Another Thursday, another avalanche.

🦠 Hybrid botnet, 125K/day
🔓 13-yr Apache RCE, still live
💸 $17.7B lost to fraud in 2025
🌊 8M DDoS hits, H2 2025
📸 Meta insider, 30K stolen photos
🎭 BPOs hijacked, enterprises breached
🛒 SVG skimmer, 99 Magento stores
🙂 Emojis beating security filters
🐀 ClickFix → Node.js RAT, in-memory
🍎 ClickFix → macOS via AppleScript
🤖 PyPI package stealing AI prompts
🏭 5K+ Rockwell PLCs, wide open
💀 Claude Code leak → stealer wave
👾 Remus = Lumma's 64-bit ghost
⚖️ Anthropic's risk label stands
📋 Fake Proxifier → clipboard clipper
📧 GitHub & Jira flipped for phishing
🔑 Linux SMB3 leaks AES keys
🧠 CLAUDE.md → prompt injection
👻 GrafanaGhost, silent data exfil
💳 LSPosed = Android payment fraud

🔗 Read more → https://thehackernews.com/2026/04/threatsday-bulletin-hybrid-p2p-botnet.html

📡 State of Browser Attacks — free webinar series

Attackers have moved into the browser. These numbers tell the story:

• OAuth attacks up 37x this year
• ClickFix was the #1 initial access vector in 2025 (47% of attacks)
• 1 in 3 phishing payloads now delivered outside email
• Average breakout time to high-value assets: 29 minutes

Most security tools never see it coming.

Push Security is running a 3-part series with Troy Hunt (Have I Been Pwned), John Hammond (Huntress), and Matt Johansen (Vulnerable U) — breaking down exactly how these attacks work and what actually stops them.

📅 Starts April 16
🔗 https://thn.news/push-browser-attacks

Researchers tracked UAT-10362 targeting Taiwan via phishing.

It uses DLL side-loading to deploy LucidRook, a Lua-based stager that steals system data and runs encrypted payloads in memory. Execution is limited to zh-TW systems to evade detection.

🔗 Full attack chain and toolkit details → https://thehackernews.com/2026/04/uat-10362-targets-taiwanese-ngos-with.html

🛑 ALERT - A flaw in EngageLab’s #Android SDK exposed 30M+ crypto wallet installs to potential data access.

The intent redirection bug allowed sandbox bypass via a malicious app on the same device. No active exploitation found.

🔗Read → https://thehackernews.com/2026/04/engagelab-sdk-flaw-exposed-50m-android.html

⚠️ Smart Slider 3 Pro shipped a backdoored update (3.5.1.35) via its official update system.

For ~6 hours, installs got hidden admin accounts, pre-auth remote code execution via HTTP headers, and full credential + site data exfiltration with persistent backdoors.

🔗 Read → https://thehackernews.com/2026/04/backdoored-smart-slider-3-pro-update.html

🔥 Google rolled out Device Bound Session Credentials (DBSC) in Chrome 146 (Windows).

It ties session cookies to a device using hardware keys, so stolen cookies can’t be reused without that device. Cookies expire quickly without validation.

🔗 Read → https://thehackernews.com/2026/04/google-rolls-out-dbsc-in-chrome-146-to.html

A 13-year-old flaw in Apache ActiveMQ can lead to RCE.

CVE-2026-34197 lets attackers run OS commands via the Jolokia API. Chained with CVE-2024-32114, it becomes unauthenticated RCE on some versions.

Patched in 5.19.4 and 6.2.3.

🔗 Learn more → https://thehackernews.com/2026/04/threatsday-bulletin-hybrid-p2p-botnet.html#chained-flaws-enable-stealth-rce

⚠️ Marimo CVE-2026-39987 gave attackers a full shell with no authentication.

A missing check in /terminal/ws allowed remote code execution on exposed systems. Exploitation began within 9 hours of disclosure—no PoC needed.

🔗 Details here → https://thehackernews.com/2026/04/marimo-rce-flaw-cve-2026-39987.html

Shadow AI is now a core security risk.

55% of employees use unapproved AI tools, sending sensitive data outside control. No visibility. No audit trail.

Traditional security tools can’t monitor this shift.

🔗 How shadow AI creates hidden exposure → https://thehackernews.com/2026/04/the-hidden-security-risks-of-shadow-ai.html

A fake VS Code extension is spreading malware across developer tools.

