The Hacker News
⭐ Official THN Telegram Channel - A trusted, widely read, independent source for breaking news and tech coverage about cybersecurity and hacking.

📨 Contact: admin@thehackernews.com

🌐 Website: https://thehackernews.com

⚠️ Smart Slider 3 Pro shipped a backdoored update (3.5.1.35) via its official update system.

For ~6 hours, installs got hidden admin accounts, pre-auth remote code execution via HTTP headers, and full credential + site data exfiltration with persistent backdoors.

🔗 Read → https://thehackernews.com/2026/04/backdoored-smart-slider-3-pro-update.html

🔥 Google rolled out Device Bound Session Credentials (DBSC) in Chrome 146 (Windows).

It ties session cookies to a device using hardware keys, so stolen cookies can’t be reused without that device. Cookies expire quickly without validation.

🔗 Read → https://thehackernews.com/2026/04/google-rolls-out-dbsc-in-chrome-146-to.html

A 13-year-old flaw in Apache ActiveMQ can lead to RCE.

CVE-2026-34197 lets attackers run OS commands via the Jolokia API. Chained with CVE-2024-32114, it becomes unauthenticated RCE on some versions.

Patched in 5.19.4 and 6.2.3.

🔗 Learn more → https://thehackernews.com/2026/04/threatsday-bulletin-hybrid-p2p-botnet.html#chained-flaws-enable-stealth-rce

⚠️ Marimo CVE-2026-39987 gave attackers a full shell with no authentication.

A missing check in /terminal/ws allowed remote code execution on exposed systems. Exploitation began within 9 hours of disclosure - no PoC needed.

🔗 Details here → https://thehackernews.com/2026/04/marimo-rce-flaw-cve-2026-39987.html

Shadow AI is now a core security risk.

55% of employees use unapproved AI tools, sending sensitive data outside control. No visibility. No audit trail.

Traditional security tools can’t monitor this shift.

🔗 How shadow AI creates hidden exposure → https://thehackernews.com/2026/04/the-hidden-security-risks-of-shadow-ai.html

A fake VS Code extension is spreading malware across developer tools.

One plugin infects every IDE on the system, then installs a RAT and data stealer. It uses native Zig code to bypass sandbox limits and runs with full OS access.

🔗 Details here → https://thehackernews.com/2026/04/glassworm-campaign-uses-zig-dropper-to.html

AI browser extensions are a hidden risk in enterprise security.

99% of users run extensions, yet they bypass DLP and logs while accessing sessions, inputs, and data. AI extensions are riskier and often change permissions over time.

🔗 What security teams are missing → https://thehackernews.com/2026/04/browser-extensions-are-new-ai.html

⚠️ Police and intelligence agencies are using phone ad data to track people.

Up to 500M devices feed Webloc, built by Cobwebs and sold by Penlink, enabling location tracking, identity inference, and 3-year history, per Citizen Lab.

🔗 Learn more → https://thehackernews.com/2026/04/citizen-lab-law-enforcement-used-webloc.html

🛑 Adobe released emergency fixes for a 9.6 CVSS flaw (CVE-2026-34621) in Acrobat/Reader, confirmed under active exploitation.

A prototype pollution bug lets malicious PDFs run arbitrary code via JavaScript. Evidence shows attacks may date back to Dec 2025.

🔗 Read → https://thehackernews.com/2026/04/adobe-patches-actively-exploited.html

⚠️ ALERT - CPUID’s site was compromised for ~19 hours, serving trojanized CPU-Z and HWMonitor installers.

Attackers used DLL sideloading to pair legit apps with a malicious file, deploying STX RAT.

150+ victims reported before detection.

🔗 Read → https://thehackernews.com/2026/04/cpuid-breach-distributes-stx-rat-via.html

⚠️ WARNING - Are you using #ChatGPT, Codex, or OpenAI Atlas browser?

