MFA protects login. Not the session.

As Alicia Townsend explains, session cookies become the real credential after authentication. If stolen, attackers get access with no password, no MFA, no alerts.

🔗 How session hijacking bypasses MFA → https://thehackernews.com/expert-insights/2026/04/session-cookie-theft-you-showed-your-id.html

Effective DDoS testing requires more than generating traffic.

It requires:
🔶 Precise attack modeling
🔶 Deep understanding of mitigation layers
🔶 Controlled execution against production-like environments

Otherwise, you’re measuring system behavior—not resilience to real world attacks.

Here’s how the main DDoS testing approaches stack up in 2026: https://thn.news/ddos-automation-testing

Security alerts rose 52%, but critical risk jumped ~400%.

OX Security shows AI-driven development is scaling high-impact flaws faster than teams can fix them, while business context now outweighs CVSS in real risk.

🔗 Read → https://thehackernews.com/2026/04/analysis-of-216m-security-findings.html

🔥 Google put Rust in Pixel 10’s modem DNS parser, cutting off a major class of memory bugs.

DNS powers core cellular functions, and unsafe parsing has enabled exploits like buffer overflows. This move reduces attack surface at one of the most exposed layers.

🔗 Read → https://thehackernews.com/2026/04/google-adds-rust-based-dns-parser-into.html

2026 Gartner® Magic Quadrant™ for Third-Party Risk Management Tools for Assurance Leaders

As organizations grow increasingly reliant on third parties and their technologies, the range of associated risks expands as well. Third-party risk is a slippery slope, which is why it’s even more important to have a trusted solution that best supports your team.

✨ Optro has been named a Leader in the 2026 Gartner® Magic Quadrant™ for Third-Party Risk Management for Assurance Leaders!

Download your complimentary copy for unbiased recommendations and in-depth analyses of TPRM software: https://thn.news/2026-tprm-magic-quadrant

⚡ U.K. moves to jail tech execs over failure to remove non-consensual intimate images.

New bill amendments also criminalize incest porn and adults roleplaying as children, expanding platform liability.

🔗 What the law changes for platforms and execs → https://thehackernews.com/2026/04/weekly-recap-fiber-optic-spying-windows.html#:~:text=U.K.%20Government%20Threatens%20Tech%20Execs%20with%20Jail%20Time

A new ad fraud campaign used AI-written news to enter Google Discover and trick users.

Pushpaganda drove 240M ad requests in a week by forcing notification opt-ins, then pushing scam alerts and redirecting to ad sites.

🔗 Read → https://thehackernews.com/2026/04/ai-driven-pushpaganda-scam-exploits.html

⚠️ ALERT - Composer disclosed two command injection flaws (CVE-2026-40176 and CVE-2026-40261) with up to CVSS 8.8 severity.

Malicious composer.json or crafted source refs can execute arbitrary commands—even without Perforce installed. Affects multiple 2.x versions; patches released and metadata disabled as a precaution.

🔗 Read → https://thehackernews.com/2026/04/new-php-composer-flaws-enable-arbitrary.html

🔥 OpenAI launched GPT-5.4-Cyber, a model built for security teams to find and fix bugs faster.

3,000+ vulnerabilities already fixed using its Codex Security tools, with access expanding to thousands of defenders.

But the same AI can be misused to find exploits.

🔗 Read → https://thehackernews.com/2026/04/openai-launches-gpt-54-cyber-with.html

⚡ Microsoft patched 169 vulnerabilities, including an actively exploited SharePoint zero-day.

It lets attackers spoof trusted content. 93 flaws are privilege escalation, and a critical IKEv2 bug (CVSS 9.8) enables remote code execution with no user action.

🔗 Full Patch Tuesday risks and fixes → https://thehackernews.com/2026/04/microsoft-issues-patches-for-sharepoint.html

🛑 April Patch Tuesday spans SAP, Adobe, Microsoft, Fortinet—and core vendors like Apple, Google, Cisco, VMware, Palo Alto, AWS, and Linux.

