[{"data":1,"prerenderedAt":176},["ShallowReactive",2],{"publication-daily-threat-publications-2026-04-20":3},{"pub_id":4,"headline":5,"summary":6,"pub_date":7,"total_articles":8,"articles":9},"pub-2026-04-20","CISA KEV Alerts, Windows Defender Exploits, and Axios Supply Chain Attack Dominate Threat Landscape","This week in cybersecurity, CISA added eight actively exploited vulnerabilities to its KEV catalog, demanding urgent patching for products from Cisco, JetBrains, and PaperCut. Security researchers confirmed that three exploits targeting Windows Defender, including two unpatched flaws, are being used in live attacks to gain SYSTEM-level privileges. A major supply chain attack compromised the popular Axios NPM library, injecting a remote access trojan into dependent applications. Other significant events include the discovery of the 'DarkSword' iPhone zero-day, new data breach claims from LockBit and ShinyHunters, and Microsoft's massive April Patch Tuesday addressing over 160 vulnerabilities.","2026-04-20",9,[10,36,58,88,111,124,139,153,164],{"id":11,"slug":12,"headline":13,"title":14,"severity":15,"excerpt":16,"tags":17,"categories":25,"createdAt":29,"updatedAt":30,"readingTime":31,"cves":32,"isUpdate":33,"updateSummary":34,"updateContent":35},"b81c4c0c-935e-4b66-8d6b-3904e5452ddd","anthropic-claude-mythos-ai-discovers-zero-day-vulnerabilities","Anthropic's \"Claude Mythos\" AI Discovers Thousands of Zero-Days, Public Release Withheld Over Security Risks","Anthropic's 'Claude Mythos' AI Uncovers Thousands of Critical Vulnerabilities, Prompting Unprecedented Defensive Coalition with Big Tech","critical","Artificial intelligence firm Anthropic has announced that its unreleased frontier model, 'Claude Mythos Preview,' has autonomously discovered thousands of high-severity zero-day vulnerabilities in major operating systems and software. Due to the immense security risks, the model is being withheld from public release. 
Instead, Anthropic has launched 'Project Glasswing,' a coalition with tech giants including Amazon Web Services, Apple, Google, and Microsoft, to use the AI for defensive purposes to secure critical software. The model has already identified decades-old flaws, including a critical remote code execution vulnerability (CVE-2026-4747) in FreeBSD's NFS server, fundamentally altering the landscape of vulnerability discovery.",[18,19,20,21,22,23,24],"AI","Artificial Intelligence","Zero-Day","Vulnerability Discovery","Project Glasswing","Anthropic","CVE-2026-4747",[26,27,28],"Threat Intelligence","Vulnerability","Other","2026-04-09T15:00:00.000Z","2026-04-20T00:00:00.000Z",6,[24],true,"Unit 42 research confirms frontier AI models autonomously find zero-days, posing immediate, large-scale threat to OSS and accelerating exploitation to N-hours.","Palo Alto Networks' Unit 42 independently validated that frontier AI models can autonomously discover zero-day vulnerabilities and complex exploit chains. Their research highlights a critical risk to open-source software (OSS) due to AI's ability to analyze source code, accelerating the vulnerability-to-exploitation timeline from N-days to N-hours. This lowers the barrier for attackers, predicting a surge in AI-driven supply chain attacks. 
