Security Check-in Quick Hits: Hyperbridge Bridge Exploit, Supply Chain Warnings, and Evolving Device Code Phishing
For April 13, 2026
Hyperbridge Ethereum Gateway Exploit Allows Unauthorized Minting of 1 Billion DOT Tokens
In the early hours of April 13, 2026, a significant exploit targeted the Hyperbridge gateway contract on Ethereum, specifically affecting bridged Polkadot (DOT) tokens. An attacker forged a malicious proof to bypass the Merkle tree verifier, gaining unauthorized admin control over the DOT token contract. This enabled the minting of approximately 1 billion fake DOT tokens, which were immediately dumped into liquidity pools in a single transaction, draining roughly 108.2 ETH (valued at around $237,000–$240,000 at the time).
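To make the failure mode concrete, the following added example (illustrative code, not Hyperbridge's verifier or any audited bridge contract) implements a minimal Merkle inclusion-proof check with leaf/node domain separation and shows the two properties a bridge verifier must hold: a tampered leaf must not reproduce the trusted root, and the root itself must come from state the verifier already trusts rather than from the party submitting the proof. The hash construction, leaf contents and the "mint authorisation" framing are assumptions for the demo.

```python
"""Added example (not Hyperbridge's code): a minimal Merkle inclusion-proof
verifier with leaf/node domain separation. It shows why a proof must be checked
against a root the verifier already trusts and why a tampered leaf must fail."""
import hashlib

LEAF_PREFIX = b"\x00"   # RFC 6962-style domain separation: a leaf hash can never
NODE_PREFIX = b"\x01"   # be replayed as an internal node (second-preimage defence)


def hash_leaf(data: bytes) -> bytes:
    return hashlib.sha256(LEAF_PREFIX + data).digest()


def hash_node(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(NODE_PREFIX + left + right).digest()


def build_tree(leaves):
    """Return all levels bottom-up; levels[-1][0] is the root.
    An odd-length level is padded by duplicating its last hash."""
    level = [hash_leaf(leaf) for leaf in leaves]
    levels = [level]
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]
        level = [hash_node(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def make_proof(levels, index):
    """Sibling path for the leaf at `index`: list of (sibling_hash, sibling_is_left)."""
    proof = []
    for level in levels[:-1]:
        if len(level) % 2:
            level = level + [level[-1]]
        sibling = index ^ 1
        proof.append((level[sibling], sibling < index))
        index //= 2
    return proof


def verify_proof(trusted_root: bytes, leaf_data: bytes, proof) -> bool:
    """Recompute the root from the leaf and its siblings. `trusted_root` MUST come
    from state the verifier trusts (e.g. finalized consensus), never from the
    prover; otherwise any leaf can be 'proven' against a root of the prover's choosing."""
    node = hash_leaf(leaf_data)
    for sibling, sibling_is_left in proof:
        node = hash_node(sibling, node) if sibling_is_left else hash_node(node, sibling)
    return node == trusted_root


# Constructed sample: three hypothetical mint authorisations committed to by a trusted root.
AUTHORISED_MINTS = [b"mint:alice:100", b"mint:bob:250", b"mint:carol:7"]


def demo():
    levels = build_tree(AUTHORISED_MINTS)
    trusted_root = levels[-1][0]
    proof = make_proof(levels, 1)                                   # proof for bob's 250
    genuine = verify_proof(trusted_root, b"mint:bob:250", proof)    # True
    # Same sibling path, inflated amount: the recomputed root no longer matches.
    forged_leaf = verify_proof(trusted_root, b"mint:bob:1000000000", proof)   # False
    # A prover who is allowed to supply the root can 'prove' anything...
    attacker_levels = build_tree([b"mint:attacker:1000000000"])
    attacker_root = attacker_levels[-1][0]
    attacker_proof = make_proof(attacker_levels, 0)
    self_served = verify_proof(attacker_root, b"mint:attacker:1000000000", attacker_proof)   # True
    # ...which is exactly why the verifier must only accept the trusted root.
    against_trusted = verify_proof(trusted_root, b"mint:attacker:1000000000", attacker_proof)  # False
    return genuine, forged_leaf, self_served, against_trusted


if __name__ == "__main__":
    print(demo())   # (True, False, True, False)
```

The design point is the third and fourth results: the cryptography does nothing if the contract takes the root (or the verifier address) from untrusted input, so audits of bridge gateways should trace where the root originates and who can change it, not only whether the hash arithmetic is correct.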
Official responses were swift. Polkadot confirmed the issue was isolated to Hyperbridge-bridged DOT on Ethereum and did not impact the native Polkadot ecosystem, parachains, or DOT bridged through other providers. Hyperbridge was paused pending investigation and upgrades. Venus Protocol, a major DeFi platform, proactively paused DOT supply/borrowing, set the collateral factor to zero, and removed the DOT market from certain wallets as a precaution—though users can still repay or withdraw directly.
The incident highlights a recurring vulnerability in third-party bridging infrastructure for wrapped or bridged assets. Commentators noted the irony: Hyperbridge had posted an April Fools’ joke about an exploit just 12 days earlier. THORChain emphasized the broader lesson—native asset movement without third-party minting or wrapping reduces such risks. DOT’s price dipped about 4% in response.
This event serves as a stark reminder for DeFi users and protocols: bridge security remains a weak link. Projects should prioritize audited, minimized-trust designs, while users are advised to monitor bridged asset liquidity and official announcements closely. Investigations continue, with updates expected from Hyperbridge, Polkadot, and security firms like PeckShield and CertiK.
Supply Chain Attacks Continue to Target Open-Source Libraries and Security Tools
Supply chain compromises remain a top concern, with multiple recent incidents underscoring risks in widely used open-source components and security tooling. High-profile examples circulating in the last day include the Axios npm package hijack (late March 2026), where malicious actors stole maintainer credentials and pushed compromised versions delivering a cross-platform RAT to millions of downstream developers and applications.
Ongoing campaigns have also abused Aqua Security’s Trivy scanner by poisoning Docker images and GitHub repositories, leading to source code exfiltration from environments like Cisco’s internal dev setup. Weekly threat recaps further highlight AI-themed lures, evolving infostealers (such as STX RAT, Lumma, and Remus), and MaaS (Malware-as-a-Service) operations alongside ransomware groups.
These attacks exploit trust in popular dependencies and scanning tools, allowing lateral movement into enterprise environments with minimal detection. The Axios case alone exposed apps across Windows, macOS, and Linux due to its massive download volume. Organizations are urged to implement strict dependency scanning, SBOM (Software Bill of Materials) tracking, and rapid credential rotation where compromises are suspected.
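As an added example of the lockfile-level checks recommended above (not code from the brief or from any of the projects it names), the Python below audits an npm package-lock.json for the red flags a compromised dependency tends to leave: entries with no integrity pin, tarballs resolved from a non-registry or plaintext source, and versions that appear on an advisory blocklist. It also verifies a downloaded tarball against the lockfile's SRI hash. The lockfile, package names, tarball bytes and blocklist are all constructed for the demo.

```python
"""Added example (not from the brief or any named project): audit an npm
package-lock.json for supply-chain red flags and verify a tarball against its
SRI hash. Lockfile contents, package names and the blocklist are constructed."""
import base64
import hashlib
import json
from urllib.parse import urlparse

TRUSTED_REGISTRIES = {"registry.npmjs.org"}


def sri_sha512(data: bytes) -> str:
    """Subresource-Integrity string in the form npm stores under `integrity`."""
    return "sha512-" + base64.b64encode(hashlib.sha512(data).digest()).decode()


def verify_tarball(entry: dict, tarball: bytes) -> bool:
    """True only if the tarball matches the sha512 SRI hash pinned in the lockfile."""
    integrity = entry.get("integrity", "")
    return integrity.startswith("sha512-") and sri_sha512(tarball) == integrity


# Constructed bytes standing in for a real downloaded tarball.
FAST_PARSE_TARBALL = b"\x1f\x8b constructed tarball bytes for fast-parse 2.1.0"

# Constructed lockfile (lockfileVersion 3 layout). All package names are fictitious.
LOCKFILE = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/fast-parse": {                      # clean entry
            "version": "2.1.0",
            "resolved": "https://registry.npmjs.org/fast-parse/-/fast-parse-2.1.0.tgz",
            "integrity": sri_sha512(FAST_PARSE_TARBALL)},
        "node_modules/left-widget": {                     # no integrity field at all
            "version": "4.0.1",
            "resolved": "https://registry.npmjs.org/left-widget/-/left-widget-4.0.1.tgz"},
        "node_modules/color-util": {                      # unvetted mirror over plaintext http
            "version": "1.0.0",
            "resolved": "http://mirror.example.internal/color-util-1.0.0.tgz",
            "integrity": "sha512-AAAA"},
        "node_modules/left-widget/node_modules/tiny-log": {   # nested dep on a blocked version
            "version": "0.9.0",
            "resolved": "https://registry.npmjs.org/tiny-log/-/tiny-log-0.9.0.tgz",
            "integrity": "sha512-BBBB"},
    },
})

# Placeholder for (name, version) pairs taken from a vendor or CERT advisory.
BLOCKED_VERSIONS = frozenset({("tiny-log", "0.9.0")})


def audit_lockfile(lock_text: str, blocked=frozenset(), trusted_hosts=TRUSTED_REGISTRIES):
    """Return (package, version, reason) findings for every dependency entry."""
    lock = json.loads(lock_text)
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":                                   # the root project itself
            continue
        name = path.rsplit("node_modules/", 1)[-1]       # handles nested and @scoped paths
        version = meta.get("version", "?")
        if (name, version) in blocked:
            findings.append((name, version, "version listed in advisory blocklist"))
        if not meta.get("integrity", "").startswith("sha512-"):
            findings.append((name, version, "missing or non-sha512 integrity pin"))
        resolved = meta.get("resolved")
        if resolved is None:
            findings.append((name, version, "no resolved URL"))
        else:
            url = urlparse(resolved)
            if url.scheme != "https" or url.hostname not in trusted_hosts:
                findings.append((name, version, f"fetched from untrusted source {resolved}"))
    return findings


if __name__ == "__main__":
    for finding in audit_lockfile(LOCKFILE, BLOCKED_VERSIONS):
        print(*finding)
```

Run it in CI before `npm ci`; a clean lockfile plus `npm ci` (which refuses tarballs whose hash differs from the pin) closes the window in which a hijacked package version can slip in silently, although it does not help when the pin itself was taken from a poisoned publish, which is what the advisory blocklist is for.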
The pattern shows no signs of slowing: threat actors increasingly target the software supply chain as a high-yield vector. Security teams should treat open-source updates with heightened scrutiny and prioritize tools that verify package integrity at every stage.
Device Code Phishing Surges as Attackers Bypass MFA and Traditional Auth Controls
A notable rise in device code phishing has been documented, with detections of phishing pages increasing dramatically—up to 37.5-fold in recent tracking periods. This technique abuses OAuth 2.0 Device Authorization Grant flows to steal access tokens without needing passwords or real-time MFA interaction.
Threat actors, including groups tracked as Storm-2372 and variants of Scattered Lapsus Hunters, leverage kits like EvilTokens (a Phishing-as-a-Service tool launched in February 2026). These kits use redirects through trusted domains, anti-bot evasion, and pop-up interfaces that prompt victims to enter device codes on legitimate login pages (e.g., Microsoft, Google, Salesforce). Modern variants poll for fresh codes, extending the attack window and scaling operations.
The method is particularly dangerous because it occurs on genuine service domains, evading many URL-based defenses, and works against phishing-resistant setups like passkeys. Targeted sectors include SaaS platforms, cloud services, and transport/logistics. Related TTPs include adversary-in-the-middle (AiTM) phishing, ClickFix, and tools such as Squarephish.
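Because the phishing page lives on the provider's own domain, the practical detection surface is the sign-in log rather than the URL. The added example below (not from the brief; the event schema and every event are constructed, and the assumption that the logged IP is the client that redeems the device code, i.e. the attacker's poller rather than the victim's browser, should be checked against your IdP's documentation) applies two heuristics to a batch of sign-in events: a device-code sign-in from an IP the user has never used for an interactive sign-in, and a single IP redeeming device codes for several users in a short window, which is what a kit polling for fresh codes looks like.

```python
"""Added example (not from the brief): flag device-code sign-ins worth a look
in a batch of sign-in events. The event schema and all events are constructed;
map the field names onto your IdP's sign-in log before use."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events. IPs are from the RFC 5737 documentation ranges.
EVENTS = [
    {"ts": "2026-04-13T08:00:00", "user": "alice", "ip": "203.0.113.10", "auth_protocol": "password",   "result": "success"},
    {"ts": "2026-04-13T08:05:00", "user": "alice", "ip": "203.0.113.10", "auth_protocol": "deviceCode", "result": "success"},
    {"ts": "2026-04-13T08:30:00", "user": "bob",   "ip": "203.0.113.11", "auth_protocol": "password",   "result": "success"},
    {"ts": "2026-04-13T09:10:00", "user": "bob",   "ip": "198.51.100.7", "auth_protocol": "deviceCode", "result": "success"},
    {"ts": "2026-04-13T09:12:00", "user": "carol", "ip": "198.51.100.7", "auth_protocol": "deviceCode", "result": "success"},
    {"ts": "2026-04-13T09:13:00", "user": "dave",  "ip": "198.51.100.7", "auth_protocol": "deviceCode", "result": "failure"},
    {"ts": "2026-04-13T09:15:00", "user": "dave",  "ip": "198.51.100.7", "auth_protocol": "deviceCode", "result": "success"},
]


def find_suspicious_device_code_signins(events, burst_window=timedelta(hours=1), burst_users=3):
    """Two heuristics, both keyed on the IP that redeemed the device code
    (assumed here to be the polling client, which in a phish is the attacker's):
      1. redemption IP never seen in that user's successful interactive sign-ins;
      2. one IP redeeming codes for >= burst_users distinct users within burst_window."""
    alerts = []
    known_ips = defaultdict(set)       # user -> IPs seen on successful non-device-code sign-ins
    redemptions = defaultdict(list)    # ip -> [(time, user)] for successful device-code sign-ins
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] != "success":
            continue
        ts = datetime.fromisoformat(e["ts"])
        if e["auth_protocol"] != "deviceCode":
            known_ips[e["user"]].add(e["ip"])
            continue
        if e["ip"] not in known_ips[e["user"]]:
            alerts.append((e["ts"], e["user"],
                           "device code redeemed from an IP with no prior interactive sign-in for this user"))
        redemptions[e["ip"]].append((ts, e["user"]))
        recent_users = {u for t, u in redemptions[e["ip"]] if ts - t <= burst_window}
        if len(recent_users) == burst_users:   # fire once, when the threshold is first crossed
            alerts.append((e["ts"], e["ip"],
                           f"{burst_users} distinct users redeemed device codes from one IP within {burst_window}"))
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_device_code_signins(EVENTS):
        print(*alert)
```

Alice's device-code sign-in from her usual office IP is left alone, which is the trade-off: a developer authenticating a CLI from their workstation looks the same as a victim only until the redemption IP is compared with their history. Where the device code flow has no business use at all, a conditional-access policy that blocks it outright removes the need for this detection entirely.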
Defenders should monitor for anomalous device authorization requests, implement strict app consent policies, and educate users never to enter codes from unsolicited prompts. As this tactic goes mainstream via PhaaS kits, proactive blocking of known IOCs (domains and IPs) and enhanced session monitoring are essential.

No immediate quantum or large-scale ransomware breakout dominated today’s chatter beyond these patterns, but the bridge exploit and supply chain activity reinforce that infrastructure-layer trust assumptions continue to be tested daily. Stay vigilant and patch promptly.