Cyber Security Week in Review: May 1, 2026

The US Cybersecurity and Infrastructure Security Agency (CISA) has added several vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, including CVE-2024-1708 (a path traversal flaw in ConnectWise ScreenConnect that leads to remote code execution), CVE-2026-32202 (a protection mechanism failure in the Microsoft Windows Shell), and CVE-2026-41940 (an authentication bypass in cPanel). According to the managed cPanel host KnownHost, CVE-2026-41940 has been exploited in the wild since February 23, 2026.

The additions also include two SimpleHelp flaws (CVE-2024-57726 and CVE-2024-57728) reportedly used as initial access vectors in campaigns attributed to the DragonForce ransomware group, CVE-2024-7399 (a path traversal vulnerability in Samsung MagicINFO 9 Server), and CVE-2025-29635 (a flaw in D-Link DIR-823X routers).

A recently disclosed SQL injection vulnerability (CVE-2026-42208) in BerriAI's LiteLLM Python package came under active exploitation within 36 hours of public disclosure, according to Sysdig. CISA has yet to add the flaw to the KEV catalog.

SonicWall has released security updates for three high-severity firewall vulnerabilities that could allow a remote attacker to reach certain management interface functions or restricted areas, or to trigger a denial of service.

A high-severity logic flaw in the Linux kernel allows an unprivileged attacker to write arbitrary code into the memory of other processes, potentially leading to full system compromise and a root shell. Tracked as CVE-2026-31431 (aka Copy Fail), the vulnerability is believed to affect all major Linux distributions and to date back to 2017.

Researchers at SentinelLabs have uncovered a cyber sabotage tool from 2005, dubbed 'fast16', designed to corrupt the results of high-precision computing systems. The findings suggest that attacks on scientific and research workloads began years earlier than previously believed, well before Stuxnet. The malware's key component is a kernel driver named fast16.sys, which intercepts programs as they are loaded from disk and patches their code in memory. Rather than crashing the system, it alters how calculations are performed, producing results that are wrong but plausible.

A hacking team associated with the North Korea-linked Lazarus Group has carried out a large-scale crypto theft campaign targeting more than 100 cryptocurrency organizations across over 20 countries. The campaign, attributed to BlueNoroff, impersonated well-known fintech figures, distributed fake meeting invitations via spoofed Calendly links, and used typosquatted domains mimicking Zoom and Microsoft Teams to lure victims.

CERT-EU has released its threat landscape report, which found that cyber threats increased significantly in 2025, with 174 threat groups identified (up from 110 in 2024). Most activity was espionage and preparatory activity, while cybercrime also grew. China-linked actors were the most active, followed by Russia-linked actors: China focused on vulnerability exploitation and supply chains, while Russia targeted Ukraine and the EU countries supporting it.

Hackers linked to the Chinese government ran two widespread phishing campaigns against journalists and opposition activists over a nine-month period, according to a report published by Citizen Lab in collaboration with the International Consortium of Investigative Journalists (ICIJ). The researchers identified more than 100 malicious domains used in the operations.

Securonix researchers found a new Windows malware family called Deep#Door, which uses a hidden batch script to install a Python-based backdoor capable of spying on users and stealing credentials. Rather than downloading malicious files, it embeds the payload inside the script and reconstructs it in memory and on disk during execution.

Several official SAP npm packages have been compromised in what researchers believe is a supply-chain attack linked to the TeamPCP threat group. The attackers planted a malicious preinstall script in the packages, so the payload runs automatically whenever the package is installed. The malware is designed to steal sensitive data from developer systems and CI/CD pipelines, including authentication tokens, SSH keys, and cloud credentials for major platforms such as AWS, Azure, and Google Cloud. Researchers have also found what appears to be an extension of the Bitwarden CLI npm compromise and the SAP npm compromise, this time targeting the PyTorch Lightning Python package.
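As an added check (example code written for this digest, not SAP's, Bitwarden's or any researcher's tooling), the following script walks a node_modules tree and reports every package that declares an npm install-time lifecycle script, which is the mechanism the preinstall payload above relies on. The sample packages and their commands are constructed for the example, and the heuristic in suspicious() is an assumption, not a published indicator.

```python
"""Added example (not SAP's, Bitwarden's or any researcher's code): walk an
installed node_modules tree and list every package that declares an npm
lifecycle script that runs on install. Such scripts are how a preinstall
payload executes on a developer machine or CI runner."""
import json
import os
import tempfile

# npm lifecycle hooks that run during installation of a dependency.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def find_install_scripts(node_modules):
    """Return {package_name: {hook: command}} for packages with install hooks."""
    findings = {}
    for root, _dirs, files in os.walk(node_modules):
        if "package.json" not in files:
            continue
        try:
            with open(os.path.join(root, "package.json"), encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or not a manifest; skip quietly
        scripts = manifest.get("scripts") or {}
        hooks = {h: scripts[h] for h in INSTALL_HOOKS if h in scripts}
        if hooks:
            name = manifest.get("name") or os.path.relpath(root, node_modules)
            findings[name] = hooks
    return findings


def suspicious(command):
    """Crude heuristic (assumption, not a published indicator): install-time
    network fetch or shell-out to an interpreter."""
    markers = ("curl ", "wget ", "node -e", "python", "bash -c", "| sh",
               "http://", "https://")
    return any(m in command for m in markers)


def build_sample_tree(base):
    """Constructed fixture: one plain package, one with a legitimate native
    build step, and one with an interpreter-spawning preinstall hook."""
    pkgs = {
        "left-pad": {"name": "left-pad", "version": "1.3.0"},
        "node-gyp-lib": {"name": "node-gyp-lib", "version": "2.0.0",
                         "scripts": {"install": "node-gyp rebuild"}},
        "@acme/sdk": {"name": "@acme/sdk", "version": "9.9.9",
                      "scripts": {"preinstall": "node -e \"require('./setup.js')\""}},
    }
    for folder, manifest in pkgs.items():
        d = os.path.join(base, folder)
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return base


def audit(node_modules):
    """Return names of packages whose install hooks look suspicious."""
    return sorted(name for name, hooks in find_install_scripts(node_modules).items()
                  if any(suspicious(cmd) for cmd in hooks.values()))


def demo():
    """Build the fixture in a temp dir and return (all findings, flagged names)."""
    with tempfile.TemporaryDirectory() as tmp:
        tree = build_sample_tree(os.path.join(tmp, "node_modules"))
        return find_install_scripts(tree), audit(tree)


if __name__ == "__main__":
    found, flagged = demo()
    print(found)
    print("review:", flagged)
```

Run it against a tree produced with `npm ci --ignore-scripts`, so nothing executes before the audit, then allowlist the packages that legitimately need a build step before re-running scripts. Auditing after a normal install is too late, because the preinstall hook has already run.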

Check Point Research found that VECT 2.0, the encryptor used by the VECT Ransomware-as-a-Service (RaaS) program, contains a critical flaw that permanently destroys large files instead of encrypting them. Due to an implementation error, files larger than 128 KB lose most of the data required for decryption, making recovery impossible even for the attackers; for such files the malware effectively behaves as a data wiper. VECT drew public attention after announcing a partnership with TeamPCP to target the companies affected by the supply chain attacks.

Varonis has published a report on Bluekit, a new phishing kit with over 40 ready-made templates impersonating email providers, cloud platforms, developer tools, and cryptocurrency services. It ships with a built-in AI assistant that draws on multiple models to help attackers generate phishing emails.

Arctic Wolf has published a report on a widespread phishing campaign targeting organizations across North America and EMEA. Like the "Riding the Rails" campaign observed in March, the attack abuses the OAuth 2.0 Device Authorization Grant, commonly known as the device code flow: the attacker starts the grant, sends the resulting user code to the victim, and the victim approves it on the identity provider's legitimate verification page, after which the attacker's polling client receives tokens for the account. Attackers use the Kali365 Live phishing-as-a-service (PhaaS) platform to scale and automate the operation.
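To make the abuse concrete, here is a toy in-process model of the RFC 8628 exchange, added for this digest and not taken from Arctic Wolf's report or from Kali365. The authorization server, the attacker's client and the victim are all simulated; the endpoint URL, client id, scopes, user names and the allow_device_code policy knob are assumptions made for illustration.

```python
"""Toy RFC 8628 device-authorization-grant exchange, added to illustrate the
phishing pattern (example code, not Arctic Wolf's or Kali365 material). The
authorization server, attacker client and victim are all in-process; the
endpoint URL, client id, scopes and policy knob are assumptions."""
import secrets
import time

AUTHORIZATION_PENDING = "authorization_pending"
DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"


class AuthorizationServer:
    """Minimal in-memory authorization server for the device code grant."""

    def __init__(self, allow_device_code=True, lifetime=900, now=time.time):
        self.allow_device_code = allow_device_code  # stands in for a tenant policy (assumption)
        self.lifetime = lifetime                    # device code lifetime in seconds
        self.now = now                              # injectable clock for testing expiry
        self.pending = {}                           # device_code -> record

    def device_authorization(self, client_id, scope):
        """Step 1: the client (here, the attacker) asks for a device code."""
        if not self.allow_device_code:
            return {"error": "unauthorized_client"}
        device_code = secrets.token_urlsafe(24)
        user_code = f"{secrets.randbelow(10**4):04d}-{secrets.randbelow(10**4):04d}"
        self.pending[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "expires": self.now() + self.lifetime, "approved_by": None,
        }
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example.test/device",
                "expires_in": self.lifetime, "interval": 5}

    def verify(self, user_code, username):
        """Step 2: the user types the code into the IdP's real page.
        Nothing on this page tells the victim who will receive the tokens."""
        for rec in self.pending.values():
            if rec["user_code"] == user_code and rec["expires"] > self.now():
                rec["approved_by"] = username
                return True
        return False

    def token(self, grant_type, device_code, client_id):
        """Step 3: the client polls the token endpoint until approval."""
        rec = self.pending.get(device_code)
        if grant_type != DEVICE_CODE_GRANT or rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if rec["expires"] <= self.now():
            del self.pending[device_code]
            return {"error": "expired_token"}
        if rec["approved_by"] is None:
            return {"error": AUTHORIZATION_PENDING}
        del self.pending[device_code]  # single use
        return {"access_token": f"at-{secrets.token_hex(8)}", "token_type": "Bearer",
                "scope": rec["scope"], "sub": rec["approved_by"]}


def run_phish(server, victim="alice@example.test", attacker_client="cli-app"):
    """Attacker starts the flow, sends the user_code to the victim, polls."""
    start = server.device_authorization(attacker_client, "Mail.Read offline_access")
    if "error" in start:
        return start
    # The lure carries start["user_code"] and the *legitimate* verification_uri,
    # which is why URL-reputation checks do not fire on this phish.
    first_poll = server.token(DEVICE_CODE_GRANT, start["device_code"], attacker_client)
    assert first_poll.get("error") == AUTHORIZATION_PENDING
    server.verify(start["user_code"], victim)  # the victim "approves"
    return server.token(DEVICE_CODE_GRANT, start["device_code"], attacker_client)


if __name__ == "__main__":
    print(run_phish(AuthorizationServer()))                          # attacker holds alice's token
    print(run_phish(AuthorizationServer(allow_device_code=False)))   # policy blocks the grant
```

The point the simulation makes is that the victim only ever interacts with the identity provider's own verification page, so link-reputation checks do not trigger. The practical defenses are disabling the grant where it is not needed (the allow_device_code branch stands in for that policy) and alerting on device-code sign-ins from unexpected locations or clients.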

Cato Networks uncovered a large-scale campaign fingerprinting internet-exposed industrial control systems, specifically Modbus-based programmable logic controllers (PLCs). The activity, which peaked between September and November last year, spanned 70 countries and touched more than 14,000 unique IP addresses.
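Fingerprinting of this kind relies on the Modbus "Read Device Identification" function (function code 0x2B, MEI type 0x0E), which any client can send without authentication. The following added example (not Cato's tooling) builds that request and parses a response; the response bytes, vendor and product strings are constructed for the example.

```python
"""Added example, not Cato Networks' tooling: build the Modbus/TCP
"Read Device Identification" request (function 0x2B, MEI type 0x0E) that
fingerprinting scans send, and parse a response. The response bytes below are
constructed for the example; the vendor and product strings are invented."""
import struct

# MBAP header: transaction id, protocol id (0 = Modbus), length, unit id.
MBAP = struct.Struct(">HHHB")
OBJECT_NAMES = {0: "VendorName", 1: "ProductCode", 2: "MajorMinorRevision",
                3: "VendorUrl", 4: "ProductName", 5: "ModelName",
                6: "UserApplicationName"}


def build_read_device_id(transaction_id=1, unit_id=0xFF, read_id_code=0x01, object_id=0x00):
    """Modbus/TCP ADU for Read Device Identification (basic objects by default)."""
    pdu = bytes([0x2B, 0x0E, read_id_code, object_id])
    return MBAP.pack(transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_read_device_id(adu):
    """Return the identification objects carried in a response ADU.
    Raises ValueError on a malformed frame or a Modbus exception response."""
    if len(adu) < MBAP.size + 2:
        raise ValueError("frame too short")
    tid, proto, length, unit = MBAP.unpack_from(adu)
    pdu = adu[MBAP.size:]
    if proto != 0 or length != len(pdu) + 1:
        raise ValueError("bad MBAP header")
    if pdu[0] == (0x2B | 0x80):  # exception response: function code with high bit set
        raise ValueError(f"modbus exception code 0x{pdu[1]:02x}")
    if pdu[0] != 0x2B or pdu[1] != 0x0E or len(pdu) < 8:
        raise ValueError("not a Read Device Identification response")
    # pdu[2] read id code, pdu[3] conformity level, pdu[4] more follows,
    # pdu[5] next object id, pdu[6] number of objects, then (id, len, value)...
    count = pdu[6]
    objects, pos = {}, 7
    for _ in range(count):
        if pos + 2 > len(pdu):
            raise ValueError("truncated object list")
        obj_id, obj_len = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + obj_len]
        if len(value) != obj_len:
            raise ValueError("truncated object value")
        name = OBJECT_NAMES.get(obj_id, f"object_{obj_id:#04x}")
        objects[name] = value.decode("ascii", "replace")
        pos += 2 + obj_len
    return {"unit_id": unit, "transaction_id": tid,
            "more_follows": bool(pdu[4]), "objects": objects}


def sample_response(transaction_id=1, unit_id=0xFF):
    """Constructed response: three basic objects from an imaginary vendor."""
    objs = [(0, b"ExampleCorp"), (1, b"PLC-1000"), (2, b"v2.3.1")]
    body = b"".join(bytes([i, len(v)]) + v for i, v in objs)
    # read id code 0x01, conformity 0x01 (basic), more follows 0, next id 0
    pdu = bytes([0x2B, 0x0E, 0x01, 0x01, 0x00, 0x00, len(objs)]) + body
    return MBAP.pack(transaction_id, 0, len(pdu) + 1, unit_id) + pdu


if __name__ == "__main__":
    print(build_read_device_id().hex())
    print(parse_read_device_id(sample_response()))
```

A defender can reuse the parser on packet captures or honeypot traffic to see exactly which identification objects a scanner is pulling; the exception branch covers a PLC that rejects the function with an illegal-function response.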

Many popular browser extensions collect and sell user data, and do so legally, new research shows. LayerX analyzed thousands of extensions from official stores and found more than 80 whose disclosures state that they may sell or share user data.

A Chinese national accused of taking part in a global hacking operation has been extradited from Italy to the United States. Xu Zewei, 34, is charged over a series of computer intrusions carried out between February 2020 and June 2021. Prosecutors say some of the attacks were part of the widespread Hafnium (aka Silk Typhoon) cyber-espionage campaign, which compromised thousands of systems worldwide.

Austrian and Albanian authorities, with support from Europol and Eurojust, dismantled a large cryptocurrency investment fraud ring that caused over €50 million in losses worldwide. The operation led to 10 arrests and the seizure of cash, electronics, and data during raids on call centers and homes. The group operated like a structured company, employing hundreds of people across different departments to run the scam.

Authorities in the US, China, and Dubai conducted a separate takedown that resulted in the arrest of at least 276 suspects and the shutdown of nine cryptocurrency investment fraud centers.

In the meantime, Swiss and German police have arrested 10 suspected members of the Nigerian criminal network known as Black Axe, including a regional leader believed to oversee operations in Southern Europe.

The US Department of Justice has reportedly filed charges against a 19-year-old alleged member of the hacking collective known as Scattered Spider, following his arrest in Finland earlier this month. Peter Stokes, a dual citizen of the United States and Estonia known online as “Bouquet,” was apprehended on April 10 at Helsinki Airport while attempting to board a flight to Japan. Authorities say he was carrying multiple electronic devices, including two two-terabyte hard drives, at the time of his arrest.

French police detained a 15-year-old on April 25 for allegedly stealing millions of records from France Titres (ANTS). The teen, suspected of using the alias “breach3d,” faces computer crime charges after data from 12–18 million records was put up for sale online.

Ukrainian law enforcement authorities have uncovered a cybercrime operation that stole hundreds of thousands of Roblox gaming accounts belonging to both Ukrainian and international users. According to the police, the group hacked into players’ personal accounts and re-sold them for cryptocurrency within closed online communities and via a website registered in Russia.

A Romanian man, Thomasz Szabo, was sentenced to 4 years in US federal prison for running an online swatting scheme that targeted over 75 officials, journalists, and religious institutions. He pleaded guilty to conspiracy and making explosive threats. In an unrelated case, a juvenile linked to the cybercriminal group “Purgatory” was charged for making random swatting calls to universities and other institutions across the US.

Patrick Schmitz, a German man living in Colombia, was extradited to the United States for allegedly running The Versus Project underground marketplace. The site worked like an online store where over 380,000 users could create accounts and buy or sell illegal items, including drugs, fraud tools, digital goods, services, and malware.

A group of teenagers in South Korea has been arrested for operating private Telegram “doxxing rooms” where they allegedly spread false information, shared personal details and photos of individuals, and distributed harmful content. Authorities say the group defamed victims and also posted deepfake videos along with material involving the sexual exploitation of minors.

