Browser Security Alert: MuPDF RCE and OAuth Phishing Actively Exploited

This newsletter is AI-generated and may sometimes hallucinate 😊

China-Linked TA416 Exploits OAuth Phishing Against European Governments

  • Chinese state-sponsored hacking group TA416 (Scarlet Mimic, Earth Krahang) is conducting highly customized OAuth-based phishing attacks to compromise European government email accounts.
  • The campaign primarily targets Exchange Outlook accounts within foreign affairs ministries and diplomatic missions through social engineering that tricks users into granting malicious third-party apps access to their email data.
  • Successful phishing leads to account takeover and subsequent deployment of the PlugX remote access trojan via spear-phishing emails containing malicious URLs or attachments.

Source: The Hacker News | Date: April 4, 2026
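
A defender-side check for the consent-grant abuse described above, as an added example that is not part of the original newsletter or the cited reporting. It assumes grant records shaped like Microsoft Graph oauth2PermissionGrant objects; the allowlist, app IDs and user IDs are constructed.

```python
# Added example: all data below is constructed, not taken from the campaign reporting.
# Assumption: grant records follow the shape of Microsoft Graph
# oauth2PermissionGrant objects (clientId, consentType, principalId, scope).

# Delegated scopes that give an app access to a user's mailbox.
MAIL_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "Mail.ReadBasic",
    "MailboxSettings.ReadWrite", "IMAP.AccessAsUser.All", "EWS.AccessAsUser.All",
}

# Hypothetical allowlist of client app IDs the organisation has reviewed.
APPROVED_CLIENTS = {"11111111-aaaa-4aaa-8aaa-000000000001"}

# Constructed sample grants.
SAMPLE_GRANTS = [
    {"clientId": "11111111-aaaa-4aaa-8aaa-000000000001", "consentType": "AllPrincipals",
     "principalId": None, "scope": "User.Read Mail.Read"},
    {"clientId": "22222222-bbbb-4bbb-8bbb-000000000002", "consentType": "Principal",
     "principalId": "user-041", "scope": "openid offline_access Mail.ReadWrite Mail.Send"},
    {"clientId": "33333333-cccc-4ccc-8ccc-000000000003", "consentType": "Principal",
     "principalId": "user-007", "scope": "openid profile User.Read"},
    {"clientId": "22222222-bbbb-4bbb-8bbb-000000000002", "consentType": "Principal",
     "principalId": "user-112", "scope": "offline_access mail.read"},
]

def review_grants(grants, approved=APPROVED_CLIENTS):
    """Group mail-access grants held by unapproved apps, keyed by client app ID."""
    findings = {}
    for g in grants:
        if g["clientId"] in approved:
            continue
        # Scope strings are space-separated; compare case-insensitively.
        scopes = {s.lower() for s in (g.get("scope") or "").split()}
        mail = sorted(m for m in MAIL_SCOPES if m.lower() in scopes)
        if not mail:
            continue
        f = findings.setdefault(
            g["clientId"], {"users": set(), "scopes": set(), "persistent": False})
        f["users"].add(g["principalId"] or "*tenant-wide*")
        f["scopes"].update(mail)
        # offline_access means the app holds a refresh token that outlives the session.
        f["persistent"] |= "offline_access" in scopes
    return findings

if __name__ == "__main__":
    for client, f in review_grants(SAMPLE_GRANTS).items():
        print(client, sorted(f["users"]), sorted(f["scopes"]),
              "refresh-token" if f["persistent"] else "session-only")
```

An app that appears here with several users and offline_access is the one to review first, since revoking the grant is what cuts off access; a password reset alone does not remove the consent.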

Critical MuPDF Integer Overflow Vulnerability Enables Remote Code Execution (CVE-2026-3308)

  • A critical integer overflow vulnerability, tracked as CVE-2026-3308, has been identified in MuPDF, a widely used lightweight PDF and XPS viewer/renderer.
  • This flaw allows for remote code execution (RCE) when processing specially crafted PDF files, enabling attackers to hijack systems by exploiting a weakness in the jbig2_decode_template function.
  • The vulnerability affects applications that embed MuPDF, including web browsers that use it for PDF rendering, and can be triggered simply by opening a malicious PDF document, bypassing typical sandbox protections.

Source: SecurityOnline | Date: April 3, 2026

References

  1. China-Linked TA416 Targets European Governments with PlugX and OAuth-Based Phishing - The Hacker News
  2. The MuPDF Vulnerability Turning “Safe” PDFs into System Hijackers - SecurityOnline
  3. CVE-2026-3308 - MITRE
