North Korea Hit Axios npm While TeamPCP Burned 1,000 Environments

TL;DR

• TeamPCP blast radius quantified: Mandiant confirms 1,000+ SaaS environments compromised, vx-underground estimates 500,000 machines affected, Lapsus$ claims 4 TB from $10B startup Mercor
• North Korean group UNC1069 compromises Axios npm package (183M+ weekly downloads across affected branches) in a separate supply chain attack, attributed by Google GTIG
• OpenSSH 10.3 patches five security vulnerabilities, including shell injection via ProxyJump, and drops legacy rekeying compatibility
• HarfBuzz 14.0 ships a GPU-accelerated text rendering library using direct fragment shader rasterization (no bitmap atlas)
• Rust DRM abstractions and NVIDIA Nova driver additions queued for Linux 7.1 merge window, rc7 networking fixes shipped ahead of Sunday release

👑 Top Story

TeamPCP Campaign Scope Revealed: 1,000+ SaaS Environments, 500,000 Machines, Lapsus$ Joins Extortion

• The full scale of the TeamPCP supply chain campaign became clear this week as multiple incident response firms published scope estimates. At RSA Conference, Mandiant Consulting CTO Charles Carmakal confirmed Google's incident response team knew of "over 1,000 impacted SaaS environments" actively dealing with cascading effects from the TeamPCP compromises, adding that the number "will probably expand into another 500, another 1,000, maybe another 10,000." Threat intelligence collective vx-underground estimates data and secrets were exfiltrated from 500,000 machines. Separately, the Lapsus$ extortion group claimed it obtained 4 TB of data from Mercor AI (a $10 billion AI recruiting startup whose customers include OpenAI, Anthropic, and Meta), including 939 GB of source code, a 211 GB user database, and 3 TB of storage buckets containing video interviews and identity verification passports. Mercor confirmed it was "one of thousands of companies" affected by the LiteLLM supply chain compromise.
• Recurring: Ninth day tracking this campaign. Progression: supply chain expansion (March 19-27), ransomware pivot (March 30), first victim disclosure (April 1), scope quantification and Lapsus$ involvement (April 2-3). Previous dailies covered Trivy (March 23), Checkmarx/LiteLLM (March 24-25), telnyx (March 28), ransomware pivot (March 31), and Mercor confirmation (April 1).
• Source: The Register | Help Net Security | Fortune

Two separate groups are running supply chain attacks on open source right now. One backed by North Korea. The other is a criminal syndicate that just hit a ten-billion-dollar AI startup. And the scary part? They've got nothing to do with each other.

Welcome back. Today, we're talking about what happens when the attacks come in parallel. Two major supply chain campaigns are running at the same time, one criminal and one state-backed. What does that actually mean for defenders? And why one quiet release this week might change how every screen on earth displays text.

Let's get into it.

If you've been following me, you know I've been tracking TeamPCP for over a week now. What started as a supply chain expansion has turned into something much bigger. We went from compromised packages to ransomware to the first victim disclosures. And now, the scope numbers are coming in.

At RSA Conference this week, Mandiant's CTO Charles Carmakal put a number on it. Over 1,000 compromised SaaS environments. And he said that number will probably expand into another 500, another 1,000, maybe another 10,000.

Those are real environments already burning, not hypothetical projections.

Threat intelligence collective vx-underground went further. They estimate that attackers pulled data from 500,000 machines. Half a million machines. In a single campaign.

Then Lapsus$ showed up. They claimed 4 terabytes from Mercor AI. That's a ten-billion-dollar recruiting startup. Their customers include OpenAI, Anthropic, and Meta.

What was in those four terabytes? 999 gigabytes of source code. A 207-gigabyte user database. And 3 terabytes of storage buckets. Video interviews. Identity verification passports. The kind of data you can't rotate like a password. You can't change your face. You can't unrecord a video interview.

The downstream exposure is worse. Mercor is a recruiting platform. Their database doesn't just contain Mercor's data. It contains candidate data from the companies they serve. So when OpenAI, Anthropic, and Meta use Mercor for hiring, the people who applied through that platform are now exposed to.

Mercor confirmed it. They called themselves "one of thousands of companies" affected by the LiteLLM supply chain compromise.

It's like a break-in at a locksmith's warehouse. They didn't just steal locks. They stole the master keys to every building the locksmith ever serviced.

