ARTICLES 2026 APRIL
| DATE | NAME | Info | CATEG. | WEB |
|---|---|---|---|---|
| 30.4.26 | New Python Backdoor Uses Tunneling Service to Steal Browser and Cloud Credentials | Cybersecurity researchers have disclosed details of a stealthy Python-based backdoor framework called DEEP#DOOR that comes with capabilities to | Virus | The Hacker News |
| 30.4.26 | EtherRAT Distribution Spoofing Administrative Tools via GitHub Facades | Intro A sophisticated, high-resilience malicious campaign was identified by Atos Threat Research Center (TRC) in March 2026. This operation specifically | Virus | The Hacker News |
| 30.4.26 | New Linux 'Copy Fail' Vulnerability Enables Root Access on Major Distributions | Cybersecurity researchers have disclosed details of a Linux local privilege escalation (LPE) flaw that could allow an unprivileged local user to obtain root. | Vulnerability | The Hacker News |
| 30.4.26 | Google Fixes CVSS 10 Gemini CLI CI RCE and Cursor Flaws Enable Code Execution | Google has addressed a maximum severity security flaw in Gemini CLI -- the "@google/gemini-cli" npm package and the "google-github-actions/run-gemini- | AI | The Hacker News |
| 30.4.26 | SAP-Related npm Packages Compromised in Credential-Stealing Supply Chain Attack | Cybersecurity researchers are sounding the alarm about a new supply chain attack campaign targeting SAP-related npm Packages with credential-stealing | Hack | The Hacker News |
| 30.4.26 | New Wave of DPRK Attacks Uses AI-Inserted npm Malware, Fake Firms, and RATs | Cybersecurity researchers have discovered malicious code in an npm package after a malicious package as a dependency to the project by Anthropic's Claude Opus large language model (LLM). The package in question is " | APT | The Hacker News |
| 29.4.26 | Critical cPanel Authentication Vulnerability Identified — Update Your Server Immediately | cPanel has released security updates to address a security issue impacting various authentication paths that could allow an attacker to obtain access to | Vulnerability | The Hacker News |
| 29.4.26 | CISA Adds Actively Exploited ConnectWise and Windows Flaws to KEV | The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added two security flaws impacting ConnectWise ScreenConnect and Microsoft Windows to its Known Exploited Vulnerabilities (KEV) catalog, | Exploit | The Hacker News |
| 29.4.26 | LiteLLM CVE-2026-42208 SQL Injection Exploited within 36 Hours of Disclosure | In yet another instance of threat actors quickly jumping on the exploitation bandwagon, a newly disclosed critical security flaw in BerriAI's LiteLLM Python | Vulnerability | The Hacker News |
| 29.4.26 | Researchers Discover Critical GitHub CVE-2026-3854 RCE Flaw Exploitable via Single Git Push | Cybersecurity researchers have disclosed details of a critical security vulnerability impacting GitHub.com and GitHub Enterprise Server that could | Vulnerability | The Hacker News |
| 29.4.26 | Brazilian LofyGang Resurfaces After Three Years With Minecraft LofyStealer Campaign | A cybercrime group of Brazilian origin has resurfaced after more than three years to orchestrate a campaign that targets Minecraft players with a new | CyberCrime | The Hacker News |
| 28.4.26 | VECT 2.0 Ransomware Irreversibly Destroys Files Over 131KB on Windows, Linux, ESXi | Threat hunters are warning that the cybercriminal operation known as VECT 2.0 acts more like a wiper than a ransomware due to a critical flaw in its | Ransom | The Hacker News |
| 28.4.26 | Critical Unpatched Flaw Leaves Hugging Face LeRobot Open to Unauthenticated RCE | Cybersecurity researchers have disclosed details of a critical security flaw impacting LeRobot, Hugging Face's open-source robotics platform with nearly | Vulnerability | The Hacker News |
| 28.4.26 | Chinese Silk Typhoon Hacker Extradited to U.S. Over COVID Research Cyberattacks | A Chinese national accused of being a member of the Silk Typhoon hacking group has been extradited to the U.S. from Italy. Xu Zewei, 34, was arrested in | APT | The Hacker News |
| 28.4.26 | Microsoft Patches Entra ID Role Flaw That Enabled Service Principal Takeover | An administrative role meant for artificial intelligence (AI) agents within Microsoft Entra ID could enable privilege escalation and identity takeover | Vulnerability | The Hacker News |
| 28.4.26 | Microsoft Confirms Active Exploitation of Windows Shell CVE-2026-32202 | Microsoft on Monday revised its advisory for a now-patched, high-severity security flaw impacting Windows Shell to acknowledge that it has been | Vulnerability | The Hacker News |
| 28.4.26 | Checkmarx Confirms GitHub Repository Data Posted on Dark Web After March 23 Attack | Checkmarx has disclosed that its ongoing investigation tied to the supply chain security incident has revealed that a cybercriminal group published data | CyberCrime | The Hacker News |
| 27.4.26 | TeamPCP Supply Chain Campaign: Update 008 - 26-Day Pause Ends with Three Concurrent Compromises (Checkmarx KICS, Bitwarden CLI Cascade, xinference PyPI), CanisterSprawl npm Worm Identified, and Tier 1 Coverage Returns | This update succeeds TeamPCP Supply Chain Campaign Update 007, published April 8, 2026, which left the campaign in credential-monetization mode following the Cisco source code theft via Trivy-linked credentials, Google GTIG's formal designation of the operators as UNC6780 (with their credential stealer named SANDCLOCK), and the lapsed CISA KEV remediation deadline for CVE-2026-33634 with no standalone federal advisory. | Hack | SANS |
| 27.4.26 | PhantomCore Exploits TrueConf Vulnerabilities to Breach Russian Networks | A pro-Ukrainian hacktivist group called PhantomCore has been attributed to attacks actively targeting servers running TrueConf video conferencing | Exploit | The Hacker News |
| 27.4.26 | Researchers Uncover 73 Fake VS Code Extensions Delivering GlassWorm v2 Malware | Cybersecurity researchers have flagged dozens of Microsoft Visual Studio Code (VS Code) extensions on the Open VSX repository that are linked to a | Virus | The Hacker News |
| 27.4.26 | Fake CAPTCHA IRSF Scam and 120 Keitaro Campaigns Drive Global SMS, Crypto Fraud | Cybersecurity researchers have disclosed details of a telecommunications fraud campaign that uses fake CAPTCHA verification tricks to dupe | Cryptocurrency | The Hacker News |
| 26.4.26 | Researchers Uncover Pre-Stuxnet ‘fast16’ Malware Targeting Engineering Software | Cybersecurity researchers have discovered a new Lua-based malware created years before the notorious Stuxnet worm that aimed to sabotage Iran's nuclear | Virus | The Hacker News |
| 26.4.26 | New BlackFile extortion group linked to surge of vishing attacks | A new financially motivated hacking group tracked as BlackFile has been linked to a wave of data theft and extortion attacks against retail and hospitality organizations since February 2026. | Hack | BleepingComputer |
| 26.4.26 | Microsoft to roll out Entra passkeys on Windows in late April | Microsoft will roll out passkey support for phishing-resistant passwordless authentication to Microsoft Entra‑protected resources from Windows devices starting late April. | OS | |
| 26.4.26 | New ‘Pack2TheRoot’ flaw gives hackers root Linux access | A new vulnerability dubbed Pack2TheRoot could be exploited in the PackageKit daemon to allow local Linux users to install or remove system packages and gain root permissions. | Exploit | |
| 26.4.26 | DORA and operational resilience: Credential management as a financial risk control | Article 9 of DORA makes authentication and access control a legal obligation for EU financial entities. Here is what the regulation requires, and what a breach looks like when those controls are missing. | Security | BleepingComputer |
| 26.4.26 | Over 10,000 Zimbra servers vulnerable to ongoing XSS attacks | Over 10,000 Zimbra Collaboration Suite (ZCS) instances exposed online are vulnerable to ongoing attacks exploiting a cross-site scripting (XSS) security flaw. | Vulnerability | BleepingComputer |
| 26.4.26 | Microsoft now lets admins uninstall Copilot on enterprise devices | Microsoft says IT administrators can now uninstall the AI-powered Copilot digital assistant from enterprise devices using a new policy setting, which has become broadly available after the April 2026 Patch Tuesday. | OS | BleepingComputer |
| 26.4.26 | Hackers exploit file upload bug in Breeze Cache WordPress plugin | Hackers are actively exploiting a critical vulnerability in the Breeze Cache plugin for WordPress that allows uploading arbitrary files on the server without authentication. | Exploit | |
| 26.4.26 | Bitwarden CLI npm package compromised to steal developer credentials | The Bitwarden CLI was briefly compromised after attackers uploaded a malicious @bitwarden/cli package to npm containing a credential-stealing payload capable of spreading to other projects. | Incident | |
| 26.4.26 | Trigona ransomware attacks use custom exfiltration tool to steal data | Recently observed Trigona ransomware attacks are using a custom, command-line tool to steal data from compromised environments faster and more efficiently. | Ransom | BleepingComputer |
| 26.4.26 | New Checkmarx supply-chain breach affects KICS analysis tool | Hackers have compromised Docker images, VSCode and Open VSX extensions for the Checkmarx KICS analysis tool to harvest sensitive data from developer environments. | Incident | BleepingComputer |
| 26.4.26 | Cosmetics giant Rituals discloses data breach affecting customers | Dutch cosmetics giant Rituals disclosed a data breach after attackers stole the personal information of an undisclosed number of customers from its "My Rituals" membership database. | Incident | BleepingComputer |
| 26.4.26 | Regular Password Resets Aren’t as Safe as You Think | Password resets are one of the easiest ways for attackers to bypass security controls. Specops Software shows how helpdesk social engineering turns a seemingly legitimate reset request into full account compromise. | Security | |
| 26.4.26 | Microsoft: Some Teams users can’t join meetings after Edge update | Microsoft confirmed that a recent Microsoft Edge browser update introduced a bug that prevents Windows users from joining Teams meetings. | OS | |
| 26.4.26 | UK warns of Chinese hackers using proxy networks to evade detection | The United Kingdom's National Cyber Security Centre (NCSC-UK) and international partners warned that China-nexus hackers are increasingly using large-scale proxy networks of hijacked consumer devices to evade detection and disguise their malicious activity. | BigBrothers | BleepingComputer |
| 26.4.26 | New GopherWhisper APT group abuses Outlook, Slack, Discord for comms | A previously undocumented state-backed threat actor named GopherWhisper is using a Go-based custom toolkit and legitimate services like Microsoft 365 Outlook, Slack, and Discord in attacks against government entities. | APT | |
| 26.4.26 | CISA orders feds to patch BlueHammer flaw exploited as zero-day | CISA has ordered U.S. federal agencies to patch a Microsoft Defender privilege escalation flaw (dubbed BlueHammer) that has been exploited in zero-day attacks. | Exploit | |
| 26.4.26 | Apple fixes bug that let the FBI recover deleted Signal messages | Apple has released out-of-band security updates for iPhone and iPad devices to fix a Notification Services flaw that could allow notifications marked for deletion to remain stored on the device. | OS | BleepingComputer |
| 26.4.26 | New Mirai campaign exploits RCE flaw in EoL D-Link routers | A new Mirai-based malware campaign is actively exploiting CVE-2025-29635, a high-severity command-injection vulnerability affecting D-Link DIR-823X routers, to enlist devices into the botnet. | Exploit | BleepingComputer |
| 26.4.26 | Kyber ransomware gang toys with post-quantum encryption on Windows | A new Kyber ransomware operation is targeting Windows systems and VMware ESXi endpoints in recent attacks, with one variant implementing Kyber1024 post-quantum encryption. | Ransom | |
| 26.4.26 | Spain dismantles major $4.7M manga piracy platform, arrests four | The Spanish police have dismantled the largest Spanish-language manga piracy platform, operating since 2014, with millions of monthly users from around the globe. | CyberCrime | |
| 26.4.26 | Inside Caller-as-a-Service Fraud: The Scam Economy Has a Hiring Process | Fraud operations now operate like call centers, complete with hiring, training, and performance tracking. Flare reveals how cybercriminals manage "Caller-as-a-Service" operations like a professional sales team. | Spam | BleepingComputer |
| 26.4.26 | New npm supply-chain attack self-spreads to steal auth tokens | A new supply chain attack targeting the Node Package Manager (npm) ecosystem is stealing developer credentials and attempting to spread through packages published from compromised accounts. | Hack | |
| 26.4.26 | Microsoft Teams to get efficiency mode on PCs with limited resources | Microsoft is preparing to roll out a new Efficiency Mode for Microsoft Teams for systems with limited CPU and memory resources to improve app responsiveness. | OS | |
| 26.4.26 | Microsoft traces Universal Print issues to Graph API code change | Microsoft says that an ongoing Universal Print sharing issue that prevents users from creating some printer shares is due to a Microsoft Graph API code change. | OS | BleepingComputer |
| 26.4.26 | New GoGra malware for Linux uses Microsoft Graph API for comms | A Linux variant of the GoGra backdoor uses legitimate Microsoft infrastructure, relying on an Outlook inbox for stealthy payload delivery. | Virus | BleepingComputer |
| 25.4.26 | Microsoft releases emergency patches for critical ASP.NET flaw | Microsoft has released out-of-band (OOB) security updates to patch a critical ASP.NET Core privilege escalation vulnerability. | Vulnerability | BleepingComputer |
| 25.4.26 | Over 1,300 Microsoft SharePoint servers vulnerable to spoofing attacks | Over 1,300 Microsoft SharePoint servers exposed online remain unpatched against a spoofing vulnerability that was exploited as a zero-day and is still being abused in ongoing attacks. | Vulnerability | |
| 25.4.26 | French govt agency confirms breach as hacker offers to sell data | France Titres, the French government agency for issuing and managing administrative documents, has disclosed a data breach after a threat actor claimed responsibility for the attack and the theft of citizen data. | BigBrothers | |
| 25.4.26 | New Lotus data wiper used against Venezuelan energy, utility firms | A previously undocumented data-wiping malware dubbed Lotus was used last year in targeted attacks against energy and utilities organizations in Venezuela. | Virus | BleepingComputer |
| 25.4.26 | Stopping Fraud at Each Stage of the Customer Journey Without Adding Friction | Fraud prevention and user experience don't have to be a tradeoff. IPQS shows how combining identity, device, and network signals stops fraud without adding friction. | CyberCrime | BleepingComputer |
| 25.4.26 | UK probes Telegram, teen chat sites over CSAM sharing concerns | Ofcom, the United Kingdom's independent communications regulator, has launched an investigation into Telegram based on evidence suggesting it's being used to share child sexual abuse material (CSAM). | Social | |
| 25.4.26 | CISA flags new SD-WAN flaw as actively exploited in attacks | CISA has given U.S. government agencies four days to secure their systems against another Catalyst SD-WAN Manager vulnerability it flagged as actively exploited in attacks. | Exploit | |
| 25.4.26 | Actively exploited Apache ActiveMQ flaw impacts 6,400 servers | Nonprofit security organization Shadowserver found that over 6,400 Apache ActiveMQ servers exposed online are vulnerable to ongoing attacks exploiting a high-severity code injection vulnerability. | Exploit | BleepingComputer |
| 25.4.26 | Former ransomware negotiator pleads guilty to BlackCat attacks | 41-year-old Angelo Martino, a former employee of cybersecurity incident response company DigitalMint, has pleaded guilty to targeting U.S. companies in BlackCat (ALPHV) ransomware attacks in 2023. | Ransom | |
| 25.4.26 | NGate Android malware uses HandyPay NFC app to steal card data | A new variant of the NGate malware that steals NFC payment data is targeting Android users by hiding in a trojanized version of HandyPay, a legitimate mobile payments processing tool. | Virus | |
