惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

有赞技术团队
有赞技术团队
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
aimingoo的专栏
aimingoo的专栏
IT之家
IT之家
G
Google Developers Blog
爱范儿
爱范儿
博客园 - 司徒正美
Recent Announcements
Recent Announcements
The Register - Security
The Register - Security
J
Java Code Geeks
The Cloudflare Blog
M
MIT News - Artificial intelligence
Apple Machine Learning Research
Apple Machine Learning Research
Microsoft Security Blog
Microsoft Security Blog
博客园 - Franky
雷峰网
雷峰网
酷 壳 – CoolShell
酷 壳 – CoolShell
Blog — PlanetScale
Blog — PlanetScale
Vercel News
Vercel News
宝玉的分享
宝玉的分享
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
B
Blog
小众软件
小众软件
Microsoft Azure Blog
Microsoft Azure Blog
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
WordPress大学
WordPress大学
T
Troy Hunt's Blog
Application and Cybersecurity Blog
Application and Cybersecurity Blog
H
Hacker News: Front Page
H
Help Net Security
S
Security @ Cisco Blogs
V
V2EX
Security Archives - TechRepublic
Security Archives - TechRepublic
Stack Overflow Blog
Stack Overflow Blog
O
OpenAI News
L
LINUX DO - 最新话题
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
S
Secure Thoughts
Help Net Security
Help Net Security
F
Full Disclosure
博客园 - 叶小钗
The Hacker News
The Hacker News
Spread Privacy
Spread Privacy
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Jina AI
Jina AI
K
Kaspersky official blog
www.infosecurity-magazine.com
www.infosecurity-magazine.com
V
Vulnerabilities – Threatpost
P
Privacy International News Feed
Scott Helme
Scott Helme

