Security Check-in Quick Hits: North Korea’s Patient $280M Crypto Heist, Fortinet Zero-Day in the Wild, LinkedIn’s Secret Browser Spyware, and 36 Malicious npm Packages Poisoning Supply Chains
For April 5, 2026
North Korea’s Most Terrifying Crypto Hack Yet: Six Months of Human Trust-Building Ends in $280 Million Theft
In one of the most sophisticated social-engineering campaigns ever documented in crypto, North Korean threat actors (via proxies) executed a six-month operation that culminated in the theft of $280 million from the Solana-based perpetuals protocol Drift.
The attackers didn’t phish or exploit smart-contract code. Instead, they built genuine relationships. Starting in fall 2025, individuals posing as a legitimate “quant trading firm” approached Drift contributors at multiple in-person conferences across countries. They followed up professionally, created a Telegram group for ongoing discussions about trading strategies and vault integrations, onboarded a real Ecosystem Vault, deposited over $1 million of their own capital to prove legitimacy, and attended working sessions for months.
By early 2026, they were trusted insiders. They then shared routine repos and tools. The kill switch? A known VSCode and Cursor vulnerability (flagged by the security community since late 2025) that enabled silent code execution simply by opening a malicious file — no prompts, no permissions required. Once inside, the malware wiped every trace, including Telegram messages, and exfiltrated the funds.
The bug has since been patched, but the real vulnerability was never technical — it was the handshake. This attack should serve as a wake-up call for every founder, contributor, and ecosystem participant: in-person trust can be weaponized just as effectively as code. Verify identities ruthlessly, isolate dev environments, and treat long-term “relationships” with the same scrutiny as suspicious links.
Fortinet FortiClient EMS Zero-Day (CVE-2026-35616) Actively Exploited — Patch Immediately
Fortinet has issued an emergency hotfix for a critical unauthenticated remote code execution vulnerability in FortiClient EMS, already being exploited in the wild.
Tracked as CVE-2026-35616 with a CVSS score of 9.1, the flaw allows attackers to completely bypass API authentication and authorization controls. No credentials, no user interaction, and no privileges are needed if the EMS instance is internet-exposed. This marks the second critical EMS flaw exploited in recent weeks, underscoring ongoing risk in Fortinet’s endpoint management solutions.
Organizations running FortiClient EMS should apply the hotfix without delay and review internet-facing deployments for signs of compromise. Threat actors move fast on high-impact endpoint-management flaws — this one gives them full command execution on vulnerable systems.
LinkedIn’s “BrowserGate” Scandal: Hidden JavaScript Quietly Scans Your Installed Extensions
A new investigation by European advocacy group Fairlinked e.V. has exposed what researchers are calling one of the largest corporate data-collection scandals in recent history.
Every time users open LinkedIn in a Chrome-based browser, hidden JavaScript silently scans thousands of installed browser extensions, compiles the results, encrypts the data, and exfiltrates it back to LinkedIn’s servers — and to third-party companies — without user consent or any mention in LinkedIn’s privacy policy.
With over one billion users, this covert profiling raises serious questions about consent, transparency, and the boundaries of corporate surveillance. The code runs without notification and collects deeply personal data about your browsing environment and software stack.
If you use LinkedIn in a browser, consider reviewing your extension footprint, using privacy-focused browsers or containers, and demanding clearer accountability from platforms that treat user devices as open books.
Supply-Chain Attack Alert: 36 Malicious npm Packages Posing as Strapi Plugins Target Redis and PostgreSQL
Security researchers discovered 36 npm packages masquerading as legitimate Strapi plugins that were actively delivering malware through postinstall scripts.
The packages exploited Redis and PostgreSQL environments, stole credentials, and deployed persistent backdoors. Once installed (often via dependency chains or CI/CD pipelines), they gained full user or environment access, enabling data theft and further compromise.
This incident highlights the growing risk of dependency confusion and malicious package campaigns in the npm ecosystem. Developers and organizations should audit recent npm installs, especially any Strapi-related packages, enable strict package verification, and monitor for anomalous postinstall behavior in build pipelines.
These four stories dominated cybersecurity chatter in the last 24 hours and illustrate a clear trend: attackers are blending patient human intelligence, zero-days, supply-chain compromise, and stealthy data collection. Stay patched, verify everything, and assume the handshake — or the dependency — could be the real vector.