[{"data":1,"prerenderedAt":212},["ShallowReactive",2],{"publication-daily-threat-publications-2026-04-05":3},{"pub_id":4,"headline":5,"summary":6,"pub_date":7,"total_articles":8,"articles":9},"pub-2026-04-05","Supply Chain Attacks and Critical Zero-Days Rattle Global Infrastructure","This edition covers a tumultuous period in cybersecurity for April 5, 2026, dominated by sophisticated supply chain attacks and the active exploitation of critical zero-day vulnerabilities. The European Commission and the AI data contractor Mercor, whose clients include Meta, OpenAI, and Anthropic, suffered major data breaches originating from compromised open-source tools (Trivy and LiteLLM respectively), with threat actor TeamPCP implicated in both. Concurrently, Fortinet and Google scrambled to patch actively exploited zero-days in FortiClient EMS (CVE-2026-35616) and the Chrome browser (CVE-2026-5281), both added to CISA's KEV catalog. Critical infrastructure also came under fire, with CISA issuing an emergency directive to decommission medical IoT gateways due to the 'Vitals Vapor' exploit, and Australian water facilities thwarting an attack on their control systems.","2026-04-05",12,[10,34,55,77,94,112,127,144,161,172,185,198],{"id":11,"slug":12,"headline":13,"title":14,"severity":15,"excerpt":16,"tags":17,"categories":24,"createdAt":28,"updatedAt":29,"readingTime":30,"isUpdate":31,"updateSummary":32,"updateContent":33},"188517d8-5771-46db-b25c-d3dcb110e017","lapsus-claims-theft-of-4tb-of-data-from-ai-firm-mercor-in-supply-chain-attack","Lapsus$ Claims Theft of 4TB of Data from AI Firm Mercor in LiteLLM Supply Chain Attack","Lapsus$ Claims 4TB Data Theft from AI Firm Mercor Following LiteLLM Supply Chain Attack","critical","AI recruiting firm Mercor has confirmed it was impacted by a recent supply chain attack targeting the open-source LiteLLM PyPI package. The incident occurred on March 27, when malicious versions `1.82.7` and `1.82.8` of LiteLLM were published to PyPI and remained available for about 40 minutes, long enough for any build that resolved LiteLLM in that window to pull them. 
Following the incident, the notorious extortion group Lapsus$ claimed responsibility, listing Mercor on its data leak site and alleging the theft of over 4 terabytes of data. Mercor is currently investigating the breach with third-party forensic experts. The breach began when Mercor's CI/CD workflow installed the compromised LiteLLM dependency, a reminder that a malicious release needs only minutes on the index to reach every pipeline that resolves versions at build time rather than from hash-pinned locks.",[18,19,20,21,22,23],"supply chain","Lapsus$","PyPI","LiteLLM","data breach","extortion",[25,26,27],"Supply Chain Attack","Data Breach","Threat Actor","2026-04-02T15:00:00.000Z","2026-04-05T12:00:00.000Z",6,true,"Meta suspended its partnership with Mercor after the LiteLLM supply chain attack exposed sensitive AI training data from clients like Meta, OpenAI, and Anthropic.","Meta has halted its partnership with AI data contracting startup Mercor following the LiteLLM supply chain attack. The breach, attributed to TeamPCP (Lapsus$ had earlier claimed responsibility and listed Mercor on its leak site), exposed highly sensitive and proprietary AI training data and methodologies belonging to Mercor's high-profile clients, including Meta, OpenAI, and Anthropic. This development significantly escalates the incident's impact, highlighting critical weaknesses in the AI supply chain and causing major financial and reputational damage to Mercor.",{"id":35,"slug":36,"headline":37,"title":38,"severity":15,"excerpt":39,"tags":40,"categories":46,"createdAt":28,"updatedAt":29,"readingTime":49,"cves":50,"cvssScore":52,"isUpdate":31,"updateSummary":53,"updateContent":54},"c23cf2cb-3082-42ae-a2be-7f6c8395749b","cisco-patches-critical-rce-flaw-in-ssm-on-prem","Cisco Patches Critical Unauthenticated RCE Flaw in Smart Software Manager","Cisco Patches Critical 9.8 CVSS RCE Vulnerability (CVE-2026-20160) in SSM On-Prem","Cisco has released a security patch for a critical vulnerability, CVE-2026-20160, in its Smart Software Manager On-Prem (SSM On-Prem) product. 
The flaw, which has a CVSS score of 9.8, could allow an unauthenticated, remote attacker to execute arbitrary commands with root privileges on the underlying operating system. The vulnerability is due to insufficient access control on a specific API. An attacker can exploit it by sending a crafted HTTP request. Cisco has released software updates and confirms there are no workarounds. The company's PSIRT is not aware of any malicious exploitation of this flaw, which was discovered during internal security testing.",[41,42,43,15,44,45],"Cisco","vulnerability","RCE","patch management","root",[47,48],"Vulnerability","Patch Management",5,[51],"CVE-2026-20160",9.8,"Cisco expands critical patch advisory to include IMC and more products, alongside SSM On-Prem.","Cisco has issued a broader security advisory, now encompassing critical vulnerabilities in its Integrated Management Controller (IMC) in addition to Smart Software Manager On-Prem (SSM On-Prem). The new advisory covers a wider range of affected products, including UCS servers and Catalyst Edge uCPE devices. These flaws allow unauthenticated remote attackers to bypass authentication, escalate privileges, and execute arbitrary commands, leading to full system compromise. 
While no active exploitation is known, immediate patching is urged due to the expanded scope and critical nature of these vulnerabilities across Cisco's enterprise hardware.",{"id":56,"slug":57,"headline":58,"title":59,"severity":60,"excerpt":61,"tags":62,"categories":70,"createdAt":72,"updatedAt":73,"readingTime":74,"isUpdate":31,"updateSummary":75,"updateContent":76},"80e3c016-b978-4632-b676-30f53c70a477","eu-commission-breach-traced-to-trivy-supply-chain-attack","EU Commission Hacked via Compromised Trivy Scanner in Major Supply Chain Attack","TeamPCP Exploits Compromised Trivy Scanner to Breach European Commission, Stealing 92GB of Data","high","A significant data breach at the European Commission has been attributed to the hacking group TeamPCP, who leveraged a compromised version of the popular Trivy open-source vulnerability scanner. The supply chain attack allowed the threat actors to steal an AWS API key, gain management rights to the Commission's cloud environment, and exfiltrate 92 GB of compressed data, including sensitive email communications. The stolen data was later put up for sale on a dark web forum by the data broker ShinyHunters, underscoring a dangerous collaboration between cybercriminal groups.",[63,64,65,22,66,67,68,69],"supply chain attack","cloud security","AWS","vulnerability scanner","TeamPCP","ShinyHunters","European Union",[25,26,71],"Cloud Security","2026-04-04T15:00:00.000Z","2026-04-05T00:00:00.000Z",4,"New details on EU Commission breach: Trivy compromised via GitHub CI/CD, 340GB uncompressed data exfiltrated, leak confirmed March 28.","The European Commission data breach update reveals that the Trivy scanner was compromised through its GitHub CI/CD pipeline. Attackers exfiltrated 92 GB of compressed data, which is now confirmed to be 340 GB uncompressed. The notorious ShinyHunters group publicly leaked the data on March 28, 2026. 
The breach impacts up to 71 EU entities, including 42 internal Commission clients and 29 other EU bodies. Additional MITRE ATT&CK techniques for persistence and exfiltration have also been identified.",{"id":78,"slug":79,"headline":80,"title":81,"severity":82,"excerpt":83,"tags":84,"categories":90,"createdAt":72,"updatedAt":73,"readingTime":74,"isUpdate":31,"updateSummary":92,"updateContent":93},"de669227-708a-4e04-bff1-2564fb02ac6f","hims-hers-data-breach-investigated-after-zendesk-compromise","Hims & Hers Faces Class Action Probe After Third-Party Vendor Breach","Hims & Hers Data Breach via Third-Party Vendor Zendesk Under Investigation","medium","Telehealth company Hims & Hers, Inc. is under investigation for a data breach that originated in its third-party customer service platform, Zendesk. An unauthorized user gained access to the company's Zendesk instance between February 4 and February 7, 2026, exposing sensitive customer service tickets. These tickets contained personal information submitted by customers, including names and contact details. The national class action law firm Edelson Lechtzin LLP has launched an investigation into data privacy claims, highlighting the significant supply chain risks associated with third-party vendors.",[22,63,85,86,87,88,89],"third-party risk","Hims & Hers","Zendesk","telehealth","privacy",[26,25,91],"Policy and Compliance","New details emerge on Hims & Hers breach, identifying ShinyHunters as the threat actor and a compromised Okta SSO account as the initial access vector.","New information reveals the Hims & Hers data breach was executed by the notorious ShinyHunters extortion group. The attackers gained unauthorized access to the company's Zendesk instance by compromising an Okta single sign-on (SSO) account, leveraging techniques such as Valid Accounts (T1078) and potentially Forge Web Credentials: SAML Tokens (T1606.002). 
The incident, which occurred between February 4 and 7, 2026, involved the exfiltration of customer support tickets containing names, contact information, and support request details. Hims & Hers confirmed medical records were not compromised and is offering 12 months of credit monitoring to affected individuals. This update provides crucial attribution and technical specifics on the initial access.",{"id":95,"slug":96,"headline":97,"title":98,"severity":15,"excerpt":99,"tags":100,"categories":106,"createdAt":108,"updatedAt":108,"readingTime":74,"cves":109,"cvssScore":110,"isUpdate":111},"37dbe14d-4359-4099-b295-61b25c00dc13","fortinet-patches-actively-exploited-forticlient-ems-zero-day-cve-2026-35616","Fortinet Scrambles to Patch Actively Exploited FortiClient EMS Zero-Day (CVE-2026-35616)","Fortinet Releases Emergency Hotfix for Critical RCE Zero-Day in FortiClient EMS, CISA Adds to KEV Catalog","Fortinet has released an emergency hotfix for a critical zero-day vulnerability, CVE-2026-35616, affecting its FortiClient Enterprise Management Server (EMS). The flaw, rated 9.1 on the CVSS scale, is an improper access control issue that allows an unauthenticated remote attacker to achieve remote code execution. Fortinet confirmed the vulnerability is being actively exploited in the wild, prompting the U.S. 
CISA to add it to its Known Exploited Vulnerabilities (KEV) catalog and mandate a swift patching deadline for federal agencies.",[101,102,103,43,47,104,105],"Zero-Day","Fortinet","CVE-2026-35616","CISA","KEV",[47,48,107],"Cyberattack","2026-04-05T15:00:00.000Z",[103],9.1,false,{"id":113,"slug":114,"headline":115,"title":116,"severity":60,"excerpt":117,"tags":118,"categories":125,"createdAt":108,"updatedAt":108,"readingTime":49,"isUpdate":111},"cfde1412-a965-479d-bbf9-600ffc076f39","hong-kong-hospital-authority-data-leak-56000-patients","Hong Kong Hospital Authority Apologizes for Data Leak Affecting 56,000 Patients","Hong Kong Hospital Authority Investigates Major Data Breach Exposing Personal and Medical Data of Over 56,000 Patients","The Hong Kong Hospital Authority (HA) is investigating a major data breach that exposed the sensitive personal and medical information of over 56,000 patients from its Kowloon East hospital cluster. The data, including HKID numbers and surgical details, was discovered on a third-party platform. While an external cyberattack has been ruled out, the breach is suspected to be linked to 'inappropriate access' by a contractor. 
The police and Hong Kong's privacy commissioner have launched formal investigations into the incident.",[26,119,120,121,122,123,124],"Healthcare","Hong Kong","Insider Threat","Contractor","PII","PHI",[26,126,27],"Regulatory",{"id":128,"slug":129,"headline":130,"title":131,"severity":82,"excerpt":132,"tags":133,"categories":142,"createdAt":108,"updatedAt":108,"readingTime":74,"isUpdate":111},"b2162db4-5f8f-49bf-a556-db83f3914a62","anthropic-accidentally-leaks-claude-code-ai-source-code","Anthropic Accidentally Leaks 'Claude Code' AI Source Code in Packaging Error","Anthropic's 'Claude Code' AI Source Code Accidentally Leaked to Public via npm Registry","AI research company Anthropic experienced a significant intellectual property leak after the full source code for its flagship 'Claude Code' AI tool was accidentally published. The leak was caused by a packaging error: a JavaScript source map (.map) file shipped inside a public npm package, and because source maps embed the original sources in their sourcesContent field, it exposed the entire agent architecture rather than just the minified bundle. For over three hours, 512,000 lines of proprietary TypeScript code were publicly accessible and were cloned thousands of times. Anthropic has stated it was a human error, not a security breach, and that no customer data was exposed.",[134,135,136,137,138,139,140,141],"Anthropic","Claude Code","Source Code Leak","Data Leak","npm","DevSecOps","Human Error","AI",[26,91,143],"Other",{"id":145,"slug":146,"headline":147,"title":148,"severity":60,"excerpt":149,"tags":150,"categories":159,"createdAt":108,"updatedAt":108,"readingTime":74,"isUpdate":111},"f89a73a7-8053-4f68-8762-2dc9d33cf83d","new-whatsapp-impersonation-fraud-targets-corporate-executives-in-hyderabad","Hyderabad Police Warn of WhatsApp Impersonation Fraud Leading to Major Corporate Losses","New WhatsApp Impersonation Fraud Targets Corporate Executives in Hyderabad","Police in Hyderabad, India, have issued an alert about a sophisticated new fraud scheme targeting corporations. 
The multi-stage attack begins with a phishing email that installs remote access malware on an employee's computer. The criminals then wait for an active WhatsApp Web session, which they hijack to impersonate a senior executive (like the CEO or CFO). Posing as the executive, they instruct finance staff to make urgent, fraudulent financial transfers. The use of the legitimate WhatsApp account lends credibility to the requests, leading to significant financial losses for several companies.",[151,152,153,154,155,156,157,158],"WhatsApp","Fraud","Phishing","Social Engineering","BEC","Impersonation","Hyderabad","India",[153,160,107],"Malware",{"id":162,"slug":163,"headline":164,"title":165,"severity":60,"excerpt":166,"tags":167,"categories":171,"createdAt":108,"updatedAt":108,"readingTime":74,"isUpdate":111},"46cab8ce-d5f5-44d1-b5c7-4407b734bffa","trend-micro-uncovers-malware-campaigns-targeting-seven-indian-banks","Trend Micro Uncovers Coordinated Malware Campaigns Targeting Seven Indian Banks","Trend Micro Uncovers Malware Campaigns Targeting Seven Indian Banks","Cybersecurity firm Trend Micro has identified a large-scale, coordinated phishing campaign targeting the customers of seven major banks in India. The attackers are using five distinct families of banking malware to steal credit card data and personal credentials. The primary attack vector is phishing messages containing malicious links that redirect victims to fake login pages and other fraudulent websites. 
The report highlights a significant and ongoing threat to India's banking sector, though the specific banks and malware families were not disclosed.",[153,160,168,169,158,170],"Banking Trojan","Trend Micro","Finance",[153,160,27],{"id":173,"slug":174,"headline":175,"title":176,"severity":15,"excerpt":177,"tags":178,"categories":182,"createdAt":108,"updatedAt":108,"readingTime":74,"isUpdate":111},"245fac43-15e1-444b-9327-87512fe41aa5","ai-driven-feedback-loop-attack-causes-market-freeze","Novel AI 'Feedback Loop' Attack Triggers 4-Hour Market Freeze at Financial Hub","AI-Driven \"Feedback Loop\" Attack Causes 4-Hour Market Freeze","A major global financial hub experienced a four-hour market freeze due to a novel cyberattack that turned an AI-powered defense system against itself. Attackers generated millions of fake, low-grade security alerts, overwhelming the institution's AI-driven Security Orchestration, Automation, and Response (SOAR) platform. The defensive AI, misinterpreting the flood of alerts as a massive assault, initiated its most drastic containment action: quarantining the entire primary trading floor network. The incident exposes a critical weakness in fully automated defense systems: when an attacker can generate alerts cheaply, the defender's own high-impact playbooks become the denial-of-service payload, which is why network-wide isolation should sit behind a human approval gate or rate limit rather than fire automatically.",[141,179,180,107,170,181],"Adversarial AI","SOAR","Denial of Service",[107,183,184],"Threat Intelligence","Industrial Control Systems",{"id":186,"slug":187,"headline":188,"title":189,"severity":15,"excerpt":190,"tags":191,"categories":197,"createdAt":108,"updatedAt":108,"readingTime":74,"isUpdate":111},"e7327ae4-ac1e-4ead-a190-1ce7a55fa891","cisa-mandates-decommission-of-medical-iot-gateways-vitals-vapor-zero-day","CISA Mandates Decommission of Medical IoT Gateways Due to 'Vitals Vapor' Zero-Day","CISA Issues Emergency Directive to Decommission Medical IoT Gateways Vulnerable to 'Vitals Vapor' Zero-Day Exploit","The U.S. 
Cybersecurity and Infrastructure Security Agency (CISA) has issued Emergency Directive 26-03, ordering the immediate decommissioning of specific legacy embedded IoT gateways used in medical facilities. The urgent action responds to a new zero-day exploit dubbed 'Vitals Vapor,' which poses a grave threat to patient safety. The exploit allows attackers to compromise patient monitoring systems, freeze the live data feed, and loop pre-recorded normal data to nursing stations, effectively hiding a patient's deteriorating condition or the effects of a cyberattack.",[104,192,193,119,101,194,195,196],"Emergency Directive","IoT Security","Vitals Vapor","Patient Safety","OT",[193,47,184],{"id":199,"slug":200,"headline":201,"title":202,"severity":15,"excerpt":203,"tags":204,"categories":211,"createdAt":108,"updatedAt":108,"readingTime":74,"isUpdate":111},"d8b7c7f2-3724-460b-b017-4685462cc1be","australian-water-treatment-facility-hit-by-coordinated-plc-breach","Australian Water Treatment Facilities Thwart Coordinated PLC Cyberattack","Australian Water Treatment Facility Hit by Coordinated PLC Breach","Multiple municipal water treatment facilities in Australia were the target of a coordinated cyberattack aimed at their chemical feed Programmable Logic Controllers (PLCs). The attackers attempted to breach the industrial control systems to override safety thresholds for chlorine distribution. A potential public health crisis was averted by the timely manual intervention of plant operators. The incident exposes significant vulnerabilities in internet-connected critical infrastructure and highlights the growing threat to operational technology (OT) in the water sector.",[205,206,207,208,107,209,210],"ICS","OT Security","PLC","Critical Infrastructure","Australia","Water Sector",[184,107,183],1775683849401]
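The LiteLLM item in this digest names two malicious PyPI releases, `1.82.7` and `1.82.8`, that were live for roughly 40 minutes and were pulled into Mercor's CI/CD by dependency resolution. The practical check a practitioner wants is an audit of dependency pins: flag any pin to the known-bad releases, flag requirements that float (no `==`), and flag `==` pins that carry no `--hash=` option, since only hash pins let `pip install --require-hashes` reject a swapped artifact. The following is an added example written for this edition; it is not code from the digest, from LiteLLM or from Mercor. The requirements text it scans is constructed, the placeholder hash is not a real digest, and the severity labels are the example's own; the only facts taken from the digest are the package name and the two version numbers.

```python
"""Audit Python dependency pins for known-malicious releases and missing hash pins.

Added example for the LiteLLM supply chain item. Assumptions: the requirements
text in SAMPLE_REQUIREMENTS is constructed for this example, the sha256 value in it
is a placeholder, and the severity labels are our own. Only stdlib is used.
"""
import re
from dataclasses import dataclass

# Package name -> releases reported as malicious (from the digest).
KNOWN_BAD = {"litellm": {"1.82.7", "1.82.8"}}

# Name, optional extras, optional version specifier. Hash options are checked separately.
_REQ_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*"
    r"(?P<spec>(?:[<>=!~]=?|===)\s*[^;\s\\]+)?"
)


@dataclass
class Finding:
    line_no: int
    package: str
    severity: str  # "critical" or "warning"
    reason: str


def _canonical(name: str) -> str:
    """PEP 503 name normalisation: case-insensitive, runs of -_. collapse to a dash."""
    return re.sub(r"[-_.]+", "-", name).lower()


def audit_requirements(text: str) -> list[Finding]:
    """Scan a requirements.txt / pip freeze style document and return findings."""
    # pip lets a requirement and its --hash options span lines via a trailing
    # backslash, so join continuations first while remembering the start line.
    logical: list[tuple[int, str]] = []
    buf, start = "", 0
    for i, raw in enumerate(text.splitlines(), 1):
        if not buf:
            start = i
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        logical.append((start, buf + raw))
        buf = ""
    if buf:
        logical.append((start, buf))

    findings: list[Finding] = []
    for line_no, line in logical:
        stripped = line.split("#", 1)[0].strip()
        if not stripped or stripped.startswith("-"):  # blank, comment, -r / -e / --index-url
            continue
        m = _REQ_RE.match(stripped)
        if not m:
            continue
        name = _canonical(m["name"])
        spec = (m["spec"] or "").replace(" ", "")
        has_hash = "--hash=" in stripped
        if spec.startswith("==") and not spec.startswith("==="):
            version = spec[2:].rstrip("*")
            if version in KNOWN_BAD.get(name, ()):
                findings.append(Finding(line_no, name, "critical",
                                        f"pinned to known-malicious release {version}"))
            if not has_hash:
                findings.append(Finding(line_no, name, "warning",
                                        "pinned without --hash; downloaded artifact is not verified"))
        else:
            findings.append(Finding(line_no, name, "warning",
                                    f"not pinned with == (spec {spec or 'none'}); a build in the "
                                    "malicious release window would have resolved to it"))
    return findings


# Constructed sample (not a real project's file); the sha256 below is a placeholder.
SAMPLE_REQUIREMENTS = """\
# hash-pinned: pip --require-hashes would reject a swapped artifact
requests==2.32.3 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
litellm==1.82.7          # what a lock refreshed during the bad window would contain
LiteLLM[proxy] == 1.82.8 # normalisation catches case, spacing and extras too
openai>=1.0              # floating: resolves to whatever the index serves at build time
numpy==1.26.4            # pinned but unverified
"""


def audit_sample() -> dict[str, list[str]]:
    """Run the audit on the constructed sample; returns severity -> flagged package names."""
    out: dict[str, list[str]] = {"critical": [], "warning": []}
    for f in audit_requirements(SAMPLE_REQUIREMENTS):
        out[f.severity].append(f.package)
    return out


if __name__ == "__main__":
    for f in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {f.line_no}: {f.severity.upper():8} {f.package}: {f.reason}")
```

Run against the sample, the two LiteLLM lines are reported as critical (and, like `numpy`, as unverified pins), `openai` is reported as floating, and the hash-pinned `requests` line passes. The name normalisation matters: `LiteLLM[proxy] == 1.82.8` is the same package as `litellm==1.82.8` and must be caught as such. The floating-specifier warning is the one that maps directly to the incident, since a CI job resolving `litellm` without a hash-pinned lock during those 40 minutes would have installed the malicious release with no error.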