Cybersecurity News Digester

Weekly Review - April 27, 2026

Covers 7 daily digests (2026-04-21 to 2026-04-27).

All summaries, analysis, and story clustering are done by an LLM. It may make mistakes and say incorrect things. Check the sources and support the actual journalists.

Vulnerabilities & Patches

Mirai-based tuxnokill botnet exploits critical vulnerability in legacy D-Link routers

Active: 2026-04-22, 2026-04-23

The reporting initially identified the Mirai botnet as the actor exploiting a command injection vulnerability in discontinued D-Link routers. Subsequent updates specified that the campaign utilizes a Mirai-based malware payload known as tuxnokill and identified the specific affected hardware as D-Link DIR-823X routers. The coverage also identified the researchers responsible for disclosing the vulnerability.

Coverage Timeline

  • 2026-04-22: Reports indicate the Mirai botnet is exploiting a command injection vulnerability in end-of-life D-Link routers.
  • 2026-04-23: Coverage specifies that the tuxnokill malware is being used to target D-Link DIR-823X routers and identifies the researchers who disclosed the vulnerability.

Sources

  • Mirai Botnet Targets Flaw in Discontinued D-Link Routers - SecurityWeek, 2026-04-22 (quality: 17/21)
  • New Mirai campaign exploits RCE flaw in EoL D-Link routers - BleepingComputer, 2026-04-22 (quality: 20/21)

Data Breaches

Data breach at Rituals exposes personal information of My Rituals members

Active: 2026-04-23, 2026-04-24

The reporting initially focused on the discovery of unauthorized access to the personal information of My Rituals members. Subsequent coverage identified the presence of unidentified attackers and noted that the company had moved to notify affected customers. The scope of the breach was clarified to involve the unauthorized download of data from the membership database.

Coverage Timeline

  • 2026-04-23: SecurityWeek reports that a data breach at Rituals exposed the personal information of My Rituals members.
  • 2026-04-24: Coverage expands to identify unidentified attackers as the threat actors and notes that Rituals has notified affected customers.

Sources

  • Luxury Cosmetics Giant Rituals Discloses Data Breach - SecurityWeek, 2026-04-23 (quality: 16/21)
  • Cosmetics giant Rituals discloses data breach affecting customers - BleepingComputer, 2026-04-23 (quality: 14/21)

Supply Chain Attacks

Supply chain attacks and npm worms target developer tools and tokens

Active: 2026-04-23, 2026-04-24

The reporting began with the discovery of a self-propagating npm worm known as CanisterSprawl that steals developer tokens to infect packages. Subsequent reports expanded the scope of the incident to include the compromise of the Bitwarden CLI and Checkmarx tools via malicious Docker tags. The investigation linked these activities to the threat actor TeamPCP.

Coverage Timeline

  • 2026-04-23: Reports identify the discovery of the CanisterSprawl npm worm and its method of hijacking packages.
  • 2026-04-24: Coverage expands to include the compromise of Bitwarden CLI and Checkmarx tools via supply chain attacks.

Sources

  • New npm supply-chain attack self-spreads to steal auth tokens - BleepingComputer, 2026-04-22 (quality: 18/21)
  • Self-Propagating Supply Chain Worm Hijacks npm Packages to Steal Developer Tokens - The Hacker News, 2026-04-22 (quality: 10/21)
  • Bitwarden CLI npm package compromised to steal developer credentials - BleepingComputer, 2026-04-23 (quality: 20/21)
  • New Checkmarx supply-chain breach affects KICS analysis tool - BleepingComputer, 2026-04-23 (quality: 19/21)
  • Bitwarden NPM Package Hit in Supply Chain Attack - SecurityWeek, 2026-04-24 (quality: 20/21)
  • Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain Campaign - The Hacker News, 2026-04-23 (quality: 20/21)

Third-party AI tool compromise and malware caused Vercel security breach

Active: 2026-04-21, 2026-04-22

The reporting initially identified a supply-chain attack involving malware-infected employees at Context.ai and the use of over-privileged OAuth tokens to access Vercel environments. Subsequent updates clarified that the breach involved the compromise of a Vercel employee's credentials, which exposed non-sensitive environment variables. The investigation also included a denial of involvement by the cybercriminal organization ShinyHunters.

Coverage Timeline

  • 2026-04-21: Reports indicate that a supply-chain attack via Context.ai allowed threat actors to use OAuth tokens to compromise Vercel environments.
  • 2026-04-22: Coverage specifies that the breach involved compromised credentials exposing non-sensitive environment variables and notes that ShinyHunters denied involvement.

