The disclosure window is officially a myth. Just ask Microsoft.
When exploit code becomes public, you’d better act fast. When a researcher dropped proof-of-concept code for three Microsoft Defender zero-days alongside a public grievance, Patch Tuesday effectively became patch-right-now-day. With BlueHammer, RedSun, and UnDefend seeing active, real-world exploitation, the race between defenders and weaponized public code has reached a sprint. Using AI to find bugs and build exploits only increases the pressure to act quickly, and that is true for everyone, not just Microsoft. In today’s newsletter, we’re also tracking NIST’s decision to scale back vulnerability ratings, Vercel’s credential-leak fallout, and a clever new tactic where attackers use QEMU virtual machines to ghost your EDR.
Attackers are exploiting three recently disclosed zero-day flaws in Microsoft Defender to gain higher privileges on compromised systems. The vulnerabilities, called BlueHammer, RedSun, and UnDefend, were revealed by a researcher known as Chaotic Eclipse after criticizing Microsoft’s handling of the disclosure. Chaotic Eclipse also published proof-of-concept code for the unpatched Windows bug.
https://securityaffairs.com/190961/hacking/microsoft-defender-under-attack-as-three-zero-days-two-of-them-still-unpatched-enable-elevated-access.html
Three days after the April 8, 2026, disclosure of a critical pre-authorization remote code execution (RCE) in the marimo Python notebook platform, the Sysdig Threat Research Team (TRT) observed multiple unique attacks, including a threat actor deploying malware that was hosted on HuggingFace Spaces using a marimo exploit. The malware binary we captured was a previously undocumented variant of NKAbuse, a Go-based backdoor using the NKN blockchain for C2.
https://www.sysdig.com/blog/cve-2026-39987-update-how-attackers-weaponized-marimo-to-deploy-a-blockchain-botnet-via-huggingface
Vercel, the company that created the open source Next.js web development framework, has disclosed a data leak that compromised some customer credentials, and blamed an outfit called Context.ai for the mess. A Vercel security bulletin says that on April 19, the company “identified a security incident that involved unauthorized access to certain internal Vercel systems” and led to credential compromise for “a limited subset of customers.” The company contacted those customers and “recommended an immediate rotation of credentials.”
https://www.theregister.com/2026/04/20/vercel_context_ai_security_incident/
Sophos researchers report a rise in attackers abusing QEMU, an open-source emulator, to hide malicious activity inside virtual machines. By running malware in a VM, attackers avoid endpoint security controls and leave minimal traces on the host system. This approach allows them to maintain long-term access, steal credentials, exfiltrate data, and eventually deploy ransomware such as PayoutsKing.
https://securityaffairs.com/190982/security/hidden-vms-how-hackers-leverage-qemu-to-stealthily-steal-data-and-spread-malware.html
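One place a defender can start, as an added example that is not from the Sophos report or this newsletter: a small Python triage script over constructed process-creation events that flags QEMU launches on hosts where virtualization is not expected, and adds weight when the command line runs headless, forwards a host port into the guest, or keeps its binary and disk image in a scratch directory. The log format, field names, hostnames and allowlist below are assumptions made for the example.

```python
"""Flag QEMU launches in endpoint process-creation telemetry.

Added example, not from the Sophos report or the newsletter: the log lines
below are constructed, and the field names are an assumed, simplified
process-creation schema (host, user, image path, command line).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hosts where a QEMU install is expected (assumed allowlist for this example).
APPROVED_VM_HOSTS = {"build-farm-01"}

# Matches qemu-system-<arch> or qemu-img as the image file name, with or without .exe.
QEMU_BINARY = re.compile(r"(^|[\\/])qemu-(system-\w+|img)(\.exe)?$", re.IGNORECASE)

# Command-line features that make a VM quieter on the host: no console window,
# a host port forwarded back into the guest, or a binary/disk image parked in
# a user-writable scratch location. Each adds a reason; none alone is proof.
INDICATORS = [
    (re.compile(r"-nographic\b|-display\s+none", re.I), "headless display"),
    (re.compile(r"hostfwd=", re.I), "host port forwarded into guest"),
    (re.compile(r"(ProgramData|AppData|Temp|/tmp/)", re.I), "binary or image in scratch path"),
]


@dataclass
class Finding:
    host: str
    user: str
    image: str
    reasons: List[str]


def parse_event(line: str) -> Dict[str, str]:
    # Format assumed for this example: key=value pairs separated by '|'.
    return dict(kv.split("=", 1) for kv in line.strip().split("|"))


def evaluate(event: Dict[str, str]) -> Optional[Finding]:
    """Return a Finding for a suspicious QEMU launch, or None for benign events."""
    image = event.get("image", "")
    if not QEMU_BINARY.search(image):
        return None
    reasons = []
    if event.get("host") not in APPROVED_VM_HOSTS:
        reasons.append("qemu on host not approved for virtualization")
    text = image + " " + event.get("cmdline", "")
    for pattern, why in INDICATORS:
        if pattern.search(text):
            reasons.append(why)
    if not reasons:
        return None
    return Finding(event.get("host", ""), event.get("user", ""), image, reasons)


def scan(lines: List[str]) -> List[Finding]:
    findings = []
    for line in lines:
        finding = evaluate(parse_event(line))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample telemetry: an approved build host, a finance laptop running
# a headless VM from ProgramData with SSH forwarded into the guest, and a benign event.
SAMPLE_EVENTS = [
    "host=build-farm-01|user=ci|image=/usr/bin/qemu-system-x86_64|cmdline=-m 4096 -drive file=/srv/images/test.qcow2",
    "host=fin-laptop-17|user=jdoe|image=C:\\ProgramData\\svc\\qemu-system-x86_64.exe|cmdline=-m 2048 -nographic -netdev user,id=n0,hostfwd=tcp::2222-:22 -drive file=C:\\ProgramData\\svc\\disk.qcow2",
    "host=fin-laptop-17|user=jdoe|image=C:\\Windows\\System32\\notepad.exe|cmdline=report.txt",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.host} {f.user} {f.image}: " + "; ".join(f.reasons))
```

The allowlist is the important knob: on most fleets QEMU should never appear outside a handful of engineering or lab hosts, so a bare launch elsewhere is already worth a ticket, and the command-line indicators mainly help rank which alert to look at first.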
Boost Security has released SmokedMeat, an open-source framework that runs attack chains against CI/CD infrastructure so engineering and security teams can see what an attacker would do in their specific environment.
https://www.helpnetsecurity.com/2026/04/20/smokedmeat-ci-cd-pipeline-attacks/
Apple account change notifications are being abused to send fake iPhone purchase phishing scams within legitimate emails sent from Apple's servers, increasing legitimacy and potentially allowing them to bypass spam filters. A reader shared an email with BleepingComputer that appeared to be a standard Apple security notification that stated their account information had been updated.
https://www.bleepingcomputer.com/news/security/apple-account-change-alerts-abused-to-send-phishing-emails/
The National Institute of Standards and Technology will stop assigning severity scores to lower-priority vulnerabilities due to the growing workload from rising submission volumes. Starting April 15, the National Vulnerability Database (NVD) will only analyze and provide additional details (e.g., severity rating, product lists) for security issues that meet specific criteria related to the risk they pose. NVD will still list all submitted vulnerabilities, but those considered low priority will carry only the severity rating from the CVE Numbering Authority (CNA) that evaluated and submitted them.
https://www.bleepingcomputer.com/news/security/nist-to-stop-rating-non-priority-flaws-due-to-volume-increase/
The European Commission is stepping up efforts to strengthen the EU’s digital sovereignty by awarding a cloud services tender worth up to €180 million over six years. The initiative gives EU institutions and agencies access to sovereign cloud services delivered by a group of Europe-based providers.
https://www.helpnetsecurity.com/2026/04/20/eu-sovereign-cloud-tender-180-million-eu/
Kamerin Stokes, 23, from Memphis (aka TheMFNPlug), received a 30-month prison sentence for his role in a 2022 credential stuffing attack against DraftKings. He continued selling stolen login data online even after pleading guilty. The court also ordered three years of supervised release, $125,000 in forfeiture, and $1.3 million in restitution, highlighting the financial impact of the breach and the consequences of ongoing cybercrime activity.
https://securityaffairs.com/190943/cyber-crime/draftkings-hacker-sentenced-to-prison-ordered-to-pay-1-4-million.html
A 24-year-old British national, Tyler Robert Buchanan, has pleaded guilty to orchestrating a massive cyberattack campaign that compromised over a dozen U.S. companies and resulted in the theft of at least $8 million in cryptocurrency.
https://gbhackers.com/british-hacker-admits-stealing-millions-in-virtual-currency/
The FBI has taken out a global phishing operation that targeted at least 17,000 victims and likely more than $20 million in fraud. Called W3LL, the operation involved a “phishing kit,” according to an FBI announcement. For $500, criminals could purchase the kit, which allowed them to impersonate the login pages of legitimate websites. That enabled them to steal credentials and even bypass multi-factor authentication (MFA).
https://www.inc.com/chloe-aiello/the-fbi-just-busted-a-global-phishing-empire-targeting-microsoft-365-accounts-heres-how-they-beat-mfa/91330893
CheckmateC2 is a custom agent and listener for the Havoc Framework (made by @Cracked5pider) that communicates entirely through Chess.com game collections and analysis boards using Base5 and FEN for data encoding.
https://github.com/OfficialScragg/CheckmateC2
A small Bluetooth tracking device hidden inside a mailed postcard revealed the location of a Dutch naval vessel for about 24 hours, raising security concerns. The low-cost tracker (reported as costing roughly €5/$5) exposed a warship valued at about half a billion euros/dollars, prompting scrutiny of physical tracking threats.
https://www.cnet.com/tech/mobile/how-to-tell-if-an-apple-airtag-is-tracking-you/
Kelp DAO’s rsETH bridge was reportedly exploited in a LayerZero-based attack that drained roughly $292 million, leaving wrapped Ether stranded across about 20 blockchains. The incident targeted the bridge mechanism, causing large cross-chain asset losses and prompting investigations and recovery attempts by affected protocols and security teams.
https://parameter.io/xrp-sees-1-08b-in-etf-assets-while-solana-wxrp-launch-triggers-security-concerns/
Reports indicate failed or shuttered startups are selling archived Slack conversations and historical email archives to AI companies and model trainers. These data sets—spanning internal chats and customer correspondence—are being packaged for AI training, raising concerns about consent, data provenance, privacy, and potential exposure of sensitive information.
https://www.techspot.com/news/112117-data-failed-startups-finds-second-life-ai-training.html