
Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

News Summary

Last updated: 09:15 30/04/2026 UTC
  • VECT 2.0 Ransomware Operation Degrades to Irreversible Data Destruction Due to Critical Encryption Flaw
  • Ukrainian law enforcement disrupts Roblox account hijacking ring with 610,000 compromised accounts
  • SAP npm Package Supply Chain Attack Leveraging "Mini Shai-Hulud" Credential Malware via AI Tool Configuration Abuse
  • Multinational law enforcement operation dismantles cryptocurrency investment fraud ring linked to €50 million losses
  • Malicious self-update mechanism in Quick Page/Post Redirect plugin exposed dormant backdoor in WordPress environments
  • Global survey identifies cyber-related workforce literacy and skills as dominant operational risks for 2026
  • GitHub CVE-2026-3854 remote code execution flaw via crafted git push
Last updated: 08:45 30/04/2026 UTC
  • U.S. sanctions cyber scam operations in Southeast Asia
    The U.S. Department of the Treasury has sanctioned additional entities in Cambodia, including Senator Kok An, for operating large-scale cryptocurrency fraud networks embedded within scam compounds, including casinos and commercial buildings. These networks defrauded Americans of at least $10 billion in 2024 through romance baiting and fake investment platforms, with financial losses reaching millions per victim. The sanctions target 29 individuals and organizations and are coordinated with the Department of Justice, FBI, and Secret Service. Recent enforcement actions include the seizure of 503 fraudulent domains, disruption of a messaging app used for human trafficking recruitment, and criminal charges against operators in Burma and Cambodia. The U.S. has escalated efforts to dismantle these operations, which are linked to widespread human trafficking, physical abuse, and casino-based money laundering. The sanctions block U.S.-based assets and prohibit transactions with designated parties, aiming to disrupt the financial and operational infrastructure sustaining these cyber-enabled fraud networks.
  • TeamPCP escalates CanisterWorm campaign with geopolitical targeting and multi-vector attacks
    TeamPCP has escalated its multi-vector CanisterWorm campaign into a geopolitically targeted operation, now confirmed to have leveraged the Trivy supply-chain attack as an access vector for the Checkmarx compromise. The group compromised PyPI packages (LiteLLM versions 1.82.7–1.82.8 and Telnyx versions 4.87.1–4.87.2) and Checkmarx KICS tooling to deliver credential-stealing malware, harvesting SSH keys, cloud credentials, Kubernetes secrets, database credentials, cryptocurrency wallets, TLS/SSL private keys, and bash history files. Checkmarx has publicly confirmed that the LAPSUS$ threat group leaked data stolen from its private GitHub repository, with access facilitated by the Trivy compromise attributed to TeamPCP. The leaked data, published on both dark web and clearnet portals, did not contain customer information, and Checkmarx has blocked access to the affected repository pending forensic investigation. The campaign’s scope expanded from initial npm package compromises to include GitHub repository hijacking (e.g., Aqua Security), Docker Hub compromise, and CI/CD pipeline targeting, while destructive payloads in Iranian Kubernetes environments highlight TeamPCP’s geopolitical alignment.
  • Supply chain compromise in Trivy scanner triggers CanisterWorm propagation across CI/CD pipelines
    The supply chain compromise of the Trivy vulnerability scanner triggered CanisterWorm propagation across CI/CD pipelines, which is now expanding to additional open-source ecosystems and involves multiple advanced threat actors. The TeamPCP threat group continues to monetize stolen supply chain secrets through partnerships with extortion groups including Lapsus$ and the Vect ransomware operation, with Wiz (Google Cloud) and Cisco confirming collaboration between the groups and lateral movement across cloud environments. A new npm supply chain malware campaign discovered on April 24, 2026, shows self-propagating worm-like behavior via the @automagik/genie and pgserve packages, stealing credentials and spreading across developer ecosystems while using Internet Computer Protocol (ICP) canisters for command and control. The malware shares technical similarities with prior TeamPCP campaigns, including post-install scripts and canister-based infrastructure, potentially indicating ongoing evolution of the threat actor's tactics or a new campaign leveraging established