Sources

  • Vercel’s security breach started with malware disguised as Roblox cheats - CyberScoop, 2026-04-20 (quality: 20/21)
  • Vercel systems targeted after third-party tool compromised - Cybersecurity Dive - Latest News, 2026-04-20 (quality: 10/21)
  • Vercel Employee's AI Tool Access Led to Data Breach - darkreading, 2026-04-20 (quality: 20/21)
  • Cloud platform Vercel says company breached through third-party AI tool - The Record from Recorded Future News, 2026-04-21 (quality: 20/21)

Nation-State / APT

GopherWhisper APT targets Mongolian government officials using legitimate communication platforms

Active: 2026-04-23, 2026-04-24, 2026-04-26

The reporting initially identified the specific tools used by GopherWhisper, noting a custom Go-based toolkit and the use of Slack, Discord, and Microsoft 365 Outlook for command-and-control. Subsequent updates provided more context regarding the discovery of the group, revealing that investigators found a previously unknown backdoor on a Mongolian government network in January 2025. The final reports expanded on the scope of the impact, noting that approximately 12 systems were affected by the activity.

Coverage Timeline

  • 2026-04-23: Reports identify GopherWhisper's use of a Go-based toolkit and legitimate services like Slack and Discord for data exfiltration.
  • 2026-04-24: Coverage details how the discovery of a previously unknown backdoor in January 2025 led to the identification of the group.
  • 2026-04-26: Reporting adds that the attack impacted approximately 12 systems.

Sources

  • New GopherWhisper APT group abuses Outlook, Slack, Discord for comms - BleepingComputer, 2026-04-23 (quality: 18/21)
  • China-Linked GopherWhisper Infects 12 Mongolian Government Systems with Go Backdoors - The Hacker News, 2026-04-23 (quality: 19/21)
  • China-linked hackers targeted Mongolian government using Slack, Discord for covert communications - The Record from Recorded Future News, 2026-04-23 (quality: 16/21)
  • China-Linked APT GopherWhisper Abuses Legitimate Services in Government Attacks - SecurityWeek, 2026-04-25 (quality: 18/21)

China-backed hackers deploy industrialized botnets to evade global cyber detection

Active: 2026-04-23, 2026-04-24

Initial reports identified specific threat actors, such as Flax Typhoon, and detailed the use of the Raptor Train botnet involving hijacked SOHO routers and IoT devices to evade UK detection. Subsequent coverage expanded the description of this activity to characterize it as the industrialization of botnets. The reporting transitioned from naming specific actors and technical methods to describing the broader strategic shift toward using these networks for low-cost and deniable attack execution.

Coverage Timeline

  • 2026-04-23: Dark Reading reports that Flax Typhoon and other China-nexus hackers are using the Raptor Train botnet and hijacked consumer devices to evade detection.
  • 2026-04-24: Dark Reading reports that China-linked threat actors are utilizing industrialized botnets to conduct low-risk cyberattacks.

Sources

  • UK warns of Chinese hackers using proxy networks to evade detection - BleepingComputer, 2026-04-23 (quality: 20/21)
  • China-Backed Hackers Are Industrializing Botnets - darkreading, 2026-04-23 (quality: 10/21)

Mustang Panda Uses LotusLite Malware to Target Banks and Officials

Active: 2026-04-21, 2026-04-22

The reporting initially identified the use of LotusLite malware by Mustang Panda to target banks and policymakers, specifically noting the impersonation of Victor Cha and HDFC Bank. Subsequent coverage identified a new variant of the LOTUSLITE malware being distributed through India-themed banking lures. The latest information specifies that the malware utilizes a dynamic DNS-based command-and-control infrastructure.

Coverage Timeline

  • 2026-04-21: Reports indicate Mustang Panda is using LotusLite malware to target the Indian banking sector and US-Korea diplomatic circles.
  • 2026-04-22: Coverage identifies a new variant of the LOTUSLITE malware using India-themed banking lures and dynamic DNS-based command-and-control.

Sources

  • Chinese APT Targets Indian Banks, Korean Policy Circles - darkreading, 2026-04-21 (quality: 20/21)
  • Mustang Panda’s New LOTUSLITE Variant Targets India Banks, South Korea Policy Circles - The Hacker News, 2026-04-22 (quality: 11/21)

Malware & Botnets

Discovery of Fast16 malware reveals long-standing framework for software sabotage

Active: 2026-04-24, 2026-04-26, 2026-04-27

The reporting began with an initial technical analysis of the fast16 malware framework, focusing on its Lua-based engine and evasion capabilities. Subsequent coverage expanded the scope of the discovery by identifying the framework's purpose as the sabotage of high-precision calculation software and linking it to historical geopolitical tensions. Later reports added specific details regarding the targeted software suites, such as LS-DYNA 970, and identified the involvement of the Shadow Brokers and the Equation Group.

Coverage Timeline

  • 2026-04-24: Initial reports describe the technical architecture and modular design of the fast16 malware framework.
  • 2026-04-26: Coverage expands to include the framework's purpose in sabotaging mathematical software and identifies potential links to the Equation Group and the Shadow Brokers.
  • 2026-04-27: Reporting provides further details on the historical timeline of the malware's creation and its presence on VirusTotal.

