 ██████╗██╗   ██╗██████╗ ██████╗     ██████╗██╗  ██╗
 ██╔════╝╚██╗ ██╔╝██╔══██╗██╔══██╗   ██╔════╝╚██╗██╔╝
 ██║      ╚████╔╝ ██████╔╝██████╔╝ ● ██║      ╚███╔╝ 
 ██║       ╚██╔╝  ██╔══██╗██╔══██╗   ██║      ██╔██╗ 
 ╚██████╗   ██║   ██████╔╝██║  ██║   ╚██████╗██╔╝ ██╗
  ╚═════╝   ╚═╝   ╚═════╝ ╚═╝  ╚═╝    ╚═════╝╚═╝  ╚═╝
────────────────────────────────── STAY SHARP ───

**Seven Critical Bugs Gut Endian Firewall's Logging Layer**

Today's cybersecurity digest — CVEs, headline news, and something nerdy. April 02, 2026

cybr.cx Daily Digest — April 02, 2026


Critical Vulnerabilities

CVE-2026-34791 through CVE-2026-34797 — Endian Firewall ≤3.3.25 | CVSS 8.8
Seven near-identical command injection flaws affect Endian Firewall's CGI logging endpoints (logs_proxy, logs_clamav, logs_firewall, logs_ids, logs_log, logs_openvpn, logs_smtp). In each case, the DATE parameter is passed unsanitised into a Perl open() call — a classic pattern that incomplete regex validation fails to block. An authenticated attacker can chain any of these to execute arbitrary OS commands on the firewall itself. The blast radius is severe: full compromise of a network security appliance. Patch to 3.3.26 or later immediately; if you can't, restrict administrative access aggressively.

CVE-2026-5349 — TRENDnet TEW-657BRM 1.00.1 | CVSS 8.8
A stack-based buffer overflow in the add_apcdb function within setup.cgi allows remote attackers to execute arbitrary code without physical access. A public exploit already exists. The vendor's response is essentially a shrug — the device is end-of-life and won't receive a patch. If this router is still in your environment, replace it now. EOL hardware with publicly available exploits is a gift to attackers.


Headline News

Axios npm Supply Chain Compromise
On March 31, two malicious Axios npm package versions (1.14.1 and 0.30.4) were published and configured to beacon out to attacker-controlled C2 infrastructure. Microsoft Threat Intelligence attributed the campaign to a tracked threat actor, marking one of the more significant npm supply chain incidents in recent memory given Axios's ubiquity — it sits inside hundreds of thousands of JavaScript projects across virtually every sector. Developers and security teams should audit their dependency trees immediately, check for installations of either affected version, and rotate any credentials or tokens that may have been accessible in environments where those packages executed. This is a sharp reminder that even the most trusted, mundane utility packages are high-value targets.
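
One way to run the version check described above, as an added example that is not code from the digest or from the Axios project: it walks a parsed package-lock.json (lockfileVersion 1, 2 or 3) and reports every install of 1.14.1 or 0.30.4, including nested and aliased copies. The sample lockfile and the package names example-sdk and http-alias are constructed for illustration.

```javascript
// Added example. The two versions come from the digest item; all sample data is constructed.
const AFFECTED = new Map([["axios", new Set(["1.14.1", "0.30.4"])]]);
const MARKER = "node_modules/";

// Returns [{ name, version, path }] for each affected install recorded in a
// parsed package-lock.json (lockfileVersion 1, 2 or 3).
function findAffected(lock, affected = AFFECTED) {
  const hits = new Map(); // keyed by install path, so v2's two views of one install dedupe
  const record = (name, version, path) => {
    // v1 lockfiles store an aliased install as "npm:<real-name>@<version>".
    if (typeof version === "string" && version.startsWith("npm:")) {
      const at = version.lastIndexOf("@");
      name = version.slice(4, at);
      version = version.slice(at + 1);
    }
    if (affected.get(name)?.has(version)) hits.set(path, { name, version, path });
  };
  // v2/v3: flat "packages" map keyed by install path ("" is the root project).
  // Aliased installs carry the real package name in "name".
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue;
    const i = path.lastIndexOf(MARKER);
    record(meta.name || (i < 0 ? path : path.slice(i + MARKER.length)), meta.version, path);
  }
  // v1 (and the legacy view kept inside v2): nested "dependencies" tree.
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}${MARKER}${name}`;
      record(name, meta.version, path);
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return [...hits.values()];
}

// Constructed sample lockfile; "example-sdk" and "http-alias" are hypothetical packages.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.7.9" },
    "node_modules/example-sdk": { version: "2.0.0" },
    "node_modules/example-sdk/node_modules/axios": { version: "0.30.4" },
    "node_modules/http-alias": { name: "axios", version: "1.14.1" },
  },
};

console.log(findAffected(SAMPLE_LOCK));
```

To scan a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. A lockfile only shows what is pinned now, so a clean result does not rule out an earlier install in a CI cache or build image.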

ShinyHunters Breaches Cisco via Trivy Supply-Chain Attack
ShinyHunters — the threat group behind several high-profile breaches — has claimed responsibility for stealing Cisco source code, reportedly exfiltrating over 300 repositories and compromising AWS keys in the process. The attack vector is notable: the group is said to have leveraged a supply-chain weakness in Trivy, the open-source vulnerability scanner widely used in CI/CD pipelines, effectively weaponising a security tool against its users. The scope is significant — source code exposure can facilitate targeted exploitation, enable bypass of proprietary security controls, and inform future campaigns against Cisco customers. Practitioners should review whether Trivy or similar scanning tools in their pipelines have access to sensitive credentials or repositories, and audit what those tools can reach.

Apple Patches DarkSword Exploit — Including for iOS 18 Holdouts
Apple has released iOS 18.7.7 specifically to address the DarkSword exploit, an unusual move that extends security coverage to users who declined to upgrade to iOS 26. Until recently, Apple had withheld security patches from users remaining on iOS 18 despite their hardware being capable of running the newer OS — leaving a significant population exposed. DarkSword is serious enough that Apple reversed course, and if you're managing a fleet with iOS 18 devices, this update is not optional. Push it now.


Nerdy Corner

Tailscale has solved one of the great aesthetic injustices of the Apple Silicon era: their macOS menu bar app now lives in the notch, neatly tucked into the display cutout that Apple insists is a design feature. Rather than crowding the already cluttered menu bar, the Tailscale icon retreats into the void that most apps politely ignore. It's a small, unnecessary, and completely delightful piece of engineering — the kind of thing that happens when developers have both taste and too much time. Peak nerd energy: spending non-trivial effort making a VPN client's icon slightly more elegant.