Windows Defender Zero-Days Actively Exploited, Global DDoS Takedown, and Major Data Breaches at McGraw Hill &amp; Amtrak

McGraw Hill Confirms Breach of 13.5 Million Accounts; ShinyHunters Claims Attack via Salesforce Misconfiguration

Educational publishing giant McGraw Hill has confirmed a significant data breach exposing the personal information of 13.5 million unique email accounts. The incident was caused by a misconfigured webpage hosted on the Salesforce platform. The cybercrime group 'ShinyHunters' claimed responsibility, initially threatening to leak 45 million records before publicly distributing a 100GB dataset containing names, physical addresses, and phone numbers. The breach highlights the critical risk of supply chain and third-party platform security, as McGraw Hill's core internal systems were not compromised.

Data BreachSalesforceMisconfigurationShinyHuntersEducation +1 more

McGraw Hill Data Breach Exposes 13.5 Million Accounts After Salesforce Misconfiguration

New 'NBLOCK' Ransomware Emerges, Using AES-256 Encryption and Tor for Anonymous Extortion

Researchers Analyze New 'NBLOCK' Ransomware Strain Focusing on Encryption and Anonymity

Security researchers at CYFIRMA have identified a new ransomware family named 'NBLOCK.' The malware encrypts victim files using AES-256, appends a '.NBLock' extension, and drops a ransom note named 'README_NBLOCK.txt'. Unlike some modern ransomware that focuses on data exfiltration, NBLOCK appears to be a more traditional file-encrypting strain, coercing victims to pay for a decryption key. All communication with the threat actors is handled through an anonymous Tor-based negotiation portal. Its distribution vectors are believed to be standard methods like phishing and malicious downloads.

RansomwareNBLOCKAES-256TorData Encryption +2 more

New 'NBLOCK' Ransomware Emerges, Using AES-256 Encryption and Tor for Anonymous Extortion

Stealthy 'PowMix' Botnet Targets Czech Workforce with Evasive C2 Communications

New 'PowMix' Botnet Campaign Discovered Targeting Workers in Czech Republic

Researchers at Cisco Talos have uncovered a new botnet named 'PowMix,' which has been targeting the workforce in the Czech Republic since at least December 2025. The malware is delivered via phishing emails containing malicious LNK files and uses PowerShell for in-memory execution. PowMix is designed for stealth, employing randomized command-and-control (C2) beaconing intervals and embedding encrypted data into URL paths to mimic legitimate API traffic and evade network signature-based detection. The campaign targets professionals in HR, legal, and recruitment with compliance-themed lures.

BotnetPowMixPowerShellC2Cisco Talos +2 more

Stealthy 'PowMix' Botnet Targets Czech Workforce with Evasive C2 Communications

Mozambique Passes Sweeping Cybersecurity and Cybercrime Laws to Combat Rising Digital Threats

INFORMATIONAL

Mozambique Parliament Approves New National Cybersecurity and Cybercrime Legislation

Mozambique's Parliament, the Assembly of the Republic, has approved two landmark laws to establish a national cybersecurity framework and combat cybercrime. The legislation comes in response to a sharp increase in cyberattacks, with over 173,000 incidents recorded in 2024. The new framework will create a national regulatory authority, mandate specific security measures for both public and private sector entities, and introduce fines for non-compliance. The move is a significant step in securing the nation's digital infrastructure and aligning with international standards.

MozambiqueCybersecurity LawRegulationCybercrimeGovernment +1 more

Mozambique Passes Sweeping Cybersecurity and Cybercrime Laws to Combat Rising Digital Threats

Phishing Campaign Abuses Legitimate SimpleHelp RMM Tool via Fake DHL 'Shipment Arrived' Emails

Fake DHL Phishing Emails Drop SimpleHelp Remote Access Tool for Backdoor Access

A new phishing campaign is targeting businesses with convincing emails impersonating the shipping company DHL. The emails, with subject lines like 'Your shipment has arrived,' trick recipients into opening a malicious PDF attachment. Clicking a button within the PDF downloads a Windows screensaver file (.scr) which is a disguised installer for SimpleHelp, a legitimate remote monitoring and management (RMM) tool. The installer is pre-configured to connect to an attacker-controlled server, effectively giving the threat actors a persistent backdoor into the victim's network for further malicious activity.

