[{"data":1,"prerenderedAt":153},["ShallowReactive",2],{"publication-daily-threat-publications-2026-04-14":3},{"pub_id":4,"headline":5,"summary":6,"pub_date":7,"total_articles":8,"articles":9},"pub-2026-04-14","Massive Data Breaches at Basic-Fit and Booking.com Expose Millions; CISA Warns of Actively Exploited Zero-Days","This 24-hour period has seen major consumer data breaches, with fitness giant Basic-Fit exposing bank details of 1 million members and Booking.com confirming a compromise of customer reservation data. Concurrently, CISA has issued urgent warnings for multiple actively exploited zero-day vulnerabilities in Adobe, Ivanti, and Fortinet products, demanding immediate patching. Ransomware and supply-chain attacks also continue to plague organizations, with the Qilin group targeting a German political party and ShinyHunters threatening to leak data from GTA developer Rockstar Games.","2026-04-14",8,[10,35,54,76,92,107,121,137],{"id":11,"slug":12,"headline":13,"title":14,"severity":15,"excerpt":16,"tags":17,"categories":25,"createdAt":27,"updatedAt":28,"readingTime":29,"cves":30,"cvssScore":31,"isUpdate":32,"updateSummary":33,"updateContent":34},"62f4640b-ee48-4664-9553-abc33f139b2a","cisa-adds-critical-ivanti-epmm-flaw-to-kev-catalog","CISA Mandates Federal Agencies Patch Actively Exploited Ivanti EPMM Flaw by April 11","CISA Adds Critical Ivanti EPMM Code Injection Flaw (CVE-2026-1340) to Known Exploited Vulnerabilities Catalog","critical","The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical code injection vulnerability in Ivanti Endpoint Manager Mobile (EPMM), CVE-2026-1340, to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, which has a CVSS score of 9.8, allows for unauthenticated remote code execution and is confirmed to be actively exploited in the wild. 
CISA has issued a directive requiring all federal civilian agencies to apply patches by April 11, 2026, and strongly urges all organizations using the affected product to remediate immediately.",[18,19,20,21,22,23,24],"CISA","KEV","Ivanti","CVE-2026-1340","Vulnerability","Patch Management","Zero-Day",[22,23,26],"Cyberattack","2026-04-09T15:00:00.000Z","2026-04-14T12:00:00.000Z",5,[21],9.8,true,"New details on Ivanti EPMM flaw (CVE-2026-1340) include affected versions (12.5-12.7), 'wormable' nature, and additional detection observables.","This update provides more specific information regarding the actively exploited Ivanti EPMM vulnerability, CVE-2026-1340. It now explicitly lists affected versions as 12.5 through 12.7. The vulnerability is further characterized as 'wormable' due to its low attack complexity and lack of user interaction. Additional impact details include the potential for attackers to push malicious applications (T1475) and deploy ransomware. New cyber observables for detection have been added, such as monitoring for `w3wp.exe` processes on Windows servers and looking for unexpected file creations (webshells) in web server directories.",{"id":36,"slug":37,"headline":38,"title":39,"severity":15,"excerpt":40,"tags":41,"categories":47,"createdAt":27,"updatedAt":48,"readingTime":49,"cves":50,"cvssScore":51,"isUpdate":32,"updateSummary":52,"updateContent":53},"2595f69b-f872-4641-b8a5-0cd141377ca4","marimo-rce-flaw-exploited-within-hours-of-disclosure","Marimo RCE Flaw Exploited in Under 10 Hours of Public Disclosure","Critical Marimo RCE Flaw (CVE-2026-39987) Exploited in the Wild Less Than 10 Hours After Disclosure","A critical, unauthenticated remote code execution (RCE) vulnerability in the Marimo Python notebook, CVE-2026-39987, was exploited in the wild just 9 hours and 41 minutes after its public disclosure on April 8, 2026. 
