⚡ Weekly Recap: Axios Hack, Chrome 0-Day, Fortinet Exploits, Paragon Spyware and More
Phishing surge, LinkedIn tracking claims, spyware use, and rising stealers expose growing abuse of trusted systems.
A packed week in cybersecurity. Axios suffered a breach exposing internal communications, Google shipped emergency patches for an actively exploited Chrome zero-day, Fortinet rushed fixes for FortiClient EMS flaws under attack, and new details emerged about Paragon's spyware being used against journalists. Here's what matters and what to do about it.
Axios Breach Exposes Internal Data
News outlet Axios confirmed a security incident that exposed internal company data. While customer data was reportedly not impacted, the breach highlights that media organizations are increasingly in the crosshairs. Attackers target newsrooms for leverage, source identification, and pre-publication access. Organizations handling sensitive communications should review access controls and vendor permissions regularly.
Chrome Zero-Day Under Active Exploitation
Google released an out-of-band Chrome update to patch a vulnerability that threat actors were using in the wild. Browser zero-days remain one of the most effective initial access vectors because users are slow to update. If you manage fleet browsers, enforce auto-update policies. For individual users, restart Chrome now.
Fortinet FortiClient EMS Under Attack
Fortinet issued emergency hotfixes for CVE-2026-35616, a critical zero-day in FortiClient EMS allowing unauthenticated remote code execution. Shadowserver estimates 2,000 instances are internet-exposed. This is the second critical FortiClient EMS flaw this year after CVE-2026-21643 was patched in February. Patch immediately or restrict external access to EMS consoles.
Paragon Spyware Targets Journalists
New reports show Paragon's Graphite spyware was deployed against journalists and media figures, continuing a disturbing trend of commercial surveillance tools being used against press freedom. Governments and organizations supporting at-risk journalists should invest in device hardening and monitoring capabilities.
WAFplanet Take
Three of these four stories share a common thread: perimeter defenses and endpoint software are the entry points. Whether it is a browser zero-day, an unpatched Fortinet server, or compromised admin credentials at a media company, the attack surface is well-known. The defenders who get breached are the ones who treat patching and access reviews as quarterly tasks instead of daily operations. Cloudflare, Imperva, and Akamai all offer layered protection that reduces exposure, but none of them help if you ignore the basics on the endpoints behind them.