Sources

  • fast16 | Mystery ShadowBrokers Reference Reveals High-Precision Software Sabotage 5 Years Before Stuxnet - SentinelLabs, 2026-04-23 (quality: 18/21)
  • Pre-Stuxnet Sabotage Malware ‘Fast16’ Linked to US-Iran Cyber Tensions - SecurityWeek, 2026-04-24 (quality: 19/21)
  • Researchers Uncover Pre-Stuxnet ‘fast16’ Malware Targeting Engineering Software - The Hacker News, 2026-04-25 (quality: 20/21)
  • 20-Year-Old Malware Rewrites History of Cyber Sabotage - darkreading, 2026-04-27 (quality: 20/21)

Fake Crypto Apps and SparkKitty Malware Target iOS Users via App Store

Active: 2026-04-22, 2026-04-26

Initial reports identified a campaign of malicious cryptocurrency applications on the Apple App Store designed to steal private keys and recovery phrases. Subsequent reporting expanded on the technical methods used by the apps, noting that they redirect users to browser pages that mimic the App Store to distribute trojanized software. The scope of the campaign was also clarified to include the use of typosquatting and deceptive links to target users of various wallet brands.

Coverage Timeline

  • 2026-04-22: Reports identify the SparkKitty malware and the FakeWallet campaign using deceptive iOS apps to target cryptocurrency users.
  • 2026-04-26: Coverage details the specific mechanism of the apps redirecting users to fake browser pages to distribute trojanized software.

Sources

  • Dozens of Malicious Crypto Apps Land in Apple App Store - SecurityWeek, 2026-04-21 (quality: 18/21)
  • 26 FakeWallet Apps Found on Apple App Store Targeting Crypto Seed Phrases - The Hacker News, 2026-04-24 (quality: 20/21)

New Lotus wiper malware targets Venezuela’s energy and utility sectors

Active: 2026-04-22, 2026-04-23

The reporting initially identified the Lotus wiper malware and its targeting of the Venezuelan energy and utilities sector. Subsequent coverage added specific details regarding the timeline of the malware's creation, noting it was compiled in late September 2025. The updated information also included a reference to a December 2024 cyberattack on PDVSA that disrupted administrative systems.

Coverage Timeline

  • 2026-04-22: Kaspersky reports on the use of Lotus wiper malware against Venezuelan energy and utility sectors.
  • 2026-04-23: Coverage expands to include the compilation date of the malware and details regarding a 2024 attack on PDVSA.

Sources

  • New Lotus data wiper used against Venezuelan energy, utility firms - BleepingComputer, 2026-04-21 (quality: 19/21)
  • New Wiper Malware Targeted Venezuelan Energy Sector Prior to US Intervention - SecurityWeek, 2026-04-22 (quality: 20/21)
  • Lotus Wiper Malware Targets Venezuelan Energy Systems in Destructive Attack - The Hacker News, 2026-04-22 (quality: 14/21)
  • Hackers deployed wiper malware in destructive attacks on Venezuela’s energy sector - The Record from Recorded Future News, 2026-04-22 (quality: 18/21)

NGate malware targets Brazilian payment apps to steal sensitive data

Active: 2026-04-21, 2026-04-22

The reporting initially identified the NGate Android malware variant targeting Brazilian users through the trojanized HandyPay application to intercept NFC payment data and PINs. Subsequent coverage added the detail that the malicious code injected into the application may be AI-generated and is used to facilitate NFC data relay attacks. The story concludes with the identification of the specific mechanism used by attackers to patch the legitimate application.

Coverage Timeline

  • 2026-04-21: Various outlets report that NGate malware is using a trojanized version of the HandyPay app to steal NFC payment data and PINs in Brazil.
  • 2026-04-22: Coverage expands to include the possibility that the malicious code injected into the application is AI-generated.

Sources

  • NGate Android malware uses HandyPay NFC app to steal card data - BleepingComputer, 2026-04-21 (quality: 17/21)
  • China's Apple App Store infiltrated by crypto-stealing wallet apps - BleepingComputer, 2026-04-20 (quality: 15/21)
  • NGate Campaign Targets Brazil, Trojanizes HandyPay to Steal NFC Data and PINs - The Hacker News, 2026-04-21 (quality: 20/21)

Phishing & Social Engineering

UNC6692 Uses Microsoft Teams Impersonation to Deploy New Snow Malware Suite

Active: 2026-04-24, 2026-04-26, 2026-04-27

The reporting initially identified the UNC6692 threat actor using Microsoft Teams and email bombing to deploy SNOW malware. Subsequent updates clarified that the malware suite is used for credential theft and domain takeover. The final reports added that the attack involves the installation of a malicious browser extension specifically targeting Microsoft Edge.

Coverage Timeline

  • 2026-04-24: Reports identify UNC6692 using Microsoft Teams and email flooding to deploy SNOW malware.
  • 2026-04-26: Coverage specifies that the Snow malware suite is used for credential theft and domain takeover.
  • 2026-04-27: Reports add that the attack includes the deployment of a malicious browser extension for Microsoft Edge.

