This week didn’t break anything. It bent everything:

⚡ Vercel hacked
🌐 DDoS busted
🤖 PowMix botnet
📢 Push fraud
📝 Obsidian RAT
⬇️ CPUID trojan
🧩 Chrome spyware
🧠 AI cyber
💰 Vect ransomware
💬 Teams trap
🗂️ CGrabber steal
📧 Mail breach
🔑 Access trade
🛠️ Adaptix C2
🧬 Adware backdoor
💉 SQL attacks
🖥️ VM stealth
🎭 Fake installer

🔗 Scroll through the full recap → https://thehackernews.com/2026/04/weekly-recap-vercel-hack-push-fraud.html

⚠️ SGLang has a critical flaw enabling remote code execution (CVSS 9.8) via malicious GGUF model files.

A crafted Jinja2 template runs when /v1/rerank is triggered, executing attacker code on the server.

🔗 How GGUF templates become an RCE path → https://thehackernews.com/2026/04/sglang-cve-2026-5760-cvss-98-enables.html

⚠️ CISA added 8 actively exploited vulnerabilities to KEV across Cisco, Quest, PaperCut, TeamCity, Kentico, and Zimbra.

Includes 3 Cisco SD-WAN flaws and a Quest KACE bug (CVSS 10.0) enabling user impersonation.

Federal patch deadlines: April 23 (Cisco), May 4 (others).

🔗 Read → https://thehackernews.com/2026/04/cisa-adds-8-exploited-flaws-to-kev-sets.html

96% of security teams can’t confirm if risks are exploitable.

In this analysis, Jean-Philippe Salles of Filigran shows CTEM is failing at prioritization and validation, with 42% of SOC time wasted on low-value work.

The gap is poor use of threat intelligence.

🔗 Why CTEM breaks without intel-driven context → https://thehackernews.com/expert-insights/2026/04/why-threat-intelligence-is-missing-link.html

Google fixed an Antigravity IDE flaw that enabled arbitrary code execution via a search tool input.

Attackers could inject commands, bypass sandbox controls, and run scripts automatically. Similar prompt injection flaws are now seen across AI dev tools.

🔗 Read → https://thehackernews.com/2026/04/google-patches-antigravity-ide-flaw.html

🛑 Android malware is hijacking NFC payments via a real app.

Researchers found NGate abusing HandyPay to relay card data and steal PINs for ATM withdrawals. Spread via fake lottery sites and spoofed app pages, targeting Brazil since Nov 2025.

🔗 Read → https://thehackernews.com/2026/04/ngate-campaign-targets-brazil.html

99% of security leaders are confident in their ability to detect attacks. Yet nearly half of those who experienced one admit they detected it too late to prevent significant damage. 🤔

Something doesn't add up.

Halcyon recently surveyed 100 CISOs and senior security leaders on #ransomware, and their findings show the confidence-vs-reality gap is bigger than it should be:

⚠️ 98% use EDR; only 25% actually trust it to defend against today's threats
⚠️ #AI is giving attackers a 13:1 speed advantage over defenders
⚠️ 90% rate their security as sufficient - yet nearly half experienced moderate to significant disruption

The problem isn't experience or awareness. It's that most tools in use today weren't purpose-built for ransomware - and attackers know it.

The gap is real, it's measurable, and it's getting wider.

👉 Read the full report: https://thn.news/halcyon-survey-2026

Most breaches don’t start with exploits. Stolen credentials still dominate initial access.

Attackers log in, move laterally, and escalate fast—often reaching ransomware within hours. AI is accelerating this pattern, not changing it.

🔗 Why identity attacks still lead breaches → https://thehackernews.com/2026/04/no-exploit-needed-how-attackers-walk.html

🚨 A ransomware negotiator worked with attackers while advising victims.

Angelo Martino leaked client negotiation data to BlackCat, including insurance limits, helping raise ransom payouts while getting paid by both sides.

🔗 Read → https://thehackernews.com/2026/04/ransomware-negotiator-pleads-guilty-to.html

Over 99% of Mythos-discovered vulnerabilities remain unpatched. The Glasswing report lands in July. The window between patch publication and AI-powered weaponization is collapsing.

