cybercrime.club_ // where builders track threats
  • vulnerability 2026-04-25

    ASP.NET Core CVE-2026-40372: Signature-Bypass in DataProtection Forges Auth Cookies, Patching Alone Doesn't Close the Door

    Microsoft's out-of-band patch fixes a CVSS 9.1 signature-verification bug in ASP.NET Core DataProtection that lets unauthenticated attackers forge cookies and decrypt protected payloads. Tokens minted during the exposure window stay valid after upgrade — you have to rotate the key ring.

    privilege-escalation
  • supply-chain 2026-04-24

    @bitwarden/cli 2026.4.0 Backdoored in 93-Minute npm Window — 'Shai-Hulud: The Third Coming' Worm Hijacks Developer Credentials

    A trojanized @bitwarden/cli@2026.4.0 sat live on npm for 93 minutes on April 22, exfiltrating GitHub/npm tokens, SSH keys, cloud creds, and crypto wallet keys — and self-propagating through victims' own npm packages. The pivot came from the ongoing Checkmarx/TeamPCP campaign.

    supply-chain, npm, shai-hulud, worm, ci-cd, teampcp
  • vulnerabilities 2026-04-24

    LMDeploy SSRF (CVE-2026-33626) Weaponized in 12 Hours to Loot GPU IAM Credentials

    A Server-Side Request Forgery in LMDeploy's vision-language image loader turned LLM inference nodes into SSRF primitives for cloud metadata theft — exploited 12 hours and 31 minutes after disclosure.

    ssrf, ai-infrastructure, imds
  • ransomware 2026-04-23

    Kyber Ransomware: First Production PQC Deployment — Rust Windows Variant, ESXi Variant, Same Affiliate

    Rapid7 recovered two Kyber variants from a single incident: a Rust-based Windows encryptor that actually implements Kyber1024 + X25519 + AES-CTR, and an ESXi encryptor whose 'post-quantum' claim is just ChaCha8 under RSA-4096. Same campaign ID, same Tor infrastructure, same affiliate.

    ransomware
  • supply-chain 2026-04-23

    CanisterSprawl: Self-Propagating npm Worm Hits pgserve, Spreads to PyPI, Exfils to ICP Canister

    Malicious pgserve, automagik, xinference, and kube-health releases drop a 1,143-line postinstall stealer that re-publishes itself using stolen npm tokens and exfiltrates to a decentralized ICP canister.

    supply-chain, npm, pypi, worm, credential-theft
  • ot-security 2026-04-22

    BRIDGE:BREAK — 22 Flaws in Lantronix and Silex Serial-to-IP Converters, ~20,000 Devices Exposed

    Forescout's Vedere Labs disclosed 22 CVEs in Lantronix EDS3000PS/EDS5000 and Silex SD330-AC serial-to-IP converters, including unauthenticated RCE, hard-coded keys, and null admin passwords. Roughly 20,000 devices sit directly on the public internet.

    ics, ot
  • vulnerabilities 2026-04-22

    Spinnaker Dual 10.0s: Echo SpEL and Clouddriver gitrepo RCE Gut Netflix's CD Platform (CVE-2026-32604, CVE-2026-32613)

    Two critical (CVSS 10.0) RCE bugs in Spinnaker, disclosed April 21, 2026 with working PoCs: SpEL expression injection in Echo and shell injection in Clouddriver gitrepo artifacts. Any authenticated user pops the CD plane and walks out with every stored cloud credential.

    ci-cd, rce, command-injection, cloud
  • vulnerabilities 2026-04-21

    Quest KACE SMA CVE-2025-32975: CVSS 10.0 SSO Auth Bypass Added to CISA KEV as Admin Takeover Campaign Continues

    CISA added CVE-2025-32975 — a CVSS 10.0 SSO authentication bypass in Quest KACE Systems Management Appliance — to the KEV catalog on April 20, 2026. Federal agencies must patch by May 4. Exploitation has been in progress since March.

    authentication-bypass, cisa-kev, pre-auth, active-exploitation
  • vulnerabilities 2026-04-21 High

    Cisco Catalyst SD-WAN Manager: Three CVEs Land on CISA KEV With April 28 Federal Deadline

    CISA added CVE-2026-20122, CVE-2026-20128, and CVE-2026-20133 in Cisco Catalyst SD-WAN Manager (vManage) to the KEV catalog on April 20, 2026. Two of the three were confirmed exploited in the wild by Cisco PSIRT in March; together they let an attacker move from low-privilege API access to full vManage takeover.

