


Attackers hijacked the update infrastructure for Smart Slider 3 Pro (800K+ WordPress installations) and pushed a fully weaponized remote access toolkit through the official update channel for approximately six hours. Adobe released an emergency patch for CVE-2026-34621 (CVSS 8.6), a prototype pollution flaw in Acrobat Reader under active exploitation via malicious PDFs. The GlassWorm campaign evolved with a Zig-compiled dropper that targets multiple developer IDEs simultaneously. Google shipped Device Bound Session Credentials (DBSC) in Chrome 146, binding session cookies to the hardware TPM to block session replay by infostealers. Thousands of internet-exposed Rockwell PLCs were confirmed, expanding the quantified OT attack surface.
Links & Resources
By Tushar Vartak