A global utility infrastructure vendor disclosed unauthorized access to its corporate IT systems via SEC 8-K filing, creating potential supply chain exposure for electricity, gas, and water utilities running its smart metering and grid management products. A new threat group (UNC6692) is deploying the three-component Snow malware suite — Snowbelt browser extension, Snowglaze tunneler, and Snowbasin backdoor — for deep persistent access via social engineering. Four new KEV additions include a CVSS 9.9 privilege escalation in SimpleHelp remote support software used by managed service providers. A second medical device company disclosed a breach, confirming the sector as a target category. Firefox 150 and Tor 15.0.10 patch CVE-2026-6770 in the shared browser engine.

• ttps://www.securityweek.com/itron-8k-sec-filing-unauthorized-access/
• https://www.bleepingcomputer.com/news/security/unc6692-snow-malware-suite-browser-tunneler-backdoor/
• https://thehackernews.com/2026/04/cisa-adds-4-exploited-flaws-simplehelp-samsung-dlink.html
• https://www.bleepingcomputer.com/news/security/medtronic-breach-corporate-it-systems/
• https://www.securityweek.com/firefox-150-tor-15-cve-2026-6770/
• https://www.cybermaterial.com/p/cyber-briefing-20260427
• https://www.bleepingcomputer.com/news/security/new-checkmarx-supply-chain-breach-affects-kics-analysis-tool/
• https://www.cisa.gov/known-exploited-vulnerabilities-catalog

TeamPCP struck Checkmarx for the second time in a month, poisoning official Docker Hub images (KICS), VS Code extensions, and GitHub Actions — then reaching Bitwarden CLI v2026.4.0 through the compromised pipeline. The attack is a self-propagating worm using stolen GitHub credentials to inject malicious workflows across repositories. Blast radius spans Docker Hub, VS Code, Open VSX, GitHub Actions, npm, and a major password manager. LMDeploy, an AI LLM deployment toolkit, was exploited within 13 hours of disclosure (CVE-2026-33626, CVSS 7.5) — the fourth AI platform exploitation tracked after Langflow, Flowise, and Marimo. A newly documented threat group uses Discord, Slack, and M365 Outlook as covert C2 channels via the Microsoft Graph API. Commercial shipping vessels were seized in the Strait of Hormuz, escalating physical supply chain risk for Gulf enterprises.

• https://thehackernews.com/2026/04/malicious-kics-docker-images-and-vs.html
• https://thehackernews.com/2026/04/bitwarden-cli-compromised-in-ongoing.html
• https://www.docker.com/blog/trivy-kics-and-the-shape-of-supply-chain-attacks-so-far-in-2026/
• https://www.bleepingcomputer.com/news/security/new-checkmarx-supply-chain-breach-affects-kics-analysis-tool/
• https://socket.dev/blog/checkmarx-supply-chain-compromise
• https://thehackernews.com/2026/04/lmdeploy-ssrf-cve-2026-33626-exploited.html
• https://thehackernews.com/2026/04/gopherwhisper-apt-discord-slack-outlook-c2.html
• https://cybernews.com/security/checkmarx-popular-tools-spread-credential-stealing-malware/

A board-level strategic briefing synthesizing the week that confirmed the AI cyber arms race is live. Two frontier AI companies shipped cyber-specialized models within nine days of each other. A twelve-company coalition committed $100M. Mandiant M-Trends reports 22-second adversary handoff times while CrowdStrike tracks 29-minute eCrime breakout — both shrinking. A CVSS 9.8 authentication bypass in the Model Context Protocol proves the AI agent integration layer is being deployed with default-open configurations. AI coding tools correlate with a 4x spike in critical findings — AI is simultaneously finding and creating more vulnerabilities. And automated voice phishing using human operators and AI agents has launched as a platform. Four board-level questions address machine-speed SOC operations, AI agent protocol governance, AI-generated code scrutiny, and social engineering defense updates.

• https://www.anthropic.com/glasswing
• https://thehackernews.com/2026/04/openai-gpt-54-cyber-defensive-model.html
• https://thehackernews.com/2026/04/nginx-ui-mcp-auth-bypass-cve-2026-33032.html
• https://thehackernews.com/2026/04/mandiant-m-trends-2026-22-second-handoff.html
• https://www.crowdstrike.com/global-threat-report/
• https://thehackernews.com/2026/04/ai-coding-tools-critical-findings-quadrupling.html
• https://www.bleepingcomputer.com/news/security/athr-voice-phishing-platform-ai-agents/
• https://www.darktrace.com/blog/the-state-of-ai-cybersecurity-2026

A rival AI company officially launched GPT-5.4-Cyber, a frontier model optimized for defensive cybersecurity, days after Project Glasswing — making the AI cyber arms race live with two competing frontier models now shipping for enterprise security. A critical authentication bypass (CVE-2026-33032, CVSS 9.8) was discovered in the Model Context Protocol (MCP) integration for nginx-ui, allowing any network attacker to invoke all MCP tools without authentication. Patch Tuesday zero-days identified: CVE-2026-32201 (SharePoint spoofing, in KEV, deadline April 28) and CVE-2026-33825 (Defender privilege escalation to SYSTEM, the "BlueHammer" disclosure). A new cybercrime platform ATHR offers fully automated voice phishing using human operators and AI agents. Attackers are exploiting Marimo Python notebooks to deploy NKAbuse malware hosted on Hugging Face Spaces.