The Hacker News

SystemBC C2 Server Reveals 1,570+ Victims in The Gentlemen Ransomware Operation 22 BRIDGE:BREAK Flaws Expose Thousands of Lantronix and Silex Serial-to-IP Converters Ransomware Negotiator Pleads Guilty to Aiding BlackCat Attacks in 2023 5 Places where Mature SOCs Keep MTTR Fast and Others Waste Time NGate Campaign Targets Brazil, Trojanizes HandyPay to Steal NFC Data and PINs No Exploit Needed: How Attackers Walk Through the Front Door via Identity-Based Attacks Google Patches Antigravity IDE Flaw Enabling Prompt Injection Code Execution CISA Adds 8 Exploited Flaws to KEV, Sets April-May 2026 Federal Deadlines SGLang CVE-2026-5760 (CVSS 9.8) Enables RCE via Malicious GGUF Model Files ⚡ Weekly Recap: Vercel Hack, Push Fraud, QEMU Abused, New Android RATs Emerge & More Why Most AI Deployments Stall After the Demo Anthropic MCP Design Vulnerability Enables RCE, Threatening AI Supply Chain Researchers Detect ZionSiphon Malware Targeting Israeli Water, Desalination OT Systems $13.74M Hack Shuts Down Sanctioned Grinex Exchange After Intelligence Claims Mirai Variant Nexcorium Exploits CVE-2024-3721 to Hijack TBK DVRs for DDoS Botnet Three Microsoft Defender Zero-Days Actively Exploited; Two Still Unpatched Google Blocks 8.3B Policy-Violating Ads in 2025, Launches Android 17 Privacy Overhaul NIST Limits CVE Enrichment After 263% Surge in Vulnerability Submissions Operation PowerOFF Seizes 53 DDoS Domains, Exposes 3 Million Criminal Accounts Apache ActiveMQ CVE-2026-34197 Added to CISA KEV Amid Active Exploitation Newly Discovered PowMix Botnet Hits Czech Workers Using Randomized C2 Traffic ThreatsDay Bulletin: Defender 0-Day, SonicWall Brute-Force, 17-Year-Old Excel RCE and 15 More Stories [Webinar] Eliminate Ghost Identities Before They Expose Your Enterprise Data The Hacker News The Hacker News Obsidian Plugin Abuse Delivers PHANTOMPULSE RAT in Targeted Finance, Crypto Attacks UAC-0247 Targets Ukrainian Clinics and Government in Data-Theft Malware Campaign n8n Webhooks Abused Since October 2025 to Deliver Malware via Phishing Emails Actively Exploited nginx-ui Flaw (CVE-2026-33032) Enables Full Nginx Server Takeover April Patch Tuesday Fixes Critical Flaws Across SAP, Adobe, Microsoft, Fortinet, and More Deterministic + Agentic AI: The Architecture Exposure Validation Requires Microsoft Issues Patches for SharePoint Zero-Day and 168 Other New Vulnerabilities OpenAI Launches GPT-5.4-Cyber with Expanded Access for Security Teams New PHP Composer Flaws Enable Arbitrary Command Execution — Patches Released Google Adds Rust-Based DNS Parser into Pixel 10 Modem to Enhance Security AI-Driven Pushpaganda Scam Exploits Google Discover to Spread Scareware and Ad Fraud Mirax Android RAT Turns Devices into SOCKS5 Proxies, Reaching 220,000 via Meta Ads Analysis of 216M Security Findings Shows a 4x Increase In Critical Risk (2026 Report) 108 Malicious Chrome Extensions Steal Google and Telegram Data, Affecting 20,000 Users ShowDoc RCE Flaw CVE-2025-0520 Actively Exploited on Unpatched Servers CISA Adds 6 Known Exploited Flaws in Fortinet, Microsoft, and Adobe Software JanelaRAT Malware Targets Latin American Banks with 14,739 Attacks in Brazil in 2025 FBI and Indonesian Police Dismantle W3LL Phishing Network Behind $20M Fraud Attempts ⚡ Weekly Recap: Fiber Optic Spying, Windows Rootkit, AI Vulnerability Hunting and More Your MTTD Looks Great. Your Post-Alert Gap Doesn't North Korea's APT37 Uses Facebook Social Engineering to Deliver RokRAT Malware OpenAI Revokes macOS App Certificate After Malicious Axios Supply Chain Incident CPUID Breach Distributes STX RAT via Trojanized CPU-Z and HWMonitor Downloads Adobe Patches Actively Exploited Acrobat Reader Flaw CVE-2026-34621 Citizen Lab: Law Enforcement Used Webloc to Track 500 Million Devices via Ad Data GlassWorm Campaign Uses Zig Dropper to Infect Multiple Developer IDEs Browser Extensions Are the New AI Consumption Channel That No One Is Talking About Google Rolls Out DBSC in Chrome 146 to Block Session Theft on Windows Marimo RCE Flaw CVE-2026-39987 Exploited Within 10 Hours of Disclosure Backdoored Smart Slider 3 Pro Update Distributed via Compromised Nextend Servers EngageLab SDK Flaw Exposed 50M Android Users, Including 30M Crypto Wallet Installs UAT-10362 Targets Taiwanese NGOs with LucidRook Malware in Spear-Phishing Campaigns ThreatsDay Bulletin: Hybrid P2P Botnet, 13-Year-Old Apache RCE and 18 More Stories The Hidden Security Risks of Shadow AI in Enterprises Adobe Reader Zero-Day Exploited via Malicious PDFs Since December 2025 Bitter-Linked Hack-for-Hire Campaign Targets Journalists Across MENA Region New Chaos Variant Targets Misconfigured Cloud Deployments, Adds SOCKS Proxy Masjesu Botnet Emerges as DDoS-for-Hire Service Targeting Global IoT Devices APT28 Deploys PRISMEX Malware in Campaign Targeting Ukraine and NATO Allies Shrinking the IAM Attack Surface through Identity Visibility and Intelligence Platforms (IVIP) Anthropic's Claude Mythos Finds Thousands of Zero-Day Flaws Across Major Systems N. Korean Hackers Spread 1,700 Malicious Packages Across npm, PyPI, Go, Rust Iran-Linked Hackers Disrupt U.S. Critical Infrastructure by Targeting Internet-Exposed PLCs Russian State-Linked APT28 Exploits SOHO Routers in Global DNS Hijacking Campaign [Webinar] How to Close Identity Gaps in 2026 Before AI Exploits Enterprise Risk Docker CVE-2026-34040 Lets Attackers Bypass Authorization and Gain Host Access Over 1,000 Exposed ComfyUI Instances Targeted in Cryptomining Botnet Campaign The Hidden Cost of Recurring Credential Incidents New GPUBreach Attack Enables Full CPU Privilege Escalation via GDDR6 Bit-Flips China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware Flowise AI Agent Builder Under Active CVSS 10.0 RCE Exploitation; 12,000+ Instances Exposed Iran-Linked Password-Spraying Campaign Targets 300+ Israeli Microsoft 365 Organizations DPRK-Linked Hackers Use GitHub as C2 in Multi-Stage Attacks Targeting South Korea Multi-OS Cyberattacks: How SOCs Close a Critical Risk in 3 Steps ⚡ Weekly Recap: Axios Hack, Chrome 0-Day, Fortinet Exploits, Paragon Spyware and More How LiteLLM Turned Developer Machines Into Credential Vaults for Attackers Qilin and Warlock Ransomware Use Vulnerable Drivers to Disable 300+ EDR Tools BKA Identifies REvil Leaders Behind 130 German Ransomware Attacks $285 Million Drift Hack Traced to Six-Month DPRK Social Engineering Operation 36 Malicious npm Packages Exploited Redis, PostgreSQL to Deploy Persistent Implants Fortinet Patches Actively Exploited CVE-2026-35616 in FortiClient EMS China-Linked TA416 Targets European Governments with PlugX and OAuth-Based Phishing Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux Servers UNC1069 Social Engineering of Axios Maintainer Led to npm Supply Chain Attack Why Third-Party Risk Is the Biggest Gap in Your Clients' Security Posture New SparkCat Variant in iOS, Android Apps Steals Crypto Wallet Recovery Phrase Images Drift Loses $285 Million in Durable Nonce Social Engineering Attack Linked to DPRK Hackers Exploit CVE-2025-55182 to Breach 766 Next.js Hosts, Steal Credentials Cisco Patches 9.8 CVSS IMC and SSM Flaws Allowing Remote System Compromise ThreatsDay Bulletin: Pre-Auth Chains, Android Rootkits, CloudTrail Evasion & 10 More Stories Researchers Uncover Mining Operation Using ISO Lures to Spread RATs and Crypto Miners The State of Trusted Open Source Report WhatsApp Alerts 200 Users After Fake iOS App Installed Spyware; Italian Firm Faces Action Apple Expands iOS 18.7.7 Update to More Devices to Block DarkSword Exploit CERT-UA Impersonation Campaign Spread AGEWHEEZE Malware to 1 Million Emails
ThreatsDay Bulletin: SMS Blaster Busts, OpenEMR Flaws, 600K Roblox Hacks and 25 More Stories
info@thehack · 2026-04-30 · via The Hacker News

