⚡ AI is speeding up code—and risk.

145% more vulnerabilities and 3x more fixes in one quarter, as Python (72.1%) and PostgreSQL (+73%) surge with AI.

96% of risk sits outside core tools.

🔗 Where most security exposure actually lives → https://thehackernews.com/2026/04/the-state-of-trusted-open-source-report.html

🚨 From zero-days to mass infections — this week has it all...

⚠️ ShareFile pre-auth RCE
📱 Android rootkit at scale
🖼️ ImageMagick 0-days → RCE
🕵️ XLoader stealth upgrades
🎣 Mobile phishing surge
📦 Supply chain attacks ×14

📖 Read the full ThreatsDay Bulletin → https://thehackernews.com/2026/04/threatsday-bulletin-pre-auth-chains.html

⚠️ A cybercrime campaign since 2023 spreads malware via fake installers.

REF1695 delivers RATs, crypto miners, and CNB Bot via ISO files, tricks users to bypass Windows protections, and uses GitHub to host payloads.

🔗 Key tactics, payloads, and earnings → https://thehackernews.com/2026/04/researchers-uncover-mining-operation.html

🚨 Cisco fixed two critical flaws that allow full system takeover without login.

CVSS 9.8 vulnerabilities let attackers reset admin passwords (IMC) or run commands as root (SSM On-Prem) using crafted requests.

No workaround is available. Patching is required.

🔗 Read → https://thehackernews.com/2026/04/cisco-patches-98-cvss-imc-and-ssm-flaws.html

⚠️ ALERT - A threat group exploited a Next.js flaw to compromise 766+ hosts and steal cloud credentials at scale.

Using automated scripts, attackers extracted AWS secrets, SSH keys, and API tokens, all managed through a central dashboard for reuse.

🔗 Read → https://thehackernews.com/2026/04/hackers-exploit-cve-2025-55182-to.html

Drift Protocol lost $285M after attackers took over governance, not by breaking code but by abusing approvals.

They used pre-signed transactions, social engineering, and a zero-timelock change to gain admin control, add a fake asset, and remove limits to drain funds.

🔗 How governance and multisig failures enabled the exploit → https://thehackernews.com/2026/04/drift-loses-285-million-in-durable.html

⚠️ WARNING - Attackers are weaponizing the Claude Code leak.

Fake GitHub repos now deploy Vidar Stealer and GhostSocks, using trojanized builds that look legitimate.

🔗 Read → https://thehackernews.com/2026/04/claude-code-tleaked-via-npm-packaging.html#fake-claude-code-repos-deploy-vidar-stealer-and-ghostsocks

⚡ It turns out Axios npm was compromised via a targeted UNC1069 social engineering attack.

Attackers used a fake Slack + Teams setup to install malware, steal npm credentials, and publish trojanized versions (1.14.1, 0.30.4).

🔗 Details here → https://thehackernews.com/2026/04/unc1069-social-engineering-of-axios.html

Apple is testing a safeguard against copy-paste attacks.

macOS 26.4 adds Terminal paste warnings, targeting scams that trick users into running malicious commands. Users can still override.

ClickFix-style attacks are now widely used.
🔗 Reads → https://thehackernews.com/2026/03/weekly-recap-telecom-sleeper-cells-llm.html#:~:text=Apple%20Tests%20Ways%20to%20Block%20Malicious%20Copy%2DPastes%20in%20macOS

30% of breaches now involve third parties like vendors and SaaS.

The perimeter has shifted outward, and regulations now require continuous oversight. Cynomi shows TPRM is now a core security function, not just compliance.

🔗 Why TPRM is becoming central to security → https://thehackernews.com/2026/04/why-third-party-risk-is-biggest-gap-in.html

SparkCat malware has reappeared on Apple and Google app stores, hiding inside everyday apps.

It scans photos for crypto recovery phrases and sends them to attackers, using OCR to extract sensitive data from images.

🔗 Read → https://thehackernews.com/2026/04/new-sparkcat-variant-in-ios-android.html

🛑 Attackers are using HTTP cookies to control PHP web shells on Linux servers.