| 25.4.26 | KelpDAO suffers $290 million heist tied to Lazarus hackers | State-sponsored North Korean hackers are likely behind the $290 million crypto-heist that impacted the KelpDAO DeFi project on Saturday. | APT | BleepingComputer |
| 25.4.26 | FakeWallet crypto stealer spreading through iOS apps in the App Store | In March 2026, we uncovered more than twenty phishing apps in the Apple App Store masquerading as popular crypto wallets. Once launched, these apps redirect users to browser pages designed to look like the App Store and distribute trojanized versions of legitimate wallets. | Cryptocurrency | SECURELIST |
| 25.4.26 | CISA Adds 4 Exploited Flaws to KEV, Sets May 2026 Federal Deadline | The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added four vulnerabilities impacting SimpleHelp, Samsung MagicINFO 9 | Exploit | The Hacker News |
| 25.4.26 | FIRESTARTER Backdoor Hit Federal Cisco Firepower Device, Survives Security Patches | The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has revealed that an unnamed federal civilian agency's Cisco Firepower device running | Virus | The Hacker News |
| 25.4.26 | NASA Employees Duped in Chinese Phishing Scheme Targeting U.S. Defense Software | The Office of Inspector General (OIG) of the U.S. National Aeronautics and Space Administration (NASA) has revealed how a Chinese national posed as a | Phishing | The Hacker News |
| 25.4.26 | 26 FakeWallet Apps Found on Apple App Store Targeting Crypto Seed Phrases | Cybersecurity researchers have discovered a set of malicious apps on the Apple App Store that impersonate popular cryptocurrency wallets in an | Cryptocurrency | The Hacker News |
| 25.4.26 | Supply chain attacks hit Checkmarx and Bitwarden developer tools | Two supply chain attacks, same day, same command-and-control domain | Security blog | SOPHOS |
| 25.4.26 | Strengthening authentication with passkeys: A CISO playbook | Our passkey rollout took three tries. Here's a playbook to make your implementation smoother. | Security blog | SOPHOS |
| 25.4.26 | Sophos Firewall v22 MR1 is now available | Sophos Firewall v22 bolstered Secure by Design, taking it to a whole new level with major updates to the architecture and new features like the Health Check to help identify high-risk configurations. | Security blog | SOPHOS |
| 25.4.26 | Snow Flurries: How UNC6692 Employed Social Engineering to Deploy a Custom Malware Suite | Google Threat Intelligence Group (GTIG) identified a multistage intrusion campaign by a newly tracked threat group, UNC6692, that leveraged persistent social engineering, a custom modular malware suite, and deft pivoting inside the victim’s environment to achieve deep network penetration. | Hacking blog | GTI |
| 25.4.26 | Operation TrustTrap: Anatomy of a Large-Scale Deceptive Domain Spoofing Campaign | CRIL uncovered 16,800+ spoofed domains by analyzing URL trust abuse, cloud infra clustering, and human‑centric deception instead of technical exploits. | Hacking blog | Cyble |
| 25.4.26 | The Week in Vulnerabilities: SharePoint, Fortinet, OpenClaw, and GPL Odorizers | Cyble Research & Intelligence Labs (CRIL) tracked 1,675 vulnerabilities last week, reflecting continued high disclosure volume across enterprise software, cloud services, and emerging AI ecosystems. | Cyber blog | Cyble |
| 25.4.26 | Why AI Cybersecurity Is No Longer Optional for Australian Organizations: Moving from Reactive to Predictive Defense | AI cybersecurity is crucial for Australian businesses as they face rising cyber threats. Predictive solutions help detect, prevent, and respond to attacks in real-time. | AI blog | Cyble |
| 25.4.26 | Why Indian Enterprises Are a Prime Target for Dark Web Credential Markets | Dark web credential markets in India are fueling enterprise data breaches, corporate leaks, and escalating cybersecurity threats across Indian organizations. | Cyber blog | Cyble |
| 25.4.26 | Threat Landscape March 2026: Ransomware Dominance, Access Brokers, Data Leaks, and Critical Exploitation Trends | March 2026 threat landscape saw 702 ransomware attacks, rising data breaches, active access brokers, and critical vulnerability exploitation across industries globally. | Cyber blog | Cyble |
| 25.4.26 | When Malware Authors Study Algebra: The Group Theory Inside Bedep's DGA | A closer look at how Bedep used foreign exchange data and advanced math to generate hard-to-predict domains, making its command-and-control infrastructure more difficult for defenders to block and disrupt | Malware blog | GENDIGITAL |
| 25.4.26 | Trigona Affiliates Deploy Custom Exfiltration Tool to Streamline Data Theft | While many ransomware groups rely on off-the-shelf utilities such as Rclone or MegaSync to steal victim data, recent attacks involving the Trigona ransomware used a custom-developed tool designed to provide attackers with granular control over the data theft process. | Incident blog | SECURITY.COM |
| 25.4.26 | Harvester: APT Group Expands Toolset With New GoGra Linux Backdoor | The Harvester APT group has developed a new, highly-evasive, Linux version of its GoGra backdoor. The malware uses the legitimate Microsoft Graph API and Outlook mailboxes as a covert command-and-control (C2) channel, allowing it to bypass traditional perimeter network defenses. | APT blog | SECURITY.COM |
| 25.4.26 | The Vercel Breach: OAuth Supply Chain Attack Exposes the Hidden Risk in Platform Environment Variables | An OAuth supply chain compromise at Vercel exposed how trusted third party apps and platform environment variables can bypass traditional defenses and amplify blast radius. This article examines the attack chain, underlying design tradeoffs, and what it reveals about modern PaaS and software supply chain risk. | Hacking blog | Trend Micro |
| 25.4.26 | Void Dokkaebi Uses Fake Job Interview Lure to Spread Malware via Code Repositories | Our research on Void Dokkaebi’s operations uncovered a campaign that turns infected developer repositories into malware delivery channels. By spreading through trusted workflows, organizational codebases, and open-source projects, the threat can scale from a single compromise to a broader supply chain risk. | Hacking blog | Trend Micro |
| 25.4.26 | Ghost CMS Content API Blind SQL Injection | SonicWall Capture Labs threat research team became aware of the threat CVE-2026-26980, assessed its impact, and developed mitigation measures for this vulnerability. The flaw, also known as the Ghost CMS Content API slug Filter SQL Injection, is a critical unauthenticated SQL injection vulnerability affecting Ghost in versions 3.24.0 through 6.19.0. | Hacking blog | SonicWall |
| 25.4.26 | The npm Threat Landscape: Attack Surface and Mitigations | The security of the npm ecosystem reached a critical inflection point in September 2025. The Shai-Hulud worm, a self-replicating malware that automated the compromise and redistribution of malicious packages, marked the end of the “nuisance” era of npm attacks and the beginning of a high-consequence threat landscape. | Hacking blog | Palo Alto |
| 25.4.26 | Frontier AI and the Future of Defense: Your Top Questions Answered | Over the last several weeks, Palo Alto Networks and Unit 42 have been talking with CISOs and security leaders globally to discuss the emergence of frontier AI models and their broader implications on cybersecurity. | AI blog | Palo Alto |
| 25.4.26 | TGR-STA-1030: New Activity in Central and South America | TGR-STA-1030 remains an active threat. Since February, we have observed widespread activity from this group across multiple countries. Most recently, their efforts appear to be heavily focused on regions within Central and South America. | Cyber blog | Palo Alto |
| 25.4.26 | DFIR Report – The Gentlemen & SystemBC: A Sneak Peek Behind the Proxy | The Gentlemen ransomware‑as‑a‑service (RaaS) program is rapidly gaining popularity, attracting numerous affiliates and publicly claiming over 320 victims, with the majority of attacks (240) occurring in the first months of 2026. | Ransom blog | CHECKPOINT |
| 25.4.26 | IR Trends Q1 2026: Phishing reemerges as top initial access vector, as attacks targeting public administration persist | Phishing reemerged as the most observed means of gaining initial access, accounting for over a third of the engagements where initial access could be determined. Phishing has not been the top vertical for initial access since Q2 2025. | Cyber blog | CISCO TALOS |
| 25.4.26 | It pays to be a forever student | In this newsletter, Joe discusses why understanding other disciplines can often flow back into the macro and micro of cybersecurity, especially in a world of AI. | AI blog | CISCO TALOS |
| 25.4.26 | UAT-4356's Targeting of Cisco Firepower Devices | Cisco Talos is aware of UAT-4356's continued active targeting of Cisco Firepower devices’ Firepower eXtensible Operating System (FXOS). UAT-4356 exploited n-day vulnerabilities (CVE-2025-20333 and CVE-2025-20362) to gain unauthorized access to vulnerable devices. | Hacking blog | CISCO TALOS |
| 25.4.26 | Bad Apples: Weaponizing native macOS primitives for movement and execution | Cisco Talos documents several macOS living-off-the-land (LOTL) techniques, demonstrating that native pathways for movement and execution remain accessible to those who understand the underlying architecture. | OS Blog | CISCO TALOS |
| 25.4.26 | [Podcast] It's not you, it's your printer: State-sponsored and phishing threats in 2025 | In this episode of Talos Takes, Amy and Martin Lee unpack state-sponsored and phishing trends from the 2025 Talos Year in Review. | Cyber blog | CISCO TALOS |
| 25.4.26 | Phishing and MFA exploitation: Targeting the keys to the kingdom | In 2025, attackers increasingly targeted weaknesses in multi-factor authentication (MFA) workflows, and phishing attacks leveraged valid, compromised credentials to launch lures from trusted accounts. The trends focused entirely on trust, or the lack thereof, in everyday business operations. | Phishing blog | CISCO TALOS |
| 25.4.26 | The calm before the ransom: What you see is not all there is | A breach claims the systems as well as the confidence that was, in retrospect, a major vulnerability | Vulnerability blog | Eset |
| 25.4.26 | GopherWhisper: A burrow full of malware | ESET Research has discovered a new China-aligned APT group that we’ve named GopherWhisper, which targets Mongolian governmental institutions | Malware blog | Eset |
| 25.4.26 | New NGate variant hides in a trojanized NFC payment app | ESET researchers discover another iteration of NGate malware, this time possibly developed with the assistance of AI | AI blog | Eset |
| 25.4.26 | What the ransom note won’t say | An attack is what you see, but a business operation is what you’re up against | Ransom blog | Eset |
| 25.4.26 | PureRAT: A Multi-Stage, Fileless RAT Utilizing Image Steganography and Process Hollowing | PureRAT is an advanced Remote Access Trojan (RAT) characterized by its complex infection stages. The intrusion sequence is initiated by a malicious .LNK file that triggers a concealed PowerShell command to retrieve a heavily obfuscated VBS loader. | Malware blog | Trelix |
| 24.4.26 | Apple Patches Exploited Notification Flaw | Apple yesterday released iOS/iPadOS 26.4.2 and iOS/iPadOS 18.7.8. This update fixes a single Notification Services vulnerability, CVE-2026-28950: | OS | SANS |
| 24.4.26 | Tropic Trooper Uses Trojanized SumatraPDF and GitHub to Deploy AdaptixC2 | Chinese-speaking individuals are the target of a new campaign that uses a trojanized version of SumatraPDF reader to deploy the AdaptixC2 Beacon post- | Virus | The Hacker News |
| 24.4.26 | LMDeploy CVE-2026-33626 Flaw Exploited Within 13 Hours of Disclosure | A high-severity security flaw in LMDeploy, an open-source toolkit for compressing, deploying, and serving LLMs, has come under active exploitation | Vulnerability | The Hacker News |
| 24.4.26 | UNC6692 Impersonates IT Help Desk via Microsoft Teams to Deploy SNOW Malware | A previously undocumented threat activity cluster known as UNC6692 has been observed leveraging social engineering tactics via Microsoft Teams to | Hack | The Hacker News |
| 23.4.26 | Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain Campaign | Bitwarden CLI has been compromised as part of the newly discovered and ongoing Checkmarx supply chain campaign , according to new findings from | Hack | The Hacker News |
| 23.4.26 | China's Apple App Store infiltrated by crypto-stealing wallet apps | A set of 26 malicious apps on Apple App Store impersonate popular wallets, such as Metamask, Coinbase, Trust Wallet, and OneKey, to steal recovery or seed phrases and drain them of cryptocurrency assets. | Cryptocurrency | BleepingComputer |
| 23.4.26 | The Gentlemen ransomware now uses SystemBC for bot-powered attacks | A SystemBC proxy malware botnet of more than 1,570 hosts, believed to be corporate victims, has been discovered following an investigation into a Gentlemen ransomware attack carried out by a gang affiliate. | Ransom | |
| 23.4.26 | Seiko USA website defaced as hacker claims customer data theft | The Seiko USA website was defaced over the weekend, displaying a message from attackers claiming they stole its Shopify customer database and threatening to leak it unless a ransom is paid. | Incident | |
| 23.4.26 | Microsoft: Teams increasingly abused in helpdesk impersonation attacks | Microsoft is warning of threat actors increasingly abusing external Microsoft Teams collaboration and relying on legitimate tools for access and lateral movement on enterprise networks. | OS | BleepingComputer |
| 23.4.26 | The backup myth that is putting businesses at risk | Backups protect data, but don't keep your business running during downtime. Datto shows why BCDR is essential to keep operations running during ransomware and outages. | Security | BleepingComputer |
| 23.4.26 | British Scattered Spider hacker pleads guilty to crypto theft charges | A British man, believed to be the leader of the Scattered Spider cybercrime collective, has pleaded guilty in the United States to charges of wire fraud and aggravated identity theft. | CyberCrime | |
| 23.4.26 | Microsoft tests Windows Explorer speed, performance improvements | Microsoft is rolling out multiple File Explorer changes to Windows 11 users in the Insider program, including improvements to launch speed and performance. | OS | |
| 23.4.26 | Microsoft pulls service update causing Teams launch failures | Microsoft has reverted a recent service update that was preventing some customers from launching the Microsoft Teams desktop client. | OS | BleepingComputer |
| 23.4.26 | Microsoft releases emergency updates to fix Windows Server issues | Microsoft has released out-of-band (OOB) updates to fix issues affecting Windows Server systems after installing the April 2026 security updates. | OS | BleepingComputer |
| 23.4.26 | Vercel confirms breach as hackers claim to be selling stolen data | Cloud development platform Vercel has disclosed a security incident after threat actors claimed to have breached its systems and are attempting to sell stolen data. | Incident | |
| 23.4.26 | Apple account change alerts abused to send phishing emails | Apple account change notifications are being abused to send fake iPhone purchase phishing scams within legitimate emails sent from Apple's servers, increasing legitimacy and potentially allowing them to bypass spam filters. | Phishing | BleepingComputer |
| 23.4.26 | NIST to stop rating non-priority flaws due to volume increase | The National Institute of Standards and Technology will stop assigning severity scores to lower-priority vulnerabilities due to the growing workload from rising submission volumes. | BigBrothers | BleepingComputer |
| 23.4.26 | China-Linked GopherWhisper Infects 12 Mongolian Government Systems with Go Backdoors | Mongolian governmental institutions have emerged as the target of a previously undocumented China-aligned advanced persistent threat (APT) | APT | The Hacker News |
| 23.4.26 | Vercel Finds More Compromised Accounts in Context.ai-Linked Breach | Vercel on Wednesday revealed that it has identified an additional set of customer accounts that were compromised as part of a security incident that | Incindent | The Hacker News |
| 23.4.26 | Apple Patches iOS Flaw That Stored Deleted Signal Notifications in FBI Forensic Case | Apple has rolled out a software fix for iOS and iPadOS to address a Notification Services flaw that stored notifications marked for deletion on the | OS | The Hacker News |
