The Hacker News
⭐ Official THN Telegram Channel - A trusted, widely read, independent source for breaking news and tech coverage about cybersecurity and hacking.

📨 Contact: admin@thehackernews.com

🌐 Website: https://thehackernews.com
⚠️ Iran-linked hackers are targeting U.S. critical infrastructure with direct PLC disruption.

They access internet-exposed devices using legitimate tools, then alter system data and operations, disrupting water, energy, and government services and causing financial loss.

🔗 Read → https://thehackernews.com/2026/04/iran-linked-hackers-disrupt-us-critical.html
North Korea-linked hackers spread #malware across five open-source ecosystems.

1,700+ packages on npm, PyPI, Go, Rust, and PHP posed as dev tools but loaded infostealer and RAT malware, hidden inside normal functions rather than at install time.

🔗 Read → https://thehackernews.com/2026/04/n-korean-hackers-spread-1700-malicious.html
🔥 Anthropic’s new Claude Mythos model has found thousands of high-severity zero-days across major OS, browsers, and software - showing capabilities that can surpass top human experts.

Project Glasswing deploys it to secure critical systems ahead of potential misuse.

🔗 Details → https://thehackernews.com/2026/04/anthropics-claude-mythos-finds.html
🚨 Nearly half of identity activity is invisible.

46% sits outside IAM, across shadow apps, local accounts, and machine identities. This “identity dark matter” is where real risk lives.

IVIP brings full, real-time visibility across systems.

🔗 Learn why IAM alone is no longer enough → https://thehackernews.com/2026/04/shrinking-iam-attack-surface-through.html
⚠️ APT28 is targeting Ukraine and allied supply chains using a confirmed zero-day (CVE-2026-21513) and PRISMEX malware.

It also exploits CVE-2026-21509, with LNK delivery possibly chaining both flaws to enable theft and file-wiping.

🔗 Read here → https://thehackernews.com/2026/04/apt28-deploys-prismex-malware-in.html
Most DDoS failures aren’t caused by bad protection tools.

They’re caused by hidden gaps in configuration, architecture, and readiness - often discovered too late.

Here are 5 gaps consistently uncovered in DDoS test simulations: https://thn.news/ddos-testing-reveals
🚨 Masjesu, a DDoS botnet active since 2023, is spreading across IoT devices.

Built for stealth and persistence, it avoids high-risk targets while exploiting routers and cameras to grow its network and launch attacks.

🔗 Details here → https://thehackernews.com/2026/04/masjesu-botnet-emerges-as-ddos-for-hire.html
⚠️ ALERT - New Chaos malware variant now targets misconfigured cloud setups, expanding beyond routers.

New variant exploits exposed services, installs a payload & adds proxy features to route attacker traffic, making activity harder to trace.

🔗 Read → https://thehackernews.com/2026/04/new-chaos-variant-targets-misconfigured.html
⚠️ WARNING - A hack-for-hire campaign linked to the “Bitter” cluster targeted journalists across MENA.

One Apple account was fully compromised, giving attackers persistent access. Others were hit with phishing using fake logins and Google OAuth abuse.

🔗 Tactics, targets, and spyware links → https://thehackernews.com/2026/04/bitter-linked-hack-for-hire-campaign.html
⚠️ Attackers are exploiting a 0-day in Adobe Reader via malicious PDFs.

Opening the file runs hidden JavaScript to steal data and stage further exploits, including possible RCE. It works on the latest version & has been active since Dec 2025.

🔗 Read → https://thehackernews.com/2026/04/adobe-reader-zero-day-exploited-via.html
Another Thursday, another avalanche.

🦠 Hybrid botnet, 125K/day
🔓 13-yr Apache RCE, still live
💸 $17.7B lost to fraud in 2025
🌊 8M DDoS hits, H2 2025
📸 Meta insider, 30K stolen photos
🎭 BPOs hijacked, enterprises breached
🛒 SVG skimmer, 99 Magento stores
🙂 Emojis beating security filters
ClickFix → Node.js RAT, in-memory
🍎 ClickFix → macOS via AppleScript
🤖 PyPI package stealing AI prompts
🏭 5K+ Rockwell PLCs, wide open
💀 Claude Code leak → stealer wave
👾 Remus = Lumma's 64-bit ghost
⚖️ Anthropic's risk label stands
📋 Fake Proxifier → clipboard clipper
📧 GitHub & Jira flipped for phishing
🔑 Linux SMB3 leaks AES keys
🧠 CLAUDE.md → prompt injection
👻 GrafanaGhost, silent data exfil
💳 LSPosed = Android payment fraud