Unit 42 details a hypothetical AI attack path, emphasizing the need for prevention-first security to counter machine-speed threats.",{"id":37,"slug":38,"headline":39,"title":40,"severity":41,"excerpt":42,"tags":43,"categories":49,"createdAt":53,"updatedAt":54,"readingTime":55,"isUpdate":33,"updateSummary":56,"updateContent":57},"eceb1dc5-2b06-4372-9d8c-cb86277a1f24","basic-fit-data-breach-exposes-member-personal-and-financial-details","Massive Basic-Fit Data Breach Exposes Personal and Financial Data of 1 Million Members","European Fitness Chain Basic-Fit Suffers Major Data Breach Affecting One Million Members","high","Basic-Fit, Europe's largest fitness chain, has disclosed a data breach affecting approximately one million members across several European countries. The compromised data includes sensitive personal information such as full names, addresses, phone numbers, and bank account details. The attack targeted the system used for member visit registration. While the company states its monitoring tools detected and stopped the intrusion 'within minutes,' the attackers had already exfiltrated a large volume of data. Basic-Fit has notified the Dutch Data Protection Authority and is in the process of informing affected members, who now face a significant risk of targeted phishing campaigns and financial fraud.",[44,45,46,47,48],"PII","GDPR","financial fraud","phishing","Netherlands",[50,51,52],"Data Breach","Phishing","Regulatory","2026-04-13T15:00:00.000Z","2026-04-20T12:00:00.000Z",5,"Update clarifies Basic-Fit breach did not compromise passwords or ID documents, confirming specific intrusion date.","New information regarding the Basic-Fit data breach confirms that while personal and financial details of nearly one million members were exfiltrated, passwords and identification documents were not compromised as they were stored in a separate system. 
The intrusion occurred on April 13, 2026, with attackers gaining brief access to a system recording member visits. This clarification slightly refines the scope of the compromised data, reducing the risk of direct account takeover via stolen credentials, though the primary threat of targeted phishing and financial fraud using bank account details remains high.",{"id":59,"slug":60,"headline":61,"title":62,"severity":15,"excerpt":63,"tags":64,"categories":73,"createdAt":76,"updatedAt":54,"readingTime":55,"cves":77,"cvssScore":85,"isUpdate":33,"updateSummary":86,"updateContent":87},"14f46649-6f18-44ea-92dd-420793606564","microsoft-april-2026-patch-tuesday-fixes-167-flaws-including-two-zero-days","Microsoft's Colossal April 2026 Patch Tuesday: 167 Flaws Patched, Two Zero-Days Under Fire","Microsoft's April 2026 Patch Tuesday Addresses 167 Vulnerabilities, Including Actively Exploited SharePoint Flaw and Publicly Disclosed Defender Bug","Microsoft has released one of its largest security updates ever for April 2026, patching 167 vulnerabilities across its product ecosystem. The update is critically important, as it addresses two zero-day vulnerabilities: an actively exploited spoofing flaw in SharePoint Server (CVE-2026-32201) which has been added to CISA's KEV catalog, and a publicly disclosed privilege escalation flaw in Microsoft Defender (CVE-2026-33825). 
The update also fixes eight critical vulnerabilities, including a CVSS 9.8 RCE flaw in the Windows IKE Service (CVE-2026-33824), underscoring the urgent need for organizations to apply these patches immediately.",[65,20,66,67,68,69,70,71,72],"Patch Tuesday","Microsoft","SharePoint","Microsoft Defender","CVE-2026-32201","CVE-2026-33825","CISA","KEV",[74,27,75],"Patch Management","Cyberattack","2026-04-15T15:00:00.000Z",[69,70,78,79,80,81,82,83,84],"CVE-2026-33824","CVE-2026-33827","CVE-2026-23666","CVE-2026-32157","CVE-2026-32190","CVE-2026-33114","CVE-2026-33826",9.8,"New critical RCEs in Active Directory and RDP Client were disclosed. Adobe also released patches for 56 flaws, including an actively exploited Acrobat Reader RCE.","The April 2026 Patch Tuesday update now includes fixes for additional critical vulnerabilities. These include CVE-2026-33826, a Remote Code Execution (RCE) flaw in Windows Active Directory, and CVE-2026-32157, an RCE vulnerability affecting the Remote Desktop Client. Exploitation of the AD flaw could lead to full network compromise, while the RDP client bug could allow code execution on a user's machine when it connects to a malicious server. Furthermore, Adobe released its own set of patches for 56 vulnerabilities, most notably CVE-2026-34621, a critical RCE in Acrobat Reader that has been actively exploited since November 2025. 
