APJ Ransomware, Axios NPM Hijack, and AI Privacy Nightmares

This week on Dragon News Bytes, Eli Woodward and Will Baxter are joined by Ben Archie to break down a high-velocity week of supply chain compromises and surging regional threats. We cover the explosive growth of ransomware in the APJ region, the North Korean state-actor hijack of the Axios NPM package, and the TrueConf zero-day exposing Southeast Asian governments. Plus, we discuss how the recent Anthropic Claude code leak could weaponize package management and the frightening implications of AI on personal data extortion.Topics & References:Part 1: The APJ Threat Landscape & TrueConf Zero-DayRansomware Surge: APJ is currently the fastest-growing region for ransomware, marking a 59% year-on-year increase and accounting for 64% of global incidents.Healthcare Under Fire: The Dragonforce ransomware group recently claimed a breach of the Australian health management system, underscoring massive third-party risks across the country's health sector.TrueConf Zero-Day (CVE-2026-3502): A critical vulnerability in video conferencing software is being abused to compromise on-prem servers and push Havoc malware to connected endpoints. This supply chain attack heavily targets Southeast Asian government networks and was recently added to the CISA KEV catalog.Part 2: Supply Chain Nightmares & The Axios CompromiseThe Axios NPM Hijack: Attackers compromised the NPM publishing account of Axios' lead maintainer, releasing two malicious legacy versions (1.14.1 and 0.30.40). The threat actors injected a phantom runtime dependency without altering the source code, and the packages remained live for roughly two to three hours before NPM yanked them.Attribution: Microsoft has attributed the Axios NPM compromise infrastructure to Sapphire Sleet, a known North Korean state actor.Shiny Hunters Target Cisco: The group claims to have breached Cisco’s internal development environment using credentials stolen during the Trivy GitHub compromise. They allege the theft of AWS keys and over three million Salesforce records, setting an extortion deadline of April 3.Part 3: Threat Actor Drama & AI Privacy RisksRansomware Soap Opera: Threat groups like Team PCP and The Comm are engaging in public trash-talk, echoing previous incidents where The Comm publicly dumped an Oracle EBS zero-day to humiliate Klopp.Anthropic Claude Code Leak: The team discusses how leaked source code could lower the barrier to entry for attackers, allowing them to better understand package management prioritization and weaponize AI models for supply chain attacks.Handala Hack & AI Extortion: Iranian activist group Handala breached the personal email of FBI Director Kash Patel. This sparks a broader discussion on the future of personal extortion, warning that attackers could soon use LLMs to scrape and weaponize the intimate, sensitive data users dump into AI mental health and companion apps.Events & Community:RISE Ireland: April 14 -25 in Dublin, Ireland🔗 to register: https://go.team-cymru.com/rise-irelandRISEx Sydney: May 6 in Sydney, Australia🔗 to register: https://www.team-cymru.com/events/rise-sydney-2026RISEx Frankfurt: May 28th in Frankfurt, Germany🔗 to register: https://www.team-cymru.com/events/rise-frankfurt-2026RISEx New York: June 16 in New York City, US🔗 to register: https://www.team-cymru.com/events/rise-new-york-city-2026Underground Economy: September 7th -9th in Strasbourg, FranceTo be hosted at the Council of Europe, expecting 600-700 attendees. FirstCon26 (Denver): Eli Woodward will be presenting two sessions.🔗 to register: https://www.first.org/conference/2026/registration-options Connect with Us:Follow us on LinkedIn: https://www.linkedin.com/company/team-cymruSubscribe to the Dragon News Bytes feed: https://www.team-cymru.com/dnbDisclaimer: The views expressed in this podcast are those of the hosts and do not necessarily reflect the official policy or position of our employers.