🔗 Read more → https://thehackernews.com/2026/04/threatsday-bulletin-hybrid-p2p-botnet.html
State of Browser Attacks - free webinar series

Attackers have moved into the browser. These numbers tell the story:

• OAuth attacks up 37x this year
• ClickFix was the #1 initial access vector in 2025 (47% of attacks)
• 1 in 3 phishing payloads now delivered outside email
• Average breakout time to high-value assets: 29 minutes

Most security tools never see it coming.

Push Security is running a 3-part series with Troy Hunt (Have I Been Pwned), John Hammond (Huntress), and Matt Johansen (Vulnerable U) - breaking down exactly how these attacks work and what actually stops them.

📅 Starts April 16
🔗 https://thn.news/push-browser-attacks
Researchers tracked UAT-10362 targeting Taiwan via phishing.

It uses DLL side-loading to deploy LucidRook, a Lua-based stager that steals system data and runs encrypted payloads in memory. Execution is limited to zh-TW systems to evade detection.

🔗 Full attack chain and toolkit details → https://thehackernews.com/2026/04/uat-10362-targets-taiwanese-ngos-with.html
ALERT - A flaw in EngageLab’s #Android SDK exposed 30M+ crypto wallet installs to potential data access.

The intent redirection bug allowed sandbox bypass via a malicious app on the same device. No active exploitation found.

🔗 Read → https://thehackernews.com/2026/04/engagelab-sdk-flaw-exposed-50m-android.html
⚠️ Smart Slider 3 Pro shipped a backdoored update (3.5.1.35) via its official update system.

For ~6 hours, installs got hidden admin accounts, pre-auth remote code execution via HTTP headers, and full credential + site data exfiltration with persistent backdoors.

🔗 Read → https://thehackernews.com/2026/04/backdoored-smart-slider-3-pro-update.html
🔥 Google rolled out Device Bound Session Credentials (DBSC) in Chrome 146 (Windows).

It ties session cookies to a device using hardware keys, so stolen cookies can’t be reused without that device. Cookies expire quickly without validation.

🔗 Read → https://thehackernews.com/2026/04/google-rolls-out-dbsc-in-chrome-146-to.html
A 13-year-old flaw in Apache ActiveMQ can lead to RCE.

CVE-2026-34197 lets attackers run OS commands via the Jolokia API. Chained with CVE-2024-32114, it becomes unauthenticated RCE on some versions.

Patched in 5.19.4 and 6.2.3.

🔗 Learn more → https://thehackernews.com/2026/04/threatsday-bulletin-hybrid-p2p-botnet.html#chained-flaws-enable-stealth-rce
⚠️ Marimo CVE-2026-39987 gave attackers a full shell with no authentication.

A missing check in /terminal/ws allowed remote code execution on exposed systems. Exploitation began within 9 hours of disclosure - no PoC needed.

🔗 Details here → https://thehackernews.com/2026/04/marimo-rce-flaw-cve-2026-39987.html
Shadow AI is now a core security risk.

55% of employees use unapproved AI tools, sending sensitive data outside control. No visibility. No audit trail.

Traditional security tools can’t monitor this shift.

🔗 How shadow AI creates hidden exposure → https://thehackernews.com/2026/04/the-hidden-security-risks-of-shadow-ai.html
A fake VS Code extension is spreading malware across developer tools.

One plugin infects every IDE on the system, then installs a RAT and data stealer. It uses native Zig code to bypass sandbox limits and runs with full OS access.

🔗 Details here → https://thehackernews.com/2026/04/glassworm-campaign-uses-zig-dropper-to.html
AI browser extensions are a hidden risk in enterprise security.

99% of users run extensions, yet they bypass DLP and logs while accessing sessions, inputs, and data. AI extensions are riskier and often change permissions over time.

🔗 What security teams are missing → https://thehackernews.com/2026/04/browser-extensions-are-new-ai.html