That's a lot of poison in a lot of wells...

Multiple breaches of open source projects have occurred the last couple weeks.

Five Cyber Stories - April 5th, 2026 - Issue 003

Howdy! Welcome to the first April edition of Five Cyber Stories. This week we're exploring more poison, preparing for the worst, and (you guessed it) more! Plus a short bonus story about astronauts and emails.

Without further ado, let's blast off.

1. More poison in more wells

Chaos: Last week, I wrote about the ongoing attacks against open source projects. This week, not only did another attack occur, but the consequences of the previous attacks began to reveal themselves.

The new attack compromised Axios, a popular open source npm package that "...is downloaded more than 400 million times per month..." Though the culprit was likely a different bad actor (North Korea), this is believed to be yet another supply chain attack.

Also this week, the European Union and the AI training company, Mercor, both announced they had been affected by TeamPCP's earlier attacks on open source projects. The European Union had up to 340 GB of data stolen including personal information, emails, and usernames. Another hacking group, Lapsus$, has made claims about what was stolen from Mercor, but Mercor has yet to confirm the nature of the stolen data. Even more concerning is how multiple hacking groups seem to be coordinating on some level (and also feuding?) in their extortion efforts.

Additionally, these breaches have put strain on the business relationships of both LiteLLM (another victim of TeamPCP's attacks) and Mercor ($).

Times are a-changin'? To continue the metaphor, these supply chain attacks have poisoned a lot of wells, and worse, they have the potential to hurt more victims. The compromised version of the Axios npm package may have been downloaded 600,000 times. The fallout from the TeamPCP attacks has now reached the upper echelons of European government and the wealthy world of Silicon Valley.
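When a widely used package is compromised, the first practical question for any team is "did we pull it, and from where?" The script below is an added example, not code from the newsletter or from the Axios project: it walks an npm package-lock.json (lockfileVersion 1, 2 or 3), finds every installed copy of a named package, including copies nested under other dependencies, and flags any copy that was not resolved from the public registry or that has no integrity hash. The sample lockfile and its version numbers are constructed for the demo and say nothing about which real Axios versions were affected; the set of bad versions is a parameter you fill in from the advisory.

```python
"""Find every copy of a package in an npm lockfile and flag suspicious ones.
Added example for this newsletter; it is not Axios project code."""
import json
from typing import Dict, List, Set

OFFICIAL_REGISTRY = "https://registry.npmjs.org/"


def _record(path: str, meta: dict) -> Dict[str, object]:
    """Build one report row for an installed copy, with any warnings."""
    resolved = meta.get("resolved", "")
    warnings = []
    if not resolved.startswith(OFFICIAL_REGISTRY):
        warnings.append("resolved outside registry.npmjs.org")
    if not meta.get("integrity"):
        warnings.append("no integrity hash")
    return {
        "path": path,
        "version": meta.get("version", "?"),
        "resolved": resolved,
        "integrity": meta.get("integrity", ""),
        "warnings": warnings,
    }


def _walk_v1(deps: dict, name: str, prefix: str, out: list) -> None:
    """lockfileVersion 1 nests dependencies as a tree; recurse through it."""
    for dep_name, meta in deps.items():
        path = f"{prefix}node_modules/{dep_name}"
        if dep_name == name:
            out.append(_record(path, meta))
        _walk_v1(meta.get("dependencies", {}), name, path + "/", out)


def find_package_copies(lock: dict, name: str) -> List[Dict[str, object]]:
    """Return one row per installed copy of `name`, in lockfile order.
    v2/v3 lockfiles use a flat "packages" map keyed by install path, e.g.
    "node_modules/axios" or "node_modules/foo/node_modules/axios"."""
    out: list = []
    if "packages" in lock:  # lockfileVersion 2 or 3
        for path, meta in lock["packages"].items():
            # The root project is keyed ""; skip it. The last path segment
            # after "node_modules/" is the package name (scoped names keep
            # their "@scope/" prefix because it contains no "node_modules/").
            if path and path.split("node_modules/")[-1] == name:
                out.append(_record(path, meta))
    else:  # lockfileVersion 1
        _walk_v1(lock.get("dependencies", {}), name, "", out)
    return out


def affected(copies: List[Dict[str, object]], bad_versions: Set[str]) -> list:
    """Filter the copies down to the versions named in an advisory
    (`bad_versions` is supplied by you; nothing here is a real bad version)."""
    return [c for c in copies if c["version"] in bad_versions]


# Constructed sample lockfile (lockfileVersion 3). Versions are arbitrary.
SAMPLE_LOCK = json.loads("""{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "dependencies": {"axios": "^1.6.0"}},
    "node_modules/axios": {
      "version": "1.6.8",
      "resolved": "https://registry.npmjs.org/axios/-/axios-1.6.8.tgz",
      "integrity": "sha512-EXAMPLE1"
    },
    "node_modules/axios-retry": {
      "version": "4.0.0",
      "resolved": "https://registry.npmjs.org/axios-retry/-/axios-retry-4.0.0.tgz",
      "integrity": "sha512-EXAMPLE2"
    },
    "node_modules/some-sdk": {
      "version": "2.0.0",
      "resolved": "https://registry.npmjs.org/some-sdk/-/some-sdk-2.0.0.tgz",
      "integrity": "sha512-EXAMPLE3"
    },
    "node_modules/some-sdk/node_modules/axios": {
      "version": "1.7.0",
      "resolved": "https://mirror.example.internal/axios/-/axios-1.7.0.tgz"
    }
  }
}""")

if __name__ == "__main__":
    for row in find_package_copies(SAMPLE_LOCK, "axios"):
        flag = " <-- " + "; ".join(row["warnings"]) if row["warnings"] else ""
        print(f'{row["path"]}: {row["version"]} ({row["resolved"]}){flag}')
```

Run it against a real lockfile with `json.load(open("package-lock.json"))` in place of `SAMPLE_LOCK`. A nested copy pulled in by a transitive dependency is easy to miss when you only check your own `package.json`, which is exactly where a poisoned release tends to hide.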

My goal for this newsletter is to highlight stories that reveal how cyber security affects our non-digital lives. The average person living their non-digital life doesn't always connect our governments and businesses to cyber security in the same thought, but attacks like these show that we certainly should. The collaboration of cyber criminals might mean that hacking groups already see governments as a vector to undermine the digital security of ordinary individuals.

On a personal note, I also wonder if this spells a sea change in the world of open source development. Like I said last week, if people can’t trust the code being shared - code that was literally designed to be shared in good faith - it’s less likely that public interest code will be shared and utilized. That may feel a little nebulous (and this newsletter was meant to highlight the tangible effects of cyber security), but another blow (however nebulous) to the public interest is bad for all of us. Time will tell.

Apple backported software updates for iOS 18 revealing the risks from DarkSword exploits.

2. Shielding against DarkSword ($)

Digital armor: Apple did something last Wednesday that it rarely does. It "backported" updates to iPhones running older versions of iOS to protect against the threat of DarkSword. Backporting means applying a security fix to older software versions rather than only to the current release, and Apple's use of the practice could protect millions of iPhones. Typically, Apple ships fixes only in its newest iOS release. If you don't have the new software, you don't have the new protections.

It's a big deal: Reader, I am writing about this for a third week in a row because it matters. Apple clearly agrees given the change from their "...historic practice of avoiding patching older versions of iOS." ($) Apple’s decision to backport updates clearly indicates that it believes the threat of this kit is real and pervasive. The DarkSword exploit kit is now available to the public, and it's been discovered being used on websites ($) very recently.

So, to be brief, please update your iPhone.

The well-known toy company, Hasbro, revealed they had experienced a major cyberattack.

3. Hasbro hack

Toy repair: Unfortunately, this story was no April Fools' joke. The well-known toy company, Hasbro, filed a disclosure with the SEC on April 1st stating that its systems had been compromised. According to TechCrunch, the exact nature of the attack wasn't disclosed, but the outlet reported that it could take the company some time - possibly several weeks - to recover. The business has shared few other details about the cyberattack so far.

On an especially worrying note, Zack Whittaker, at TechCrunch, noted that Hasbro's statement gave some hints that the attackers "...may still be in the company's systems."

The good news is that Hasbro's filing with the SEC indicated it's managing to continue operating due to "continuity plans."

Some assembly required: When I think about cyberattacks, I often think of governments, militaries, big tech, healthcare and other sensitive arenas. I should know better given what I read, and I've even had a front row seat to a cyberattack affecting a smaller org. They can affect anyone - even toy companies.

Luckily, Hasbro did know better and seems to have had plans in place. Preventing cyber events would likely be everyone's first choice, but I think preparing for the worst is a close second. Speaking of...

When it comes to cyberattacks, we should plan how we'll duck and cover.

4. Cyberattack drills?

A dress rehearsal: Last week at the RSAC cyber security conference, Joseph Izzo, San Joaquin General Hospital's Chief Medical Information Officer, spoke about the value of hospitals practicing for possible cyberattacks. Even so, he said the real deal was more intense. He shared tips from his experience, including advice on handling patient records during an attack and on preparing for an influx of patients from a nearby hospital experiencing its own cyber event. Izzo said, "Preparation determines if the situation escalates or stabilizes."

Duck and cover: I'll admit it. When I first came across this article, I had little to zero intention of including it in this week's letter. Talking about “practicing for an attack” feels a lot like spending middle school P.E. doing a tornado drill (yes, I’m from the Midwest).

But then I thought more about how cyberattacks are affecting society. A couple weeks ago, I wrote about attacks on hospitals no longer being considered niche, and in a poll from Politico, many stated they considered cyberattacks acts of war. I think it's time for every industry (businesses, schools, governments, you name it) to explore what it means for their orgs to "duck and cover" under a cyberattack.

There are of course hurdles to practicing this type of preparedness. Human brains are very bad at assessing risk, particularly risk that is ambiguous.

But if I were told there was a new type of weapon being fired from across the globe that is disrupting hospitals and even leading to an unnecessary death, I'd be a little on edge. All of us - as individuals, employers and neighbors - should start thinking about these types of attacks in tangible terms. When you think about it that way, it's anything but boring.

The state of digital privacy depends on one's perspective.

5. Schrödinger's privacy

The breakthrough: Two weeks ago, Google published a blog post announcing a 2029 deadline for being prepared for what's called Post Quantum Cryptography (PQC). PQC refers to encryption algorithms designed to withstand attacks from quantum computers, which are projected to be able to easily crack the public-key algorithms that protect most of today's internet traffic. That could spell disaster for unprepared governments, businesses, and organizations, and it could affect everyday people if swaths of personal, private information are suddenly exposed.

My hypothesis: Because governments and businesses are taking highly technical steps to prepare for the move to PQC, I think (and hope!) this prep work will mostly go unnoticed by the public. The reason I included the story this week, after it was revisited by Dan Goodin at Ars Technica, is because of the nature of digital privacy. One of the risks motivating PQC, often called "harvest now, decrypt later," is that actors are hoarding encrypted data now so they can decrypt it once quantum computers are capable enough.

Imagine a future that never made the move to PQC, where one's texts, digital journals, passwords, spending habits, internet browsing history, and more can be "hacked" with ease. Actually, we live in that world now, and though today's encryption tools work great, today's bad actors continue to find methods to bypass encryption altogether via malware, exploits (see DarkSword), scams, or other means. Sometimes, even, the lack of privacy in an app is a feature, not a bug ($).

So, while I'm glad bigger stakeholders are preparing for a PQC world, I strongly believe we need to consider our digital privacy now, before 2029. My rule of thumb is that most digital information rarely stays private. So, here are some questions I recommend asking before using a digital service or application:

  • How does this business make money?
  • Does this application's terms of service admit to selling my information?
  • What types of privacy safeguards has this organization installed?
  • Who are the stakeholders or beneficiaries of this business model?
  • The big one: Am I ok with the risk that this data I enter into this interface might be seen by others?

Ultimately, all of these questions still lead to a personal decision to use an application or service, but practically, I think they can help us calculate some of the true privacy costs to our digital convenience.

BONUS: Microsoft's Outlook from space

As a bonus on Easter weekend, here's a quick article about how even astronauts have problems with Microsoft Outlook (and code browns). The 404 Media article's subheading reads, "In space, no one can hear you scream at Microsoft’s legacy software." The original source's Bluesky post had this reply. I couldn't help but share.

A great 2001: A Space Odyssey reference.

Signing off...

Before I go, some honorable mentions for this week include Skull Vibrations (related to last week's story about self-surveillance), threats from Iran ($) on April 1st, and federal law enforcement's use of spyware. Did I miss anything? Let me know by replying to this email!

Also, if you know someone who might enjoy this newsletter, I'd be grateful if you could pass this edition along.

Thanks as always for reading, and happy Easter!

Danny