[{"data":1,"prerenderedAt":174},["ShallowReactive",2],{"publication-daily-threat-publications-2026-04-11":3},{"pub_id":4,"headline":5,"summary":6,"pub_date":7,"total_articles":8,"articles":9},"pub-2026-04-11","Critical Infrastructure Under Siege as Supply Chain Attacks and Zero-Days Rattle Global Defenses","Over the past 24 hours, the cybersecurity landscape has been dominated by a surge in state-sponsored attacks targeting US critical infrastructure, with Iran-linked actors exploiting internet-exposed PLCs. Simultaneously, major supply chain compromises have rocked the open-source ecosystem, with tools like Trivy and Axios being poisoned. Healthcare remains a key target, evidenced by a crippling ransomware attack on EHR provider ChipSoft and a sensitive data breach at Hims & Hers. Meanwhile, active exploitation of Ivanti zero-days and new warnings about insecure building management systems highlight the expanding attack surface for enterprises globally.","2026-04-11",9,[10,35,57,74,95,113,126,145,160],{"id":11,"slug":12,"headline":13,"title":14,"severity":15,"excerpt":16,"tags":17,"categories":25,"createdAt":29,"updatedAt":30,"readingTime":31,"isUpdate":32,"updateSummary":33,"updateContent":34},"2924807b-4af0-4309-b7b9-fca4c64b90ac","tycoon-2fa-phishing-as-a-service-platform-disrupted-in-global-takedown","Global Takedown Disrupts 'Tycoon 2FA' Phishing Service That Bypassed MFA for 100k Orgs","International Operation Dismantles 'Tycoon 2FA' Phishing-as-a-Service Platform","high","An international law enforcement operation, led by Microsoft and Europol, has successfully disrupted 'Tycoon 2FA,' a major Phishing-as-a-Service (PhaaS) platform responsible for enabling multi-factor authentication (MFA) bypass attacks on a massive scale. Active since August 2023, the service provided low-skilled cybercriminals with a toolkit using adversary-in-the-middle (AitM) techniques to steal credentials, one-time passcodes, and session cookies in real-time. The platform facilitated attacks against nearly 100,000 organizations globally, including schools and hospitals, and was linked to tens of millions of phishing emails per month. The takedown involved seizing over 330 domains that formed the service's core infrastructure, striking a significant blow against the cybercrime economy that preys on enterprise identity security.",[18,19,20,21,22,23,24],"Phishing-as-a-Service","PhaaS","MFA Bypass","Adversary-in-the-Middle","Session Hijacking","Europol","Takedown",[26,27,28],"Phishing","Cyberattack","Threat Intelligence","2026-03-13T15:00:00.000Z","2026-04-11T00:00:00.000Z",5,true,"Google Chrome rolls out Device Bound Session Credentials (DBSC) to combat session cookie theft and MFA bypass, making stolen cookies useless.","Google Chrome has begun rolling out Device Bound Session Credentials (DBSC) in Chrome 146 for Windows. This new security feature cryptographically binds an authentication session to a specific device, rendering stolen session cookies useless to attackers. DBSC directly addresses the threat of session hijacking and MFA bypass via info-stealing malware, which was a core technique used by PhaaS platforms like Tycoon 2FA. This significantly enhances user security by neutralizing a common attack vector.",{"id":36,"slug":37,"headline":38,"title":39,"severity":15,"excerpt":40,"tags":41,"categories":50,"createdAt":53,"updatedAt":54,"readingTime":31,"isUpdate":32,"updateSummary":55,"updateContent":56},"ce77cbec-690f-4dd0-9802-1eba374c9edf","hims-and-hers-reports-data-breach-via-third-party-customer-service-platform","Hims & Hers Data Breach: ShinyHunters Steals Support Tickets via Compromised Zendesk Access","Hims & Hers Reports Data Breach via Third-Party Customer Service Platform","Telehealth company Hims & Hers has disclosed a data breach that exposed customer support tickets. The attackers, reportedly the ShinyHunters extortion group, gained unauthorized access to the company's instance on a third-party customer service