Now. While all of that was dominating headlines, something else happened. Quietly.

Google's Threat Intelligence Group published an attribution of a completely separate supply chain attack: different actor, different vector, completely different target.

North Korean group UNC1069 pushed two trojanized versions of Axios to npm.

If you don't know Axios, it's the most popular JavaScript HTTP client library. Over 100 million weekly downloads.

Within 40 minutes, 2 malicious versions were added to the registry. Versions 1.14.1 and 0.30.4. They added a dependency called plain-crypto-js that dropped a cross-platform backdoor. WAVESHAPER.V2. Windows through PowerShell. macOS through Mach-O. Linux through Python.

The malicious versions stayed live for under 3 hours before npm pulled them.

But how many installs happen in three hours when your package gets a hundred million downloads a week? If we assume download distribution is the same all the time (no peek at a specific day and time), it makes ~1.8 million.

What makes this week different? These two campaigns are completely unrelated. TeamPCP is a credential-harvesting tool using PyPI and GitHub Actions. UNC1069 is financial exfiltration through npm. Different motivations, different vectors, two separate threat actors in the same two-week window against the same ecosystem.

And that brings us to a very different story.

While the supply chain was burning, HarfBuzz shipped version 14.0.

You might not know HarfBuzz by name, but you use it every day. It's the text shaping engine behind Firefox, Chrome, Android, GNOME, KDE, LibreOffice. When your phone turns Unicode into the glyphs you actually read, HarfBuzz does the work.

Version 14.0 brought GPU text rendering using the Slug algorithm.

So what does that change? For decades, GPU text rendering relied on bitmap atlases. You pre-render glyphs into a texture, then paste them onto the screen. It works. But it's like photocopying a book at one size and then trying to zoom in. You lose quality fast. And on high-DPI displays, which is basically every modern phone and laptop, that quality gap gets more obvious every year.

The Slug approach flips this. The CPU encodes glyph outlines. Then the GPU decodes and rasterizes them directly in the fragment shader. No atlas. No pre-rendering. The text stays sharp at any size and resolution. You zoom in, and the letters stay crisp. That's a different category of rendering.

It supports GLSL, WGSL, Metal MSL, and HLSL. That covers Vulkan, WebGPU, Metal, and DirectX. Every GPU platform that matters.

Behdad Esfahbod created HarfBuzz. He's been working on text rendering for over two decades. His code already runs on billions of devices. And this week, he shipped a change to how they could all display type. Quietly. No keynote. No press release. Just a version bump and a commit log.

One story about how fragile the foundations are. Another about someone strengthening a foundation.

Let's pull back for a second.

The industry measures supply chain attacks one at a time. One CVE, one advisory, you pull out your incident response playbook. You get the alert, triage, remediate, and write the postmortem.

But what happens when the attacks are concurrent?

Your incident response team is triaging TeamPCP. Different IOCs, different remediation steps, completely different blast radius. And then the Axios alert fires. Your PyPI response doesn't help with npm. Your GitHub Actions playbook doesn't cover WAVESHAPER.V2.

Defender capacity is finite. You don't get a second incident response team because a second adversary showed up. I've worked in environments where a single incident keeps every senior engineer occupied for a week. Now, picture two incidents from two different adversaries landing on the same Tuesday.

Carmakal said, "Another five hundred, another thousand, maybe another ten thousand." That's one campaign. Now layer on a second, unrelated campaign from a nation-state actor. Layer on the OpenSSH shell injection that also shipped this week. Five security fixes in a single release, including shell injection through ProxyJump.

The attack surface is multiplicative, not additive.

And where does your dependency audit start when threats come from two different registries at once?

Meanwhile, the whole Linux stack is under pressure too. Linux 7.0 rc7 shipped with a WiFi bug fix that's been sitting there since 2019. 7 years. Ubuntu 26.04 LTS depends on this kernel. Fedora 44 depends on this kernel.

If the rc7 stabilizes, we get a final release on April 12. If it doesn't, Linus pushes an rc8 and the whole timeline slides to April 19. Two major distributions are watching that date. Every day that the kernel stays in release candidate is a day those distributions can't finalize their own testing.

And Rust code in the kernel is picking up speed. DRM abstractions, the NVIDIA Nova driver, and a GPU buddy allocator are all queued for the 7.1 merge window. The stack is evolving while it's being stress-tested. From npm packages at the top to the kernel at the bottom, everything is in motion at once.