Sources

  • UNC6692 Impersonates IT Help Desk via Microsoft Teams to Deploy SNOW Malware - The Hacker News, 2026-04-23 (quality: 20/21)
  • Threat actor uses Microsoft Teams to deploy new “Snow” malware - BleepingComputer, 2026-04-25 (quality: 17/21)
  • Hackers impersonate Microsoft Teams help desk to breach corporate networks - The Record from Recorded Future News, 2026-04-27 (quality: 20/21)
  • UNC6692 Uses Email Bombing, Social Engineering to Deploy ‘Snow’ Malware - SecurityWeek, 2026-04-27 (quality: 18/21)

AI-driven phishing surges as the leading cyberattack threat in 2026

Active: 2026-04-22, 2026-04-23, 2026-04-26

Initial reports identified that phishing returned to the top position for initial access in the first quarter of 2026, specifically noting the use of the Softr AI platform to create credential-harvesting pages. Subsequent reporting expanded on this trend, noting a shift from broad, small-scale campaigns to highly personalized, one-to-one attacks. The most recent information indicates a significant increase in these AI-driven phishing attempts over the preceding six months.

Coverage Timeline

  • 2026-04-22: Cisco Talos reports that phishing has reemerged as the primary vector for initial access due to AI-powered web development tools.
  • 2026-04-23: Coverage specifies that the Softr AI platform is being used in documented credential-harvesting campaigns.
  • 2026-04-26: Reports indicate that AI-powered phishing has transitioned from broad campaigns to personalized, one-to-one attacks over the last six months.

Sources

  • IR Trends Q1 2026: Phishing reemerges as top initial access vector, as attacks targeting public administration persist - Cisco Talos Blog, 2026-04-22 (quality: 18/21)
  • Phishing — sometimes with AI’s help — topped initial-access methods in Q1, Cisco says - Cybersecurity Dive - Latest News, 2026-04-22 (quality: 19/21)
  • AI Phishing Is No. 1 With a Bullet for Cyberattackers - darkreading, 2026-04-24 (quality: 20/21)

AI & Machine Learning Security

Rapid AI advancements drive escalating cybersecurity risks and automated offensive threats

Active: 2026-04-21, 2026-04-23, 2026-04-24, 2026-04-27

The reporting began with the revelation of a leaked Anthropic model called Claude Mythos Preview, which is capable of autonomously discovering and chaining software vulnerabilities. Subsequent reports identified the project as Project Glasswing and detailed its ability to identify long-standing bugs in operating systems and browsers to bypass sandboxing. Later coverage focused on the shrinking window for patching vulnerabilities and included perspectives on how these models compare to historical automated security tools like fuzzers. The narrative concluded with the argument that while the volume of discovered bugs is increasing, human expertise remains necessary for validating security impacts.

Coverage Timeline

  • 2026-04-21: Reports emerge regarding a data leak revealing Anthropic's Claude Mythos Preview model and its ability to automate cyberattacks.
  • 2026-04-23: Coverage identifies the model as part of Project Glasswing and details its ability to automate exploit development and bypass sandboxing.
  • 2026-04-24: Reports focus on the risks posed by frontier AI models to traditional security programs and the reduction of the patching window.
  • 2026-04-27: Coverage includes arguments that the rise of LLMs in offensive security increases the volume of discovered bugs but still requires human validation.

Sources

  • Mythos: An AI tool too powerful for public release - Malwarebytes, 2026-04-20 (quality: 16/21)
  • Project Glasswing Proved AI Can Find the Bugs. Who's Going to Fix Them? - The Hacker News, 2026-04-23 (quality: 16/21)
  • Frontier AI and the Future of Defense: Your Top Questions Answered - Unit 42, 2026-04-23 (quality: 12/21)
  • Parsing Agentic Offensive Security's Existential Threat - darkreading, 2026-04-27 (quality: 18/21)

Legal & Law Enforcement

Sean Plankey withdraws CISA director nomination following intense Senate opposition

Active: 2026-04-23, 2026-04-24

The story began with the announcement that Sean Plankey requested the withdrawal of his nomination for the Director of the Cybersecurity and Infrastructure Security Agency. Subsequent reporting provided additional context, noting that the nomination had been stalled in the Senate for more than thirteen months. The coverage also identified additional political figures involved in the nomination process.

Coverage Timeline

  • 2026-04-23: Reports indicate that Sean Plankey has requested that President Trump withdraw his nomination for CISA director.
  • 2026-04-24: Coverage expands to report that the withdrawal occurred after the nomination remained stalled in the Senate for over thirteen months.

Sources

  • CISA director pick Sean Plankey withdraws his nomination - CyberScoop, 2026-04-22 (quality: 17/21)
  • Trump’s CISA director pick withdraws after tumultuous nomination - Cybersecurity Dive - Latest News, 2026-04-22 (quality: 17/21)
  • Trump’s pick for CISA director withdraws from consideration - The Record from Recorded Future News, 2026-04-23 (quality: 17/21)

Other Cybersecurity

Rising Cyber Threats and AI Innovations Reshaping the Global Security Landscape

Active: 2026-04-24, 2026-04-26, 2026-04-27

Initial reports focused on the general threat of corporate cyberattacks to consumer identity and financial security. Subsequent coverage identified a specific instance of UK medical data being leaked on Alibaba. The reporting transitioned from a broad discussion of corporate security risks to a specific case of data exposure involving medical records.