infrastructure. The Axios npm package compromise via malicious versions 0.27.5 and 0.28.0 delivered a multi-platform RAT through a malicious dependency impersonating crypto-js; attribution is disputed, with either TeamPCP or the North Korean actor UNC1069 (as tracked by Google's Threat Intelligence Group) suggested as responsible. Cisco's internal development environment was breached using stolen Trivy-linked credentials via a malicious GitHub Action, resulting in the theft of over 300 repositories including proprietary AI product code and customer data from banks, BPOs, and US government agencies. Multiple AWS keys were abused across a subset of Cisco's cloud accounts, with multiple threat actors participating in the breach.
  • Self-propagating North Korean job-scam malware spreads via compromised developer projects in software supply chain
  • Rockstar Games analytics data exfiltrated via third-party Snowflake compromise linked to Anodot breach
    The extortion group ShinyHunters has expanded its campaign tied to the Anodot breach, claiming unauthorized access to Vimeo’s systems and threatening to leak data unless a ransom is paid. The attack leverages authentication tokens stolen from Anodot to compromise downstream victims, including Vimeo and Rockstar Games. Vimeo confirmed that exposed data included email addresses, technical data, video titles, and metadata, but excluded video content, credentials, and payment information. Operations remained unaffected, and Vimeo disabled the Anodot integration and launched an investigation with law enforcement. Rockstar Games previously acknowledged a limited breach linked to the same third-party incident, with ShinyHunters leaking approximately 78.6 million records of internal analytics data. The compromised datasets included in-game revenue metrics, player behavior tracking, and Zendesk support analytics, with Rockstar asserting no operational impact.
  • Ransomware in Healthcare: Spillover Effects on Surrounding Hospitals
    Ransomware attacks on healthcare organizations continue to cause significant disruption beyond targeted institutions, affecting surrounding hospitals and entities through diverted ambulances, increased patient volume, and delayed treatments. These spillover effects are particularly severe in rural communities, where delayed care can lead to long-term health effects and fatal outcomes. The healthcare sector faces persistent ransomware threats, with Health-ISAC tracking nearly 6,000 events in critical infrastructure organizations in 2024, including 446 in healthcare, followed by 4,159 cases across all sectors in the first half of 2025. Recent data reveals that medical devices are increasingly targeted, with one-quarter of healthcare organizations reporting cyber-attacks impacting these devices in the past year. These attacks have moderate to severe impacts on patient care, ranging from delayed imaging to interruptions in critical care delivery. Legacy device vulnerabilities, recent high-profile incidents involving Medtronic and Stryker, and the rise of AI-enabled medical systems introduce additional cybersecurity challenges, underscoring the need for robust security measures and improved procurement practices.
  • Pre-authenticated RCE in Marimo exploited within 10 hours of advisory
    A pre-authenticated remote code execution (RCE) vulnerability in Marimo, tracked as CVE-2026-39987 (CVSS 9.3), was exploited in the wild within hours of public disclosure, enabling attackers to gain full PTY shells on exposed instances via the unauthenticated /terminal/ws WebSocket endpoint. The flaw, affecting Marimo versions prior to 0.23.0, initially led to rapid, human-driven exploitation campaigns focused on credential theft. Recent attacks have expanded to deploy a new NKAbuse malware variant hosted on Hugging Face Spaces, using typosquatted repositories to evade detection and establish persistent remote access. Additional exploitation activity includes sophisticated lateral movement, such as reverse-shell techniques and database enumeration, indicating a shift toward multi-stage attacks beyond initial credential harvesting. GitHub assessed the flaw with a critical CVSS score of 9.3, and Marimo developers confirmed impact on instances deployed as editable notebooks or exposed via --host 0.0.0.0 in edit mode. This event is distinct from the LMDeploy SSRF flaw (CVE-2026-33626), which was exploited within 12 hours of disclosure to conduct internal network reconnaissance via SSRF, targeting cloud metadata services, Redis, and MySQL instances.