New cyber observables for these threats have also been provided, emphasizing the need for urgent patching across all affected systems.",{"id":89,"slug":90,"headline":91,"title":92,"severity":15,"excerpt":93,"tags":94,"categories":99,"createdAt":100,"updatedAt":100,"readingTime":55,"cves":101,"isUpdate":110},"b44bb6f4-1363-4079-8b25-13b99d42d545","cisa-adds-eight-actively-exploited-vulnerabilities-to-kev-catalog","CISA Mandates Urgent Patching for Eight Actively Exploited Flaws in Cisco, JetBrains, and More","CISA Adds Eight Actively Exploited Vulnerabilities to KEV Catalog, Requiring Federal Action","The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has expanded its Known Exploited Vulnerabilities (KEV) catalog by adding eight new security flaws affecting a range of enterprise products. The vulnerabilities, found in software from Cisco, PaperCut, JetBrains, Kentico, Quest, and Synacor, are confirmed to be under active exploitation. This action mandates that Federal Civilian Executive Branch (FCEB) agencies apply patches by a specified deadline to mitigate significant risk. The additions include critical issues such as improper authentication, path traversal, and exposure of sensitive information, highlighting a persistent threat to both public and private sector networks. 
CISA strongly advises all organizations to prioritize the remediation of these vulnerabilities to defend against ongoing cyberattacks.",[72,71,95,96,97,98],"Vulnerability Management","Patching","Active Exploitation","BOD 22-01",[27,74,26],"2026-04-20T15:00:00.000Z",[102,103,104,105,106,107,108,109],"CVE-2026-20122","CVE-2026-20128","CVE-2026-20133","CVE-2023-27351","CVE-2024-27199","CVE-2025-2749","CVE-2025-32975","CVE-2025-48700",false,{"id":112,"slug":113,"headline":114,"title":115,"severity":41,"excerpt":116,"tags":117,"categories":122,"createdAt":100,"updatedAt":100,"readingTime":55,"isUpdate":110},"8183148b-a38f-4502-9b47-1fbac18250d4","exploitation-surges-found-to-precede-public-cve-disclosure","Attackers Exploit Flaws Weeks Before CVEs Are Published, Report Finds","Report Finds Vulnerability Exploitation Surges Weeks Before Public Disclosure","A new report from internet intelligence firm GreyNoise reveals a concerning trend: significant spikes in scanning and exploitation activity for software vulnerabilities often occur weeks, and sometimes over a month, before the flaws are publicly disclosed. The research, analyzing traffic from late 2025 to early 2026, found that approximately half of the observed activity surges were followed by a corresponding CVE disclosure within three weeks. High-profile examples include vulnerabilities in Cisco, VMware, and MikroTik products being exploited 39, 36, and 24 days respectively before public announcement. 
This 'pre-disclosure' exploitation gives attackers a significant head start and suggests that monitoring for anomalous network traffic can serve as a crucial early warning system for defenders, enabling proactive defense even before patches are available.",[118,20,119,26,120,121],"GreyNoise","Vulnerability Disclosure","Proactive Defense","Scanning",[26,27,123],"Security Operations",{"id":125,"slug":126,"headline":127,"title":128,"severity":15,"excerpt":129,"tags":130,"categories":137,"createdAt":100,"updatedAt":100,"readingTime":31,"isUpdate":110},"7655194c-8843-450e-a459-83f782b7c577","darksword-iphone-zero-day-exploit-found-on-ukrainian-court-website","Sophisticated 'DarkSword' iPhone Zero-Day Exploit Found For Sale on Hacked Ukrainian Websites","'DarkSword' iPhone Zero-Day Exploit Framework Discovered on Compromised Ukrainian Websites","A sophisticated, fileless iPhone zero-day exploit framework named 'DarkSword' has been discovered hosted on two compromised Ukrainian websites, including the official site of the Seventh Administrative Court of Appeals. A joint investigation by iVerify, Lookout, and Google's Threat Intelligence Group uncovered the framework, which is described as 'cleanly organized' and designed for easy repurposing and distribution. The exploit affects a wide range of iPhone models and its fileless nature makes it extremely difficult to detect. 
