Cyber Intelligence Weekly (April 5, 2026): Our Take on Three Things You Need to Know
Welcome to our weekly newsletter where we share some of the major developments on the future of cybersecurity that you need to know about. Make sure to follow my LinkedIn page as well as Echelon’s LinkedIn page to receive updates on the future of cybersecurity!
To receive these and other curated updates to your inbox on a regular basis, please sign up for our email list here: https://echeloncyber.com/ciw-subscribe
Before we turn to this week’s edition of Cyber Intelligence Weekly, I want to introduce a new Personal Spotlight Series: The Human Side of Cybersecurity.
This series is grounded in conversation rather than commentary. It centers on CISOs and other cyber leaders who are in the seat—navigating real leadership pressure, complex risk decisions, and the human realities of building and sustaining security programs. Some are earlier in their journey, others further along paths many of you may recognize or aspire toward. What they share isn’t theory. It’s experience—earned through moments of progress, frustration, growth, and reflection. These conversations are for the professionals who show up every day to quietly carry the weight of this industry.
Dr. Trebor Evans (Dollar Bank) — “Be uncomfortable.”
In this episode, I sat down with Dr. Trebor Z. Evans, PMP, CCISO, CDPSE, Senior Vice President and CISO at Dollar Bank, whose career is the definition of a “long and winding road.” Trebor didn’t start in cybersecurity—he grew into it through decades across IT, project management, and multiple industries including insurance, healthcare, education, and banking. What’s striking is that he didn’t follow a predefined path. Instead, he built a foundation of principles—least privilege, framework alignment, strong customer service—long before he ever held a formal security title. When the opportunity presented itself, he stepped outside his comfort zone, trusted his experience, and made the leap into cybersecurity leadership.
What stood out most in our conversation was Trebor’s mindset around intentional growth through discomfort. One defining moment came after he had already become a CISO—he chose to pursue a doctorate, not because he needed it professionally, but because he wanted to challenge himself. That decision reflects a deeper philosophy: growth doesn’t come from external validation, it comes from pushing yourself into hard things purely for the sake of becoming better. That mindset has clearly shaped how he leads, how he develops others, and how he approaches the ever-changing nature of cybersecurity.
He also shared a grounded and practical view of what it means to operate as a CISO in a fast-moving field within a historically stable industry like banking. While cybersecurity evolves daily, most business functions do not—and that’s exactly the point. Trebor sees his role as absorbing that complexity so the business doesn’t have to, allowing bankers and operators to focus on what they do best while he manages risk behind the scenes. It’s a reminder that security isn’t about creating noise—it’s about enabling the business to run safely and effectively.
Additional takeaways from the conversation:
- Your past experience is never wasted. Even roles that aren’t labeled “security” build the foundation for future leadership.
- Self-efficacy matters. Trebor earned his CISO role by clearly articulating what he could do immediately, what he would need to learn, and how he would close those gaps.
- Cybersecurity is constant uncertainty. Unlike other functions, you never know what the day will bring—and that’s part of the job.
- Not all hype is reality. AI as a perfect control is overhyped, and traditional third-party risk approaches (like surface-level site visits) often provide less value than assumed.
- There is no business without risk. The goal is not to eliminate risk—it’s to manage probability and impact in a way that enables the business to operate.
- Burnout doesn’t have a one-size-fits-all solution. Great leaders focus on understanding individual motivation, not forcing generic work-life balance advice.
- People are driven by different things. The best leaders help individuals connect their work to what personally motivates them—and then challenge them to grow.
- The CISO role is not about technology alone. Communication, relationship-building, and translating risk into business terms are a massive part of the job.
- Face-to-face interaction still matters. Especially for younger professionals, developing interpersonal skills is critical to long-term success.
- Perspective reduces stress. Concepts like “don’t sweat the small stuff” help maintain focus on what truly matters in a high-pressure field.
His billboard message for every new CISO was simple and powerful: Be uncomfortable. Growth, opportunity, and fulfillment all live outside the comfort zone. If you stay where it’s safe, you stay where you are.
If there was one thread that ran through this conversation, it was this: the best security leaders aren’t just technical experts—they are self-aware, adaptable, and willing to push themselves and others beyond what feels easy.
Watch the Full Interview Here: https://www.youtube.com/watch?v=k632H5dIU6s

Echelon Thought Leadership Highlight
We’re heading to CS5 West in San Diego!
As CMMC continues to take center stage, we’re looking forward to connecting with organizations navigating what compliance really looks like in practice.
You can find us at Booth 49, where our team will be on-site:
Chris Callahan, Partner
Alyson Pisarcik, Manager
Greg DeLeonardis, Client Solutions Manager
If you’re planning to attend, let's connect! https://cs5west.org/

Away we go!
1. M-Trends 2026: Attackers Are Slower, Smarter, and Harder to Detect
Every year, the Google Mandiant M-Trends report gives us a clear view into how attackers are actually operating in the real world, and the 2026 edition reinforces something we’ve been seeing firsthand: attackers aren’t necessarily getting louder, they’re getting more efficient. Drawing on hundreds of thousands of hours of incident response engagements, one of the most telling data points is that dwell time (the number of days between initial compromise and detection) is back on the rise, now sitting at a global median of 14 days. That might not sound dramatic at first glance, but it signals a shift toward more deliberate, persistent intrusions, especially in espionage-driven campaigns where staying undetected matters more than moving fast.
Initial access is evolving just as quickly. Exploits remain the dominant entry point for the sixth straight year, but what stood out to me is the rise of voice-based social engineering, now the second most common intrusion vector. We’re no longer just dealing with phishing emails; we’re dealing with real-time human manipulation, often targeting help desks and identity workflows. At the same time, email phishing continues to decline as a primary vector, which tells you attackers are shifting toward methods that bypass traditional controls and lean into human trust instead.
On the back end of these intrusions, the objective is changing in a meaningful way. Ransomware isn’t just about encrypting data anymore, it’s about destroying the ability to recover. Attackers are systematically targeting backups, identity systems, and virtualization layers to create maximum operational pressure. Combine that with a growing trend of “access brokers” handing off compromised environments to other actors, sometimes in under 30 seconds, and you start to see how fragmented, but highly coordinated, the threat ecosystem has become.
And then there’s AI. While it’s not yet the primary cause of breaches, it’s clearly becoming a force multiplier. Threat actors are using it to scale reconnaissance, personalize social engineering, and even evade detection mid-execution. But the bigger takeaway from this year’s report is this: most breaches are still rooted in fundamental gaps, unpatched systems, weak identity controls, and poor visibility across environments. The tools are evolving, but the root causes aren’t. And that’s where organizations need to stay focused if they want to keep pace.

CI/CD Supply Chain Attacks Are Now a Cloud Problem (Not Just a Dev Problem)
One of the more important stories this week isn’t a traditional “cloud outage” or misconfiguration, it’s the ripple effect of the Trivy supply chain compromise, and it’s a perfect example of how cloud risk is shifting. What started as a compromised open-source security tool quickly spread into CI/CD pipelines, GitHub Actions, Docker images, and ultimately cloud environments. Over a thousand SaaS environments have already been impacted, and that number is likely just the beginning.
What makes this particularly dangerous in cloud environments is how much trust we place in automation. Pipelines are pulling images, running workflows, and injecting secrets at machine speed, and attackers are now inserting themselves directly into that flow. In this case, malicious updates were pushed to what appeared to be legitimate container images and GitHub Actions, executing credential-stealing malware inside build pipelines. Once inside, attackers harvested cloud instance metadata (including the temporary credentials it exposes), API keys, and tokens, effectively gaining access to downstream environments without ever “breaking in” the traditional way.
What you should be doing right now:
- Pin every third-party GitHub Action to a full 40-character commit SHA (with the version in a trailing comment for readability), not to a version tag or branch; tags are mutable and can be re-pointed at a malicious commit. For package dependencies, commit a lockfile that carries integrity hashes and install with `npm ci` (or the equivalent for your ecosystem) so the build fails on an unexpected artifact
- Audit any workflow that uses pull_request_target or another trigger that runs with the base repository's secrets: if such a workflow checks out or executes code from the pull request head, an outside contributor's PR runs with your secrets
- Rotate all CI/CD credentials and tokens the pipeline could have seen (especially PATs, cloud API keys, service-account keys, and registry publish tokens), and revoke the old ones rather than only issuing new ones; where the cloud provider supports it, prefer short-lived OIDC-federated credentials over long-lived secrets stored in the pipeline
- Scan for unusual outbound traffic or exfiltration from build runners, and where possible restrict runner egress to the registries and endpoints a build legitimately needs
- Treat your CI/CD pipeline as a Tier 0 asset, because attackers already do
Real-world takeaway: We’re seeing more organizations get compromised “sideways,” not through their perimeter, but through trusted pipelines. If your cloud security strategy doesn’t deeply include DevOps and CI/CD, you’ve got a blind spot.
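The first two checks in the list above are easy to automate. The script below is an added example written for this newsletter, not code from Mandiant, Aqua Security, GitHub, or any project named here. It scans GitHub Actions workflow text for actions pinned to a mutable tag or branch instead of a 40-character commit SHA, and for a pull_request_target trigger combined with a checkout of the pull request head. Parsing is regex-based so it runs without PyYAML; both sample workflows are constructed, and the SHAs in the hardened one are illustrative placeholders rather than real release hashes.

```python
"""Audit GitHub Actions workflow text for two supply-chain weaknesses:
1. third-party actions pinned to a mutable tag/branch instead of a full commit SHA;
2. a pull_request_target workflow that checks out the pull request head, so an outside
   contributor's code runs with the base repository's secrets.
Regex-based on purpose (no PyYAML dependency). Sample workflows are constructed;
the SHAs in HARDENED_WORKFLOW are illustrative, not real release hashes.
"""
import re
from dataclasses import dataclass

SHA40 = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)", re.M)
# The trigger appears inline ("on: [push, pull_request_target]") or as a nested key.
PRT_TRIGGER_RE = re.compile(r"^\s*on:.*\bpull_request_target\b|^\s*pull_request_target\s*:", re.M)
# Checking out the PR head under a privileged trigger is the dangerous combination.
PR_HEAD_RE = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)|github\.head_ref")


@dataclass
class Finding:
    severity: str
    message: str


def audit_workflow(text: str) -> list[Finding]:
    """Return findings for the contents of one workflow file."""
    findings: list[Finding] = []
    for m in USES_RE.finditer(text):
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):
            continue  # local actions and container images are out of scope here
        action, sep, pin = ref.rpartition("@")
        if not sep:
            findings.append(Finding("high", f"{ref}: no ref specified"))
        elif not SHA40.match(pin):
            findings.append(Finding("medium", f"{action}: pinned to mutable ref '{pin}', not a commit SHA"))
    if PRT_TRIGGER_RE.search(text) and PR_HEAD_RE.search(text):
        findings.append(Finding("high", "pull_request_target workflow checks out the PR head: "
                                        "untrusted code runs with repository secrets"))
    return findings


# Constructed: the weak pattern (mutable pins, PR head checked out under a privileged trigger).
WEAK_WORKFLOW = """\
name: pr-build
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: example-org/scan-action@master
      - run: npm install && npm test
"""

# Constructed: same build with SHA pins, the unprivileged trigger, and a lockfile-enforcing install.
HARDENED_WORKFLOW = """\
name: pr-build
on:
  pull_request:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0f8e7d6c5b4a39281706f5e4d3c2b1a0f9e8d7c6 # v4 (illustrative SHA)
      - uses: example-org/scan-action@a1b2c3d4e5f60718293a4b5c6d7e8f9012345678 # v1 (illustrative SHA)
      - run: npm ci && npm test
"""

if __name__ == "__main__":
    for name, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        results = audit_workflow(wf)
        print(f"{name}: {len(results)} finding(s)")
        for f in results:
            print(f"  [{f.severity}] {f.message}")
```

Run it over `.github/workflows/*.yml` in each repository and fail the check on any high finding. The trigger check is deliberately coarse: a pull_request_target workflow that never checks out or runs PR code (label or comment automation, for example) is legitimate, so review the high findings rather than auto-fixing them.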

2. Axios Incident: How One Package Put Millions of Systems at Risk
At the end of March, one of the most widely used JavaScript libraries in the world quietly became a distribution mechanism for malware. Attackers successfully compromised the official Axios package on npm, an open-source dependency embedded in everything from web apps to backend services and CI/CD pipelines. With more than 100 million weekly downloads, Axios isn’t just popular, it’s foundational. And for a brief window, that foundation was poisoned.
What stands out about this incident isn’t just the scale, it’s the precision. The malicious update was short-lived, reportedly active for only a few hours, but it was enough. During that time, the compromised package delivered a cross-platform remote access trojan (RAT) capable of infecting Windows, macOS, and Linux developer systems. The attackers also took steps to mask their activity, manipulating package metadata to make the compromised version appear legitimate while quietly executing malicious code behind the scenes.
But the real story here is what happened next. Even after organizations patched their environments and updated Axios, many were still exposed. The malware wasn’t limited to build pipelines, it landed on developer workstations, creating a secondary layer of risk. In several cases, teams believed they were in the clear until deeper inspection of endpoints revealed indicators of compromise days later. That’s the danger with modern supply chain attacks: they don’t just compromise software, they compromise the people and systems building it.
There’s a broader lesson here that’s hard to ignore. We’ve built our development ecosystems on trust; trust in open source, trust in automation, trust in speed. Attackers understand that better than anyone. The Axios incident is another reminder that securing your software supply chain isn’t just about scanning code, it’s about visibility across your entire development lifecycle, from dependencies to developer endpoints to production secrets.

AI Is Supercharging Social Engineering—and It’s Working
The latest findings from Mandiant’s M-Trends 2026 report confirm something we’ve been talking about with clients: AI isn’t replacing attackers, it’s making them more effective. One of the biggest shifts is the rise of voice phishing (vishing), now the second most common initial access vector. Attackers are using AI-generated scripts, deepfake audio, and real-time conversation support to convincingly impersonate employees, executives, and even IT help desk interactions.
What’s changed is the quality and scale. Instead of generic phishing emails, attackers are now running interactive, AI-assisted campaigns that adapt in real time. We’re seeing cases where attackers call help desks, request MFA resets, and walk away with full account access without touching malware. In some campaigns, that initial access is then handed off to ransomware operators almost immediately, accelerating the path from compromise to impact.
There’s also a more subtle but important trend: attackers are using AI during execution. Some malware strains are now querying language models mid-operation to adjust behavior, evade detection, or improve persistence. This isn’t theoretical, it’s already happening in the wild.
What you should be doing right now:
- Implement strict identity verification for help desk and support workflows, with no exceptions for executives or "urgent" requests: verify through a callback to a number already on file or through the user's manager, and never reset MFA or a password on the strength of details the caller supplies (employee ID, date of birth, last four digits), because that is exactly the information attackers collect first
- Train employees on voice-based and real-time social engineering, not just email phishing
- Monitor for abnormal identity changes (MFA method resets and new registrations, password resets, privilege escalation), especially a reset followed shortly by a sign-in from a new location or a new role assignment
- Use AI defensively: scan for exposed secrets, detect anomalies, and accelerate response
- Treat identity as your primary control plane, not just a supporting function
Real-world takeaway: AI didn’t create social engineering, but it just made it scalable, believable, and fast. The organizations that win here won’t just deploy more tools, they’ll rethink how trust works inside their environment.
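The monitoring item above describes a concrete sequence: a help desk reset, then a sign-in from somewhere new, then a new role. The script below is an added example (not from Mandiant or any identity vendor) that runs that correlation over audit events. The JSON-lines schema with ts/event/actor/target/ip/ticket fields is constructed for the example; real Entra ID or Okta audit logs need a field-mapping step first, and the ticket-reference rule assumes your help desk process requires one.

```python
"""Flag help-desk-driven identity changes that look like a vishing-enabled takeover:
an MFA or password reset performed by someone other than the account owner, followed
within a short window by a sign-in from an IP the user has never used before or by a
new privileged role. The log schema is constructed for this example; map real
Entra ID / Okta audit events onto it before use.
"""
import json
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)            # how long after a reset to keep watching the account
RESET_EVENTS = {"mfa_reset", "password_reset"}

# Constructed sample log, one JSON event per line. Two users: j.doe is reset by the help
# desk with no ticket and then signs in from a new IP and gains Global Administrator;
# a.lee is reset against a ticket and signs in from a known IP.
SAMPLE_LOG = """\
{"ts":"2026-04-01T08:55:00Z","event":"signin","actor":"j.doe","target":"j.doe","ip":"203.0.113.10","ticket":""}
{"ts":"2026-04-01T09:10:00Z","event":"mfa_reset","actor":"helpdesk.tier1","target":"j.doe","ip":"10.0.5.21","ticket":""}
{"ts":"2026-04-01T09:14:00Z","event":"signin","actor":"j.doe","target":"j.doe","ip":"198.51.100.77","ticket":""}
{"ts":"2026-04-01T09:20:00Z","event":"role_assigned","actor":"j.doe","target":"j.doe","ip":"198.51.100.77","ticket":"","role":"Global Administrator"}
{"ts":"2026-04-01T10:00:00Z","event":"signin","actor":"a.lee","target":"a.lee","ip":"203.0.113.44","ticket":""}
{"ts":"2026-04-01T10:05:00Z","event":"mfa_reset","actor":"helpdesk.tier1","target":"a.lee","ip":"10.0.5.21","ticket":"INC-20481"}
{"ts":"2026-04-01T10:09:00Z","event":"signin","actor":"a.lee","target":"a.lee","ip":"203.0.113.44","ticket":""}
"""


def parse_log(text: str) -> list[dict]:
    """Parse JSON lines into event dicts with a real datetime, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect_suspicious_resets(events: list[dict]) -> list[dict]:
    """One alert per reset that has at least one suspicious signal attached."""
    alerts = []
    for i, reset in enumerate(events):
        if reset["event"] not in RESET_EVENTS:
            continue
        user = reset["target"]
        reasons = []
        # Signal 1: reset done by another account with no ticket reference (process bypass).
        if reset["actor"] != user and not reset.get("ticket"):
            reasons.append("reset performed by another account with no ticket reference")
        # Baseline: IPs this user signed in from before the reset.
        known_ips = {e["ip"] for e in events[:i] if e["event"] == "signin" and e["target"] == user}
        for e in events[i + 1:]:
            delta = e["ts"] - reset["ts"]
            if delta > WINDOW:
                break                  # events are sorted, nothing later is in the window
            if e["target"] != user:
                continue
            minutes = int(delta.total_seconds() // 60)
            # Signal 2: first sign-in after the reset comes from an IP never seen for this user.
            if e["event"] == "signin" and e["ip"] not in known_ips:
                reasons.append(f"sign-in from never-seen IP {e['ip']} {minutes} min after reset")
            # Signal 3: privilege change shortly after the reset.
            if e["event"] == "role_assigned":
                reasons.append(f"role '{e.get('role')}' assigned {minutes} min after reset")
        if reasons:
            alerts.append({"user": user, "actor": reset["actor"],
                           "reset_at": reset["ts"].isoformat(), "reasons": reasons})
    return alerts


def run_sample() -> list[dict]:
    return detect_suspicious_resets(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for a in run_sample():
        print(f"ALERT {a['user']} reset by {a['actor']} at {a['reset_at']}")
        for r in a["reasons"]:
            print(f"  - {r}")
```

Tune the severity by how many signals stack: a ticketed reset followed by a sign-in from a new IP is common for travelling users, while a reset with no ticket followed by a new IP and a new admin role within twenty minutes is the pattern worth paging on.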

3. Claude Code Leak Sparks Wave of Malware-Laced Fakes
In one of the more unusual incidents this week, a mistake, not an attack, set off a chain reaction across the software ecosystem. Anthropic inadvertently exposed the source code for its Claude Code CLI tool after publishing an npm package that included a debug source map (.map) file, the artifact build tools generate so that minified JavaScript can be traced back to its original source. The issue was caught and removed quickly, but not before more than half a million lines of code made their way into the wild. Within hours, copies began circulating across GitHub and other platforms, sparking intense interest and, predictably, opportunistic abuse.
What followed is where the real risk emerged. Threat actors wasted no time capitalizing on the moment, seeding fake repositories and typosquatted npm packages that claimed to offer “enhanced” or “unlocked” versions of the leaked tool. In reality, these downloads delivered payloads like infostealers, proxy malware, and remote access trojans. It is a familiar pattern. Take a high-interest event, wrap it in urgency and curiosity, and turn it into a distribution channel for malware. The difference here is the speed. This pivot from leak to weaponization happened almost immediately.
There is another layer that makes this incident even more concerning. The leak coincided with the Axios npm supply chain compromise, creating a scenario where developers pulling Claude Code during a specific window may have unknowingly introduced a second, unrelated threat through compromised dependencies. That overlap highlights a growing challenge in modern environments: risk stacking. It is no longer about a single vulnerability or event. It is about how multiple issues intersect and amplify each other inside complex ecosystems.
The takeaway is straightforward, even if the environment is not. Curiosity is now a threat vector. Developers chasing leaked tools or early access code can unintentionally become the entry point for attackers. At the same time, organizations need to rethink how they validate code, protect proprietary assets, and monitor developer environments. Because in today’s landscape, a simple packaging mistake can quickly turn into a full-scale supply chain event.
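Both of the npm stories above come down to what is actually in your lockfile: a compromised release of a package you meant to install (the Axios case) or a look-alike package you never meant to install (the typosquats that followed the Claude Code leak). The script below is an added example for this newsletter, not code from npm, Anthropic, or the Axios project. It audits a package-lock.json for versions on a known-bad list, entries with no integrity hash or resolved from an unexpected host, and names within one edit (including a transposition) of a widely used package. The lockfile, the KNOWN_BAD versions, the trusted-host set, and the popular-package list are all constructed placeholders; substitute the versions from the real advisory and your own inventory.

```python
"""Audit an npm package-lock.json (lockfileVersion 2/3) for supply-chain signals:
- a (name, version) pair on a known-bad list;
- an entry with no integrity hash, or resolved from a host outside the allowlist;
- a package name one edit away from a widely used package (typosquat candidate).
KNOWN_BAD, TRUSTED_HOSTS, POPULAR and the sample lockfile are constructed placeholders.
"""
import json
from urllib.parse import urlparse

# PLACEHOLDER: replace with the (name, version) pairs from the actual advisory.
KNOWN_BAD = {("axios", "1.99.0")}
# Assumed registry allowlist; add internal mirrors as needed.
TRUSTED_HOSTS = {"registry.npmjs.org"}
# Short list of widely used names to compare against; extend from your own dependency inventory.
POPULAR = {"axios", "lodash", "express", "react", "chalk", "commander"}


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus adjacent transposition,
    so 'axois' is distance 1 from 'axios' rather than 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def audit_lockfile(lock: dict) -> list[dict]:
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":
            continue                                   # root project entry
        name = path.rsplit("node_modules/", 1)[-1]     # handles nested node_modules and @scopes
        version = meta.get("version", "")
        resolved = meta.get("resolved", "")
        if (name, version) in KNOWN_BAD:
            findings.append({"package": name, "check": "known_bad_version", "severity": "high",
                             "detail": f"{name}@{version} is on the known-bad list"})
        if not meta.get("integrity"):
            findings.append({"package": name, "check": "missing_integrity", "severity": "medium",
                             "detail": f"{name}@{version} has no integrity hash; npm ci cannot verify it"})
        if resolved and urlparse(resolved).hostname not in TRUSTED_HOSTS:
            findings.append({"package": name, "check": "untrusted_resolved_host", "severity": "medium",
                             "detail": f"{name} resolved from {urlparse(resolved).hostname}"})
        if name not in POPULAR:
            near = sorted(p for p in POPULAR if osa_distance(name, p) <= 1)
            if near:
                findings.append({"package": name, "check": "typosquat_candidate", "severity": "high",
                                 "detail": f"{name} is one edit away from {', '.join(near)}"})
    return findings


# Constructed sample lockfile; integrity values are placeholders.
SAMPLE_LOCK = """{
  "name": "demo-app", "lockfileVersion": 3, "requires": true,
  "packages": {
    "": {"name": "demo-app", "dependencies": {"axios": "^1.99.0", "axois": "^1.0.2"}},
    "node_modules/axios": {"version": "1.99.0",
      "resolved": "https://registry.npmjs.org/axios/-/axios-1.99.0.tgz", "integrity": "sha512-AAAA"},
    "node_modules/axois": {"version": "1.0.2",
      "resolved": "https://registry.npmjs.org/axois/-/axois-1.0.2.tgz", "integrity": "sha512-BBBB"},
    "node_modules/lodash": {"version": "4.17.21",
      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz"},
    "node_modules/express": {"version": "4.21.2",
      "resolved": "https://registry.npmjs.org/express/-/express-4.21.2.tgz", "integrity": "sha512-CCCC"},
    "node_modules/leftpad-utils": {"version": "0.1.0",
      "resolved": "https://example.invalid/leftpad-utils-0.1.0.tgz", "integrity": "sha512-DDDD"}
  }
}"""


def run_sample() -> list[dict]:
    return audit_lockfile(json.loads(SAMPLE_LOCK))


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f['severity']}] {f['check']}: {f['detail']}")
```

Run it against every lockfile in your repositories and, for the Axios-style case, against the lockfiles on developer workstations as well, since a clean pipeline says nothing about a laptop that ran `npm install` during the bad window. The typosquat check produces false positives for legitimately similar names, so treat those findings as review items, not blocks.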
Thanks for reading!
About us: Echelon is a full-service cybersecurity consultancy that offers holistic cybersecurity program building through vCISO or more specific solutions like penetration testing, red teaming, security engineering, cybersecurity compliance, and much more! Learn more about Echelon here: https://echeloncyber.com/about