[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fOm7pH1uHUrcnMICuB-0YgOaBZaaZGduFeiJhYMC0c6Y":3,"$fqGAeYmgddw9FoedBtyqAiJ0koU9YwwEu3J8AKlToBl0":5},{"items":4},[],{"items":6,"total":389},[7,31,54,73,90,110,130,148,168,189,208,228,248,267,283,302,319,334,352,371],{"id":8,"title":9,"slug":10,"summary":11,"severity":12,"category":13,"cve_ids":14,"affected_products":15,"action_required":19,"article_ids":20,"ioc_summary":22,"source_urls":23,"status":25,"expires_at":26,"created_at":27,"updated_at":28,"articles":29},"df8d309d-12cd-4af0-8454-ac8ec4e12cf8","Our research reveals \"Agent God Mode\" in Amazon Bedrock AgentCore. Overly broad IAM permissions a...","our-research-reveals-agent-god-mode-in-amazon-bedrock-agentcore-overly-broad-iam-moeh6zgi","Amazon Bedrock AgentCore contains a privilege escalation vulnerability called 'Agent God Mode' that allows compromised agents to exploit overly permissive IAM policies to escalate privileges across AWS accounts and exfiltrate sensitive data including agent memories. Any organization running Bedrock agents with broad IAM permissions is at risk. This is a configuration flaw, not a patched CVE, making it immediately exploitable by attackers who compromise an agent.","high","advisory",[],[16,17,18],"Amazon","Amazon Bedrock","AgentCore","Audit all Amazon Bedrock agent IAM roles immediately. Apply least privilege principle: replace wildcard permissions with specific, limited actions. Implement the principle of least privilege for bedrock:* and iam:* permissions. 
Document findings within 24 hours.",[21],"f0b5354c-bcf0-4a9a-8800-0ee555fe971c",null,[24],"https:\u002F\u002Fx.com\u002FUnit42_Intel\u002Fstatus\u002F2047790217210233013","archived","2026-04-27T15:09:48.008+00:00","2026-04-25T15:09:52.069617+00:00","2026-04-27T16:05:21.499363+00:00",[30],{"id":21,"title":9,"url":24},{"id":32,"title":33,"slug":34,"summary":35,"severity":36,"category":13,"cve_ids":37,"affected_products":40,"action_required":46,"article_ids":47,"ioc_summary":22,"source_urls":49,"status":25,"expires_at":26,"created_at":51,"updated_at":28,"articles":52},"7e9e845b-5f54-4b78-a583-1764dae1a381","FIRESTARTER Backdoor","firestarter-backdoor-moeh6xo2","APT actors deployed FIRESTARTER, a persistent Linux backdoor on Cisco Firepower and Secure Firewall devices via CVE-2025-20333 and CVE-2025-20362. The malware survives firmware patches and works with LINE VIPER to maintain remote access. Any organization running these devices is at risk of undetected command and control.","critical",[38,39],"CVE-2025-20333","CVE-2025-20362",[41,42,43,44,45],"Cisco","CISA","NCSC","Cisco Firepower","Cisco ASA","Immediately hunt Cisco Firepower and Secure Firewall devices using provided YARA rules. 
For confirmed compromises: generate core dumps for analysis, apply patches for CVE-2025-20333 and CVE-2025-20362, then perform hard power cycles to clear persistence.",[48],"a78c84a3-115d-483b-9bed-262c14d46a1e",[50],"https:\u002F\u002Fwww.cisa.gov\u002Fnews-events\u002Fanalysis-reports\u002Far26-113a","2026-04-25T15:09:49.76689+00:00",[53],{"id":48,"title":33,"url":50},{"id":55,"title":56,"slug":57,"summary":58,"severity":36,"category":13,"cve_ids":59,"affected_products":60,"action_required":63,"article_ids":64,"ioc_summary":22,"source_urls":66,"status":25,"expires_at":68,"created_at":69,"updated_at":70,"articles":71},"8bc901ec-fab7-4a9e-a28d-f15014637209","Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain Campaign","bitwarden-cli-compromised-in-ongoing-checkmarx-supply-chain-campaign-moef218f","Bitwarden CLI v2026.4.0 was compromised via a malicious GitHub Action injection, distributing malware on npm for 1.5 hours on April 22. The malware exfiltrates developer secrets, GitHub tokens, SSH keys, and cloud credentials to attacker infrastructure. Any developer who installed this version during the window has potentially compromised credentials in active threat actor hands.",[],[61,62],"Bitwarden CLI","Bitwarden","Immediately identify and revoke all GitHub tokens, SSH keys, and cloud credentials for any developer who installed Bitwarden CLI v2026.4.0 between April 22 00:00-01:30 UTC. 
