Daily Digest

Medusa Ransomware Exploits Zero-Days, Iranian APTs Target US Infrastructure, and Critical Fortinet Flaw Patched

Medusa Ransomware Exploits Zero-Days, Iranian APTs Target US Infrastructure, and Critical Fortinet Flaw Patched

April 7, 2026
6 articles (5 new, 1 updated)
18 min read

Summary

This edition covers the period of April 6-7, 2026, a timeframe marked by significant nation-state activity, rapid zero-day exploitation, and major supply chain compromises. Key events include the identification of China-based Storm-1175, a Medusa ransomware affiliate using zero-days for swift attacks on healthcare and finance. Concurrently, a US federal advisory warns of Iranian APTs targeting critical infrastructure by exploiting Rockwell PLCs. CISA has mandated urgent patching for a new, actively exploited Fortinet zero-day (CVE-2026-35616), while a separate unpatched Windows LPE zero-day, 'BlueHammer,' was publicly released. Supply chain attacks also featured prominently, with a North Korean group compromising the popular Axios npm library and a breach at the European Commission traced back to a compromised Trivy scanner. These incidents highlight the increasing speed and sophistication of threat actors across the globe.

Filter by Category

New Articles (5)

Iranian APTs Target US Critical Infrastructure, Exploiting Internet-Exposed Rockwell PLCs

CRITICAL

CISA Warns of Iranian APT Attacks on US Critical Infrastructure, Exploiting Rockwell PLCs

A coalition of U.S. federal agencies, including CISA, the FBI, and the NSA, has issued a joint advisory (AA26-097A) warning of ongoing disruptive attacks by Iranian-affiliated APT actors against U.S. critical infrastructure. The campaign specifically targets internet-connected operational technology (OT) devices, with a focus on Rockwell Automation/Allen-Bradley Programmable Logic Controllers (PLCs). These attacks have already caused operational disruptions in the Water and Wastewater Systems (WWS) and energy sectors. The threat actors, known by aliases such as Hydro Kitten and Storm-0784, are manipulating the PLCs to disrupt industrial processes. The advisory strongly urges organizations to disconnect OT devices from the public internet and apply hardening measures recommended by Rockwell Automation to prevent further compromises.

April 7, 2026
5 min read
ICSOTCISAIranAPT +4 more
Iranian APTs Target US Critical Infrastructure, Exploiting Internet-Exposed Rockwell PLCs

AI Model Discovers RCE Zero-Days in Vim and Emacs with Simple Prompts

MEDIUM

AI Model Finds Zero-Day RCEs in Vim and GNU Emacs with Simple Prompts

A security researcher has demonstrated the power of AI in vulnerability discovery by using Anthropic's Claude Code model to find critical zero-day flaws in the source code of the popular Vim and GNU Emacs text editors. With a simple prompt—"Somebody told me there is an RCE 0-day when you open a file. Find it"—the AI model identified a remote code execution (RCE) vulnerability in Vim within minutes. This flaw, now patched and tracked as CVE-2026-34714 (CVSS 9.2), allowed command execution when opening a malicious file. The AI subsequently found a similar issue in GNU Emacs, which its maintainers have reportedly not yet addressed. The findings highlight the dual-use nature of advanced AI, capable of dramatically accelerating both defensive security research and malicious exploit development.

April 7, 2026
5 min read
AIVulnerabilityZero-DayVimEmacs +3 more
AI Model Discovers RCE Zero-Days in Vim and Emacs with Simple Prompts

Hackers Actively Exploit Critical RCE Flaw in Ninja Forms WordPress Add-on

CRITICAL

Actively Exploited RCE Flaw in Ninja Forms WordPress Add-on Threatens Websites

A critical remote code execution (RCE) vulnerability, CVE-2026-0740, in the 'File Uploads' add-on for the popular Ninja Forms WordPress plugin is being actively exploited in the wild. The flaw, rated 9.8 out of 10 for severity, allows an unauthenticated attacker to upload malicious files, such as PHP web shells, and achieve complete website takeover. The vulnerability stems from insufficient file type validation, enabling attackers to bypass security checks and place executable files in sensitive directories. The plugin developer has released a patch in version 3.3.27. Security firm Wordfence, which helped disclose the issue, reported blocking thousands of exploitation attempts, underscoring the urgent need for users to update immediately.

