Cybersecurity Newsletter April 6th 2026
In this week’s news: LinkedIn secretly scans for 6,000+ Chrome extensions, collects data, Fortinet issued emergency patches for a critical FortiClient EMS flaw, BKA Identifies REvil Leaders Behind 130 German Ransomware Attacks, $285 Million Drift Hack Traced to Six-Month DPRK Social Engineering Operation, Hackers exploit React2Shell in automated credential theft campaign, UNC1069 Targets Node.js Maintainers via Fake LinkedIn, Slack Profiles, European Commission breach exposed data of 30 EU entities, Fake ChatGPT Ad Blocker Chrome Extension Caught Spying on Users, North Korean Hackers Abuse GitHub to Spy on South Korean Firms, AI Firm Mercor Confirms Breach as Hackers Claim 4TB of Stolen Data, Man admits to locking thousands of Windows devices in extortion plot and RCE vuln found in FreeBSD using Claude AI.
Last week, FreeBSD published a security advisory for CVE-2026-4747, a remote code execution vulnerability in its kernel. The advisory credited "Nicholas Carlini using Claude, Anthropic" for discovering the flaw. That credit line understates what happened. The AI system did not merely flag suspicious code or identify a potential bug. It developed two working exploits, from scratch, that deliver a super user, or root shell, on unpatched servers. The AI agent did this in roughly four hours of compute time.
https://www.forbes.com/sites/amirhusain/2026/04/01/ai-just-hacked-one-of-the-worlds-most-secure-operating-systems/
A new report dubbed "BrowserGate" warns that Microsoft's LinkedIn is using hidden JavaScript scripts on its website to scan visitors' browsers for installed extensions and collect device data. According to a report by Fairlinked e.V., which claims to be an association of commercial LinkedIn users, Microsoft's platform injects JavaScript into user sessions that checks for thousands of browser extensions and links the results to identifiable user profiles.
https://www.bleepingcomputer.com/news/security/linkedin-secretly-scans-for-6-000-plus-chrome-extensions-collects-data/
Fortinet released out-of-band patches for a critical FortiClient EMS vulnerability, tracked as CVE-2026-35616 (CVSS 9.1), which is already being exploited in attacks in the wild. The flaw is an improper access control issue that allows attackers to bypass authentication through an API and escalate privileges, posing a serious risk to affected systems.
https://securityaffairs.com/190392/hacking/cve-2026-35616-fortinet-fixes-actively-exploited-high-severity-flaw.html
Drift has revealed that the April 1, 2026, attack that led to the theft of $285 million was the culmination of a months-long targeted and meticulously planned social engineering operation undertaken by the Democratic People's Republic of Korea (DPRK) that began in the fall of 2025.
https://thehackernews.com/2026/04/285-million-drift-hack-traced-to-six.html
Hackers are running a large-scale campaign to steal credentials in an automated way after exploiting React2Shell (CVE-2025-55182) in vulnerable Next.js apps. At least 766 hosts across various cloud providers and geographies have been compromised to collect database and AWS credentials, SSH private keys, API keys, cloud tokens, and environment secrets. The operation uses a framework named NEXUS Listener and leverages automated scripts to extract and exfiltrate sensitive data from various applications.
https://www.bleepingcomputer.com/news/security/hackers-exploit-react2shell-in-automated-credential-theft-campaign/
CERT-EU attributed a European Commission cloud breach to the TeamPCP threat group, revealing that data from at least 30 EU entities was exposed. The incident was publicly disclosed on March 27 after inquiries confirmed that the Commission’s Amazon cloud environment had been compromised.
https://securityaffairs.com/190333/security/european-commission-breach-exposed-data-of-30-eu-entities-cert-eu-says.html
Telehealth giant Hims & Hers Health is warning that it suffered a data breach after support tickets were stolen from a third-party customer service platform. Hims & Hers is an American telehealth company specializing in the direct-to-consumer healthcare space, providing subscription-based treatments for hair loss, ED, mental health, skincare, weight loss, and other conditions or needs.
https://www.bleepingcomputer.com/news/security/hims-and-hers-warns-of-data-breach-after-zendesk-support-ticket-breach/
As OpenAI introduces adverts for its free-tier users, a new wave of scams is already looking to cash in. DomainTools, a team of internet infrastructure monitors, has identified a malicious Chrome extension titled ChatGPT Ad Blocker, which was available on the official Google Chrome Web Store as recently as 10 February 2026. While users thought they were simply blocking ads from their screens, the extension was actually keeping an eye on their conversations with the ChatGPT AI chatbot.
https://hackread.com/fake-chatgpt-ad-blocker-chrome-extension-spy-users/
A coordinated group of hackers is currently targeting Open Source Maintainers, particularly those managing Node.js and npm, following a high-profile attack on the popular Axios npm package. Security experts at Socket investigated these attacks, identifying that hackers are using social engineering techniques to initiate contact through LinkedIn or Slack, posing as recruiters or podcast hosts under fake company profiles and using fake meeting sites that look exactly like Microsoft Teams or Zoom.
https://hackread.com/unc1069-node-js-maintainer-fake-linkedin-slack-profile/
Germany's Federal Criminal Police Office (aka BKA or the Bundeskriminalamt) has unmasked the real identity of the main threat actors associated with the now-defunct REvil (aka Sodinokibi) ransomware-as-a-service (RaaS) operation. The threat actor, who went by the alias UNKN, functioned as a representative of the group, advertising the ransomware in June 2019 on the XSS cybercrime forum.
https://thehackernews.com/2026/04/bka-identifies-revil-leaders-behind-130.html
Qilin ransomware claims it stole data from Germany’s Die Linke and threatens to leak it; the party confirmed the incident, but not a breach.
https://securityaffairs.com/190348/cyber-crime/qilin-ransomware-group-claims-the-hack-of-german-political-party-die-linke.html
GreyNoise observed 4 billion malicious sessions during a 90-day period and described activity that appeared indistinguishable from normal user traffic at the network level. Residential proxies routed traffic through consumer broadband, mobile data, and small-business connections. These same IP ranges were used by employees, customers, and partners, which made it difficult to separate malicious activity based on source address alone.
https://www.helpnetsecurity.com/2026/04/06/residential-proxy-attack-traffic-ip-reputation-enterprise-security/
Scammers are sending fake "Notice of Default" traffic violation text messages impersonating state courts across the U.S., pressuring recipients to scan a QR code that leads to a phishing site demanding a $6.99 payment while stealing personal and financial information.
https://www.bleepingcomputer.com/news/security/traffic-violation-scams-switch-to-qr-codes-in-new-phishing-texts/
Device code phishing attacks that abuse the OAuth 2.0 Device Authorization Grant flow to hijack accounts have surged more than 37 times this year. In this type of attack, the threat actor sends a device authorization request to a service provider and receives a code, which is sent to the victim under various pretexts. Next, the victim is tricked into entering the code on the legitimate login page, thus authorizing the attacker's device to access the account through valid access and refresh tokens. This flow was designed to simplify connecting devices that do not have accessible input options (e.g., IoT devices, printers, streaming devices, and smart TVs).
https://www.bleepingcomputer.com/news/security/device-code-phishing-attacks-surge-37x-as-new-kits-spread-online/
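The device-code flow described above leaves a correlatable trail in identity-provider logs: one event when the code is requested, one when a user approves it, and one when the polling device redeems it for tokens. The script below is an added example (not from the article, the kits it mentions, or any vendor's detection content) that correlates constructed sample events by code id and flags grants where the requesting and redeeming address is not the one the user approved from, or where the requesting client is not one expected to use the flow. Field names, the client allowlist and the log lines are all assumptions made for the example; the "different address" rule is a noisy heuristic on its own (a user approving on a phone over mobile data will also trip it), so it is combined with the client check.

```python
"""Correlate OAuth device-code log events to spot grants that look hijacked.

Added example: field names and sample records are constructed, not a real
IdP export; adapt the three event names to whatever your provider emits.
"""
import json
from collections import defaultdict

# Constructed sample events (JSON lines). dc-1001 is a normal approval of a
# meeting-room display; dc-1002 shows the phishing shape from the text: the
# code is requested and redeemed from one address, approved from another.
SAMPLE_LOG = """\
{"ts":"2026-04-02T09:00:01Z","event":"device_code_issued","code_id":"dc-1001","client":"conference-room-display","ip":"10.20.0.15"}
{"ts":"2026-04-02T09:00:40Z","event":"device_code_authorized","code_id":"dc-1001","user":"a.ortiz","ip":"10.20.0.15"}
{"ts":"2026-04-02T09:00:45Z","event":"token_issued","code_id":"dc-1001","user":"a.ortiz","ip":"10.20.0.15","grant":"device_code"}
{"ts":"2026-04-02T11:12:03Z","event":"device_code_issued","code_id":"dc-1002","client":"generic-cli","ip":"203.0.113.77"}
{"ts":"2026-04-02T11:14:51Z","event":"device_code_authorized","code_id":"dc-1002","user":"b.chen","ip":"198.51.100.23"}
{"ts":"2026-04-02T11:14:55Z","event":"token_issued","code_id":"dc-1002","user":"b.chen","ip":"203.0.113.77","grant":"device_code"}
{"ts":"2026-04-02T12:00:00Z","event":"token_issued","code_id":null,"user":"c.diaz","ip":"198.51.100.40","grant":"authorization_code"}
"""

# Assumed allowlist: clients that legitimately use the device flow here
# (input-constrained devices such as displays, printers, TVs).
EXPECTED_DEVICE_FLOW_CLIENTS = {"conference-room-display"}


def parse_events(text):
    """Parse JSON-lines log text into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def flag_device_code_grants(events):
    """Return [(code_id, user, [reasons])] for device-code grants worth review.

    Signals (defender's view of the flow described in the text):
      * code requested from an address other than the one that approved it;
      * token redeemed from an address other than the one that approved it
        (the attacker's device is the one polling for the tokens);
      * requesting client is not on the allowlist of device-flow clients.
    """
    by_code = defaultdict(dict)
    for e in events:
        if e.get("code_id") is None:
            continue  # not part of a device-code flow
        by_code[e["code_id"]][e["event"]] = e

    findings = []
    for code_id, ev in by_code.items():
        issued = ev.get("device_code_issued")
        authorized = ev.get("device_code_authorized")
        token = ev.get("token_issued")
        if not (issued and authorized and token):
            continue  # flow never completed; nothing to correlate yet
        reasons = []
        if issued["ip"] != authorized["ip"]:
            reasons.append(
                f"code requested from {issued['ip']} but approved from {authorized['ip']}")
        if token["ip"] != authorized["ip"]:
            reasons.append(
                f"token redeemed from {token['ip']}, not the approving address")
        if issued["client"] not in EXPECTED_DEVICE_FLOW_CLIENTS:
            reasons.append(
                f"client {issued['client']!r} is not expected to use the device flow")
        if reasons:
            findings.append((code_id, authorized["user"], reasons))
    return findings


if __name__ == "__main__":
    for code_id, user, reasons in flag_device_code_grants(parse_events(SAMPLE_LOG)):
        print(f"{code_id} ({user})")
        for reason in reasons:
            print("  -", reason)
```

Running it prints only dc-1002 with all three reasons; the authorization-code sign-in for c.diaz is ignored because it carries no device code. In practice the redeemed-from address is the most useful of the three, since that is where the attacker's access and refresh tokens go.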
Researchers from FortiGuard Labs have uncovered a high-severity spying campaign targeting South Korean companies. Discover how North Korean hackers are using LNK files, hidden PowerShell scripts, and legitimate GitHub repositories to evade detection and steal sensitive system data from Windows users.
https://hackread.com/north-korean-hackers-github-spy-south-korean-firms/
Threat actors are increasingly using HTTP cookies as a control channel for PHP-based web shells on Linux servers and to achieve remote code execution, according to findings from the Microsoft Defender Security Research Team. "Instead of exposing command execution through URL parameters or request bodies, these web shells rely on threat actor-supplied cookie values to gate execution, pass instructions, and activate malicious functionality," the tech giant said.
https://thehackernews.com/2026/04/microsoft-details-cookie-controlled-php.html
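Because these web shells take their instructions from cookies rather than URL parameters or bodies, request logs show little, and a static sweep of the PHP tree is often the quicker check. The script below is an added example, not Microsoft's detection logic or code from the article, that triages PHP source for the three traits the quote describes: execution gated on a cookie value, a cookie value decoded before use, and a cookie-derived value reaching a code-execution function. The two PHP fixtures are constructed (one benign locale cookie, one minimal fragment in the described shape); the regexes are heuristics with a deliberately small single-file taint model, so treat hits as triage leads.

```python
"""Static triage of PHP files for cookie-controlled web-shell traits.

Added example with constructed fixtures; the patterns are heuristics and
should be tuned against your own code base before being used at scale.
"""
import re

SINKS = r"(?:eval|assert|system|exec|shell_exec|passthru|popen|proc_open|create_function)"
DECODERS = r"(?:base64_decode|gzinflate|gzuncompress|str_rot13|hex2bin)"
COOKIE = r"\$_COOKIE\s*\[[^\]]*\]"

# "$var = ... $_COOKIE[...]" within one statement taints $var
ASSIGN_RE = re.compile(r"(\$[A-Za-z_]\w*)\s*=\s*[^;]*" + COOKIE)
# a sink call and its argument text (up to the statement end)
SINK_RE = re.compile(r"@?\b" + SINKS + r"\s*\(([^;]*)\)")
# an if-condition that reads a cookie
GATE_RE = re.compile(r"\bif\s*\([^)]*" + COOKIE)
# a decoder applied directly to a cookie value
DECODE_RE = re.compile(DECODERS + r"\s*\(\s*" + COOKIE)
COMPARE_RE = re.compile(r"(md5|sha1|hash|===|==)")


def triage_php(source):
    """Return [(line_no, reason)] for lines showing cookie-driven execution traits."""
    tainted = {m.group(1) for m in ASSIGN_RE.finditer(source)}
    findings = []
    for n, line in enumerate(source.splitlines(), 1):
        for m in SINK_RE.finditer(line):
            arg = m.group(1)
            direct = re.search(COOKIE, arg)
            via_var = any(re.search(re.escape(v) + r"\b", arg) for v in tainted)
            if direct or via_var:
                findings.append((n, "cookie-controlled value reaches a code-execution sink"))
        if GATE_RE.search(line) and COMPARE_RE.search(line):
            findings.append((n, "execution gated on a cookie value"))
        if DECODE_RE.search(line):
            findings.append((n, "cookie value decoded before use"))
    return findings


# Constructed fixture: ordinary locale handling, should produce no findings.
BENIGN = """\
<?php
$lang = isset($_COOKIE['lang']) ? $_COOKIE['lang'] : 'en';
echo "Hello, " . htmlspecialchars($lang);
"""

# Constructed fixture in the shape the text describes: a cookie gates the
# branch, a second cookie is decoded, and the result reaches eval().
SUSPICIOUS = """\
<?php
// looks like a harmless helper but is driven entirely by request cookies
if (isset($_COOKIE['k']) && md5($_COOKIE['k']) === 'CONSTRUCTED_HASH') {
    $p = base64_decode($_COOKIE['p']);
    @eval($p);
}
"""

if __name__ == "__main__":
    for name, src in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, triage_php(src) or "no findings")
```

A file that trips all three traits in a few adjacent lines is a strong lead; a lone "decoded before use" hit on a session-cookie helper usually is not, which is why the output keeps the reasons separate rather than collapsing them into one score.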
The AI recruitment firm Mercor has confirmed it is dealing with a security incident following a widespread cyberattack linked to a compromised open-source tool. The breach is part of a large-scale supply chain attack that impacted thousands of organisations globally.
https://hackread.com/ai-firm-mercor-breach-hackers-4tb-data/
A former core infrastructure engineer has pleaded guilty to locking Windows admins out of 254 servers as part of a failed extortion plot targeting his employer, an industrial company headquartered in Somerset County, New Jersey. According to court documents, 57-year-old Daniel Rhyne from Kansas City, Missouri, remotely accessed the company's network without authorization using an administrator account between November 9 and November 25.
https://www.bleepingcomputer.com/news/security/man-admits-to-extortion-plot-locking-coworkers-out-of-thousands-of-windows-devices/