Latest updates


Global survey identifies cyber-related workforce literacy and skills as dominant operational risks for 2026

Updated: · First: 30.04.2026 12:10 · 📰 1 src / 1 articles

A 2026 global survey of over 4,500 HR and risk professionals across 26 markets ranked cyber-related workforce risks as the top people-centered challenges organizations face. Cyber-threat literacy emerged as the foremost concern, followed closely by tech skills shortages—including cybersecurity and AI—and mindset barriers to AI adoption. Organizations reported increased exposure to cyber-attacks, operational disruption, and reputational damage due to low workforce cyber awareness and inadequate preparation for technology failures. Experts emphasize that the material impact increasingly stems from business interruption and systems failures rather than traditional cyber-attacks alone, driving broader economic and contractual consequences.

SAP npm Package Supply Chain Attack Leveraging "Mini Shai-Hulud" Credential Malware via AI Tool Configuration Abuse

Updated: 30.04.2026 01:43 · First: 29.04.2026 19:26 · 📰 2 src / 2 articles

A coordinated supply chain attack compromised multiple SAP-related npm packages with credential-stealing malware dubbed "Mini Shai-Hulud". The attack introduced malicious preinstall scripts in affected package versions, which downloaded and executed an 11.6 MB payload from GitHub Releases at installation time, targeting developer and CI/CD environments. Stolen credentials from GitHub, npm, AWS, Azure, GCP, Kubernetes, and other services were encrypted and exfiltrated to attacker-controlled repositories labeled "A Mini Shai-Hulud has Appeared". The payload includes advanced exfiltration techniques, such as a Python-based memory scanner targeting CI runner secrets, and leverages GitHub commit searches as a dead-drop mechanism for token retrieval. Researchers have linked the attack with medium confidence to the TeamPCP threat actors, who used similar tactics in prior supply chain incidents. A misconfigured CircleCI job may have exposed an npm token, enabling the compromise of SAP’s npm publishing process.

Malicious self-update mechanism in Quick Page/Post Redirect plugin exposed dormant backdoor in WordPress environments

Updated: · First: 30.04.2026 01:13 · 📰 1 src / 1 articles

A dormant backdoor mechanism was discovered in the Quick Page/Post Redirect WordPress plugin, installed on over 70,000 websites. The backdoor, introduced via compromised plugin versions (5.2.1 and 5.2.2) released between 2020 and 2021, included a hidden self-update system that fetched arbitrary code from a third-party domain (anadnet[.]com). This allowed silent code injection into sites, primarily for SEO spam targeting logged-out users. The backdoor activation mechanism remains dormant on impacted sites due to the command-and-control domain's current lack of resolution, but the self-update capability could enable further exploitation. WordPress.org has temporarily removed the plugin pending review, and users are advised to uninstall the plugin and replace it with a clean version once available.

Ukrainian law enforcement disrupts Roblox account hijacking ring with 610,000 compromised accounts

Updated: · First: 29.04.2026 21:32 · 📰 1 src / 1 articles

Ukrainian cyber police arrested three individuals alleged to have hijacked 610,000 Roblox accounts between October 2025 and January 2026, generating approximately $225,000 in illicit revenue. The threat actors used info-stealing malware disguised as game-enhancer tools to harvest credentials, then categorized and sold high-value accounts via Russian websites and closed online communities. Authorities executed ten search warrants in Lviv, seizing $35,000 in cash, 37 mobile phones, 11 desktops, seven laptops, five tablets, and four USB drives. The group targeted at least 357 "elite" accounts, which often contain rare virtual items, financial balances, and years of progress, making them attractive targets for monetization.

Emergency patch issued for critical authentication bypass in cPanel and WHM control panels

Updated: · First: 29.04.2026 18:51 · 📰 1 src / 1 articles

A critical authentication bypass vulnerability in cPanel and WebHost Manager (WHM) allowed unauthenticated access to control panels across multiple versions, exposing servers to complete compromise. The flaw affected all supported cPanel/WHM versions prior to specific patched releases, enabling attackers to gain administrative control over websites, databases, emails, and entire server environments without credentials. The vendor released emergency updates via manual command execution to address the issue, while a major hosting provider temporarily blocked access to WHM/cPanel ports as a precaution.

VECT 2.0 Ransomware Operation Degrades to Irreversible Data Destruction Due to Critical Encryption Flaw

Updated: 29.04.2026 18:23 · First: 28.04.2026 17:01 · 📰 4 src / 4 articles

VECT 2.0 ransomware has been confirmed as an irreversible data wiper due to a critical nonce-handling flaw that discards decryption metadata for 75% of affected files, ensuring recovery is impossible regardless of ransom payment. This flaw, inherent to the ChaCha20-IETF encryption scheme, encrypts four independent chunks per large file but only stores the final 12-byte nonce on disk, discarding the first three nonces required for decryption. The operation, structured as a ransomware-as-a-service scheme with a $250 Monero affiliate fee (waived for Commonwealth of Independent States actors), originated on a Russian-language cybercrime forum in December 2025 before being detected by security researchers in early January 2026. VECT 2.0 rapidly expanded through partnerships with BreachForums and TeamPCP, the latter of which provides access to victims compromised in recent supply-chain attacks. Analysts emphasize that negotiating with actors offers no path to file recovery and that the malware's threshold of 128KB ensures nearly all enterprise and user files are targeted. Additional analysis revealed multiple implementation flaws beyond the encryption flaw, including faulty obfuscation, unreachable anti-analysis code, and performance-degrading scheduler bugs. Organizations are advised to prioritize prevention through employee training, EDR monitoring, offline immutable backups, and strict access controls, particularly for ESXi environments.

