
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
SANS Stormcast Monday, April 6th, 2026: TeamPCP Update and Axios Post Mortem; Fortinet 0-Day
Apr 6, 2026
A rundown of Team PCP activity and why some compromise lists may be incomplete. A social engineering trick that led a developer to install malware during a video call. Rapid detection and removal of a malicious Axios npm package. Compromised Strapi-related npm plugins acting as covert C2 agents. A Fortinet unauthenticated RCE that was actively exploited and patched.
Episode notes
Team PCP Activity Has Plateaued
- Team PCP's visible activity has slowed, with few new attributions over the last two weeks.
- Many compromises were discovered only after the initial wave, as organizations surfaced breached systems and exfiltration details; this is why some compromise lists may be incomplete.
Axios Compromise Came From Sophisticated Social Engineering
- Axios was not breached by Team PCP but through a separate social engineering campaign that targeted a lead developer.
- The attacker posed as a fake company, lured the developer into a video call, and used a fake update/error prompt during the call to get malware installed.
One Deceptive Call Can Compromise A Package
- Supply-chain compromises can be triggered by single-user deception during routine tasks like joining a video call.
- The Axios incident shows even maintainers trusting a call link can be tricked into installing malicious updates.