• https://thehackernews.com/2026/04/openai-gpt-54-cyber-defensive-model.html
• https://thehackernews.com/2026/04/nginx-ui-mcp-auth-bypass-cve-2026-33032.html
• https://www.securityweek.com/microsoft-patches-exploited-sharepoint-zero-day-and-160-other-vulnerabilities/
• https://www.bleepingcomputer.com/news/security/athr-voice-phishing-platform-ai-agents/
• https://www.bleepingcomputer.com/news/security/marimo-python-notebook-nkabuse-hugging-face/
• https://www.integrity360.com/cyber-news-roundup-april-17th-2026
• https://www.anthropic.com/glasswing
• https://www.cisa.gov/known-exploited-vulnerabilities-catalog

Mandiant's M-Trends 2026 reports adversary handoff times have collapsed to 22 seconds. CrowdStrike's Global Threat Report puts average eCrime breakout at 29 minutes. Six new KEV additions today include FortiClient EMS CVE-2026-21643, Adobe Acrobat Reader, Microsoft Exchange, and Windows CLFS — all under active exploitation with an April 27 patch deadline. A major AI company rotated macOS certificates after its build environment consumed the compromised Axios library — the state-linked supply chain attack is reaching AI infrastructure. ViperTunnel, a Python-based backdoor, has been linked to DragonForce ransomware targeting Windows servers. A state-linked espionage group is targeting journalists via Signal/Google/Zoom lures through professional networking platforms. An email provider breach exposed 40M+ records including corporate and diplomatic communication metadata.

• https://thehackernews.com/2026/04/cisa-adds-6-known-exploited-flaws-in.html
• https://thehackernews.com/2026/04/mandiant-m-trends-2026-22-second-handoff.html
• https://www.crowdstrike.com/global-threat-report/
• https://hackread.com/vipertunnel-dragonforce-ransomware-windows-servers/
• https://hackread.com/openai-rotates-macos-certificates-axios-compromise/
• https://hackread.com/bitter-apt-journalists-signal-zoom-spearphishing/
• https://cybernews.com/email-provider-leak-40-million-records/
• https://www.cisa.gov/known-exploited-vulnerabilities-catalog

Attackers hijacked the update infrastructure for Smart Slider 3 Pro (800K+ WordPress installations) and pushed a fully weaponized remote access toolkit through the official update channel for approximately six hours. Adobe released an emergency patch for CVE-2026-34621 (CVSS 8.6), a prototype pollution flaw in Acrobat Reader under active exploitation via malicious PDFs. The GlassWorm campaign evolved with a Zig-compiled dropper targeting multiple developer IDEs simultaneously. Google shipped Device Bound Session Credentials (DBSC) in Chrome 146, binding session cookies to hardware TPM to block infostealer session replay. Thousands of internet-exposed Rockwell PLCs were confirmed, expanding the OT attack surface quantification.

• https://thehackernews.com/2026/04/smart-slider-3-pro-wordpress-update-hijack.html
• https://thehackernews.com/2026/04/adobe-acrobat-reader-cve-2026-34621-zero-day.html
• https://thehackernews.com/2026/04/glassworm-zig-dropper-developer-ides.html
• https://www.hendryadrian.com/cybersecurity-news-daily-recap-11-apr-2026/
• https://hackread.com/adobe-reader-zero-day-actively-exploited/
• https://www.bleepingcomputer.com/news/security/rockwell-plc-thousands-exposed/
• https://this.weekinsecurity.com/this-week-in-security-april-12-2026-edition/
• https://www.bleepingcomputer.com/news/security/google-chrome-dbsc-device-bound-session-credentials/

State-linked actors are actively targeting internet-exposed Rockwell/Allen-Bradley PLCs on critical infrastructure networks, moving the threat from IT management planes into the operational technology layer. A second AI workflow platform — Flowise (CVE-2025-59528, max severity) — is under active exploitation for arbitrary code execution, two weeks after Langflow. Docker Engine CVE-2026-34040 (CVSS 8.8) bypasses authorization plugins via an incomplete fix from 2024. Ponemon Institute research reveals hundreds of "dark matter" applications disconnected from centralized identity in the typical enterprise, creating an unmanaged attack surface now exploited by AI agents. A law enforcement operation disrupted a state-linked campaign hijacking home routers to steal cloud credentials. The FortiClient EMS zero-day KEV deadline is tomorrow.

