&gt;&lt;u&gt;CVE-2025-25256: Proof of Concept Released for Critical Fortinet FortiSIEM Command 
Injection Vulnerability&lt;/u&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;a href="https://www.tenable.com/cve/CVE-2025-32756"&gt;&lt;u&gt;CVE-2025-32756&lt;/u&gt;&lt;/a&gt;&lt;/td&gt;&lt;td&gt;Fortinet FortiVoice, FortiMail, FortiNDR, FortiRecorder and FortiCamera Arbitrary Code Execution Vulnerability&lt;/td&gt;&lt;td&gt;May 2025&lt;/td&gt;&lt;td&gt;&lt;a href="https://www.tenable.com/blog/cve-2025-32756-zero-day-vulnerability-in-multiple-fortinet-products-exploited-in-the-wild"&gt;&lt;u&gt;CVE-2025-32756: Zero-Day Vulnerability in Multiple Fortinet Products Exploited in the Wild&lt;/u&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;a href="https://www.tenable.com/cve/CVE-2024-55591"&gt;&lt;u&gt;CVE-2024-55591&lt;/u&gt;&lt;/a&gt;&lt;/td&gt;&lt;td&gt;Fortinet Authentication Bypass in FortiOS and FortiProxy&lt;/td&gt;&lt;td&gt;January 2025&lt;/td&gt;&lt;td&gt;&lt;a href="https://www.tenable.com/blog/cve-2024-55591-fortinet-authentication-bypass-zero-day-vulnerability-exploited-in-the-wild"&gt;&lt;u&gt;CVE-2024-55591: Fortinet Authentication Bypass Zero-Day Vulnerability Exploited in the Wild&lt;/u&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;a href="https://www.tenable.com/cve/CVE-2024-21762"&gt;&lt;u&gt;CVE-2024-21762&lt;/u&gt;&lt;/a&gt;&lt;/td&gt;&lt;td&gt;Fortinet FortiOS Out-of-bound Write Vulnerability in sslvpnd&lt;/td&gt;&lt;td&gt;February 2024&lt;/td&gt;&lt;td&gt;&lt;a href="https://www.tenable.com/blog/cve-2024-21762-critical-fortinet-fortios-out-of-bound-write-ssl-vpn-vulnerability"&gt;&lt;u&gt;CVE-2024-21762: Critical Fortinet FortiOS Out-of-Bound Write SSL VPN Vulnerability&lt;/u&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;a href="https://www.tenable.com/cve/CVE-2023-27997"&gt;&lt;u&gt;CVE-2023-27997&lt;/u&gt;&lt;/a&gt;&lt;/td&gt;&lt;td&gt;FortiOS and FortiProxy Heap-Based Buffer Overflow Vulnerability&lt;/td&gt;&lt;td&gt;June 2023&lt;/td&gt;&lt;td&gt;&lt;a 
href="https://www.tenable.com/blog/cve-2023-27997-heap-based-buffer-overflow-in-fortinet-fortios-and-fortiproxy-ssl-vpn-xortigate"&gt;&lt;u&gt;CVE-2023-27997: Heap-Based Buffer Overflow in Fortinet FortiOS and FortiProxy SSL-VPN (XORtigate)&lt;/u&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;a href="https://www.tenable.com/cve/CVE-2022-42475"&gt;&lt;u&gt;CVE-2022-42475&lt;/u&gt;&lt;/a&gt;&lt;/td&gt;&lt;td&gt;FortiOS and FortiProxy Heap-Based Buffer Overflow Vulnerability&lt;/td&gt;&lt;td&gt;December 2022&lt;/td&gt;&lt;td&gt;&lt;a href="https://www.tenable.com/blog/cve-2022-42475-fortinet-patches-zero-day-in-fortios-ssl-vpns"&gt;&lt;u&gt;CVE-2022-42475: Fortinet Patches Zero Day in FortiOS SSL VPNs&lt;/u&gt;&lt;/a&gt;&lt;br&gt;&lt;a href="https://www.tenable.com/blog/aa23-250a-multiple-nation-state-threat-actors-exploit-cve-2022-47966-and-cve-2022-42475"&gt;&lt;u&gt;AA23-250A: Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475&lt;/u&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;a href="https://www.tenable.com/cve/CVE-2022-40684"&gt;&lt;u&gt;CVE-2022-40684&lt;/u&gt;&lt;/a&gt;&lt;/td&gt;&lt;td&gt;FortiOS and FortiProxy Authentication Bypass Vulnerability&lt;/td&gt;&lt;td&gt;October 2022&lt;/td&gt;&lt;td&gt;&lt;a href="https://www.tenable.com/blog/cve-2022-40684-critical-authentication-bypass-in-fortios-and-fortiproxy"&gt;&lt;u&gt;CVE-2022-40684: Critical Authentication Bypass in FortiOS and FortiProxy&lt;/u&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/div&gt;&lt;h2&gt;Proof of concept&lt;/h2&gt;&lt;p&gt;As of April 6, a public proof-of-concept has been identified on GitHub; however, Tenable Research has not yet verified the exploit. 
Given the past exploitation of Fortinet devices and published exploit code for several past vulnerabilities, we anticipate that exploitation will continue to increase as additional exploits are released.&lt;/p&gt;&lt;h2&gt;Solution&lt;/h2&gt;&lt;p&gt;The following table details the affected and fixed versions of Fortinet FortiClientEMS devices for CVE-2026-35616:&lt;/p&gt;&lt;div class="table-responsive"&gt;&lt;table class="table"&gt;&lt;thead&gt;&lt;tr&gt;&lt;th&gt;&lt;strong&gt;Product Version&lt;/strong&gt;&lt;/th&gt;&lt;th&gt;&lt;strong&gt;Affected Range&lt;/strong&gt;&lt;/th&gt;&lt;th&gt;&lt;strong&gt;Fixed Version&lt;/strong&gt;&lt;/th&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;FortiClientEMS 7.2&lt;/td&gt;&lt;td&gt;Not affected&lt;/td&gt;&lt;td&gt;N/A&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;FortiClientEMS 7.4&lt;/td&gt;&lt;td&gt;7.4.5 through 7.4.6&lt;/td&gt;&lt;td&gt;7.4.7 or above&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/div&gt;&lt;p&gt;As of April 6, Fortinet has provided a hotfix for FortiClient EMS &lt;a href="https://docs.fortinet.com/document/forticlient/7.4.5/ems-release-notes/832484" target="_blank"&gt;&lt;u&gt;7.4.5&lt;/u&gt;&lt;/a&gt; and &lt;a href="https://docs.fortinet.com/document/forticlient/7.4.6/ems-release-notes/832484" target="_blank"&gt;&lt;u&gt;7.4.6&lt;/u&gt;&lt;/a&gt; to address this vulnerability. Version 7.4.7 has not yet been released, but will be an upcoming release that addresses this vulnerability. Until that release, the hotfix must be applied to be protected against this vulnerability. 
We recommend reviewing the &lt;a href="https://fortiguard.fortinet.com/psirt/FG-IR-26-099" target="_blank"&gt;&lt;u&gt;security advisory&lt;/u&gt;&lt;/a&gt;, as Fortinet may update the document in the future.&lt;/p&gt;&lt;h2&gt;Identifying affected systems&lt;/h2&gt;&lt;p&gt;A list of Tenable plugins for this vulnerability can be found on the individual CVE page for &lt;a href="https://www.tenable.com/cve/CVE-2026-35616/plugins"&gt;&lt;u&gt;CVE-2026-35616&lt;/u&gt;&lt;/a&gt; as they’re released. This link will display all available plugins for this vulnerability, including upcoming plugins in our &lt;a href="https://www.tenable.com/plugins/pipeline"&gt;&lt;u&gt;Plugins Pipeline&lt;/u&gt;&lt;/a&gt;.&lt;/p&gt;&lt;p&gt;Additionally, customers can utilize Tenable Attack Surface Management to identify public-facing assets running Fortinet devices by using the following subscription:&lt;/p&gt;&lt;img src="https://www.tenable.com/sites/default/files/images/blog/fc91906e-f12b-43f1-8fe6-397a8933e6ea.png" width="1252" height="614" referrerpolicy="no-referrer" loading="lazy"&gt;&lt;h3&gt;Get more information&lt;/h3&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="https://fortiguard.fortinet.com/psirt/FG-IR-26-099" target="_blank"&gt;&lt;u&gt;Fortinet FG-IR-26-099 Security Advisory&lt;/u&gt;&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;em&gt;&lt;strong&gt;Join &lt;/strong&gt;&lt;/em&gt;&lt;a href="https://connect.tenable.com/category/news-you-need/discussions/cyber-exposure-alerts"&gt;&lt;em&gt;&lt;strong&gt;&lt;u&gt;Tenable's Research Special Operations (RSO) Team&lt;/u&gt;&lt;/strong&gt;&lt;/em&gt;&lt;/a&gt;&lt;em&gt;&lt;strong&gt; on the Tenable Community.&lt;/strong&gt;&lt;/em&gt;&lt;/p&gt;&lt;p&gt;&lt;em&gt;&lt;strong&gt;Learn more about &lt;/strong&gt;&lt;/em&gt;&lt;a href="https://www.tenable.com/products/tenable-one"&gt;&lt;em&gt;&lt;strong&gt;&lt;u&gt;Tenable One&lt;/u&gt;&lt;/strong&gt;&lt;/em&gt;&lt;/a&gt;&lt;em&gt;&lt;strong&gt;, the Exposure 
Management Platform for the modern attack surface.&lt;/strong&gt;&lt;/em&gt;&lt;/p&gt;
&lt;img src="https://www.tenable.com/sites/default/files/images/articles/FAQ-advisory-zero-day-CVE-2026-35616.png"&gt;
</description>
  <pubDate>Mon, 06 Apr 2026 10:21:05 -0400</pubDate>
    <dc:creator>Scott Caveza</dc:creator>
    <guid isPermaLink="true">https://www.tenable.com/210827</guid>
    </item>
<item>
  <title>The developer credential economy: Why exposure data is the new front line in the supply chain war</title>
  <link>https://www.tenable.com/blog/the-developer-credential-economy-exposure-data-is-the-new-front-line-in-the-supply-chain-war</link>
  <description>&lt;div class="blog-see-also"&gt;&lt;p&gt;Recent supply chain attacks have highlighted an urgent need for organizations to shift from a reactive security posture to a preemptive exposure management strategy. Learn why endpoint detection and response tools don’t have you covered when highly privileged developer credentials get exposed.&lt;/p&gt;&lt;h2&gt;Key takeaways:&lt;/h2&gt;&lt;ol&gt;&lt;li&gt;Recent supply chain attacks are emblematic of an insidious new trend in cybercrime: Threat actors are increasingly using supply chain attacks to harvest highly privileged developer credentials and create a “Developer Credential Economy,” a lucrative black market for API keys, secrets, and cloud access tokens.&lt;br&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;Relying on execution-layer detection, such as EDR, is insufficient against supply chain threats because these tools lack visibility into the ephemeral CI/CD environments where credential theft and weaponization actually occur.&lt;br&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;Neutralizing the systemic infrastructure risk created by the Developer Credential Economy requires a continuous threat exposure management (CTEM) approach to proactively identify and eliminate exposure conditions, such as long-lived access tokens, before an attacker can exploit them.&lt;/li&gt;&lt;/ol&gt;&lt;/div&gt;&lt;h2&gt;Background&lt;/h2&gt;&lt;p&gt;The convergence of the &lt;a href="https://www.axios.com/2026/03/31/anthropic-leaked-source-code-ai" target="_blank"&gt;&lt;u&gt;Anthropic Claude Code source leak&lt;/u&gt;&lt;/a&gt; and the &lt;a href="https://www.tenable.com/blog/faq-about-the-axios-npm-supply-chain-attack-by-north-korea-nexus-threat-actor-unc1069"&gt;&lt;u&gt;Sapphire Sleet (UNC1069) Axios compromise&lt;/u&gt;&lt;/a&gt; has collapsed the boundary between traditional malware and systemic infrastructure risk. 
Our analysis of the exposure intelligence data reveals that the cluster of supply chain attacks observed in March 2026 should not be viewed as disparate incidents; rather, they signify the new operational reality of a high-velocity &lt;strong&gt;“Developer Credential Economy,”&lt;/strong&gt; a black market for highly privileged developer credentials.&lt;/p&gt;&lt;p&gt;In this new reality, attackers are no longer just hacking software supply chains; they’re systematically using supply chain attacks to harvest the very keys to the kingdom from the tools security teams trust most.&lt;/p&gt;&lt;h2&gt;The myth of the EDR singularity&lt;/h2&gt;&lt;p&gt;&lt;a href="https://www.linkedin.com/posts/microsoft-threat-intelligence_mitigating-the-axios-npm-supply-chain-compromise-activity-7445214271774556160-lusQ/" target="_blank"&gt;&lt;u&gt;Microsoft&lt;/u&gt;&lt;/a&gt; and &lt;a href="https://cloud.google.com/blog/topics/threat-intelligence/north-korea-threat-actor-targets-axios-npm-package" target="_blank"&gt;&lt;u&gt;Google&lt;/u&gt;&lt;/a&gt; have independently attributed the recent Axios compromise to a North Korean state actor. Industry narratives have framed the compromise, which backdoored an npm-managed JavaScript library package with 100 million weekly downloads, as a victory for endpoint detection and response (&lt;a href="https://www.tenable.com/cybersecurity-guide/principles/endpoint-detection-and-response-edr"&gt;&lt;u&gt;EDR&lt;/u&gt;&lt;/a&gt;). The logic seems simple: EDR caught and stopped the payload at execution; therefore, EDR is the solution.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;This is a dangerous miscalculation.&lt;/strong&gt; The concept of an EDR singularity, where EDR solutions become so comprehensive, intelligent, and autonomous that they negate the need for virtually all other security tools and human intervention at the endpoint, is a powerful and seductive myth dominating the current security landscape. 
This narrative suggests that, through advancements in machine learning, behavioral analytics, and automated response capabilities, a single, all-encompassing EDR platform will eventually unify and solve the bulk of security challenges.&lt;/p&gt;&lt;p&gt;Relying on EDR to stop a supply chain attack is like relying on a smoke detector while storing open canisters of gasoline in your kitchen. Our analysis shows that by the time an EDR agent fires on the &lt;strong&gt;WAVESHAPER.V2 RAT&lt;/strong&gt;, the true damage — the exposure — has already occurred. This demonstrates the urgent need for organizations to shift from a reactive to a preemptive cybersecurity posture.&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;EDR is reactive:&lt;/strong&gt; It monitors execution, not the conditions that allow it. It cannot see the misconfigured GitHub Action or the over-privileged npm token that enabled the compromise in the first place.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;The coverage gap:&lt;/strong&gt; EDR has zero visibility into the ephemeral CI/CD runners and build environments where these credentials are stolen. In the Developer Credential Economy, the theft happens where the agents aren't.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;The fail-deadly speed:&lt;/strong&gt; In the Axios campaign, the malware was designed to exfiltrate secrets and self-destruct within seconds, typically faster than an EDR alert can be triaged by a human analyst.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;EDR evasion is not theoretical:&lt;/strong&gt; EDR evasion is an active, industrialized capability. 
Threat actors routinely bypass kernel-level EDR through bring your own vulnerable driver (BYOVD) attacks, where adversaries load legitimately signed but vulnerable kernel drivers to disable or blind EDR agents.&lt;/li&gt;&lt;/ul&gt;&lt;h2&gt;Targeting analysis: Mapping the credential generation layer&lt;/h2&gt;&lt;p&gt;Adversaries are increasingly compromising and &lt;a href="https://www.sans.org/blog/when-security-scanner-became-weapon-inside-teampcp-supply-chain-campaign" target="_blank"&gt;&lt;u&gt;weaponizing&lt;/u&gt;&lt;/a&gt; critical chokepoint tools used by developers and security teams, like the Axios npm package and the KICS IaC scanner. This trend, which involves moving upstream in the development lifecycle, reveals a distinct division of labor within this emerging threat economy.&lt;/p&gt;&lt;img src="https://www.tenable.com/sites/default/files/images/blog/a019e575-eeaf-4789-89a4-e2fe01ec533d.png" alt="Tenable Attack Path Interruption image" width="1024" height="559" referrerpolicy="no-referrer" loading="lazy"&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;div class="table-responsive"&gt;&lt;table class="table"&gt;&lt;thead&gt;&lt;tr&gt;&lt;th&gt;&lt;strong&gt;Actor / Group&lt;/strong&gt;&lt;/th&gt;&lt;th&gt;&lt;strong&gt;Operational focus&lt;/strong&gt;&lt;/th&gt;&lt;th&gt;&lt;strong&gt;Primary target&lt;/strong&gt;&lt;/th&gt;&lt;th&gt;&lt;strong&gt;Vertical Impact&lt;/strong&gt;&lt;/th&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;&lt;strong&gt;TeamPCP&lt;/strong&gt;&lt;/td&gt;&lt;td&gt;&lt;strong&gt;Generation layer:&lt;/strong&gt; Bulk credential harvesting via tool exploitation&lt;/td&gt;&lt;td&gt;Trivy, LiteLLM, KICS (Security/Dev tools)&lt;/td&gt;&lt;td&gt;Global SaaS &amp;amp; AI infrastructure&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;strong&gt;Sapphire Sleet&lt;/strong&gt;&lt;/td&gt;&lt;td&gt;&lt;strong&gt;Weaponization layer:&lt;/strong&gt; State-sponsored exfiltration and revenue generation&lt;/td&gt;&lt;td&gt;Axios, npm 
ecosystem&lt;/td&gt;&lt;td&gt;Fintech, Crypto, Government&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;strong&gt;GlassWorm&lt;/strong&gt;&lt;/td&gt;&lt;td&gt;&lt;strong&gt;Opportunistic layer:&lt;/strong&gt; High-volume automated theft&lt;/td&gt;&lt;td&gt;VSCode extensions, OpenVSX&lt;/td&gt;&lt;td&gt;Blockchain &amp;amp; Web3&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/div&gt;&lt;p&gt;Actors are successfully exploiting exposures, such as long-lived tokens, overprivileged CI/CD runners, and unpinned dependencies, to force organizations into a reactive posture.&lt;/p&gt;&lt;h2&gt;Exposure intelligence: The shift to CTEM&lt;/h2&gt;&lt;p&gt;To escape this pattern, defenders must shift from merely reacting to malware to adopting &lt;strong&gt;continuous threat exposure management (&lt;/strong&gt;&lt;a href="https://www.tenable.com/cybersecurity-guide/learn/what-is-ctem"&gt;&lt;strong&gt;&lt;u&gt;CTEM&lt;/u&gt;&lt;/strong&gt;&lt;/a&gt;&lt;strong&gt;)&lt;/strong&gt; as a preemptive strategy.&lt;/p&gt;&lt;p&gt;While AI companies market their frontier models as security tools, the recent leak of 512,000 lines of Claude source code demonstrates that AI is just another asset with its own massive exposure profile.&lt;/p&gt;&lt;p&gt;A mature CTEM program, powered by &lt;strong&gt;exposure intelligence&lt;/strong&gt;, focuses on the preemptive actions that actually reduce risk:&lt;/p&gt;&lt;ol&gt;&lt;li&gt;&lt;strong&gt;Phase 1: Hardening (The Kill Switch)&lt;/strong&gt;: Organizations must audit lockfiles and kill lifecycle hooks (&lt;em&gt;--ignore-scripts&lt;/em&gt;) immediately. This eliminates the postinstall vector that Sapphire Sleet used to deploy WAVESHAPER.V2.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Phase 2: Human/Identity defense:&lt;/strong&gt; We must eliminate long-lived tokens. The Axios compromise succeeded because a single stolen token bypassed every security control. 
Transitioning to short-lived, OIDC-based automation is an exposure management requirement, not a nice-to-have.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Phase 3: Counter-recon:&lt;/strong&gt; Use &lt;strong&gt;Tenable One&lt;/strong&gt; to map your full attack surface, including the &lt;a href="https://www.tenable.com/cybersecurity-guide/learn/shift-left-security-and-cicd-pipelines"&gt;&lt;u&gt;CI/CD pipelines&lt;/u&gt;&lt;/a&gt; and cloud-native build stages that EDR cannot reach.&lt;/li&gt;&lt;/ol&gt;&lt;h2&gt;The bottom line&lt;/h2&gt;&lt;p&gt;The Axios and Anthropic events are a wake-up call for the C-suite. Theoretical severity and reactive detection (EDR) are insufficient against an adversary that has industrialized the theft of developer identities.&lt;/p&gt;&lt;p&gt;&lt;a href="https://www.tenable.com/exposure-management"&gt;&lt;strong&gt;&lt;u&gt;Exposure management&lt;/u&gt;&lt;/strong&gt;&lt;/a&gt; should be your first and primary line of defense. By identifying and remediating the exposure conditions that supply chain attacks depend on, we can stop the payload before it ever reaches the endpoint.&lt;/p&gt;&lt;h3&gt;Get more information&lt;/h3&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="https://www.tenable.com/blog/faq-about-the-axios-npm-supply-chain-attack-by-north-korea-nexus-threat-actor-unc1069"&gt;&lt;u&gt;Read the Tenable Research Special Operations Advisory on the Axios npm Compromise&lt;/u&gt;&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="https://www.tenable.com/blog/hexa-ai-agentic-ai-for-exposure-management"&gt;&lt;u&gt;Accelerate your preemptive security with Tenable’s agentic engine, Hexa AI&lt;/u&gt;&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="https://www.tenable.com/products/tenable-one"&gt;&lt;u&gt;Explore Tenable One for Exposure Management&lt;/u&gt;&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;em&gt;&lt;strong&gt;Join &lt;/strong&gt;&lt;/em&gt;&lt;a 
href="https://connect.tenable.com/category/news-you-need/discussions/vulnerability-watch"&gt;&lt;em&gt;&lt;strong&gt;&lt;u&gt;Tenable's Research Special Operations (RSO) Team&lt;/u&gt;&lt;/strong&gt;&lt;/em&gt;&lt;/a&gt;&lt;em&gt;&lt;strong&gt; on Tenable Connect for further discussions on the latest cyber threats.&lt;/strong&gt;&lt;/em&gt;&lt;/p&gt;&lt;p&gt;&lt;em&gt;&lt;strong&gt;Learn more about &lt;/strong&gt;&lt;/em&gt;&lt;a href="https://www.tenable.com/products/tenable-one"&gt;&lt;em&gt;&lt;strong&gt;&lt;u&gt;Tenable One&lt;/u&gt;&lt;/strong&gt;&lt;/em&gt;&lt;/a&gt;&lt;em&gt;&lt;strong&gt;, the Exposure Management Platform for the modern attack surface.&lt;/strong&gt;&lt;/em&gt;&lt;/p&gt;
&lt;img src="https://www.tenable.com/sites/default/files/images/articles/Exposure%20Data2_0.png"&gt;
</description>
  <pubDate>Fri, 03 Apr 2026 14:50:57 -0400</pubDate>
    <dc:creator>Research Special Operations</dc:creator>
    <guid isPermaLink="true">https://www.tenable.com/210826</guid>
    </item>
<item>
  <title>Frequently Asked Questions About the Axios npm Supply Chain Attack by North Korea-Nexus Threat Actor UNC1069</title>
  <link>https://www.tenable.com/blog/faq-about-the-axios-npm-supply-chain-attack-by-north-korea-nexus-threat-actor-unc1069</link>
  <description>&lt;p&gt;A North Korea-nexus threat actor compromised the widely used axios npm package, delivering a cross-platform remote access trojan to potentially millions of developer environments during a three-hour window on March 31.&lt;/p&gt;&lt;div class="blog-see-also"&gt;&lt;h2&gt;Key takeaways:&lt;/h2&gt;&lt;ol&gt;&lt;li&gt;The axios npm package, which has over 100 million weekly downloads, was compromised in a supply chain attack attributed by Google Threat Intelligence Group (GTIG) to UNC1069, a financially motivated North Korea-nexus threat actor.&lt;br&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;Malicious versions 1.14.1 and 0.30.4 were live on the npm registry for approximately three hours and delivered the WAVESHAPER.V2 backdoor to macOS, Windows and Linux systems.&lt;br&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;The malicious versions have been removed from npm, and developers who installed them are advised to treat affected systems as fully compromised, rotate all credentials and rebuild from clean snapshots.&lt;br&gt;&amp;nbsp;&lt;/li&gt;&lt;/ol&gt;&lt;/div&gt;&lt;h2&gt;Background&lt;/h2&gt;&lt;p&gt;Tenable's Research Special Operations (RSO) team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding a supply chain attack against the axios npm package.&lt;/p&gt;&lt;h2&gt;FAQ&lt;/h2&gt;&lt;p&gt;&lt;strong&gt;What happened to the axios npm package?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;On March 31, 2026, an attacker published two malicious versions of the axios npm package, versions 1.14.1 and 0.30.4, to the npm registry. The attacker had compromised the maintainer account associated with the package and injected a malicious dependency called "plain-crypto-js" that served as a delivery vehicle for a cross-platform remote access trojan (RAT). 
The malicious versions were live on the npm registry for approximately three hours before they were identified and removed.&lt;/p&gt;&lt;p&gt;See how recent supply chain attacks are creating a &lt;a href="https://www.tenable.com/blog/the-developer-credential-economy-exposure-data-is-the-new-front-line-in-the-supply-chain-war" target="_blank"&gt;black market for highly privileged developer credentials&lt;/a&gt;.&amp;nbsp;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;How popular is the axios npm package?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;Axios is one of the most widely used JavaScript libraries, used to simplify HTTP requests. The 1.x branch typically has over 100 million weekly downloads, and the 0.x branch has over 83 million.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;How was the axios maintainer account compromised?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;According to analysis by &lt;a href="https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan"&gt;&lt;u&gt;StepSecurity&lt;/u&gt;&lt;/a&gt; and &lt;a href="https://cloud.google.com/blog/topics/threat-intelligence/north-korea-threat-actor-targets-axios-npm-package"&gt;&lt;u&gt;Google Threat Intelligence Group (GTIG)&lt;/u&gt;&lt;/a&gt;, the attacker compromised the npm account belonging to @jasonsaayman and changed the associated email address to an attacker-controlled address (&lt;a href="mailto:ifstap@proton.me"&gt;&lt;u&gt;ifstap@proton.me&lt;/u&gt;&lt;/a&gt;).&lt;/p&gt;&lt;p&gt;The attacker used a long-lived classic npm access token to publish the malicious versions, bypassing the GitHub Actions OIDC workflow used for legitimate releases. Legitimate axios releases show a trusted publisher binding to GitHub Actions with a corresponding GitHub commit and tag. 
The malicious versions lacked this entirely, providing one of the clearest signals that the release was unauthorized.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;What is the malicious dependency and how does it work?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;The attacker published a purpose-built malicious package called plain-crypto-js@4.2.1 to npm approximately 22 minutes before publishing the first malicious axios version. A clean decoy version (4.2.0) was published roughly 18 hours earlier. The only change to the axios package itself was the addition of plain-crypto-js as a dependency in package.json. The package is never imported or referenced in axios source code, so a search of the axios code finds nothing; the dependency edge in package.json (and in any lockfile that resolved it) is the only trace.&lt;/p&gt;&lt;p&gt;When npm installs the compromised axios version, the plain-crypto-js package's postinstall hook executes an obfuscated JavaScript file called setup.js, which GTIG tracks as SILKBELL. This dropper uses a two-layer encoding scheme, reversed Base64 combined with an XOR cipher (key: "OrDeR_7077", constant: 333), to conceal its command-and-control (C2) URL and execution commands. It resolves the Node.js built-ins it needs (fs, os and child_process's execSync) at runtime rather than through static require calls, to evade static analysis.&lt;/p&gt;&lt;p&gt;After deploying the platform-specific payload, the dropper performs anti-forensic cleanup: it deletes itself, deletes the malicious package.json, and renames a clean stub file (package.md) to package.json, so a post-infection inspection of node_modules/plain-crypto-js shows a completely clean manifest. The dependency recorded in package-lock.json is therefore the more reliable indicator.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;What malware does the attack deliver?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;GTIG tracks the platform-specific payloads as WAVESHAPER.V2, an updated version of the WAVESHAPER backdoor previously attributed to UNC1069. 
WAVESHAPER.V2 variants exist for macOS (native C++ binary), Windows (PowerShell) and Linux (Python).&lt;/p&gt;&lt;p&gt;On &lt;strong&gt;macOS&lt;/strong&gt;, the dropper downloads a Mach-O binary to /Library/Caches/com.apple.act.mond, disguised as an Apple system cache file.&lt;/p&gt;&lt;p&gt;On &lt;strong&gt;Windows&lt;/strong&gt;, it copies the legitimate PowerShell executable to %PROGRAMDATA%\wt.exe (disguised as Windows Terminal) and uses a VBScript launcher to execute a downloaded PowerShell script with hidden execution and policy bypass flags. Windows persistence is achieved through a hidden batch file (%PROGRAMDATA%\system.bat) and a registry run key (HKCU:\Software\Microsoft\Windows\CurrentVersion\Run) named "MicrosoftUpdate."&lt;/p&gt;&lt;p&gt;On &lt;strong&gt;Linux&lt;/strong&gt;, a Python RAT is downloaded to /tmp/ld.py and launched via nohup.&lt;/p&gt;&lt;p&gt;Regardless of platform, WAVESHAPER.V2 beacons to the C2 server every 60 seconds using Base64-encoded JSON and a hardcoded User-Agent string spoofing Internet Explorer 8 on Windows XP. The backdoor supports commands including:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;kill (terminate)&lt;/li&gt;&lt;li&gt;rundir (filesystem enumeration)&lt;/li&gt;&lt;li&gt;runscript (execute AppleScript)&lt;/li&gt;&lt;li&gt;peinject (binary injection).&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;strong&gt;Who is behind this attack?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;GTIG &lt;a href="https://cloud.google.com/blog/topics/threat-intelligence/north-korea-threat-actor-targets-axios-npm-package"&gt;&lt;u&gt;attributed this activity&lt;/u&gt;&lt;/a&gt; to UNC1069, a financially motivated North Korea-nexus threat actor active since at least 2018. The group has previously been tracked as both CryptoCore and MASAN by ClearSky (2020) and GTIG (2025), respectively. 
The attribution is based on the use of WAVESHAPER.V2 (a direct evolution of the WAVESHAPER backdoor previously attributed to UNC1069), infrastructure overlaps (connections from a specific AstrillVPN node previously used by UNC1069) and adjacent infrastructure on the same ASN historically linked to UNC1069 operations.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;How quickly was the compromise detected?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;&lt;a href="https://socket.dev/blog/axios-npm-package-compromised"&gt;&lt;u&gt;Socket.dev's&lt;/u&gt;&lt;/a&gt; automated malware scanner flagged the malicious code within approximately six minutes of its first publication to npm (see the timeline below). Both malicious axios versions were removed from the npm registry approximately three hours after publication, so automated detection preceded removal by roughly three hours; that gap is the window a release-age cooldown (see the remediation section below) is designed to cover.&lt;/p&gt;&lt;div class="table-responsive"&gt;&lt;table class="table"&gt;&lt;thead&gt;&lt;tr&gt;&lt;th&gt;&lt;strong&gt;Time (UTC)&lt;/strong&gt;&lt;/th&gt;&lt;th&gt;&lt;strong&gt;Event&lt;/strong&gt;&lt;/th&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;March 30, 05:57&lt;/td&gt;&lt;td&gt;plain-crypto-js@4.2.0 (clean decoy) published&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;March 30, 23:59&lt;/td&gt;&lt;td&gt;plain-crypto-js@4.2.1 (malicious) published with postinstall hook&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;March 31, 00:05&lt;/td&gt;&lt;td&gt;Socket automated scanner detects compromise (~6 min after plain-crypto-js@4.2.1)&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;March 31, 00:21&lt;/td&gt;&lt;td&gt;axios@1.14.1 published&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;March 31, 01:00&lt;/td&gt;&lt;td&gt;axios@0.30.4 published&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;March 31, 01:50&lt;/td&gt;&lt;td&gt;Elastic Security Labs files GitHub Security Advisory to Axios repo&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;March 31, ~03:15&lt;/td&gt;&lt;td&gt;npm unpublishes both malicious axios versions&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;March 31, 03:25&lt;/td&gt;&lt;td&gt;npm initiates security hold on 
plain-crypto-js&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;March 31, 04:26&lt;/td&gt;&lt;td&gt;Security stub replaces malicious package&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/div&gt;&lt;p&gt;&lt;strong&gt;How widespread is the potential impact?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;With well over 100 million weekly downloads across both branches, the blast radius of a three-hour compromise window is significant. &lt;a href="https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan"&gt;&lt;u&gt;StepSecurity&lt;/u&gt;&lt;/a&gt; reported that its Harden-Runner tool detected anomalous C2 contact in over 12,000 projects. Hundreds of other npm packages depend on axios, amplifying the downstream exposure.&lt;/p&gt;&lt;p&gt;GTIG cautioned that "hundreds of thousands of stolen secrets could potentially be circulating" as a result of this and other recent supply chain attacks, potentially enabling further software supply chain compromises, SaaS environment breaches, ransomware events and cryptocurrency theft.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Are there indicators of compromise (IoCs)?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;Yes. GTIG published a comprehensive set of IoCs in its &lt;a href="https://cloud.google.com/blog/topics/threat-intelligence/north-korea-threat-actor-targets-axios-npm-package"&gt;&lt;u&gt;blog post&lt;/u&gt;&lt;/a&gt; and in a free &lt;a href="https://www.virustotal.com/gui/collection/c5adea0fa8aac14e6aabd8d3d4a1d19e4cd0eb76e679f2e9d3fed2a3170c09bb/summary"&gt;&lt;u&gt;GTI Collection&lt;/u&gt;&lt;/a&gt; for registered users; &lt;a href="https://socket.dev/blog/axios-npm-package-compromised"&gt;&lt;u&gt;Socket.dev&lt;/u&gt;&lt;/a&gt; has published its own set as well. 
Types of IoCs available include network indicators (C2 domain and IPs), file hashes (SHA256 for all platform-specific payloads and the dropper), file system artifacts by platform, YARA rules for retrospective hunting and Google Security Operations detection rules.&lt;/p&gt;&lt;p&gt;Key network indicators to block: sfrclak[.]com and 142.11.206.73 (port 8000).&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Is this related to other recent supply chain attacks?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;This attack is one of several recent open-source supply chain compromises attributed to North Korea-nexus actors. GTIG noted that UNC6780 (also known as TeamPCP) recently poisoned GitHub Actions and PyPI packages associated with projects like Trivy, Checkmarx, and LiteLLM to deploy the SANDCLOCK credential stealer and facilitate follow-on extortion operations. While UNC1069 and UNC6780 are tracked as separate threat actors, the pattern of North Korea-nexus groups targeting open-source package ecosystems represents a broader trend.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;What remediation steps are available?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;The malicious axios versions (1.14.1 and 0.30.4) have been removed from the npm registry. 
Developers and organizations that installed either version are advised to:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Downgrade to the last clean versions, axios@1.14.0 or axios@0.30.3, and pin them in the lockfile&lt;/li&gt;&lt;li&gt;Remove the phantom dependency, node_modules/plain-crypto-js/, and any entry for it in package-lock.json&lt;/li&gt;&lt;li&gt;Block C2 traffic to sfrclak[.]com and 142.11.206.73 (port 8000)&lt;/li&gt;&lt;li&gt;Treat affected systems as fully compromised: rotate all secrets and credentials, rebuild from clean snapshots&lt;/li&gt;&lt;li&gt;Audit CI/CD pipelines: ephemeral runners that installed the package require rotation of every secret they could reach; self-hosted runners should be treated as fully compromised&lt;/li&gt;&lt;li&gt;Search for file and persistence artifacts: /Library/Caches/com.apple.act.mond (macOS); %PROGRAMDATA%\wt.exe, %PROGRAMDATA%\system.bat and the "MicrosoftUpdate" value under HKCU:\Software\Microsoft\Windows\CurrentVersion\Run (Windows); /tmp/ld.py (Linux)&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;For long-term hardening, package managers now support version cooldown policies that prevent automatic installation of newly published versions. A cooldown does not verify a release; it buys time for scanners, maintainers and the registry to catch a bad one, which in this case took about three hours. Pair it with a committed lockfile and, where your dependencies allow it, ignore-scripts=true in .npmrc so that install hooks such as the one abused here never run. The cooldown settings are:&lt;/p&gt;&lt;div class="table-responsive"&gt;&lt;table class="table"&gt;&lt;thead&gt;&lt;tr&gt;&lt;th&gt;&lt;strong&gt;Package Manager&lt;/strong&gt;&lt;/th&gt;&lt;th&gt;&lt;strong&gt;Setting&lt;/strong&gt;&lt;/th&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;npm (v11.10.0+)&lt;/td&gt;&lt;td&gt;min-release-age=7d in .npmrc&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;pnpm (v10.16+)&lt;/td&gt;&lt;td&gt;minimum-release-age=7d&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Yarn (v4.10+)&lt;/td&gt;&lt;td&gt;npmMinimalAgeGate: "7d"&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Bun (v1.3+)&lt;/td&gt;&lt;td&gt;minimumReleaseAge = 604800 (seconds)&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/div&gt;&lt;p&gt;&lt;strong&gt;Has Tenable released any product coverage?&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;Yes, Tenable plugins that detect the &lt;a href="https://www.tenable.com/plugins/nessus/304406"&gt;&lt;u&gt;compromised axios npm package&lt;/u&gt;&lt;/a&gt; and the &lt;a href="https://www.tenable.com/plugins/nessus/304407"&gt;&lt;u&gt;malicious plain-crypto-js npm package&lt;/u&gt;&lt;/a&gt; are 
available.&lt;/p&gt;&lt;p&gt;Additionally, customers can utilize Tenable Attack Surface Management to identify public facing assets running Axios libraries by utilizing the filter &lt;em&gt;&lt;strong&gt;JavaScript Libraries contains Axios&lt;/strong&gt;&lt;/em&gt;&lt;/p&gt;&lt;img src="https://www.tenable.com/sites/default/files/inline/images/tenable-attack-surface-management-axios.png" data-entity-uuid="83769d10-a032-4923-ac83-bc8ac81951bd" data-entity-type="file" alt="Screenshot of the Tenable Attack Surface Management Explore interface showing a query filtered by &amp;quot;JavaScript Libraries contains Axios.&amp;quot;" width="1200" height="619" loading="lazy"&gt;&lt;p&gt;&lt;br&gt;&amp;nbsp;&lt;/p&gt;&lt;h3&gt;Get more information&lt;/h3&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="https://github.com/advisories/GHSA-fw8c-xr5c-95f9"&gt;&lt;u&gt;GitHub Advisory: GHSA-fw8c-xr5c-95f9&lt;/u&gt;&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="https://cloud.google.com/blog/topics/threat-intelligence/north-korea-threat-actor-targets-axios-npm-package"&gt;&lt;u&gt;Google Threat Intelligence: North Korea-Nexus Threat Actor Compromises Widely Used Axios NPM Package in Supply Chain Attack&lt;/u&gt;&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="https://snyk.io/blog/axios-npm-package-compromised-supply-chain-attack-delivers-cross-platform/"&gt;&lt;u&gt;Snyk: Axios npm Package Compromised in Supply Chain Attack&lt;/u&gt;&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="https://socket.dev/blog/axios-npm-package-compromised"&gt;&lt;u&gt;Socket: Axios npm Package Compromised&lt;/u&gt;&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan"&gt;&lt;u&gt;StepSecurity: Axios Compromised on npm&lt;/u&gt;&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;em&gt;&lt;strong&gt;Join&lt;/strong&gt;&lt;/em&gt; &lt;a 
href="https://connect.tenable.com/category/news-you-need/discussions/vulnerability-watch"&gt;&lt;em&gt;&lt;strong&gt;&lt;u&gt;Tenable's Research Special Operations (RSO) Team&lt;/u&gt;&lt;/strong&gt;&lt;/em&gt;&lt;/a&gt; &lt;em&gt;&lt;strong&gt;on Tenable Connect and engage with us in the&lt;/strong&gt;&lt;/em&gt; &lt;a href="https://connect.tenable.com/group/threat-roundtable"&gt;&lt;em&gt;&lt;strong&gt;&lt;u&gt;Threat Roundtable group&lt;/u&gt;&lt;/strong&gt;&lt;/em&gt;&lt;/a&gt; &lt;em&gt;&lt;strong&gt;for further discussions on the latest cyber threats.&lt;/strong&gt;&lt;/em&gt;&lt;/p&gt;&lt;p&gt;&lt;em&gt;&lt;strong&gt;Learn more about&lt;/strong&gt;&lt;/em&gt; &lt;a href="https://www.tenable.com/products/tenable-one"&gt;&lt;em&gt;&lt;strong&gt;&lt;u&gt;Tenable One&lt;/u&gt;&lt;/strong&gt;&lt;/em&gt;&lt;/a&gt;&lt;em&gt;&lt;strong&gt;, the Exposure Management Platform for the modern attack surface.&lt;/strong&gt;&lt;/em&gt;&lt;/p&gt;
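<![CDATA[
The provenance gap, the injected dependency and the release-age cooldown discussed in this FAQ can all be checked before a version is ever installed. The following is an added example, not Tenable's code and not part of the axios project: a Node.js pre-install policy check that reads an npm registry packument (the JSON the registry returns for a package name) and reports a candidate version that is younger than a minimum release age, carries no provenance attestation under dist.attestations, or declares dependencies absent from the previous release. The packument embedded here is a constructed sample that mirrors the registry's shape; the 1.14.0 publish date and the 02:00 UTC evaluation time are assumptions, and the semver comparison is a deliberately minimal one.

```javascript
// Added example, not Tenable's or the axios project's code: a pre-install
// policy check over an npm registry packument (the JSON that
// GET https://registry.npmjs.org/<package> returns). For a candidate version
// it reports (a) a release younger than a minimum release age, the same idea
// as the cooldown settings in the FAQ, (b) a missing provenance attestation
// under dist.attestations, the signal that separated the real axios releases
// from the forged ones, and (c) dependencies not present in the previous
// release. SAMPLE_PACKUMENT is a constructed stand-in with the real shape;
// the 1.14.1 timestamp comes from the FAQ timeline, the 1.14.0 date is assumed.

const SAMPLE_PACKUMENT = {
  name: "axios",
  "dist-tags": { latest: "1.14.1" },
  time: {
    "1.14.0": "2026-03-20T10:00:00.000Z", // assumed date for the example
    "1.14.1": "2026-03-31T00:21:00.000Z",
  },
  versions: {
    "1.14.0": {
      dependencies: { "follow-redirects": "^1.15.6", "form-data": "^4.0.4", "proxy-from-env": "^1.1.0" },
      dist: {
        attestations: {
          url: "https://registry.npmjs.org/-/npm/v1/attestations/axios@1.14.0",
          provenance: { predicateType: "https://slsa.dev/provenance/v1" },
        },
      },
    },
    "1.14.1": {
      dependencies: { "follow-redirects": "^1.15.6", "form-data": "^4.0.4", "proxy-from-env": "^1.1.0", "plain-crypto-js": "^4.2.1" },
      dist: {}, // published with a classic token, so no attestation at all
    },
  },
};

// Compare two "major.minor.patch" strings numerically; pre-release tags are
// ignored, which is enough for this example but is not a full semver implementation.
function compareSemver(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// Highest published version that sorts below `version`, or null if none.
function previousVersion(packument, version) {
  const older = Object.keys(packument.versions)
    .filter((v) => compareSemver(v, version) < 0)
    .sort(compareSemver);
  return older.length ? older[older.length - 1] : null;
}

// Returns human-readable findings; an empty list means every check passed.
function checkRelease(packument, version, { now, minReleaseAgeDays }) {
  const meta = packument.versions[version];
  if (!meta) throw new Error(`${packument.name}@${version} is not in the packument`);
  const findings = [];

  // (a) release age gate
  const ageDays = (now.getTime() - Date.parse(packument.time[version])) / 86400000;
  if (ageDays < minReleaseAgeDays) {
    findings.push(`published ${ageDays.toFixed(2)} days ago, under the ${minReleaseAgeDays}-day minimum`);
  }

  // (b) provenance attestation: absent entirely on the forged releases
  const attestations = meta.dist && meta.dist.attestations;
  if (!attestations || !attestations.provenance) {
    findings.push("no provenance attestation in dist.attestations");
  }

  // (c) dependency diff against the previous release
  const prev = previousVersion(packument, version);
  if (prev) {
    const before = new Set(Object.keys(packument.versions[prev].dependencies || {}));
    const added = Object.keys(meta.dependencies || {}).filter((d) => !before.has(d));
    if (added.length) findings.push(`new dependencies since ${prev}: ${added.join(", ")}`);
  }
  return findings;
}

// Evaluate both sample releases as of 02:00 UTC on March 31 (assumed time).
const AS_OF = new Date("2026-03-31T02:00:00Z");
for (const v of ["1.14.0", "1.14.1"]) {
  const findings = checkRelease(SAMPLE_PACKUMENT, v, { now: AS_OF, minReleaseAgeDays: 7 });
  console.log(`axios@${v}: ${findings.length ? findings.join("; ") : "ok"}`);
}
```

To run it against the live registry, replace SAMPLE_PACKUMENT with the parsed response for https://registry.npmjs.org/axios. The three checks are independent, so a team can adopt the attestation check alone first; on this incident it would have flagged both forged releases, which carried no attestation at all.
]]>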
&lt;img src="https://www.tenable.com/sites/default/files/images/articles/Axios%20npm%20Supply%20Chain%20Attack%20-%20UNC1069%20FAQ.png"&gt;
</description>
  <pubDate>Wed, 01 Apr 2026 16:11:28 -0400</pubDate>
    <dc:creator>Research Special Operations</dc:creator>
    <guid isPermaLink="true">https://www.tenable.com/210824</guid>
    </item>
<item>
  <title>Supply chain attack on Axios npm package: Scope, impact, and remediations</title>
  <link>https://www.tenable.com/blog/supply-chain-attack-on-axios-npm-package-scope-impact-and-remediations</link>
  <description>&lt;p&gt;The Axios npm package has been compromised in a supply chain attack that uploaded new versions of the package containing malicious code. Any environment that downloaded these compromised Axios versions is at risk of severe data theft, including the loss of credentials and API keys. Scan your environment now.&amp;nbsp;&lt;/p&gt;&lt;div class="blog-see-also"&gt;&lt;div class="col-sm-12"&gt;&lt;h2&gt;Key takeaways&lt;/h2&gt;&lt;ol&gt;&lt;li&gt;This incident is a confirmed supply chain attack. The presence of malicious Axios versions (1.14.1 or 0.30.4) signifies a confirmed security breach rather than a potential risk. Organizations must move beyond “patching” and initiate full incident response playbooks for any host where these packages are detected.&lt;br&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;If affected, organizations must immediately quarantine hosts, apply incident response playbooks, and rotate all exposed secrets. In the last supply chain attacks we observed, attackers were very quick to abuse any exposed secrets, credentials, or API keys, usually abusing them a couple of hours after leakage. This highlights how short the window is for response for defenders.&lt;br&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;Because these attacks will keep happening, passive defense is insufficient. 
Organizations must implement strict security measures — such as minimum package age policies, pinning dependencies, auditing lockfiles, and actively scanning environments — to protect against the next inevitable supply chain compromise.&lt;/li&gt;&lt;/ol&gt;&lt;/div&gt;&lt;/div&gt;&lt;h2&gt;Introduction: Axios supply chain compromise&amp;nbsp;&lt;/h2&gt;&lt;p&gt;A critical software supply chain attack compromised “Axios,” a highly popular npm package with over 100 million weekly downloads, commonly used as a promise-based HTTP client for the browser and Node.js.&amp;nbsp;&lt;/p&gt;&lt;p&gt;Attackers successfully hijacked a maintainer account and embedded a hidden, malicious dependency into two newly published versions of Axios. The attacker injected a malicious package called “plain-crypto-js” into the dependency tree of the Axios package. The package “plain-crypto-js” utilized a postinstall script to execute a remote access trojan (RAT) dropper during the installation process.&lt;/p&gt;&lt;p&gt;Because the embedded malware executes immediately upon installation of this highly popular NPM package, the scope of this breach is potentially massive. 
&lt;strong&gt;Any environment that downloaded these compromised versions of Axios is at risk of severe data theft, including the loss of credentials and API keys.&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;For additional information on this compromise, see our follow-up blog: &lt;a href="https://www.tenable.com/blog/faq-about-the-axios-npm-supply-chain-attack-by-north-korea-nexus-threat-actor-unc1069" target="_blank"&gt;Axios npm Supply Chain Attack by North Korea-Nexus Threat Actor UNC1069&lt;/a&gt;.&amp;nbsp;&lt;/p&gt;&lt;p&gt;See how recent supply chain attacks are creating a &lt;a href="https://www.tenable.com/blog/the-developer-credential-economy-exposure-data-is-the-new-front-line-in-the-supply-chain-war" target="_blank"&gt;black market for highly privileged developer credentials&lt;/a&gt;.&lt;/p&gt;&lt;h2&gt;Frequently asked questions (FAQs) about the Axios supply chain attack&lt;/h2&gt;&lt;h3&gt;When was the Axios npm package first compromised?&lt;/h3&gt;&lt;p&gt;The malicious versions of Axios were uploaded within the first hour of March 31, 2026 (UTC) and remained on the registry for roughly three hours before they were removed.&lt;/p&gt;&lt;h3&gt;What happened? What did threat actors do?&amp;nbsp;&lt;/h3&gt;&lt;p&gt;Attackers hijacked the npm account of Axios’s lead maintainer and published two malicious versions of the Axios package: version “1.14.1” and version “0.30.4”.&lt;/p&gt;&lt;p&gt;Rather than altering Axios’s source code, they added “plain-crypto-js@4.2.1” as a dependency for the Axios package.&lt;/p&gt;&lt;p&gt;Installing “plain-crypto-js” automatically executes a double-obfuscated Node.js dropper (setup.js) using npm’s postinstall lifecycle hook. “postinstall” hooks run arbitrary code on the installing machine as part of npm install, with the privileges and environment of the user running the install. 
This is a very common technique used by malicious npm packages that we expect to see more and more in the future.&lt;/p&gt;&lt;p&gt;Analysis of the deobfuscated dropper shows that it identifies the victim’s host operating system and reaches out to the attacker’s command and control (C2) server (sfrclak[.]com:8000) to pull a second-stage payload.&lt;/p&gt;&lt;p&gt;The second-stage payload is a RAT tailored to the OS, with variants for macOS, Windows and Linux.&lt;/p&gt;&lt;h3&gt;Has the Axios developer addressed this issue?&lt;/h3&gt;&lt;p&gt;All of the malicious versions of Axios have been removed from the public registry. It is now safe to install the current versions of Axios.&lt;/p&gt;&lt;h3&gt;How can I tell if I’m running malicious versions of Axios?&amp;nbsp;&lt;/h3&gt;&lt;p&gt;To determine if you are affected, scan your environment for the presence of the malicious versions of the affected packages. Look specifically for versions 1.14.1 and 0.30.4 and these other indicators of compromise (IOCs):&lt;/p&gt;&lt;div class="table-responsive"&gt;&lt;table class="table"&gt;&lt;thead&gt;&lt;tr&gt;&lt;th&gt;&lt;strong&gt;Name&lt;/strong&gt;&lt;/th&gt;&lt;th&gt;&lt;strong&gt;IOC&lt;/strong&gt;&lt;/th&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;Infected package&lt;/td&gt;&lt;td&gt;Name: “axios”&lt;br&gt;Version: “1.14.1”&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Infected package&lt;/td&gt;&lt;td&gt;Name: “axios”&lt;br&gt;Version: “0.30.4”&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Malicious package&lt;/td&gt;&lt;td&gt;Name: “plain-crypto-js”&lt;br&gt;Version: all&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;SHA256 of the JavaScript dropper “setup.js”&lt;/td&gt;&lt;td&gt;e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Attacker C2 domain&lt;/td&gt;&lt;td&gt;sfrclak[.]com&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/div&gt;&lt;p&gt;The presence of the malicious versions on a filesystem most likely means they were installed with the npm package manager, which ran the plain-crypto-js postinstall hook and therefore infected that host.&amp;nbsp;&lt;/p&gt;&lt;p&gt;That’s why you should treat any system where you find malicious versions of Axios as fully compromised and immediately implement relevant incident response and containment playbooks.&lt;/p&gt;&lt;h3&gt;How can Tenable help me address the supply chain attack on the Axios npm package?&amp;nbsp;&lt;/h3&gt;&lt;p&gt;&lt;a href="https://www.tenable.com/products/tenable-one" target="_blank"&gt;Tenable One&lt;/a&gt; continuously, automatically, and proactively detects the malicious versions of Axios across both on-premises and cloud environments.&lt;/p&gt;&lt;p&gt;&lt;a href="https://www.tenable.com/products/nessus" target="_blank"&gt;Tenable Nessus&lt;/a&gt; and &lt;a href="https://www.tenable.com/cloud-security/products/cnapp" target="_blank"&gt;Tenable Cloud Security&lt;/a&gt;, both part of the Tenable One Exposure Management platform, continuously monitor for new indicators of compromise (IOCs) and track research associated with this evolving campaign.&lt;/p&gt;&lt;p&gt;A list of Tenable plugins to identify the malicious package will appear here as soon as they're 
released:&lt;/p&gt;&lt;div&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="https://www.tenable.com/plugins/nessus/304406"&gt;axios&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="https://www.tenable.com/plugins/nessus/304407"&gt;plain-crypto-js&lt;/a&gt;&amp;nbsp;&amp;nbsp;&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;&lt;p&gt;Tenable Cloud Security classifies affected packages as malicious. Detected packages will appear in your Tenable console environment the next time data is synced.&lt;/p&gt;&lt;p&gt;For more information on remediations, see our follow-up blog: &lt;a href="https://www.tenable.com/blog/faq-about-the-axios-npm-supply-chain-attack-by-north-korea-nexus-threat-actor-unc1069" target="_blank"&gt;Axios npm Supply Chain Attack by North Korea-Nexus Threat Actor UNC1069&lt;/a&gt;.&amp;nbsp;&lt;/p&gt;&lt;h2&gt;Conclusion&lt;/h2&gt;&lt;p&gt;This security incident affecting the Axios npm package is a critical reminder that massive software supply chain attacks remain a recurring threat. Threat actors continuously exploit the trust in open source ecosystems to get around organizations’ traditional, perimeter-based security controls and deliver malicious software at scale.&lt;/p&gt;
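<![CDATA[
The advice above to audit lockfiles and to scan your environment for the malicious versions can be turned into a concrete check. The following is an added example, not Tenable's code: a Node.js triage script that walks a package-lock.json, in either the lockfileVersion 1 nested layout or the lockfileVersion 2/3 "packages" map, and reports the compromised axios releases, any occurrence of plain-crypto-js, any package that declares it as a dependency, and, at a lower severity, every package that runs install scripts, since a postinstall hook was the execution vector here. It reads the lockfile rather than node_modules because, as the companion FAQ notes, the dropper replaces the package's own manifest with a clean stub after it runs. The two lockfiles embedded below are constructed samples, not real projects.

```javascript
// Added example, not Tenable's code: triage of an npm lockfile for the
// compromised axios releases and for plain-crypto-js. Handles both lockfile
// layouts: lockfileVersion 2/3 (flat "packages" map keyed by path) and
// lockfileVersion 1 (nested "dependencies" tree). SAMPLE_LOCK_V3 and
// SAMPLE_LOCK_V1 are constructed samples, not real projects.

const KNOWN_BAD_VERSIONS = { axios: new Set(["1.14.1", "0.30.4"]) };
const MALICIOUS_PACKAGES = new Set(["plain-crypto-js"]); // malicious at every version

const SAMPLE_LOCK_V3 = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { axios: "^1.14.0", esbuild: "^0.21.5" } },
    "node_modules/axios": {
      version: "1.14.1",
      dependencies: { "follow-redirects": "^1.15.6", "form-data": "^4.0.4", "proxy-from-env": "^1.1.0", "plain-crypto-js": "^4.2.1" },
    },
    "node_modules/plain-crypto-js": { version: "4.2.1", hasInstallScript: true },
    "node_modules/follow-redirects": { version: "1.15.9" },
    "node_modules/esbuild": { version: "0.21.5", hasInstallScript: true }, // benign, but runs a postinstall
  },
};

const SAMPLE_LOCK_V1 = {
  name: "legacy-app",
  lockfileVersion: 1,
  dependencies: {
    axios: { version: "1.14.0", requires: { "follow-redirects": "^1.15.6" }, dependencies: { "follow-redirects": { version: "1.15.9" } } },
  },
};

// Package name is everything after the last "node_modules/" (scopes kept).
function packageNameFromPath(p) {
  const i = p.lastIndexOf("node_modules/");
  return i === -1 ? p : p.slice(i + "node_modules/".length);
}

// Yield {path, name, version, deps, hasInstallScript} for every installed package.
function* walkLockfile(lock) {
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === "") continue; // the root project itself
      yield {
        path,
        name: entry.name || packageNameFromPath(path),
        version: entry.version,
        deps: Object.keys(entry.dependencies || {}),
        hasInstallScript: Boolean(entry.hasInstallScript),
      };
    }
  } else if (lock.dependencies) {
    yield* walkV1(lock.dependencies, "node_modules/");
  }
}

function* walkV1(tree, prefix) {
  for (const [name, entry] of Object.entries(tree)) {
    const path = prefix + name;
    // v1 lockfiles carry no install-script flag, so that signal is unavailable here
    yield { path, name, version: entry.version, deps: Object.keys(entry.requires || {}), hasInstallScript: false };
    if (entry.dependencies) yield* walkV1(entry.dependencies, path + "/node_modules/");
  }
}

function triageLockfile(lock) {
  const findings = [];
  for (const pkg of walkLockfile(lock)) {
    const bad = KNOWN_BAD_VERSIONS[pkg.name];
    if (bad && bad.has(pkg.version)) {
      findings.push({ severity: "critical", path: pkg.path, reason: `${pkg.name}@${pkg.version} is a known-malicious release` });
    }
    if (MALICIOUS_PACKAGES.has(pkg.name)) {
      findings.push({ severity: "critical", path: pkg.path, reason: `${pkg.name} is malicious at every version` });
    }
    for (const dep of pkg.deps.filter((d) => MALICIOUS_PACKAGES.has(d))) {
      findings.push({ severity: "critical", path: pkg.path, reason: `${pkg.name}@${pkg.version} declares ${dep} as a dependency` });
    }
    // Install scripts are the execution vector in this incident; list them for review.
    if (pkg.hasInstallScript && !MALICIOUS_PACKAGES.has(pkg.name)) {
      findings.push({ severity: "review", path: pkg.path, reason: `${pkg.name}@${pkg.version} runs install scripts` });
    }
  }
  return findings;
}

// Count findings by severity, which is what a CI gate would act on.
function summarize(findings) {
  return findings.reduce((acc, f) => ({ ...acc, [f.severity]: (acc[f.severity] || 0) + 1 }), {});
}

for (const lock of [SAMPLE_LOCK_V3, SAMPLE_LOCK_V1]) {
  const findings = triageLockfile(lock);
  console.log(`${lock.name}: ${JSON.stringify(summarize(findings))}`);
  for (const f of findings) console.log(`  [${f.severity}] ${f.path}: ${f.reason}`);
}
```

For a real project, pass JSON.parse(require("fs").readFileSync("package-lock.json", "utf8")) to triageLockfile; a quick manual equivalent for the phantom dependency is npm ls plain-crypto-js. A "critical" finding means the lockfile resolved a malicious package, so every host that ran npm install from it with scripts enabled should enter the incident response playbook described above rather than receive a dependency update.
]]>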
&lt;img src="https://www.tenable.com/sites/default/files/images/articles/Tenable%20Research%20Axios%20npm%20package%20supply%20chain%20attack.png"&gt;
</description>
  <pubDate>Tue, 31 Mar 2026 14:20:00 -0400</pubDate>
    <dc:creator>Ron Popov</dc:creator>
    <guid isPermaLink="true">https://www.tenable.com/210820</guid>
    </item>

  </channel>
</rss>