Coverage Timeline

  • 2026-04-24: Reports cover the threat of corporate cyberattacks to consumer identity and financial security.
  • 2026-04-27: Reports cover the leak of UK medical data on Alibaba.

Sources

  • How cyberattacks on companies affect everyone - Malwarebytes, 2026-04-23 (quality: 10/21)
  • CISA Adds 4 Exploited Flaws to KEV, Sets May 2026 Federal Deadline - The Hacker News, 2026-04-25 (quality: 17/21)
  • Hyper TPRM: Rethinking Third-Party Risk for Scale, Speed, and Confidence - Corporate Compliance Insights, 2026-04-25 (quality: 7/21)
  • ISC Stormcast For Friday, April 24th, 2026 https://isc.sans.edu/podcastdetail/9906, (Fri, Apr 24th) - SANS Internet Storm Center, 2026-04-24 (quality: 9/21)
  • GRC News Roundup: Aravo, RAMPxchange, BYU Law & More - Corporate Compliance Insights, 2026-04-24 (quality: 10/21)
  • A week in security (April 20 – April 26) - Malwarebytes, 2026-04-27 (quality: 7/21)

In Brief

Notable one-off stories with significant broader implications.

  • Key Members of Ransomware Gangs Plead Guilty to Crimes (2026-04-22)
    • ‘Scattered Spider’ Member ‘Tylerb’ Pleads Guilty - Krebs on Security
    • Former DigitalMint ransomware negotiator pleads guilty to extortion scheme - CyberScoop
    • Scottish man pleads guilty to attack spree that created Scattered Spider’s notoriety - CyberScoop
    • Third US Security Expert Admits Helping Ransomware Gang - SecurityWeek
    • Ransomware Negotiator Pleads Guilty to BlackCat Scheme - darkreading
    • Ransomware Negotiator Pleads Guilty to Aiding BlackCat Attacks in 2023 - The Hacker News
  • Hackers exploited Cisco firewall vulnerabilities to maintain long-term access. (2026-04-24)
    • It pays to be a forever student - Cisco Talos Blog
    • UAT-4356's Targeting of Cisco Firepower Devices - Cisco Talos Blog
    • US, UK agencies warn hackers were hiding on Cisco firewalls long after patches were applied - CyberScoop
    • CISA: US agency breached through Cisco vulnerability, FIRESTARTER backdoor allowed access through March - The Record from Recorded Future News
  • China and Iran expand cyber threats against critical infrastructure. (2026-04-24)
    • Dragos: Despite AI use, new malware targeting water plants is ‘hype’ - CyberScoop
    • A dozen allied agencies say China is building covert hacker networks out of everyday routers - CyberScoop
    • China disguises cyberattacks with ‘covert network’ botnets, US and allies warn - Cybersecurity Dive - Latest News
    • Iran-nexus threat groups refine attacks against critical infrastructure - Cybersecurity Dive - Latest News
  • North Korean hackers linked to $290 million KelpDAO heist. (2026-04-21)
    • KelpDAO suffers $290 million heist tied to Lazarus hackers - BleepingComputer
    • Crypto infrastructure company blames $290 million theft on North Korean hackers - The Record from Recorded Future News
    • $290 Million Kelp DAO Crypto Heist Blamed on North Korea - SecurityWeek
  • American utility firm Itron suffers internal network data breach. (2026-04-27)
    • American utility firm Itron discloses breach of internal IT network - BleepingComputer
    • Energy and Water Management Firm Itron Hacked - SecurityWeek
  • Firestarter malware persists despite Cisco security patches and updates. (2026-04-26)
    • Firestarter malware survives Cisco firewall updates, security patches - BleepingComputer
    • FIRESTARTER Backdoor Hit Federal Cisco Firepower Device, Survives Security Patches - The Hacker News
  • Gentlemen Ransomware Now Utilizes SystemBC for Bot-Powered Attacks (2026-04-21)
    • DFIR Report – The Gentlemen & SystemBC: A Sneak Peek Behind the Proxy - Check Point Research
    • The Gentlemen ransomware now uses SystemBC for bot-powered attacks - BleepingComputer
  • Tropic Trooper APT Targets Home Routers and Japanese Users (2026-04-26)
    • Tropic Trooper Uses Trojanized SumatraPDF and GitHub to Deploy AdaptixC2 - The Hacker News
    • Tropic Trooper APT Takes Aim at Home Routers, Japanese Targets - darkreading
  • Surveillance firms exploit telecom vulnerabilities to track targets' locations. (2026-04-24)
    • Surveillance campaigns use commercial surveillance tools to exploit long-known telecom vulnerabilities - CyberScoop
    • Surveillance companies exploiting telecom system to spy on targets’ locations, research shows - The Record from Recorded Future News
  • Fake Google Antigravity downloads used to steal user accounts. (2026-04-22)
    • Google Antigravity in Crosshairs of Security Researchers, Cybercriminals - SecurityWeek
