Daily Digest

Critical Infrastructure Under Siege as Supply Chain Attacks and Zero-Days Rattle Global Defenses

Critical Infrastructure Under Siege as Supply Chain Attacks and Zero-Days Rattle Global Defenses

April 11, 2026
9 articles (5 new, 4 updated)
27 min read

Summary

Over the past 24 hours, the cybersecurity landscape has been dominated by a surge in state-sponsored attacks targeting US critical infrastructure, with Iran-linked actors exploiting internet-exposed PLCs. Simultaneously, major supply chain compromises have rocked the open-source ecosystem, with tools like Trivy and Axios being poisoned. Healthcare remains a key target, evidenced by a crippling ransomware attack on EHR provider ChipSoft and a sensitive data breach at Hims & Hers. Meanwhile, active exploitation of Ivanti zero-days and new warnings about insecure building management systems highlight the expanding attack surface for enterprises globally.

Filter by Category

New Articles (5)

Smart Buildings, Dumb Security: Claroty Warns New Standard Exposes BMS to Remote Attack

MEDIUM

Claroty's Team82 Reveals Systemic Risk in Building Management Systems from CEA-852 Standard

Research from Claroty's Team82 has uncovered significant cybersecurity risks stemming from the adoption of the CEA-852 standard, which connects traditionally isolated Building Management Systems (BMS) to IP networks. The standard, which allows legacy protocols like LonTalk to run over IP, introduces remote attack vectors into smart buildings and the critical infrastructure they support. Researchers found serious design weaknesses that could allow attackers to remotely compromise BMS gateways and servers, potentially gaining control over entire building ecosystems, including HVAC, lighting, and security systems.

April 11, 2026
5 min read
BMSBuilding Management SystemClarotyLonTalkIoT Security +2 more
Smart Buildings, Dumb Security: Claroty Warns New Standard Exposes BMS to Remote Attack
Vulnerability
Industrial Control Systems
IoT Security

Hundreds of Unauthenticated ICS Devices, Including for Power Grids, Found Exposed Online

HIGH

Comparitech Research Finds Internet-Exposed ICS Devices Using Insecure Modbus Protocol

New research from Comparitech reveals a startling lack of security in critical infrastructure, with at least 179 industrial control system (ICS) devices found exposed to the internet without any authentication. These devices, using the insecure-by-design Modbus protocol on its default port, are tied to critical entities including a national railway and two national power grids. The findings reinforce urgent warnings from government agencies about the growing threat of nation-state actors targeting operational technology (OT) and highlight a severe visibility gap, with fewer than 10% of OT networks having adequate monitoring.

April 11, 2026
5 min read
ICSOT SecurityModbusComparitechCritical Infrastructure +2 more
Hundreds of Unauthenticated ICS Devices, Including for Power Grids, Found Exposed Online
Industrial Control Systems
Vulnerability
Threat Intelligence

Citizen Lab Uncovers 'Webloc' - A Global Surveillance Tool Using Ad Data to Track Phones

INFORMATIONAL

Webloc Surveillance System by Cobwebs Technologies Exposed by Citizen Lab Investigation

A new report from the University of Toronto's Citizen Lab has exposed a global geolocation surveillance system named "Webloc." Developed by the Israeli firm Cobwebs Technologies, the tool leverages data from the digital advertising ecosystem to track the location of up to 500 million devices worldwide. The investigation revealed that Webloc has been used by law enforcement and intelligence agencies in multiple countries, including the United States, Hungary, and El Salvador, raising significant privacy concerns about the government use of commercial surveillance technology.

April 11, 2026
4 min read
SurveillancePrivacyCitizen LabCobwebs TechnologiesWebloc +2 more
Citizen Lab Uncovers 'Webloc' - A Global Surveillance Tool Using Ad Data to Track Phones
Policy and Compliance
Threat Intelligence
Regulatory

GlassWorm Campaign Evolves, Uses Zig-Based Dropper to Infect All Developer IDEs

HIGH

New GlassWorm Dropper Written in Zig Targets Developer Workstations via Malicious VSX Extension

The ongoing GlassWorm cyber-espionage campaign has adopted a new, sophisticated tool: a dropper written in the Zig programming language. This new malware component was discovered hidden within a malicious Open VSX extension masquerading as a legitimate WakaTime activity tracker. The dropper's primary function is to stealthily infect all Integrated Development Environments (IDEs) installed on a compromised developer's machine. This technique allows the attackers to achieve deep, persistent access to the developer's workflow, posing a significant software supply chain risk by enabling the potential injection of malicious code into any project the developer touches.

April 11, 2026
5 min read
GlassWormMalwareZigIDESupply Chain Attack +2 more
GlassWorm Campaign Evolves, Uses Zig-Based Dropper to Infect All Developer IDEs
Malware
Supply Chain Attack
Threat Actor

Hacking Group 'FlamingChina' Claims 10 Petabyte Military Data Heist from Chinese Supercomputer

CRITICAL

'FlamingChina' Threat Actor Alleges Massive Breach of Chinese Supercomputer, Offers Military Data for Sale

A previously unknown hacking entity calling itself 'FlamingChina' has claimed responsibility for a colossal data breach targeting a Chinese supercomputer. The group alleges it has stolen 10 petabytes of highly sensitive military data and is now offering it for sale. The purported data includes schematics and simulations for advanced weaponry like aircraft, missiles, and bombs. The data is said to originate from top-tier Chinese state-run defense and technology institutions, including the Aviation Industry Corporation of China. If verified, the breach would represent a catastrophic loss of state secrets for China.