The missing column is concurrent threat density.

Everyone tracks individual incidents. Nobody tracks the probability that multiple unrelated adversaries attack the same ecosystem simultaneously. And when they do, your triage capacity doesn't scale. Your response playbooks don't compose. The defender's burden compounds exponentially.

That's the column nobody has added to their risk dashboard.

Start asking: what happens when two hit at once? Because this week, they did.

💥Open Source News

North Korean Group UNC1069 Compromises Axios npm Package in Separate Supply Chain Attack

• Google's Threat Intelligence Group attributed a supply chain compromise of the Axios npm package to UNC1069, a financially motivated North Korean threat actor active since 2018. On March 31, two trojanized versions (1.14.1 and 0.30.4) were pushed to npm within 40 minutes, introducing a malicious dependency called "plain-crypto-js" that deployed the WAVESHAPER.V2 cross-platform backdoor (Windows via PowerShell, macOS via Mach-O binary, Linux via Python). Axios is the most popular JavaScript HTTP client library, with the affected branches receiving over 183 million weekly downloads combined (the 1.x branch alone exceeds 100 million). The malicious versions were available for under three hours before removal. Palo Alto Networks documented Axios compromise impact across the US, Europe, Middle East, South Asia, and Australia, affecting financial services, technology, retail, insurance, and higher education. This attack is separate from, and concurrent with, the TeamPCP campaign.
• Source: The Hacker News | Google Cloud Blog

OpenSSH 10.3 Patches Shell Injection, Drops Legacy Rekeying Compatibility

• OpenSSH 10.3, released April 2, patches five security vulnerabilities. The most significant: a shell injection flaw where metacharacters in usernames supplied via the command line could expand through %-tokens in ssh_config before validation. In configurations using %u tokens in Match exec blocks, this allows arbitrary command execution. A second fix addresses the -J (ProxyJump) option where user and host names were not validated against shell injection. Other fixes cover incorrect certificate principal matching with commas, ECDSA algorithm enforcement failures, and scp setuid/setgid bit preservation when running as root. The release also drops backward compatibility for SSH implementations that do not support rekeying, meaning older clients and servers lacking rekeying will now fail to connect.
• Source: Help Net Security | Linuxiac

HarfBuzz 14.0 Introduces GPU-Accelerated Text Rendering Library

• HarfBuzz 14.0 ships libharfbuzz-gpu, a new library for GPU-accelerated text rasterization using the Slug algorithm. Glyph outlines are encoded on the CPU into compact blobs that the GPU decodes and rasterizes directly in the fragment shader, without the traditional bitmap atlas. The library supports GLSL, WGSL, Metal MSL, and HLSL shaders for cross-platform GPU coverage. A new hb-gpu utility demonstrates interactive GPU text rendering, and a live web demo uses WebGPU and WebGL. If browsers, game engines, and UI toolkits adopt this, text rendering changes at the architectural level.
• Source: Phoronix

PHP BSD Relicense Vote: Final Day Tomorrow, Passage Certain

• The PHP community vote to relicense under BSD 3-Clause closes April 4. The count has reached 51 yes, 0 no, 2 abstentions, well above the two-thirds supermajority threshold. The change takes effect in PHP 9.0, replacing the PHP License 3.01 and Zend Engine License 2.00 with a standard OSI-approved license (Modified BSD). This eliminates GPL incompatibility issues and simplifies SPDX compliance for downstream packagers. Vote surged from 23 to 51 yes votes.
• Source: PHP RFC

Servo 0.0.6 Released with Layout Performance and Developer Tools Improvements

• Servo 0.0.6, the Rust-based web rendering engine, shipped with layout performance improvements, a new servo:config page for preference management, and developer tools enhancements. The project continues building toward a lightweight, embeddable alternative to Chromium's Blink and Firefox's Gecko for applications that need web rendering capabilities without a full browser stack. Servo supports WebGL and WebGPU and targets desktop, mobile, and embedded use cases.
• Source: Servo.org