Hunt for exfiltration to audit.checkmarx[.]cx and suspicious GitHub repo access from compromised tokens.",[65],"e5cb6d60-4a7e-4bc3-9177-7b1ae091efa6",[67],"https:\u002F\u002Fthehackernews.com\u002F2026\u002F04\u002Fbitwarden-cli-compromised-in-ongoing.html","2026-04-27T14:09:53.884+00:00","2026-04-25T14:10:01.877258+00:00","2026-04-27T15:05:21.675658+00:00",[72],{"id":65,"title":56,"url":67},{"id":74,"title":75,"slug":76,"summary":77,"severity":36,"category":13,"cve_ids":78,"affected_products":79,"action_required":80,"article_ids":81,"ioc_summary":22,"source_urls":83,"status":25,"expires_at":85,"created_at":86,"updated_at":87,"articles":88},"3b4adee9-4689-4f15-8862-4776175a9b34","‼️🇺🇸 A threat actor operating under the alias spider321 has shared samples of an alleged databa...","a-threat-actor-operating-under-the-alias-spider321-has-shared-samples-of-an-alle-mo7if8of","Threat actor spider321 publicly disclosed a database containing ~90,000 records of US law enforcement personnel with full names, emails, phone numbers, IP addresses, and home zip codes. This PII exposes officers to direct targeting, harassment, and social engineering attacks. The breach significantly increases operational security risk for LE agencies.",[],[],"Alert all partner law enforcement agencies immediately. Monitor dark web and public forums for secondary sharing or monetization of the dataset. 
Advise affected personnel to enable MFA on all accounts, monitor credit reports, and increase physical security awareness.",[82],"167bbf6b-b561-46c0-9e21-32a69ecc710e",[84],"https:\u002F\u002Fx.com\u002FDarkWebInformer\u002Fstatus\u002F2045175703881085094","2026-04-22T18:09:46.561+00:00","2026-04-20T18:09:53.652137+00:00","2026-04-25T14:09:53.96931+00:00",[89],{"id":82,"title":75,"url":84},{"id":91,"title":92,"slug":93,"summary":94,"severity":36,"category":13,"cve_ids":95,"affected_products":96,"action_required":102,"article_ids":103,"ioc_summary":22,"source_urls":105,"status":25,"expires_at":85,"created_at":107,"updated_at":87,"articles":108},"4dc97f44-a1ca-42b0-a16f-695db9fc5db9","52M-Download protobuf.js Library Hit by RCE in Schema Handling","52m-download-protobuf-js-library-hit-by-rce-in-schema-handling-mo7if6w9","A critical RCE vulnerability (CVSS 9.4) was discovered in protobuf.js, a JavaScript library downloaded 52M times monthly. Attackers can inject malicious code through crafted schema names that bypass input validation in the Function constructor. Any application using protobufjs versions 8.0.0 or earlier, or 7.5.4 or earlier, is at risk of remote code execution.",[],[97,98,99,100,101],"protobuf.js","gRPC","Firebase","Google","Endor Labs","Immediately identify all internal and third-party applications using protobufjs. 