Cursor AI Extension Vulnerability Enables Unauthorized Credential Access via Local Storage Flaw

Updated: · First: 29.04.2026 18:00 · 📰 1 src / 1 articles

A high-severity vulnerability in the Cursor AI development environment allows installed extensions to directly access locally stored API keys, session tokens, and configuration data without user interaction or permission prompts. The flaw stems from Cursor's use of an unprotected SQLite database for credential storage, enabling any extension—regardless of its requested permissions—to query and exfiltrate sensitive authentication materials. Exploitation risks unauthorized access to third-party services such as OpenAI, Anthropic, or Google, leading to potential financial loss, data exposure, and service misuse. Cursor has not yet patched the issue as of April 28, 2026, and places responsibility on users to define trust boundaries.

Multinational law enforcement operation dismantles cryptocurrency investment fraud ring linked to €50 million losses

Updated: · First: 29.04.2026 17:27 · 📰 1 src / 1 articles

Austria and Albania, with support from Europol and Eurojust, dismantled a large-scale cryptocurrency investment fraud ring that allegedly defrauded victims worldwide of over €50 million. The operation, initiated in June 2023, culminated in the arrest of 10 suspects and coordinated searches on April 17, 2024, across three call centers and nine private residences. Seizures included €891,735 in cash, 443 computers, 238 mobile phones, 6 laptops, and multiple data storage devices. Victims were primarily targeted through fraudulent cryptocurrency investment platforms advertised on search engines and social media, with funds siphoned into international money-laundering schemes.

Self-propagating North Korean job-scam malware spreads via compromised developer projects in software supply chain

Updated: 29.04.2026 17:00 · First: 22.04.2026 17:48 · 📰 2 src / 2 articles

A North Korean state-aligned actor has transformed fake job recruitment scams into a self-propagating supply-chain attack dubbed "Contagious Interview" that infects developer workstations and propagates via compromised repositories. Void Dokkaebi (aka Famous Chollima) abuses legitimate development workflows by luring developers with fake interviews, then delivering malware via malicious VS Code tasks or hidden payloads in fonts/images. Once committed to Git repositories, the infection spreads to downstream contributors, creating a worm-like chain reaction. Developers’ credentials, crypto wallets, CI/CD pipelines, and production infrastructure are primary targets. Newly identified activity connected to the same actor’s PromptMink campaign targets cryptocurrency developers via malicious npm packages, including @validate-sdk/v2, co-authored by an AI coding assistant. The layered package strategy uses legitimate-looking tools to hide malicious payloads, with payloads evolving from credential theft to broader data exfiltration, persistence mechanisms, and cross-platform binaries. Over 60 packages and 300+ versions have been identified across seven months, with evidence of LLM integration in malware development.

Compromise of Third-Party AI Tool via Infostealer Leads to Vercel Breach and OAuth Token Theft Chain

Updated: 29.04.2026 16:05 · First: 21.04.2026 00:01 · 📰 3 src / 3 articles

Vercel remains under assessment following a sophisticated attack chain that began with the compromise of third-party AI tool vendor Context.ai via an infostealer. The breach was enabled by an OAuth token tied to a Vercel employee’s Google Workspace account, granting access to non-sensitive environment variables and internal systems. Context.ai acknowledged the theft of OAuth tokens, including those used in consumer-facing integrations. Vercel, collaborating with Mandiant, has notified affected customers and issued advisories emphasizing MFA enforcement, credential rotation, and review of non-sensitive environment variables. A threat actor allegedly linked to ShinyHunters attempted to extort Vercel for $2 million. The incident highlights systemic risks from shadow AI integrations and OAuth sprawl. Context.ai’s breach originated from an infostealer infection on an employee’s system after searching for gaming cheats, leading to the theft of OAuth tokens. The compromised Vercel employee account had broad permissions, including access to internal dashboards, API keys, and GitHub tokens. Broader industry trends show attackers increasingly exploiting OAuth connections at scale, with campaigns like Scattered Lapsus$ Hunters targeting major enterprises via OAuth-driven supply chain attacks and phishing. Security experts recommend default-deny policies for OAuth integrations and routine audits to mitigate these risks.

