[{"data":1,"prerenderedAt":167},["ShallowReactive",2],{"publication-daily-threat-publications-2026-04-08":3},{"pub_id":4,"headline":5,"summary":6,"pub_date":7,"total_articles":8,"articles":9},"pub-2026-04-08","US Warns of Iranian APTs on Critical Infrastructure; APT28 Hijacks Routers and Deploys New Malware","This edition covers a critical alert from US agencies regarding Iranian APTs targeting industrial controllers in critical infrastructure, leading to operational disruptions. Concurrently, the Russian-linked group APT28 has been implicated in two major campaigns: one hijacking thousands of SOHO routers for global espionage and another deploying a new malware suite, PRISMEX, against Ukraine and NATO allies. Other significant events include Google patching a fourth actively exploited Chrome zero-day, a supply chain attack hitting Cisco via a compromised scanner, and multiple data breaches in the healthcare sector, highlighting the persistent threats facing both public and private entities.","2026-04-08",9,[10,37,59,80,95,109,124,139,154],{"id":11,"slug":12,"headline":13,"title":14,"severity":15,"excerpt":16,"tags":17,"categories":24,"createdAt":28,"updatedAt":29,"readingTime":30,"cves":31,"cvssScore":33,"isUpdate":34,"updateSummary":35,"updateContent":36},"a2583597-6a88-4c03-991d-495095d184da","teampcp-supply-chain-attack-compromises-trivy-litellm","TeamPCP's Sophisticated Supply Chain Attack on Trivy and LiteLLM Hits 1,000+ SaaS Environments","Massive Supply Chain Attack by TeamPCP Compromises Trivy Scanner, Spreads to LiteLLM and Checkmarx","critical","A multi-stage supply chain attack by the threat group TeamPCP has caused a significant security crisis, beginning with the compromise of the popular open-source scanner Trivy and expanding to other developer tools, including Checkmarx KICS and LiteLLM. The attackers exploited a previously stolen GitHub token to poison official software releases and CI/CD pipelines, injecting credential-stealing malware. 
The campaign has already compromised over 1,000 SaaS environments, exfiltrating cloud credentials, SSH keys, and other secrets. The attack, tracked under CVE-2026-33634, highlights the systemic risk in modern software supply chains, with experts warning the full impact could affect up to 10,000 organizations.",[18,19,20,21,22,23],"CI/CD Security","Tag Poisoning","Infostealer","GitHub Actions","PyPI","Cloud Security",[25,26,27],"Supply Chain Attack","Malware","Threat Actor","2026-03-25T15:00:00.000Z","2026-04-08T12:00:00.000Z",6,[32],"CVE-2026-33634",9.4,true,"Cisco confirmed as victim of Trivy supply chain attack, leading to source code and AWS key theft from internal development environments.","Technology giant Cisco has confirmed it was impacted by the TeamPCP supply chain attack, which leveraged the compromised Trivy scanner. Attackers used a malicious GitHub Action to pivot into Cisco's internal development environment, resulting in the theft of source code and AWS cloud credentials. This led to unauthorized activities in a limited number of Cisco's AWS accounts. The incident highlights the severe downstream impact of the initial Trivy compromise, demonstrating how a single compromised tool can unravel the security of dependent organizations. 
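The pivot described here depends on a pipeline trusting a mutable reference: once a stolen token can move a tag or rewrite a release, every workflow that names the action by tag runs whatever the attacker pushed. The following is an added example, written for this page and not code from TeamPCP, Trivy, Cisco, or any affected project: it scans a workflow for 'uses:' references that are not pinned to a full commit SHA. The workflow text, action names and the SHA in it are constructed for illustration.

```python
# Added example (not from the page or any affected project): audit a GitHub
# Actions workflow for 'uses:' references that point at a mutable tag or branch
# instead of a full commit SHA. A token that can move a tag poisons every
# pipeline that trusts the tag; a pipeline pinned to a commit SHA keeps running
# the reviewed code until someone deliberately changes the pin.

# Constructed sample workflow. The action names and the SHA are illustrative.
SAMPLE_WORKFLOW = '''
name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@master
        with:
          scan-type: fs
      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
'''

HEX_DIGITS = set('0123456789abcdef')


def parse_uses(workflow_text):
    '''Yield (line_number, reference) for each uses: line in the workflow.

    A line-oriented scan is enough because uses: is always a scalar key on
    its own line in workflow YAML, so no YAML parser is needed.
    '''
    for lineno, raw in enumerate(workflow_text.splitlines(), start=1):
        line = raw.strip()
        if line.startswith('- '):
            line = line[2:].lstrip()
        if line.startswith('uses:'):
            yield lineno, line[len('uses:'):].strip()


def is_full_sha(version):
    '''True only for a 40-hex-digit commit SHA. Short SHAs can be ambiguous
    and tags or branches can be retargeted, so neither counts as pinned.'''
    return len(version) == 40 and all(c in HEX_DIGITS for c in version.lower())


def classify(ref):
    '''Classify one uses: reference as local, pinned, tag, branch or unpinned.'''
    if ref.startswith('./'):
        return 'local'          # same-repo composite action, reviewed with the repo
    if ref.startswith('docker://'):
        return 'pinned' if '@sha256:' in ref else 'tag'   # image tags are mutable too
    if '@' not in ref:
        return 'unpinned'
    version = ref.rpartition('@')[2]
    if is_full_sha(version):
        return 'pinned'
    if version.startswith('v') and version[1:2].isdigit():
        return 'tag'
    return 'branch'


def audit(workflow_text):
    '''Return [(line_number, reference, kind)] for every mutable reference.'''
    findings = []
    for lineno, ref in parse_uses(workflow_text):
        kind = classify(ref)
        if kind not in ('pinned', 'local'):
            findings.append((lineno, ref, kind))
    return findings


if __name__ == '__main__':
    for lineno, ref, kind in audit(SAMPLE_WORKFLOW):
        print('line %d: %s (%s) is not pinned to a commit SHA' % (lineno, ref, kind))
```

Pinning to a SHA closes the tag-retargeting path but not a compromise of the code behind the SHA you chose, so the pin still has to be reviewed when it is first set and whenever it is bumped. The check also does not see transitive actions: a pinned composite action can itself call an unpinned one, so the same scan should run against the action repositories a workflow depends on.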
Cisco has responded by isolating affected systems, reimaging workstations, and rotating all compromised credentials.",{"id":38,"slug":39,"headline":40,"title":41,"severity":42,"excerpt":43,"tags":44,"categories":51,"createdAt":54,"updatedAt":55,"readingTime":56,"isUpdate":34,"updateSummary":57,"updateContent":58},"2945ddb6-b949-41fd-9964-4d06cc716aff","pro-iranian-hackers-handala-target-us-medical-tech-company-stryker","Pro-Iranian Hacktivists \"Handala\" Claim Attack on US Medical Tech Firm Stryker","Pro-Iranian Hacking Group Handala Targets US Medical Tech Company Stryker Amidst Wave of Attacks on Healthcare","medium","A pro-Iranian hacktivist group known as Handala has claimed responsibility for a cyberattack against Stryker, a prominent US-based medical technology company. This incident is part of a broader, politically motivated campaign by Iranian-linked threat actors targeting the US healthcare sector. Unlike financially motivated attacks, the primary goal of these operations appears to be disruption, intimidation, and causing chaos, reflecting the use of cyber operations as a tool in geopolitical conflicts. The attack on Stryker highlights the vulnerability of critical infrastructure sectors to state-aligned hacktivism.",[45,46,47,48,49,50],"Handala","Iran","hacktivism","Stryker","healthcare","geopolitics",[27,52,53],"Cyberattack","Threat Intelligence","2026-03-29T15:00:00.000Z","2026-04-08T00:00:00.000Z",4,"Handala hacktivist group has significantly escalated its operations, shifting from defacements to ransomware, data wiping, and doxxing, claiming 23 new victims in March 2026.","The pro-Iranian hacktivist group Handala has dramatically intensified its cyber campaign, evolving from primarily web defacements and DoS attacks to employing more destructive tactics. According to Bitdefender, Handala claimed 23 ransomware victims in March 2026 alone, a significant increase in activity. 
Their updated playbook now includes ransomware, data wiping, doxxing, and even threats of physical violence, targeting organizations in both Israel and the United States. This escalation indicates a more sophisticated and impactful threat actor than previously observed, moving beyond 'low-impact' disruption to cause significant operational and data privacy damage.",{"id":60,"slug":61,"headline":62,"title":63,"severity":64,"excerpt":65,"tags":66,"categories":73,"createdAt":77,"updatedAt":55,"readingTime":30,"isUpdate":34,"updateSummary":78,"updateContent":79},"f7f0f7b2-5647-4a5f-bf93-840c0e323978","carecloud-investigates-patient-data-leak-in-ehr-breach","Healthcare IT Firm CareCloud Probes Patient Data Access in EHR Breach","CareCloud Investigates Potential Patient Data Leak After Breach of EHR Environment","high","Healthcare technology provider CareCloud is investigating a security breach that gave an unauthorized third party access to one of its electronic health record (EHR) environments for eight hours on March 16, 2026. The company, which serves over 45,000 healthcare providers, has not yet confirmed if protected health information (PHI) was exfiltrated but has hired a leading cyber response team to assess the scope. The incident has been reported to the SEC, highlighting the potential for significant legal, regulatory, and reputational fallout if a large-scale patient data leak is confirmed.",[67,49,68,69,70,71,72],"data breach","carecloud","ehr","phi","hipaa","sec",[74,75,76],"Data Breach","Regulatory","Incident Response","2026-03-30T15:00:00.000Z","Forensic investigation confirms patient data exfiltration and significant operational disruption in CareCloud cyberattack.","CareCloud has officially confirmed that the cyberattack on March 16, 2026, resulted in the theft of sensitive patient data. A forensic investigation concluded that Protected Health Information (PHI) was exfiltrated by the attackers. 
In addition to the data breach, the incident caused an eight-hour system outage in one of its electronic health record (EHR) environments, leading to significant operational disruption for healthcare providers. This confirmation escalates the severity of the incident, highlighting the dual impact of data compromise and service interruption.",{"id":81,"slug":82,"headline":83,"title":84,"severity":64,"excerpt":85,"tags":86,"categories":92,"createdAt":93,"updatedAt":93,"readingTime":56,"isUpdate":94},"e5575f1a-b11d-419f-aa68-6088d3ec98a8","new-lucidrook-lua-based-malware-targets-taiwanese-organizations","New 'LucidRook' Malware Uses Lua and Rust in Targeted Attacks on Taiwan","Cisco Talos Uncovers 'LucidRook' Malware Targeting Taiwanese NGOs and Universities via Spear-Phishing","Security researchers at Cisco Talos have discovered a new, sophisticated malware family named 'LucidRook' used in targeted spear-phishing campaigns. Attributed to a threat cluster known as UAT-10362, the attacks primarily target non-governmental organizations (NGOs) and universities in Taiwan. LucidRook is a complex stager delivered as a DLL that embeds a Lua interpreter and Rust-compiled libraries. It uses a dropper component, 'LucidPawn,' which performs an anti-analysis check to ensure it only runs on systems configured for the Traditional Chinese language. 
The malware downloads and executes Lua bytecode payloads from a C2 server, and is accompanied by a reconnaissance tool called 'LucidKnight' used for initial system profiling.",[87,88,89,90,91],"Lua","Rust","Spear-phishing","Stager","Espionage",[26,27,52],"2026-04-08T15:00:00.000Z",false,{"id":96,"slug":97,"headline":98,"title":99,"severity":64,"excerpt":100,"tags":101,"categories":107,"createdAt":93,"updatedAt":93,"readingTime":108,"isUpdate":94},"322609a2-fa03-4543-8384-2071018be52c","russian-apt28-frostarmada-hijacks-soho-routers-in-global-espionage-campaign","APT28 'FrostArmada' Campaign Hijacks SOHO Routers for Global DNS Espionage","Russian APT28 Linked to 'FrostArmada' Campaign Compromising MikroTik and TP-Link Routers for DNS Hijacking","The Russian-linked threat group APT28 (aka Forest Blizzard) has been identified as the actor behind 'FrostArmada,' a large-scale cyber espionage campaign compromising insecure Small Office/Home Office (SOHO) routers. According to Lumen's Black Lotus Labs and Microsoft, the campaign, active since at least May 2025, exploits vulnerable MikroTik and TP-Link routers. The attackers modify the devices' DNS settings to redirect traffic from victims—including government agencies and cloud service users—to attacker-controlled infrastructure. This allows for passive credential harvesting and data collection. 
At its peak, the campaign's infrastructure communicated with over 18,000 IPs across 120 countries before being disrupted by a law enforcement operation.",[102,103,104,105,106],"SOHO","Router","DNS Hijacking","Cyber Espionage","Man-in-the-Middle",[27,52,52],5,{"id":110,"slug":111,"headline":112,"title":113,"severity":114,"excerpt":115,"tags":116,"categories":122,"createdAt":93,"updatedAt":93,"readingTime":108,"isUpdate":94},"0ad6250d-cf07-4155-95b4-1165bd9efca8","singapore-csa-issues-advisory-on-securing-software-supply-chains","Singapore's CSA Issues Advisory on Securing Software Supply Chains","Cyber Security Agency of Singapore (CSA) Warns of Rising Software Supply Chain Threats","informational","The Cyber Security Agency of Singapore (CSA) has published an advisory on the increasing threat of software supply chain attacks. The guidance warns that threat actors are targeting third-party software dependencies and automated development pipelines to compromise internal corporate systems. The CSA highlights that a single compromised tool can grant attackers deep access, leading to data theft and operational downtime. The advisory cites recent incidents like the hijacking of the popular 'Axios' npm package as examples of this growing threat. 
The CSA urges organizations to enforce strict governance over development environments, identify dependencies, and have incident response plans ready.",[117,118,119,120,121],"Supply Chain Security","DevSecOps","SBOM","npm","Open Source",[25,123,75],"Policy and Compliance",{"id":125,"slug":126,"headline":127,"title":128,"severity":64,"excerpt":129,"tags":130,"categories":137,"createdAt":93,"updatedAt":93,"readingTime":108,"isUpdate":94},"f79818a9-1784-4416-b571-ce7ac26964a1","southern-illinois-dermatology-breach-exposes-data-of-over-150000-patients","Southern Illinois Dermatology Breach Exposes Data of Over 150,000 Patients","'Insomnia' Threat Group Leaks Data of 150,000+ Patients After Southern Illinois Dermatology Breach","Southern Illinois Dermatology has started notifying patients of a data breach that occurred in November 2025. An unauthorized party gained access to its network and exfiltrated files containing patient data, including names, Social Security numbers, and medical information. The 'Insomnia' threat group has claimed responsibility for the attack, alleging they stole data from over 150,000 patients. 
The group has since followed through on its threats by leaking the entire stolen dataset on its data leak site, amplifying the impact on affected individuals.",[131,132,133,134,135,136],"Data Leak","Double Extortion","Healthcare","HIPAA","PII","PHI",[74,27,138],"Ransomware",{"id":140,"slug":141,"headline":142,"title":143,"severity":42,"excerpt":144,"tags":145,"categories":151,"createdAt":93,"updatedAt":93,"readingTime":153,"isUpdate":94},"971f2d94-8a5c-4185-b505-747b9fc19796","samsungs-april-2026-security-patch-fixes-47-vulnerabilities","Samsung's April 2026 Patch Fixes 47 Vulnerabilities in Galaxy Devices","Samsung Details April 2026 Security Update, Addressing 47 Flaws in Galaxy Phones, Tablets, and Wearables","Samsung has released its April 2026 security patch, which addresses a total of 47 vulnerabilities affecting its Galaxy line of smartphones, tablets, and wearables. The update is a combination of patches from Google and Samsung itself. It includes 33 fixes from Google's Android Security Bulletin, 14 of which are rated critical. Additionally, Samsung has included 14 of its own Samsung Vulnerabilities and Exposures (SVEs), addressing high-severity flaws in both its software and underlying semiconductor firmware. 
Users are advised to install the update as soon as it becomes available for their device and region.",[146,147,148,149,150],"Samsung","Android","Mobile Security","Patch Tuesday","Vulnerability",[152,148,150],"Patch Management",3,{"id":155,"slug":156,"headline":157,"title":158,"severity":114,"excerpt":159,"tags":160,"categories":166,"createdAt":93,"updatedAt":93,"readingTime":108,"isUpdate":94},"8ecc0bd3-c3c6-4793-9038-5c5a261cad2a","chubb-report-ai-and-supply-chain-attacks-drive-us-data-breach-costs-to-10-2m","US Data Breach Costs Hit Record $10.2M, Fueled by AI and Supply Chain Attacks","Chubb Report: Average US Data Breach Cost Soars to $10.2 Million, Driven by AI Weaponization and Supply Chain Failures","A new report from insurance provider Chubb reveals that the average cost of a data breach in the United States has reached a record high of $10.2 million, more than double the global average. The 2026 Cyber Claims Report identifies three key drivers for this surge: the weaponization of Artificial Intelligence (AI) by cybercriminals, an increase in immediate litigation following breach announcements, and the cascading impact of software supply chain compromises. The report notes that hostile AI is being used for self-rewriting malware and deepfake-based social engineering, while supply chain issues are now seen as the top cyber challenge by 65% of large companies.",[161,162,163,164,165],"Data Breach Cost","Cyber Insurance","AI","Supply Chain","Litigation",[123,53,74],1775683849413]