    • Fake Google Antigravity downloads are stealing accounts in minutes - Malwarebytes
  • ShinyHunters claims theft of 9 million Medtronic records (2026-04-27)
    • Medtronic confirms breach after hackers claim 9 million records theft - BleepingComputer
  • Evan Tangeman Sentenced for Laundering $3.5M in Crypto Heist (2026-04-27)
    • Money launderer linked to $230M crypto heist gets 70 months in prison - BleepingComputer
  • Harvester Uses Microsoft Graph API to Deploy GoGra Linux Backdoor (2026-04-23)
    • Harvester Deploys Linux GoGra Backdoor in South Asia Using Microsoft Graph API - The Hacker News
  • Harvester’s GoGra malware uses Microsoft Graph API on Linux (2026-04-22)
    • New GoGra malware for Linux uses Microsoft Graph API for comms - BleepingComputer
  • Sapphire Sleet Uses Mach-O Man Malware to Target macOS Users (2026-04-22)
    • North Korean Hackers Use AppleScript, ClickFix in Fresh macOS Attacks - SecurityWeek
  • APT28 Exploits Windows CVE-2026-32202 for Zero-Click Credential Theft (2026-04-27)
    • Incomplete Windows Patch Opens Door to Zero-Click Attacks - SecurityWeek
  • US Sanctions Senator Kok An in Southeast Asia Cybercrime Crackdown (2026-04-27)
    • US Launches Sweeping Crackdown on Southeast Asia Cyberscams and Sanctions Cambodian Senator - SecurityWeek
  • PhantomCore exploits TrueConf vulnerabilities to breach Russian networks (2026-04-27)
    • PhantomCore Exploits TrueConf Vulnerabilities to Breach Russian Networks - The Hacker News
  • GlassWorm v2 Malware Found in 73 Fake VS Code Extensions (2026-04-27)
    • Researchers Uncover 73 Fake VS Code Extensions Delivering GlassWorm v2 Malware - The Hacker News
  • Keitaro Campaigns and Fake CAPTCHAs Drive Global SMS and Crypto Fraud (2026-04-27)
    • Fake CAPTCHA IRSF Scam and 120 Keitaro Campaigns Drive Global SMS, Crypto Fraud - The Hacker News
  • Moltbook Data Breach Exposes 1.5 Million AI Agent API Tokens (2026-04-22)
    • Toxic Combinations: When Cross-App Permissions Stack into Risk - The Hacker News
  • OpenClaw Vulnerabilities Expose 1.5 Million Tokens and 43,000 IP Addresses (2026-04-27)
    • OpenClaw Reveals Hidden Security Risks of Agentic AI - Corporate Compliance Insights
  • Vercel Discovers More Compromised Accounts Following Context.ai-Linked Breach (2026-04-23)
    • Vercel Finds More Compromised Accounts in Context.ai-Linked Breach - The Hacker News
  • Bitwarden Supply-Chain Attack and Anthropic Claude Access Breaches Reported (2026-04-27)
    • 27th April – Threat Intelligence Report - Check Point Research
  • TGR-STA-1030 Threat Group Targets Central and South America (2026-04-26)
    • TGR-STA-1030: New Activity in Central and South America - Unit 42
  • US and Israel Strikes Target 80 Iranian Police Stations (2026-04-26)
    • “Make Iran Ungovernable” – Tracking Efforts To Destroy Iran’s Police Infrastructure - bellingcat
  • BlackFile extortion group uses vishing to target retail and hospitality (2026-04-26)
    • New BlackFile extortion group linked to surge of vishing attacks - BleepingComputer
  • Section 702 Reauthorization Bill Faces Criticism Over Privacy Concerns (2026-04-26)
    • Latest spy power reauthorization bill leaves critics unimpressed - CyberScoop
  • Hasbro Cyberattack Expected to Impact Second-Quarter Revenue and Profits (2026-04-26)
    • Hasbro expects March cyberattack to impact second-quarter revenue - Cybersecurity Dive - Latest News
  • Iranian Cyber Actors Use Low-and-Slow Tactics, Officials Warn (2026-04-26)
    • Iran’s cyber threat may be less ‘shock and awe’ than ‘low and slow,’ officials say - The Record from Recorded Future News
  • Pentagon Faces Security Risks Integrating Anthropic’s Mythos AI Models (2026-04-26)
    • Pentagon grapples with securing AI as it moves toward autonomous warfare - The Record from Recorded Future News
  • PM Jonas Gahr Støre Proposes Social Media Ban for Under-16s (2026-04-26)
    • Norway's prime minister proposes ban on social media access for young teens - The Record from Recorded Future News
  • Toronto Police Arrest Three for Using Mobile SMS Blasters (2026-04-26)
    • Toronto police arrest three in Canada’s first mobile SMS blaster case - The Record from Recorded Future News
  • Perforce P4 Server Misconfigurations Expose Sensitive Corporate Source Code (2026-04-22)
    • Unsecured Perforce Servers Expose Sensitive Data From Major Orgs - SecurityWeek
  • PhantomRPC Technique Enables Windows Privilege Escalation to SYSTEM Level (2026-04-26)
    • PhantomRPC: A new privilege escalation technique in Windows RPC - Securelist