Upgrade to patched versions (8.0.1+ or 7.5.5+) and scan logs for suspicious schema processing or Function constructor abuse patterns.",[104],"4402f742-d9af-4273-8d40-1310e13279c3",[106],"https:\u002F\u002Fhackread.com\u002F52m-download-protobuf-js-library-rce-schema-handle\u002F","2026-04-20T18:09:51.351497+00:00",[109],{"id":104,"title":92,"url":106},{"id":111,"title":112,"slug":113,"summary":114,"severity":36,"category":13,"cve_ids":115,"affected_products":117,"action_required":122,"article_ids":123,"ioc_summary":22,"source_urls":125,"status":25,"expires_at":85,"created_at":127,"updated_at":87,"articles":128},"78ab4c1e-4060-4d08-805a-e95175a2761c","CVE-2026-34197: 13-Year-Old Apache ActiveMQ RCE via Jolokia API Surfaces for In-the-Wild Attacks","cve-2026-34197-13-year-old-apache-activemq-rce-via-jolokia-api-surfaces-for-in-t-mo7if4th","Apache ActiveMQ Classic has a 13-year-old RCE vulnerability (CVE-2026-34197) in the Jolokia API that is actively exploited in the wild. Attackers chain vm:\u002F\u002F URIs with remote Spring XML configs to execute arbitrary code as the broker process. Any organization running ActiveMQ Classic that is not patched by the April 30 deadline is at immediate risk.",[116],"CVE-2026-34197",[118,119,120,121,42],"Apache ActiveMQ Classic","Jolokia API","Apache Software Foundation","Horizon3.ai","Identify all ActiveMQ Classic instances in your environment and patch to the latest version immediately. 
If patching is not possible by April 30, isolate affected systems or disable the Jolokia API endpoint.",[124],"ee7749f1-f7fe-4993-8019-a7c1522cf6ef",[126],"https:\u002F\u002Fdarkwebinformer.com\u002Fcve-2026-34197-13-year-old-apache-activemq-rce-via-jolokia-api-surfaces-for-in-the-wild-attacks\u002F","2026-04-20T18:09:48.658287+00:00",[129],{"id":124,"title":112,"url":126},{"id":131,"title":132,"slug":133,"summary":134,"severity":36,"category":13,"cve_ids":135,"affected_products":136,"action_required":138,"article_ids":139,"ioc_summary":22,"source_urls":141,"status":25,"expires_at":143,"created_at":144,"updated_at":145,"articles":146},"53356d00-be43-4c25-a9f2-79d0e4d2ef84","ZionSiphon malware designed to sabotage water treatment systems","zionsiphon-malware-designed-to-sabotage-water-treatment-systems-mo4lcn8j","Darktrace identified ZionSiphon, malware purpose-built to sabotage water treatment and desalination facilities by manipulating chlorine levels and hydraulic pressures. The malware currently contains a flawed XOR encryption that renders it non-functional, but a corrected variant could cause severe operational damage. Israeli water infrastructure is the confirmed target, though similar facilities worldwide should assume risk.",[],[137],"Darktrace","Immediately inventory all OT\u002FICS assets in water treatment environments. Hunt for ZionSiphon IOCs and suspicious geolocation checks or file validation logic in network traffic. 
Isolate any infected systems and escalate to facility operators and CISA.",[140],"16b946a7-e0cb-45fc-af3b-8b2263546881",[142],"https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fzionsiphon-malware-designed-to-sabotage-water-treatment-systems\u002F","2026-04-20T17:08:26.721+00:00","2026-04-18T17:08:32.881522+00:00","2026-04-20T18:09:46.632253+00:00",[147],{"id":140,"title":132,"url":142},{"id":149,"title":150,"slug":151,"summary":152,"severity":36,"category":13,"cve_ids":153,"affected_products":155,"action_required":160,"article_ids":161,"ioc_summary":22,"source_urls":163,"status":25,"expires_at":143,"created_at":165,"updated_at":145,"articles":166},"e3f94fb1-6846-482d-be1e-e6cc6dd7b020","Horner Automation Cscape and XL4, XL7 PLC","horner-automation-cscape-and-xl4-xl7-plc-mo4lcljc","Horner Automation Cscape v10.0, XL4 PLC v16.32.0, and XL7 PLC v15.60 contain a critical password brute-force vulnerability (CVE-2026-6284, CVSS 9.1) with no rate limiting. This affects manufacturing environments globally and allows unauthenticated network attackers to compromise PLCs controlling critical infrastructure.",[154],"CVE-2026-6284",[156,157,158,159],"Horner Automation","Cscape","XL4 PLC","XL7 PLC","Immediately identify and inventory all Horner Cscape and XL4\u002FXL7 PLC instances on your network. Patch Cscape to v10.2 SP2 or later and update PLC firmware to latest versions. 