platform, identified as Zendesk. The breach, which occurred in early February 2026, was achieved using a compromised Okta single sign-on (SSO) account. Exposed data includes customer names, contact information, and details from their support requests. Medical records were not compromised, and the company is offering free credit monitoring to affected individuals.",[42,43,44,45,46,47,48,49],"Hims & Hers","Data Breach","ShinyHunters","Zendesk","Okta","SSO","SaaS","Healthcare",[43,51,52],"Supply Chain Attack","Cloud Security","2026-04-05T15:00:00.000Z","2026-04-11T12:00:00.000Z","Hims & Hers breach now confirmed to expose highly sensitive PHI, significantly increasing severity. New details highlight ShinyHunters' advanced MFA bypass techniques.","The initial report stated that medical records were not compromised. However, new information confirms that the breach exposed highly sensitive Protected Health Information (PHI), including specific medical details related to conditions like erectile dysfunction and hair loss, significantly escalating the incident's severity and regulatory implications (HIPAA). Furthermore, the new article provides a deeper technical analysis of the attack vector, detailing how ShinyHunters employed sophisticated MFA bypass techniques such as real-time vishing and OAuth abuse to steal session tokens, rather than just a compromised Okta SSO account. This highlights the need for phishing-resistant MFA like FIDO2/WebAuthn.",{"id":58,"slug":59,"headline":60,"title":61,"severity":15,"excerpt":62,"tags":63,"categories":69,"createdAt":70,"updatedAt":30,"readingTime":71,"isUpdate":32,"updateSummary":72,"updateContent":73},"9ea9ad24-2cc6-4d1f-ad74-d8c181323d25","eu-commission-data-breach-attributed-to-teampcp-via-trivy-supply-chain-attack","EU Commission Data Breach Linked to Trivy Supply Chain Attack by TeamPCP Hackers","EU Commission Data Breach Attributed to TeamPCP Hacking Group via Trivy Supply Chain Attack","The EU's cybersecurity agency, CERT-EU, has attributed a significant data breach at the European Commission to the hacking group TeamPCP. The attackers exfiltrated approximately 92GB of data from the Commission's Amazon Web Services (AWS) account. The investigation revealed that the breach was a downstream consequence of a supply chain attack targeting Trivy, a popular open-source vulnerability scanner. The Commission had unknowingly installed a compromised version of Trivy, which contained a backdoor providing the attackers with an Amazon API key. The stolen data, including names and email information from numerous EU entities, was later advertised for sale on a dark web forum associated with the ShinyHunters group, suggesting a possible collaboration between the two threat actors.",[64,43,65,66,44,67,52,68],"Supply Chain","Trivy","TeamPCP","AWS","European Commission",[43,51,52],"2026-04-07T15:00:00.000Z",6,"New details confirm 71 EU institutions, including ENISA, were affected. A detailed attack timeline from March 19-24, 2026, and specific data types like sensitive emails were also disclosed.","The update confirms that 71 EU institutions were impacted, explicitly naming the European Medicines Agency (EMA), European Banking Authority (EBA), and notably, ENISA (the EU Agency for Cybersecurity), which escalates the incident's significance. A more precise attack timeline reveals TeamPCP manipulated the Trivy GitHub repository on March 19, 2026, leading to a five-day data exfiltration period until March 24, 2026. The stolen data is further specified to include sensitive emails and personal information of staff. Additional MITRE ATT&CK and D3FEND techniques were also detailed, providing deeper technical insight into the compromise.",{"id":75,"slug":76,"headline":77,"title":78,"severity":79,"excerpt":80,"tags":81,"categories":89,"createdAt":90,"updatedAt":30,"readingTime":31,"cves":91,"cvssScore":92,"isUpdate":32,"updateSummary":93,"updateContent":94},"62f4640b-ee48-4664-9553-abc33f139b2a","cisa-adds-critical-ivanti-epmm-flaw-to-kev-catalog","CISA