Security Check-in Quick Hits: LinkedIn Spying, Supply Chain Poisoning, Cisco Data Leaks, and AI Code Exposures Shake Up the Last 24 Hours

For April 3, 2026

LinkedIn’s Hidden Code Scans Users’ Computers for Installed Software

A bombshell post from security researcher Simone Margaritelli (@evilsocket) exploded across X, revealing that LinkedIn’s website runs undisclosed JavaScript whenever any of its roughly one billion users visits linkedin.com. The code inventories installed applications on the visitor’s machine, then ships the data to LinkedIn’s servers and at least one third-party American-Israeli cybersecurity firm.

No user consent is mentioned, and the practice appears to happen silently in the background. The original analysis (linked via browsergate.eu in the thread) frames it as potentially illegal under privacy and computer-access laws. Engagement was massive—over 14,000 likes and thousands of reposts—because it hits a nerve: a professional networking giant quietly profiling users’ software environments at scale.

Why it matters: This isn’t a traditional “breach.” It’s a built-in surveillance feature that treats every visitor’s device as fair game. In an era of tightening data-protection rules, it risks regulatory blowback and user backlash. Defenders and privacy-conscious pros are already recommending browser extensions that block tracking scripts or simply avoiding the site in favor of mobile apps with different telemetry behavior. Expect follow-up stories and possible legal scrutiny in the coming days.

Poisoned Axios NPM Package Delivers Cross-Platform RAT in Massive Supply-Chain Hit

Multiple threat-intel threads flagged the Axios HTTP library compromise as one of the biggest open-source supply-chain incidents still rippling through the ecosystem. Attackers stole maintainer credentials and pushed malicious versions (1.14.1 and 0.30.4) that quietly pulled in a phantom dependency. The payload is a self-erasing remote access trojan (RAT) that works on Windows, macOS, and Linux.

With Axios boasting over 100 million weekly downloads, the reach is enormous—potentially hundreds of thousands of developer machines and CI/CD pipelines. X users noted this fits a broader 2026 pattern: stolen-credential attacks on popular libraries, accelerated by AI-assisted tooling that lets adversaries move from compromise to payload in hours instead of weeks.

Why it matters: Supply-chain attacks no longer require zero-days; they hijack trust. Developers and security teams are scrambling to audit dependencies, rotate credentials, and enforce SBOM (software bill of materials) checks. The incident also spotlighted related campaigns involving tools like Trivy and LiteLLM, showing how one poisoned package can cascade into enterprise environments.

ShinyHunters Claims Major Cisco Source-Code and Customer Data Breach

Cybersecurity news accounts amplified claims from the threat group ShinyHunters, who say they breached Cisco through multiple vectors: Salesforce CRM, Salesforce Experience Cloud (Aura), and AWS S3 buckets. The updated listing (dated March 31 but actively discussed yesterday) alleges more than 3 million records containing personal information plus internal GitHub repositories and other sensitive data.

Cisco has not issued a full public confirmation at the time of the X chatter, but the volume and specificity of the claim made it a top-trending topic. Earlier threads connected this to ongoing Trivy scanner poisoning that reportedly gave attackers a foothold in Cisco’s dev environment.

Why it matters: Even if only partially verified, the breach highlights how cloud identity and third-party SaaS integrations remain soft targets. Organizations using similar stacks are being urged to review Salesforce and AWS access logs, rotate credentials aggressively, and treat any vendor breach claim as a prompt for immediate internal hunting. The alleged exfiltration of source code also raises intellectual-property and potential downstream supply-chain risks for Cisco customers.

Anthropic’s Claude AI Code Dropped Openly on GitHub—Sparking Cyber Capability Concerns

A widely shared GitHub repo (openclaude) offering “FREE OPEN CLAUDE CODE” gained rapid traction, with users posting the full source (reportedly 1,906 files in one related npm leak). Threads tied it to earlier leaks of Anthropic’s internal Mythos model, described in leaked docs as “far ahead of any other AI model in cyber capabilities” and capable of discovering 500 zero-days in a single session.

One viral anecdote (framed as a first-day-at-CrowdStrike story) illustrated the market reaction: the leak reportedly contributed to a 7% stock drop for the cybersecurity firm. Security pros on X are debating whether open-sourcing advanced AI cyber tools accelerates defensive research or hands offensive capabilities to anyone with a laptop.

Why it matters: AI model leaks are no longer hypothetical. When code that can automate vulnerability discovery or build custom tools hits public repositories, the barrier to entry for sophisticated attacks drops dramatically. Defenders should treat any leaked frontier-model artifacts as high-priority intelligence—reviewing them for novel techniques while hardening internal AI usage policies and monitoring for derivative malware.

These four stories dominated X’s cybersecurity corner in the last 24 hours because they blend fresh incidents with systemic problems: over-reliance on third-party trust, silent data collection, and the accelerating speed of AI-augmented attacks. The common thread? Traditional perimeters and “set-it-and-forget-it” security controls are failing fast. Patch aggressively, audit supply chains, monitor identity and cloud configs, and keep an eye on emerging AI tooling—before today’s quick hits become tomorrow’s headlines. Stay safe out there.