The Hacker News
⭐ Official THN Telegram Channel — A trusted, widely read, independent source for breaking news and tech coverage about cybersecurity and hacking.

📨 Contact: admin@thehackernews.com

🌐 Website: https://thehackernews.com
🛑 Flowise has a CVSS 10.0 RCE flaw (CVE-2025-59528) now under active attack.

A bug in MCP config lets attackers run JavaScript with full system access using just an API token. Over 12,000 exposed instances raise risk.

🔗 Exploitation details → https://thehackernews.com/2026/04/flowise-ai-agent-builder-under-active.html
⚠️ WARNING: China-linked Storm-1175 is breaching networks and deploying ransomware in under 72 hours.

It chains zero-day and known flaws, then uses trusted tools to move, steal data, and evade detection across healthcare, finance, and more.

🔗 Read → https://thehackernews.com/2026/04/china-linked-storm-1175-exploits-zero.html
πŸ‘6⚑3πŸ”₯3😱2
⚡ New research shows GPUs can be used to take over a system.

GPUBreach attack enables root access by flipping bits in GPU memory, corrupting page tables, and chaining into CPU exploits—even with IOMMU enabled.

🔗 Read details → https://thehackernews.com/2026/04/new-gpubreach-attack-enables-full-cpu.html
Ilan Nacmias at Sygnia shares a case where AI security tools worked, but no decisions were made.

Risks were clear, but teams disagreed and leaders saw things as under control. Progress came only after linking risk to business impact.

🔗 Why AI didn’t fix execution in cybersecurity → https://thehackernews.com/expert-insights/2026/04/ai-will-change-cybersecurity-humans.html
Credential security isn’t just about breaches.

Daily issues add up: 30% of helpdesk tickets are password resets (~$70 each), while exposed credentials often go unnoticed.

Forced resets increase weak passwords without reducing risk.

🔗 Why credential issues cost more than breaches → https://thehackernews.com/2026/04/the-hidden-cost-of-recurring-credential.html
πŸ‘4πŸ”₯3πŸ€”1
Most attacks don’t start with exploits anymore. They start with access.

Across thousands of real-world incidents analyzed in the 2026 Annual Threat Report, one pattern is clear:

Attackers aren’t breaking in.
They’re logging in.

Here’s what we’re seeing:
↳ Legitimate credentials are the #1 entry point
↳ Remote access tools are being used against you
↳ Traditional detection is missing what looks “normal”

This isn’t theory. This is what actually worked for attackers in 2025.

If your security strategy is still built around stopping malware, you’re already behind.

Download the Blackpoint Cyber 2026 Annual Threat Report and see how modern attacks are actually unfolding.

Download the report: https://thn.news/blackpoint-threat-2026
πŸ‘7πŸ”₯2πŸ‘1
⚠️ Attackers are hijacking exposed ComfyUI servers into crypto mining and proxy botnets.

Scanners exploit unauthenticated setups via custom nodes, run code, and install persistent malware. Infected systems mine crypto and resist removal.

🔗 Read → https://thehackernews.com/2026/04/over-1000-exposed-comfyui-instances.html
πŸ‘5πŸ”₯4
🛑 Docker fixed a flaw letting attackers bypass AuthZ plugins with a padded API request (>1MB).

The plugin sees no body and allows it, while Docker executes it—creating a privileged container with host access and exposed credentials.

🔗 Learn how this leads to full host compromise → https://thehackernews.com/2026/04/docker-cve-2026-34040-lets-attackers.html
--- ⚠️ WEBINAR ALERT ---

The biggest identity risk in 2026 isn’t inside your IAM. It’s everything outside it.

Hundreds of unmanaged apps are now being accessed by AI agents, expanding risk beyond what your team can see or control.

🔗 Join the WEBINAR for data and practical steps to close the gaps → https://thehackernews.com/2026/04/webinar-how-to-close-identity-gaps-in.html
πŸ‘9πŸ”₯3
🚨 WARNING - APT28 ran a global router hijack to steal credentials.

The group compromised MikroTik and TP-Link devices, rewrote DNS settings, and redirected traffic for credential theft at scale -- impacting 18,000+ IPs across 120 countries, including government and cloud targets.

🔗 Read here → https://thehackernews.com/2026/04/russian-state-linked-apt28-exploits.html
⚠️ Iran-linked hackers are targeting U.S. critical infrastructure with direct PLC disruption.

They access internet-exposed devices using legitimate tools, then alter system data and operations, disrupting water, energy, and government services and causing financial loss.