| 23.4.26 | Malicious KICS Docker Images and VS Code Extensions Hit Checkmarx Supply Chain | Cybersecurity researchers have warned of malicious images pushed to the official "checkmarx/kics" Docker Hub repository. In an alert published today, | Hack | The Hacker News |
| 23.4.26 | Self-Propagating Supply Chain Worm Hijacks npm Packages to Steal Developer Tokens | Cybersecurity researchers have flagged a fresh set of packages that have been compromised by bad actors to deliver a self-propagating worm that spreads | Virus | The Hacker News |
| 23.4.26 | Harvester Deploys Linux GoGra Backdoor in South Asia Using Microsoft Graph API | The threat actor known as Harvester has been attributed to a new Linux version of its GoGra backdoor deployed as part of attacks likely targeting | Virus | The Hacker News |
| 22.4.26 | [Guest Diary] Beyond Cryptojacking: Telegram tdata as a Credential Harvesting Vector, Lessons from a Honeypot Incident | A few weeks ago, my honeypot logged an incident that changed how I think about modern attacks. A | Cryptocurrency | SANS |
| 22.4.26 | A .WAV With A Payload | There have been reports of threat actors using a .wav file as a vector for malware. It's a proper .wav file, but they didn't use steganography. The .wav file will play, but you'll just hear noise: | Virus | SANS |
| 22.4.26 | Handling the CVE Flood With EPSS | Every morning, security people around the world face the same ritual: opening their vulnerability feed to find a lot of new CVE entries that appeared overnight. Over the past decade, this flood has become a defining challenge of modern defensive security. | Vulnerebility | SANS |
| 22.4.26 | Lotus Wiper Malware Targets Venezuelan Energy Systems in Destructive Attack | Cybersecurity researchers have discovered a previously undocumented data wiper that has been used in attacks targeting Venezuela at the end of last year | Virus | The Hacker News |
| 22.4.26 | Microsoft Patches Critical ASP.NET Core CVE-2026-40372 Privilege Escalation Bug | Microsoft has released out-of-band updates to address a security vulnerability in ASP.NET Core that could allow an attacker to escalate privileges. The | Vulnerebility | The Hacker News |
| 22.4.26 | Mustang Panda’s New LOTUSLITE Variant Targets India Banks, South Korea Policy Circles | Cybersecurity researchers have discovered a new variant of a known malware called LOTUSLITE that's distributed via a theme related to India's banking | APT | The Hacker News |
| 22.4.26 | Cohere AI Terrarium Sandbox Flaw Enables Root Code Execution, Container Escape | A critical security vulnerability has been disclosed in a Python-based sandbox called Terrarium that could result in arbitrary code execution. The vulnerability, | AI | The Hacker News |
| 22.4.26 | SystemBC C2 Server Reveals 1,570+ Victims in The Gentlemen Ransomware Operation | Threat actors associated with The Gentlemen ransomware‑as‑a‑service (RaaS) operation have been observed attempting to deploy a known proxy | Ransom | The Hacker News |
| 22.4.26 | 22 BRIDGE:BREAK Flaws Expose Thousands of Lantronix and Silex Serial-to-IP Converters | Cybersecurity researchers have identified 22 new vulnerabilities in popular models of serial-to-IP converters from Lantronix and Silex that could be | Vulnerebility | The Hacker News |
| 22.4.26 | Ransomware Negotiator Pleads Guilty to Aiding BlackCat Attacks in 2023 | A third individual who was employed as a ransomware negotiator has pleaded guilty to conducting ransomware attacks against U.S. companies in 2023. | Ransom | The Hacker News |
| 21.4.26 | No Exploit Needed: How Attackers Walk Through the Front Door via Identity-Based Attacks | The cybersecurity industry has spent the last several years chasing sophisticated threats like zero-days, supply chain compromises, and AI- | Exploit | The Hacker News |
| 21.4.26 | NGate Campaign Targets Brazil, Trojanizes HandyPay to Steal NFC Data and PINs | Cybersecurity researchers have discovered a new iteration of an Android malware family called NGate that has been found to abuse a legitimate | Virus | The Hacker News |
| 21.4.26 | Google Patches Antigravity IDE Flaw Enabling Prompt Injection Code Execution | Cybersecurity researchers have discovered a vulnerability in Google's agentic integrated development environment (IDE), Antigravity, that could be exploited | Vulnerebility | The Hacker News |
| 21.4.26 | CISA Adds 8 Exploited Flaws to KEV, Sets April-May 2026 Federal Deadlines | The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added eight new vulnerabilities to its Known Exploited Vulnerabilities (KEV) | Exploit | The Hacker News |
| 21.4.26 | SGLang CVE-2026-5760 (CVSS 9.8) Enables RCE via Malicious GGUF Model Files | A critical security vulnerability has been disclosed in SGLang that, if successfully exploited, could result in remote code execution on susceptible | Vulnerebility | The Hacker News |
| 20.4.26 | Anthropic MCP Design Vulnerability Enables RCE, Threatening AI Supply Chain | Cybersecurity researchers have discovered a critical "by design" weakness in the Model Context Protocol's (MCP) architecture that could pave the way for | AI | The Hacker News |
| 20.4.26 | Researchers Detect ZionSiphon Malware Targeting Israeli Water, Desalination OT Systems | Cybersecurity researchers have flagged a new malware called ZionSiphon that appears to be specifically designed to target Israeli water treatment and | Virus | The Hacker News |
| 20.4.26 | Vercel Breach Tied to Context AI Hack Exposes Limited Customer Credentials | Web infrastructure provider Vercel has disclosed a security breach that allows bad actors to gain unauthorized access to "certain" internal Vercel systems. | AI | The Hacker News |
| 19.4.26 | Critical flaw in Protobuf library enables JavaScript code execution | Proof-of-concept exploit code has been published for a critical remote code execution flaw in protobuf.js, a widely used JavaScript implementation of Google's Protocol Buffers. | Vulnerebility | BleepingComputer |
| 19.4.26 | Microsoft Teams right-click paste broken by Edge update bug | Microsoft is warning that a recent Microsoft Edge browser update introduced a bug that breaks right-click paste in chats in the Microsoft Teams desktop client. | OS | |
| 19.4.26 | NAKIVO v11.2: Ransomware Defense, Faster Replication, vSphere 9, and Proxmox VE 9.0 Support | NAKIVO Inc. announced the general availability of NAKIVO Backup & Replication v11.2, focused on fast, reliable, and proactive data protection. | Ransom | |
| 19.4.26 | Payouts King ransomware uses QEMU VMs to bypass endpoint security | The Payouts King ransomware is using the QEMU emulator as a reverse SSH backdoor to run hidden virtual machines on compromised systems and bypass endpoint security. | Ransom | |
| 19.4.26 | Grinex exchange blames "Western intelligence" for $13.7M crypto hack | Kyrgyzstan-based cryptocurrency exchange Grinex has suspended its operations after suffering a $13.7 million hack attributed to Western intelligence agencies. | Cryptocurrency | BleepingComputer |
| 19.4.26 | Inside an Underground Guide: How Threat Actors Vet Stolen Credit Card Shops | In cybercrime markets, trust isn't assumed, it's verified. Flare reveals how underground guides teach actors to evaluate carding shops based on data quality, reputation, and survivability. | CyberCrime | |
| 19.4.26 | CISA flags Apache ActiveMQ flaw as actively exploited in attacks | CISA warned that attackers are now exploiting a high-severity Apache ActiveMQ vulnerability, which was patched earlier this month after going undetected for 13 years. | Exploit | BleepingComputer |
| 19.4.26 | Microsoft: Some Windows servers enter reboot loops after April patches | Microsoft warns that some Windows domain controllers are entering restart loops after installing the April 2026 security updates. | OS | |
| 19.4.26 | Man gets 30 months for selling thousands of hacked DraftKings accounts | 23-year-old Kamerin Stokes of Memphis, Tennessee, was sentenced to 30 months in prison for selling access to tens of thousands of hacked DraftKings accounts. | CyberCrime | |
| 19.4.26 | Recently leaked Windows zero-days now exploited in attacks | Threat actors are exploiting three recently disclosed Windows security vulnerabilities in attacks aimed at gaining SYSTEM or elevated administrator permissions. | Exploit | BleepingComputer |
| 19.4.26 | Operation PowerOFF identifies 75k DDoS users, takes down 53 domains | The latest wave of "Operation PowerOFF," on April 13, 2026, targeted the distributed denial-of-service (DDoS) ecosystem and its users across 21 countries. | BigBrothers | BleepingComputer |
| 19.4.26 | ZionSiphon malware designed to sabotage water treatment systems | A new malware called ZionSiphon, specifically designed for operational technology, is targeting water treatment and desalination environments to sabotage their operations. | Virus | |
| 19.4.26 | New Microsoft Defender “RedSun” zero-day PoC grants SYSTEM privileges | A researcher known as "Chaotic Eclipse" has published a proof-of-concept exploit for a second Microsoft Defender zero-day, dubbed "RedSun," in the past two weeks, protesting how the company works with cybersecurity researchers. | Exploit | |
| 19.4.26 | Hackers exploit Marimo flaw to deploy NKAbuse malware from Hugging Face | Hackers are exploiting a critical vulnerability in Marimo reactive Python notebook to deploy a new variant of NKAbuse malware hosted on Hugging Face Spaces. | Virus | |
| 19.4.26 | Google expands Gemini AI use to fight malicious ads on its platform | Google says it is increasingly using its Gemini AI models to detect and block harmful ads on its advertising platforms, as scammers and threat actors continue to evolve their tactics to evade detection. | AI | BleepingComputer |
| 19.4.26 | New ATHR vishing platform uses AI voice agents for automated attacks | A new cybercrime platform called ATHR can harvest credentials via fully automated voice phishing attacks that use both human operators and AI agents for the social engineering phase. | AI | |
| 19.4.26 | Most "AI SOCs" Are Just Faster Triage. That's Not Enough. | AI-powered SOC tools promise automation, but most only speed up triage instead of reducing real workload. Tines shows how real gains come from end-to-end workflows that execute actions across systems, not just summarize alerts. | AI | BleepingComputer |
| 19.4.26 | Cisco says critical Webex Services flaw requires customer action | Cisco has released security updates to patch four critical vulnerabilities, including a fixed improper certificate validation flaw in the company's cloud-based Webex Services platform that requires further customer action. | Vulnerebility | |
| 19.4.26 | Data breach at edtech giant McGraw Hill affects 13.5 million accounts | The ShinyHunters extortion group has leaked data from 13.5 million McGraw Hill user accounts, stolen after breaching the company's Salesforce environment earlier this month. | Incindent | |
| 19.4.26 | US nationals behind DPRK IT worker 'laptop farm' sent to prison | Two U.S. nationals have been sent to prison for helping North Korean remote information technology (IT) workers to pose as U.S. residents and get hired by over 100 companies across the country, including many Fortune 500 firms. | APT | |
| 19.4.26 | Microsoft: April Windows Server 2025 update may fail to install | Microsoft is investigating an issue causing this month's KB5082063 security update to fail to install on some Windows Server 2025 systems. | OS | BleepingComputer |
| 19.4.26 | Critical Nginx UI auth bypass flaw now actively exploited in the wild | A critical vulnerability in Nginx UI with Model Context Protocol (MCP) support is now being exploited in the wild for full server takeover without authentication. | Exploit | |
| 19.4.26 | New AgingFly malware used in attacks on Ukraine govt, hospitals | A new malware family named 'AgingFly' has been identified in attacks against local governments and hospitals that steals authentication data from Chromium-based browsers and WhatsApp messenger. | Virus | |
| 19.4.26 | WordPress plugin suite hacked to push malware to thousands of sites | More than 30 WordPress plugins in the EssentialPlugin package have been compromised with malicious code that allows unauthorized access to websites running them. | Virus | |
| 19.4.26 | Signed software abused to deploy antivirus-killing scripts | A digitally signed adware tool has deployed payloads running with SYSTEM privileges that disabled antivirus protections on thousands of endpoints, some in the educational, utilities, government, and healthcare sectors. | Security | BleepingComputer |
| 19.4.26 | Microsoft pays $2.3M for cloud and AI flaws at Zero Day Quest | Microsoft has awarded $2.3 million to security researchers after receiving nearly 700 submissions during this year's Zero Day Quest hacking contest. | Security | |
| 19.4.26 | CISA flags Windows Task Host vulnerability as exploited in attacks | CISA warned U.S. government agencies to secure their systems against a Windows Task Host privilege escalation vulnerability that could allow attackers to gain SYSTEM privileges. | Exploit | |
| 19.4.26 | Rolling Networks: Securing the Transportation Sector | Modern trucks are rolling networks packed with sensors, connectivity, and attack surfaces, creating new cyber risks. NMFTA's Cybersecurity Conference brings industry leaders together to tackle emerging threats in transportation. | Security | |
| 19.4.26 | Microsoft: April updates trigger BitLocker key prompts on some servers | Microsoft confirmed on Tuesday that some Windows Server 2025 devices will boot into BitLocker recovery after installing the April 2026 KB5082063 Windows security update. | OS | |
| 19.4.26 | Microsoft fixes bug behind Windows Server 2025 automatic upgrades | Microsoft has finally fixed a known issue that was causing systems running Windows Server 2019 and 2022 to "unexpectedly" upgrade to Windows Server 2025. | OS | |
| 18.4.26 | $13.74M Hack Shuts Down Sanctioned Grinex Exchange After Intelligence Claims | Grinex, a Kyrgyzstan-incorporated cryptocurrency exchange sanctioned by the U.K. and the U.S. last year, said it's suspending operations after it blamed | CyberCrime | The Hacker News |
| 18.4.26 | Mirai Variant Nexcorium Exploits CVE-2024-3721 to Hijack TBK DVRs for DDoS Botnet | Threat actors are exploiting security flaws in TBK DVR and end-of-life (EoL) TP-Link Wi-Fi routers to deploy Mirai botnet variants on compromised devices, | BotNet | The Hacker News |
| 18.4.26 | Lumma Stealer infection with Sectop RAT (ArechClient2) | This diary provides indicators from a Lumma Stealer infection that was followed by Sectop RAT (ArechClient2). I searched for cracked versions of popular copyright-protected software, and I downloaded the initial malware after | Virus | SANS |
| 18.4.26 | Microsoft adds Windows protections for malicious Remote Desktop files | Microsoft has introduced new Windows protections to defend against phishing attacks that abuse Remote Desktop connection (.rdp) files, adding warnings and disabling risky shared resources by default. | OS | |
| 18.4.26 | Crypto-exchange Kraken extorted by hackers after insider breach | The Kraken cryptocurrency exchange announced that a cybercrime group is trying to extort the company by threatening to release videos showing internal systems that host client data. | Cryptocurrency | BleepingComputer |
| 18.4.26 | Over 100 Chrome Web Store extensions steal user accounts, data | More than 100 malicious extensions in the official Chrome Web Store are attempting to steal Google OAuth2 Bearer tokens, deploy backdoors, and carry out ad fraud. | Incindent | |
| 18.4.26 | Microsoft releases Windows 10 KB5082200 extended security update | Microsoft has released the Windows 10 KB5082200 extended security update to fix the April 2026 Patch Tuesday vulnerabilities, including 2 zero-days. | OS | |
| 18.4.26 | McGraw-Hill confirms data breach following extortion threat | Education company McGraw-Hill has confirmed in a statement to BleepingComputer that hackers exploited a Salesforce misconfiguration and accessed its internal data. | Incindent | |
| 18.4.26 | Windows 11 cumulative updates KB5083769 & KB5082052 released | Microsoft has released Windows 11 KB5083769 and KB5082052 cumulative updates for versions 25H2/24H2 and 23H2 to fix security vulnerabilities, bugs, and add new features. | OS | BleepingComputer |