The internet is noisy this week. We are seeing some wild new tactics, like people using fake cell towers to send scam texts, while some developers are accidentally downloading tools that peek into their private files during a simple install. It is definitely a busy time to be online.

Security is always a moving target. Millions of servers are currently sitting online without any passwords, and old software bugs are showing up in the most unexpected places. Even with the right fixes available, staying one step ahead is a full-time job for all of us.

Data is shifting in strange ways, too. Some browser tools are now legally selling user history for profit, and new kits are making it simpler for almost anyone to launch a campaign. You have to see these latest updates to believe them. Let’s look at the full list...

  1. SMS blaster phishing crackdown

    Canadian authorities have arrested three men for operating an SMS blaster device that masquerades as a cellular tower to send phishing texts to nearby phones. These tools trick devices into connecting to them by emitting signals that mimic a legitimate tower. "An SMS blaster works by mimicking a legitimate cellular tower. When nearby phones connect to it, users receive fraudulent text messages that appear to come from trusted organizations," authorities said. "These messages often prompt recipients to click on links that lead to fake websites designed to capture personal information, including banking credentials and passwords." The three men are facing 44 charges in connection with the crime. About tens of thousands of devices were connected to the blaster over several months, the official said. This is the first time that an SMS blaster has been spotted in the country.

  2. npm brandsquat data theft

    A new supply chain attack has leveraged an npm package impersonating TanStack to ship malicious versions that exfiltrate environment variables from developers’ machines during install. The package, named tanstack, is designed to "silently steal environment variable files, including .env, .env.local, and .env.production, from developers' machines at install time, exfiltrating them to an attacker-controlled endpoint," Socket said. The malicious package is maintained by a user named "sh20raj." Versions 2.0.4 through 2.0.7 are confirmed malicious.