Most alarmingly, the framework appeared to be for sale to any interested buyer, posing a severe threat to high-risk individuals like journalists, activists, and government officials worldwide who rely on iPhones for secure communication.",[131,20,132,133,134,135,136],"iPhone","Spyware","DarkSword","Fileless Malware","Ukraine","Watering Hole Attack",[27,75,138],"Threat Actor",{"id":140,"slug":141,"headline":142,"title":143,"severity":41,"excerpt":144,"tags":145,"categories":152,"createdAt":100,"updatedAt":100,"readingTime":55,"isUpdate":110},"e3bc80f3-ed10-4986-92e7-ff8b895b3971","lockbit-shinyhunters-claim-breaches-at-citizens-bank-canada-life","LockBit, ShinyHunters, and Everest Claim Major Breaches at Citizens Bank, Canada Life, and Law Firm","LockBit, ShinyHunters, and Everest Claim Breaches at Citizens Bank, Canada Life, and a Major Law Firm","Prominent threat groups LockBit, ShinyHunters, and Everest have claimed responsibility for several high-profile data breaches, according to dark web monitoring services. The LockBit ransomware gang has allegedly exfiltrated and posted data from Bardehle Pagenberg, a major European patent law firm, raising alarms about the potential exposure of intellectual property. Concurrently, the data-theft extortion group ShinyHunters claimed a breach at Canada Life, a large insurance provider, while the Everest group claimed an attack on Citizens Bank, a major U.S. retail bank. 
While the claims are still being verified, these groups' track records make them credible, placing customers and clients of the affected organizations at significant risk of fraud and identity theft.",[146,147,148,50,149,150,151],"LockBit","ShinyHunters","Everest","Ransomware","Dark Web","Financial Services",[50,149,138],{"id":154,"slug":155,"headline":156,"title":157,"severity":41,"excerpt":158,"tags":159,"categories":163,"createdAt":100,"updatedAt":100,"readingTime":55,"isUpdate":110},"58affd4f-ee74-49ca-82f3-0ab084548f40","columbia-bank-discloses-prolonged-data-breach","Columbia Bank Discloses Three-Month Data Breach After Unauthorized System Access","Columbia Bank Notifies Customers of Data Breach Spanning Nearly Three Months","Columbia Bank, a prominent financial institution in the Western U.S., has begun notifying customers of a prolonged data breach that occurred in late 2025. According to notification letters, an unauthorized third party had access to certain internal bank applications from October 2 to December 22, 2025. After discovering the intrusion, the bank hired an external forensics firm, but the investigation to determine the full scope of compromised data was not completed until March 6, 2026. This significant delay between the incident and notification has raised concerns. While the bank has not publicly detailed the specific data types exposed, the lengthy access period suggests a risk of exposure for sensitive personal and financial information. 
Attorneys are now investigating the incident for a potential class-action lawsuit.",[50,151,160,161,162],"Incident Response","Dwell Time","Class Action",[50,160,138],{"id":165,"slug":166,"headline":167,"title":168,"severity":41,"excerpt":169,"tags":170,"categories":175,"createdAt":100,"updatedAt":100,"readingTime":55,"isUpdate":110},"02393807-5f14-4a3c-aea2-2c2ac73a643a","tennessee-hospital-notifies-337000-of-breach-after-rhysida-ransomware-attack","Tennessee Hospital Notifies 337,000 Patients of Data Breach, Nine Months After Rhysida Ransomware Attack","Tennessee Hospital Notifies 337,000 Patients of Data Breach, Months After Rhysida Ransomware Attack","Cookeville Regional Medical Center (CRMC) in Tennessee has begun notifying 337,917 individuals that their sensitive personal and medical data was stolen in a ransomware attack that occurred in July 2025. The notification letters, sent out nine months after the breach, confirm an attack by the Rhysida ransomware group. In August 2025, Rhysida claimed responsibility on its dark web leak site, stating it had stolen 500GB of data, including over 370,000 files. The compromised information is highly sensitive, potentially including Social Security numbers, financial details, and medical records. Although the group tried to sell the data and later leaked it for free, the hospital stated it has 'no evidence' of data misuse, a claim met with skepticism by security experts. CRMC is offering 12 months of identity protection services.",[149,171,172,50,173,174],"Rhysida","Healthcare","HIPAA","Double Extortion",[149,50,138],1776724729064]