| 18.4.26 | Microsoft April 2026 Patch Tuesday fixes 167 flaws, 2 zero-days | Today is Microsoft's April 2026 Patch Tuesday with security updates for 167 flaws, including 2 zero-day vulnerabilities. | OS | |
| 18.4.26 | Fake Ledger Live app on Apple’s App Store stole $9.5M in crypto | A malicious Ledger Live app for macOS available from Apple's App Store has drained approximately $9.5 million in cryptocurrency from 50 victims in just a few days this month. | Cryptocurrency | BleepingComputer |
| 18.4.26 | Microsoft rolls out fast-track to reinstate Windows hardware dev accounts | Microsoft has rolled out a fast-track process to help developers regain access to accounts recently suspended from its Windows Hardware Program, following widespread complaints that they were locked out without warning. | OS | |
| 18.4.26 | European Gym giant Basic-Fit data breach affects 1 million members | Dutch fitness giant Basic-Fit announced that hackers breached its systems and gained access to information belonging to a million of its customers. | Incindent | |
| 18.4.26 | Stolen Rockstar Games analytics data leaked by extortion gang | Rockstar Games has suffered a data breach linked to a recent security incident at Anodot, with the ShinyHunters extortion gang now leaking the stolen data on its data leak site. | Incindent | |
| 18.4.26 | Critical flaw in wolfSSL library enables forged certificate use | A critical vulnerability in the wolfSSL SSL/TLS library can weaken security via improper verification of the hash algorithm or its size when checking Elliptic Curve Digital Signature Algorithm (ECDSA) signatures. | Vulnerebility | BleepingComputer |
| 18.4.26 | FBI takedown of W3LL phishing service leads to developer arrest | The FBI Atlanta Field Office and Indonesian authorities have dismantled the "W3LL" global phishing platform, seizing infrastructure and arresting the alleged developer in what is described as the first coordinated enforcement action between the United States and Indonesia targeting a phishing kit developer. | Phishing | |
| 18.4.26 | OpenAI rotates macOS certs after Axios attack hit code-signing workflow | OpenAI is rotating potentially exposed macOS code-signing certificates after a GitHub Actions workflow executed a malicious Axios package during a recent supply chain attack. | AI | |
| 18.4.26 | New Booking.com data breach forces reservation PIN resets | Booking.com has confirmed via a statement to BleepingComputer that it has detected unauthorized access to its systems that has exposed sensitive reservation and user data. | Incindent | BleepingComputer |
| 18.4.26 | Adobe rolls out emergency fix for Acrobat, Reader zero-day flaw | Adobe has released an emergency security update for Acrobat Reader to fix a vulnerability, tracked as CVE-2026-34621, that has been exploited in zero-day attacks since at least December. | Vulnerebility | |
| 18.4.26 | The silent “Storm”: New infostealer hijacks sessions, decrypts server-side | New "Storm" infostealer skips local decryption, sending browser data to attacker servers. Varonis shows how server-side decryption enables session hijacking, bypassing passwords and MFA. | Virus | |
| 18.4.26 | Critical Marimo pre-auth RCE flaw now under active exploitation | A critical pre-authentication remote code execution (RCE) vulnerability in Marimo is now under active exploitation, leveraged for credential theft. | Vulnerebility | BleepingComputer |
| 18.4.26 | Three Microsoft Defender Zero-Days Actively Exploited; Two Still Unpatched | Huntress is warning that threat actors are exploiting three recently disclosed security flaws in Microsoft Defender to gain elevated privileges in | Exploit | The Hacker News |
| 18.4.26 | Google Blocks 8.3B Policy-Violating Ads in 2025, Launches Android 17 Privacy Overhaul | Google this week announced a new set of Play policy updates to strengthen user privacy and protect businesses against fraud, even as it revealed it | OS | The Hacker News |
| 18.4.26 | QEMU abused to evade detection and enable ransomware delivery | The use of hidden virtual machines (VMs) enables long-term access, credential harvesting, data exfiltration, and PayoutsKing ransomware deployment | Ransom blog | SOPHOS |
| 18.4.26 | | Advances in AI model-powered exploitation have demonstrated that general-purpose AI models can excel at vulnerability discovery, even without being purpose-built for the task. Eventually, capabilities such as these will be integrated directly into the development cycle, and code will be more difficult to exploit than ever; however, this transition creates a critical window of risk. | AI blog | GTI |
| 18.4.26 | | Germany has reclaimed its position as a primary focus for cyber extortion in Europe. While data leak site (DLS) posts rose almost 50% globally in 2025, Google Threat Intelligence (GTI) data shows that the surge is hitting German infrastructure harder and faster than its regional neighbors, marking a significant return to the high-pressure levels previously observed in the country during 2022 and 2023. | BigBrother blog | GTI |
| 18.4.26 | Four Nationally Significant Cyberattacks Every Week — Is the UK Ready? | UK cyberattacks are rising sharply, with NCSC reporting record incidents, growing infrastructure risk, and urgent calls for stronger cyber resilience. | Cyber blog | Cyble |
| 18.4.26 | The Week in Vulnerabilities: Azure AI, Spring AI, Fortinet, and Critical ICS Exposure | Cyble’s weekly vulnerability report tracked 1,431 vulnerabilities and 6 ICS flaws last week. Know more... | Vulnerebility blog | Cyble |
| 18.4.26 | How Cyble Blaze AI Delivers 360° Threat Visibility Across Dark Web and Enterprise Systems | Cyble Blaze AI transforms cybersecurity by unifying data, predicting threats, and automating response across enterprise and dark web intelligence. | AI blog | Cyble |
| 18.4.26 | MiningDropper – A Global Modular Android Malware Campaign Operating at Scale | CRIL analyzes a surge in an ongoing campaign to deliver MiningDropper, a modular Android malware framework, at scale. | Malware blog | Cyble |
| 18.4.26 | Black Hat Asia 2026 Is Coming to Singapore — Here’s What the Threat Landscape Looks Like Ahead of It | Black Hat Asia 2026 explores ransomware growth, AI-driven cyber threats, and supply chain risks reshaping global cybersecurity and digital resilience. | Ransom blog | Cyble |
| 18.4.26 | Building a last-resort unpacker with AI | Exploring how AI can assist in unpacking protected binaries, recovering payloads from unsupported packers, while reducing repetitive analysis | AI blog | GENDIGITAL |
| 18.4.26 | Chasing an Angry Spark | A VM-obfuscated backdoor observed on a single machine in the UK, operated for one year, and vanished without a trace. | Malware blog | GENDIGITAL |
| 18.4.26 | Dissecting Sapphire Sleet’s macOS intrusion from lure to compromise | The Microsoft Defender Security Research Team uncovered a sophisticated macOS intrusion campaign attributed to the North Korean threat actor Sapphire Sleet that abuses user driven execution and social engineering to bypass macOS security protections and steal credentials, cryptocurrency assets, and sensitive data. | Malware blog | Microsoft blog |
| 18.4.26 | Identity Protection in the AI Era | Enterprises aiming to predict and mitigate human, machine, and AI‑agent risks at scale demand AI‑powered identity‑first security without compromise. | AI blog | Trend Micro |
| 18.4.26 | ACRStealer: The Silent Golang Threat Behind Credential and Wallet Theft | This week the SonicWall Capture Labs Threat Research Team analyzed a sample of ACRStealer, a Golang Malware-as-a-Service used by ShieldIO. This uses a binary to sideload a malicious DLL and evade AV products, harvest credentials for browsers and FTP programs, and target a number of crypto-wallets. It is highly evasive and uses a variety of techniques to prevent analysis. | Malware blog | SonicWall |
| 18.4.26 | Threat Brief: Escalation of Cyber Risk Related to Iran (Updated April 17) | As of April 17, 2026, Iran has begun restoring limited access to the internet after disconnecting from it for the past 47 days. Iran is limiting domestic access to only websites and applications mirrored on its National Information Network. | Cyber blog | Palo Alto |
| 18.4.26 | A Deep Dive Into Attempted Exploitation of CVE-2023-33538 | We identified active, automated scans and probes attempting to exploit CVE-2023-33538, a vulnerability in several end-of-life TP-Link Wi-Fi router models: | Vulnerebility blog | Palo Alto |
| 18.4.26 | Cracks in the Bedrock: Agent God Mode | Our first article about the boundaries and resilience of Amazon Bedrock AgentCore focused on the Code Interpreter sandbox, and how it can be bypassed using DNS tunneling. In this second part, we delve into the identity and permissions model of AgentCore and the AgentCore starter toolkit. | Malware blog | Palo Alto |
| 18.4.26 | The n8n n8mare: How threat actors are misusing AI workflow automation | Cisco Talos research has uncovered agentic AI workflow automation platform abuse in emails. Recently, we identified an increase in the number of emails that abuse n8n, one of these platforms, from as early as October 2025 through March 2026. | Phishing blog | CISCO TALOS |
| 18.4.26 | The Q1 vulnerability pulse | Thor provides an overview of the Q1 2026 vulnerability statistics, highlighting key trends in legacy CVEs and the evolving impact of AI on the threat landscape. | Vulnerebility blog | CISCO TALOS |
| 18.4.26 | PowMix botnet targets Czech workforce | Cisco Talos discovered an ongoing malicious campaign, operating since at least December 2025, affecting a broader workforce in the Czech Republic with a previously undocumented botnet we call “PowMix.” | BotNet blog | CISCO TALOS |
| 18.4.26 | State-sponsored threats: Different objectives, similar access paths | A look at 2025 state-sponsored threats, exploring how actors linked to China, Russia, North Korea, and Iran use vulnerabilities, identity, and trusted access paths to achieve their goals. | APT blog | CISCO TALOS |
| 18.4.26 | Foxit, LibRaw vulnerabilities | Cisco Talos’ Vulnerability Discovery & Research team recently disclosed one Foxit Reader vulnerability, and six LibRaw file reader vulnerabilities. The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s thir | Vulnerebility blog | CISCO TALOS |
| 18.4.26 | More than pretty pictures: Wendy Bishop on visual storytelling in tech | Wendy shares the unique challenges and rewards of bridging the gap between artistic expression and highly technical research. | Security blog | CISCO TALOS |
| 18.4.26 | Microsoft Patch Tuesday for April 2026 - Snort Rule and Prominent Vulnerabilities | Overview of the Patch Tuesday release from Microsoft for April 2026. | OS Blog | CISCO TALOS |
| 18.4.26 | That data breach alert might be a trap | Ignoring a real breach notification invites risk, but falling for a bogus one could be even worse. Stop reacting on autopilot | Incident blog | Eset |
| 18.4.26 | Supply chain dependencies: Have you checked your blind spot? | Your biggest risk may be a vendor you trust. How can SMBs map their third-party blind spots and build operational resilience? | Cyber blog | Eset |
| 18.4.26 | DCSync Detection Without Signatures: Trellix NDR and the Power of Technique-Based Defense | This blog explores how Trellix Network Detection and Response (NDR) moves beyond static signatures to detect these attempts by focusing on the underlying behavioral patterns of the attack technique itself. | Malware blog | Trellix |
| 17.4.26 | NIST Limits CVE Enrichment After 263% Surge in Vulnerability Submissions | The National Institute of Standards and Technology (NIST) has announced changes to the way it handles cybersecurity vulnerabilities and exposures | Vulnerebility | The Hacker News |
| 17.4.26 | Operation PowerOFF Seizes 53 DDoS Domains, Exposes 3 Million Criminal Accounts | An international law enforcement operation has taken down 53 domains and arrested four people in connection with commercial distributed denial-of- | Incindent | The Hacker News |
| 17.4.26 | Apache ActiveMQ CVE-2026-34197 Added to CISA KEV Amid Active Exploitation | A recently disclosed high-severity security flaw in Apache ActiveMQ Classic has come under active exploitation in the wild, per the U.S. Cybersecurity and | Vulnerebility | The Hacker News |
| 17.4.26 | Newly Discovered PowMix Botnet Hits Czech Workers Using Randomized C2 Traffic | Cybersecurity researchers have warned of an active malicious campaign that's targeting the workforce in the Czech Republic with a previously undocumented | BotNet | The Hacker News |
| 16.4.26 | UAC-0247 Targets Ukrainian Clinics and Government in Data-Theft Malware Campaign | The Computer Emergency Response Team of Ukraine (CERT-UA) has disclosed details of a new campaign that has targeted governments and | BigBrothers | The Hacker News |
| 16.4.26 | Cisco Patches Four Critical Identity Services, Webex Flaws Enabling Code Execution | Cisco has announced patches to address four critical security flaws impacting Identity Services and Webex Services that could result in arbitrary code | Vulnerebility | The Hacker News |
| 16.4.26 | Obsidian Plugin Abuse Delivers PHANTOMPULSE RAT in Targeted Finance, Crypto Attacks | A "novel" social engineering campaign has been observed abusing Obsidian, a cross-platform note-taking application, as an initial access vector to distribute | Virus | The Hacker News |
| 16.4.26 | [Guest Diary] Compromised DVRs and Finding Them in the Wild | Security cameras are great at monitoring physical doors, but terrible at locking their own digital ones. Across the internet, thousands | Hack | SANS |
| 16.4.26 | Microsoft Patch Tuesday April 2026. | This month's Microsoft Patch Tuesday looks like a record one, but let's look at it a bit closer to understand what is happening. The update patches a total of 243 vulnerabilities. | OS | SANS |
| 16.4.26 | Scanning for AI Models | Starting March 10, 2026, my DShield sensor started getting probes for various AI models such as claude, openclaw, huggingface, etc. | AI | SANS |
| 16.4.26 | Scans for EncystPHP Webshell | Last week, I wrote about attackers scanning for various webshells, hoping to find some that do not require authentication or others that use well-known credentials | Hack | SANS |
| 16.4.26 | | Threat actors have been observed weaponizing n8n, a popular artificial intelligence (AI) workflow automation platform, to facilitate sophisticated | Phishing | The Hacker News |
| 15.4.26 | Actively Exploited nginx-ui Flaw (CVE-2026-33032) Enables Full Nginx Server Takeover | A recently disclosed critical security flaw impacting nginx-ui, an open-source, web-based Nginx management tool, has come under active exploitation in | Vulnerebility | The Hacker News |
| 15.4.26 | April Patch Tuesday Fixes Critical Flaws Across SAP, Adobe, Microsoft, Fortinet, and More | A number of critical vulnerabilities impacting products from Adobe, Fortinet, Microsoft, and SAP have taken center stage in April's Patch Tuesday releases. | Vulnerebility | The Hacker News |
| 15.4.26 | Microsoft Issues Patches for SharePoint Zero-Day and 168 Other New Vulnerabilities | Microsoft on Tuesday released updates to address a record 169 security flaws across its product portfolio, including one vulnerability that has been | OS | The Hacker News |
| 15.4.26 | OpenAI Launches GPT-5.4-Cyber with Expanded Access for Security Teams | OpenAI on Tuesday unveiled GPT-5.4-Cyber, a variant of its latest flagship model, GPT-5.4, that's specifically optimized for defensive | AI | The Hacker News |
| 15.4.26 | New PHP Composer Flaws Enable Arbitrary Command Execution — Patches Released | Two high-severity security vulnerabilities have been disclosed in Composer, a package manager for PHP, that, if successfully exploited, could result in | Vulnerebility | The Hacker News |
| 14.4.26 | Satori Threat Intelligence Alert: Pushpaganda Manipulates Google Discovery Feeds with AI-Generated Content to Spread Malicious Notifications | HUMAN’s Satori Threat Intelligence and Research Team has identified a novel ad fraud, social engineering, and scareware threat dubbed Pushpaganda. This operation, named for the push notifications central to the scheme, generates invalid organic traffic from real mobile devices by tricking users into enabling notifications that present alarming messages. | AI | HUMAN SECURITY |
| 14.4.26 | Google Adds Rust-Based DNS Parser into Pixel 10 Modem to Enhance Security | Google has announced the integration of a Rust-based Domain Name System (DNS) parser into the modem firmware as part of its ongoing efforts to beef up | Security | The Hacker News |
