30% of breaches now involve third parties like vendors and SaaS.

The perimeter has shifted outward, and regulations now require continuous oversight. Cynomi shows TPRM is now a core security function, not just compliance.

🔗 Why TPRM is becoming central to security → https://thehackernews.com/2026/04/why-third-party-risk-is-biggest-gap-in.html

SparkCat malware has reappeared on Apple and Google app stores, hiding inside everyday apps.

It scans photos for crypto recovery phrases and sends them to attackers, using OCR to extract sensitive data from images.

🔗 Read → https://thehackernews.com/2026/04/new-sparkcat-variant-in-ios-android.html

🛑 Attackers are using HTTP cookies to control PHP web shells on Linux servers.

Malware stays inactive and runs only when specific cookie values are sent, blending into normal traffic. Cron jobs can also recreate it for persistence.

🔗 How cookie-triggered web shells evade detection → https://thehackernews.com/2026/04/microsoft-details-cookie-controlled-php.html

🛑 China-linked TA416 is again targeting European governments, using OAuth redirect abuse and cloud-hosted malware to deliver PlugX.

Activity expanded to the Middle East in 2026, tied to conflict-driven intelligence gathering.

🔗 Read → https://thehackernews.com/2026/04/china-linked-ta416-targets-european.html

⚠️ Fortinet is warning of active exploitation of CVE-2026-35616 (CVSS 9.1) in FortiClient EMS.

The flaw lets unauthenticated attackers bypass API controls and run code. This is the second critical EMS flaw exploited in weeks.

🔗 Full details → https://thehackernews.com/2026/04/fortinet-patches-actively-exploited-cve.html

🛑 36 npm packages posing as Strapi plugins were used to deliver malware that runs on install.

They exploited Redis and PostgreSQL, stole credentials, and deployed backdoors via postinstall scripts with full user or CI/CD access.

🔗 Details → https://thehackernews.com/2026/04/36-malicious-npm-packages-exploited.html

🚨 North Korea-linked hackers spent 6 months building trust before stealing $285M from Drift.

They posed as a trading firm, met contributors in person, deposited $1M+, then used malicious code and a fake wallet app to gain access.

🔗 How social engineering enabled the Drift crypto theft → https://thehackernews.com/2026/04/285-million-drift-hack-traced-to-six.html

🔥 Germany’s BKA has identified a key figure behind the REvil #ransomware group.

Daniil Shchukin (“UNKN”) is accused of leading REvil, linked to 130 attacks in Germany causing over €35.4M in damage, with €1.9M in ransom paid.

🔗 Learn more here → https://thehackernews.com/2026/04/bka-identifies-revil-leaders-behind-130.html

🛑 Qilin and Warlock #ransomware are disabling defenses before attacks using BYOVD techniques.

Qilin uses a side-loaded DLL to kill 300+ EDR drivers via vulnerable kernel drivers. Warlock exploits SharePoint and uses similar drivers to bypass kernel-level security, often delaying ransomware execution.

🔗 Find the technique disabling EDR tools → https://thehackernews.com/2026/04/qilin-and-warlock-ransomware-use.html

AI isn’t making attacks smarter, says Martin Zugec, Technical Solutions Director at Bitdefender. It’s making them cheaper and easier to scale.

Current AI malware is often unreliable and less advanced, but it can hit thousands of standardized systems fast.

🔗 Why scale matters more than sophistication in AI threats → https://thehackernews.com/expert-insights/2026/04/why-ai-does-not-need-to-be-innovative.html

Everything hit at once this week ...

