�� WARNING - APT28 ran a global router hijack to steal credentials.

The group compromised MikroTik and TP-Link devices, rewrote DNS settings, and redirected traffic for credential theft at scale -- impacting 18,000+ IPs across 120 countries, including government and cloud targets.

�� Read here → https://thehackernews.com/2026/04/russian-state-linked-apt28-exploits.html

--- ⚠️ WEBINAR ALERT ---

The biggest identity risk in 2026 isn’t inside your IAM. It’s everything outside it.

Hundreds of unmanaged apps are now being accessed by AI agents, expanding risk beyond what your team can see or control.

�� Join the WEBINAR for data and practical steps to close the gaps → https://thehackernews.com/2026/04/webinar-how-to-close-identity-gaps-in.html

�� Docker fixed a flaw letting attackers bypass AuthZ plugins with a padded API request (>1MB).

The plugin sees no body and allows it, while Docker executes it—creating a privileged container with host access and exposed credentials.

�� Learn how this leads to full host compromise → https://thehackernews.com/2026/04/docker-cve-2026-34040-lets-attackers.html

⚠️ Attackers are hijacking exposed ComfyUI servers into crypto mining and proxy botnets.

Scanners exploit unauthenticated setups via custom nodes, run code, and install persistent malware. Infected systems mine crypto and resist removal.

�� Read → https://thehackernews.com/2026/04/over-1000-exposed-comfyui-instances.html

Most attacks don’t start with exploits anymore. They start with access.

Across thousands of real-world incidents analyzed in the 2026 Annual Threat Report, one pattern is clear:

Attackers aren’t breaking in.
They’re logging in.

Here’s what we’re seeing:
↳ Legitimate credentials are the #1 entry point
↳ Remote access tools are being used against you
↳ Traditional detection is missing what looks “normal”

This isn’t theory. This is what actually worked for attackers in 2025.

If your security strategy is still built around stopping malware, you’re already behind.

Download the Blackpoint Cyber 2026 Annual Threat Report and see how modern attacks are actually unfolding.

Download the report: https://thn.news/blackpoint-threat-2026

Credential security isn’t just about breaches.

Daily issues add up: 30% of helpdesk tickets are password resets (~$70 each), while exposed credentials often go unnoticed.

Forced resets increase weak passwords without reducing risk.

�� Why credential issues cost more than breaches → https://thehackernews.com/2026/04/the-hidden-cost-of-recurring-credential.html

Ilan Nacmias at Sygnia shares a case where AI security tools worked, but no decisions were made.

Risks were clear, but teams disagreed and leaders saw things as under control. Progress came only after linking risk to business impact.

�� Why AI didn’t fix execution in cybersecurity → https://thehackernews.com/expert-insights/2026/04/ai-will-change-cybersecurity-humans.html

⚡ New research shows GPUs can be used to take over a system.

GPUBreach attack enables root access by flipping bits in GPU memory, corrupting page tables, and chaining into CPU exploits—even with IOMMU enabled.

�� Read details → https://thehackernews.com/2026/04/new-gpubreach-attack-enables-full-cpu.html

⚠️ WARNING: China-linked Storm-1175 is breaching networks and deploying ransomware in under 72 hours.

It chains zero-day and known flaws, then uses trusted tools to move, steal data, and evade detection across healthcare, finance, and more.

�� Read → https://thehackernews.com/2026/04/china-linked-storm-1175-exploits-zero.html

�� Flowise has a CVSS 10.0 RCE flaw (CVE-2025-59528) now under active attack.

A bug in MCP config lets attackers run JavaScript with full system access using just an API token. Over 12,000 exposed instances raise risk.

�� Exploitation details → https://thehackernews.com/2026/04/flowise-ai-agent-builder-under-active.html

⚠️ Iran-linked actors targeted Microsoft 365 accounts in 3 attack waves in March 2026, hitting 300+ orgs in Israel and 25+ in the UAE.

