Cyber Weekly News — 3 April 2026

Episode 2 — Supply Chains, Smart Coffee, and AI-Powered Malware

This week's episode is packed. From supply chain attacks cascading through thousands of businesses to a coffee machine that brought down a corporate network, Peter and Emily break down the stories that matter — and what you should be doing about them right now.

What We Cover This Week

Supply Chain Attacks at Industrial Scale

The TeamPCP supply chain campaign has claimed its first publicly-named victim in AI recruiting firm Mercor, but Mandiant estimates over a thousand cloud environments are actively affected — and that number could grow tenfold. The criminal group is now collaborating with Lapsus$, who claim to have stolen four terabytes of data, as well as ransomware gangs CipherForce and Vect.

North Korean Hackers Poison the Axios npm Package

A North Korean threat actor compromised the maintainer account for axios, a JavaScript library downloaded over a hundred million times per week. The malicious versions deployed a cross-platform backdoor across Windows, Mac, and Linux. They were live for only hours, but with that download velocity, even a brief window creates enormous exposure.

Fake Claude Code Downloads Spreading Malware

Criminals weaponised the recent Claude Code source code exposure by creating malicious GitHub repositories disguised as the leaked source. Downloads actually installed credential-stealing malware and turned victims' machines into proxy infrastructure. One repository accumulated nearly 800 forks before being flagged.

DeepLoad — AI-Powered Malware That Survives Removal

A new malware strain called DeepLoad uses AI-generated obfuscation to evade detection, arrives via the ClickFix social engineering technique, and plants a hidden persistence mechanism that reinfects machines three days after they've been cleaned. Standard incident response won't catch it.

Hasbro and Stryker Cyberattack Disruption

Hasbro is struggling to process orders and ship products after a confirmed cyberattack. Stryker has been restoring manufacturing operations for nearly three weeks. Both cases underscore the real-world operational impact that cyberattacks have on businesses.

The Coffee Machine That Caused a Data Breach

A forensic investigation found that an internet-connected coffee machine — with a default password and no firewall — was the entry point for a corporate data breach. Every cup brewed was sending data to overseas attackers. A reminder that your network is only as secure as the least-secured device on it.

RSAC 2026 — Attribution Risks and AI Budget Warnings

Experts at RSAC warned that cyberattack attribution is almost always probabilistic, not definitive, and carries real risks when made public. A separate panel delivered a clear message: don't shift your security budgets to AI at the expense of your existing, proven defences.

Your Action List

Read the Full Analysis

This episode accompanies our weekly written briefings. For the full-length article with detailed guidance for your business, read our SMB Cyber Roundup for this week.

Not Sure Where Your Business Stands?

Our team can assess your cybersecurity posture, identify your biggest risks, and build a practical plan that fits your budget. No jargon, no scare tactics — just clear, actionable advice.