  • Southern Illinois Dermatology, Saint Anthony, and NTBHA Breach 600,000 (2026-04-21)
    • Data Breaches at Healthcare Organizations in Illinois and Texas Affect 600,000 - SecurityWeek
  • UK Biobank medical data of 500,000 volunteers leaked on Alibaba (2026-04-26)
    • Medical data of 500,000 UK volunteers listed for sale on Alibaba - Malwarebytes
  • Lazarus Group Uses ClickFix Technique to Target macOS Users (2026-04-26)
    • North Korea's Lazarus Targets macOS Users via ClickFix - darkreading
  • Trump Administration Targets Chinese Firms Exploiting U.S. AI Models (2026-04-26)
    • Trump Administration Vows Crackdown on Chinese Companies ‘Exploiting’ AI Models Made in US - SecurityWeek
  • Song Wu Indicted for Phishing NASA for Defense Software (2026-04-26)
    • NASA Employees Duped in Chinese Phishing Scheme Targeting U.S. Defense Software - The Hacker News
  • HexagonalRodent campaign steals $12 million using BeaverTail malware (2026-04-23)
    • North Korean hackers siphon more than $12 million from crypto users in sprawling campaign - The Record from Recorded Future News
  • Senator Kok An Sanctioned Over Cambodian Scam Compound Network (2026-04-24)
    • US sanctions Cambodian senator for millions earned through scam compounds - The Record from Recorded Future News
  • Myanmar Fraud Ring Targeting Americans Busted by US Authorities (2026-04-26)
    • US Busts Myanmar Ring Targeting US Citizens in Financial Fraud - darkreading
  • Anthropic's Claude Mythos Faces Unauthorized Access Amid Security Breaches (2026-04-26)
    • In Other News: Unauthorized Mythos Access, Plankey CISA Nomination Ends, New Display Security Device - SecurityWeek
  • Trigona ransomware uses custom tool to bypass security and exfiltrate data (2026-04-24)
    • Trigona ransomware attacks use custom exfiltration tool to steal data - BleepingComputer
  • Kyber Ransomware Uses Post-Quantum Encryption to Target Windows Systems (2026-04-23)
    • Kyber ransomware gang toys with post-quantum encryption on Windows - BleepingComputer
  • The Gentlemen Ransomware Group Rapidly Scales Sophisticated Cyberattacks (2026-04-23)
    • 'The Gentlemen' Rapidly Rises to Ransomware Prominence - darkreading
  • Scattered Spider Targets Marks & Spencer via Password Reset Exploits (2026-04-24)
    • Regular Password Resets Aren’t as Safe as You Think - BleepingComputer
  • $290M DeFi Hack and macOS Living-off-the-Land Abuse Reported (2026-04-24)
    • ThreatsDay Bulletin: $290M DeFi Hack, macOS LotL Abuse, ProxySmart SIM Farms +25 New Stories - The Hacker News
  • FBI Recovers Deleted Signal Messages via iPhone Notification Database (2026-04-23)
    • FBI Extracts Deleted Signal Messages from iPhone Notification Database - Schneier on Security
  • Bissa Scanner Exploitation Uses AI Tools for Mass Credential Harvesting (2026-04-23)
    • Bissa Scanner Exposed: AI-Assisted Mass Exploitation and Credential Harvesting - The DFIR Report
  • Chinese Smart Cameras Found With Hardcoded Passwords and Vulnerabilities (2026-04-23)
    • LABScon25 Replay | Are Your Chinese Cameras Spying For You Or On You? - SentinelLabs
  • HexDex suspect arrested for massive French data breach spree (2026-04-23)
    • French police arrest suspected hacker behind dozens of data breaches - The Record from Recorded Future News
  • Dutch Intelligence: Salt Typhoon Cyber Capabilities Now Match the US (2026-04-23)
    • China’s cyber capabilities now equal to the US, warns Dutch intelligence - The Record from Recorded Future News
  • NCSC reports four weekly major incidents amid rising nation-state attacks (2026-04-23)
    • UK cyber agency handling four major incidents a week as nation-state attacks surge - The Record from Recorded Future News
  • Bluesky outage caused by sophisticated 313 Team DDoS attack (2026-04-21)
    • Bluesky blames app outage on ‘sophisticated’ DDoS attack - The Record from Recorded Future News
  • 313 Team Targets Mastodon.social in Major DDoS Attack (2026-04-23)
    • After Bluesky, Mastodon Targeted in DDoS Attack - SecurityWeek
  • Malicious KICS Docker Images Compromise Checkmarx Supply Chain (2026-04-23)
    • Malicious KICS Docker Images and VS Code Extensions Hit Checkmarx Supply Chain - The Hacker News
  • DPRK-Linked Actors Use Fake Job Scams to Spread Malware (2026-04-23)
    • DPRK Fake Job Scams Self-Propagate in 'Contagious Interview' - darkreading
  • Rockstar Games hack by Internet Yiff Machine leaks sensitive data (2026-04-23)
    • Smashing Security podcast #464: Rockstar got hacked. The data was junk. The secrets it revealed were not - GRAHAM CLULEY