They used password spraying via Tor/VPNs to access mailboxes.

At the same time, Pay2Key ransomware resurfaced with stronger evasion and log wiping.

�� Read → https://thehackernews.com/2026/04/iran-linked-password-spraying-campaign.html

�� DPRK-linked attackers used GitHub as C2 in phishing-led attacks on South Korean orgs.

LNK files trigger hidden PowerShell, set persistence, and exfiltrate system data to attacker repos while pulling new payloads.

�� Read → https://thehackernews.com/2026/04/dprk-linked-hackers-use-github-as-c2-in.html

�� Attackers now move across Windows, macOS, Linux, and mobile in one campaign.

Multi-OS attacks break SOC workflows, splitting one threat into many investigations and slowing validation.

That delay gives attackers time to spread and persist.

�� Why fragmented triage increases risk → https://thehackernews.com/2026/04/multi-os-cyberattacks-how-socs-close.html

Automated pentesting evaluates environments through chained attack paths. If step A fails, steps B through Z never execute.

One blocked step near the top = cascading blind spot across every downstream technique.

Picus Security mapped these two other structural gaps in a new whitepaper.

Download now → https://thn.news/automated-blind-spots

⚠️ A compromised AI library exposed developer machines.

1,705 packages pulled infected LiteLLM versions, harvesting SSH keys and cloud creds from local systems via dependencies.

It worked because secrets sit in plaintext across files and tools.

�� How one dependency exposed thousands of environments → https://thehackernews.com/2026/04/how-litellm-turned-developer-machines.html

Everything hit at once this week ...

�� Supply-chain: Axios hack
�� Exploits: Chrome 0-day, TrueConf, Fortinet
�� Patches: Apple DarkSword fixes
�� Malware: ClickFix, DeepLoad, Mirax, Venom
�� Leak: Claude code exposure
�� Phishing: device code surge, banking scams
��️ Privacy: LinkedIn tracking claims
��️ Spyware: Paragon use confirmed
�� Infra: residential proxy abuse
�� Targeting: crypto org attacks
�� Policy: India SIM-binding
�� APT: access regain attempts
�� Insider: extortion case
❤️ Data: OkCupid settlement
�� Trend: stealer surge, malicious extensions

Read the full recap → https://thehackernews.com/2026/04/weekly-recap-axios-hack-chrome-0-day.html

AI isn’t making attacks smarter, says Martin Zugec, Technical Solutions Director at Bitdefender. It’s making them cheaper and easier to scale.

Current AI malware is often unreliable and less advanced, but it can hit thousands of standardized systems fast.

�� Why scale matters more than sophistication in AI threats → https://thehackernews.com/expert-insights/2026/04/why-ai-does-not-need-to-be-innovative.html

�� Qilin and Warlock #ransomware are disabling defenses before attacks using BYOVD techniques.

Qilin uses a side-loaded DLL to kill 300+ EDR drivers via vulnerable kernel drivers. Warlock exploits SharePoint and uses similar drivers to bypass kernel-level security, often delaying ransomware execution.

�� Find the technique disabling EDR tools → https://thehackernews.com/2026/04/qilin-and-warlock-ransomware-use.html

�� Germany’s BKA has identified a key figure behind the REvil #ransomware group.

Daniil Shchukin (“UNKN”) is accused of leading REvil, linked to 130 attacks in Germany causing over €35.4M in damage, with €1.9M in ransom paid.

�� Learn more here → https://thehackernews.com/2026/04/bka-identifies-revil-leaders-behind-130.html

�� North Korea-linked hackers spent 6 months building trust before stealing $285M from Drift.

They posed as a trading firm, met contributors in person, deposited $1M+, then used malicious code and a fake wallet app to gain access.

�� How social engineering enabled the Drift crypto theft → https://thehackernews.com/2026/04/285-million-drift-hack-traced-to-six.html