CyberheistNews Vol 16 #17 | April 28th, 2026
[Heads Up] This Sophisticated Scam Should Be a Warning to All Companies
By Roger Grimes
Scams are becoming more sophisticated over time, but this latest scam should be a wake-up call to all organizations and employees as to how far some scammers will go to damage your organization or its stakeholders.
On March 31, 2026, malicious hackers hijacked the development account of a lead maintainer of a popular open-source product called Axios used by many companies. It has over 100 million downloads a week.
Note: The Axios involved here is not Axios, the news media company. The hackers, reported to be likely North Korean nation-state actors, compromised the Node Package Manager (npm) account of Axios lead maintainer Jason Saayman.
npm is a popular open-source development repository (like GitHub), particularly for JavaScript and Node.js programs. The "npm" command is commonly used to install packages on Linux and other operating systems. A user or admin can type something like "npm install <package-name>" to install a package.
Maintainers upload code updates to NPM so that users and administrators can download, install and update the software they want to use.
Using the Axios maintainer's compromised account, the attackers published two fake malicious versions of Axios, axios@1.14.1 and axios@0.30.4. These versions injected a fake dependency, plain-crypto-js@4.2.1, which executed a malicious post-install script to silently deploy a cross-platform (Microsoft Windows, Linux and macOS) remote access trojan (RAT) targeting developer machines and development pipelines, without modifying the Axios source code itself.
Users and administrators downloading, using and updating Axios unknowingly installed the malicious backdoor into their systems, allowing the hackers to gain access to their systems.
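The defensive lesson in the attack described above is that the malicious code arrived as a brand-new dependency with an install-time script, not as a change to Axios itself. The following is an added example (not code from the newsletter or from the Axios project) of a CI gate that diffs two npm lockfiles and blocks the build when a never-before-seen dependency declares install scripts; both lockfiles are constructed sample data.

```python
"""Added example (not from the newsletter or the Axios project): a CI gate that
diffs two npm lockfiles (package-lock.json, lockfileVersion 2/3) and fails when
a dependency that was never in the previous lockfile declares an install-time
lifecycle script. That is the shape of the Axios incident: the compromised
versions pulled in plain-crypto-js@4.2.1, whose post-install script deployed
the RAT, while axios' own source was untouched. npm records such packages with
"hasInstallScript": true in the lockfile. Both lockfiles below are constructed
sample data, not real captured files.
"""
import json

OLD_LOCK = json.loads("""{
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "dependencies": {"axios": "^1.14.0"}},
    "node_modules/axios": {"version": "1.14.0"},
    "node_modules/follow-redirects": {"version": "1.15.6"}
  }
}""")

NEW_LOCK = json.loads("""{
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "dependencies": {"axios": "^1.14.0"}},
    "node_modules/axios": {"version": "1.14.1"},
    "node_modules/follow-redirects": {"version": "1.15.6"},
    "node_modules/plain-crypto-js": {"version": "4.2.1", "hasInstallScript": true}
  }
}""")


def index_packages(lock: dict) -> dict:
    """Map package name -> lock entry, skipping the root ("") entry.
    Keys may be nested (node_modules/a/node_modules/@scope/b), so the name is
    whatever follows the last 'node_modules/'."""
    out = {}
    for path, entry in lock.get("packages", {}).items():
        if path == "":
            continue
        out[path.rsplit("node_modules/", 1)[-1]] = entry
    return out


def audit_lock_diff(before: dict, after: dict) -> dict:
    """Classify every package in the new lockfile as added, version-bumped, or
    (the dangerous case) added with an install script."""
    prev, nxt = index_packages(before), index_packages(after)
    findings = {"added": [], "bumped": [], "new_with_install_script": []}
    for name, entry in nxt.items():
        ver = entry.get("version", "?")
        old = prev.get(name)
        if old is None:
            findings["added"].append(f"{name}@{ver}")
            if entry.get("hasInstallScript"):
                findings["new_with_install_script"].append(f"{name}@{ver}")
        elif old.get("version") != ver:
            findings["bumped"].append(f"{name} {old.get('version')} -> {ver}")
    return findings


def lockfile_gate(before: dict, after: dict) -> tuple[bool, dict]:
    """True when the change passes policy; False should block the pipeline.
    Pair this with 'npm ci --ignore-scripts' so nothing executes before review."""
    findings = audit_lock_diff(before, after)
    return (not findings["new_with_install_script"], findings)


if __name__ == "__main__":
    ok, findings = lockfile_gate(OLD_LOCK, NEW_LOCK)
    print("PASS" if ok else "BLOCK", json.dumps(findings, indent=2))
```

Run against the constructed lockfiles, the gate blocks: the axios version bump alone is unremarkable, but plain-crypto-js@4.2.1 is both new and carries an install script, which is exactly the combination a human should review before any install runs.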
But the scam started two weeks ago.
We are very fortunate that the involved maintainer, Jason Saayman, went public with what happened and how he was scammed. If I could give him an international award, I would.
[Continued] Blog post with links:
https://blog.knowbe4.com/this-sophisticated-scam-should-be-a-warning-to-all-companies
Your Guide to Beating 2026's Phishing Epidemic
In 2026, the threat landscape has shifted from scattergun attacks to the hyper-automation of sophisticated threats. AI-driven toolkits aren't new; what matters is what they are now doing. With top threat actors achieving greater scale and agility, the window to detect and react has all but vanished.
Join us for a first look at the 2026 Phishing Threat Trends Report. Jack Chapman, KnowBe4's SVP of Threat Intelligence, will break down the data from extensive analysis of phishing attacks that successfully landed in users' inboxes in 2026. Get the intelligence you need for proactive risk management.
You'll gain insight into:
- The latest tactics, techniques and procedures behind the criminal landscape in email security and the reality of how AI is changing the threat landscape
- How multi-channel threats continue to evolve and why Teams-based attacks have surged 41%
- Dealing with the 139% spike in sophisticated M365 credential theft
- How a 49% surge in fake invites is weaponizing business processes to manufacture instant urgency
- Battle-tested guidance to transform your cloud email security from reactive to proactive
Don't miss this exclusive preview of the new 2026 Phishing Threat Trends Report, and earn CPE for attending!
Date/Time: TOMORROW, Wednesday, April 29 @ 1:00 PM (ET)
Save My Spot:
https://info.knowbe4.com/2026-phishing-threat-trends-report?partnerref=CHN3
Alert: WhatsApp Phishing Campaign Delivers Malware
A new phishing campaign is using WhatsApp messages to deliver malware, according to researchers at Microsoft. The attackers are attempting to trick users into installing malicious Visual Basic Script (VBS) files. "The campaign relies on a combination of social engineering and living-off-the-land techniques," Microsoft says.
"It uses renamed Windows utilities to blend into normal system activity, retrieves payloads from trusted cloud services such as AWS, Tencent Cloud and Backblaze B2, and installs malicious Microsoft Installer (MSI) packages to maintain control of the system. By combining trusted platforms with legitimate tools, the threat actor reduces visibility and increases the likelihood of successful execution."
If a user falls for the phishing attack, the malicious VBS file creates a hidden folder on the infected system and creates renamed versions of legitimate Windows utilities to evade detection.
Microsoft offers the following advice to help organizations thwart these attacks:
- "Strengthen Endpoint Controls: Block or restrict execution of script hosts (wscript, cscript, mshta) in untrusted paths, and monitor for renamed or hidden Windows utilities being executed with unusual flags.
- Enhance Cloud Traffic Monitoring: Inspect and filter traffic to cloud services like AWS, Tencent Cloud and Backblaze B2, ensuring malicious payload downloads are detected even when hosted on trusted platforms.
- Detect Persistence Techniques: Continuously monitor registry changes under HKLM\Software\Microsoft\Win and flag repeated tampering with User Account Control (UAC) settings as indicators of compromise.
- Block direct access to known C2 infrastructure where possible, informed by your organization's threat-intelligence sources.
- Educate Users on Social Engineering: Train employees to recognize suspicious WhatsApp attachments and unexpected messages, reinforcing that even familiar platforms can be exploited for malware delivery."
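Two of the behaviours above, renamed copies of Windows utilities and script hosts run from untrusted paths, translate directly into endpoint detection logic. The following is an added example (not from the newsletter or from Microsoft's advisory) that runs two such rules over constructed Sysmon-style process-creation records; the untrusted-directory list is an assumption to tune per environment.

```python
"""Added example (not from the newsletter or from Microsoft's write-up): detection
logic for two behaviours the WhatsApp campaign relies on, run over constructed
Sysmon-style process-creation records (not real telemetry).

Rule 1: a renamed copy of a Windows utility. The PE version resource keeps the
        original name, which Sysmon exposes as OriginalFileName, so a mismatch
        between that and the on-disk file name is the tell.
Rule 2: a script host (wscript/cscript/mshta) launched from outside the system
        directories, or handed a script that lives in a user-writable location.
Field names follow Sysmon Event ID 1; the directory lists are assumptions.
"""
import ntpath

WATCHED_UTILITIES = {"wscript.exe", "cscript.exe", "mshta.exe", "msiexec.exe", "attrib.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
UNTRUSTED_DIRS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")
TRUSTED_IMAGE_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _in_untrusted_dir(path: str) -> bool:
    p = path.lower()
    return any(d in p for d in UNTRUSTED_DIRS)


def evaluate(event: dict) -> list[str]:
    """Return the names of the rules that fire for one process-creation event."""
    hits = []
    image = event.get("Image", "")
    original = event.get("OriginalFileName", "").lower()
    cmdline = event.get("CommandLine", "")
    # Rule 1: the binary is a known utility but runs under a different file name.
    if original in WATCHED_UTILITIES and _base(image) != original:
        hits.append("renamed_utility")
    # Rule 2: key on the original name so renaming does not evade the rule.
    if original in SCRIPT_HOSTS:
        if not image.lower().startswith(TRUSTED_IMAGE_DIRS):
            hits.append("script_host_outside_system_dir")
        args = cmdline.split()[1:]  # crude tokenizer: everything after the executable
        if any(_in_untrusted_dir(a) for a in args):
            hits.append("script_host_untrusted_script_path")
    return hits


def scan(events) -> dict:
    """Map ProcessId -> fired rules; events with no findings are omitted."""
    return {e["ProcessId"]: hits for e in events if (hits := evaluate(e))}


SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"ProcessId": 1001, "Image": r"C:\Windows\System32\cscript.exe",
     "OriginalFileName": "cscript.exe", "CommandLine": r"cscript.exe C:\Scripts\inventory.vbs"},
    {"ProcessId": 1002, "Image": r"C:\Users\bob\AppData\Roaming\svc\winupd.exe",
     "OriginalFileName": "wscript.exe", "CommandLine": r"winupd.exe //B C:\Users\bob\AppData\Roaming\svc\a.vbs"},
    {"ProcessId": 1003, "Image": r"C:\Windows\System32\wscript.exe",
     "OriginalFileName": "wscript.exe", "CommandLine": r"wscript.exe C:\Users\bob\AppData\Local\Temp\invoice.vbs"},
    {"ProcessId": 1004, "Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for pid, rules in scan(SAMPLE_EVENTS).items():
        print(pid, ", ".join(rules))
```

The legitimate admin script (1001) and notepad (1004) produce nothing, while the renamed wscript copy in AppData (1002) trips all three checks; the rule keyed on OriginalFileName is what catches it despite the innocuous file name.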
Blog post with links:
https://blog.knowbe4.com/alert-whatsapp-phishing-campaign-delivers-malware
Your Kit for Securing AI Adoption
Your workforce has shifted to include autonomous agents, yet 83% of orgs lack visibility into what their agents are actually doing. While one in three enterprise employees now uses an assistant daily, most do so without security governance.
This oversight gap leaves you vulnerable as threats evolve toward sophisticated deepfakes and the new frontier of prompt injections. This kit cuts through the noise, guiding you through the next phase of agentic defense and governance to help you manage your hybrid attack surface effectively and securely.
Your kit includes:
- Webinar: Why Your Human Risk Management Strategy Can't Ignore AI
- Whitepaper: Securing The Hybrid Workforce: Protecting Humans and AI Agents in a New Era
- Webinar: How to Secure AI Adoption in Your Organization
- Whitepaper: AI vs. AI: Combating Cybercriminals with an AI-Powered Human Risk Management Program
- Whitepaper: Critical Capabilities When Evaluating AI-Powered Security Awareness Training
- Whitepaper: The KnowBe4 Approach to Human Risk Management - Meet AIDA: Artificial Intelligence Defense Agents
- Datasheet: Agent Risk Manager
Download Your Kit Now:
https://info.knowbe4.com/secure-ai-adoption-kit?utm_source=chn_email&utm_medium=email&utm_campaign=dg-sat-campaign-26&utm_content=chn_ai_kit
Nobody Runs a Marathon by Accident
By Javvad Malik
Nobody wakes up on a Sunday, stretches, checks the weather and accidentally clocks 26.2 miles before brunch. A marathon is built on lonely mornings, careful plans, lost toenails and no social life. You train for weeks or months. You get injured. You ice. You tape. You pick protein over pudding. All because you know without this, you won't cross that finish line.
Security culture works the same way. You do not stumble into it. You do not print three posters, throw in a quiz and discover that everyone is serenely immune to scams. Culture is the accumulated result of small choices made in the same direction, under pressure, when nobody is watching. It is early miles in the rain, not a photo finish.
Runners don't vibe; they start with a plan. Security needs the equivalent. A once-a-year training module will not help someone when they're looking at their inbox at 4.43 p.m. on a Thursday.
Training and coaching need to be embedded into the flow of work. Short prompts. Fast checks. Small frictions at the moment of choice. Teach the legs to keep turning over, not just how to read a manual about running.
Things will go wrong. A hamstring twinges at mile seven. A blister turns up when you least want it. The fix is never to shout at the leg for being weak. You adjust. You rest. You learn.
If you punish people for those moments, they will hide them. If you praise fast reporting, they will tell you early and often. That is how you prevent real damage. Mental safety is not a poster. It is a policy you prove with how you behave when things go wrong.
Runners do not live on junk food when they are building up to a marathon. Because rubbish in means rubbish out. Security culture needs the right inputs too. Tools that reduce friction instead of adding it. Policies written so a human will read them. Leaders who say "no" publicly to the insecure shortcut, not just privately in a DM.
You can run a marathon in the wrong trainers, you just will not like your feet afterward. In security, clunky processes are the wrong shoes. If reporting a suspicious email requires five menus, a ticket and your grandmother's maiden name, do not act surprised when nobody reports anything. Make the safe path the easy path. Spend money on trainers, not plasters.
Community helps more than people often realize. Ask any first-timer what got them through and you will hear about club runs, mentors and that stranger at mile twenty who offered a hydration gel sachet. Build your champions. Celebrate the people who catch near misses. Tell the stories of quiet wins, not just loud mistakes.
You can always tell who treated culture like a sprint and who treated it like a marathon. One group hopes for good weather and a flat course. The other has a rain plan, a pace band, a spare pair of socks and the number of someone who will come get them if it all goes sideways. Security is not about never making mistakes. It is about building a team that notices early, recovers fast and finishes together.
You will not build a positive security culture by accident. You will build it the long way. With repetition. With patience and with a few sore muscles.
You will get it wrong, then get it less wrong, then get it right more often than not. One day you will look up and realize your people are scanning for risks without being asked, reporting without being shamed and helping each other over the line.
That is the finish worth training for.
Wise words from Javvad in this blog post. Share it with your peers!
https://blog.knowbe4.com/nobody-runs-a-marathon-by-accident
[ROUNDTABLE] When Agents Go Off the Rails: Closing the Governance Gap
86% of organizations have no insight into their AI data flows. Those agents are already running — traversing your network, touching sensitive systems, executing decisions. Some were handed corporate policies at build time. Almost none of them are being held to those policies at runtime, and almost no one is watching to find out.
The security conversation is often overly fixated on the prompt. Meanwhile, the real exposure is downstream: what the agent retrieves, what it decides, and what it does with both.
Join us for this roundtable as we discuss where the visibility gaps actually live in an agentic architecture, what a working monitoring framework looks like, and how to close the loop before your next audit does it for you.
We’ll explore how to:
- Establish continuous observability, moving beyond static logging to active governance, identifying "permission creep" in real-time before autonomous agents scale into your greatest liability.
- Neutralize indirect injections, and implement guardrails that prevent external data from hijacking internal workflows, stopping attackers from "prompting" your agents via email, web scrapes, or third-party APIs.
- Prevent autonomous exfiltration and secure unmonitored data flows to stop agents from inadvertently leaking PII, secrets, or intellectual property through non-deterministic outputs.
- Mitigate "runaway" logic & resource abuse by identifying and throttling agent overstepping and API consumption loops that create silent security incidents and "hallucinated" financial costs.
Join the conversation to close the agent governance gap and earn CPE credit for attending the live session.
Date/Time: Wednesday, May 6 @ 2:00 PM (ET)
Save My Spot:
https://info.knowbe4.com/closing-the-governance-gap?partnerref=CHN
KnowBe4 and Synthesia Transform Cybersecurity Training with AI Video
We have exciting news to share that empowers us to improve your customer experience. Today, we officially announced a strategic partnership with Synthesia, the world's leading AI video platform.
At KnowBe4, we are a leader in securing both humans and AI agents. The Synthesia partnership allows us to significantly innovate by making high-quality, personalized training more accessible than ever. By integrating Synthesia's AI avatars directly into the KnowBe4 platform, you can now:
- Scale Content Creation: Use AI avatars to produce studio-quality training videos in minutes; no cameras, studios or production teams required.
- Global Localization: Use AI dubbing to instantly translate content into 130+ languages, ensuring every employee trains in their native language.
- Real-Time Updates: Edit video scripts and publish refreshed custom content the moment threats or compliance requirements change.
- Seamless Delivery: Distribute Synthesia AI-powered videos through our trusted KnowBe4 Platform.
What's Next?
This partnership comes just ahead of a major update to the ModStore, which will soon feature advanced AI search to help you find the right content instantly.
Read the Press Release:
https://www.knowbe4.com/press/knowbe4-and-synthesia-transform-cybersecurity-training-with-ai-video
Let's stay safe out there.
Warm regards,
Stu Sjouwerman, SACP
Executive Chairman
KnowBe4, Inc.
PS: [SEND TO YOUR EXECS] How Cybercrime Became a Leading Industry in 'Scambodia':
https://www.wsj.com/world/asia/cambodia-cybercrime-rise-why-2f2c03cc
PPS: Yet another ex-ransomware negotiator admits turning rogue after payoff from crime lords:
https://www.theregister.com/2026/04/21/yet_another_ex_ransomware_negotiator_pleads/
- Richard P. Feynman - Physicist (1918 - 1988)
- Benjamin Franklin - Founding Father, inventor and author (1706 - 1790)
You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-16-17-heads-up-this-sophisticated-scam-should-be-a-warning-to-all-companies
FBI: Americans Lost More Than $20 Billion to Fraud Last Year
Cyber-enabled crimes cost Americans nearly $21 billion in 2025, a 26% increase from the previous year, according to the FBI's latest Internet Crime Report. Phishing, extortion and investment scams were the most commonly reported attacks, with AI-related scams driving some of the costliest losses.
Phishing was the top attack vector, with these attacks leading to more than $215 million in losses.
Notably, AI-assisted business email compromise (BEC) attacks cost victims more than $30 million. "Chat generators can quickly create official-sounding emails mimicking a company's CEO or other officials," the report says. "These emails can contain phishing links or directions to wire funds.
"Voice cloning can also be used to request wire payment or provide employee data. There are multiple BEC tactics and not all are AI-enabled. In 2025, businesses reported losses over $30 million to BEC scams involving AI." Investment scams were the primary driver of theft, accounting for just under half of the losses.
"Subjects in investment scams often use AI to enhance their conversations with potential victims allowing the scammers to quickly generate thousands of conversations that appear different to each prospective victim," the FBI says.
"Investment clubs employ AI-generated videos and voices of celebrities, CEOs or trusted figures to create fraudulent, high-stakes opportunities. These scams often feature fake, professional-looking endorsements on social media or in video calls. This makes it harder for victims to detect they are in a scam.
"In 2025, losses in Investment complaints with a reported AI-nexus, surpassed $632 million. However, overall losses to investment scams exceeded $8 billion, demonstrating that many victims do not realize the extent AI may be involved in scams."
Blog post with links:
https://blog.knowbe4.com/fbi-report-americans-lost-20-billion-to-fraud-2025
Phishing Campaigns Abuse AI Workflow Automation Platforms
Threat actors are abusing agentic AI automation platforms to deliver malware and send phishing emails, according to researchers at Cisco Talos. The researchers observed attackers using n8n, a legitimate platform that automates workflows in web apps and services like Slack, GitHub, Google Sheets and others.
"Talos' investigation found that a primary point of abuse in n8n's AI workflow automation platform is its URL-exposed webhooks," the researchers explain. "A webhook, often referred to as a 'reverse API,' allows one application to provide real-time information to another. These URLs register an application as a 'listener' to receive data, which can include programmatically pulled HTML content.
"When the URL receives a request, the subsequent workflow steps are triggered, returning results as an HTTP data stream to the requesting application. If the URL is accessed via email, the recipient's browser acts as the receiving application, processing the output as a webpage."
These URLs allow attackers to send phishing links that appear legitimate, and can be tailored to specific users.
"Talos has observed a significant rise in emails containing n8n webhook URLs over the past year," the researchers write. "For example, the volume of these emails in March 2026 was approximately 686% higher than in January 2025.
"This increase is driven, in part, by several instances of platform abuse, including malware delivery and device fingerprinting. Because webhooks mask the source of the data they deliver, they can be used to serve payloads from untrusted sources while making them appear to originate from a trusted domain.
"Furthermore, since webhooks can dynamically serve different data streams based on triggering events — such as request header information — a phishing operator can tailor payloads based on the user-agent header."
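The last point, a webhook that returns different content depending on the User-Agent header, defeats any URL scanner that fetches with a single client identity. The following is an added example (not from the newsletter or from Talos) of a multi-User-Agent probe for that cloaking behaviour; the HTTP fetcher is injected so it runs offline, and fake_fetch together with the example.invalid hostnames are constructed stand-ins, not real infrastructure.

```python
"""Added example (not from the newsletter or from Talos): a URL-analysis check
for the failure mode Talos describes, a webhook that serves one payload to a
browser and another to everything else, so a sandbox fetching with a single
User-Agent never sees what the recipient's browser gets. The fetcher is
injected so the example runs offline; fake_fetch is a constructed stand-in for
an HTTP client and the hostnames are placeholders, not real n8n instances.
"""
import hashlib
from typing import Callable

# User-Agents a scanner should try: a desktop browser, a mobile browser and a
# deliberately bot-looking client, because cloaking logic usually keys on
# exactly that distinction. Illustrative strings, not an exhaustive list.
PROBE_USER_AGENTS = {
    "desktop-browser": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/124.0 Safari/537.36",
    "mobile-browser": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Mobile/15E148 Safari/604.1",
    "scanner": "python-requests/2.31",
}

Fetcher = Callable[[str, str], tuple[int, bytes]]  # (url, user_agent) -> (status, body)


def probe_for_cloaking(url: str, fetch: Fetcher, probes=PROBE_USER_AGENTS) -> dict:
    """Fetch url once per User-Agent and compare response digests.
    Returns {"cloaked": bool, "variants": {label: (status, sha256_prefix)}}.
    More than one distinct body for the same URL means the endpoint is telling
    clients apart; for a bare webhook link in an email that is a strong reason
    to detonate with the browser-like UA and treat the sender as hostile."""
    variants = {}
    for label, ua in probes.items():
        status, body = fetch(url, ua)
        variants[label] = (status, hashlib.sha256(body).hexdigest()[:16])
    distinct_bodies = {digest for _, digest in variants.values()}
    return {"cloaked": len(distinct_bodies) > 1, "variants": variants}


# Constructed stand-in for the network, modelling the behaviour Talos describes:
# the webhook path answers browsers with a credential form and scanners with a
# blank page, while an ordinary page is identical for everyone.
def fake_fetch(url: str, user_agent: str) -> tuple[int, bytes]:
    if "/webhook/" in url and "Mozilla" in user_agent:
        return 200, b"<html><form action='https://login.example.invalid/'>...</form></html>"
    if "/webhook/" in url:
        return 200, b"<html>Nothing to see here</html>"
    return 200, b"<html>static page</html>"


if __name__ == "__main__":
    print(probe_for_cloaking("https://automation.example.invalid/webhook/abc123", fake_fetch))
    print(probe_for_cloaking("https://example.invalid/about", fake_fetch))
```

Against the constructed fetcher the webhook URL is flagged as cloaked because the scanner identity receives a different body than either browser, while the ordinary page is not; in production, swap fake_fetch for a real HTTP client that runs from an isolated analysis network.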
Blog post with links:
https://blog.knowbe4.com/phishing-campaigns-abuse-ai-workflow-automation-platforms
What KnowBe4 Customers Say
"I would like to take a moment to give extreme praise to Marcela C. for her outstanding support she provided throughout our recent efforts. Marcela demonstrated exceptional professionalism, deep technical knowledge and remarkable patience as she worked with us to resolve configuration challenges.
"Although I joined the process later than planned on our group member setup, she ensured we were able to efficiently address and resolve all outstanding issues. Thanks to her expertise and steady guidance, we are now in a strong position to successfully move our phishing exercise application into production.
"Her contributions were instrumental, and I truly appreciate the level of care and excellence she brought to this effort."
- E.A., Senior M365 Engineer/Admin
- U.S. accuses China of "industrial-scale" AI theft. China says it’s "slander." Yeah, right:
https://arstechnica.com/tech-policy/2026/04/us-accuses-china-of-industrial-scale-ai-theft-china-says-its-slander/
- Bloomberg: China's 360 Hunts Software Flaws With AI, Echoing Mythos:
https://www.bloomberg.com/news/articles/2026-04-22/china-s-360-hunts-software-flaws-with-ai-echoing-mythos
- Phishing reclaims its spot as the most common initial access vector in Q1 2026:
https://blog.talosintelligence.com/ir-trends-q1-2026/
- YouTube's AI Deepfake Detector Now Lets Any Celebrity Take Down Infringing Videos:
https://www.cnet.com/tech/services-and-software/youtubes-ai-deepfake-detector-now-lets-any-celebrity-take-down-infringing-videos/
- UK cyber agency handling four major incidents a week as nation-state attacks surge:
https://therecord.media/UK-cyberattacks-ncsc-china
- China's cyber capabilities now equal to the U.S., warns Dutch intelligence:
https://therecord.media/china-cyber-capabilities-match-us-dutch-intel-says
- But did Mythos miss vulnerability #272?:
https://arstechnica.com/ai/2026/04/mozilla-anthropics-mythos-found-271-zero-day-vulnerabilities-in-firefox-150/
- Users advised to drop passwords and make room for passkeys. But are you OK with that?:
https://www.helpnetsecurity.com/2026/04/24/ncsc-passkey-adoption-cybersecurity/
- AI models are getting better at social engineering:
https://www.wired.com/story/ai-model-phishing-attack-cybersecurity/
- Threat actors use hidden website instructions to trick AI assistants:
https://hackread.com/hackers-hidden-site-instruction-attack-ai-assistants/
- Virtual Vaca #1 - Siena Italy in Stunning 4K WITH Drone Views of Tuscany’s Medieval Masterpiece:
https://youtu.be/ATry_SvOI7M
- Virtual Vaca #2 - Top 10 Places To Visit in Oman:
https://youtu.be/ZavW9eZa2R0
- Virtual Vaca #3 - MAUI, HAWAII (2026) | 15 Best Things To Do On The Island Of Maui:
https://youtu.be/uinQh6xe_OU
- The Glide: 2025 Backcountry Film Festival Jury Award Winner:
https://youtu.be/AQsqUvNjFOc
- Ten Years Of Awesome - Best Of All Time:
https://www.flixxy.com/ten-years-of-awesome-best-of-all-time.htm?utm_source=chn&utm_medium=email
- Precision Wingsuit Road Fly-By | With Live Stats!:
https://youtu.be/9o0euL2ec-M
- Can We Sustain The Data Centre Construction Boom?:
https://youtu.be/sLEnn-sgpIk
- LockPickingLawyer - Defiant’s $80 Smart Deadbolt:
https://youtu.be/liZJhHWlxLY
- Star Wars: The Mandalorian and Grogu Final Trailer, In Theaters May 22:
https://youtu.be/uwild1rw7Aw
- For Da Kids #1 - Kind man rescues terrified badger stuck in fence:
https://youtu.be/PDr8_mS_YhY
- For Da Kids #2 - Massive Gorilla Shows Incredible Compassion to Tiny Bird:
https://youtu.be/7_pregNBNls
- For Da Kids #3 - Dog heartbroken when dad leaves him alone (with mom):
https://youtu.be/Y8RwWa-A8oI
- For Da Kids #4 - Rescued Chimp Pauses To Hug Jane Goodall Before Returning To The Wild:
https://youtu.be/v3P20h2-FS4
- For Da Kids #5 - From Highway Rescue To Full-Time Baby Pig Bestie:
https://youtu.be/E3SayTlcYbY