Until patched, restrict network access to these devices and enforce strong passwords.",[162],"de0f36b0-37f0-4cf8-a656-69c05d287659",[164],"https:\u002F\u002Fwww.cisa.gov\u002Fnews-events\u002Fics-advisories\u002Ficsa-26-106-02","2026-04-18T17:08:30.688274+00:00",[167],{"id":162,"title":150,"url":164},{"id":169,"title":170,"slug":171,"summary":172,"severity":36,"category":13,"cve_ids":173,"affected_products":175,"action_required":181,"article_ids":182,"ioc_summary":22,"source_urls":184,"status":25,"expires_at":143,"created_at":186,"updated_at":145,"articles":187},"fed53706-4c0e-4351-92a5-97387e8f6974","Hackers exploit Marimo flaw to deploy NKAbuse malware from Hugging Face","hackers-exploit-marimo-flaw-to-deploy-nkabuse-malware-from-hugging-face-mo4lcjwb","Attackers are actively exploiting CVE-2026-39987, a critical RCE vulnerability in Marimo Python notebooks, to deploy NKAbuse malware hosted on Hugging Face. The malware acts as a RAT with credential theft and lateral movement capabilities. 
Exploitation started within 10 hours of disclosure across multiple threat actors.",[174],"CVE-2026-39987",[176,177,178,179,180],"Marimo","Hugging Face Spaces","NKAbuse","Hugging Face","Sysdig","Immediately hunt for Marimo notebook execution in your environment, block known Hugging Face Space IOCs hosting NKAbuse, and scan for signs of credential theft and lateral movement on compromised systems.",[183],"a6755a48-6ebc-4f9a-8ca1-5df12699da7a",[185],"https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fhackers-exploit-marimo-flaw-to-deploy-nkabuse-malware-from-hugging-face\u002F","2026-04-18T17:08:28.556808+00:00",[188],{"id":183,"title":170,"url":185},{"id":190,"title":191,"slug":192,"summary":193,"severity":36,"category":13,"cve_ids":194,"affected_products":195,"action_required":198,"article_ids":199,"ioc_summary":22,"source_urls":201,"status":25,"expires_at":203,"created_at":204,"updated_at":205,"articles":206},"e7d1ac26-6da8-4d3f-a7eb-fd9481da0d4c","$10 Domain Could Have Handed Hackers 25k Endpoints, Including in OT and Gov Networks","10-domain-could-have-handed-hackers-25k-endpoints-including-in-ot-and-gov-networ-mo1m7ov2","Malware signed by Dragon Boss Solutions infected 25,000+ endpoints across 124 countries, including 221 universities, 41 OT\u002Fcritical infrastructure networks, 35 government entities, and multiple Fortune 500 companies. The malware disables AV, persists via scheduled tasks and WMI, and relies on an unregistered update domain (chromsterabrowser[.]com) that any actor could register for ~$10 to push arbitrary code. If that domain was registered by an attacker, all 25k endpoints became remote code execution targets.",[],[196,197],"Dragon Boss Solutions","Huntress","Immediately hunt for chromsterabrowser[.]com DNS requests and connections in your network logs. If found, assume compromise: isolate endpoints, capture memory, and scan for AV disablement, scheduled tasks, and WMI event subscriptions. 
Query all signed binaries from Dragon Boss Solutions for presence and execution.",[200],"4f3a5d25-b2be-4612-8ccd-e2b16bae0466",[202],"https:\u002F\u002Fwww.securityweek.com\u002F10-domain-could-have-handed-hackers-25k-endpoints-including-in-ot-and-gov-networks\u002F","2026-04-18T15:09:14.202+00:00","2026-04-16T15:09:22.990533+00:00","2026-04-18T17:08:26.815278+00:00",[207],{"id":200,"title":191,"url":202},{"id":209,"title":210,"slug":211,"summary":212,"severity":36,"category":13,"cve_ids":213,"affected_products":215,"action_required":220,"article_ids":221,"ioc_summary":22,"source_urls":223,"status":25,"expires_at":203,"created_at":225,"updated_at":205,"articles":226},"29954d56-85da-4b34-89e4-d7a7f99ab617","wolfSSL Vulnerability Hits IoT, Routers and Military Systems, Update to 5.9.1 Now","wolfssl-vulnerability-hits-iot-routers-and-military-systems-update-to-5-9-1-now-mo1m7mn5","Critical vulnerability CVE-2026-5194 in wolfSSL allows attackers to forge digital certificates by bypassing signature verification across ECDSA, DSA, ML-DSA, ED25519, and ED448 algorithms. Affects approximately 5 billion devices including IoT, routers, and military systems. Legacy devices unlikely to receive patches create persistent risk across critical infrastructure.",[214],"CVE-2026-5194",[216,217,218,219],"wolfSSL","wolfSSL Inc.","Red Hat","Anthropic","Immediately inventory all wolfSSL deployments in your environment and prioritize patching to version 5.9.1 or later. 
For unpatched legacy devices, implement network segmentation and enhanced monitoring for suspicious certificate validation events.",[222],"d9f23c20-c3f7-4fe5-ba45-37579af4ba01",[224],"https:\u002F\u002Fhackread.com\u002Fwolfssl-vulnerability-iot-routers-military-systems\u002F","2026-04-16T15:09:19.928053+00:00",[227],{"id":222,"title":210,"url":224},{"id":229,"title":230,"slug":231,"summary":232,"severity":36,"category":13,"cve_ids":233,"affected_products":235,"action_required":240,"article_ids":241,"ioc_summary":22,"source_urls":243,"status":25,"expires_at":203,"created_at":245,"updated_at":205,"articles":246},"7b7d3ea0-5bfe-424f-a271-cd8f33377bb2","Actively Exploited nginx-ui Flaw (CVE-2026-33032) Enables Full Nginx Server Takeover","actively-exploited-nginx-ui-flaw-cve-2026-33032-enables-full-nginx-server-takeov-mo1m7keq","CVE-2026-33032 is a critical authentication bypass in nginx-ui that allows unauthenticated attackers to modify Nginx configurations and take over the service completely. An estimated 2,689 vulnerable instances remain exposed globally and active exploitation is confirmed in the wild. Any unpatched nginx-ui deployment is a direct path to full web server compromise.",[234],"CVE-2026-33032",[236,237,238,239],"nginx-ui","Nginx","Atlassian","Pluto Security","Immediately identify all nginx-ui instances in your environment and upgrade to version 2.3.4 or later. 
For any system that cannot be patched within 24 hours, isolate it from production traffic and monitor all HTTP requests to the nginx-ui interface.",[242],"03db9af3-419d-4ed2-ac60-3533c3621f2e",[244],"https:\u002F\u002Fthehackernews.com\u002F2026\u002F04\u002Fcritical-nginx-ui-vulnerability-cve.html","2026-04-16T15:09:17.255896+00:00",[247],{"id":242,"title":230,"url":244},{"id":249,"title":250,"slug":251,"summary":252,"severity":12,"category":13,"cve_ids":253,"affected_products":254,"action_required":257,"article_ids":258,"ioc_summary":22,"source_urls":260,"status":25,"expires_at":262,"created_at":263,"updated_at":264,"articles":265},"66c2a7d0-140d-4866-a818-43ed8ba63d70","North Korea's APT37 Uses Facebook Social Engineering to Deliver RokRAT Malware","north-korea-s-apt37-uses-facebook-social-engineering-to-deliver-rokrat-malware-mnyrbkd1","APT37 is conducting active social engineering campaigns via Facebook and Telegram to deliver RokRAT, a fully-featured remote access trojan. Targets receive friend requests followed by trojanized Wondershare PDFelement installers that execute shellcode and establish persistence. RokRAT abuses Zoho WorkDrive for C2 and can capture screenshots, execute arbitrary commands, and disable security tools.",[],[255,256],"Wondershare PDFelement","Zoho WorkDrive","Hunt for PDFelement installer executions and suspicious Zoho WorkDrive API calls in your environment. Block known RokRAT IOCs and monitor for unsigned shellcode execution from PDF applications. 
Educate users on social engineering via Facebook\u002FTelegram and enforce conversation verification before accepting file transfers.",[259],"b58e5297-83ea-4608-87ae-c441f3fde0f5",[261],"https:\u002F\u002Fthehackernews.com\u002F2026\u002F04\u002Fnorth-koreas-apt37-uses-facebook-social.html","2026-04-16T15:08:54.611+00:00","2026-04-14T15:09:03.160366+00:00","2026-04-16T15:09:14.312876+00:00",[266],{"id":259,"title":250,"url":261},{"id":268,"title":269,"slug":270,"summary":271,"severity":36,"category":13,"cve_ids":272,"affected_products":273,"action_required":275,"article_ids":276,"ioc_summary":22,"source_urls":278,"status":25,"expires_at":262,"created_at":280,"updated_at":264,"articles":281},"a9951155-9fed-471d-8e2d-1cc5bbc7d4a4","The silent “Storm”: New infostealer hijacks sessions, decrypts server-side","the-silent-storm-new-infostealer-hijacks-sessions-decrypts-server-side-mnyrbi1z","Storm infostealer is actively harvesting browser credentials, session cookies, and crypto wallet data across multiple countries, then decrypting everything server-side to bypass endpoint detection. Attackers are hijacking authenticated sessions without triggering MFA, giving them direct access to Google, Facebook, X, and crypto exchanges. Stolen credentials are already being sold on dark web marketplaces.",[],[274,100],"Varonis","Hunt for Storm IOCs across endpoint telemetry and proxy logs. Priority: detect suspicious encrypted outbound traffic to unknown C2 infrastructure, unusual browser process behavior, and lateral movement from compromised user accounts. 
Cross-reference breach notification databases for credential overlap with your user base.",[277],"abf01874-1fcd-455d-88c1-99bbbf5550f1",[279],"https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fthe-silent-storm-new-infostealer-hijacks-sessions-decrypts-server-side\u002F","2026-04-14T15:09:00.390716+00:00",[282],{"id":277,"title":269,"url":279},{"id":284,"title":285,"slug":286,"summary":287,"severity":36,"category":13,"cve_ids":288,"affected_products":289,"action_required":294,"article_ids":295,"ioc_summary":22,"source_urls":297,"status":25,"expires_at":262,"created_at":299,"updated_at":264,"articles":300},"7a59fadc-e342-44c1-bfa8-314c05de0d7c","APT41 Delivers 'Zero-Detection' Backdoor to Harvest Cloud Credentials","apt41-delivers-zero-detection-backdoor-to-harvest-cloud-credentials-mnyrbfx2","APT41 is deploying a zero-detection backdoor targeting cloud credentials across AWS, Google Cloud, Azure, and Alibaba Cloud using typosquatting for C2 obfuscation. Any organization using these cloud platforms is at risk of credential theft and lateral movement into cloud infrastructure. This is a live campaign with no known CVEs, making signature-based detection approaches ineffective.",[],[290,291,292,293],"Amazon Web Services","Google Cloud","Microsoft Azure","Alibaba Cloud","Hunt for suspicious cloud credential access patterns, failed authentication spikes, and unusual API calls from new principals. Correlate with DNS queries to typosquatted domains. 
Review cloud IAM logs for service account abuse and cross-account access attempts.",[296],"e62b7fd4-5dba-45ad-88da-0982f1b8e5e4",[298],"https:\u002F\u002Fwww.darkreading.com\u002Fcloud-security\u002Fapt41-zero-detection-backdoor-harvest-cloud-credentials","2026-04-14T15:08:57.41453+00:00",[301],{"id":296,"title":285,"url":298},{"id":303,"title":304,"slug":305,"summary":306,"severity":36,"category":13,"cve_ids":307,"affected_products":308,"action_required":309,"article_ids":310,"ioc_summary":22,"source_urls":312,"status":25,"expires_at":314,"created_at":315,"updated_at":316,"articles":317},"f13baa6f-1bb0-4106-9ea3-bf4419af92f4","✅ GOOD\n- FBI dismantles GRU\u002FAPT28 DNS hijacking network — 23+ states, thousands of routers, criti...","good-fbi-dismantles-gru-apt28-dns-hijacking-network-23-states-thousands-of-route-mnvwe779","Russia's GRU\u002FAPT28 compromised thousands of routers across 23+ US states through DNS hijacking targeting critical infrastructure. Affected devices had malicious DNS configurations redirecting traffic to attacker-controlled servers. ISPs are notifying customers, but any organization with on-premises routers or managed network infrastructure may still harbor compromised devices.",[],[],"Audit all edge routers and DNS configurations across your environment immediately. Cross-reference against ISP notifications, verify DNS servers are legitimate, and check router logs for unauthorized configuration changes dating back 6+ months. 
Reset any devices with suspicious DNS settings.",[311],"6954ea14-7617-4eda-a2e2-802374a68f3a",[313],"https:\u002F\u002Fx.com\u002FSentinelOne\u002Fstatus\u002F2042709883104170045","2026-04-14T15:07:38.112+00:00","2026-04-12T15:07:45.613155+00:00","2026-04-14T15:08:54.731139+00:00",[318],{"id":311,"title":304,"url":313},{"id":320,"title":321,"slug":322,"summary":323,"severity":36,"category":13,"cve_ids":324,"affected_products":325,"action_required":326,"article_ids":327,"ioc_summary":22,"source_urls":329,"status":25,"expires_at":314,"created_at":331,"updated_at":316,"articles":332},"f5f741bd-52f0-44e5-ae0a-24c1289e5f86","🤢 UGLY\n- Iranian APTs confirmed inside U.S. water, energy, and government infrastructure\n- They'...","ugly-iranian-apts-confirmed-inside-u-s-water-energy-and-government-infrastructur-mnvwe5ji","Iranian APT actors have confirmed access inside U.S. water, energy, and government infrastructure with ability to manipulate SCADA displays and hide their presence from operators. Activity has escalated since March 2026 with documented disruptions and financial losses. This is an active persistent threat to critical national infrastructure.",[],[42],"Immediately hunt for SCADA display anomalies, unauthorized remote access, and lateral movement in ICS\u002FSCADA environments. Correlate network logs for command and control traffic to Iranian threat actor IOCs published by CISA. 
Verify integrity of HMI and operator dashboards across all critical infrastructure systems.",[328],"048149ca-aab4-4444-98ee-6a25609a6a7e",[330],"https:\u002F\u002Fx.com\u002FSentinelOne\u002Fstatus\u002F2042709886879072455","2026-04-12T15:07:43.452464+00:00",[333],{"id":328,"title":321,"url":330},{"id":335,"title":336,"slug":337,"summary":338,"severity":36,"category":13,"cve_ids":339,"affected_products":340,"action_required":344,"article_ids":345,"ioc_summary":22,"source_urls":347,"status":25,"expires_at":314,"created_at":349,"updated_at":316,"articles":350},"55ada461-5c3f-41cc-a68c-0ba59ecb7d52","GlassWorm Campaign Uses Zig Dropper to Infect Multiple Developer IDEs","glassworm-campaign-uses-zig-dropper-to-infect-multiple-developer-ides-mnvwe3qm","GlassWorm campaign distributed a malicious Zig dropper through fake VS Code extensions on Open VSX marketplace, targeting developer environments. The dropper identifies all IDEs on infected systems and deploys a second-stage extension that steals credentials and executes C2 commands via Solana blockchain. Any developer who installed 'specstudio.code-wakatime-activity-tracker' or 'floktokbok.autoimport' should be treated as compromised.",[],[341,342,343],"VS Code","Microsoft","Open VSX","Immediately identify and isolate any developer machines with the affected extensions installed. 
Assume full credential compromise: force password resets for all users matching this profile, rotate API keys and secrets, and scan for lateral movement and data exfiltration in the past 90 days.",[346],"4e3b12d9-22ce-49b0-8b6b-7e5b7c6207ee",[348],"https:\u002F\u002Fthehackernews.com\u002F2026\u002F04\u002Fglassworm-campaign-uses-zig-dropper-to.html","2026-04-12T15:07:41.174608+00:00",[351],{"id":346,"title":336,"url":348},{"id":353,"title":354,"slug":355,"summary":356,"severity":12,"category":13,"cve_ids":357,"affected_products":358,"action_required":361,"article_ids":362,"ioc_summary":22,"source_urls":364,"status":25,"expires_at":366,"created_at":367,"updated_at":368,"articles":369},"9a396c2e-8639-401e-a9f4-7d0da5adeed7","Inside the FBI’s router takedown that cut off APT28’s ‘tremendous access’","inside-the-fbi-s-router-takedown-that-cut-off-apt28-s-tremendous-access-mnszfjr8","APT28 compromised over 18,000 TP-Link routers to inject malicious DNS settings, intercepting traffic from all connected devices for intelligence gathering. Small offices and home networks are affected. This gave attackers persistent, transparent access to sensitive data across entire networks without targeting individual hosts.",[],[359,360],"TP-Link routers","FBI Cyber Division","Inventory all TP-Link routers in your environment immediately. Verify DNS settings are legitimate (check router admin panel). Reset DNS to ISP defaults or trusted public resolvers. 
Monitor network traffic for suspicious DNS queries and out-of-band C2 communication.",[363],"23d34834-ebd9-4785-85c6-506b2b060ec6",[365],"https:\u002F\u002Fcyberscoop.com\u002Ffbi-operation-masquerade-russian-gru-router-takedown-brett-leatherman\u002F","2026-04-12T14:09:20.785+00:00","2026-04-10T14:09:28.853187+00:00","2026-04-12T15:07:38.215069+00:00",[370],{"id":363,"title":354,"url":365},{"id":372,"title":373,"slug":374,"summary":375,"severity":36,"category":13,"cve_ids":376,"affected_products":377,"action_required":381,"article_ids":382,"ioc_summary":22,"source_urls":384,"status":25,"expires_at":366,"created_at":386,"updated_at":368,"articles":387},"08a07394-df1b-443e-aeeb-ff9ac590b763","‼️🇺🇸 Threat actor claims to be selling Cisco source code and database containing 3.15 million S...","threat-actor-claims-to-be-selling-cisco-source-code-and-database-containing-3-15-mnszfhuj","Threat actor UNC6040\u002FShinyHunters claims to possess stolen Cisco source code (IOS, ASA, NX-OS) and 3.15M Salesforce records, seeking $500K for sale. This exposes core network infrastructure code and customer data, enabling attackers to identify zero-days and conduct targeted exploitation against Cisco-dependent environments.",[],[41,378,379,45,380],"Salesforce","Cisco IOS","Cisco NX-OS","Immediately inventory all Cisco IOS, ASA, and NX-OS devices in your environment. Prioritize patching and monitor for suspicious firmware modifications, unauthorized access attempts, and exploitation patterns matching leaked code functionality.",[383],"0aeccab5-40d9-44ea-8670-39316aa01f4e",[385],"https:\u002F\u002Fx.com\u002FDarkWebInformer\u002Fstatus\u002F2042262638231503057","2026-04-10T14:09:26.383096+00:00",[388],{"id":383,"title":373,"url":385},30]