Exponential growth in compromised credential collections driven by infostealers and macOS targeting in 2025

Updated: · First: 29.04.2026 16:00 · 📰 1 src / 1 articles

Global compromised credential collections surged to nearly 2.9 billion in 2025, driven by widespread infostealer activity and a 7,000% increase in macOS infostealer infections. The data spans usernames, passwords, session tokens, cookies, breached email repositories, and cybercrime marketplaces. At least 347 million credentials originated from infostealers operating across 3.9 million infected systems. The scale reflects persistent and evolving credential harvesting threats targeting both traditional and Apple ecosystems. Ransomware victims rose 45% to 7,549 across 147 groups, including 80 new entities. CISA’s Known Exploited Vulnerabilities (KEV) Catalog expanded by 29% to 238 entries, with markets favoring weaponized exploits over proof-of-concept code. Hacktivist groups increased by 250, while DDoS attacks surged 400% to 3,500 incidents amid rising geopolitical tensions. AI integration in attack chains has shifted from supportive tools to core components, enabling autonomous workflows, malware deployment, and prompt injection attacks across compromised identities.

GitHub CVE-2026-3854 remote code execution flaw via crafted git push

Updated: 29.04.2026 15:41 · First: 28.04.2026 21:19 · 📰 2 src / 2 articles

GitHub disclosed CVE-2026-3854, a critical command injection vulnerability in GitHub.com and GitHub Enterprise Server allowing authenticated users with push access to achieve remote code execution via a single "git push" command. The flaw stemmed from inadequate sanitization of user-supplied push option values, which enabled injection of crafted metadata into internal headers during git push operations. Exploitation involved bypassing sandboxing protections, redirecting hook execution, and executing arbitrary commands as the git user, potentially exposing millions of private repositories. GitHub confirmed the vulnerability was reported by Wiz on March 4, 2026, and patched on GitHub.com within two hours, with no evidence of exploitation in the wild prior to disclosure. However, approximately 88% of GitHub Enterprise Server instances remained vulnerable at the time of public disclosure, prompting urgent patches for all supported releases.

Shift to Autonomous Exposure Validation Against AI-Driven Attack Agents

Updated: · First: 29.04.2026 15:02 · 📰 1 src / 1 articles

The cybersecurity community has documented the first recorded use of custom AI agents by threat actors to autonomously execute attacks within enterprise networks, specifically targeting Active Directory and escalating privileges to Domain Admin. These AI-driven attacks reduce time-to-compromise to minutes while traditional defensive workflows—characterized by siloed CTI, Red, and Blue teams—remain manual and sluggish, creating a critical speed asymmetry. A new defensive paradigm, Autonomous Exposure Validation, is being introduced to counter these AI adversaries by integrating automated threat simulation, exposure validation, and coordinated remediation into a unified operational loop.

Joint U.S. Government Guide Released to Accelerate Zero Trust Adoption in Operational Technology Environments

Updated: · First: 29.04.2026 15:00 · 📰 1 src / 1 articles

U.S. government agencies—CISA, Department of War, Department of Energy, FBI, and Department of State—published a joint guide titled *Adapting Zero Trust Principles to Operational Technology* to assist organizations in integrating Zero Trust principles into operational technology (OT) environments. The guide addresses challenges posed by increasing OT connectivity, expanded attack surfaces, and heightened cybersecurity risks, emphasizing the need to secure OT systems without disrupting critical operations. Zero Trust adoption is positioned as a strategy to prevent adversaries from compromising, manipulating, or disrupting essential physical processes controlled by OT. CISA highlights observed threat activity, such as Volt Typhoon targeting OT systems, underscoring the urgency of implementing Zero Trust architectures to maintain visibility and control over critical operations.

Evaluating exposure management platform architectures for effective risk reduction

Updated: · First: 29.04.2026 14:30 · 📰 1 src / 1 articles

Exposure management platforms are increasingly adopted to bridge the gap between remediation efforts and actual risk reduction, addressing a critical shortcoming in traditional vulnerability management approaches. Security teams often struggle to quantify whether their patching efforts translate to meaningful improvements in security posture due to limited context provided by patch counts and CVSS scores alone. The market offers four dominant platform architectures—stitched portfolios, data aggregation platforms, single-domain specialists, and integrated platforms—each with distinct technical capabilities and limitations that directly impact an organization’s ability to assess and mitigate real-world attack paths. Selecting an exposure management platform with the wrong architecture can result in persistent blind spots, inefficient remediation efforts, and misaligned prioritization, leaving critical assets exposed despite high volumes of closed vulnerabilities.

