Top stories.
- Commercial cloud infrastructure is now a wartime target.
- Stryker is back to normal operations following Iranian cyberattack.
- North Korean threat actor compromises axios npm package.
- WhatsApp warns Italian users of spyware campaign.
- Threat actors exploit critical F5 BIG-IP vulnerability.
- Hackers begin exploiting critical Citrix NetScaler vulnerability.
Commercial cloud infrastructure is now a wartime target.
Iran's Islamic Revolutionary Guard Corps (IRGC) claimed on Thursday to have struck an Oracle data center in Dubai and an Amazon facility in Bahrain, Tom's Hardware reports. Dubai officials denied the claims, saying reports that the IRGC had launched an attack in Dubai were false, according to Gulf News. Bahrain's Ministry of Interior, however, confirmed that an Iranian attack had set "a facility of a company" on fire. The company is reported to be telecom provider Batelco, which hosts AWS infrastructure.
The IRGC earlier this week said it would begin targeting 18 US technology and finance companies across the Middle East, including Microsoft, Apple, Google, Meta, IBM, Cisco, JP Morgan, Tesla, Boeing, and Nvidia. Iran launched drone strikes against AWS facilities last month, and CNBC cites experts as saying the targeting of tech assets is now a sustained pattern. These companies often provide services to the US military, and their facilities contain hardware worth billions of dollars.
Stryker is back to normal operations following Iranian cyberattack.
US medical technology giant Stryker is now "fully operational" following an Iran-linked wiper attack the company sustained on March 11th, CyberScoop reports. The company said in an update on Wednesday, "Production is moving rapidly toward peak capacity with discipline and stability, supported by restored commercial, ordering, and distribution systems. Overall product supply remains healthy, with strong availability across most product lines, as we continue to meet customer demand and support patient care."
Handala, a hacktivist group tied to the Iranian government, claimed responsibility for the attack. The threat actor reportedly gained access to Stryker's Microsoft environment and used the Microsoft Intune device-management platform to wipe tens of thousands of corporate devices.
North Korean threat actor compromises axios npm package.
A North Korean threat actor on Tuesday inserted a malicious dependency into two npm releases of axios, the most popular JavaScript library for making HTTP requests, according to researchers at Google's Threat Intelligence Group (GTIG) and Mandiant. The two releases, versions 1.14.1 and 0.30.4, have over 100 million and 83 million weekly downloads respectively, and were compromised for about two hours. The malicious dependency was "an obfuscated dropper that deploys the WAVESHAPER.V2 backdoor across Windows, macOS, and Linux." The backdoor is designed to "collect system information, enumerate directories, or execute additional payloads."
Google attributes the attack to UNC1069, a financially motivated threat actor tied to North Korea. The researchers note that the impact of the attack "is broad and has ripple effects as other popular packages rely on axios as a dependency."
The report concludes, "GTIG urges all developers and organizations using the axios package to take immediate corrective action. Priority should be given to auditing dependency trees for compromised versions, isolating affected hosts, and rotating any potentially exposed secrets or credentials. Following initial containment, organizations must implement long-term hardening through strict version pinning and enhanced supply-chain monitoring."
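The dependency-tree audit recommended above can be run against npm lockfiles. The following is an added example, not code from GTIG, Mandiant, or the axios project: it flags the two versions named above in both npm lockfile layouts, including transitive and aliased installs. The sample lockfiles and the package names in them (`demo-app`, `some-sdk`, `http-alias`, `legacy-client`) are constructed.

```javascript
// Added example: flag the axios versions named in the report inside npm lockfile data.
const COMPROMISED = new Set(['1.14.1', '0.30.4']); // versions taken from the page

// lockfileVersion 2/3: flat "packages" map keyed by install path.
function scanPackagesMap(packages, hits) {
  for (const [path, meta] of Object.entries(packages || {})) {
    // Aliased installs carry the real name in meta.name; otherwise derive it from the path.
    const name = meta.name || path.split('node_modules/').pop();
    if (name === 'axios' && COMPROMISED.has(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
}

// lockfileVersion 1: nested "dependencies" tree, walked recursively.
function scanDependencyTree(deps, trail, hits) {
  for (const [name, meta] of Object.entries(deps || {})) {
    if (name === 'axios' && COMPROMISED.has(meta.version)) {
      hits.push({ path: [...trail, name].join(' > '), version: meta.version });
    }
    scanDependencyTree(meta.dependencies, [...trail, name], hits);
  }
}

// Takes a parsed package-lock.json object; returns every locked copy of a flagged version.
function findCompromisedAxios(lock) {
  const hits = [];
  if (lock.packages) scanPackagesMap(lock.packages, hits); // v2 also has a legacy tree; skip it
  else scanDependencyTree(lock.dependencies, [], hits);
  return hits;
}

// Constructed samples (not real projects): a direct safe copy plus transitive/aliased hits.
const SAMPLE_V3 = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/axios': { version: '1.13.2' },
    'node_modules/some-sdk/node_modules/axios': { version: '1.14.1' },
    'node_modules/http-alias': { name: 'axios', version: '0.30.4' },
  },
};
const SAMPLE_V1 = {
  lockfileVersion: 1,
  dependencies: {
    axios: { version: '0.30.3' },
    'legacy-client': { version: '2.0.0', dependencies: { axios: { version: '0.30.4' } } },
  },
};
console.log(findCompromisedAxios(SAMPLE_V3), findCompromisedAxios(SAMPLE_V1));
```

To check a real project, pass the parsed contents of its `package-lock.json` to `findCompromisedAxios`. A lockfile regenerated after the two-hour window will come back clean, so an empty result does not rule out an install made while the releases were live.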
WhatsApp warns Italian users of spyware campaign.
WhatsApp has notified around 200 users who downloaded an unofficial iOS version of the app that contained spyware, TechCrunch reports. Most of the affected users were in Italy. WhatsApp stated, "We have logged [the users] out, alerted [them] to the risks to their privacy and security that come with downloading fake unofficial clients, and encouraged them to remove it and download the official WhatsApp app." WhatsApp alleges that Italian surveillance firm SIO created the malicious app, and the Meta subsidiary says it plans to "send a formal legal demand to stop any such malicious activity to this spyware firm."
SIO's subsidiary ASGINT develops spyware for government clients. US-Israeli spyware firm Paragon cut ties with the Italian government last year following reports that the country's intelligence agencies had used Paragon's products to target members of civil society.
Threat actors exploit critical F5 BIG-IP vulnerability.
F5 Networks has reclassified a BIG-IP Access Policy Manager denial-of-service flaw as an unauthenticated remote code execution vulnerability, raising its severity score from 7.5 to 9.8. The vulnerability (CVE-2025-53521) is being actively exploited, and organizations are urged to apply fixes as soon as possible.
The UK's National Cyber Security Centre (NCSC) has published an advisory on the vulnerability, recommending that organizations "[investigate] for compromise on all affected products regardless of when the system was updated."
Hackers begin exploiting critical Citrix NetScaler vulnerability.
Threat actors have begun exploiting a critical vulnerability (CVE-2026-3055) affecting Citrix NetScaler ADC and NetScaler Gateway appliances that was disclosed on March 23rd, BleepingComputer reports. The flaw, which has been compared to the CitrixBleed and CitrixBleed2 vulnerabilities, is an "insufficient input validation in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP leading to memory overread."
Researchers at watchTowr observed exploitation of the vulnerability beginning on Sunday, March 27th. The US Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to patch their systems by Thursday, April 2nd, noting that "[t]his type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise."