[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fZAU9h8D3Vn-irycyi5Nxmtp-QJGMBz1oTbPubpB7OrI":3},{"roundup":4},{"id":5,"week_label":6,"slug":7,"date_from":8,"date_to":9,"tldr":10,"full_brief":11,"top_iocs":12,"social_linkedin":64,"social_x":65,"article_count":66,"awareness_links":67,"status":128,"published_at":129,"created_at":130,"updated_at":130,"mastodon_posted_at":131,"executive_summary":132,"tagline":132,"cover_image_url":132},"636f9555-a97e-462d-82c9-750f423fd2a6","2026-W15","2026-w15","2026-04-06","2026-04-12","🚨 Mexican government breached at scale using Claude AI and ChatGPT to exfiltrate 195M tax records\n🎯 Adobe patches critical Reader zero-day exploited since November 2025 with APT connections\n⚡ Marimo RCE flaw weaponized within 10 hours of disclosure, showing acceleration of exploit timelines\n🏭 Iranian APTs confirmed inside US critical infrastructure with SCADA manipulation capabilities\n🔒 Chrome 146 deploys device-bound sessions to combat cookie theft attacks\n💰 Major ransomware week with multiple state\u002Flocal governments and healthcare providers hit\n🔧 Supply chain attacks surge: CPUID, Smart Slider 3 Pro, and W3LL phishing kit disrupted","## Vulnerabilities & Exploits\n\n**[Critical Marimo pre-auth RCE flaw now under active exploitation](https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fcritical-marimo-pre-auth-rce-flaw-now-under-active-exploitation\u002F)**. CVE-2026-39987 (CVSS 9.3) exploited within 10 hours of disclosure for credential theft via unauthenticated WebSocket endpoint.\n\n**[Adobe Patches Reader Zero-Day Exploited for Months](https:\u002F\u002Fwww.securityweek.com\u002Fadobe-patches-reader-zero-day-exploited-for-months\u002F)**. 
CVE-2026-34621 (CVSS 9.6) enables arbitrary code execution, actively exploited since November 2025 with Russian APT connections.\n\n**[Chrome 147 Patches 60 Vulnerabilities, Including Two Critical Flaws Worth $86,000](https:\u002F\u002Fwww.securityweek.com\u002Fchrome-147-patches-60-vulnerabilities-including-two-critical-flaws-worth-86000\u002F)**. Two critical heap buffer overflow flaws in WebML component patched with significant bounties.\n\n**[Orthanc DICOM Vulnerabilities Lead to Crashes, RCE](https:\u002F\u002Fwww.securityweek.com\u002Forthanc-dicom-vulnerabilities-lead-to-crashes-rce\u002F)**. Nine flaws in healthcare DICOM server enable DoS, data leaks, and remote code execution.\n\n### Key Takeaway\nPatch critical vulnerabilities immediately as exploitation windows have collapsed to hours, not days.\n\n## APT & Nation-State\n\n**[Nearly 4,000 US industrial devices exposed to Iranian cyberattacks](https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fnearly-4-000-us-industrial-devices-exposed-to-iranian-cyberattacks\u002F)**. Iranian APTs target exposed Rockwell PLCs with SCADA display manipulation causing operational disruptions since March 2026.\n\n**[GraphAlgo Scam: Lazarus Hackers Register Real US LLCs to Spread Malware](https:\u002F\u002Fhackread.com\u002Fgraphalgo-scam-lazarus-hackers-us-llcs-malware\u002F)**. North Korean Lazarus Group registers legitimate Florida LLCs and uses GitHub typosquatting to distribute RATs to developers.\n\n**[Hacker Used Claude Code, GPT-4.1 to Exfiltrate Hundreds of Millions of Mexican Records](https:\u002F\u002Fhackread.com\u002Fhacker-claude-code-gpt-4-1-mexican-records\u002F)**. Single attacker used AI to automate reconnaissance and exfiltrate 195M tax records from nine Mexican agencies.\n\n### Key Takeaway\nNation-state actors are weaponizing AI for reconnaissance and targeting critical infrastructure with increasing sophistication. 
[Learn more](\u002Fawareness\u002Firanian-threat-actor-targets-los-angeles-metro-critical-infrastructure)\n\n## Supply Chain\n\n**[Supply chain attack at CPUID pushes malware with CPU-Z\u002FHWMonitor](https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fsupply-chain-attack-at-cpuid-pushes-malware-with-cpu-z-hwmonitor\u002F)**. API compromise led to trojanized downloads for six hours, affecting widely-used system monitoring tools.\n\n**[Backdoored Smart Slider 3 Pro Update Distributed via Compromised Nextend Servers](https:\u002F\u002Fthehackernews.com\u002F2026\u002F04\u002Fbackdoored-smart-slider-3-pro-update.html)**. WordPress plugin update infrastructure hijacked for six hours, potentially impacting 800K+ installations.\n\n**[FBI Recovers Deleted Signal Messages Through iPhone Notifications](https:\u002F\u002Fhackread.com\u002Ffbi-recover-deleted-signal-messages-iphone-notifications\u002F)**. Push notification cache vulnerability affects all messaging apps, exposes content even after app deletion.\n\n**[GlassWorm Campaign Uses Zig Dropper to Infect Multiple Developer IDEs](https:\u002F\u002Fthehackernews.com\u002F2026\u002F04\u002Fglassworm-campaign-uses-zig-dropper-to.html)**. Fake VS Code extension deploys multi-IDE malware via Solana blockchain C2.\n\n### Key Takeaway\nValidate software downloads from official sources and monitor third-party update infrastructure for signs of compromise. [Learn more](\u002Fawareness\u002Fcpuid-supply-chain-attack-highlights-third-party-software-risks)\n\n## Ransomware & Breaches\n\n**[ShinyHunters Claims Rockstar Games Snowflake Breach via Anodot](https:\u002F\u002Fhackread.com\u002Fshinyhunters-rockstar-games-snowflake-breach-anodot\u002F)**. Major gaming studio breached through supply chain attack via Anodot-Snowflake integration.\n\n**[Android Banking Trojan Linked to Cambodia Scam Compounds Hits 21 Countries](https:\u002F\u002Fhackread.com\u002Fandroid-banking-trojan-cambodia-scam-compounds\u002F)**. 
Forced labor operations in Cambodia power global banking trojan campaign across 21 countries.\n\n**[Over 20,000 crypto fraud victims identified in international crackdown](https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fpolice-identifies-20-000-victims-in-international-crypto-fraud-crackdown\u002F)**. Operation Atlantic identifies 20K+ victims, freezes $12M in international law enforcement action.\n\n### Key Takeaway\nImplement defense in depth for cloud environments and monitor third-party integrations for unauthorized access. [Learn more](\u002Fawareness\u002Fandroid-banking-trojan-linked-to-cambodian-scam-operations-targets-21-countries)\n\n## Regulatory & AI Security\n\n**[Google Rolls Out DBSC in Chrome 146 to Block Session Theft on Windows](https:\u002F\u002Fthehackernews.com\u002F2026\u002F04\u002Fgoogle-rolls-out-dbsc-in-chrome-146-to.html)**. Device Bound Session Credentials prevent cookie theft by binding sessions to hardware TPM.\n\n**[Anthropic's Mythos Will Force a Cybersecurity Reckoning—Just Not the One You Think](https:\u002F\u002Fwww.wired.com\u002Fstory\u002Fanthropics-mythos-will-force-a-cybersecurity-reckoning-just-not-the-one-you-think\u002F)**. Claude Mythos Preview can autonomously discover vulnerabilities and develop exploits.\n\n**[Browser Extensions Are the New AI Consumption Channel That No One Is Talking About](https:\u002F\u002Fthehackernews.com\u002F2026\u002F04\u002Fbrowser-extensions-are-new-ai.html)**. AI extensions pose 60% higher vulnerability rates and bypass traditional security controls.\n\n### Key Takeaway\nEvaluate AI security tools for dual-use risks and implement controls for ungoverned AI consumption channels. 
[Learn more](\u002Fawareness\u002Fai-powered-cyber-attacks-demand-enhanced-defensive-capabilities)\n\n## References\n\n- https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fcritical-marimo-pre-auth-rce-flaw-now-under-active-exploitation\u002F\n- https:\u002F\u002Fwww.securityweek.com\u002Fadobe-patches-reader-zero-day-exploited-for-months\u002F\n- https:\u002F\u002Fhackread.com\u002Fhacker-claude-code-gpt-4-1-mexican-records\u002F\n- https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fnearly-4-000-us-industrial-devices-exposed-to-iranian-cyberattacks\u002F\n- https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fsupply-chain-attack-at-cpuid-pushes-malware-with-cpu-z-hwmonitor\u002F\n- https:\u002F\u002Fthehackernews.com\u002F2026\u002F04\u002Fbackdoored-smart-slider-3-pro-update.html\n- https:\u002F\u002Fhackread.com\u002Ffbi-atlanta-indonesian-police-w3llstore-phishing-market\u002F\n- https:\u002F\u002Fthehackernews.com\u002F2026\u002F04\u002Fgoogle-rolls-out-dbsc-in-chrome-146-to.html",[13,17,21,24,27,30,34,37,41,44,48,51,54,57,60],{"type":14,"value":15,"context":16},"cve","CVE-2026-39987","Unauthenticated RCE in Marimo \u002Fterminal\u002Fws WebSocket endpoint; CVSS 9.3",{"type":18,"value":19,"context":20},"malware","Remote Access Trojan (RAT)","Deployed via fake security update messages for remote system control",{"type":14,"value":22,"context":23},"CVE-2025-55182","React2Shell remote code execution vulnerability exploited in active attacks",{"type":18,"value":25,"context":26},"W3LL phishing kit","Phishing-as-a-service toolkit sold for ~$500 used to create fake login pages and steal credentials",{"type":14,"value":28,"context":29},"CVE-2026-34621","Critical Adobe Reader\u002FAcrobat zero-day, CVSS 9.6, arbitrary code execution, exploited in wild since November 2025",{"type":31,"value":32,"context":33},"hash_sha256","3d91f442ddc055e19e3710482e1605836c799249dacd43d99843257a3affd2d2","Portable HWMonitor 
Installer (v1.63) — trojanized malware sample",{"type":31,"value":35,"context":36},"a27df06c7167eced1ddaeb8adccaa5f60500f52bc7030389eed2a0903cdf8286","Fake CRYPTBASE.dll — malicious Windows library component",{"type":38,"value":39,"context":40},"url","https:\u002F\u002Ft.co\u002FYGp90bQ0ck","Direct link to trojanized HWMonitor sample (Twitter shortened URL)",{"type":18,"value":42,"context":43},"EngageLab EngageSDK (vulnerable versions before 5.2.1)","Third-party Android SDK with intent redirection vulnerability affecting crypto wallets",{"type":45,"value":46,"context":47},"domain","wpjs1.com","Command-and-control (C2) domain used by Smart Slider 3 Pro backdoor to exfiltrate site credentials, configuration, and persistence method details.",{"type":18,"value":49,"context":50},"Smart Slider 3 Pro v3.5.1.35 (backdoored)","Trojaned plugin version distributed via compromised update servers; contains multi-layered remote access toolkit with credential theft and persistence capabilities.",{"type":45,"value":52,"context":53},"bluegraintours[.]com","Malicious domain hosting fake Microsoft 365 sign-in page used in AiTM attacks",{"type":14,"value":55,"context":56},"CVE-2026-5437","Out-of-bounds read in meta-header parser",{"type":45,"value":58,"context":59},"cpuid.com","Compromised domain used to distribute malicious downloads",{"type":61,"value":62,"context":63},"mitre_attack","T1059.001","Command and scripting interpreter (use of legitimate PLC programming software)","This week's threat landscape shows cyber adversaries weaponizing AI and accelerating exploitation timelines:\n\n• Mexican government compromised at scale using Claude AI and ChatGPT to steal 195M records\n• Adobe Reader zero-day exploited for months before patch, linked to Russian APT\n• Marimo RCE flaw weaponized within 10 hours of disclosure\n• Iranian APTs confirmed inside US critical infrastructure with SCADA manipulation\n• Supply chain attacks hit CPUID, Smart Slider 3 Pro affecting millions\n\nFull 
roundup: https:\u002F\u002Fthreatnoir.com\u002Fweekly\u002F2026-w15\n\n#CyberSecurity #ThreatIntelligence #SupplyChain #APT #AI","🚨 This week: Mexican gov breached using AI, Adobe zero-day exploited for months, Marimo RCE weaponized in 10hrs, Iranian APTs in US infrastructure. Supply chain attacks surge.\n\nFull roundup: https:\u002F\u002Fthreatnoir.com\u002Fweekly\u002F2026-w15 #CyberSecurity",80,[68,71,74,77,80,83,86,89,92,95,98,101,104,107,110,113,116,119,122,125],{"slug":69,"title":70},"new-rust-based-valkyrie-malware-framework-emerges-with-advanced-evasion-capabilities","New Rust-Based Valkyrie Malware Framework Emerges with Advanced Evasion Capabilities",{"slug":72,"title":73},"android-banking-trojan-linked-to-cambodian-scam-operations-targets-21-countries","Android Banking Trojan Linked to Cambodian Scam Operations Targets 21 Countries",{"slug":75,"title":76},"iranian-threat-actor-targets-los-angeles-metro-critical-infrastructure","Iranian Threat Actor Targets Los Angeles Metro Critical Infrastructure",{"slug":78,"title":79},"compromised-technology-domain-delivers-targeted-malware","Compromised Technology Domain Delivers Targeted Malware",{"slug":81,"title":82},"chromes-device-bound-sessions-combat-cookie-theft-attacks","Chrome's Device-Bound Sessions Combat Cookie Theft Attacks",{"slug":84,"title":85},"third-party-sdk-vulnerability-exposes-30m-crypto-wallet-users","Third-Party SDK Vulnerability Exposes 30M Crypto Wallet Users",{"slug":87,"title":88},"delayed-ioc-sharing-hampers-community-defense-against-supply-chain-attack","Delayed IOC Sharing Hampers Community Defense Against Supply Chain Attack",{"slug":90,"title":91},"wordpress-plugin-supply-chain-attack-via-compromised-update-infrastructure","WordPress Plugin Supply Chain Attack via Compromised Update Infrastructure",{"slug":93,"title":94},"ai-powered-cyber-attacks-demand-enhanced-defensive-capabilities","AI-Powered Cyber Attacks Demand Enhanced Defensive 
Capabilities",{"slug":96,"title":97},"critical-zero-day-exploited-within-hours-of-disclosure","Critical Zero-Day Exploited Within Hours of Disclosure",{"slug":99,"title":100},"chrome-146-introduces-device-bound-session-protection-against-cookie-theft","Chrome 146 Introduces Device-Bound Session Protection Against Cookie Theft",{"slug":102,"title":103},"payroll-pirates-use-phishing-to-steal-employee-salaries","Payroll Pirates Use Phishing to Steal Employee Salaries",{"slug":105,"title":106},"critical-orthanc-dicom-server-vulnerabilities-enable-rce-attacks","Critical Orthanc DICOM Server Vulnerabilities Enable RCE Attacks",{"slug":108,"title":109},"ai-browser-extensions-create-ungoverned-enterprise-security-blind-spot","AI Browser Extensions Create Ungoverned Enterprise Security Blind Spot",{"slug":111,"title":112},"chrome-browser-patches-critical-buffer-overflow-vulnerabilities","Chrome Browser Patches Critical Buffer Overflow Vulnerabilities",{"slug":114,"title":115},"critical-rce-vulnerability-exploited-within-hours-of-disclosure","Critical RCE Vulnerability Exploited Within Hours of Disclosure",{"slug":117,"title":118},"critical-default-password-flaw-highlights-patch-management-gaps","Critical Default Password Flaw Highlights Patch Management Gaps",{"slug":120,"title":121},"industrial-controllers-exposed-to-nation-state-cyber-operations","Industrial Controllers Exposed to Nation-State Cyber Operations",{"slug":123,"title":124},"cpuid-supply-chain-attack-highlights-third-party-software-risks","CPUID Supply Chain Attack Highlights Third-Party Software Risks",{"slug":126,"title":127},"dual-use-ai-security-tools-present-supply-chain-and-access-control-risks","Dual-Use AI Security Tools Present Supply Chain and Access Control Risks","published","2026-04-19T07:02:17.625+00:00","2026-04-13T00:01:17.779321+00:00","2026-04-19T07:15:03.66+00:00",null]
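The roundup's Supply Chain takeaway ("validate software downloads from official sources") and its `top_iocs` field give a defender two concrete things to sweep for: the SHA-256 hashes of the trojanized HWMonitor installer and fake CRYPTBASE.dll, and the C2/phishing domains wpjs1.com and bluegraintours[.]com. The script below is an added example, not code from the roundup or from any of the vendors it covers. The hashes and domains are copied from the `top_iocs` entries above; the DNS log format, the log lines, and the "downloaded" file contents are constructed for the example. Note that cpuid.com is listed as a compromised domain but is the vendor's legitimate site, so the sweep matches on the file hashes rather than blocking that domain.

```python
"""Offline IOC sweep for the 2026-W15 roundup indicators (added example, not the roundup's own code).

Indicator values below are copied from the roundup's top_iocs field. The DNS
log format, the sample log lines and the scanned file contents are constructed.
"""
from __future__ import annotations

import hashlib
import re
import tempfile
from pathlib import Path
from typing import Iterable

# SHA-256 indicators from the roundup (CPUID supply-chain incident).
KNOWN_BAD_SHA256 = {
    "3d91f442ddc055e19e3710482e1605836c799249dacd43d99843257a3affd2d2":
        "Portable HWMonitor installer v1.63 (trojanized)",
    "a27df06c7167eced1ddaeb8adccaa5f60500f52bc7030389eed2a0903cdf8286":
        "fake CRYPTBASE.dll",
}

# C2 / phishing domains from the roundup. cpuid.com is deliberately absent: it is
# the legitimate vendor domain that was abused, so it is covered by hash matching.
KNOWN_BAD_DOMAINS = {
    "wpjs1.com",             # Smart Slider 3 Pro backdoor C2
    "bluegraintours[.]com",  # AiTM fake Microsoft 365 page, defanged as listed
}


def refang(domain: str) -> str:
    """Turn a defanged indicator like 'evil[.]com' into 'evil.com', lower-cased."""
    return domain.replace("[.]", ".").replace("(.)", ".").strip().lower().rstrip(".")


BAD_DOMAINS = {refang(d) for d in KNOWN_BAD_DOMAINS}


def domain_matches(qname: str, bad: Iterable[str] = BAD_DOMAINS) -> str | None:
    """Return the indicator if qname is a bad domain or a subdomain of one, else None.

    A suffix test on "." + d avoids the classic false positive where
    'notwpjs1.com' would match 'wpjs1.com'.
    """
    q = refang(qname)
    for d in bad:
        if q == d or q.endswith("." + d):
            return d
    return None


# Constructed log format for this example: "<ts> <client_ip> <qname> <qtype>".
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")


def scan_dns_log(lines: Iterable[str]) -> list[tuple[str, str, str]]:
    """Return (timestamp, client, matched_domain) for every query to a bad domain."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the sweep
        d = domain_matches(m["qname"])
        if d:
            hits.append((m["ts"], m["client"], d))
    return hits


def sha256_file(path: Path) -> str:
    """Stream-hash a file so large installers do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_files(root: Path, watchlist: dict[str, str] = KNOWN_BAD_SHA256) -> list[tuple[Path, str]]:
    """Hash every regular file under root and return (path, label) for watchlist hits."""
    hits = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            label = watchlist.get(sha256_file(p))
            if label:
                hits.append((p, label))
    return hits


SAMPLE_DNS_LOG = [  # constructed sample, not real telemetry
    "2026-04-08T10:01:02Z 10.0.0.12 www.cpuid.com A",
    "2026-04-08T10:01:09Z 10.0.0.31 update.wpjs1.com A",
    "2026-04-08T10:02:44Z 10.0.0.17 bluegraintours.com A",
    "2026-04-08T10:03:00Z 10.0.0.17 notwpjs1.com A",
    "garbage line",
]


def run_demo() -> tuple[list[str], list[tuple[str, str, str]]]:
    """Sweep a temp directory and the sample log; returns (file hit labels, DNS hits).

    The real malicious files cannot be reproduced here, so a constructed file's
    own hash is added to a copy of the watchlist to show what a hit looks like.
    """
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        planted = root / "HWMonitor_portable.zip"
        planted.write_bytes(b"constructed sample bytes, not the real installer")
        (root / "clean.txt").write_bytes(b"nothing to see")
        watch = dict(KNOWN_BAD_SHA256)
        watch[sha256_file(planted)] = "constructed test entry"
        file_hits = [label for _, label in scan_files(root, watch)]
    return file_hits, scan_dns_log(SAMPLE_DNS_LOG)


if __name__ == "__main__":
    files, dns = run_demo()
    for label in files:
        print(f"FILE HIT: {label}")
    for ts, client, dom in dns:
        print(f"DNS HIT: {ts} {client} -> {dom}")
```

In practice you would point `scan_files` at your software-distribution share or endpoint download directories and feed `scan_dns_log` from the resolver or Zeek export after adapting `LOG_LINE` to that product's format; the indicator sets are plain dicts and sets so they can be extended as the roundup's `top_iocs` list grows.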