April 11, 2026
6 min read
FlamingChinaData BreachCyber EspionageChinaSupercomputer +2 more
Hacking Group 'FlamingChina' Claims 10 Petabyte Military Data Heist from Chinese Supercomputer
Data Breach
Threat Actor
Cyberattack

Updated Articles (4)

Hims & Hers Data Breach: ShinyHunters Steals Support Tickets via Compromised Zendesk Access

HIGH

Hims & Hers Reports Data Breach via Third-Party Customer Service Platform

Update:

The initial report stated that medical records were not compromised. However, new information confirms that the breach exposed highly sensitive Protected Health Information (PHI), including specific medical details related to conditions like erectile dysfunction and hair loss, significantly escalating the incident's severity and regulatory implications (HIPAA). Furthermore, the new article provides a deeper technical analysis of the attack vector, detailing how ShinyHunters employed sophisticated MFA bypass techniques such as real-time vishing and OAuth abuse to steal session tokens, rather than just a compromised Okta SSO account. This highlights the need for phishing-resistant MFA like FIDO2/WebAuthn.

April 5, 2026
Updated: April 11, 2026
5 min read
Hims & HersData BreachShinyHuntersZendeskOkta +3 more
Hims & Hers Data Breach: ShinyHunters Steals Support Tickets via Compromised Zendesk Access
Data Breach
Supply Chain Attack
Cloud Security

Global Takedown Disrupts 'Tycoon 2FA' Phishing Service That Bypassed MFA for 100k Orgs

HIGH

International Operation Dismantles 'Tycoon 2FA' Phishing-as-a-Service Platform

Update:

Google Chrome has begun rolling out Device Bound Session Credentials (DBSC) in Chrome 146 for Windows. This new security feature cryptographically binds an authentication session to a specific device, rendering stolen session cookies useless to attackers. DBSC directly addresses the threat of session hijacking and MFA bypass via info-stealing malware, which was a core technique used by PhaaS platforms like Tycoon 2FA. This significantly enhances user security by neutralizing a common attack vector.

March 13, 2026
Updated: April 11, 2026
5 min read
Phishing-as-a-ServicePhaaSMFA BypassAdversary-in-the-MiddleSession Hijacking +2 more
Global Takedown Disrupts 'Tycoon 2FA' Phishing Service That Bypassed MFA for 100k Orgs
Phishing
Cyberattack
Threat Intelligence

EU Commission Data Breach Linked to Trivy Supply Chain Attack by TeamPCP Hackers

HIGH

EU Commission Data Breach Attributed to TeamPCP Hacking Group via Trivy Supply Chain Attack

Update:

The update confirms that 71 EU institutions were impacted, explicitly naming the European Medicines Agency (EMA), European Banking Authority (EBA), and notably, ENISA (the EU Agency for Cybersecurity), which escalates the incident's significance. A more precise attack timeline reveals TeamPCP manipulated the Trivy GitHub repository on March 19, 2026, leading to a five-day data exfiltration period until March 24, 2026. The stolen data is further specified to include sensitive emails and personal information of staff. Additional MITRE ATT&CK and D3FEND techniques were also detailed, providing deeper technical insight into the compromise.

April 7, 2026
Updated: April 11, 2026
6 min read
Supply ChainData BreachTrivyTeamPCPShinyHunters +3 more
EU Commission Data Breach Linked to Trivy Supply Chain Attack by TeamPCP Hackers
Data Breach
Supply Chain Attack
Cloud Security

CISA Mandates Federal Agencies Patch Actively Exploited Ivanti EPMM Flaw by April 11

CRITICAL

CISA Adds Critical Ivanti EPMM Code Injection Flaw (CVE-2026-1340) to Known Exploited Vulnerabilities Catalog

Update:

New analysis reveals attackers are chaining two zero-day vulnerabilities in Ivanti EPMM: an authentication bypass followed by a code injection, to achieve unauthenticated remote code execution. Post-exploitation activities now include the deployment of webshells, cryptominers, and persistent backdoors, indicating a more severe and persistent threat. This exploit chain allows attackers to gain full control over the MDM server, enabling them to bypass security controls, manipulate device policies, and establish a lasting presence within compromised networks. Organizations are urged to apply vendor patches immediately and hunt for these specific post-exploitation indicators.

April 9, 2026
Updated: April 11, 2026
5 min read
CISAKEVIvantiCVE-2026-1340Vulnerability +2 more
CISA Mandates Federal Agencies Patch Actively Exploited Ivanti EPMM Flaw by April 11
Vulnerability
Patch Management
Cyberattack

📢 Share This Publication

Help others stay informed about cybersecurity threats