Malware stays inactive and runs only when specific cookie values are sent, blending into normal traffic. Cron jobs can also recreate it for persistence.

🔗 How cookie-triggered web shells evade detection → https://thehackernews.com/2026/04/microsoft-details-cookie-controlled-php.html

🛑 China-linked TA416 is again targeting European governments, using OAuth redirect abuse and cloud-hosted malware to deliver PlugX.

Activity expanded to the Middle East in 2026, tied to conflict-driven intelligence gathering.

🔗 Read → https://thehackernews.com/2026/04/china-linked-ta416-targets-european.html

⚠️ Fortinet is warning of active exploitation of CVE-2026-35616 (CVSS 9.1) in FortiClient EMS.

The flaw lets unauthenticated attackers bypass API controls and run code. This is the second critical EMS flaw exploited in weeks.

🔗 Full details → https://thehackernews.com/2026/04/fortinet-patches-actively-exploited-cve.html

🛑 36 npm packages posing as Strapi plugins were used to deliver malware that runs on install.

They exploited Redis and PostgreSQL, stole credentials, and deployed backdoors via postinstall scripts with full user or CI/CD access.

🔗 Details → https://thehackernews.com/2026/04/36-malicious-npm-packages-exploited.html

🚨 North Korea-linked hackers spent 6 months building trust before stealing $285M from Drift.

They posed as a trading firm, met contributors in person, deposited $1M+, then used malicious code and a fake wallet app to gain access.

🔗 How social engineering enabled the Drift crypto theft → https://thehackernews.com/2026/04/285-million-drift-hack-traced-to-six.html

🔥 Germany’s BKA has identified a key figure behind the REvil #ransomware group.

Daniil Shchukin (“UNKN”) is accused of leading REvil, linked to 130 attacks in Germany causing over €35.4M in damage, with €1.9M in ransom paid.

🔗 Learn more here → https://thehackernews.com/2026/04/bka-identifies-revil-leaders-behind-130.html

🛑 Qilin and Warlock #ransomware are disabling defenses before attacks using BYOVD techniques.

Qilin uses a side-loaded DLL to kill 300+ EDR drivers via vulnerable kernel drivers. Warlock exploits SharePoint and uses similar drivers to bypass kernel-level security, often delaying ransomware execution.

🔗 Find the technique disabling EDR tools → https://thehackernews.com/2026/04/qilin-and-warlock-ransomware-use.html

AI isn’t making attacks smarter, says Martin Zugec, Technical Solutions Director at Bitdefender. It’s making them cheaper and easier to scale.

Current AI malware is often unreliable and less advanced, but it can hit thousands of standardized systems fast.

🔗 Why scale matters more than sophistication in AI threats → https://thehackernews.com/expert-insights/2026/04/why-ai-does-not-need-to-be-innovative.html

Everything hit at once this week ...

📦 Supply-chain: Axios hack
🌐 Exploits: Chrome 0-day, TrueConf, Fortinet
🍎 Patches: Apple DarkSword fixes
🧩 Malware: ClickFix, DeepLoad, Mirax, Venom
🤖 Leak: Claude code exposure
🎯 Phishing: device code surge, banking scams
🕵️ Privacy: LinkedIn tracking claims
🛰️ Spyware: Paragon use confirmed
🌍 Infra: residential proxy abuse
💰 Targeting: crypto org attacks
📱 Policy: India SIM-binding
🔁 APT: access regain attempts
💣 Insider: extortion case
❤️ Data: OkCupid settlement
🧠 Trend: stealer surge, malicious extensions

Read the full recap → https://thehackernews.com/2026/04/weekly-recap-axios-hack-chrome-0-day.html

⚠️ A compromised AI library exposed developer machines.

1,705 packages pulled infected LiteLLM versions, harvesting SSH keys and cloud creds from local systems via dependencies.

It worked because secrets sit in plaintext across files and tools.

🔗 How one dependency exposed thousands of environments → https://thehackernews.com/2026/04/how-litellm-turned-developer-machines.html