April 7, 2026
5 min read
WordPressVulnerabilityRCECVE-2026-0740Ninja Forms +2 more
Hackers Actively Exploit Critical RCE Flaw in Ninja Forms WordPress Add-on

SparkCat Mobile Malware Returns, Stealing Crypto Phrases from Photos on iOS and Android

HIGH

SparkCat Malware Resurfaces on App Stores, Stealing Crypto Wallet Phrases from Photos

A new variant of the SparkCat mobile trojan has been discovered on both the Apple App Store and Google Play Store, disguised as legitimate applications like enterprise messengers. Security researchers at Kaspersky report that the malware, which primarily targets users in Asia, uses a novel technique to steal cryptocurrency. After gaining access to a user's photo gallery, SparkCat employs Optical Character Recognition (OCR) to scan all images, searching for text that matches the format of a cryptocurrency wallet recovery phrase. If a potential phrase is found, the image is exfiltrated to an attacker-controlled server, giving the threat actor complete control over the victim's crypto assets. The malware's ability to bypass the security vetting of both major app stores highlights a significant threat to mobile users.

April 7, 2026
5 min read
Mobile SecurityMalwareSparkCatiOSAndroid +3 more
SparkCat Mobile Malware Returns, Stealing Crypto Phrases from Photos on iOS and Android

Anthropic's Project Glasswing Uses New AI to Find Thousands of Critical Flaws

INFORMATIONAL

Anthropic Launches Project Glasswing, Using AI to Find Thousands of Critical Vulnerabilities

AI research company Anthropic has launched Project Glasswing, a major cybersecurity initiative that uses a new AI model, Claude Mythos, to proactively discover vulnerabilities in critical software. In partnership with a consortium of tech giants including Google, Microsoft, and Apple, the project aims to secure the digital ecosystem by finding and fixing flaws before they can be exploited. In early testing, Claude Mythos has already demonstrated remarkable capabilities, identifying thousands of high-severity vulnerabilities. Notable discoveries include a 16-year-old bug in the FFmpeg library, a remote crash vulnerability affecting major operating systems, and a privilege escalation chain in the Linux kernel. The project signals a new era of AI-driven defensive security, aiming to put powerful vulnerability discovery tools in the hands of defenders.

April 7, 2026
4 min read
AIAnthropicClaude MythosVulnerability ResearchThreat Intelligence +2 more
Anthropic's Project Glasswing Uses New AI to Find Thousands of Critical Flaws

Updated Articles (1)

Fortinet Scrambles to Patch Actively Exploited FortiClient EMS Zero-Day (CVE-2026-35616)

CRITICAL

Fortinet Releases Emergency Hotfix for Critical RCE Zero-Day in FortiClient EMS, CISA Adds to KEV Catalog

Update:

The U.S. CISA officially added CVE-2026-35616 to its Known Exploited Vulnerabilities catalog on April 6, 2026, mandating federal agencies to apply the Fortinet hotfix by April 9, 2026. The vulnerability, which allows remote code execution in FortiClient EMS versions 7.4.5 and 7.4.6, was reportedly discovered and reported by the security firm Defused. This update reinforces the critical urgency for all organizations to patch immediately due to active exploitation.

April 5, 2026
Updated: April 7, 2026
4 min read
Zero-DayFortinetCVE-2026-35616RCEVulnerability +2 more
Fortinet Scrambles to Patch Actively Exploited FortiClient EMS Zero-Day (CVE-2026-35616)

📢 Share This Publication

Help others stay informed about cybersecurity threats

📅 Daily Edition

Curated and deduplicated every day from dozens of trusted sources — giving you one clean, consolidated view of what matters in cybersecurity.

🔢 Deduplication Applied

Related stories are merged into a single evolving article rather than repeated as separate entries — cutting through noise so you only read what's new.

🔗 Full Articles Linked

Every entry links to its full enriched article — complete with MITRE ATT&CK mappings, extracted IOCs, and actionable detection and mitigation guidance.