Update now... Older #macOS apps will stop working after May 8, 2026 due to a supply chain attack on a dependency used in OpenAI’s signing workflow. No user data was compromised, but certificates are revoked.

🔗 Read → https://thehackernews.com/2026/04/openai-revokes-macos-app-certificate.html

🚨 APT37 used Facebook to run a targeted malware campaign.

Fake profiles built trust, moved chats to Telegram, then pushed a trojanized PDF app that installs RokRAT via a JPG payload, using compromised sites and Zoho WorkDrive for control.

🔗 Read → https://thehackernews.com/2026/04/north-koreas-apt37-uses-facebook-social.html

Claude Code leak is now a malware vector.

A 512K-line source leak was mirrored on GitHub, where fake repos pushed Vidar, PureLogs, and GhostSocks via trojanized releases.

🔗 How attackers weaponized the leak for malware spread → https://thehackernews.com/2026/04/threatsday-bulletin-hybrid-p2p-botnet.html#code-leak-weaponized-for-malware-spread

Monday is here, and your patch list just got a lot longer.

🔥 Adobe 0-Day
🤖 AI Exploits
⚑ Infra War
📡 Router Botnets
🇰🇵 Crypto Sting
👂 Fiber Spying
Payroll Pirates
🕵️ Hack-for-Hire
Signal Leak

Skim this before your next meeting. Let’s get into it: https://thehackernews.com/2026/04/weekly-recap-fiber-optic-spying-windows.html

⚑ Email is still the top attack vector and $3 Billion in BEC losses (2024) proves it.

Modern attacks use AI-written messages, not malware. Traditional filters miss them. Security teams are layering behavioral AI and automation on top of Microsoft 365 to close the gap.

🔗 Learn why email security is shifting to layered defense → https://thehackernews.com/expert-insights/2026/04/why-security-leaders-are-layering-email.html

FBI and Indonesian police dismantled W3LL, a phishing platform behind $20M+ fraud attempts.

Used by 500+ actors, it sold tools to steal credentials, bypass MFA, and resell access to 25,000+ accounts.

🔗 Learn how a $500 kit scaled global phishing → https://thehackernews.com/2026/04/fbi-and-indonesian-police-dismantle.html

Anthropic restricted a model after it exploited zero-days autonomously.

Attackers now move in 29 minutes, or 22 seconds between steps. Detection is fast. But alerts still wait, and investigations take 20 to 40 minutes, longer than the attack itself.

🔗 Learn the real gap in modern security → https://thehackernews.com/2026/04/your-mttd-looks-great-your-post-alert.html

⚠️ CISA added 6 flaws to its KEV list after active exploitation.

A Fortinet bug (9.1) allows unauthenticated remote code execution, while an Exchange flaw is being used to deploy Medusa ransomware.

Federal agencies must patch by April 27.

🔗 Read → https://thehackernews.com/2026/04/cisa-adds-6-known-exploited-flaws-in.html

🚨 A ShowDoc flaw (CVSS 9.4) is now under active exploitation.

CVE-2025-0520 lets attackers upload web shells via unauthenticated file upload → full server control. First attacks seen via a U.S. honeypot; ~2,000 instances remain exposed, mostly in China.

🔗 Details → https://thehackernews.com/2026/04/showdoc-rce-flaw-cve-2025-0520-actively.html

🛑 108 Chrome extensions with 20,000 installs were tied to one backend stealing user data.

They captured Google accounts, hijacked Telegram sessions, and injected scripts into every page - while posing as games and utilities.

🔗 Read → https://thehackernews.com/2026/04/108-malicious-chrome-extensions-steal.html

Android trojan Mirax is spreading via Meta ads, hitting 220K+ accounts with fake streaming apps.

It gives attackers full device control and turns phones into proxy nodes to mask fraud using real IPs.

🔗 How RAT + proxy is reshaping mobile attacks → https://thehackernews.com/2026/04/mirax-android-rat-turns-devices-into.html