  3. Extensions legally sell user data

    In a new analysis, LayerX found that multiple networks of browser extensions collect user data and resell it for profit. Unlike malicious extensions that conceal their behavior by offering some harmless functionality, the identified 80 extensions explicitly inform users in their privacy policy that they collect and sell data of users who install their extensions. "A network of 24 media extensions that are installed on 800,000 users and collect viewing data and demographic information on major streaming platforms such as Netflix, Hulu, Disney+, Amazon Prime Video, HBO, Apple TV, and others," LayerX said. "12 separate ad blockers with a combined install base of over 5.5 million users openly selling user data. Nearly 50 other extensions, with over 100,000 users in aggregate, that collected and resold users’ browsing data."

  4. Komari tool weaponized in attacks

    Huntress has revealed that unknown threat actors used stolen VPN credentials to pivot into a Windows workstation belonging to an unspecified organization via Impacket's smbexec.py, and dropped a SYSTEM-level backdoor using the Komari agent, a Go-based remote-control, monitoring, and management tool. The development marks the first publicly documented case of the tool being abused in a real-world intrusion. It also illustrates how bad actors are increasingly switching to publicly available and legitimate tools to conduct attacks. "Komari is not a telemetry tool that happens to be abusable - it is a bidirectional control channel by design. The agent opens a persistent WebSocket to its server and accepts three server-to-agent event types out of the box: exec (arbitrary command execution via PowerShell / sh), terminal (interactive PTY reverse shell in the operator's browser), and ping (ICMP / TCP / HTTP probing)," Huntress said. "All three are enabled by default." Whereas other tools like Velociraptor and SimpleHelp that have been abused by threat actors typically act as means to an end, Komari gives an operator arbitrary command execution, an interactive PTY reverse shell, and network probing by default, over a TLS-fronted WebSocket.

  5. Next-gen phishing kits escalate

    Threat actors have detailed two new phishing kits named Saiga 2FA and Phoenix System that have been linked to emails and SMS phishing attacks. According to Barracuda, Saiga 2FA goes beyond traditional adversary-in-the-middle (AitM) features by integrating tools like FM Scanner for extracting and analyzing mailbox content. "Saiga 2FA is an example of how phishing kits are evolving into application-level platforms," the company said. "Unlike traditional phishing kits, Saiga integrates infrastructure, automation, and post-compromise capabilities into a unified system, supporting advanced and highly targeted campaigns." Phoenix System, on the other hand, has been tied to over 2,500 phishing domains since January 2025, while relying on IP-based filtering and geofencing for precision targeting. It's assessed to be the successor to the now-defunct Mouse System. "The campaigns are delivered via SMS, potentially leveraging fake Base Transceiver Stations (BTS) to bypass carrier-level filtering and allow threat actors to send messages that appear under the brand names of trusted organizations directly to victims," Group-IB said. "The campaign has so far targeted more than 70 organizations across the financial services, telecommunications, and logistics sectors globally."

  6. Mass exposure of remote access servers

    A new analysis from Forescout has found 1.8 million RDP and 1.6 million VNC servers are exposed on the internet. "China accounts for 22% of exposed RDP and 70% of exposed VNC servers; the U.S. accounts for 20% and 7%; Germany accounts for 8% and 2%," the company said. "Of 91,000 RDP and 29,000 VNC servers mapped to specific industries, retail, services, and education lead RDP exposure; education, services, and healthcare lead VNC." What's more, 18% of exposed RDP servers run end-of-life Windows versions, more than 19,000 RDP servers remain vulnerable to BlueKeep (CVE-2019-0708), and nearly 60,000 VNC servers have authentication disabled. To make matters worse, more than 670 exposed VNC servers have authentication disabled and provide direct access to OT/ICS control panels.

  7. China-linked influence op falters

    A China-linked online influence campaign attempted to undermine April 26 elections for the Tibetan parliament-in-exile with little impact. The operation, part of Spamouflage, a long-running influence network linked to Beijing, has used a cluster of 90 Facebook profiles and 13 Instagram profiles to push criticism of the Tibetan government-in-exile and its leadership. "The network tries to drive wedges within the community," DFRLab said. "The goal is to erode trust in the exile government, weaken its international voice, and raise doubts about whether it can credibly represent Tibetans without the Dalai Lama. However, virtually none of these posts seem to have attracted any organic engagement, possibly because all the identified assets are regular Facebook profiles with limited reach and not established pages."