| 14.4.26 | AI-Driven Pushpaganda Scam Exploits Google Discover to Spread Scareware and Ad Fraud | Cybersecurity researchers have unmasked a novel ad fraud scheme that has been found to leverage search engine poisoning (SEO) techniques and artificial | AI | The Hacker News |
| 14.4.26 | Mirax Android RAT Turns Devices into SOCKS5 Proxies, Reaching 220,000 via Meta Ads | A nascent Android remote access trojan called Mirax has been observed actively targeting Spanish-speaking countries, with campaigns reaching more | Virus | The Hacker News |
| 14.4.26 | 108 Malicious Chrome Extensions Steal Google and Telegram Data, Affecting 20,000 Users | Cybersecurity researchers have discovered a new campaign in which a cluster of 108 Google Chrome extensions has been found to communicate with the | Virus | The Hacker News |
| 14.4.26 | ShowDoc RCE Flaw CVE-2025-0520 Actively Exploited on Unpatched Servers | A critical security vulnerability impacting ShowDoc, a document management and collaboration service popular in China, has come under active exploitation | Vulnerebility | The Hacker News |
| 14.4.26 | CISA Adds 6 Known Exploited Flaws in Fortinet, Microsoft, and Adobe Software | The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added half a dozen security flaws to its Known Exploited Vulnerabilities (KEV) | BigBrothers | The Hacker News |
| 14.4.26 | JanelaRAT Malware Targets Latin American Banks with 14,739 Attacks in Brazil in 2025 | Banks and financial institutions in Latin American countries like Brazil and Mexico have continued to be the target of a malware family called JanelaRAT. | Virus | The Hacker News |
| 14.4.26 | FBI and Indonesian Police Dismantle W3LL Phishing Network Behind $20M Fraud Attempts | The U.S. Federal Bureau of Investigation (FBI), in partnership with the Indonesian National Police, has dismantled the infrastructure associated with | Phishing | The Hacker News |
| 14.4.26 | North Korea's APT37 Uses Facebook Social Engineering to Deliver RokRAT Malware | The North Korean hacking group tracked as APT37 (aka ScarCruft) has been attributed to a fresh multi-stage, social engineering campaign in which threat | APT | The Hacker News |
| 14.4.26 | OpenAI Revokes macOS App Certificate After Malicious Axios Supply Chain Incident | OpenAI revealed that a GitHub Actions workflow used to sign its macOS apps led to the download of the malicious Axios library on March 31, but noted that no | AI | The Hacker News |
| 13.4.26 | CPUID Breach Distributes STX RAT via Trojanized CPU-Z and HWMonitor Downloads | Unknown threat actors compromised CPUID ("cpuid[.]com"), a website that hosts popular hardware monitoring tools like CPU-Z, HWMonitor, HWMonitor | Virus | The Hacker News |
| 13.4.26 | Adobe Patches Actively Exploited Acrobat Reader Flaw CVE-2026-34621 | Adobe has released emergency updates to fix a critical security flaw in Acrobat Reader that has come under active exploitation in the wild. The | Vulnerebility | The Hacker News |
| 12.4.26 | Over 20,000 crypto fraud victims identified in international crackdown | An international law enforcement action led by the U.K.'s National Crime Agency (NCA) has identified over 20,000 victims of cryptocurrency fraud across Canada, the United Kingdom, and the United States. | Cryptocurrency | |
| 12.4.26 | Nearly 4,000 US industrial devices exposed to Iranian cyberattacks | The attack surface targeted by Iranian-linked hackers in cyberattacks against U.S. critical infrastructure networks includes thousands of Internet-exposed programmable logic controllers (PLCs) manufactured by Rockwell Automation. | APT | BleepingComputer |
| 12.4.26 | Analysis of one billion CISA KEV remediation records exposes limits of human-scale security | Analysis of 1 billion CISA KEV remediation records reveals a breaking point for human-scale security. Qualys shows most critical flaws are exploited before defenders can patch them. | Vulnerebility | |
| 12.4.26 | CPUID hacked to deliver malware via CPU-Z, HWMonitor downloads | Hackers gained access to an API for the CPUID project and changed the download links on the official website to serve malicious executables for the popular CPU-Z and HWMonitor tools. | Attack | |
| 12.4.26 | Microsoft: Canadian employees targeted in payroll pirate attacks | A financially motivated threat actor tracked as Storm-2755 is stealing Canadian employees' salary payments after hijacking their accounts in payroll pirate attacks. | Hack | |
| 12.4.26 | Google rolls out Gmail end-to-end encryption on mobile devices | Google says Gmail end-to-end encryption (E2EE) is now available on all Android and iOS devices, allowing enterprise users to read and compose emails without additional tools. | Safety | BleepingComputer |
| 12.4.26 | New ‘LucidRook’ malware used in targeted attacks on NGOs, universities | A new Lua-based malware, called LucidRook, is being used in spear-phishing campaigns targeting non-governmental organizations and universities in Taiwan. | Virus | |
| 12.4.26 | New VENOM phishing attacks steal senior executives' Microsoft logins | Threat actors using a previously undocumented phishing-as-a-service (PhaaS) platform called "VENOM" are targeting credentials of C-suite executives across multiple industries. | Phishing | BleepingComputer |
| 12.4.26 | Healthcare IT solutions provider ChipSoft hit by ransomware attack | Dutch healthcare software vendor ChipSoft has been impacted by a ransomware attack that forced the company to take offline its website and digital services for patients and healthcare providers. | Ransom | |
| 12.4.26 | Google Chrome adds infostealer protection against session cookie theft | Google has rolled out Device Bound Session Credentials (DBSC) protection in Chrome 146 for Windows, designed to block info-stealing malware from harvesting session cookies. | Virus | |
| 12.4.26 | Smart Slider updates hijacked to push malicious WordPress, Joomla versions | Hackers hijacked the update system for the Smart Slider 3 Pro plugin for WordPress and Joomla, and pushed a malicious version with multiple backdoors. | Hack | |
| 12.4.26 | When attackers already have the keys, MFA is just another door to open | Stolen credentials turn authentication systems into the attack surface. Token shows how wearable biometric authentication verifies the user—not the session—blocking phishing relays and MFA bypass | Phishing | BleepingComputer |
| 12.4.26 | Eurail says December data breach impacts 300,000 individuals | Eurail B.V., a European travel operator that provides digital passes covering 33 national railways, says attackers stole the personal information of over 300,000 individuals in a December 2025 data breach. | Incindent | |
| 12.4.26 | Hackers exploiting Acrobat Reader zero-day flaw since December | Attackers have been exploiting a zero-day vulnerability in Adobe Reader using maliciously crafted PDF documents since at least December. | Exploit | |
| 12.4.26 | Hackers steal $3.6 million from crypto ATM giant Bitcoin Depot | Bitcoin Depot, which operates one of the largest Bitcoin ATM networks, says attackers stole $3.665 million worth of Bitcoin from its crypto wallets after breaching its systems last month. | Cryptocurrency | BleepingComputer |
| 12.4.26 | Microsoft suspends dev accounts for high-profile open source projects | Microsoft has suspended developer accounts used to maintain multiple high-profile open-source projects without proper notification and with no way to quickly reinstate them, effectively blocking them from publishing new software builds and security patches for Windows users. | Hack | |
| 12.4.26 | Hackers use pixel-large SVG trick to hide credit card stealer | A massive campaign impacting nearly 100 online stores using the Magento e-commerce platform hides credit card-stealing code in a pixel-sized Scalable Vector Graphics (SVG) image. | Hack | |
| 12.4.26 | Google: New UNC6783 hackers steal corporate Zendesk support tickets | A threat actor tracked as UNC6783 is compromising business process outsourcing (BPO) providers to gain access to high-value companies across multiple sectors. | Hack | |
| 12.4.26 | New macOS stealer campaign uses Script Editor in ClickFix attack | A new campaign delivering the Atomic Stealer malware to macOS users abuses the Script Editor in a variation of the ClickFix attack that tricks users into executing commands in Terminal. | Virus | BleepingComputer |
| 12.4.26 | CISA orders feds to patch exploited Ivanti EPMM flaw by Sunday | CISA has given U.S. government agencies four days to secure their systems against a critical-severity vulnerability in Ivanti Endpoint Manager Mobile (EPMM) that has been exploited in attacks since January. | Vulnerebility | |
| 12.4.26 | 13-year-old bug in ActiveMQ lets hackers remotely execute commands | Security researchers discovered a remote code execution (RCE) vulnerability in Apache ActiveMQ Classic that has gone undetected for 13 years and could be exploited to execute arbitrary commands | Vulnerebility | |
| 12.4.26 | Is a $30,000 GPU Good at Password Cracking? | A $30,000 AI GPU doesn't outperform consumer GPUs at password cracking. Specops explains why attackers don't need exotic hardware to break weak passwords. | Hack | |
| 12.4.26 | Microsoft rolls out fix for broken Windows Start Menu search | Microsoft has pushed a server-side fix for a known issue that broke the Windows Start Menu search feature on some Windows 11 23H2 devices. | OS | BleepingComputer |
| 12.4.26 | Hackers exploit critical flaw in Ninja Forms WordPress plugin | A critical vulnerability in the Ninja Forms File Uploads premium add-on for WordPress allows uploading arbitrary files without authentication, which can lead to remote code execution. | Exploit | |
| 11.4.26 | Citizen Lab: Law Enforcement Used Webloc to Track 500 Million Devices via Ad Data | Hungarian domestic intelligence, the national police in El Salvador, and several U.S. law enforcement and police departments have been attributed to the use | Mobil | The Hacker News |
| 11.4.26 | GlassWorm Campaign Uses Zig Dropper to Infect Multiple Developer IDEs | Cybersecurity researchers have flagged yet another evolution of the ongoing GlassWorm campaign, which employs a new Zig dropper that's designed to | Virus | The Hacker News |
| 11.4.26 | Obfuscated JavaScript or Nothing | I spotted an interesting piece of JavaScript code that was delivered via a phishing email in a RAR archive. The file was called “cbmjlzan.JS” (SHA256:a8ba9ba93b4509a86e3d7dd40fd0652c2743e32277760c5f7942b788b74c5285) and is only identified as malicious by 15 AVs on | Hack | SANS |
| 11.4.26 | Number Usage in Passwords: Take Two | In a previous diary, we looked to see how numbers were used within passwords submitted to honeypots. One of the items of interest was how dates, and more specifically years, were represented within the data and how that changed over time. It is often seen that years and seasons are used in passwords, especially | Security | SANS |
| 11.4.26 | FBI: Americans lost a record $21 billion to cybercrime last year | U.S. victims lost nearly $21 billion to cyber-enabled crimes last year, driven primarily by investment scams, business email compromise, tech support fraud, and data breaches, the Federal Bureau of Investigation says. | CyberCrime | |
| 11.4.26 | Snowflake customers hit in data theft attacks after SaaS integrator breach | Over a dozen companies have suffered data theft attacks after a SaaS integration provider was breached and authentication tokens stolen. | Hack | BleepingComputer |
| 11.4.26 | US warns of Iranian hackers targeting critical infrastructure | Iranian-linked hackers are targeting Internet-exposed Rockwell/Allen-Bradley programmable logic controllers (PLCs) on the networks of U.S. critical infrastructure organizations. | ICS | |
| 11.4.26 | Max severity Flowise RCE vulnerability now exploited in attacks | Hackers are exploiting a maximum-severity vulnerability, tracked as CVE-2025-59528, in Flowise, an open-source platform for building custom LLM apps and agentic systems, to execute arbitrary code. | Exploit | |
| 11.4.26 | Authorities disrupt router DNS hijacks used to steal Microsoft 365 logins | An international operation from law enforcement authorities in partnership with private companies has disrupted FrostArmada, an APT28 campaign hijacking local traffic from MikroTik and TP-Link routers to steal Microsoft account credentials. | Hack | |
| 11.4.26 | German authorities identify REvil and GandCrab ransomware bosses | The Federal Police in Germany (BKA) has identified two Russian nationals as the leaders of GandCrab and REvil ransomware operations between 2019 and 2021. | BigBrothers | BleepingComputer |
| 11.4.26 | New GPUBreach attack enables system takeover via GPU rowhammer | A new attack, dubbed GPUBreach, can induce Rowhammer bit-flips in GPU GDDR6 memory to escalate privileges and lead to a full system compromise. | Attack | |
| 11.4.26 | Disgruntled researcher leaks “BlueHammer” Windows zero-day exploit | Exploit code has been released for an unpatched Windows privilege escalation flaw reported privately to Microsoft, allowing attackers to gain SYSTEM or elevated administrator permissions. | Exploit | |
| 11.4.26 | Microsoft fixes Classic Outlook bug causing email delivery issues | Microsoft has resolved a known issue that was preventing some Classic Outlook users from sending emails via Outlook.com. | OS | BleepingComputer |
| 11.4.26 | Microsoft removes Support and Recovery Assistant from Windows | Microsoft has deprecated and removed the Support and Recovery Assistant (SaRA) command-line utility from all in-support versions of Windows in Windows updates starting March 10. | OS | |
| 11.4.26 | Microsoft links Medusa ransomware affiliate to zero-day attacks | Microsoft says that Storm-1175, a China-based financially motivated cybercriminal group known for deploying Medusa ransomware payloads, has been deploying n-day and zero-day exploits in high-velocity attacks. | Ransom | |
| 11.4.26 | Drift $280M crypto theft linked to 6-month in-person operation | The Drift Protocol says that the $280+ million hack it suffered last week was the result of a long-term, carefully planned operation that included building "a functioning operational presence inside the Drift ecosystem." | Cryptocurrency | BleepingComputer |
| 11.4.26 | CISA orders feds to patch exploited Fortinet EMS flaw by Friday | The U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered federal agencies to secure FortiClient Enterprise Management Server (EMS) instances against an actively exploited vulnerability by Friday. | Exploit | |
| 11.4.26 | Why Simple Breach Monitoring is No Longer Enough | Infostealers are harvesting credentials and session cookies at scale, bypassing traditional defenses. Lunar explains why simple breach monitoring alone can't keep up with modern credential-based attacks. | Virus | BleepingComputer |
| 11.4.26 | Adobe Reader zero-day vulnerability in active exploitation | On April 7, 2026, a security researcher described an Adobe Reader zero-day vulnerability that has been exploited since at least December 2025. The vulnerability allows threat actors to execute privileged Acrobat APIs via specially crafted malicious PDF files that execute obfuscated JavaScript when opened. Exploitation allows attackers to steal sensitive user and system data and to potentially launch additional attacks and remotely execute code. | Exploit blog | SOPHOS |
| 11.4.26 | We let OpenClaw loose on an internal network. Here’s what it found | “Even the most ‘risk-on’ organizations with deep AI and security experience will likely find it challenging to configure OpenClaw in a way that effectively mitigates the risk of compromise or data loss, while still retaining any productivity value.” | AI blog | SOPHOS |
| 11.4.26 | Axios npm package compromised to deploy malware | On March 30, 2026, a supply chain attack targeted Axios, a widely used JavaScript HTTP client for web and Node.js applications. Third-party researchers identified that Axios versions 1.14.1 and 0.30.4 published to the npm registry were compromised following the apparent takeover of a legitimate maintainer account. An attacker published unauthorized package updates that appeared legitimate. | Incident blog | SOPHOS |
