A campaign targeting Android users in Brazil has been identified, utilizing a trojanized version of the HandyPay app to distribute NGate NFC malware. Active since November 2025, it employs two distribution methods: a fake lottery website and a counterfeit Google Play page.
Posts by securityrss.ai
A theft of nearly $290 million in cryptocurrency from the Kelp platform has been attributed to North Korean hackers, specifically the TraderTraitor group. The attack exploited Kelp's reliance on a single Decentralized Verifier Network (DVN) from LayerZero, which LayerZero warned against.
A Florida man, Angelo Martino, pleaded guilty to conspiracy to deploy BlackCat ransomware and extort U.S. victims.
CISA added eight vulnerabilities to its Known Exploited Vulnerabilities catalog, including critical flaws in Cisco Catalyst SD-WAN Manager and PaperCut NG/MF. Notable vulnerabilities include CVE-2025-32975 (CVSS 10.0) allowing user impersonation in Quest KACE SMA and CVE-2023-27351 (CVSS 8.
Threat actors are exploiting Microsoft Teams for cross-tenant impersonation, posing as IT support to socially engineer users into granting remote desktop access. This access enables credential-backed lateral movement using WinRM, targeting high-value assets like domain controllers.
Tyler Robert Buchanan, a 24-year-old British hacker, pleaded guilty to conspiracy to commit wire fraud and aggravated identity theft in a U.S. federal court, linked to the Scattered Spider cybercrime campaign that stole at least $8 million in cryptocurrency.
The US government is preparing to authorize Anthropic’s Claude Mythos AI model for use by federal agencies, amid concerns about its potential to identify and exploit cybersecurity vulnerabilities.
Active exploitation attempts of CVE-2023-33538, a command injection vulnerability in end-of-life TP-Link routers, were detected. The vulnerability allows attackers to inject commands via the ssid1 parameter, but requires authentication.
Vercel confirmed a data breach on April 18-19, 2026, after hackers accessed internal systems via a compromised Google Workspace OAuth app linked to Context.ai. The attackers, claiming to be ShinyHunters, offered stolen data for $2 million, including employee records and access keys.
Mohan Pedhapati utilized Anthropic's Opus 4.6 model to create a Chrome exploit targeting the V8 JavaScript engine, incurring $2,283 in API costs. He highlighted the ease of exploit development with AI, warning that any determined individual could eventually exploit unpatched software.
A newly identified malware, ZionSiphon, targets Israeli water treatment and desalination facilities, posing a significant threat to critical infrastructure. It features hardcoded Israeli IP addresses and politically charged messages, indicating ideological motivations.
Cybersecurity researchers at Fortinet's FortiGuard Labs have identified a new Mirai variant, Nexcorium, targeting DVR devices, particularly TBK DVR-4104 and DVR-4216 models, exploiting CVE-2024-3721. This malware creates a botnet for DDoS attacks, using brute-force methods with hardcoded passwords.
Kyrgyzstan-based crypto exchange Grinex has ceased operations following a $13.7 million cyber heist, which it attributes to Western intelligence agencies. The attack targeted Russian users, with over 1 billion rubles stolen from their wallets.
A high-severity vulnerability in Apache ActiveMQ, tracked as CVE-2026-34197 (CVSS score: 8.8), is actively exploited, prompting CISA to add it to its KEV catalog. It involves improper input validation allowing code injection via the Jolokia API.
Google's annual ads safety report reveals that its AI tool, Gemini, successfully blocked over 99% of policy-violating ads in 2025, removing 8.3 billion ads, including 602 million related to scams. The company suspended over 4 million advertiser accounts for scam activity.
Microsoft Threat Intelligence reported on a macOS cyber campaign by North Korean actor Sapphire Sleet, using social engineering to compromise systems.
A zero-day vulnerability in Microsoft Defender, named “RedSun,” allows unprivileged users to escalate privileges to full SYSTEM access on fully patched Windows 10, 11, and Server 2019 and later. This exploit, tracked as CVE-2026-33825 with a CVSS score of 7.
Authorities from 21 countries seized 53 domains and arrested four individuals linked to DDoS-for-hire operations, impacting over 75,000 cybercriminals in "Operation PowerOFF."
A threat actor targeting trucking and logistics companies compromised a load board platform on February 27, 2026, delivering a malicious payload via email.
A critical vulnerability in the Model Context Protocol (MCP), created by Anthropic, could expose 150 million downloads and over 200,000 vulnerable instances. Researchers at Ox Security reported that the flaw allows arbitrary command execution, risking sensitive data access.
Cisco has released patches for four critical vulnerabilities in Identity Services and Webex Services that could lead to arbitrary code execution and user impersonation. Key vulnerabilities include CVE-2026-20184 (CVSS 9.
NIST announced changes to its CVE enrichment process due to a surge in vulnerability submissions, stating it will only enrich records that meet specific criteria. This shift aims to focus on critical vulnerabilities, particularly those in a federal catalog of exploited vulnerabilities.
Two U.S. nationals, Kejia Wang and Zhenxing Wang, were sentenced for facilitating a scheme that enabled North Korean IT workers to pose as U.S. residents and generate over $5 million for the DPRK.
Cisco Talos reports an increase in the misuse of the n8n AI workflow automation platform for phishing campaigns from October 2025 to March 2026. Attackers exploit n8n's webhook URLs to deliver malware and perform device fingerprinting.
McGraw Hill confirmed a data breach involving unauthorized access to a limited set of Salesforce-hosted data, attributed to a misconfiguration within Salesforce's environment. The ransomware group ShinyHunters claims to have stolen 45 million records, demanding a ransom by April 14, 2026.
A pro-Russian hacker group attempted to breach a thermal power plant in western Sweden in spring 2025, but the intrusion was thwarted by the facility's security measures, according to Swedish officials. The attackers are believed to have links to Russian intelligence.
A critical vulnerability (CVE-2026-33032) in nginx-ui, an open-source Nginx management tool, allows full server takeover via an authentication bypass. The flaw, with a CVSS score of 9.8, enables attackers to exploit the unprotected /mcp_message endpoint.
Dozens of WordPress plug-ins were taken offline after a backdoor was discovered, enabling malicious code distribution to websites using them. The backdoor was added following the acquisition of Essential Plugin, which has over 400,000 installs.