Mandates Federal Agencies Patch Actively Exploited Ivanti EPMM Flaw by April 11","CISA Adds Critical Ivanti EPMM Code Injection Flaw (CVE-2026-1340) to Known Exploited Vulnerabilities Catalog","critical","The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical code injection vulnerability in Ivanti Endpoint Manager Mobile (EPMM), CVE-2026-1340, to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, which has a CVSS score of 9.8, allows for unauthenticated remote code execution and is confirmed to be actively exploited in the wild. CISA has issued a directive requiring all federal civilian agencies to apply patches by April 11, 2026, and strongly urges all organizations using the affected product to remediate immediately.",[82,83,84,85,86,87,88],"CISA","KEV","Ivanti","CVE-2026-1340","Vulnerability","Patch Management","Zero-Day",[86,87,27],"2026-04-09T15:00:00.000Z",[85],9.8,"New details reveal attackers chain two zero-days in Ivanti EPMM for unauthenticated RCE, deploying webshells and cryptominers.","New analysis reveals attackers are chaining two zero-day vulnerabilities in Ivanti EPMM: an authentication bypass followed by a code injection, to achieve unauthenticated remote code execution. Post-exploitation activities now include the deployment of webshells, cryptominers, and persistent backdoors, indicating a more severe and persistent threat. This exploit chain allows attackers to gain full control over the MDM server, enabling them to bypass security controls, manipulate device policies, and establish a lasting presence within compromised networks. Organizations are urged to apply vendor patches immediately and hunt for these specific post-exploitation indicators.",{"id":96,"slug":97,"headline":98,"title":99,"severity":100,"excerpt":101,"tags":102,"categories":109,"createdAt":111,"updatedAt":111,"readingTime":31,"isUpdate":112},"05953aeb-8098-445b-a42a-44a1b8d60767","claroty-warns-of-systemic-risk-from-insecure-building-management-systems","Smart Buildings, Dumb Security: Claroty Warns New Standard Exposes BMS to Remote Attack","Claroty's Team82 Reveals Systemic Risk in Building Management Systems from CEA-852 Standard","medium","Research from Claroty's Team82 has uncovered significant cybersecurity risks stemming from the adoption of the CEA-852 standard, which connects traditionally isolated Building Management Systems (BMS) to IP networks. The standard, which allows legacy protocols like LonTalk to run over IP, introduces remote attack vectors into smart buildings and the critical infrastructure they support. Researchers found serious design weaknesses that could allow attackers to remotely compromise BMS gateways and servers, potentially gaining control over entire building ecosystems, including HVAC, lighting, and security systems.",[103,104,105,106,107,108,86],"BMS","Building Management System","Claroty","LonTalk","IoT Security","OT Security",[86,110,107],"Industrial Control Systems","2026-04-11T15:00:00.000Z",false,{"id":114,"slug":115,"headline":116,"title":117,"severity":15,"excerpt":118,"tags":119,"categories":125,"createdAt":111,"updatedAt":111,"readingTime":31,"isUpdate":112},"11f6d88b-66dc-4dcf-b759-4e2ce3880ab1","hundreds-of-unauthenticated-industrial-control-devices-exposed-on-internet","Hundreds of Unauthenticated ICS Devices, Including for Power Grids, Found Exposed Online","Comparitech Research Finds Internet-Exposed ICS Devices Using Insecure Modbus Protocol","New research from Comparitech reveals a startling lack of security in critical infrastructure, with at least 179 industrial control system (ICS) devices found exposed to the internet without any authentication. These devices, using the insecure-by-design Modbus protocol on its default port, are tied to critical entities including a national railway and two national power grids. The findings reinforce urgent warnings from government agencies about the growing threat of