CISA mandates patching of Windows zero-click authentication coercion flaw (CVE-2026-32202) exploited in APT28 campaigns

Updated: · First: 29.04.2026 13:29 · 📰 1 src / 1 articles

CISA has issued a directive under BOD 22-01 requiring U.S. federal agencies to patch the Windows authentication coercion vulnerability CVE-2026-32202 by May 12, 2026, following evidence of active exploitation in low-complexity, zero-click credential theft attacks. The flaw represents an incompletely remediated gap left after Microsoft’s February 2026 patch for CVE-2026-21510, a remote code execution issue exploited by Russian state-sponsored APT28 (Fancy Bear) in December 2025 across Ukraine and EU targets. Akamai researchers identified the residual vulnerability as enabling attacks based on automatically parsed LNK files that require no user interaction, leveraging trust verification bypasses in path resolution. Microsoft confirmed active exploitation on April 27, 2026, prompting the urgency reflected in the KEV entry and CISA’s binding directive.

Ransomware in Healthcare: Spillover Effects on Surrounding Hospitals

Updated: 29.04.2026 13:05 · First: 27.08.2025 00:00 · 📰 2 src / 2 articles

Ransomware attacks on healthcare organizations continue to cause significant disruption beyond targeted institutions, affecting surrounding hospitals and entities through diverted ambulances, increased patient volume, and delayed treatments. These spillover effects are particularly severe in rural communities, where delayed care can lead to long-term health effects and fatal outcomes. The healthcare sector faces persistent ransomware threats, with Health-ISAC tracking nearly 6,000 events in critical infrastructure organizations in 2024, including 446 in healthcare, followed by 4,159 cases across all sectors in the first half of 2025. Recent data reveals that medical devices are increasingly targeted, with one-quarter of healthcare organizations reporting cyber-attacks impacting these devices in the past year. These attacks have moderate to severe impacts on patient care, ranging from delayed imaging to interruptions in critical care delivery. Legacy device vulnerabilities, recent high-profile incidents involving Medtronic and Stryker, and the rise of AI-enabled medical systems introduce additional cybersecurity challenges, underscoring the need for robust security measures and improved procurement practices.

Authentication bypass vulnerability in cPanel patched across supported versions

Updated: · First: 29.04.2026 12:37 · 📰 1 src / 1 articles

cPanel released security updates addressing an authentication bypass vulnerability affecting all supported versions of its control panel software. The flaw could allow an attacker to gain unauthorized access to cPanel and WebHost Manager (WHM) interfaces, potentially leading to server compromise, data exposure, or malicious account creation. The impacted versions span multiple release branches, and servers running outdated or unsupported builds are also at risk. Immediate patching is strongly advised due to elevated exploitation potential.

Active exploitation of pre-authentication SQL injection in LiteLLM proxy gateways

Updated: · First: 29.04.2026 00:07 · 📰 1 src / 1 articles

A critical pre-authentication SQL injection vulnerability in the LiteLLM open-source LLM gateway proxy is being actively exploited by threat actors to access and modify sensitive data stored in the proxy's database. The flaw, tracked as CVE-2026-42208, allows unauthenticated attackers to send specially crafted Authorization headers to any LLM API route, enabling read and write access to database contents. Given LiteLLM's role as a middleware layer for managing API keys, credentials, and environment secrets across major providers (e.g., OpenAI, Anthropic, Bedrock), successful exploitation can lead to unauthorized access to credentials and configuration data. The vulnerability arises from insecure string concatenation during API key verification and has been addressed in LiteLLM version 1.83.7 via parameterized queries. Widespread exploitation began approximately 36 hours after public disclosure on April 24, 2026.

Rockstar Games analytics data exfiltrated via third-party Snowflake compromise linked to Anodot breach

Updated: 28.04.2026 22:04 · First: 13.04.2026 23:08 · 📰 2 src / 2 articles

The extortion group ShinyHunters has expanded its campaign tied to the Anodot breach, claiming unauthorized access to Vimeo’s systems and threatening to leak data unless a ransom is paid. The attack leverages authentication tokens stolen from Anodot to compromise downstream victims, including Vimeo and Rockstar Games. Vimeo confirmed that exposed data included email addresses, technical data, video titles, and metadata, but excluded video content, credentials, and payment information. Operations remained unaffected, and Vimeo disabled Anodot integration and launched an investigation with law enforcement. Rockstar Games previously acknowledged a limited breach linked to the same third-party incident, with ShinyHunters leaking approximately 78.6 million records of internal analytics data. The compromised datasets included in-game revenue metrics, player behavior tracking, and Zendesk support analytics, with Rockstar asserting no operational impact.