  8. Unpatched RPC privilege escalation

    An unpatched vulnerability can allow for local privilege escalation in Windows systems through the abuse of the Remote Procedure Call (RPC) architecture in the operating system. Called PhantomRPC, the flaw stems from an architectural weakness in how RPC handles connections to unavailable services. To exploit the flaw, an attacker with limited local access needs to first compromise a privileged service that runs under the Network Service identity, deploy a fake RPC server with the same RPC interface UUID and exposed endpoint name (i.e., TermService), listen to specific requests, and then impersonate the targeted service to escalate their privileges to SYSTEM. Kaspersky, which identified the weakness, said it discovered four PhantomRPC exploitation paths that could lead to privilege escalation. Following responsible disclosure in September 2025, Microsoft opted to not address the issue as it requires an attacker to first compromise the machine through some other means.

  9. Vidar dominates infostealer market

    The information stealer known as Vidar (now in its second iteration called Vidar Stealer 2.0) has vaulted to the top of the infostealer market since November 2025 in the aftermath of law enforcement takedowns of Lumma and Rhadamanthys. "Vidar profited from the generated chaos to rise to the top of the stealer ecosystem," Intrinsec said. "We assess that this rise was made available due to the release of version 2.0 of the malware, and to the collaboration with 'Cloud' Telegram channels." It's advertised by a user named "Loadbaks" on underground forums. Recent campaigns have been observed distributing malware that has used bogus links shared via YouTube videos promoting fake software to direct users to Mediafire pages, which are used to deliver executables responsible for downloading and running the broad-spectrum credential harvester. The stolen credentials are then quickly monetized on underground marketplaces like Russian Market.

  10. Critical flaws hit healthcare platform

    Thirty-eight critical security vulnerabilities have been disclosed in OpenEMR, the world's most widely used open-source electronic medical records platform. The vulnerabilities, now patched, range in severity from medium to critical and include missing or incorrect authorization checks, cross-site scripting (XSS), SQL injection, path traversal, and insufficient session expiration. These issues, which include two designated critical (CVE-2026-24908 and CVE-2026-23627), could have been exploited to access and tamper with patient and provider data, posing a serious health and regulatory risk to individuals and institutions. "In the most severe cases, SQL injection vulnerabilities combined with modest database privileges could have led to full database compromise, PHI exfiltration at scale, and remote code execution on the server," AISLE said. OpenEMR is used by more than 100,000 medical providers, serving more than 200 million patients in 34 languages.

  11. Swiss crackdown on Black Axe

    A coordinated police operation in Switzerland has led to the arrest of 10 suspected members of the Black Axe criminal network, including the Black Axe "Regional Head" for the Southern European region. Most of those arrested are reported to be of Nigerian origin. The suspects are accused of numerous crimes, including romance scams, cyber fraud offences causing millions of Swiss francs in damages, and money laundering. "The criminal network is known for its involvement in a wide range of criminal activities, including cyber-enabled fraud, drug trafficking, human trafficking and prostitution, kidnapping, armed robbery, and fraudulent spiritual practices," Europol said.

  12. PyPI package hijacked via CI exploit

    In yet another software supply chain attack, unknown threat actors pushed a malicious version of the popular "elementary-data" package on the Python Package Index (PyPI) to steal sensitive developer data and cryptocurrency wallets. According to StepSecurity, elementary-data version 0.23.3 was uploaded to PyPI on April 24, 2026, at 10:20 p.m. UTC. The attacker opened a pull request with malicious code and exploited a script-injection vulnerability in one of its GitHub Actions workflows to publish it as release 0.23.3. Specifically, it came embedded with a "elementary.pth" file that enabled the theft of developer credentials and secrets. "The attacker exploited a script injection vulnerability in one of the project's own GitHub Actions workflows, then used the workflow's GITHUB_TOKEN to forge a signed release commit and dispatch the legitimate publishing pipeline against it – without ever touching the master branch or opening a pull request," the company said. The developers urged users who installed 0.23.3, or pulled and ran its Docker image, to assume compromise and rotate any credentials.