PhishingDHLSimpleHelpRMMRemote Access +1 more

Phishing Campaign Abuses Legitimate SimpleHelp RMM Tool via Fake DHL 'Shipment Arrived' Emails

Two U.S. Senior Care Providers Disclose Data Breaches by Sinobi and Worldleaks Ransomware Gangs

Windward Life Care and Legend Senior Living Report Data Breaches from 2025 Ransomware Attacks

Two providers of senior care services, Windward Life Care in California and Legend Senior Living in Kansas, have disclosed data breaches resulting from ransomware attacks that occurred in 2025. The ransomware groups Sinobi and Worldleaks have claimed responsibility, respectively. Both incidents involved data exfiltration followed by encryption, with the stolen data later being leaked on the dark web. The compromised information is highly sensitive, including names, Social Security numbers, financial data, and protected health information (PHI) of a vulnerable population.

RansomwareHealthcareData BreachSinobiWorldleaks +2 more

Two U.S. Senior Care Providers Disclose Data Breaches by Sinobi and Worldleaks Ransomware Gangs

Critical 'NomShub' Vulnerability in Cursor AI Editor Allows for Complete Developer Machine Hijacking

CRITICAL

Vulnerability Chain in Cursor AI Editor Risks Developer Hijacking via Malicious Repository

A critical set of vulnerabilities in the Cursor AI coding editor, collectively named 'NomShub' by researchers at Straiker, could allow an attacker to gain full remote shell access to a developer's machine. The attack requires no user interaction beyond the victim opening a malicious code repository in the editor. The vulnerability chain combines a prompt injection with a command sandbox bypass, allowing the attacker to write malicious code and then abuse Cursor's remote tunnel feature for RCE. The attack is particularly stealthy as it routes traffic through legitimate Microsoft Azure infrastructure.

VulnerabilityCursor AIRCEDeveloper SecurityAI +2 more

Critical 'NomShub' Vulnerability in Cursor AI Editor Allows for Complete Developer Machine Hijacking

Updated Articles (2)

Researcher Leaks 'BlueHammer' Windows Zero-Day Exploit on GitHub After Dispute with Microsoft

CRITICAL

Unpatched 'BlueHammer' Windows Zero-Day Exploit for Privilege Escalation Leaked Publicly, Affecting All Modern Windows Versions

Update:

The original 'BlueHammer' zero-day has been patched by Microsoft as CVE-2026-33825. However, the same researcher has disclosed two new unpatched zero-days: 'RedSun', a local privilege escalation (LPE) to SYSTEM, and 'UnDefend', which disables Microsoft Defender updates. All three exploits, including the patched 'BlueHammer', are now confirmed to be actively exploited in the wild by hands-on-keyboard attackers, as reported by Huntress Labs. This significantly escalates the threat, as attackers can gain full system control and evade detection even on patched systems.

April 9, 2026

Updated: April 17, 2026

Zero-DayWindowsBlueHammerLPEPrivilege Escalation +2 more

Researcher Leaks 'BlueHammer' Windows Zero-Day Exploit on GitHub After Dispute with Microsoft

ShinyHunters Claims Amtrak Breach, Threatens to Leak 9.4M Records

ShinyHunters Hacking Group Claims Breach of Amtrak, Threatens to Leak 9.4 Million Records

Update:

ShinyHunters has publicly leaked over 2.1 million Amtrak customer records on April 17, 2026, confirming the previously threatened breach. The leaked dataset includes unique email addresses, names, and physical addresses, and has been ingested by services like Have I Been Pwned. This development escalates the incident from a claimed threat to a verified data exposure, significantly increasing the impact on affected individuals. The breach continues to be attributed to a compromised Salesforce environment, consistent with the group's recent tactics.

April 16, 2026

Updated: April 17, 2026