LofyGang Returns with Minecraft-Themed LofyStealer Campaign Targeting Gamers

Updated: · First: 28.04.2026 20:39 · 📰 1 src / 1 articles

The Brazilian cybercrime group LofyGang has re-emerged after a three-year hiatus with a targeted campaign against Minecraft players using a new infostealer named LofyStealer (also tracked as GrabBot). The campaign leverages a trojanized Minecraft hack tool called 'Slinky' to deliver the stealer, which masquerades as the official game’s icon to deceive victims, particularly young users familiar with the gaming ecosystem. Once executed, LofyStealer (chromelevator.exe) is deployed in memory and harvests sensitive data from multiple browsers, including stored passwords, cookies, tokens, credit card details, and International Bank Account Numbers (IBANs). The exfiltrated data is sent to a command-and-control (C2) server located at 24.152.36[.]241. The group’s tactics have evolved to include a malware-as-a-service (MaaS) model with free and premium tiers, alongside a custom builder (Slinky Cracked) for payload delivery. This shift marks a significant departure from their historical focus on JavaScript supply chain attacks, such as npm package typosquatting and dependency hijacking, which previously targeted Discord tokens and gaming-related credentials.

Enterprise AI Governance Framework Webinar Scheduled for April 28, 2026

Updated: · First: 28.04.2026 18:29 · 📰 1 src / 1 articles

A live webinar scheduled for April 28, 2026, at 1PM ET will present a structured approach to governing AI adoption in enterprises amid rising concerns over "Shadow AI" practices. The session aims to address security, ethical, and compliance risks stemming from unchecked AI tool adoption, while proposing a scalable governance framework to transition from fragmented usage to controlled, enterprise-wide deployment.

TeamPCP escalates CanisterWorm campaign with geopolitical targeting and multi-vector attacks

Updated: 28.04.2026 17:50 · First: 21.03.2026 09:28 · 📰 12 src / 19 articles

TeamPCP has escalated its multi-vector CanisterWorm campaign into a geopolitically targeted operation, now confirmed to have leveraged the Trivy supply-chain attack as an access vector for the Checkmarx compromise. The group compromised PyPI packages (LiteLLM versions 1.82.7–1.82.8 and Telnyx versions 4.87.1–4.87.2) and Checkmarx KICS tooling to deliver credential-stealing malware, harvesting SSH keys, cloud credentials, Kubernetes secrets, database credentials, cryptocurrency wallets, TLS/SSL private keys, and bash history files. Checkmarx has publicly confirmed that the LAPSUS$ threat group leaked data stolen from its private GitHub repository, with access facilitated by the Trivy compromise attributed to TeamPCP. The leaked data, published on both dark web and clearnet portals, did not contain customer information, and Checkmarx has blocked access to the affected repository pending forensic investigation. The campaign’s scope expanded from initial npm package compromises to include GitHub repository hijacking (e.g., Aqua Security), Docker Hub compromise, and CI/CD pipeline targeting, while destructive payloads in Iranian Kubernetes environments highlight TeamPCP’s geopolitical alignment.

Robinhood account creation process exploited to deliver phishing emails via email injection

Updated: 28.04.2026 17:49 · First: 28.04.2026 02:11 · 📰 2 src / 2 articles

Threat actors abused a flaw in Robinhood’s account creation onboarding process to inject arbitrary HTML into legitimate registration emails, enabling the delivery of convincing phishing messages. Starting April 26, 2026, Robinhood customers received emails from [email protected] with a subject line ‘Your recent login to Robinhood’ warning of an ‘Unrecognized Device Linked to Your Account’. The emails included fake IP addresses, partial phone numbers, and a ‘Review Activity Now’ button that led to a phishing domain. The attack leveraged improperly sanitized device metadata fields during account registration to embed HTML into the Device: field of confirmation emails, creating a fake alert within otherwise legitimate messages. Attackers exploited Gmail’s dot aliasing feature to register accounts using variations of real email addresses, which Robinhood treated as distinct accounts while Gmail directed emails to the intended recipient. Robinhood has confirmed the incident was not a breach and has remediated the flaw by removing the Device: field from account creation emails.

