CISA KEV Alerts, Windows Defender Exploits, and Axios Supply Chain Attack Dominate Threat Landscape

CISA Adds Eight Actively Exploited Vulnerabilities to KEV Catalog, Requiring Federal Action

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has expanded its Known Exploited Vulnerabilities (KEV) catalog by adding eight new security flaws affecting a range of enterprise products. The vulnerabilities, found in software from Cisco, PaperCut, JetBrains, Kentico, Quest, and Synacor, are confirmed to be under active exploitation. This action mandates that Federal Civilian Executive Branch (FCEB) agencies apply patches by a specified deadline to mitigate significant risk. The additions include critical issues such as improper authentication, path traversal, and exposure of sensitive information, highlighting a persistent threat to both public and private sector networks. CISA strongly advises all organizations to prioritize the remediation of these vulnerabilities to defend against ongoing cyberattacks.

KEVCISAVulnerability ManagementPatchingActive Exploitation +1 more

CISA Mandates Urgent Patching for Eight Actively Exploited Flaws in Cisco, JetBrains, and More

Patch Management

Threat Intelligence

Attackers Exploit Flaws Weeks Before CVEs Are Published, Report Finds

Report Finds Vulnerability Exploitation Surges Weeks Before Public Disclosure

A new report from internet intelligence firm GreyNoise reveals a concerning trend: significant spikes in scanning and exploitation activity for software vulnerabilities often occur weeks, and sometimes over a month, before the flaws are publicly disclosed. The research, analyzing traffic from late 2025 to early 2026, found that approximately half of the observed activity surges were followed by a corresponding CVE disclosure within three weeks. High-profile examples include vulnerabilities in Cisco, VMware, and MikroTik products being exploited 39, 36, and 24 days respectively before public announcement. This 'pre-disclosure' exploitation gives attackers a significant head start and suggests that monitoring for anomalous network traffic can serve as a crucial early warning system for defenders, enabling proactive defense even before patches are available.

GreyNoiseZero-DayVulnerability DisclosureThreat IntelligenceProactive Defense +1 more

Attackers Exploit Flaws Weeks Before CVEs Are Published, Report Finds

Threat Intelligence

Security Operations

Sophisticated 'DarkSword' iPhone Zero-Day Exploit Found For Sale on Hacked Ukrainian Websites

'DarkSword' iPhone Zero-Day Exploit Framework Discovered on Compromised Ukrainian Websites

A sophisticated, fileless iPhone zero-day exploit framework named 'DarkSword' has been discovered hosted on two compromised Ukrainian websites, including the official site of the Seventh Administrative Court of Appeals. A joint investigation by iVerify, Lookout, and Google's Threat Intelligence Group uncovered the framework, which is described as 'cleanly organized' and designed for easy repurposing and distribution. The exploit affects a wide range of iPhone models and its fileless nature makes it extremely difficult to detect. Most alarmingly, the framework appeared to be for sale to any interested buyer, posing a severe threat to high-risk individuals like journalists, activists, and government officials worldwide who rely on iPhones for secure communication.

iPhoneZero-DaySpywareDarkSwordFileless Malware +2 more

6 min read

Sophisticated 'DarkSword' iPhone Zero-Day Exploit Found For Sale on Hacked Ukrainian Websites

Cyberattack

LockBit and ShinyHunters Claim Major Breaches at Citizens Bank, Canada Life, and Law Firm

LockBit and ShinyHunters Post Data from Citizens Bank, Canada Life, and a Major Law Firm

Prominent threat groups LockBit and ShinyHunters have claimed responsibility for several high-profile data breaches, according to dark web monitoring services. The LockBit ransomware gang has allegedly exfiltrated and posted data from Bardehle Pagenberg, a major European patent law firm, raising alarms about the potential exposure of intellectual property. Concurrently, the data broker group ShinyHunters claimed a breach at Canada Life, a large insurance provider, while another group named Everest claimed an attack on Citizens Bank, a major U.S. retail bank. While the claims are still being verified, the history of these groups suggests a high probability of legitimacy, placing customers and clients of the affected organizations at significant risk of fraud and identity theft.

LockBitShinyHuntersEverestData BreachRansomware +2 more

LockBit and ShinyHunters Claim Major Breaches at Citizens Bank, Canada Life, and Law Firm

Ransomware

Columbia Bank Discloses Three-Month Data Breach After Unauthorized System Access

Columbia Bank Notifies Customers of Data Breach Spanning Nearly Three Months

Columbia Bank, a prominent financial institution in the Western U.S., has begun notifying customers of a prolonged data breach that occurred in late 2025. According to notification letters, an unauthorized third party had access to certain internal bank applications from October 2 to December 22, 2025. After discovering the intrusion, the bank hired an external forensics firm, but the investigation to determine the full scope of compromised data was not completed until March 6, 2026. This significant delay between the incident and notification has raised concerns. While the bank has not publicly detailed the specific data types exposed, the lengthy access period suggests a risk of exposure for sensitive personal and financial information. Attorneys are now investigating the incident for a potential class-action lawsuit.