The flaw, which has a CVSS score of 9.3, allows an unauthenticated attacker to gain a full interactive shell on the server running the notebook. Security firm Sysdig observed an attacker developing a working exploit directly from the advisory's technical details and using it to steal credentials, demonstrating the rapidly shrinking window between vulnerability disclosure and exploitation.",[42,22,43,44,45,46,24],"RCE","Exploit","Marimo","Python","CVE-2026-39987",[22,26],"2026-04-14T00:00:00.000Z",4,[46],9.3,"New reports confirm continued active exploitation of Marimo RCE (CVE-2026-39987) with updated threat intelligence.","The new article, dated April 14, 2026, provides further confirmation of the active and immediate exploitation of CVE-2026-39987 in Marimo Python notebooks. New threat intelligence reports from April 13, 2026, underscore the ongoing nature of attacks, emphasizing the critical need for users to upgrade to version 0.23.0 without delay. The vulnerability continues to pose a significant risk, particularly for data science and machine learning environments, due to its unauthenticated RCE capabilities, leading to potential data theft and system compromise.",{"id":55,"slug":56,"headline":57,"title":58,"severity":59,"excerpt":60,"tags":61,"categories":70,"createdAt":73,"updatedAt":73,"readingTime":74,"isUpdate":75},"87848c07-ecfd-4ba0-afd2-fcb71f2390fe","phishing-campaign-targets-open-source-devs-via-slack-and-google-sites","Open-Source Devs Targeted in Sophisticated Phishing Attack Using Slack and Google Sites","Phishing Campaign Impersonates Linux Foundation on Slack to Steal Developer Credentials and Install Malicious Certificates","high","A sophisticated social engineering campaign is targeting open-source developers on Slack, with attackers impersonating a Linux Foundation official to gain trust. Victims are lured to a fake login page hosted on Google Sites to harvest their credentials. 
The attack then escalates by tricking the developer into installing a fake 'security certificate,' which is a malicious root certificate enabling the attacker to intercept encrypted traffic. The campaign, which targets members of prominent projects like CNCF, highlights the increasing focus of threat actors on compromising developers as a gateway into the software supply chain.",[62,63,64,65,66,67,68,69],"Phishing","Social Engineering","Open Source","Linux Foundation","Slack","Google Sites","Man-in-the-Middle","Root Certificate",[62,71,72],"Supply Chain Attack","Threat Actor","2026-04-14T15:00:00.000Z",7,false,{"id":77,"slug":78,"headline":79,"title":80,"severity":59,"excerpt":81,"tags":82,"categories":90,"createdAt":73,"updatedAt":73,"readingTime":74,"isUpdate":75},"cb36835a-a7b2-46f8-be6e-4ec107658747","onedigital-discloses-2025-supply-chain-breach-affecting-28000","OneDigital Discloses Supply-Chain Breach from 2025, 28,000 Individuals Impacted","OneDigital Investment Advisors Reveals 2025 Data Breach Affecting 28,414 Clients via Third-Party Chat App","Financial advisory firm OneDigital Investment Advisors has disclosed a data breach that occurred in August 2025, impacting 28,414 individuals. The incident was a supply-chain attack stemming from a vulnerability in the Drift online chat application, which was integrated into their former CRM platform, Salesloft. The breach, which exposed sensitive data including names and Social Security numbers, was discovered after their current CRM provider, Salesforce, alerted them. 
The significant delay between the breach in August 2025 and the notification in April 2026 highlights the complex and often delayed discovery process in supply-chain security incidents.",[71,83,84,85,86,87,88,89],"Data Breach","OneDigital","Salesforce","Drift","Delayed Disclosure","PII","SSN",[71,83,91],"Regulatory",{"id":93,"slug":94,"headline":95,"title":96,"severity":59,"excerpt":97,"tags":98,"categories":106,"createdAt":73,"updatedAt":73,"readingTime":74,"isUpdate":75},"b74fcc8f-e9f7-4534-9422-dd3fc263219e","hack-for-hire-spy-campaign-targets-phones-in-mena-region","Hack-for-Hire Espionage Campaign Linked to BITTER APT Targets Phones in MENA Region","BITTER APT-Linked 'Hack-for-Hire' Group Targets Journalists and Activists in MENA with Sophisticated Phishing","A large-scale, long-running cyber-espionage campaign is targeting journalists, activists, and officials, primarily in the Middle East and North Africa (MENA) region. The 'hack-for-hire' operation, linked by researchers to the BITTER APT group, uses sophisticated phishing and social engineering rather than zero-day exploits. Attackers use fake login pages to steal Apple ID credentials and deploy spyware disguised as legitimate apps on Android devices. The goal is espionage, with the attackers offering surveillance services to clients. 