Netrunner 26 Ships with XLibre Xserver and Debian 13 Base

• Netrunner 26 "Twilight" released after a year-long gap, rebased on Debian 13 "Trixie" with KDE Plasma 6.3.6 and Linux kernel 6.16 (not Debian's default 6.12 LTS). The standout inclusion is XLibre Xserver, a fork of Xorg that aims for backward compatibility with X11 while providing continued security maintenance. For users who prefer not to migrate to Wayland, it offers a maintained alternative. Ships with Firefox 140.7 ESR, Thunderbird 140.6 ESR, and LibreOffice 25.2.3.
• Source: Linuxiac

🐧 Linux News

Linux 7.0-rc7 Networking Fixes Ship, Sunday Release Expected

• Networking subsystem fixes for Linux 7.0-rc7 were sent out on April 2, ahead of the expected Sunday (April 5) release. The headline fix addresses a long-standing performance bug in the Qualcomm Ath11k and Ath12k WiFi drivers, where a request to stop an AMPDU session for one TID could incorrectly affect other active sessions, reducing throughput. This bug has existed in Ath11k since 2019 and Ath12k since 2022. Additional fixes include Netfilter input validation improvements to prevent exploits from malformed configurations, patches for information leaks, and miscellaneous wired and wireless driver fixes. If rc7 looks clean and stable, Linux 7.0 releases April 12. An rc8 would push it to April 19.
• Source: Phoronix

Rust DRM Abstractions and NVIDIA Nova Driver Additions Queued for Linux 7.1

• DRM Rust feature changes were sent for DRM-Next ahead of the Linux 7.1 merge window, which opens after 7.0 ships. The changes include a reworked DMA-coherent API, GPU buddy-allocator abstractions in Rust, DRM shared-memory GEM helper abstractions, I/O infrastructure improvements, and workqueue enhancements. The experimental NVIDIA Nova Core driver (the Rust-written successor to Nouveau) receives major updates: more Turing GPU enablement work, GPU System Processor (GSP) command-queue hardening, large-RPC support, refactored Falcon firmware handling, and DebugFS support for GSP-RM log buffers. The Arm Mali Tyr driver also sees improvements.
• Source: Phoronix

IPv6-Only Linux Kernel Patches: Serious Proposal Behind April 1 Humor

• David Woodhouse submitted a six-patch series on April 1, adding a CONFIG_LEGACY_IP option to toggle IPv4 support in the Linux kernel build. While the framing was humorous (labeling IPv4 as "Legacy IP"), Woodhouse clarified in follow-up discussion that the underlying work is serious: cleanly separating CONFIG_INET and CONFIG_IPV6/IPV4 to allow building with either protocol alone. Currently, the patches generate a warning when a process listens on a "legacy IP" socket. The proposal drew heavy discussion on Hacker News. A production IPv6-only kernel build option would benefit cloud environments and containerized workloads that have fully transitioned to IPv6.
• Source: Phoronix

Fedora 44 Stable Release Remains on Track for April 14

• Fedora 44 continues to target April 14 for the stable release. Key components: GNOME 50, KDE Plasma 6.6 with the new Plasma Login Manager, Mesa 26.0, DNF5, GCC 16, LLVM 22, Ruby 4.0, Go 1.26, PHP 8.5, Django 6, and NTSYNC for improved Wine/Steam gaming. The Budgie spin migrates from X11 to Wayland. Improved ARM/aarch64 out-of-the-box compatibility.
• Source: Fedora Project

Manjaro Governance Crisis: Sixth Week Continues, Silence Persists

• The Manjaro governance standoff continues deep into its sixth week. No new statements from either Philip Müller or the 19 manifesto signatories. No fork announced. No nonprofit formation timeline proposed. Technical operations continue: stable and unstable updates ship normally. The complete absence of communication since March 19 suggests the crisis has settled into indefinite paralysis rather than active resolution.
• Source: FOSS Force

Firefox 150 Beta Launches with GTK Emoji Picker and Local Network Access Restrictions

• Firefox 150 entered public beta. On Linux, GTK emoji picker support arrives (Ctrl+. keyboard shortcut). Local network access restrictions are now being extended to all users, requiring websites to request permission before connecting to local devices or services. The PDF viewer gains page reorganization (move, copy, delete). Developer-facing additions include scoped custom element registries and the ariaNotify() method for accessible announcements. Stable release targets April 21.
• Source: 9to5Linux

🤓 I'll be auditing my own package-lock.json for the third time this week, muttering at it as it owes me money. Subscribe free, or go paid for less than a parking ticket in Munich per month to have it land in your inbox every morning.

I'll see you next time.