Data BreachFinancial ServicesIncident ResponseDwell TimeClass Action

Incident Response

Tennessee Hospital Notifies 337,000 Patients of Data Breach, Nine Months After Rhysida Ransomware Attack

Tennessee Hospital Notifies 337,000 Patients of Data Breach, Months After Rhysida Ransomware Attack

Cookeville Regional Medical Center (CRMC) in Tennessee has begun notifying 337,917 individuals that their sensitive personal and medical data was stolen in a ransomware attack that occurred in July 2025. The notification letters, sent out nine months after the breach, confirm an attack by the Rhysida ransomware group. In August 2025, Rhysida claimed responsibility on its dark web leak site, stating it had stolen 500GB of data, including over 370,000 files. The compromised information is highly sensitive, potentially including Social Security numbers, financial details, and medical records. Despite the group's attempt to sell the data and later leaking it for free, the hospital stated it has 'no evidence' of data misuse, a claim met with skepticism by security experts. CRMC is offering 12 months of identity protection services.

RansomwareRhysidaHealthcareData BreachHIPAA +1 more

Ransomware

Updated Articles (3)

Massive Basic-Fit Data Breach Exposes Personal and Financial Data of 1 Million Members

European Fitness Chain Basic-Fit Suffers Major Data Breach Affecting One Million Members

Update:

New information regarding the Basic-Fit data breach confirms that while personal and financial details of nearly one million members were exfiltrated, passwords and identification documents were not compromised as they were stored in a separate system. The intrusion occurred on April 13, 2026, with attackers gaining brief access to a system recording member visits. This clarification slightly refines the scope of the compromised data, reducing the risk of direct account takeover via stolen credentials, though the primary threat of targeted phishing and financial fraud using bank account details remains high.

April 13, 2026

Updated: April 20, 2026

PIIGDPRfinancial fraudphishingNetherlands

Phishing

Regulatory

Microsoft's Colossal April 2026 Patch Tuesday: 167 Flaws Patched, Two Zero-Days Under Fire

Microsoft's April 2026 Patch Tuesday Addresses 167 Vulnerabilities, Including Actively Exploited SharePoint Flaw and Publicly Disclosed Defender Bug

Update:

The April 2026 Patch Tuesday update now includes fixes for additional critical vulnerabilities. These include CVE-2026-33826, a Remote Code Execution (RCE) flaw in Windows Active Directory, and CVE-2026-32157, an RCE vulnerability affecting the Remote Desktop Client. Exploitation of the AD flaw could lead to full network compromise, while the RDP client bug could allow code execution on a user's machine by connecting to a malicious server. Furthermore, Adobe released its own set of patches for 56 vulnerabilities, most notably CVE-2026-34621, a critical RCE in Acrobat Reader that has been actively exploited since November 2025. New cyber observables for these threats have also been provided, emphasizing the need for urgent patching across all affected systems.

April 15, 2026

Updated: April 20, 2026

Patch TuesdayZero-DayMicrosoftSharePointMicrosoft Defender +4 more

Microsoft's Colossal April 2026 Patch Tuesday: 167 Flaws Patched, Two Zero-Days Under Fire

Patch Management

Cyberattack

Anthropic's "Claude Mythos" AI Discovers Thousands of Zero-Days, Public Release Withheld Over Security Risks

AIArtificial IntelligenceZero-DayVulnerability DiscoveryProject Glasswing +2 more

Anthropic's 'Claude Mythos' AI Uncovers Thousands of Critical Vulnerabilities, Prompting Unprecedented Defensive Coalition with Big Tech

Update:

Palo Alto Networks' Unit 42 independently validated that frontier AI models can autonomously discover zero-day vulnerabilities and complex exploit chains. Their research highlights a critical risk to open-source software (OSS) due to AI's ability to analyze source code, accelerating the vulnerability-to-exploitation timeline from N-days to N-hours. This lowers the barrier for attackers, predicting a surge in AI-driven supply chain attacks. Unit 42 details a hypothetical AI attack path, emphasizing the need for prevention-first security to counter machine-speed threats.

April 9, 2026

Updated: April 20, 2026

6 min read

Anthropic's "Claude Mythos" AI Discovers Thousands of Zero-Days, Public Release Withheld Over Security Risks

Threat Intelligence