April 27, 2026

Cybersecurity news roundup April 27, 2026

San Mateo, CA, April 27, 2026 — Developments, threats, and responses in the news last week.

STORIES THIS WEEK

Defender turned against itself by three zero-days

Microsoft patched BlueHammer (CVE-2026-33825) on April 14, but RedSun and UnDefend remain unpatched. All three have been used in real intrusions, chaining escalation to SYSTEM with progressive corruption of Defender’s update pipeline, on systems that are otherwise fully patched. BleepingComputer, April 17, 2026

North Korea stole $292M without touching a smart contract

TraderTraitor compromised two LayerZero-operated RPC nodes, DDoS’d the backups, and forced a failover to attacker-controlled infrastructure. The bridge’s sole verifier accepted a fabricated cross-chain message as valid and released $292M in rsETH. No smart contract flaw was involved; the attack targeted the off-chain infrastructure the contracts trusted. Chainalysis, April 23, 2026

Cisco firewall backdoor survives patches, firmware, and reboots

CISA and the UK NCSC confirmed the presence of the FIRESTARTER implant on a federal Cisco Firepower device, where it persisted from before September 2025 through March 2026. It hooks into LINA, the core engine that handles traffic on Cisco’s ASA/Firepower platforms, and survived patching, firmware updates and reboots. Only a hard power cycle removes it. CyberScoop, April 23, 2026

Bitwarden’s build pipeline weaponized against developers

Attackers exploited a Checkmarx-linked GitHub Action in Bitwarden’s CI/CD pipeline to publish a malicious npm release on April 22. The payload harvested SSH keys, cloud secrets, and CI tokens before exfiltrating them to attacker-controlled repositories. The Hacker News, April 23, 2026

13-year-old ActiveMQ flaw under active exploitation, 6,300 servers exposed

CVE-2026-34197 was added to CISA’s KEV on April 16. Shadowserver counted 6,300 vulnerable internet-facing instances on April 19. Where default admin credentials are still in place, the Jolokia API is trivially reachable; on some versions the flaw yields unauthenticated RCE with minimal effort. BleepingComputer, April 17, 2026

Ghost telecoms exploiting SS7 to track phones silently

Citizen Lab identified two campaigns that used front companies with legitimate telecom access to geolocate targets through signaling-protocol abuse. One delivered zero-click binary SMS commands that were processed silently by the SIM card rather than the phone’s operating system, leaving no trace on the device. TechCrunch, April 23, 2026

Ransomware negotiator was feeding intel to the attackers

Angelo Martino pleaded guilty on April 20 to working with BlackCat while posing as a victim-side negotiator. He passed clients’ insurance limits and negotiating positions to the attackers. Authorities seized approximately $10 million in linked assets. CyberScoop, April 20, 2026

France’s national identity portal breached, 19M records claimed

France Titres, the agency that operates the ANTS identity-document portal, confirmed unauthorized access to portal account data on April 22. A threat actor claimed to have compromised 19 million records. The agency said the portal’s systems themselves were not taken over; investigators are assessing the resulting phishing and identity-fraud exposure. The Record, April 20, 2026

AI model files weaponized in CVSS 9.8 remote code execution attack

CVE-2026-5760 in SGLang allows arbitrary OS command execution via malicious GGUF model files. Any environment that loads community models from public repositories without validating their origin risks full compromise of the host. The Hacker News, April 21, 2026
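The practical control behind “validating their origin” is to refuse any model file whose hash is not pinned in a trusted manifest, and to parse the file’s header with bounds checks before handing it to a loader. The following is an added example written for this roundup, not code from SGLang or from the CVE write-up, and it does not model the mechanism of CVE-2026-5760 (the page does not describe it). The manifest format, the `admit_model` gate and the sample GGUF blob are constructed assumptions; the GGUF header layout (magic, uint32 version, uint64 tensor and key-value counts, uint64-prefixed strings) follows the published v2/v3 format.

```python
import hashlib
import struct

GGUF_MAGIC = b"GGUF"
GGUF_STRING = 8                # metadata value type id for strings
SUPPORTED_VERSIONS = {2, 3}    # v1 used 32-bit lengths; not handled here
MAX_STRING_LEN = 1 << 20       # cap on any single metadata string (1 MiB)


def _gguf_str(data: bytes) -> bytes:
    """GGUF v2/v3 string: uint64 little-endian length, then raw bytes."""
    return struct.pack("<Q", len(data)) + data


def build_gguf(metadata: dict, version: int = 3) -> bytes:
    """Constructed sample: header + string-only metadata, no tensors (real files continue with tensor info)."""
    out = GGUF_MAGIC + struct.pack("<IQQ", version, 0, len(metadata))
    for key, value in metadata.items():
        out += _gguf_str(key.encode()) + struct.pack("<I", GGUF_STRING)
        out += _gguf_str(value.encode())
    return out


def parse_gguf_metadata(blob: bytes) -> dict:
    """Read the header and string metadata, checking every length field against the file size."""
    if len(blob) < 24:
        raise ValueError("truncated header")
    if blob[:4] != GGUF_MAGIC:
        raise ValueError("not a GGUF file (bad magic)")
    version, tensor_count, kv_count = struct.unpack_from("<IQQ", blob, 4)
    if version not in SUPPORTED_VERSIONS:
        raise ValueError(f"unsupported GGUF version {version}")
    off = 24
    meta = {}

    def read_str() -> str:
        nonlocal off
        if off + 8 > len(blob):
            raise ValueError("truncated length field")
        n = struct.unpack_from("<Q", blob, off)[0]
        off += 8
        if n > MAX_STRING_LEN or off + n > len(blob):
            raise ValueError(f"string length {n} exceeds file or cap")
        s = blob[off:off + n]
        off += n
        return s.decode("utf-8")

    for _ in range(kv_count):          # an absurd kv_count ends in a truncation error, not a hang
        key = read_str()
        if off + 4 > len(blob):
            raise ValueError("truncated value type")
        vtype = struct.unpack_from("<I", blob, off)[0]
        off += 4
        if vtype != GGUF_STRING:
            raise ValueError(f"metadata type {vtype} not handled in this example")
        meta[key] = read_str()
    return {"version": version, "tensor_count": tensor_count, "metadata": meta}


def admit_model(blob: bytes, pinned_sha256: dict, name: str) -> dict:
    """Gate a downloaded file on a pinned hash from a trusted manifest before parsing it.
    The manifest (hypothetical) should live in version control, separate from the download path."""
    digest = hashlib.sha256(blob).hexdigest()
    expected = pinned_sha256.get(name)
    if expected is None:
        raise PermissionError(f"{name}: no pinned hash, refusing to load")
    if digest != expected:
        raise PermissionError(f"{name}: sha256 {digest[:12]} does not match pinned {expected[:12]}")
    return parse_gguf_metadata(blob)


# Constructed sample: a tiny model file, a manifest pinning its hash, and a tampered copy.
SAMPLE = build_gguf({"general.architecture": "llama", "general.name": "demo"})
MANIFEST = {"demo.gguf": hashlib.sha256(SAMPLE).hexdigest()}
TAMPERED = SAMPLE[:-1] + bytes([SAMPLE[-1] ^ 0x01])   # one byte flipped in the last metadata string


def check(blob: bytes, name: str = "demo.gguf") -> str:
    """Return a status string so each outcome can be asserted on."""
    try:
        info = admit_model(blob, MANIFEST, name)
        return "admitted:" + info["metadata"]["general.architecture"]
    except (PermissionError, ValueError) as exc:
        return "rejected:" + exc.__class__.__name__


if __name__ == "__main__":
    print(check(SAMPLE))                              # admitted:llama
    print(check(TAMPERED))                            # rejected:PermissionError
    print(check(SAMPLE, "unpinned.gguf"))             # rejected:PermissionError
```

The hash gate runs before any parsing, so a tampered or unpinned file is never handed to a loader at all; the bounds-checked parser is the second layer for files that pass the gate but carry oversized or inconsistent length fields. A hash pin does not tell you a model is benign, only that it is the artifact someone reviewed, so the manifest is only as trustworthy as the review that produced it.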

Lumma Stealer infection chains through to Vercel breach

A Lumma Stealer infection on a Context.ai employee’s machine gave attackers a path through Google Workspace into Vercel’s internal systems. The multi-hop chain shows how one compromised endpoint can pivot through SaaS identities into another organization’s infrastructure. SecurityWeek, April 20, 2026

Japan forms AI risk task force after Mythos model release

Japan’s Financial Services Agency, the Bank of Japan, and major banks established a task force citing risks from Anthropic’s Mythos Preview. It follows regulatory action in South Korea and India, which treat autonomous exploit-generation as a systemic financial risk. The Star, April 24, 2026

Hacked cybersecurity firm threatens journalists who reported the breach

An attacker recovered API keys from unprotected admin accounts at the Mexican firm BePrime, seizing control of 1,858 Cisco Meraki network devices and accessing live surveillance feeds at client sites, including Iberdrola and Whirlpool. BePrime responded by threatening legal action against journalists covering the breach. DataBreaches.net, April 20, 2026

Scattered Spider ringleader pleads guilty to wire fraud and identity theft

Tyler Buchanan, a 24-year-old British national, was identified as a leading Scattered Spider member and pleaded guilty on April 20 to charges related to SMS phishing campaigns that breached dozens of companies and stole at least $8M in cryptocurrency. Sentencing is set for August 2026. BleepingComputer, April 20, 2026

SMS blasters seized in Toronto credential-theft operation

Three men were arrested after devices that mimic cell towers (SMS blasters) were found pushing fraudulent texts to nearby phones. The investigation began when a cybersecurity partner flagged a device in a downtown Toronto building in November 2025. The Record, April 23, 2026


About NetworkTigers

NetworkTigers is the leader in the secondary market for Grade A, seller-refurbished networking equipment. Founded in January 1996 as Andover Consulting Group, which built and re-architected data centers for Fortune 500 firms, NetworkTigers provides consulting and network equipment to global governmental agencies, Fortune 2000, and healthcare companies. www.networktigers.com.

Katrina Boydon
Katrina Boydon is a veteran technology writer and editor known for turning complex ideas into clear, readable insights. She embraces AI as a helpful tool but keeps the editing, and the skepticism, firmly human.