📦 Supply-chain: Axios hack
🌐 Exploits: Chrome 0-day, TrueConf, Fortinet
🍎 Patches: Apple DarkSword fixes
🧩 Malware: ClickFix, DeepLoad, Mirax, Venom
🤖 Leak: Claude code exposure
🎯 Phishing: device code surge, banking scams
🕵️ Privacy: LinkedIn tracking claims
🛰️ Spyware: Paragon use confirmed
🌍 Infra: residential proxy abuse
💰 Targeting: crypto org attacks
📱 Policy: India SIM-binding
🔁 APT: access regain attempts
💣 Insider: extortion case
❤️ Data: OkCupid settlement
🧠 Trend: stealer surge, malicious extensions

Read the full recap → https://thehackernews.com/2026/04/weekly-recap-axios-hack-chrome-0-day.html

⚠️ A compromised AI library exposed developer machines.

1,705 packages pulled infected LiteLLM versions, harvesting SSH keys and cloud creds from local systems via dependencies.

It worked because secrets sit in plaintext across files and tools.

🔗 How one dependency exposed thousands of environments → https://thehackernews.com/2026/04/how-litellm-turned-developer-machines.html

Automated pentesting evaluates environments through chained attack paths. If step A fails, steps B through Z never execute.

One blocked step near the top = cascading blind spot across every downstream technique.

Picus Security mapped these two other structural gaps in a new whitepaper.

Download now → https://thn.news/automated-blind-spots

🚨 Attackers now move across Windows, macOS, Linux, and mobile in one campaign.

Multi-OS attacks break SOC workflows, splitting one threat into many investigations and slowing validation.

That delay gives attackers time to spread and persist.

🔗 Why fragmented triage increases risk → https://thehackernews.com/2026/04/multi-os-cyberattacks-how-socs-close.html

🚨 DPRK-linked attackers used GitHub as C2 in phishing-led attacks on South Korean orgs.

LNK files trigger hidden PowerShell, set persistence, and exfiltrate system data to attacker repos while pulling new payloads.

🔗 Read → https://thehackernews.com/2026/04/dprk-linked-hackers-use-github-as-c2-in.html

⚠️ Iran-linked actors targeted Microsoft 365 accounts in 3 attack waves in March 2026, hitting 300+ orgs in Israel and 25+ in the UAE.

They used password spraying via Tor/VPNs to access mailboxes.

At the same time, Pay2Key ransomware resurfaced with stronger evasion and log wiping.

🔗 Read → https://thehackernews.com/2026/04/iran-linked-password-spraying-campaign.html

🛑 Flowise has a CVSS 10.0 RCE flaw (CVE-2025-59528) now under active attack.

A bug in MCP config lets attackers run JavaScript with full system access using just an API token. Over 12,000 exposed instances raise risk.

🔗 Exploitation details → https://thehackernews.com/2026/04/flowise-ai-agent-builder-under-active.html

⚠️ WARNING: China-linked Storm-1175 is breaching networks and deploying ransomware in under 72 hours.

It chains zero-day and known flaws, then uses trusted tools to move, steal data, and evade detection across healthcare, finance, and more.

🔗 Read → https://thehackernews.com/2026/04/china-linked-storm-1175-exploits-zero.html

⚡ New research shows GPUs can be used to take over a system.

GPUBreach attack enables root access by flipping bits in GPU memory, corrupting page tables, and chaining into CPU exploits—even with IOMMU enabled.

🔗 Read details → https://thehackernews.com/2026/04/new-gpubreach-attack-enables-full-cpu.html

Ilan Nacmias at Sygnia shares a case where AI security tools worked, but no decisions were made.

Risks were clear, but teams disagreed and leaders saw things as under control. Progress came only after linking risk to business impact.

🔗 Why AI didn’t fix execution in cybersecurity → https://thehackernews.com/expert-insights/2026/04/ai-will-change-cybersecurity-humans.html

Credential security isn’t just about breaches.

Daily issues add up: 30% of helpdesk tickets are password resets (~$70 each), while exposed credentials often go unnoticed.

Forced resets increase weak passwords without reducing risk.

🔗 Why credential issues cost more than breaches → https://thehackernews.com/2026/04/the-hidden-cost-of-recurring-credential.html