Massive Data Breaches at Basic-Fit and Booking.com Expose Millions; CISA Warns of Actively Exploited Zero-Days

Phishing Campaign Impersonates Linux Foundation on Slack to Steal Developer Credentials and Install Malicious Certificates

A sophisticated social engineering campaign is targeting open-source developers on Slack, with attackers impersonating a Linux Foundation official to gain trust. Victims are lured to a fake login page hosted on Google Sites to harvest their credentials. The attack then escalates by tricking the developer into installing a fake 'security certificate,' which is a malicious root certificate enabling the attacker to intercept encrypted traffic. The campaign, which targets members of prominent projects like CNCF, highlights the increasing focus of threat actors on compromising developers as a gateway into the software supply chain.

PhishingSocial EngineeringOpen SourceLinux FoundationSlack +3 more

Phishing

Supply Chain Attack

Threat Actor

OneDigital Discloses Supply-Chain Breach from 2025, 28,000 Individuals Impacted

OneDigital Investment Advisors Reveals 2025 Data Breach Affecting 28,414 Clients via Third-Party Chat App

Financial advisory firm OneDigital Investment Advisors has disclosed a data breach that occurred in August 2025, impacting 28,414 individuals. The incident was a supply-chain attack stemming from a vulnerability in the Drift online chat application, which was integrated into their former CRM platform, Salesloft. The breach, which exposed sensitive data including names and Social Security numbers, was discovered after their current CRM provider, Salesforce, alerted them. The significant delay between the breach in August 2025 and the notification in April 2026 highlights the complex and often delayed discovery process in supply-chain security incidents.

Supply Chain AttackData BreachOneDigitalSalesforceDrift +3 more

OneDigital Discloses Supply-Chain Breach from 2025, 28,000 Individuals Impacted

Supply Chain Attack

Data Breach

Regulatory

Hack-for-Hire Espionage Campaign Linked to BITTER APT Targets Phones in MENA Region

BITTER APT-Linked 'Hack-for-Hire' Group Targets Journalists and Activists in MENA with Sophisticated Phishing

A large-scale, long-running cyber-espionage campaign is targeting journalists, activists, and officials, primarily in the Middle East and North Africa (MENA) region. The 'hack-for-hire' operation, linked by researchers to the BITTER APT group, uses sophisticated phishing and social engineering rather than zero-day exploits. Attackers use fake login pages to steal Apple ID credentials and deploy spyware disguised as legitimate apps on Android devices. The goal is espionage, with the attackers offering surveillance services to clients. The campaign highlights the continued effectiveness of credential phishing for compromising even high-value targets.

Hack-for-HireBITTER APTCyber EspionagePhishingMENA +3 more

Hack-for-Hire Espionage Campaign Linked to BITTER APT Targets Phones in MENA Region

Threat Actor

Phishing

Utah Surgical Practice Data Leaked by 'PEAR' Ransomware; 50,000 Patients' SSNs and Financial Info Exposed

Rocky Mountain Associated Physicians Suffers Data Breach; PEAR Ransomware Group Leaks Data of 50,640 Patients

Rocky Mountain Associated Physicians (RMAP), a Utah-based surgical practice, has reported a data breach affecting 50,640 patients. A threat group calling itself 'PEAR' (Pure Extortion and Ransom) has claimed responsibility, and after its ransom demands were not met, it leaked the stolen data on the dark web. The compromised information is highly sensitive, including patient names, Social Security numbers, medical diagnoses, and in some cases, debit/credit card numbers with PINs. The public release of this data places affected patients at extreme risk of identity theft and fraud.

RansomwareData BreachPEARHealthcareHIPAA +3 more

8 min read

Ransomware

Data Breach

Threat Actor

CISA KEV Update: Six Flaws Added, Including Critical Fortinet SQLi and Adobe RCE

CISA Adds Six Actively Exploited Vulnerabilities to KEV Catalog, Targeting Fortinet, Adobe, and Microsoft

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added six vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, confirming they are under active attack. The list includes a critical SQL injection flaw in Fortinet FortiClient EMS (CVE-2026-21643) with a 9.1 CVSS score, and an older but still targeted use-after-free bug in Adobe Acrobat Reader (CVE-2020-9715). Federal agencies are mandated to patch these flaws by April 27, 2026, and CISA strongly urges all organizations to prioritize these updates to defend against ongoing threats.

CISAKEVVulnerabilityFortinetAdobe +4 more

6 min read

CISA KEV Update: Six Flaws Added, Including Critical Fortinet SQLi and Adobe RCE

Vulnerability

Patch Management

Microsoft 365 Admins Locked Out of Tenant After Attacker Removes All Global Admin Roles

Business-Critical Incident: Attacker Achieves Tenant Lockout by Removing All Microsoft 365 Global Administrators

An organization has reported a 'business-critical security incident' after a malicious actor gained access to their Microsoft 365 tenant and systematically removed the 'Global Administrator' role from all assigned user accounts. This action resulted in a complete administrative lockout, preventing legitimate administrators from accessing the Microsoft 365 Admin Center and Microsoft Entra ID. The attack highlights a potent technique where attackers, after compromising a single privileged account, can cement their control and prevent remediation by decapitating the tenant's administrative structure. The organization is now reliant on Microsoft's Data Protection team to verify ownership and restore access.

Microsoft 365Entra IDAzure ADTenant LockoutCloud Security +2 more

Microsoft 365 Admins Locked Out of Tenant After Attacker Removes All Global Admin Roles

Security Operations

Cloud Security

Updated Articles (2)

CISA Mandates Federal Agencies Patch Actively Exploited Ivanti EPMM Flaw by April 11

CISAKEVIvantiCVE-2026-1340Vulnerability +2 more

CISA Adds Critical Ivanti EPMM Code Injection Flaw (CVE-2026-1340) to Known Exploited Vulnerabilities Catalog

Update:

This update provides more specific information regarding the actively exploited Ivanti EPMM vulnerability, CVE-2026-1340. It now explicitly lists affected versions as 12.5 through 12.7. The vulnerability is further characterized as 'wormable' due to its low attack complexity and lack of user interaction. Additional impact details include the potential for attackers to push malicious applications (T1475) and deploy ransomware. New cyber observables for detection have been added, such as monitoring for `w3wp.exe` processes on Windows servers and looking for unexpected file creations (webshells) in web server directories.

April 9, 2026

Updated: April 14, 2026

5 min read

CISA Mandates Federal Agencies Patch Actively Exploited Ivanti EPMM Flaw by April 11

Vulnerability

Patch Management

Marimo RCE Flaw Exploited in Under 10 Hours of Public Disclosure

RCEVulnerabilityExploitMarimoPython +2 more

Critical Marimo RCE Flaw (CVE-2026-39987) Exploited in the Wild Less Than 10 Hours After Disclosure

Update:

The new article, dated April 14, 2026, provides further confirmation of the active and immediate exploitation of CVE-2026-39987 in Marimo Python notebooks. New threat intelligence reports from April 13, 2026, underscore the ongoing nature of attacks, emphasizing the critical need for users to upgrade to version 0.23.0 without delay. The vulnerability continues to pose a significant risk, particularly for data science and machine learning environments, due to its unauthenticated RCE capabilities, leading to potential data theft and system compromise.

April 9, 2026

Updated: April 14, 2026

4 min read

Marimo RCE Flaw Exploited in Under 10 Hours of Public Disclosure

Vulnerability