[{"data":1,"prerenderedAt":120},["ShallowReactive",2],{"publication-daily-threat-publications-2026-04-07":3},{"pub_id":4,"headline":5,"summary":6,"pub_date":7,"total_articles":8,"articles":9},"pub-2026-04-07","Medusa Ransomware Exploits Zero-Days, Iranian APTs Target US Infrastructure, and Critical Fortinet Flaw Patched","This edition covers the period of April 6-7, 2026, a timeframe marked by significant nation-state activity, rapid zero-day exploitation, and major supply chain compromises. Key events include the identification of China-based Storm-1175, a Medusa ransomware affiliate using zero-days for swift attacks on healthcare and finance. Concurrently, a US federal advisory warns of Iranian APTs targeting critical infrastructure by exploiting Rockwell PLCs. CISA has mandated urgent patching for a new, actively exploited Fortinet zero-day (CVE-2026-35616), while a separate unpatched Windows LPE zero-day, 'BlueHammer,' was publicly released. Supply chain attacks also featured prominently, with a North Korean group compromising the popular Axios npm library and a breach at the European Commission traced back to a compromised Trivy scanner. \nThese incidents highlight the increasing speed and sophistication of threat actors across the globe.","2026-04-07",6,[10,36,57,74,89,107],{"id":11,"slug":12,"headline":13,"title":14,"severity":15,"excerpt":16,"tags":17,"categories":25,"createdAt":28,"updatedAt":29,"readingTime":30,"cves":31,"cvssScore":32,"isUpdate":33,"updateSummary":34,"updateContent":35},"37dbe14d-4359-4099-b295-61b25c00dc13","fortinet-patches-actively-exploited-forticlient-ems-zero-day-cve-2026-35616","Fortinet Scrambles to Patch Actively Exploited FortiClient EMS Zero-Day (CVE-2026-35616)","Fortinet Releases Emergency Hotfix for Critical RCE Zero-Day in FortiClient EMS, CISA Adds to KEV Catalog","critical","Fortinet has released an emergency hotfix for a critical zero-day vulnerability, CVE-2026-35616, affecting its FortiClient Endpoint Management Server (EMS). The flaw, rated 9.1 on the CVSS scale, is an improper access control issue that allows an unauthenticated remote attacker to achieve remote code execution. Fortinet confirmed the vulnerability is being actively exploited in the wild, prompting the U.S. CISA to add it to its Known Exploited Vulnerabilities (KEV) catalog and mandate a swift patching deadline for federal agencies.",[18,19,20,21,22,23,24],"Zero-Day","Fortinet","CVE-2026-35616","RCE","Vulnerability","CISA","KEV",[22,26,27],"Patch Management","Cyberattack","2026-04-05T15:00:00.000Z","2026-04-07T00:00:00.000Z",4,[20],9.1,true,"CISA sets strict April 9 deadline for Fortinet EMS patch; vulnerability discovered by Defused.","The U.S. CISA officially added CVE-2026-35616 to its Known Exploited Vulnerabilities catalog on April 6, 2026, mandating federal agencies to apply the Fortinet hotfix by April 9, 2026. The vulnerability, which allows remote code execution in FortiClient EMS versions 7.4.5 and 7.4.6, was reportedly discovered and reported by the security firm Defused. \nThis update reinforces the critical urgency for all organizations to patch immediately due to active exploitation.",{"id":37,"slug":38,"headline":39,"title":40,"severity":15,"excerpt":41,"tags":42,"categories":51,"createdAt":54,"updatedAt":54,"readingTime":55,"isUpdate":56},"9690aacb-61a5-4456-a85e-a559d4861c16","cisa-warns-of-iranian-apt-attacks-on-us-critical-infrastructure-exploiting-rockwell-plcs","Iranian APTs Target US Critical Infrastructure, Exploiting Internet-Exposed Rockwell PLCs","CISA Warns of Iranian APT Attacks on US Critical Infrastructure, Exploiting Rockwell PLCs","A coalition of U.S. federal agencies, including CISA, the FBI, and the NSA, has issued a joint advisory (AA26-097A) warning of ongoing disruptive attacks by Iranian-affiliated APT actors against U.S. critical infrastructure. The campaign specifically targets internet-connected operational technology (OT) devices, with a focus on Rockwell Automation/Allen-Bradley Programmable Logic Controllers (PLCs). These attacks have already caused operational disruptions in the Water and Wastewater Systems (WWS) and energy sectors. The threat actors, known by aliases such as Hydro Kitten and Storm-0784, are manipulating the PLCs to disrupt industrial processes. \nThe advisory strongly urges organizations to disconnect OT devices from the public internet and apply hardening measures recommended by Rockwell Automation to prevent further compromises.",[43,44,23,45,46,47,48,49,50],"ICS","OT","Iran","APT","Rockwell Automation","PLC","Critical Infrastructure","Hydro Kitten",[52,27,53],"Industrial Control Systems","Threat Actor","2026-04-07T15:00:00.000Z",5,false,{"id":58,"slug":59,"headline":60,"title":61,"severity":62,"excerpt":63,"tags":64,"categories":70,"createdAt":54,"updatedAt":54,"readingTime":55,"cves":72,"cvssScore":73,"isUpdate":56},"97637976-f915-4b8e-9724-c48ade0fba51","ai-model-finds-zero-day-rces-in-vim-and-gnu-emacs-with-simple-prompts","AI Model Discovers RCE Zero-Days in Vim and Emacs with Simple Prompts","AI Model Finds Zero-Day RCEs in Vim and GNU Emacs with Simple