Hacking News

CVE-2026-34621 is a prototype pollution flaw in Adobe Acrobat Reader with a CVSS 8.6 score. Active exploitation began in December 2025. Update immediately.

US, UK, and Canadian law enforcement froze $12 million in stolen crypto and identified 20,000 victims of approval phishing scams in week-long crackdown.

Microsoft found an intent redirection vulnerability in EngageLab's Android SDK affecting 50M+ app installs. Crypto wallets with 30M users were at risk.

ClickFix attackers bypass macOS 26.4 Terminal paste scanning by using applescript:// URLs to launch Script Editor. Same payload, new delivery vector.

Ransomware attack on ChipSoft forces 11 Dutch hospitals offline. The vendor manages patient records for most of the Netherlands. Attacker unknown.

CVE-2026-39987 in Marimo Python notebooks allows unauthenticated RCE via terminal WebSocket. Attackers weaponized it within hours. Patch to 0.23.0 now.

Attackers compromised CPUID's website API for six hours, redirecting CPU-Z and HWMonitor downloads to trojanized installers that steal browser credentials using advanced evasion techniques.

AI startup Mercor confirms breach via LiteLLM supply chain attack. Lapsus$ claims 4TB stolen including candidate data, source code, and API keys. Meta pauses contracts.

ShinyHunters compromised SaaS analytics provider Anodot, using stolen authentication tokens to access and exfiltrate data from dozens of Snowflake customers.

Russian GRU's APT28 uses new PRISMEX malware suite with steganography and COM hijacking to target Ukraine defense and NATO logistics. Includes wiper capability.

FBI-led Operation Masquerade dismantled Russia's GRU-linked FrostArmada, which compromised 18,000+ routers to steal Microsoft 365 credentials via DNS hijacking.

Attackers compromised Nextend's update infrastructure to push a malicious Smart Slider 3 Pro version with four layers of backdoors. Here's who's affected and how to recover.

World Leaks gang dumps 7TB of sensitive police data including personnel files and Internal Affairs investigations after breaching LA City Attorney's Office.

Attackers stole 50.9 BTC from company wallets after obtaining settlement account credentials. Second security incident for the crypto ATM operator since 2023.

CVE-2026-25776 (CVSS 9.8) enables remote code execution through Movable Type's Listing Framework. Affects versions 6.0+. Patches available for MT 9, 8.8, 8.0.

Contagious Interview campaign escalates with trojanized developer tools across five ecosystems. Packages impersonate logging utilities and steal credentials.

CVE-2026-39888 bypasses PraisonAI's Python sandbox via exception frame traversal. Attackers chain __traceback__ attributes to reach exec(). Patch to 1.5.115.

Project Glasswing partners Amazon, Microsoft, Cisco to hunt zero-days with an AI model too dangerous for public release. Thousands of flaws already found.

CVE-2026-34197 exposes Apache ActiveMQ to remote code execution via the Jolokia API. Horizon3 researcher used Claude to uncover the flaw in under 10 minutes. Patch now.

Over 1,000 exposed ComfyUI instances targeted by cryptomining campaign. Attackers exploit custom nodes for RCE, deploy XMRig and Hysteria V2 botnet with persistence.

Joint advisory AA26-097A details Iranian APT targeting Rockwell Allen-Bradley controllers across critical infrastructure. Attacks caused operational disruptions since March 2026.

CVE-2026-34040 lets attackers bypass Docker authorization plugins with a single padded HTTP request. CVSS 8.8 flaw patched in Engine 29.3.1.

Check Point tracks an Iran-nexus campaign targeting Microsoft 365 accounts across 300+ Israeli organizations and 25+ UAE entities. Attackers use Tor exit nodes and Israeli VPNs to evade detection.

Microsoft links China-based Storm-1175 to high-velocity Medusa ransomware attacks exploiting zero-day vulnerabilities. Healthcare, education, and finance sectors hit across Australia, UK, and US.

Coordinated npm supply chain attack deploys 36 malicious packages masquerading as Strapi CMS plugins. Attackers target cryptocurrency platforms with Redis exploitation, credential harvesting, and persistent backdoors.

Critical code injection vulnerability CVE-2025-59528 in Flowise AI agent builder scores maximum CVSS 10.0 and is under active exploitation. Over 12,000 instances are publicly accessible.

Security researcher releases working proof-of-concept for BlueHammer, an unpatched Windows Defender privilege escalation flaw enabling SYSTEM access via TOCTOU and path confusion vulnerabilities.

University of Toronto researchers demonstrate GPUBreach, a GPU rowhammer attack that bypasses IOMMU protections to achieve root access on systems with NVIDIA GPUs. Consumer GPUs remain unmitigated.

CISA adds CVE-2026-35616 to KEV catalog with April 9 deadline for federal agencies. Nearly 2,000 FortiClient EMS instances remain exposed as exploitation continues.

AI-discovered vulnerabilities bypass all security policies including 'secure' mode. Most servers won't receive fixes until 2027 without manual intervention.

CVE-2026-34838 lets authenticated attackers achieve RCE on Group-Office CRM servers via insecure deserialization. Upgrade to patched versions immediately.

CVE-2026-2699 and CVE-2026-2701 combine to let unauthenticated attackers take over ShareFile Storage Zone Controllers. Patches available since March 10.

CVE-2026-20093 and CVE-2026-20160 let unauthenticated attackers take full control of Cisco UCS servers and licensing infrastructure. No workarounds exist.

CVE-2026-35616 lets attackers bypass API authentication in FortiClient EMS 7.4.5-7.4.6 for unauthenticated RCE. Exploitation began March 31. Emergency hotfixes available.

Brazilian threat actor Augmented Marauder targets Latin America and Europe with Casbaneiro banking trojan, using dynamically generated court summons PDFs and Horabot for worm-like propagation.

Microsoft Defender Experts identify multi-stage malware campaign using WhatsApp messages to deliver VBS scripts that bypass UAC and establish persistent Windows backdoors.

Telehealth company Hims & Hers reveals data breach affecting customer support tickets. ShinyHunters gang exploited Okta SSO to access Zendesk platform.

Security researchers expose KadNap malware targeting ASUS routers to build a criminal proxy network. 60% of infected devices located in the US, linked to Doppelganger service.

Kaspersky discovers new SparkCat malware variants on Apple App Store and Google Play that use OCR to steal cryptocurrency wallet recovery phrases from photo galleries.

Sinobi, a suspected Lynx/INC rebrand, has grown from 40 victims to 215 since September 2025. The RaaS operation targets US midmarket companies with hybrid Curve25519/AES encryption.

Unit 42 exposes Phantom Taurus, a Chinese APT targeting embassies and foreign ministries with fileless NET-STAR malware. The group resurfaces within hours after discovery.

Solana's Drift Protocol lost $285 million in 2026's largest DeFi hack. TRM Labs attributes the attack to North Korean actors who exploited oracle manipulation and pre-signed transactions.

Threat actors weaponized Anthropic's accidental source code leak to distribute Vidar malware through trojanized GitHub repos. Here's how the attack works.

CVE-2026-34938 lets attackers escape PraisonAI's three-layer Python sandbox to execute arbitrary OS commands. CVSS 10 — patch to version 1.5.90 immediately.

Die Linke confirms Qilin stole internal data and employee info from party headquarters. Officials suggest attack may be politically motivated hybrid warfare.