| 11.4.26 | FCC Bans Routers Made Outside USA. But What IS a Router? | The FCC recently announced a ban on the sale of consumer-grade internet routers manufactured outside the United States. More specifically, the FCC received a National Security Determination that caused them to update their “Covered List,” to include all foreign-made consumer-grade routers. | BigBrother blog | Eclypsium |
| 11.4.26 | Eclypsium Detects F5 BIG-IP Remote Code Execution Vulnerability (CVE-2025-53521) | A vulnerability in F5 BIG-IP systems that allows unauthenticated remote code execution by attackers has been added to the CISA Known Exploited Vulnerabilities catalog. CVE-2025-53521 was disclosed on October 15, 2025, but only added to the KEV on March 27, 2026. The vulnerability was originally given a severity score of 7.5, but was adjusted upward to 9.8 when new information emerged in March. | Vulnerebility blog | Eclypsium |
| 11.4.26 | When Geopolitical Conflict Spills into Cyberspace — How US Organizations Should Respond | The 2026 Iran-US-Israel escalation shows how cyber warfare is reshaping conflict, merging cyber attacks with kinetic operations and AI. | AI blog | Cyble |
| 11.4.26 | The Week in Vulnerabilities: OpenClaw, FreeBSD, F5 BIG-IP, and Critical ICS Bugs | Vulnerabilities in OpenClaw, FreeBSD, F5 BIG-IP, and industrial control systems show risks growing across enterprise and critical infrastructure environments. | Vulnerebility blog | Cyble |
| 11.4.26 | Dual-Brain Architecture: The Cybersecurity AI Innovation That Changes Everything | Agentic AI architecture enables dual-brain cybersecurity with predictive intelligence, autonomous response, and faster, smarter threat defense. | AI blog | Cyble |
| 11.4.26 | UK Businesses Are Being Targeted Through Their Middle East Supply Chains — What to Do Now | Middle East supply chain risk is exposing UK businesses to indirect cyber threats through vendors, dependencies, and geopolitical tensions. | BigBrother blog | Cyble |
| 11.4.26 | Remus: Unmasking The 64-bit Variant of the Infamous Lumma Stealer | When the security industry talks about information stealers, Lumma Stealer, without a doubt, has become the notorious icon of this landscape. Not only could it count itself among the most sophisticated, technically advanced, and widespread stealers-as-a-service in the world, but it was also described in a variety of blog posts from basically everyone in the industry, including us. | Malware blog | GENDIGITAL |
| 11.4.26 | Investigating Storm-2755: “Payroll pirate” attacks targeting Canadian employees | Microsoft Incident Response – Detection and Response Team (DART) researchers observed an emerging, financially motivated threat actor, tracked as Storm-2755, compromising Canadian employee accounts to gain unauthorized access to employee profiles and divert salary payments to attacker-controlled accounts. | Hacking blog | Microsoft blog |
| 11.4.26 | SOHO router compromise leads to DNS hijacking and adversary-in-the-middle attacks | Forest Blizzard, a threat actor linked to the Russian military, has been compromising insecure home and small-office internet equipment like routers, then modifying their settings in ways that turn them into part of the actor’s malicious infrastructure. | BigBrother blog | Microsoft blog |
| 11.4.26 | Storm-1175 focuses gaze on vulnerable web-facing assets in high-tempo Medusa ransomware operations | The financially motivated cybercriminal threat actor Storm-1175 operates high-velocity ransomware campaigns that weaponize recently disclosed vulnerabilities to obtain initial access, exfiltrate data, and deploy Medusa ransomware. | Ransom blog | Microsoft blog |
| 11.4.26 | Mitigating the Axios npm supply chain compromise | On March 31, 2026, the popular HTTP client Axios experienced a supply chain attack, causing two newly published npm package versions to download from command-and-control (C2) infrastructure that Microsoft Threat Intelligence has attributed to the North Korean state actor Sapphire Sleet. | Hacking blog | Microsoft blog |
| 11.4.26 | TrendAI Insight: New U.S. National Cyber Strategy | TrendAI reviews the White House National Cyber Strategy, outlining six pillars to strengthen U.S. cybersecurity—from deterrence and regulation to federal modernization, critical infrastructure protection, AI leadership, and workforce development. | AI blog | Trend Micro |
| 11.4.26 | Claude Code Packaging Error Remains a Lure in an Active Campaign: What Defenders Should Do | Threat actors leveraged Anthropic’s Claude Code npm release packaging error to distribute Vidar, GhostSocks, and PureLog Stealer. This blog details immediate steps organizations can take and best practices to prevent further risk. | Malware blog | Trend Micro |
| 11.4.26 | U.S. Public Sector Under Siege: Threat Intelligence for Q1 2026 | The first quarter of 2026 has reinforced a hard truth: U.S. government agencies and educational institutions are operating in the most hostile cyber threat environment ever recorded. | BigBrother blog | Trend Micro |
| 11.4.26 | n8n Expression Sandbox Bypass RCE | n8n AI Workflow Automation Expression Sandbox Bypass to Remote Code Execution Vulnerability (CVE-2026-1470) | ICS blog | SonicWall |
| 11.4.26 | Unpacking the Nursultan Client PyInstaller Telegram Malware | The SonicWall Capture Labs threat research team identified a PyInstaller-packed Windows executable distributed as "NursultanClient" — a full-featured Telegram RAT targeting Windows systems. | Malware blog | SonicWall |
| 11.4.26 | GPT Academic Pickle Deserialization Remote Code Execution | GPT Academic Pickle Deserialization Remote Code Execution (CVE-2026-0763) | AI blog | SonicWall |
| 11.4.26 | Double Agents: Exposing Security Blind Spots in GCP Vertex AI | Artificial intelligence (AI) agents are quickly advancing into powerful autonomous systems that can perform complex tasks. These agents can be integrated into enterprise workflows, interact with various services and make decisions with a degree of independence. Google Cloud Platform’s Vertex AI, with its Agent Engine and Application Development Kit (ADK), provides a comprehensive platform for developers to build and deploy these sophisticated agents. | AI blog | Palo Alto |
| 11.4.26 | When an Attacker Meets a Group of Agents: Navigating Amazon Bedrock's Multi-Agent Applications | Multi-agent AI systems extend beyond single-agent architectures by enabling groups of specialized agents to collaborate on complex tasks. This approach improves functionality and scalability, but it also expands the attack surface, introducing new pathways for exploitation through inter-agent communication and orchestration. | AI blog | Palo Alto |
| 11.4.26 | Operation TrueChaos: 0-Day Exploitation Against Southeast Asian Government Targets | Check Point Research identified a zero-day vulnerability in the TrueConf client application, tracked as CVE-2026-3502, with a CVSS score of 7.8. The flaw stems from the abuse of TrueConf’s updater validation mechanism, allowing an attacker who controls the on-premises TrueConf server to distribute and execute arbitrary files across all connected endpoints. | Cyber blog | CHECKPOINT |
| 11.4.26 | From the field to the report and back again: How incident responders can use the Year in Review | The Year in Review distills Talos IR's observations into structured intelligence, but defenders should also be feeding this report back into their own preparation cycles. Here's how. | Incident blog | CISCO TALOS |
| 11.4.26 | New Lua-based malware “LucidRook” observed in targeted attacks against Taiwanese organizations | Cisco Talos uncovered a cluster of activity we track as UAT-10362 conducting spear-phishing campaigns against Taiwanese non-governmental organizations (NGOs) and suspected universities to deliver a newly identified malware family, “LucidRook.” | Malware blog | CISCO TALOS |
| 11.4.26 | The Trojan horse of cybercrime: Weaponizing SaaS notification pipelines | Cisco Talos has recently observed an increase in activity that is leveraging notification pipelines in popular collaboration platforms to deliver spam and phishing emails. | Phishing blog | CISCO TALOS |
| 11.4.26 | Year in Review: Vulnerabilities old and new and something React2 | The year was characterized by an unending beat-down on infrastructure that relied on older enmeshed dependencies (e.g., Log4j and PHPUnit), while React2Shell rocketed to the highest percentage of attacks for the entire year within the last three weeks of 2025. | Vulnerebility blog | CISCO TALOS |
| 11.4.26 | [Video] The TTP Ep. 22: The Collapse of the Patch Window | In this episode of The Talos Threat Perspective, we discuss how vulnerability exploitation is accelerating, and why attacker speed, AI, and exposed systems are affecting the patch window. | Cyber blog | CISCO TALOS |
| 11.4.26 | The threat hunter’s gambit | Bill discusses why obsessing over strategy games is actually a secret weapon to outsmart threat actors. | Cyber blog | CISCO TALOS |
| 11.4.26 | Talos Takes: 2025's ransomware trends and zombie vulnerabilities | In this episode of Talos Takes, Amy and Pierre Cadieux unpack the ransomware and vulnerability trends that defined 2025. | Cyber blog | CISCO TALOS |
| 11.4.26 | Do not get high(jacked) off your own supply (chain) | In the span of just a few weeks, we have observed a dizzying array of major supply chain attacks. If we are all building on such shaky foundation, what can we do to keep safe? | Hacking blog | CISCO TALOS |
| 11.4.26 | Axios NPM supply chain incident | Overview of the recent Axios NPM supply chain incident including details of the payloads delivered from actor-controlled infrastructure. | Incident blog | CISCO TALOS |
| 11.4.26 | Recovery scammers hit you when you’re down: Here’s how to avoid a second strike | If you’ve been the victim of fraud, you’re likely already a lead on a ‘sucker list’ – and if you’re not careful, your ordeal may be about to get worse. | Spam blog | Eset |
| 11.4.26 | As breakout time accelerates, prevention-first cybersecurity takes center stage | Threat actors are using AI to supercharge tried-and-tested TTPs. When attacks move this fast, cyber-defenders need to rethink their own strategy. | AI blog | Eset |
| 11.4.26 | Masjesu Rising: The Commercial IoT Botnet Built for Stealth, DDoS, and IoT Evasion | Masjesu Botnet: Deep dive into the commercially-run IoT threat, its stealth, multi-XOR evasion, and expanded architecture targets. Secure your network! | BotNet blog | Trelix |
| 10.4.26 | Google Rolls Out DBSC in Chrome 146 to Block Session Theft on Windows | Google has made Device Bound Session Credentials (DBSC) generally available to all Windows users of its Chrome web browser, months after it | Safety | The Hacker News |
| 10.4.26 | Backdoored Smart Slider 3 Pro Update Distributed via Compromised Nextend Servers | Unknown threat actors have hijacked the update system for the Smart Slider 3 Pro plugin for WordPress and Joomla to push a poisoned version containing a backdoor. | Virus | The Hacker News |
| 10.4.26 | EngageLab SDK Flaw Exposed 50M Android Users, Including 30M Crypto Wallet Installs | Details have emerged about a now-patched security vulnerability in a widely used third-party Android software development kit (SDK) called | Cryptocurrency | The Hacker News |
| 10.4.26 | UAT-10362 Targets Taiwanese NGOs with LucidRook Malware in Spear-Phishing Campaigns | A previously undocumented threat cluster dubbed UAT-10362 has been attributed to spear-phishing campaigns targeting Taiwanese non-governmental | APT | The Hacker News |
| 10.4.26 | Adobe Reader Zero-Day Exploited via Malicious PDFs Since December 2025 | Threat actors have been exploiting a previously unknown zero-day vulnerability in Adobe Reader using maliciously crafted PDF documents since at least | Exploit | The Hacker News |
| 10.4.26 | Bitter-Linked Hack-for-Hire Campaign Targets Journalists Across MENA Region | An apparent hack-for-hire campaign likely orchestrated by a threat actor with suspected ties to the Indian government targeted journalists, activists, and | APT | The Hacker News |
| 10.4.26 | New Chaos Variant Targets Misconfigured Cloud Deployments, Adds SOCKS Proxy | Cybersecurity researchers have flagged a new variant of malware called Chaos that's capable of hitting misconfigured cloud deployments, marking an | Virus | The Hacker News |
| 10.4.26 | Masjesu Botnet Emerges as DDoS-for-Hire Service Targeting Global IoT Devices | Cybersecurity researchers have lifted the curtain on a stealthy botnet that's designed for distributed denial-of-service (DDoS) attacks. Called Masjesu, the | BotNet | The Hacker News |
| 9.4.26 | APT28 Deploys PRISMEX Malware in Campaign Targeting Ukraine and NATO Allies | The Russian threat actor known as APT28 (aka Forest Blizzard and Pawn Storm) has been linked to a fresh spear-phishing campaign targeting Ukraine | APT | The Hacker News |
| 9.4.26 | Anthropic's Claude Mythos Finds Thousands of Zero-Day Flaws Across Major Systems | Artificial Intelligence (AI) company Anthropic announced a new cybersecurity initiative called Project Glasswing that will use a preview version of its new | AI | The Hacker News |
| 9.4.26 | N. Korean Hackers Spread 1,700 Malicious Packages Across npm, PyPI, Go, Rust | The North Korea-linked persistent campaign known as Contagious Interview has spread its tentacles by publishing malicious packages targeting the Go, | APT | The Hacker News |
| 8.4.26 | Iran-Linked Hackers Disrupt U.S. Critical Infrastructure by Targeting Internet-Exposed PLCs | Iran-affiliated cyber actors are targeting internet-facing operational technology (OT) devices across critical infrastructures in the U.S., including programmable | APT | The Hacker News |
| 8.4.26 | Russian State-Linked APT28 Exploits SOHO Routers in Global DNS Hijacking Campaign | The Russia-linked threat actor known as APT28 (aka Forest Blizzard) has been linked to a new campaign that has compromised insecure MikroTik and TP- | APT | The Hacker News |
| 8.4.26 | Docker CVE-2026-34040 Lets Attackers Bypass Authorization and Gain Host Access | A high-severity security vulnerability has been disclosed in Docker Engine that could permit an attacker to bypass authorization plugins (AuthZ) under | Vulnerebility | The Hacker News |
| 8.4.26 | Over 1,000 Exposed ComfyUI Instances Targeted in Cryptomining Botnet Campaign | An active campaign has been observed targeting internet-exposed instances running ComfyUI, a popular stable diffusion platform, to enlist them into a | Cryptocurrency | The Hacker News |
| 8.4.26 | New GPUBreach Attack Enables Full CPU Privilege Escalation via GDDR6 Bit-Flips | New academic research has identified multiple RowHammer attacks against high-performance graphics processing units (GPUs) that could be exploited to | Attack | The Hacker News |
| 8.4.26 | China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware | A China-based threat actor known for deploying Medusa ransomware has been linked to the weaponization of a combination of zero-day and N-day | APT | The Hacker News |
| 8.4.26 | Flowise AI Agent Builder Under Active CVSS 10.0 RCE Exploitation; 12,000+ Instances Exposed | Threat actors are exploiting a maximum-severity security flaw in Flowise, an open-source artificial intelligence (AI) platform, according to new findings | AI | The Hacker News |
| 8.4.26 | Iran-Linked Password-Spraying Campaign Targets 300+ Israeli Microsoft 365 Organizations | An Iran-nexus threat actor is suspected to be behind a password-spraying campaign targeting Microsoft 365 environments in Israel and the U.A.E. | APT | The Hacker News |
| 8.4.26 | DPRK-Linked Hackers Use GitHub as C2 in Multi-Stage Attacks Targeting South Korea | Threat actors likely associated with the Democratic People's Republic of Korea (DPRK) have been observed using GitHub as command-and-control (C2) | APT | The Hacker News |
| 8.4.26 | Qilin and Warlock Ransomware Use Vulnerable Drivers to Disable 300+ EDR Tools | Threat actors associated with Qilin and Warlock ransomware operations have been observed using the bring your own vulnerable driver (BYOVD) technique | Ransom | The Hacker News |
| 8.4.26 | BKA Identifies REvil Leaders Behind 130 German Ransomware Attacks | Germany's Federal Criminal Police Office (aka BKA or the Bundeskriminalamt) has unmasked the real identities of two of the key figures associated with the | BigBrothers | The Hacker News |