The campaign highlights the continued effectiveness of credential phishing for compromising even high-value targets.",[99,100,101,62,102,103,104,105],"Hack-for-Hire","BITTER APT","Cyber Espionage","MENA","Journalists","Activists","Mobile Security",[72,62,26],{"id":108,"slug":109,"headline":110,"title":111,"severity":15,"excerpt":112,"tags":113,"categories":120,"createdAt":73,"updatedAt":73,"readingTime":8,"isUpdate":75},"fe2d17d3-2449-42ea-a4ac-cda9c6a6efea","utah-surgical-practice-rmas-breach-exposes-data-of-50000-patients","Utah Surgical Practice Data Leaked by 'PEAR' Ransomware; 50,000 Patients' SSNs and Financial Info Exposed","Rocky Mountain Associated Physicians Suffers Data Breach; PEAR Ransomware Group Leaks Data of 50,640 Patients","Rocky Mountain Associated Physicians (RMAP), a Utah-based surgical practice, has reported a data breach affecting 50,640 patients. A threat group calling itself 'PEAR' (Pure Extortion and Ransom) has claimed responsibility, and after its ransom demands were not met, it leaked the stolen data on the dark web. The compromised information is highly sensitive, including patient names, Social Security numbers, medical diagnoses, and in some cases, debit/credit card numbers with PINs. The public release of this data places affected patients at extreme risk of identity theft and fraud.",[114,83,115,116,117,88,118,119],"Ransomware","PEAR","Healthcare","HIPAA","PHI","Extortion",[114,83,72],{"id":122,"slug":123,"headline":124,"title":125,"severity":59,"excerpt":126,"tags":127,"categories":133,"createdAt":73,"updatedAt":73,"readingTime":134,"cves":135,"cvssScore":136,"isUpdate":75},"9061212d-0df0-4fe9-a1f9-bd95447f7b8d","cisa-adds-six-flaws-to-kev-catalog-including-fortinet-and-adobe","CISA KEV Update: Six Flaws Added, Including Critical Fortinet SQLi and Adobe RCE","CISA Adds Six Actively Exploited Vulnerabilities to KEV Catalog, Targeting Fortinet, Adobe, and Microsoft","The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added six vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, confirming they are under active attack. The list includes a critical SQL injection flaw in Fortinet FortiClient EMS (CVE-2026-21643) with a 9.1 CVSS score, and an older but still targeted use-after-free bug in Adobe Acrobat Reader (CVE-2020-9715). Federal agencies are mandated to patch these flaws by April 27, 2026, and CISA strongly urges all organizations to prioritize these updates to defend against ongoing threats.",[18,19,22,128,129,130,131,132,23],"Fortinet","Adobe","Microsoft","CVE-2026-21643","CVE-2020-9715",[22,23],6,[131,132],9.1,{"id":138,"slug":139,"headline":140,"title":141,"severity":15,"excerpt":142,"tags":143,"categories":151,"createdAt":73,"updatedAt":73,"readingTime":74,"isUpdate":75},"ee9033d1-6155-427b-a9e0-e7cc5eed8130","microsoft-365-tenant-lockout-after-unauthorized-admin-removal","Microsoft 365 Admins Locked Out of Tenant After Attacker Removes All Global Admin Roles","Business-Critical Incident: Attacker Achieves Tenant Lockout by Removing All Microsoft 365 Global Administrators","An organization has reported a 'business-critical security incident' after a malicious actor gained access to their Microsoft 365 tenant and systematically removed the 'Global Administrator' role from all assigned user accounts. This action resulted in a complete administrative lockout, preventing legitimate administrators from accessing the Microsoft 365 Admin Center and Microsoft Entra ID. The attack highlights a potent technique where attackers, after compromising a single privileged account, can cement their control and prevent remediation by decapitating the tenant's administrative structure. 
The organization is now reliant on Microsoft's Data Protection team to verify ownership and restore access.",[144,145,146,147,148,149,150],"Microsoft 365","Entra ID","Azure AD","Tenant Lockout","Cloud Security","Incident Response","Global Administrator",[152,26,148],"Security Operations",1776260667518]