One plugin infects every IDE on the system, then installs a RAT and data stealer. It uses native Zig code to bypass sandbox limits and runs with full OS access.

🔗 Details here → https://thehackernews.com/2026/04/glassworm-campaign-uses-zig-dropper-to.html

AI browser extensions are a hidden risk in enterprise security.

99% of users run extensions, yet they bypass DLP and logs while accessing sessions, inputs, and data. AI extensions are riskier and often change permissions over time.

🔗 What security teams are missing → https://thehackernews.com/2026/04/browser-extensions-are-new-ai.html

⚠️ Police and intelligence agencies are using phone ad data to track people.

Up to 500M devices feed Webloc, built by Cobwebs and sold by Penlink, enabling location tracking, identity inference, and 3-year history, per Citizen Lab.

🔗 Learn more → https://thehackernews.com/2026/04/citizen-lab-law-enforcement-used-webloc.html

🛑 Adobe released emergency fixes for a 9.6 CVSS flaw (CVE-2026-34621) in Acrobat/Reader, confirmed under active exploitation.

A prototype pollution bug lets malicious PDFs run arbitrary code via JavaScript. Evidence shows attacks may date back to Dec 2025.

🔗 Read → https://thehackernews.com/2026/04/adobe-patches-actively-exploited.html

⚠️ ALERT - CPUID’s site was compromised for ~19 hours, serving trojanized CPU-Z and HWMonitor installers.

Attackers used DLL sideloading to pair legit apps with a malicious file, deploying STX RAT.

150+ victims reported before detection.

🔗 Read → https://thehackernews.com/2026/04/cpuid-breach-distributes-stx-rat-via.html

⚠️ WARNING - Are you using #ChatGPT, Codex, or OpenAI Atlas browser?

Update now... Older #macOS apps will stop working after May 8, 2026 due to a supply chain attack on a dependency used in OpenAI’s signing workflow. No user data was compromised, but certificates are revoked.

🔗Read → https://thehackernews.com/2026/04/openai-revokes-macos-app-certificate.html

🚨 APT37 used Facebook to run a targeted malware campaign.

Fake profiles built trust, moved chats to Telegram, then pushed a trojanized PDF app that installs RokRAT via a JPG payload, using compromised sites and Zoho WorkDrive for control.

🔗 Read → https://thehackernews.com/2026/04/north-koreas-apt37-uses-facebook-social.html

Claude Code leak is now a malware vector.

A 512K-line source leak was mirrored on GitHub, where fake repos pushed Vidar, PureLogs, and GhostSocks via trojanized releases.

🔗 How attackers weaponized the leak for malware spread → https://thehackernews.com/2026/04/threatsday-bulletin-hybrid-p2p-botnet.html#code-leak-weaponized-for-malware-spread

Monday is here, and your patch list just got a lot longer.

🔥 Adobe 0-Day
🤖 AI Exploits
⚡ Infra War
📡 Router Botnets
🇰🇵 Crypto Sting
👂 Fiber Spying
📁 Payroll Pirates
🕵️ Hack-for-Hire
🔐 Signal Leak

Skim this before your next meeting. Let’s get into it: https://thehackernews.com/2026/04/weekly-recap-fiber-optic-spying-windows.html

⚡ Email is still the top attack vector and $3 Billion in BEC losses (2024) proves it.

Modern attacks use AI-written messages, not malware. Traditional filters miss them. Security teams are layering behavioral AI and automation on top of Microsoft 365 to close the gap.

🔗 Learn why email security is shifting to layered defense → https://thehackernews.com/expert-insights/2026/04/why-security-leaders-are-layering-email.html

FBI and Indonesian police dismantled W3LL, a phishing platform behind $20M+ fraud attempts.

Used by 500+ actors, it sold tools to steal credentials, bypass MFA, and resell access to 25,000+ accounts.

🔗 Learn how a $500 kit scaled global phishing → https://thehackernews.com/2026/04/fbi-and-indonesian-police-dismantle.html

Anthropic restricted a model after it exploited zero-days autonomously.

Attackers now move in 29 minutes, or 22 seconds between steps. Detection is fast. But alerts still wait, and investigations take 20 to 40 minutes, longer than the attack itself.

🔗 Learn the real gap in modern security → https://thehackernews.com/2026/04/your-mttd-looks-great-your-post-alert.html