    cisco, sd-wan, cisa-kev, privilege-escalation, patch-tuesday
  • threat-actors 2026-04-20

    The Gentlemen RaaS: SystemBC Proxy Botnet Reveals 1,570 Corporate Victims

    A DFIR engagement against The Gentlemen RaaS exposed a SystemBC C2 server proxying over 1,570 likely corporate victims, with affiliates leaning on a 14,700-device FortiGate inventory for initial access.

    ransomware, cobalt-strike
  • supply-chain 2026-04-20

    Vercel Breach: Context.ai OAuth Pivot Exposes Customer Environment Variables

    A Lumma Stealer infection at Context.ai gave attackers an OAuth path into a Vercel employee's Google Workspace, then into customer environment variables. ShinyHunters is now selling the data for $2M.

    supply-chain, oauth, shinyhunters
  • breach 2026-04-19

    ShinyHunters Dumps 3M Cisco Salesforce Records as UNC6040 Vishing Campaign Expands

    ShinyHunters leaks 3M+ Cisco Salesforce CRM records tied to the UNC6040 vishing/OAuth-abuse campaign, exposing federal procurement data, AWS resource references, and GitHub repo names.

    shinyhunters, salesforce, cisco, oauth, data-breach
  • deep dive 2026-04-19 11 min read

    The Ransomware Dwell Time Collapse: When the Entire Kill Chain Fits Inside an Hour

    Akira is encrypting domains 60 minutes after a VPN login. Storm-1175 is going from zero-day to domain-wide Medusa deployment in under 24 hours. The industry's average detection time is still measured in days. The math no longer works.

    ransomware, incident-response, vpn, opinion
  • OT Security 2026-04-19

    ZionSiphon: OT Sabotage Malware Targeting Israeli Water and Desalination Plants

    Darktrace dissects ZionSiphon, a politically motivated OT malware built to tamper with chlorine and pressure in Israeli water systems. Broken by bad crypto, but the blueprint is real.

    ot, ics, scada, malware, critical-infrastructure
  • ransomware 2026-04-18

    Payouts King Runs Hidden QEMU VMs to Bypass EDR — STAC4713 and CitrixBleed 2 Campaigns

    Sophos tracks two Payouts King campaigns running Alpine Linux inside QEMU on Windows hosts to tunnel reverse SSH and evade endpoint security. STAC3725 chains in CitrixBleed 2 (CVE-2025-5777) against NetScaler.

    ransomware, edr-evasion
  • vulnerabilities 2026-04-18

    RedSun and UnDefend: Two More Defender Zero-Days Dropped, All Three Now Exploited in the Wild

    The same disgruntled researcher who dropped BlueHammer has now released RedSun and UnDefend. Huntress confirms all three Windows Defender zero-days are now being weaponized in hands-on-keyboard intrusions. Two remain unpatched.

    windows, zero-day, privilege-escalation
  • Incidents 2026-04-17

    Operation PowerOFF: 21-Country Takedown Seizes 53 DDoS-for-Hire Domains, Exposes 3 Million User Accounts

    Europol-coordinated action across 21 countries seizes 53 booter/stresser domains, makes four arrests in Poland, and captures databases containing over 3 million DDoS-for-hire user accounts.

  • vulnerabilities 2026-04-17

    Kyverno apiCall Service Helper Leaks ServiceAccount Token to Attacker-Controlled Endpoints (CVE-2026-40868)

    A high-severity flaw in Kyverno's apiCall servicecall helper implicitly attaches the controller's ServiceAccount bearer token to policy-controlled outbound URLs, letting any ClusterPolicy author exfiltrate the token and impersonate the Kyverno controller.

    kubernetes
  • vulnerabilities 2026-04-16

    CISA Adds Apache ActiveMQ CVE-2026-34197 to KEV as 13-Year-Old Jolokia RCE Sees Active Exploitation

    CISA added CVE-2026-34197 to the KEV catalog today with an April 30 patch deadline. The 13-year-old Jolokia MBean flaw yields RCE on the broker JVM and is unauthenticated on ActiveMQ 6.0.0–6.1.1 when chained with CVE-2024-32114.

    rce, cisa-kev
  • vulnerabilities 2026-04-16

    Two Critical FortiSandbox Flaws Let Unauthenticated Attackers Execute Commands and Bypass Auth

    Fortinet discloses CVE-2026-39808 and CVE-2026-39813 — two CVSS 9.1 flaws in FortiSandbox allowing unauthenticated command execution and authentication bypass via crafted HTTP requests.

    fortinet, command-injection, authentication-bypass
© 2026 Max Clinton