| 8.4.26 | $285 Million Drift Hack Traced to Six-Month DPRK Social Engineering Operation | Drift has revealed that the April 1, 2026, attack that led to the theft of $285 million was the culmination of a months-long targeted and meticulously | APT | The Hacker News |
| 6.4.26 | TeamPCP Supply Chain Campaign: Update 006 - CERT-EU Confirms European Commission Cloud Breach, Sportradar Details Emerge, and Mandiant Quantifies Campaign at 1,000+ SaaS Environments | This is the sixth update to the TeamPCP supply chain campaign threat intelligence report, "When the Security Scanner Became the Weapon" (v3.0, March 25, 2026). Update 005 covered developments through April 1, including the first confirmed victim disclosure (Mercor AI), Wiz's post-compromise cloud enumeration findings, DPRK attribution of the axios compromise, and LiteLLM's release resumption after Mandiant's forensic audit. This update covers intelligence from April 1 through April 3, 2026. | Incindent | SANS |
| 6.4.26 | TeamPCP Supply Chain Campaign: Update 005 - First Confirmed Victim Disclosure, Post-Compromise Cloud Enumeration Documented, and Axios Attribution Narrows | This is the fifth update to the TeamPCP supply chain campaign threat intelligence report, "When the Security Scanner Became the Weapon" (v3.0, March 25, 2026). Update 004 covered developments through March 30, including the Databricks investigation, dual ransomware operations, and AstraZeneca data release. This update consolidates two days of intelligence through April 1, 2026. | Incindent | SANS |
| 6.4.26 | TeamPCP Supply Chain Campaign: Update 004 - Databricks Investigating Alleged Compromise, TeamPCP Runs Dual Ransomware Operations, and AstraZeneca Data Released | This is the fourth update to the TeamPCP supply chain campaign threat intelligence report, "When the Security Scanner Became the Weapon" (v3.0, March 25, 2026). Update 003 covered developments through March 28, including the first 48-hour pause in new compromises and the campaign's shift to monetization. This update consolidates intelligence from March 28-30, 2026 -- two days since our last update. | Incindent | SANS |
| 6.4.26 | TeamPCP Supply Chain Campaign: Update 003 - Operational Tempo Shift as Campaign Enters Monetization Phase With No New Compromises in 48 Hours | This is the third update to the TeamPCP supply chain campaign threat intelligence report, "When the Security Scanner Became the Weapon" (v3.0, March 25, 2026). Update 002 covered developments through March 27, including the Telnyx PyPI compromise and Vect ransomware partnership. This update covers developments from March 27-28, 2026. | Incindent | SANS |
| 6.4.26 | TeamPCP Supply Chain Campaign: Update 002 - Telnyx PyPI Compromise, Vect Ransomware Mass Affiliate Program, and First Named Victim Claim | This is the second update to the TeamPCP supply chain campaign threat intelligence report, "When the Security Scanner Became the Weapon" (v3.0, March 25, 2026). Update 001 covered developments through March 26. This update covers developments from March 26-27, 2026. | Incindent | SANS |
| 6.4.26 | TeamPCP Supply Chain Campaign: Update 001 - Checkmarx Scope Wider Than Reported, CISA KEV Entry, and Detection Tools Available | This is the first update to the TeamPCP supply chain campaign threat intelligence report, "When the Security Scanner Became the Weapon" (v3.0, March 25, 2026). That report covers the full campaign from the February 28 initial access through the March 24 LiteLLM PyPI compromise. This update covers developments since publication. | Incindent | SANS |
| 6.4.26 | Traffic violation scams switch to QR codes in new phishing texts | Scammers are sending fake "Notice of Default" traffic violation text messages impersonating state courts across the U.S., pressuring recipients to scan a QR code that leads to a phishing site demanding a $6.99 payment while stealing personal and financial information. | Phishing | |
| 6.4.26 | New FortiClient EMS flaw exploited in attacks, emergency patch released | Fortinet has released an emergency weekend security update for a new critical FortiClient Enterprise Management Server (EMS) vulnerability that is actively exploited in attacks. | Vulnerebility | BleepingComputer |
| 6.4.26 | Hackers exploit React2Shell in automated credential theft campaign | Hackers are running a large-scale campaign to steal credentials in an automated way after exploiting React2Shell (CVE-2025-55182) in vulnerable Next.js apps. | Vulnerebility | |
| 6.4.26 | Device code phishing attacks surge 37x as new kits spread online | Device code phishing attacks that abuse the OAuth 2.0 Device Authorization Grant flow to hijack accounts have surged more than 37 times this year. | Phishing | |
| 6.4.26 | LinkedIn secretly scans for 6,000+ Chrome extensions, collects data | A new report dubbed "BrowserGate" warns that Microsoft's LinkedIn is using hidden JavaScript scripts on its website to scan visitors' browsers for installed extensions and collect device data. | Social | |
| 6.4.26 | Hims & Hers warns of data breach after Zendesk support ticket breach | Telehealth giant Hims & Hers Health is warning that it suffered a data breach after support tickets were stolen from a third-party customer service platform. | Incindent | BleepingComputer |
| 6.4.26 | Die Linke German political party confirms data stolen by Qilin ransomware | The Qilin ransomware group has claimed responsibility for an attack against Die Linke ('The Left'), forcing an IT systems outage at the political party and threatening to leak sensitive data. | Ransom | |
| 6.4.26 | Evolution of Ransomware: Multi-Extortion Ransomware Attacks | Multi-extortion ransomware relies on stolen data to pressure victims with public leaks. Penta Security explains how its D.AMO platform keeps exfiltrated files encrypted and useless to attackers. | Ransom | |
| 6.4.26 | Microsoft still working to fix Exchange Online mailbox access issues | Microsoft is investigating and working to resolve Exchange Online mailbox access issues that have intermittently affected Outlook mobile and macOS users for weeks. | OS | BleepingComputer |
| 6.4.26 | Man admits to locking thousands of Windows devices in extortion plot | A former core infrastructure engineer has pleaded guilty to locking Windows admins out of 254 servers as part of a failed extortion plot targeting his employer, an industrial company headquartered in Somerset County, New Jersey. | OS | BleepingComputer |
| 6.4.26 | Microsoft now force upgrades unmanaged Windows 11 24H2 PCs | Starting this week, Microsoft has begun force-upgrading unmanaged devices running Windows 11 24H2 Home and Pro editions to Windows 11 25H2. | OS | |
| 6.4.26 | CERT-EU: European Commission hack exposes data of 30 EU entities | The European Union's Cybersecurity Service (CERT-EU) has attributed the European Commission cloud hack to the TeamPCP threat group, saying the resulting breach exposed the data of at least 29 other Union entities. | Incindent | BleepingComputer |
| 6.4.26 | Claude Code leak used to push infostealer malware on GitHub | Threat actors are exploiting the recent Claude Code source code leak by using fake GitHub repositories to deliver Vidar information-stealing malware. | AI | BleepingComputer |
| 6.4.26 | Drift loses $280 million as North Korean hackers seize Security Council powers | The Drift Protocol lost at least $280 million after a threat actor took control of its Security Council administrative powers in a planned, sophisticated operation. | APT | BleepingComputer |
| 6.4.26 | Residential proxies evaded IP reputation checks in 78% of 4B sessions | Researchers warn that residential proxies used to route malicious traffic are a big problem for IP reputation systems, as there is no clear distinction between attackers and legitimate users. | Security | |
| 6.4.26 | Adversaries Exploit Vacant Homes to Intercept Mail in Hybrid Cybercrime | Threat actors are exploiting vacant homes as "drop addresses" to intercept mail and enable fraud. Flare shows how postal services and fake identities are abused to turn mail into a fraud vector. | Exploit | BleepingComputer |
| 6.4.26 | New Progress ShareFile flaws can be chained in pre-auth RCE attacks | Two vulnerabilities in Progress ShareFile, an enterprise-grade secure file transfer solution, can be chained to enable unauthenticated file exfiltration from affected environments. | Vulnerebility | |
| 6.4.26 | Medtech giant Stryker fully operational after data-wiping attack | Stryker Corporation, one of the world's leading medical technology companies, says it's fully operational three weeks after many of its systems were wiped out in a cyberattack claimed by the Iranian-linked Handala hacktivist group. | Hack | BleepingComputer |
| 5.4.26 | 36 Malicious npm Packages Exploited Redis, PostgreSQL to Deploy Persistent Implants | Cybersecurity researchers have discovered 36 malicious packages in the npm registry that are disguised as Strapi CMS plugins but come with different | Exploit | The Hacker News |
| 5.4.26 | Fortinet Patches Actively Exploited CVE-2026-35616 in FortiClient EMS | Fortinet has released out-of-band patches for a critical security flaw impacting FortiClient EMS that it said has been exploited in the wild. The vulnerability, | Vulnerebility | The Hacker News |
| 5.4.26 | Critical Cisco IMC auth bypass gives attackers Admin access | Cisco has patched several critical and high-severity vulnerabilities, including an Integrated Management Controller (IMC) authentication bypass that enables attackers to gain Admin access. | Vulnerebility | |
| 5.4.26 | Microsoft links Classic Outlook issue to email delivery problems | | OS | |
| 5.4.26 | Over 14,000 F5 BIG-IP APM instances still exposed to RCE attacks | Internet security watchdog Shadowserver has found over 14,000 BIG-IP APM instances exposed online amid ongoing attacks exploiting a critical-severity remote code execution (RCE) vulnerability. | Vulnerebility | |
| 5.4.26 | New CrystalRAT malware adds RAT, stealer and prankware features | A new malware-as-a-service called CrystalRAT is being promoted on Telegram, offering remote access, data theft, keylogging, and clipboard hijacking capabilities. | Virus | BleepingComputer |
| 5.4.26 | Apple expands iOS 18 updates to more iPhones to block DarkSword attacks | Apple has now made it possible for more iPhones still running iOS 18 to receive security updates that protect against the actively exploited DarkSword exploit kit. | OS | |
| 5.4.26 | Hackers exploit TrueConf zero-day to push malicious software updates | Hackers have targeted TrueConf conference servers in attacks that exploit a zero-day vulnerability, allowing them to execute arbitrary files on all connected endpoints. | Exploit | |
| 5.4.26 | New EvilTokens service fuels Microsoft device code phishing attacks | A new malicious kit called EvilTokens integrates device code phishing capabilities, allowing attackers to hijack Microsoft accounts, and provides advanced features for business email compromise attacks. | Virus | |
| 5.4.26 | 'NoVoice' Android malware on Google Play infected 2.3 million devices | A new Android malware dubbed NoVoice exploited known vulnerabilities to gain root access and has been distributed through more than 50 apps on Google Play Store, with at least 2.3 million downloads. | Virus | BleepingComputer |
| 5.4.26 | Routine Access Is Powering Modern Intrusions, a New Threat Report Finds | Modern intrusions increasingly start with valid credentials and routine access, not exploits. Blackpoint Cyber's upcoming threat report shows how VPN abuse, RMM tools, and social engineering drive most incidents. | Exploit | |
| 5.4.26 | FBI warns against using Chinese mobile apps due to privacy risks | The U.S. Federal Bureau of Investigation (FBI) warned Americans against using foreign-developed mobile applications, particularly those created by Chinese developers. | APT | |
| 5.4.26 | Google fixes fourth Chrome zero-day exploited in attacks in 2026 | Google has fixed the fourth Chrome vulnerability exploited in zero-day attacks since the start of the year. | Exploit | BleepingComputer |
| 5.4.26 | Google Drive ransomware detection now on by default for paying users | Google announced that the AI-powered Google Drive ransomware detection feature has reached general availability and is now enabled by default for all paying users. | Ransom | BleepingComputer |
| 5.4.26 | New Windows 11 emergency update fixes preview update install issues | Microsoft released an emergency update to fix the March 2026 KB5079391 non-security preview update, which was pulled over the weekend due to installation issues. | OS | |
| 5.4.26 | Claude Code source code accidentally leaked in NPM package | Anthropic says it accidentally leaked the source code for Claude Code, which is closed source, but the company says no customer data or credentials were exposed. | AI | BleepingComputer |
| 4.4.26 | Proton launches new "Meet" privacy-focused conferencing platform | Proton has announced a new video conferencing service named Meet and positioned it as a privacy-focused alternative to mainstream services like Google Meet, Zoom, and Microsoft Teams. | Security | BleepingComputer |
| 4.4.26 | GIGABYTE Control Center vulnerable to arbitrary file write flaw | The GIGABYTE Control Center is vulnerable to an arbitrary file-write flaw that could allow a remote, unauthenticated attacker to access files on vulnerable hosts. | Vulnerebility | |
| 4.4.26 | Claude AI finds Vim, Emacs RCE bugs that trigger on file open | Vulnerabilities in the Vim and GNU Emacs text editors, discovered using simple prompts with the Claude assistant, allow remote code execution simply by opening a file. | AI | |
| 4.4.26 | Cisco source code stolen in Trivy-linked dev environment breach | Cisco has suffered a cyberattack after threat actors used stolen credentials from the recent Trivy supply chain attack to breach its internal development environment and steal source code belonging to the company and its customers. | Incindent | BleepingComputer |
| 4.4.26 | How to Categorize AI Agents and Prioritize Risk | AI agent risk isn't uniform: it scales with access to systems and level of autonomy. Token Security explains how CISOs should categorize agents and prioritize what to secure first. | AI | |
| 4.4.26 | Hackers compromise Axios npm package to drop cross-platform malware | Hackers hijacked the npm account of the Axios package, a JavaScript HTTP client with 100M+ weekly downloads, to deliver remote access trojans to Linux, Windows, and macOS systems. | Virus | |
| 4.4.26 | Hacker charged with stealing $53 million from Uranium crypto exchange | U.S. prosecutors have charged a Maryland man with stealing more than $53 million after hacking the Uranium Finance crypto exchange twice and laundering the proceeds through a cryptocurrency mixer. | Cryptocurrency | |
| 4.4.26 | Dutch Finance Ministry takes treasury banking portal offline after breach | The Dutch Ministry of Finance took some of its systems offline, including the digital portal for treasury banking, while investigating a cyberattack detected two weeks ago. | BigBrothers | BleepingComputer |
| 4.4.26 | CISA orders feds to patch actively exploited Citrix flaw by Thursday | The U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered government agencies to patch their Citrix NetScaler appliances against an actively exploited vulnerability by Thursday. | Exploit | |
| 4.4.26 | Healthcare tech firm CareCloud says hackers stole patient data | Healthcare IT firm CareCloud has disclosed a data breach incident that exposed sensitive data and caused a network disruption lasting approximately eight hours. | Incindent | |
| 4.4.26 | New RoadK1ll WebSocket implant used to pivot on breached networks | A newly identified malicious implant named RoadK1ll is enabling threat actors to quietly move from a compromised host to other systems on the network. | Incindent | BleepingComputer |
| 4.4.26 | Critical Citrix NetScaler memory flaw actively exploited in attacks | Hackers are exploiting a critical severity vulnerability, tracked as CVE-2026-3055, in Citrix NetScaler ADC and NetScaler Gateway appliances to obtain sensitive data. | Vulnerebility | BleepingComputer |
| 4.4.26 | China-Linked TA416 Targets European Governments with PlugX and OAuth-Based Phishing | A China-aligned threat actor has set its sights on European government and diplomatic organizations since mid-2025, following a two-year period of | APT | The Hacker News |
