🛑 Supply chain attacks are stacking across npm, PyPI, and GitHub.

CanisterSprawl worm steals npm tokens via postinstall scripts, republishes infected packages, and spreads across ecosystems.

Other campaigns add backdoored packages, LLM proxy abuse, and GitHub Actions exploits.

🔗 Read → https://thehackernews.com/2026/04/self-propagating-supply-chain-worm.html

⚠️ WARNING: Checkmarx KICS Docker repo breached—malicious images replaced trusted tags.

The modified images could encrypt and exfiltrate scan data, risking exposure of credentials in IaC files. Related VS Code extensions also ran unverified remote code.

🔗 Details → https://thehackernews.com/2026/04/malicious-kics-docker-images-and-vs.html

⚡ Apple fixed an iOS bug where deleted notifications stayed stored on devices.

The flaw let message data persist after apps like Signal were removed. It surfaced after forensic extraction. The patch now clears and prevents retention.

🔗 Details → https://thehackernews.com/2026/04/apple-patches-ios-flaw-that-stored.html

🔥 Vercel found more compromised accounts, some predating the breach.

Attackers used malware → Google Workspace → Vercel access, then mapped systems and decrypted environment variables. OAuth trust enabled lateral movement.

🔗 Details here → https://thehackernews.com/2026/04/vercel-finds-more-compromised-accounts.html

⚠️ A China-aligned APT, GopherWhisper, targeted Mongolian government systems.

It uses Slack, Discord, Outlook, and file-io for control and data theft, deploying Go-based backdoors across at least 12 confirmed systems.

🔗 Details → https://thehackernews.com/2026/04/china-linked-gopherwhisper-infects-12.html

Anthropic delayed its new AI after it proved too effective at finding and exploiting bugs.

It uncovered decades-old flaws and built working exploits—but under 1% were patched. The bottleneck is no longer discovery. It’s fixing at speed.

🔗 Learn how AI is overwhelming vulnerability patching → https://thehackernews.com/2026/04/project-glasswing-proved-ai-can-find.html

Move from AI ethics to AI execution. Here’s how to secure your AI deployment. Join Uncharted on May 5 for a technical deep dive.

Register here: https://thn.news/ai-summit-x

🔥 Internet’s on fire again...

💸 $290 million DeFi hack
⚠️ Live RCE exploits
📦 Rogue npm packages
🤖 AI prompt attacks
🕵️ App data grab
🔑 Passkey push
🧠 Backdoor claims
💀 Ransomware feud
🧩 Cryptor kits
📩 Blank phishing
⚙️ Binary hijack
🐀 RAT bundle
🍏 macOS abuse
📡 SIM farms
🇪🇺 EU sanctions
🪤 Bot farm bust
🎭 StealTok extensions
🌐 Joomla backdoor
🛒 Leak Bazaar
🌍 RDP scan spike
🧨 Perforce leak

🔗 Catch the full ThreatsDay Bulletin for this week → https://thehackernews.com/2026/04/threatsday-bulletin-290m-defi-hack.html

🛑 WARNING: Bitwarden CLI was compromised in a supply chain attack.

@bitwarden/cli@2026.4.0 included malicious code after attackers hijacked GitHub Actions, stole secrets, and pushed a tampered version to npm.

🔗 Learn how the attack worked → https://thehackernews.com/2026/04/bitwarden-cli-compromised-in-ongoing.html

The math doesn't add up anymore.
AI finds vulnerabilities in ⚡ milliseconds.
Manual patching takes ⏳ weeks.

Learn how to beat the bots at their own game.

🎙️ Featuring: Ofer Gayer (VP Product, Miggo Security)
📍 Webinar: Rethinking Prioritization

Secure your spot → https://thehackernews.com/2026/04/webinar-mythos-reality-check-beating.html

⚠️ Hackers are breaching companies through Microsoft Teams, posing as IT helpdesk staff.

They flood inboxes, then send a Teams message with a “fix” link. One click installs malware, steals credentials, and gives full remote access.

🔗 Learn more → https://thehackernews.com/2026/04/unc6692-impersonates-it-helpdesk-via.html

⚠️ LMDeploy flaw exploited within 12.5 hours of disclosure.

The SSRF bug let attackers hit AWS metadata, Redis, and internal services via the image loader to scan networks and access data.

WordPress plugin bugs are also being used for full site takeovers.

🔗 Read → https://thehackernews.com/2026/04/lmdeploy-cve-2026-33626-flaw-exploited.html

macOS attacks are now hiding in system features.

Payloads stored in Spotlight metadata let attackers run code without suspicious files, using native scripting and protocols to move and persist outside standard monitoring.

🔗 Learn how macOS built-ins are being weaponized → https://thehackernews.com/2026/04/threatsday-bulletin-290m-defi-hack.html#macos-stealth-execution-abuse

🛑 A fake PDF reader is being used to quietly take over systems.

Tropic Trooper spreads a trojanized app that runs AdaptixC2 via GitHub-based control, then uses Microsoft Visual Studio Code tunnels for access on high-value targets.

🔗 Read → https://thehackernews.com/2026/04/tropic-trooper-uses-trojanized.html

🛑 26 fake wallet apps on Apple’s App Store stole recovery phrases and private keys.

They mimicked MetaMask and Coinbase, worked via China-region accounts, and used phishing, OCR, or injected code to capture seed phrases.

🔗 Read → https://thehackernews.com/2026/04/26-fakewallet-apps-found-on-apple-app.html

AI agents don’t create risk. They expose it.

The real problem is delegated authority. Most orgs still don’t see or control who is granting that power. If the source is broken, agents will scale the risk fast.

🔗 Learn why AI security starts with fixing delegation → https://thehackernews.com/2026/04/bridging-ai-agent-authority-gap.html

⚡ NASA staff unknowingly shared defense tech with China.

A fake U.S. researcher spent years tricking agencies and universities into sending sensitive aerospace software used in weapons development.

🔗 Learn what investigators found in the case → https://thehackernews.com/2026/04/nasa-employees-duped-in-chinese.html

🔥 A U.S. federal agency was hacked via Cisco firewall.

Attackers used ASA flaws to install FIRESTARTER, a backdoor that stays even after patches and normal reboots.

Fix requires full reimage or hard power cycle, not just updating software.

🔗 Read → https://thehackernews.com/2026/04/firestarter-backdoor-hit-federal-cisco.html

🚨 Four actively exploited flaws flagged.

CISA warns SimpleHelp, Samsung, and D-Link bugs are already used for ransomware and botnets, including admin takeovers and remote command execution.

🔗 See what to patch or replace → https://thehackernews.com/2026/04/cisa-adds-4-exploited-flaws-to-kev-sets.html

⚠️ This cyberweapon existed before Stuxnet in 2005

Called "fast16," it sabotaged systems by quietly altering engineering calculations instead of destroying code.

🔗 Full report and findings → https://thehackernews.com/2026/04/researchers-uncover-pre-stuxnet-fast16.html