  13. $230M crypto laundering sentence

    22-year-old Evan Tangeman of Newport Beach, California, was sentenced to 70 months in prison for laundering funds stolen in a massive $230 million cryptocurrency heist as part of an elaborate social engineering scheme. "This criminal enterprise was built on greed so brazen it borders on the cartoonish. They stole millions, spent it on half-million-dollar nightclub tabs, Lamborghinis, and Rolexes," said U.S. Attorney Jeanine Ferris Pirro. "But Evan Tangeman didn't just launder the money that fueled that lifestyle. When his co-conspirators were arrested, he moved to destroy the evidence. That is consciousness of guilt, and this office and the court have treated that accordingly." Tangeman pleaded guilty in December 2025. The criminal enterprise began no later than October 2023 and continued through at least May 2025.

  14. Legacy TLS finally deprecated

    Microsoft has announced plans to start blocking legacy TLS connections for POP and IMAP email clients in Exchange Online starting in July 2026. "We're planning to fully deprecate support for legacy TLS versions (TLS 1.0 and TLS 1.1) for POP3 and IMAP4 connections to Exchange Online. These older TLS versions have been industry-deprecated for some time and are no longer considered secure," the company said. "Several years ago, we started the move to block these older versions, but we did allow you to use them by opting in; we're now removing support for them entirely. Our expectation is that only customers who have explicitly opted into using those legacy endpoints are impacted by the deprecation."

  15. Phishing via account flow abuse

    Threat actors are abusing online trading platform Robinhood's account creation process to send phishing emails that bypass spam filters. The emails, which originate from "noreply@robinhood[.]com," warn of suspicious activity tied to their accounts and urge them to click to complete a security check by clicking on a link that directs to a phishing site. "This phishing attempt was made possible by an abuse of the account creation flow," Robinhood said in an X post. "It was not a breach of our systems or customer accounts, and personal information and funds were not impacted. If you received this email, please delete it and do not click any suspicious links. If you have clicked a suspicious link or have any questions about your account, please contact us directly within the Robinhood app or website." Reports on Reddit indicate that the attackers created new Robinhood accounts using modified versions of existing Gmail addresses via the so-called "dot trick." The technique takes advantage of the fact that Gmail ignores periods inserted into or removed from a username, whereas Robinhood treats each variation as a distinct user, allowing the attackers to create a new account that points to an existing account.

  16. Social media scams surge

    The U.S. Federal Trade Commission (FTC) warned of a massive increase in losses from social media scams since 2020, exceeding $2.1 billion in 2025, including $794 million to scams that started on Facebook, more than on any other platform. "In 2025, nearly 30% of people who reported losing money to a scam said that it started on social media, with reported losses reaching a staggering $2.1 billion. Social media scams produced far more in losses – an eightfold increase since 2020 – than any other contact method used by scammers to reach consumers," the FTC said. "Social media creates easy access to billions of people from anywhere in the world, making a scammer's job easier at very little cost. Scammers may hack a user's account, exploit what a user posts to figure out how to target them, or buy ads and use the same tools used by real businesses to target people by age, interests, or shopping habits."

  17. Billions of credentials exposed

    KELA said it tracked 2.86 billion compromised credentials in 2025 globally. These included usernames, passwords, session tokens, cookies found in URL, login and password (ULP) lists, breached email repositories, and cybercrime marketplaces. At least 347 million were originally obtained by infostealers found on around 3.9 million infected machines.

  18. arXiv papers leak sensitive data

    An analysis of 2.7 million submissions to the arXiv preprint service -- which also makes available the LaTeX sources and other files used to create them -- has found that they include unnecessary files, expose metadata embedded in files (usernames, email addresses, hardware details, GPS information, software versions), and leak irrelevant content in files such as source code comments. This includes backups, hidden .nfs files, Git repositories (including editing histories), andconfiguration files containing API keys. "Apart from unused template files that put unnecessary storage burden on arXiv, we further discovered scripts, research data, and even entire Git repositories. Additionally, comments in LaTeX sources reveal, e.g., author conversations or todo items – for some of those comments, we are certain that the authors did not intend to disclose them publicly. Alarmingly, our findings also include URLs without any access restrictions to other resources (e.g., Google Docs), security tokens, and private keys," the study said. While arXiv recommends Google's arxiv_latex_cleaner to clean the LaTeX code, the researchers have released a tool called ALC-NG to comprehensively remove files, metadata, and comments that are not needed to compile a LaTeX paper.