🔗 Read → https://thehackernews.com/2026/04/iran-linked-hackers-disrupt-us-critical.html
🛑 North Korea-linked hackers spread #malware across five open-source ecosystems.

1,700+ packages on npm, PyPI, Go, Rust, and PHP posed as dev tools but loaded infostealer and RAT malware, hidden inside normal functions, not at install time.

🔗 Read → https://thehackernews.com/2026/04/n-korean-hackers-spread-1700-malicious.html
πŸ‘12πŸ”₯7🀯6πŸ€”3
🔥 Anthropic’s new Claude Mythos model has found thousands of high-severity zero-days across major OS, browsers, and software — showing capabilities that can surpass top human experts.

Project Glasswing deploys it to secure critical systems ahead of potential misuse.

🔗 Details → https://thehackernews.com/2026/04/anthropics-claude-mythos-finds.html
🚨 Nearly half of identity activity is invisible.

46% sits outside IAM, across shadow apps, local accounts, and machine identities. This “identity dark matter” is where real risk lives.

IVIP brings full, real-time visibility across systems.

🔗 Learn why IAM alone is no longer enough → https://thehackernews.com/2026/04/shrinking-iam-attack-surface-through.html
πŸ‘5πŸ”₯4πŸ€”3
⚠️ APT28 is targeting Ukraine and allied supply chains using a confirmed zero-day (CVE-2026-21513) and PRISMEX malware.

It also exploits CVE-2026-21509, with LNK delivery possibly chaining both flaws to enable theft and file-wiping.

🔗 Read here → https://thehackernews.com/2026/04/apt28-deploys-prismex-malware-in.html
πŸ‘8🀯4πŸ”₯3
Most DDoS failures aren’t caused by bad protection tools.

They’re caused by hidden gaps in configuration, architecture, and readiness—often discovered too late.

Here are 5 gaps consistently uncovered in DDoS test simulations: https://thn.news/ddos-testing-reveals
πŸ‘11πŸ”₯4πŸ‘3
🚨 Masjesu, a DDoS botnet active since 2023, is spreading across IoT devices.

Built for stealth and persistence, it avoids high-risk targets while exploiting routers and cameras to grow its network and launch attacks.

🔗 Details here → https://thehackernews.com/2026/04/masjesu-botnet-emerges-as-ddos-for-hire.html
⚠️ ALERT - New Chaos malware variant now targets misconfigured cloud setups, expanding beyond routers.

New variant exploits exposed services, installs a payload & adds proxy features to route attacker traffic, making activity harder to trace.

🔗 Read → https://thehackernews.com/2026/04/new-chaos-variant-targets-misconfigured.html
πŸ‘10πŸ”₯7😱5πŸ‘2πŸ€”1
⚠️ WARNING - A hack-for-hire campaign linked to the “Bitter” cluster targeted journalists across MENA.

One Apple account was fully compromised, giving attackers persistent access. Others were hit with phishing using fake logins and Google OAuth abuse.

🔗 Tactics, targets, and spyware links → https://thehackernews.com/2026/04/bitter-linked-hack-for-hire-campaign.html
⚠️ Attackers are exploiting a 0-day in Adobe Reader via malicious PDFs.

Opening the file runs hidden JavaScript to steal data and stage further exploits, including possible RCE. It works on the latest version & has been active since Dec 2025.

🔗 Read → https://thehackernews.com/2026/04/adobe-reader-zero-day-exploited-via.html
Another Thursday, another avalanche.

🦠 Hybrid botnet, 125K/day
🔓 13-yr Apache RCE, still live
💸 $17.7B lost to fraud in 2025
🌊 8M DDoS hits, H2 2025
📸 Meta insider, 30K stolen photos
🎭 BPOs hijacked, enterprises breached
🛒 SVG skimmer, 99 Magento stores
🙂 Emojis beating security filters
🐀 ClickFix → Node.js RAT, in-memory
🍎 ClickFix → macOS via AppleScript
🤖 PyPI package stealing AI prompts
🏭 5K+ Rockwell PLCs, wide open
💀 Claude Code leak → stealer wave
👾 Remus = Lumma's 64-bit ghost
⚖️ Anthropic's risk label stands
📋 Fake Proxifier → clipboard clipper
📧 GitHub & Jira flipped for phishing
🔑 Linux SMB3 leaks AES keys
🧠 CLAUDE.md → prompt injection
👻 GrafanaGhost, silent data exfil
💳 LSPosed = Android payment fraud

🔗 Read more → https://thehackernews.com/2026/04/threatsday-bulletin-hybrid-p2p-botnet.html
πŸ‘5⚑3