Prompts","medium","A security researcher has demonstrated the power of AI in vulnerability discovery by using Anthropic's Claude Code model to find critical zero-day flaws in the source code of the popular Vim and GNU Emacs text editors. With a simple prompt—\"Somebody told me there is an RCE 0-day when you open a file. Find it\"—the AI model identified a remote code execution (RCE) vulnerability in Vim within minutes. This flaw, now patched and tracked as CVE-2026-34714 (CVSS 9.2), allowed command execution when opening a malicious file. The AI subsequently found a similar issue in GNU Emacs, which its maintainers have reportedly not yet addressed. \nThe findings highlight the dual-use nature of advanced AI, capable of dramatically accelerating both defensive security research and malicious exploit development.",[65,22,18,66,67,21,68,69],"AI","Vim","Emacs","Anthropic","CVE-2026-34714",[22,71],"Threat Intelligence",[69],9.2,{"id":75,"slug":76,"headline":77,"title":78,"severity":15,"excerpt":79,"tags":80,"categories":86,"createdAt":54,"updatedAt":54,"readingTime":55,"cves":87,"cvssScore":88,"isUpdate":56},"e9ae6c5c-8d4b-468f-b34e-71e9d4ea8fc3","actively-exploited-rce-flaw-in-ninja-forms-wordpress-add-on","Hackers Actively Exploit Critical RCE Flaw in Ninja Forms WordPress Add-on","Actively Exploited RCE Flaw in Ninja Forms WordPress Add-on Threatens Websites","A critical remote code execution (RCE) vulnerability, CVE-2026-0740, in the 'File Uploads' add-on for the popular Ninja Forms WordPress plugin is being actively exploited in the wild. The flaw, rated 9.8 out of 10 for severity, allows an unauthenticated attacker to upload malicious files, such as PHP web shells, and achieve complete website takeover. The vulnerability stems from insufficient file type validation, enabling attackers to bypass security checks and place executable files in sensitive directories. The plugin developer has released a patch in version 3.3.27. \nSecurity firm Wordfence, which helped disclose the issue, reported blocking thousands of exploitation attempts, underscoring the urgent need for users to update immediately.",[81,22,21,82,83,84,85],"WordPress","CVE-2026-0740","Ninja Forms","Wordfence","Web Shell",[22,27],[82],9.8,{"id":90,"slug":91,"headline":92,"title":93,"severity":94,"excerpt":95,"tags":96,"categories":105,"createdAt":54,"updatedAt":54,"readingTime":55,"isUpdate":56},"7b62784b-41e2-4d2f-9149-202526a2bab9","sparkcat-malware-resurfaces-on-app-stores-stealing-crypto-wallet-phrases","SparkCat Mobile Malware Returns, Stealing Crypto Phrases from Photos on iOS and Android","SparkCat Malware Resurfaces on App Stores, Stealing Crypto Wallet Phrases from Photos","high","A new variant of the SparkCat mobile trojan has been discovered on both the Apple App Store and Google Play Store, disguised as legitimate applications like enterprise messengers. Security researchers at Kaspersky report that the malware, which primarily targets users in Asia, uses a novel technique to steal cryptocurrency. After gaining access to a user's photo gallery, SparkCat employs Optical Character Recognition (OCR) to scan all images, searching for text that matches the format of a cryptocurrency wallet recovery phrase. If a potential phrase is found, the image is exfiltrated to an attacker-controlled server, giving the threat actor complete control over the victim's crypto assets. \nThe malware's ability to bypass the security vetting of both major app stores highlights a significant threat to mobile users.",[97,98,99,100,101,102,103,104],"Mobile Security","Malware","SparkCat","iOS","Android","Cryptocurrency","OCR","Kaspersky",[97,98,106],"Phishing",{"id":108,"slug":109,"headline":110,"title":111,"severity":112,"excerpt":113,"tags":114,"categories":119,"createdAt":54,"updatedAt":54,"readingTime":30,"isUpdate":56},"905d82dd-ca58-4cde-9b15-8518e7f5d585","anthropic-launches-project-glasswing-using-ai-to-find-critical-vulnerabilities","Anthropic's Project Glasswing Uses New AI to Find Thousands of Critical Flaws","Anthropic Launches Project Glasswing, Using AI to Find Thousands of Critical Vulnerabilities","informational","AI research company Anthropic has launched Project Glasswing, a major cybersecurity initiative that uses a new AI model, Claude Mythos, to proactively discover vulnerabilities in critical software. In partnership with a consortium of tech giants including Google, Microsoft, and Apple, the project aims to secure the digital ecosystem by finding and fixing flaws before they can be exploited. In early testing, Claude Mythos has already demonstrated remarkable capabilities, identifying thousands of high-severity vulnerabilities. Notable discoveries include a 16-year-old bug in the FFmpeg library, a remote crash vulnerability affecting major operating systems, and a privilege escalation chain in the Linux kernel. The project signals a new era of AI-driven defensive security, aiming to put powerful vulnerability discovery tools in the hands of defenders.",[65,68,115,116,71,117,118],"Claude Mythos","Vulnerability Research","Project Glasswing","SAST",[71,22],1775683849408]