Daily Briefing for 04.13.26

Top stories.

• US and Indonesian law enforcement shut down multi-million-dollar phishing operation.
• Threat actors quickly exploit a flaw in the Marimo Python notebook platform.
• North Korea-linked attack on the Axios supply chain impacts OpenAI.

US and Indonesian law enforcement shut down multi-million-dollar phishing operation.

The US Federal Bureau of Investigation's (FBI's) Atlanta field office and Indonesian law enforcement took down a popular phishing platform called "W3LL" that was used to steal more than $20 million, Fox 5 Atlanta reports. The FBI and Indonesian National Police also said the developer of the phishing kit has been identified and detained.

The kit sold for $500 through the W3LL Store, which was active from 2019 to 2023, and investigators believe the marketplace facilitated the sale of over 25,000 compromised accounts. Activity continued after the store's closure via encrypted messaging apps, with more than 17,000 victims targeted between 2023 and 2025. The W3LL operation was analyzed by researchers at Group-IB in 2023, who noted that the platform was "specifically designed to compromise corporate email accounts" for use in business email compromise (BEC) attacks.

Threat actors quickly exploit a flaw in the Marimo Python notebook platform.

Researchers at Sysdig warn that threat actors began exploiting a critical flaw in the open-source Python notebook environment Marimo hours after its disclosure on April 8th. The vulnerability, tracked as "CVE-2026-39987," is "a pre-authentication remote code execution (RCE) vulnerability in the terminal WebSocket endpoint that allows attackers to obtain a full interactive shell on any exposed marimo instance through a single WebSocket connection – no credentials required." An attacker used the advisory description to build a working exploit and launched a credential theft operation 9 hours and 41 minutes after the advisory was published.

Sysdig notes that Marimo is a relatively niche product, and the speed of this exploitation indicates that "threat actors are monitoring advisory feeds broadly, not just for high-profile targets."

North Korea-linked attack on the Axios supply chain impacts OpenAI.

OpenAI has disclosed that it was one of the companies impacted by a North Korea-linked supply-chain attack that compromised the Axios npm library late last month, SecurityWeek reports. Axios is the most popular JavaScript library for making HTTP requests. Google's Threat Intelligence Group found that a North Korean threat actor inserted a malicious dependency into the Axios npm release, compromising the release for several hours on March 31st.

OpenAI said in a statement, "Out of an abundance of caution we are taking steps to protect the process that certifies our macOS applications are legitimate OpenAI apps. We found no evidence that OpenAI user data was accessed, that our systems or intellectual property was compromised, or that our software was altered. We are updating our security certificates, which will require all macOS users to update their OpenAI apps to the latest versions. This helps prevent any risk—however unlikely—of someone attempting to distribute a fake app that appears to be from OpenAI."