| 4.4.26 | Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux Servers | Threat actors are increasingly using HTTP cookies as a control channel for PHP-based web shells on Linux servers and to achieve remote code execution, | Hack | The Hacker News |
| 4.4.26 | | Building on recent BRICKSTORM research from Google Threat Intelligence Group (GTIG), this post explores the evolving threats facing virtualized environments. These operations directly target the VMware vSphere ecosystem, specifically the vCenter Server Appliance (VCSA) and ESXi hypervisors. To help organizations stay ahead of these risks, we will focus on the essential hardening strategies and mitigating controls necessary to secure these critical assets. | Malware blog | GTI |
| 4.4.26 | | Google Threat Intelligence Group (GTIG) is tracking an active software supply chain attack targeting the popular Node Package Manager (NPM) package "axios." Between March 31, 2026, 00:21 and 03:20 UTC, an attacker introduced a malicious dependency named "plain-crypto-js" into axios NPM releases versions 1.14.1 and 0.30.4. Axios is the most popular JavaScript library used to simplify HTTP requests, and these packages typically have over 100 million and 83 million weekly downloads, respectively. | APT blog | GTI |
| 4.4.26 | Eclypsium Detects F5 BIG-IP Remote Code Execution Vulnerability (CVE-2025-53521) | A vulnerability in F5 BIG-IP systems that allows unauthenticated remote code execution by attackers has been added to the CISA Known Exploited Vulnerabilities catalog. CVE-2025-53521 was disclosed on October 15, 2025, but only added to the KEV on March 27, 2026. | Vulnerebility blog | Eclypsium |
| 4.4.26 | Operation DualScript – A Multi-Stage PowerShell Malware Campaign Targeting Cryptocurrency and Financial Activity | During our investigation, we identified a multi-stage malware infection leveraging Scheduled Task persistence, VBScript launchers, and PowerShell-based execution. The attack operates through two parallel chains:... | Cyber blog | Seqrite |
| 4.4.26 | The Week in Vulnerabilities: AI Frameworks, VMware, and Critical ICS Exposure | Critical vulnerabilities in AI frameworks, VMware environments, EV charging platforms, and ICS systems show growing risks across enterprise and industrial ecosystems. | Cyber blog | Cyble |
| 4.4.26 | How Cyble Blaze AI Predicts Cyber Threats 6 Months in Advance Using Agentic Intelligence | Predictive Cybersecurity with Cyble Blaze AI uses agentic AI to forecast threats months ahead and automate faster, smarter responses. | AI blog | Cyble |
| 4.4.26 | Professional Networks Under Attack: Vietnam-Linked Actors Deploy PXA Stealer in Global Infostealer Campaign | Cyble dissects a LinkedIn job-lure campaign, exposing its multi-stage PXA Stealer tactic that hijacks accounts and steals sensitive data. | APT blog | Cyble |
| 4.4.26 | Hybrid Warfare 2026: When Cyber Operations and Kinetic Attacks Converge | In 2026, hybrid warfare blends cyberattacks and physical strikes, disrupting infrastructure and shaping global security dynamics. | Cyber blog | Cyble |
| 4.4.26 | Mitigating the Axios npm supply chain compromise | On March 31, 2026, the popular HTTP client Axios experienced a supply chain attack, causing two newly published npm packages for version updates to download from command and control (C2) that Microsoft Threat Intelligence has attributed to the North Korean state actor Sapphire Sleet. | Incident blog | Microsoft blog |
| 4.4.26 | TeamPCP's Telnyx Attack Marks a Shift in Tactics Beyond LiteLLM | Moving beyond their LiteLLM campaign, TeamPCP weaponizes the Telnyx Python SDK with stealthy WAV-based payloads to steal credentials across Linux, macOS, and Windows. | Hacking blog | Trend Micro |
| 4.4.26 | Axios NPM Package Compromised: Supply Chain Attack Hits JavaScript HTTP Client with 100M+ Weekly Downloads | A supply chain attack hit Axios when attackers used stolen npm credentials to publish malicious versions containing a phantom dependency. This triggered a cross-platform RAT during installation and replaced its files with clean decoys, making detection challenging. | Incident blog | Trend Micro |
| 4.4.26 | Weaponizing Trust Signals: Claude Code Lures and GitHub Release Payloads | A packaging error in Anthropic’s Claude Code npm release briefly exposed internal source code. This entry examines how threat actors rapidly weaponized the resulting attention, pivoting an existing AI-themed campaign to spread Vidar and GhostSocks. | AI blog | Trend Micro |
| 4.4.26 | Three Decades for a 3-Line Fix: The Critical telnetd Bug Hiding in Plain Sight (CVE-2026-32746) | The SonicWall Capture Labs threat research team became aware of an out-of-bounds write vulnerability in the Telnet server shipped with GNU Inetutils, assessed its impact and developed mitigation measures. Telnetd hardly needs an introduction. It is one of the oldest and most widely distributed network utilities on Linux systems. | Vulnerebility blog | SonicWall |
| 4.4.26 | GPT Academic Pickle Deserialization Remote Code Execution | SonicWall Capture Labs threat research team became aware of the threat CVE-2026-0763, assessed its impact, and developed mitigation measures for this vulnerability. The flaw, also tracked as ZDI-26-029, is a critical unauthenticated remote code execution vulnerability affecting GPT Academic in versions 3.91 and earlier. | AI blog | SonicWall |
| 4.4.26 | Double Agents: Exposing Security Blind Spots in GCP Vertex AI | Artificial intelligence (AI) agents are quickly advancing into powerful autonomous systems that can perform complex tasks. These agents can be integrated into enterprise workflows, interact with various services and make decisions with a degree of independence. Google Cloud Platform’s Vertex AI, with its Agent Engine and Application Development Kit (ADK), provides a comprehensive platform for developers to build and deploy these sophisticated agents. | AI blog | Palo Alto |
| 4.4.26 | ChatGPT Data Leakage via a Hidden Outbound Channel in the Code Execution Runtime | Sensitive data shared with ChatGPT conversations could be silently exfiltrated without the user’s knowledge or approval. | AI blog | CHECKPOINT |
| 4.4.26 | Operation TrueChaos: 0-Day Exploitation Against Southeast Asian Government Targets | Check Point Research identified a zero-day vulnerability in the TrueConf client application, tracked as CVE-2026-3502, with a CVSS score of 7.8. The flaw stems from the abuse of TrueConf’s updater validation mechanism, allowing an attacker who controls the on-premises TrueConf server to distribute and execute arbitrary files across all connected endpoints. | Hacking blog | CHECKPOINT |
| 4.4.26 | UAT-10608: Inside a large-scale automated credential harvesting operation targeting web applications | Talos is disclosing a large-scale automated credential harvesting campaign carried out by a threat cluster we currently track as UAT-10608. The campaign is primarily leveraging a collection framework dubbed “NEXUS Listener.” | Hacking blog | CISCO TALOS |
| 4.4.26 | Qilin EDR killer infection chain | This blog provides an in-depth analysis of the malicious “msimg32.dll” used in Qilin ransomware attacks, which is a multi-stage infection chain targeting EDR systems. | Hacking blog | CISCO TALOS |
| 4.4.26 | Inside the Talos 2025 Year in Review: A discussion on what the data means for defenders | A conversation between Cisco Talos and Cisco Security leaders on the 2025 threat landscape, from identity attacks and legacy vulnerabilities to AI-driven threats, and what defenders should prioritize now. | Cyber blog | CISCO TALOS |
| 4.4.26 | An overview of ransomware threats in Japan in 2025 and early detection insights from Qilin cases | There were 134 ransomware incidents reported in Japan in 2025, representing a 17.5% year-over-year increase from 2024. | Ransom blog | CISCO TALOS |
| 4.4.26 | Do not get high(jacked) off your own supply (chain) | In the span of just a few weeks, we have observed a dizzying array of major supply chain attacks. If we are all building on such shaky foundation, what can we do to keep safe? | Hacking blog | CISCO TALOS |
| 4.4.26 | Axios NPM supply chain incident | Overview of the recent Axios NPM supply chain incident including details of the payloads delivered from actor-controlled infrastructure. | Incident blog | CISCO TALOS |
| 4.4.26 | The democratisation of business email compromise fraud | This week, Martin tells the story of a crime he encountered and how it shows that the threat landscape is changing. | BigBrother blog | CISCO TALOS |
| 4.4.26 | [Video] The TTP Ep 21: When Attackers Become Trusted Users | An episode of the Talos Threat Perspective on the 2025 Year in Review trends. We explore how identity is being used to gain, extend, and maintain access inside environments. | Cyber blog | CISCO TALOS |
| 4.4.26 | Ransomware in 2025: Blending in is the strategy | A summary of the top ransomware trends from the Talos 2025 Year in Review, with a focus on identity, attacker tactics, and practical defenses. | Ransom blog | CISCO TALOS |
| 4.4.26 | Digital assets after death: Managing risks to your loved one’s digital estate | Fraudsters often target the accounts of the deceased or their grieving relatives. Here’s how to keep the scammers at bay. | Spam blog | Eset |
| 4.4.26 | This month in security with Tony Anscombe – March 2026 edition | The past four weeks have seen a slew of new cybersecurity wake-up calls that showed why every organization needs a well-thought-out cyber-resilience plan | Cyber blog | Eset |
| 3.4.26 | UNC1069 Social Engineering of Axios Maintainer Led to npm Supply Chain Attack | The maintainer of the Axios npm package has confirmed that the supply chain compromise was the result of a highly targeted social engineering campaign | APT | The Hacker News |
| 3.4.26 | New SparkCat Variant in iOS, Android Apps Steals Crypto Wallet Recovery Phrase Images | Cybersecurity researchers have discovered a new version of the SparkCat malware on the Apple App Store and Google Play Store, more than a year after | OS | The Hacker News |
| 3.4.26 | Drift Loses $285 Million in Durable Nonce Social Engineering Attack Linked to DPRK | Solana-based decentralized exchange Drift has confirmed that attackers drained about $285 million from the platform during a security incident that | APT | The Hacker News |
| 3.4.26 | Hackers Exploit CVE-2025-55182 to Breach 766 Next.js Hosts, Steal Credentials | A large-scale credential harvesting operation has been observed exploiting the React2Shell vulnerability as an initial infection vector to steal database | Exploit | The Hacker News |
| 2.4.26 | Cisco Patches 9.8 CVSS IMC and SSM Flaws Allowing Remote System Compromise | Cisco has released updates to address a critical security flaw in the Integrated Management Controller (IMC) that, if successfully exploited, could allow an | Vulnerebility | The Hacker News |
| 2.4.26 | Researchers Uncover Mining Operation Using ISO Lures to Spread RATs and Crypto Miners | A financially motivated operation codenamed REF1695 has been observed leveraging fake installers to deploy remote access trojans (RATs) and | Virus | The Hacker News |
| 2.4.26 | WhatsApp Alerts 200 Users After Fake iOS App Installed Spyware; Italian Firm Faces Action | Meta-owned messaging platform WhatsApp said it alerted about 200 users who were tricked into installing a bogus version of its iOS app that was infected with spyware. According to reports from Italian newspaper La | Social | The Hacker News |
| 2.4.26 | Apple Expands iOS 18.7.7 Update to More Devices to Block DarkSword Exploit | Apple on Wednesday expanded the availability of iOS 18.7.7 and iPadOS 18.7.7 to a broader range of devices to protect users from the risk posed by a | OS | The Hacker News |
| 1.4.26 | Apple adds macOS Terminal warning to block ClickFix attacks | Apple has introduced a security feature in macOS Tahoe 26.4 that blocks pasting and executing potentially harmful commands in Terminal and alerts users to possible risks. | OS | |
| 1.4.26 | How to Evaluate AI SOC Agents: 7 Questions Gartner Says You Should Be Asking | AI SOC agents can reduce alert fatigue, but most teams fail to measure real outcomes. Prophet Security breaks down Gartner's questions for evaluating AI SOC agents and separating real impact from hype. | AI | |
| 1.4.26 | Hackers exploiting critical F5 BIG-IP flaw in attacks, patch now | F5 has reclassified a BIG-IP APM denial-of-service (DoS) vulnerability as a critical-severity remote code execution (RCE) flaw, warning that attackers are exploiting it to deploy webshells on unpatched devices. | Vulnerability | |
| 1.4.26 | Microsoft pulls KB5079391 Windows update over install issues | Microsoft has pulled a buggy Windows 11 non-security preview update to investigate a known issue that triggers 0x80073712 errors during installation. | OS | BleepingComputer |
| 1.4.26 | Critical Fortinet FortiClient EMS flaw now exploited in attacks | Attackers are now actively exploiting a critical vulnerability in Fortinet's FortiClient EMS platform, according to threat intelligence company Defused. | Vulnerability | |
| 1.4.26 | European Commission confirms data breach after Europa.eu hack | The European Commission has confirmed a data breach after its Europa.eu web platform was hacked in a cyberattack claimed by the ShinyHunters extortion gang. | Incident | |
| 1.4.26 | FBI confirms hack of Director Patel's personal email inbox | The Handala hackers associated with Iran have breached the personal email account of FBI Director Kash Patel and published photos and documents. | Incident | |
| 1.4.26 | File read flaw in Smart Slider plugin impacts 500K WordPress sites | A vulnerability in the Smart Slider 3 WordPress plugin, active on more than 800,000 websites, can be exploited to allow subscriber-level users access to arbitrary files on the server. | Vulnerability | BleepingComputer |
| 1.4.26 | New Infinity Stealer malware grabs macOS data via ClickFix lures | A new info-stealing malware named Infinity Stealer is targeting macOS systems with a Python payload packaged as an executable using the open-source Nuitka compiler. | Virus | BleepingComputer |
| 1.4.26 | CERT-UA Impersonation Campaign Spread AGEWHEEZE Malware to 1 Million Emails | The Computer Emergency Response Team of Ukraine (CERT-UA) has disclosed details of a new phishing campaign in which the cybersecurity agency itself | BigBrothers | The Hacker News |
| 1.4.26 | Microsoft Warns of WhatsApp-Delivered VBS Malware Hijacking Windows via UAC Bypass | Microsoft is calling attention to a new campaign that has leveraged WhatsApp messages to distribute malicious Visual Basic Script (VBS) files. The activity, | Virus | The Hacker News |
| 1.4.26 | Block the Prompt, Not the Work: The End of "Doctor No" | There is a character that keeps appearing in enterprise security departments, and most CISOs know exactly who that is. It doesn’t build. It doesn’t enable. Its | Cyber | The Hacker News |
| 1.4.26 | Casbaneiro Phishing Targets Latin America and Europe Using Dynamic PDF Lures | A multi-pronged phishing campaign is targeting Spanish-speaking users in organizations across Latin America and Europe to deliver Windows banking | Phishing | The Hacker News |
| 1.4.26 | New Chrome Zero-Day CVE-2026-5281 Under Active Exploitation — Patch Released | Google on Thursday released security updates for its Chrome web browser to address 21 vulnerabilities, including a zero-day flaw that it said has been | Exploit | The Hacker News |
| 1.4.26 | Google Attributes Axios npm Supply Chain Attack to North Korean Group UNC1069 | Google has formally attributed the supply chain compromise of the popular Axios npm package to a financially motivated North Korean threat activity | APT | The Hacker News |
| 1.4.26 | Claude Code Source Leaked via npm Packaging Error, Anthropic Confirms | Anthropic on Tuesday confirmed that internal code for its popular artificial intelligence (AI) coding assistant, Claude Code, had been inadvertently | AI | The Hacker News |
| 1.4.26 | Android Developer Verification Rollout Begins Ahead of September Enforcement | Google on Monday said it's officially rolling out Android developer verification to all developers to combat the problem of bad actors distributing harmful | OS | The Hacker News |
| 1.4.26 | TrueConf Zero-Day Exploited in Attacks on Southeast Asian Government Networks | A high-severity security flaw in the TrueConf client video conferencing software has been exploited in the wild as a zero-day as part of a campaign | Exploit | The Hacker News |