Two separate but related security incidents this week have highlighted growing abuse of WhatsApp as a malware delivery vector. On April 1–2, 2026, WhatsApp told roughly 200 users — primarily in Italy — they had installed a counterfeit iPhone client that was actually government-grade spyware attributed to Italian surveillance firm SIO (through its ASIGINT unit). The malware, linked to a family researchers call “Spyrtacus,” can exfiltrate messages, call logs and record audio/video; WhatsApp has logged affected accounts out, urged users to reinstall the official app and said it will issue a formal legal demand to SIO. Separately, Microsoft on March 31 flagged a broad campaign that has been delivering malicious Visual Basic Script (VBS) files via WhatsApp since late February to compromise Windows machines. That chain uses social engineering, “living‑off‑the‑land” techniques (renamed legitimate Windows utilities), trusted cloud hosting (AWS, Tencent Cloud, Backblaze) and unsigned MSI installers to gain persistence and attempt UAC elevation. Both operations rely on user deception rather than zero‑day exploits, complicating automated defenses and increasing the reliance on user vigilance and endpoint controls.

On March 31, 2026, researchers discovered a supply‑chain compromise of Axios — a widely used JavaScript HTTP client with roughly 80–100 million weekly downloads — after attackers published two malicious versions (1.14.1 and 0.30.4) to the npm registry. The intruders, who Google’s Threat Intelligence Group attributed to a North Korea‑nexus actor tracked as UNC1069, hijacked a maintainer account (jasonsaayman) and injected a bogus dependency (plain-crypto-js@4.2.1) that deployed a cross‑platform remote access trojan (WAVESHAPER.V2) targeting Windows, macOS and Linux. The poisoned releases were live for only a few hours but could have been pulled into millions of downstream projects and CI/CD pipelines. Security firms including StepSecurity, Elastic, Wiz and Huntress helped identify the campaign, which bypassed OIDC/GitHub Actions protections by using a long‑lived npm token and direct CLI publishes. Google warned of broad ripple effects — credential theft, SaaS and cloud compromises, ransomware, extortion and cryptocurrency theft — and advised immediate auditing of lockfiles, rotation of secrets and remediation of potentially compromised developer machines.

Apple on April 1, 2026 rolled out an unusual security update — iOS 18.7.7 and iPadOS 18.7.7 — to expand protections against a powerful exploit toolkit known as DarkSword. The backported fixes cover a broader set of devices still running iOS 18, including some hardware that can run the newer iOS 26 but whose owners have not upgraded. DarkSword, first flagged by Google Threat Intelligence and security firms, can seize an iPhone after a user visits a compromised website and exfiltrate messages, browser history, location, photos and cryptocurrency. The toolkit has been used in attacks in Saudi Arabia, Turkey, Malaysia and Ukraine and was recently posted to GitHub, raising the risk of wider opportunistic abuse. Apple said devices with automatic updates will receive the patch and reiterated that iOS 26 provides the strongest protections; Lockdown Mode also defends against the exploit. The move follows a prior emergency fix for a different toolkit, Coruna, in March and marks a rare reversal of Apple’s usual policy of pushing users to upgrade to receive security fixes.

Security researchers this week disclosed two powerful iPhone and iPad exploit toolkits — dubbed Coruna and DarkSword — that have been used by both state-linked actors and cybercriminals to steal data. DarkSword, portions of which were published to GitHub late March, contains exploits effective against devices running recent iOS 18.x builds and has been described as “plug-and-play,” making mass exploitation easier for less-skilled attackers. Coruna includes exploits that target older iOS versions; some components have been linked to Trenchant, a unit within U.S. contractor L3Harris. Google, Apple and independent analysts say many vulnerabilities have been patched in recent iOS updates, and Apple has urged users on unsupported or out-of-date software to install security updates or enable Lockdown Mode. Apple also told reporters it is not aware of any successful mercenary spyware attacks on devices when Lockdown Mode was enabled. Researchers warn that leaked government-grade tools increase the risk of widescale watering‑hole and web-based attacks against unpatched devices worldwide.

Hasbro Inc., the U.S. toy and entertainment group behind brands such as Peppa Pig, Transformers, Monopoly and Dungeons & Dragons, disclosed an unauthorized intrusion into its network first detected on March 28. In an 8-K filing to the U.S. Securities and Exchange Commission, the company said it proactively took select systems offline, activated incident-response protocols, engaged third-party cybersecurity specialists and implemented business continuity plans to continue taking orders and shipping products. Hasbro warned those interim measures may need to remain in place “for several weeks” and could cause delivery and operational delays. Parts of Hasbro’s websites were unavailable after the breach was detected. The company said its investigation is ongoing and it is reviewing potentially impacted files; it has not disclosed whether data were stolen or whether the incident involved ransomware. The disclosure comes as Hasbro reported strong recent revenue momentum, underscoring the operational and commercial risks posed by prolonged outages. Hasbro said it will provide legally required notifications if necessary while it works to restore systems and secure its operations.