Deprecation of TLS 1.0 and TLS 1.1 for Exchange Online POP3/IMAP4 access

Updated: · First: 28.04.2026 16:18 · 📰 1 src / 1 articles

Microsoft will fully deprecate support for legacy TLS versions 1.0 and 1.1 for POP3 and IMAP4 connections to Exchange Online starting July 2026, requiring TLS 1.2 or later for continued access. The change aims to mitigate risks associated with outdated cryptographic protocols that no longer meet modern security standards. Most users are expected to remain unaffected as current traffic predominantly uses TLS 1.2 or higher, but organizations relying on legacy endpoints or non-compliant clients may face connectivity failures or require updates to custom/embedded systems.

Ransomware groups 0APT and KryBit engage in retaliatory data leaks disrupting operations

Updated: · First: 28.04.2026 16:00 · 📰 1 src / 1 articles

A retaliatory cyber conflict between the ransomware groups 0APT and KryBit resulted in mutual data leaks exposing operational details, infrastructure, and fabricated victim claims. The incident began in late March 2026 when 0APT leaked KryBit’s administrative panel, personnel data, and negotiation records, prompting KryBit to retaliate by stealing 0APT’s operational data and defacing its leak site. Both groups now face operational disruption, requiring infrastructure rebuilds, while Everest Group remains unaffected but exposed. The event highlights escalating instability within the ransomware ecosystem driven by credibility erosion and financial pressure.

Structured OPSEC Framework for Large-Scale Carding Operations Revealed in Underground Forum

Updated: · First: 28.04.2026 15:50 · 📰 1 src / 1 articles

A threat actor has publicly detailed a three-tier operational security (OPSEC) framework designed to sustain high-volume carding operations while evading detection, emphasizing compartmentalization, identity isolation, and advanced evasion techniques. The framework separates infrastructure into public, operational, and extraction layers, each with distinct controls to minimize exposure and forensic traceability. Common operational failures—such as identity reuse, weak fingerprinting evasion, and poor stage separation—are explicitly identified as primary causes of compromise. Advanced techniques including time-delayed triggers, behavioral randomization, and dead man’s switches are integrated to enhance resilience. The methodology reflects a shift in cybercriminal operations toward long-term sustainability, where OPSEC is treated as a competitive advantage over technical sophistication.

Extradition of Chinese National Tied to Silk Typhoon Cyber Espionage Campaign

Updated: · First: 28.04.2026 15:30 · 📰 1 src / 1 articles

A Chinese national accused of conducting state-sponsored cyber intrusions under the Silk Typhoon (Hafnium) campaign has been extradited to the U.S. to face charges related to espionage activities targeting American organizations and COVID-19 research between February 2020 and June 2021. Xu Zewei, 34, allegedly carried out intrusions under the direction of China’s Ministry of State Security (MSS) while operating through a private contractor, Shanghai Powerock Network Co. Ltd., to obscure state involvement. The campaign leveraged Microsoft Exchange Server vulnerabilities and targeted universities, researchers, and private sector entities, with data exfiltration focused on vaccine research, policy communications, and sensitive intellectual property.

PhantomRPC Local Privilege Escalation in Windows RPC Mechanism Exploited via Impersonation Abuse

Updated: · First: 28.04.2026 14:31 · 📰 1 src / 1 articles

A novel local privilege escalation technique named PhantomRPC has been disclosed, leveraging architectural weaknesses in the Windows Remote Procedure Call (RPC) mechanism to escalate privileges to SYSTEM level across all supported Windows versions. The attack abuses legitimate Windows impersonation mechanisms and the absence of runtime verification of RPC server identity, allowing attackers to deploy malicious RPC endpoints that mimic legitimate services such as TermService or DHCP Client. Exploitation requires prior compromise of a privileged service account or user context, and can be triggered via scheduled system calls, user actions, or automatic service behavior. The vulnerability introduces a broad attack surface due to the widespread use of RPC in Windows system components and applications.

Misrendered Windows RDP security warnings due to multi-monitor scaling in April 2026 update

Updated: · First: 28.04.2026 12:51 · 📰 1 src / 1 articles

Microsoft disclosed a rendering defect in newly introduced Remote Desktop (RDP) security warnings on Windows systems after the April 2026 cumulative updates. Affected systems fail to render warning dialog text and controls correctly when using multiple monitors with different display scaling settings, resulting in overlapping text, misplaced buttons, and reduced usability or complete loss of interaction capability. The issue occurs on all supported Windows versions and persists across Windows 11, Windows 10, and Windows Server installations that include the April 2026 security updates.