Picus Security published 12 vendor-neutral recommendations for security teams preparing for what comes after.

Get your copy now: https://thn.news/post-mythos-actions

A 24-year-old linked to Scattered Spider pleaded guilty after stealing $8 million in digital assets from multiple companies.

The campaign used SMS phishing to capture employee credentials, then SIM swapping to take over accounts across telecom, tech, and crypto firms.

🔗 Read → https://thehackernews.com/2026/04/weekly-recap-vercel-hack-push-fraud.html#:~:text=British%20National%20Pleads%20Guilty%20to%20Scattered%20Spider%20Campaign

🚨 Researchers found 22 vulnerabilities in serial-to-IP converters, with ~20,000 devices exposed online.

Exploitation can enable device takeover and tampering with data between legacy systems and IP networks, impacting industrial operations.

🔗 Read → https://thehackernews.com/2026/04/22-bridgebreak-flaws-expose-20000.html

🛑 A SystemBC-linked server exposed 1,570+ infected systems, mostly corporate.

An affiliate of The Gentlemen #ransomware used the proxy malware for covert access and staging—not all were confirmed ransomware victims.

🔗 Read → https://thehackernews.com/2026/04/systembc-c2-server-reveals-1570-victims.html

Many companies have backups but still can’t recover from ransomware.

As Acronis’ Subramani Rao explains, backups often fail before encryption as attackers disable, delete, or corrupt them after gaining access.

Recovery breaks down due to compromised systems and slow validation.

🔗 Why backup doesn’t equal recovery in real attacks → https://thehackernews.com/expert-insights/2026/04/why-your-backups-might-not-save-you.html

⚠️ A Python sandbox for untrusted code has a 9.3 flaw (CVE-2026-5752).

A Pyodide bug enables sandbox escape and root command execution. The project is unmaintained, so the issue remains UNPATCHED.

🔗 Learn more → https://thehackernews.com/2026/04/cohere-ai-terrarium-sandbox-flaw.html

⚡ Security teams track MTTR as a metric. Leadership sees every hour of dwell time as risk.

Delays rarely come from staffing—they come from disconnected threat intel, manual lookups, and tool switching that add up over time.

🔗 Learn why MTTR slows down inside most SOCs → https://thehackernews.com/2026/04/5-places-where-mature-socs-keep-mttr.html

🛑 China-linked APT targets India’s banks with updated malware.

LOTUSLITE v1.1 uses phishing, signed executables, and DLL sideloading to gain access—focused on espionage, not theft. Shift from U.S. govt targets to Indian financial systems.

🔗 Details → https://thehackernews.com/2026/04/mustang-pandas-new-lotuslite-variant.html

⚠️ Microsoft patched CVE-2026-40372 (CVSS 9.1) in ASP .NET Core enabling SYSTEM-level escalation.

A crypto flaw let attackers forge payloads and decrypt auth data in apps using vulnerable Data Protection on Linux/macOS.

🔗 Read → https://thehackernews.com/2026/04/microsoft-patches-critical-aspnet-core.html

⚠️ Kaspersky found a new wiper targeting Venezuela’s energy sector.

Lotus Wiper fully destroys systems—no ransom, no recovery. It uses scripts to disable defenses, then wipes drives, deletes backups, and erases files using native Windows tools.

🔗 Details → https://thehackernews.com/2026/04/lotus-wiper-malware-targets-venezuelan.html

Moltbook exposed 1.5M API tokens and 35,000 emails via an open database.

Agents also stored internal tokens and third-party credentials together in plaintext, creating cross-app access paths no one reviewed.

🔗 How “toxic combinations” form across SaaS → https://thehackernews.com/2026/04/toxic-combinations-when-cross-app.html

Join 15+ SANS Institute instructors in a panel-style webinar to gain practical tools, proven tactics, and real-world tradecraft you can apply immediately. Detect threats sooner and respond with precision.

15+ Cybersecurity Experts. 1 Can't-Miss Webinar. Register → https://thn.news/sans-2026-secure-fortress