  19. Roblox account hacking ring busted

    The Ukrainian police have arrested three individuals who hacked more than 610,000 Roblox gaming accounts and sold them for a profit of $225,000 on Russian websites. The suspects face up to 15 years in prison if convicted and have been placed in pretrial detention while the investigation is in progress. The scheme was allegedly masterminded by a 19-year-old resident of Drohobych, Lviv Oblast, who met his accomplices, aged 21 and 22, on gaming forums last year. From October 2025 to January 2026, the suspects are believed to have accessed more than 600,000 Roblox user accounts.

  20. Iran-linked group targets troops

    The Iran-linked threat actor Handala Hack has targeted U.S. troops in Bahrain in an influence campaign carried out via WhatsApp, according to Stars and Stripes. The messages, signed Handala and containing a link to the group’s website, claimed the service members were under surveillance and soon to be targeted with drones and missiles. "Your identities are fully known to our missile units, and every move you make is under our surveillance. Very soon, you will be targeted by our Shahed drones and Kheibar and Ghadeer missiles," the message sent on April 28, 2026, read.

  21. Record surge in privacy fines

    U.S. states issued $3.45 billion in privacy-related fines to companies in 2025, a total larger than the last five years combined, per Gartner. "Regulators are also shifting their efforts away from spreading awareness to full-scale enforcement," the company said. "This is increasingly becoming the standard in 2026 and beyond."

  22. WordPress plugin backdoor uncovered

    Anchor Hosting has revealed that a WordPress plugin named Quick Page/Post Redirect plugin, which has over 70,000 installs, was compromised with a backdoor that enables injecting arbitrary code into users' sites. Plugin versions 5.2.1 and 5.2.2, released between 2020 and 2021, have been found to include a covert self-update mechanism that reaches out to a third-party domain, anadnet[.]com, to facilitate the execution of arbitrary code. It's worth noting that the passive backdoor triggers only for logged-out users to hide its activity from site administrators. As of April 16, the plugin has been closed temporarily pending a full review.

  23. Qinglong flaws abused for mining

    Hackers are exploiting two authentication bypass vulnerabilities in Qinglong, an open-source timed task management platform with over 19,500 GitHub stars, to deploy cryptocurrency miners. The two flaws – CVE-2026-3965 and CVE-2026-4047 – enable authentication bypass that results in remote code execution. "While these vulnerabilities were formally reported on February 27, exploitation had already been underway for weeks," Snyk said. "Starting around February 7-8, 2026, Qinglong users began opening issues about a hidden process called .fullgc consuming 85-100% of their CPU. The .fullgc filename may have been chosen to blend in with legitimate processes. In Java/JVM environments, 'Full GC' (Full Garbage Collection) is a known source of CPU spikes, which could delay an administrator's investigation." The issues have since been addressed in #PR 2941.

  24. Trivy hack enabled repo breach

    In a new update shared this week, Checkmarx said its investigation into the cybersecurity incident has revealed the TeamPCP attack affecting the Trivy scanner is the "likely vector that enabled the attackers to obtain credentials and to gain unauthorized access to our GitHub repositories." This, in turn, allowed the attackers to interact with Checkmarx's GitHub environment and publish malicious code to certain artifacts. The development comes as the company acknowledged that data stolen from the GitHub repository was published on the dark web by a cybercrime group known as LAPSUS$.

  25. npm stealer tied to DPRK group

    The North Korean threat actor known as Famous Chollima has been attributed to the npm package named js-logger-pack that comes embedded with a WebSocket stealer that's triggered via a postinstall hook. "The payload is a long-running WebSocket agent that: installs the attacker's RSA key into ~/.ssh/authorized_keys on Linux; exfiltrates Telegram Desktop tdata sessions; drains credentials from 27 crypto wallets and Chromium-family browsers; steals .npmrc, cloud provider tokens, and shell history; and runs a native keylogger on Windows, macOS, and Linux with autostart persistence on all three," SafeDep said.

Security is a team sport. We keep seeing the same gaps because we focus on the new shiny toys while the basics, like simple passwords and old software versions, fall through the cracks. It is clear that just having a patch isn't enough if nobody actually installs it.

The best lesson here is to stay curious and cautious. Whether it is a weird text from a "trusted" source or a new tool that seems too good to be true, taking a second to verify can save a lot of trouble later. Let's keep learning and stay sharp until the next update!

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.