nation-state actors targeting operational technology (OT) and highlight a severe visibility gap, with fewer than 10% of OT networks having adequate monitoring.",[120,108,121,122,123,86,124],"ICS","Modbus","Comparitech","Critical Infrastructure","Power Grid",[110,86,28],{"id":127,"slug":128,"headline":129,"title":130,"severity":131,"excerpt":132,"tags":133,"categories":141,"createdAt":111,"updatedAt":111,"readingTime":144,"isUpdate":112},"80d07e14-eeed-466b-8cdb-1c86b14ecc6b","citizen-lab-exposes-global-webloc-surveillance-system","Citizen Lab Uncovers 'Webloc' - A Global Surveillance Tool Using Ad Data to Track Phones","Webloc Surveillance System by Cobwebs Technologies Exposed by Citizen Lab Investigation","informational","A new report from the University of Toronto's Citizen Lab has exposed a global geolocation surveillance system named \"Webloc.\" Developed by the Israeli firm Cobwebs Technologies, the tool leverages data from the digital advertising ecosystem to track the location of up to 500 million devices worldwide. The investigation revealed that Webloc has been used by law enforcement and intelligence agencies in multiple countries, including the United States, Hungary, and El Salvador, raising significant privacy concerns about the government use of commercial surveillance technology.",[134,135,136,137,138,139,140],"Surveillance","Privacy","Citizen Lab","Cobwebs Technologies","Webloc","Data Broker","Ad Tech",[142,28,143],"Policy and Compliance","Regulatory",4,{"id":146,"slug":147,"headline":148,"title":149,"severity":15,"excerpt":150,"tags":151,"categories":158,"createdAt":111,"updatedAt":111,"readingTime":31,"isUpdate":112},"3d888e46-d47c-475f-8e31-78a7a9942684","glassworm-campaign-deploys-new-zig-dropper-to-infect-developer-ides","GlassWorm Campaign Evolves, Uses Zig-Based Dropper to Infect All Developer IDEs","New GlassWorm Dropper Written in Zig Targets Developer Workstations via Malicious VSX Extension","The ongoing GlassWorm cyber-espionage campaign has adopted a new, sophisticated tool: a dropper written in the Zig programming language. This new malware component was discovered hidden within a malicious Open VSX extension masquerading as a legitimate WakaTime activity tracker. The dropper's primary function is to stealthily infect all Integrated Development Environments (IDEs) installed on a compromised developer's machine. This technique allows the attackers to achieve deep, persistent access to the developer's workflow, posing a significant software supply chain risk by enabling the potential injection of malicious code into any project the developer touches.",[152,153,154,155,51,156,157],"GlassWorm","Malware","Zig","IDE","Developer","Open VSX",[153,51,159],"Threat Actor",{"id":161,"slug":162,"headline":163,"title":164,"severity":79,"excerpt":165,"tags":166,"categories":173,"createdAt":111,"updatedAt":111,"readingTime":71,"isUpdate":112},"762d01fe-6a25-4e8f-98a8-b2f0bc41e7ad","flamingchina-group-claims-theft-of-10-petabytes-from-chinese-supercomputer","Hacking Group 'FlamingChina' Claims 10 Petabyte Military Data Heist from Chinese Supercomputer","'FlamingChina' Threat Actor Alleges Massive Breach of Chinese Supercomputer, Offers Military Data for Sale","A previously unknown hacking entity calling itself 'FlamingChina' has claimed responsibility for a colossal data breach targeting a Chinese supercomputer. The group alleges it has stolen 10 petabytes of highly sensitive military data and is now offering it for sale. The purported data includes schematics and simulations for advanced weaponry like aircraft, missiles, and bombs. The data is said to originate from top-tier Chinese state-run defense and technology institutions, including the Aviation Industry Corporation of China. If verified, the breach would represent a catastrophic loss of state secrets for China.",[167,43,168,169,170,171,172],"FlamingChina","Cyber Espionage","China","Supercomputer","Military","AVIC",[43,159,27],1776260665690]