SAP (CVSS 9.9) enables SQL execution. Adobe Reader and SharePoint flaws are already exploited.

🔗 Read → https://thehackernews.com/2026/04/april-patch-tuesday-fixes-critical.html

🚨 A critical nginx-ui flaw is now exploited in the wild.

CVE-2026-33032 (9.8) allows auth bypass via the /mcp_message endpoint, letting attackers take full control of Nginx with two HTTP requests due to an “allow-all” default.

🔗 Details here → https://thehackernews.com/2026/04/critical-nginx-ui-vulnerability-cve.html

🤖 AI is now embedded across security teams. 100% of CISOs report active use.

Agentic testing adds variability, so results change between runs and break repeatability. Hybrid models keep tests consistent while using AI to adapt.

🔗 Learn why hybrid AI models are replacing agentic security testing → https://thehackernews.com/2026/04/deterministic-agentic-ai-architecture.html

⚠️ Attackers are abusing automation tools as delivery infrastructure.

Cisco Talos found #n8n webhooks used for phishing, malware, and tracking, leveraging trusted *.n8n.cloud domains to bypass filters.

email link → CAPTCHA → silent download → RMM-based persistence.

🔗 Read → https://thehackernews.com/2026/04/n8n-webhooks-abused-since-october-2025.html

Ukraine’s CERT-UA reports attacks on hospitals and government using AGINGFLY to steal browser and WhatsApp data.

Phishing triggers LNK → HTA via mshta.exe, deploying RAVENSHELL for remote control, credential theft, and lateral movement.

🔗 Full attack chain and tools used → https://thehackernews.com/2026/04/uac-0247-targets-ukrainian-clinics-and.html

Google added E2EE to Gmail on Android and iOS for Workspace users.

Client-side encryption lets licensed users send encrypted emails to any address, readable in Gmail or secure web view.

🔗 How Gmail handles encrypted emails → https://thehackernews.com/2026/04/weekly-recap-fiber-optic-spying-windows.html#:~:text=Google%20Brings%20E2EE%20to%20Gmail%20for%20Android%20and%20iOS

A bank-approved pixel redirected logged-in users to Temu—without consent or detection.

First-hop bias let it pass: Taboola was allow-listed, so the browser followed a 302 redirect and sent cookies cross-origin.

🔗 Full trace of how CSP trust breaks at runtime → https://thehackernews.com/2026/04/hidden-passenger-how-taboola-routes.html

⚠️ Attackers are using Obsidian’s plugin system to run malware.

Targets move LinkedIn → Telegram → shared vault, where code runs only after enabling plugins. The payload deploys PHANTOMPULSE with Ethereum-based C2.

🔗 Read how → https://thehackernews.com/2026/04/obsidian-plugin-abuse-delivers.html

Cisco patched 4 critical flaws (CVSS up to 9.9) in Webex and ISE.

Bugs allow user impersonation, remote code execution, and OS command execution—even with low-level admin access. Exploits can lead to root access or outages.

🔗 CVEs, impact, and fixes → https://thehackernews.com/2026/04/cisco-patches-four-critical-identity.html

Work with real ICS/OT security scenarios, tools, and techniques at the SANS ICS Security Summit.

Join experts and practitioners in Orlando, or attend virtually, for workshops, technical talks, and community discussions.

Register - https://thn.news/ics-security-summit-26

This week's ThreatsDay Bulletin is wild:

🧓 17-year-old Excel bug exploited again
💸 Fake Ledger app drains $9.5M
🛡️ New Defender zero-day drops
☁️ APT41 hiding in your cloud
🔗 WordPress plugins poisoned via acquisition
💬 $21B black market still live on Telegram
...and 12 more.

Read all new stories here ↓ https://thehackernews.com/2026/04/threatsday-bulletin-17-year-old-excel.html