• https://www.bleepingcomputer.com/news/security/iranian-hackers-targeting-rockwell-plcs-critical-infrastructure/
• https://www.bleepingcomputer.com/news/security/flowise-ai-platform-max-severity-rce-exploited/
• https://thehackernews.com/2026/04/docker-engine-authz-bypass-cve-2026-34040.html
• https://thehackernews.com/2026/04/ponemon-dark-matter-applications-identity.html
• https://www.bleepingcomputer.com/news/security/frostarmada-apt28-router-hijack-disrupted/
• https://www.bleepingcomputer.com/news/security/cisa-forticlient-ems-patch-deadline-friday/
• https://thehackernews.com/2026/04/iran-nexus-password-spraying-m365-israel-uae.html
• https://www.cisa.gov/known-exploited-vulnerabilities-catalog

A state intelligence-linked threat actor is conducting an active password-spraying campaign against Microsoft 365 environments across the Gulf, impacting 300+ organizations in three distinct attack waves on March 3, 13, and 23 — each separated by exactly 10 days. Targets include government, municipalities, technology, transportation, and energy. A state-sponsored actor deployed BRICKSTORM kernel implants and passive backdoors targeting VMware vSphere/vCenter/ESXi for long-term espionage below the guest OS layer. The Coruna iOS exploit kit was confirmed to contain an updated kernel exploit from the Operation Triangulation campaign. Apple expanded DarkSword patches to iOS 18.7.7 for older devices. Malicious npm packages masquerading as Strapi community plugins were identified across four sock puppet accounts.

• https://thehackernews.com/2026/04/iran-nexus-password-spraying-m365-israel-uae.html
• https://www.cybersecurity-review.com/news-april-2026/
• https://www.securityweek.com/brickstorm-vmware-vsphere-kernel-implants/
• https://thehackernews.com/2026/04/malicious-strapi-npm-plugins.html
• https://www.securityweek.com/coruna-operation-triangulation-kernel-exploit/
• https://thehackernews.com/2026/04/fortinet-forticlient-ems-cve-2026-35616-zero-day.html
• https://thehackernews.com/2026/04/apple-darksword-ios-18-7-7-patches.html
• https://www.cisa.gov/known-exploited-vulnerabilities-catalog

Fortinet released an emergency out-of-band patch for CVE-2026-35616 (CVSS 9.1), a pre-authentication API access bypass in FortiClient EMS exploited as a zero-day — the second critical FortiClient EMS vulnerability in weeks after CVE-2026-21643. The bloc's cybersecurity service attributed a major continental government cloud breach to TeamPCP, exposing data from 29 additional institutional entities. The $285M Drift Protocol heist was attributed to a state-linked financial theft group after a six-month social engineering operation. Device code phishing exploiting the OAuth 2.0 Device Authorization Grant flow has surged 37x this year, targeting 340+ organizations across five countries.

• ttps://thehackernews.com/2026/04/fortinet-forticlient-ems-cve-2026-35616-zero-day.html
• https://www.bleepingcomputer.com/news/security/teampcp-european-commission-cloud-breach-29-entities/
• https://thehackernews.com/2026/04/drift-protocol-285m-heist-state-linked.html
• https://www.bleepingcomputer.com/news/security/device-code-phishing-oauth-surge-37x/
• https://thehackernews.com/2026/04/cisco-imc-authentication-bypass-cve-2026-20093.html
• https://www.bleepingcomputer.com/news/security/axios-post-mortem-social-engineering-north-korea/
• https://dev.to/mrcomputerscience/breaking-cybersecurity-news-for-20260404-pithy-cyborg-threats-breaches-intel-bok
• https://www.cisa.gov/known-exploited-vulnerabilities-catalog

Cisco patched CVE-2026-20093 (CVSS 9.8) in the Integrated Management Controller — an authentication bypass that allows an unauthenticated attacker to change any user's password, including the administrator, and gain full system control via a single crafted HTTP request. This continues the management plane attack pattern tracked since March across Intune, Cisco FMC, SD-WAN, and FortiClient EMS. A mass exploitation campaign using automated credential harvesting compromised 766 hosts via a web framework vulnerability, exfiltrating database credentials, SSH keys, cloud secrets, and API keys. Ransomware tracking shows 2,726 victims year-to-date through April 3 with 104 in the first three days of April. A state-linked actor publicly announced intent to escalate attacks on technology companies across the region.

• https://thehackernews.com/2026/04/cisco-imc-authentication-bypass-cve-2026-20093.html
• https://dev.to/mrcomputerscience/breaking-cybersecurity-news-for-20260404-pithy-cyborg-threats-breaches-intel-bok
• https://this.weekinsecurity.com/this-week-in-security-april-5-2026-edition/
• https://kcnet.in/2026/04/02/cybersecurity-incidents-alerts-april-2026/
• https://cybernews.com/news/iran-threatens-us-big-tech-middle-east/
• https://www.cybermaterial.com/p/cyber-briefing-20260401
• https://thehackernews.com/2026/04/chrome-zero-day-dawn-webgpu.html
• https://www.cisa.gov/known-exploited-vulnerabilities-catalog