AI Discovers Thousands of Zero-Days, Iranian APTs Hit US Critical Infrastructure, and Multiple Zero-Days Actively Exploited

Major Dutch Healthcare Vendor ChipSoft Hit by Ransomware, Forcing Hospitals Offline and Sparking Patient Data Fears

A crippling ransomware attack has struck ChipSoft, a dominant provider of electronic health record (EHR) software in the Netherlands, causing widespread disruption across the nation's healthcare system. The attack, confirmed on April 7, 2026, forced ChipSoft to take its platforms offline and prompted at least 11 hospitals to sever connections as a precaution. The incident has created significant logistical challenges and raised concerns that sensitive patient data may have been compromised, highlighting the systemic risk posed by supply chain attacks in the healthcare sector.

RansomwareHealthcareChipSoftNetherlandsEHR +2 more

Ransomware

Data Breach

Supply Chain Attack

CISA Mandates Federal Agencies Patch Actively Exploited Ivanti EPMM Flaw by April 11

CRITICAL

CISA Adds Critical Ivanti EPMM Code Injection Flaw (CVE-2026-1340) to Known Exploited Vulnerabilities Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical code injection vulnerability in Ivanti Endpoint Manager Mobile (EPMM), CVE-2026-1340, to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, which has a CVSS score of 9.8, allows for unauthenticated remote code execution and is confirmed to be actively exploited in the wild. CISA has issued a directive requiring all federal civilian agencies to apply patches by April 11, 2026, and strongly urges all organizations using the affected product to remediate immediately.

CISAKEVIvantiCVE-2026-1340Vulnerability +2 more

CISA Mandates Federal Agencies Patch Actively Exploited Ivanti EPMM Flaw by April 11

Vulnerability

Patch Management

Cyberattack

Active Zero-Day in Adobe Reader Steals Files by Abusing Privileged APIs

Unpatched Adobe Reader Zero-Day Exploit Actively Stealing Local Files via Malicious PDFs

A previously unknown zero-day vulnerability in Adobe Acrobat and Reader is being actively exploited in targeted attacks to steal data from victims' computers. The flaw, a logic bug in the application's JavaScript engine, allows a specially crafted PDF to bypass the sandbox and invoke privileged APIs. Simply opening the malicious document is enough to trigger the exploit, which can read arbitrary local files and exfiltrate them to an attacker-controlled server. Adobe has not yet released a patch, and the campaign, which uses Russian-language lures, appears to be targeting the oil and gas sector.

Zero-DayAdobePDFExploitData Exfiltration +1 more

Active Zero-Day in Adobe Reader Steals Files by Abusing Privileged APIs

Vulnerability

Cyberattack

Data Breach

Silent Ransom Group Claims Phishing Attack on Law Firm Jones Day, Demands $13M

Global Law Firm Jones Day Hit by Silent Ransom Group in Phishing Attack, Client Files Accessed

The prominent global law firm Jones Day has disclosed it was the victim of a targeted phishing attack that resulted in unauthorized access to files for ten clients. The Silent Ransom Group (SRG), a sophisticated threat actor believed to be a splinter group from the notorious Conti syndicate, has claimed responsibility. The group allegedly published negotiation chats demanding a US$13 million ransom to prevent the public leak of stolen confidential client data and internal communications, highlighting the persistent targeting of the legal sector by high-stakes extortion groups.

Data BreachPhishingRansomwareSilent Ransom GroupConti +2 more

Data Breach

Threat Actor

Marimo RCE Flaw Exploited in Under 10 Hours of Public Disclosure

CRITICAL

Critical Marimo RCE Flaw (CVE-2026-39987) Exploited in the Wild Less Than 10 Hours After Disclosure

A critical, unauthenticated remote code execution (RCE) vulnerability in the Marimo Python notebook, CVE-2026-39987, was exploited in the wild just 9 hours and 41 minutes after its public disclosure on April 8, 2026. The flaw, which has a CVSS score of 9.3, allows an unauthenticated attacker to gain a full interactive shell on the server running the notebook. Security firm Sysdig observed an attacker developing a working exploit directly from the advisory's technical details and using it to steal credentials, demonstrating the rapidly shrinking window between vulnerability disclosure and exploitation.

RCEVulnerabilityExploitMarimoPython +2 more

Marimo RCE Flaw Exploited in Under 10 Hours of Public Disclosure

Vulnerability

Cyberattack

Atomic Stealer Malware Bypasses macOS Warnings with New 'ClickFix' Attack Vector

Atomic Stealer Evolves 'ClickFix' Tactic to Target macOS Users via Apple's Script Editor

A new malware campaign is delivering the Atomic Stealer (AMOS) infostealer to macOS users by evolving the 'ClickFix' social engineering technique. To bypass recent security warnings Apple added to the Terminal application, threat actors are now tricking users into launching Apple's built-in Script Editor and pasting malicious code. The attack, identified by Jamf Threat Labs, uses convincing browser pop-ups to guide victims through a fake troubleshooting workflow, ultimately leading to the installation of the AMOS infostealer and a persistent backdoor.

MalwaremacOSAtomic StealerAMOSSocial Engineering +2 more

Malware

Mobile Security

Job Seekers Targeted in Phishing Scam Impersonating Palo Alto Networks Recruiters

MEDIUM

Unit 42 Exposes Phishing Scam Where Fake Palo Alto Networks Recruiters Trick Job Seekers into Paying for 'CV Formatting'

Threat actors are conducting a sophisticated phishing campaign targeting senior-level professionals by impersonating recruiters from cybersecurity giant Palo Alto Networks. According to the company's own Unit 42 threat intelligence team, the scam uses data scraped from LinkedIn for highly personalized lures. The attackers trick victims by creating a sense of urgency, claiming the candidate's CV failed an automated screening, and then referring them to a paid 'CV expert' to fix the fake formatting issue, ultimately scamming them out of several hundred dollars.

PhishingScamSocial EngineeringPalo Alto NetworksRecruitment +1 more

Policy and Compliance

Other

Fake Windows Update Site Tricks French-Speaking Users into Installing Infostealer

Convincing Fake Microsoft Support Site Distributes Infostealer to French Users via Malvertising

A malvertising campaign is directing French-speaking users to a highly convincing but fake Microsoft support website hosted on a typosquatted domain. The site, designed to mimic an official Windows update page, tricks users into downloading what they believe is a cumulative update for Windows. The downloaded file is actually a Windows Installer package that deploys a potent information-stealing malware. Researchers at Malwarebytes, who discovered the campaign, suggest it may be leveraging recent large-scale data breaches in France to enhance the believability of related scams.

MalwareInfostealerPhishingMalvertisingMicrosoft +1 more

Fake Windows Update Site Tricks French-Speaking Users into Installing Infostealer

Malware