  • AirSnitch Attacks Bypass WPA2 and WPA3-Enterprise Network Encryption (2026-04-22)
    • When Wi-Fi Encryption Fails: Protecting Your Enterprise from AirSnitch Attacks - Unit 42
  • ICE Admits to Using Graphite Spyware for Surveillance Operations (2026-04-22)
    • ICE Uses Graphite Spyware - Schneier on Security
  • Angelo Martino Pleads Guilty to Aiding BlackCat Ransomware Attacks (2026-04-21)
    • Former ransomware negotiator pleads guilty to BlackCat attacks - BleepingComputer
  • Telegram tdata theft enables attackers to bypass two-factor authentication (2026-04-22)
    • [Guest Diary] Beyond Cryptojacking: Telegram tdata as a Credential Harvesting Vector, Lessons from a Honeypot Incident (Wed, Apr 22nd) - SANS Internet Storm Center
  • Breach3d offers stolen ANTS citizen data for sale online (2026-04-22)
    • French govt agency confirms breach as hacker offers to sell data - BleepingComputer
  • Hospital Ransomware Attacks Could Face Terrorism Designations and Homicide Charges (2026-04-22)
    • Lawmakers ponder terrorism designations, homicide charges over hospital ransomware attacks - CyberScoop
  • Anthropic’s Mythos AI Discovers 271 Firefox Security Vulnerabilities (2026-04-22)
    • Mozilla: Anthropic's Mythos found 271 security vulnerabilities in Firefox 150 - Ars Technica
  • EU Sanctions Euromore and Pravfond Over Russian Disinformation Campaigns (2026-04-22)
    • EU targets two Russian propaganda networks with new sanctions - The Record from Recorded Future News
  • CISA Warns of Axios Library Compromise by North Korean Actors (2026-04-22)
    • CISA urges security teams to view environments following axios compromise - Cybersecurity Dive
  • SystemBC Malware C2 Server Exposes 1,570 The Gentlemen Ransomware Victims (2026-04-22)
    • SystemBC C2 Server Reveals 1,570+ Victims in The Gentlemen Ransomware Operation - The Hacker News
  • Claude Desktop Accused of Installing Potential Spyware on macOS (2026-04-22)
    • Researcher claims Claude Desktop installs “spyware” on macOS - Malwarebytes
  • Microsoft 365 and MFA Exploited in Cascaded Phishing Campaigns (2026-04-21)
    • Phishing and MFA exploitation: Targeting the keys to the kingdom - Cisco Talos Blog
  • macOS Primitives Weaponized for Remote Execution and Lateral Movement (2026-04-21)
    • Bad Apples: Weaponizing native macOS primitives for movement and execution - Cisco Talos Blog
  • Didier Stevens Discovers Malware Payloads Hidden Inside .WAV Files (2026-04-21)
    • A .WAV With A Payload (Tue, Apr 21st) - SANS Internet Storm Center
  • ANTS Cyberattack May Have Exposed Personal Data of French Users (2026-04-21)
    • Cyberattack at French identity document agency may have exposed personal data - The Record from Recorded Future News
  • Seiko USA website defaced following alleged Shopify customer data theft (2026-04-21)
    • Seiko USA website defaced as hacker claims customer data theft - BleepingComputer
  • Microsoft Teams abused in IT helpdesk impersonation attacks (2026-04-21)
    • Microsoft: Teams increasingly abused in helpdesk impersonation attacks - BleepingComputer
  • Scattered Spider leader pleads guilty to $8 million crypto theft (2026-04-21)
    • British Scattered Spider hacker pleads guilty to crypto theft charges - BleepingComputer
  • FTC to Expand Enforcement Against Deepfakes and Voice Cloning Scams (2026-04-21)
    • The FTC’s AI portfolio is about to get bigger - CyberScoop
  • Poste Italiane fined $15 million for invasive mobile app tracking (2026-04-21)
    • Italian regulator fines national postal service orgs $15 million for data privacy violations - The Record from Recorded Future News
  • WhatsApp Metadata Exploitation Allows Attackers to Track User Activity (2026-04-21)
    • WhatsApp Leaks User Metadata to Attackers - darkreading
  • Android 17 introduces granular permissions to protect user contact data (2026-04-21)
    • Android 17 ends all-or-nothing access to your contacts - Malwarebytes
  • Booking.com and McGraw-Hill Breaches Highlight New Weekly Cyber Threats (2026-04-21)
    • 20th April – Threat Intelligence Report - Check Point Research

Reported Data Breaches

Breaches reported via Have I Been Pwned this period.

  • ADT Breach Exposes Over Five Million User Accounts (2026-04-27)
  • Over 1.4 Million Udemy Accounts Compromised in Data Breach (2026-04-27)
  • Major Data Breaches Impact Carnival and ADT Customers (2026-04-26)
  • Massive Data Breaches Impact Carnival and Vercel Customers (2026-04-24)