DEV Community

MrComputerScience

Critical Cybersecurity and DevOps News Updates | 2026.04.04 | April 4th, 2026

➔ Google patched CVE-2026-5281, a use-after-free bug in Dawn (WebGPU), marking the fourth Chrome zero-day exploited in the wild this year. The fix ships in Chrome 146.0.7680.177/178 for Windows, macOS, and Linux.

➔ CVE-2026-5281 is the fourth Chrome zero-day patched in 2026, following CVE-2026-2441 (CSSFontFeatureValuesMap iterator invalidation), CVE-2026-3909 (Skia out-of-bounds write), and CVE-2026-3910 (V8 inappropriate implementation). All four were confirmed exploited in attacks before patches shipped.

➔ Attackers exploiting CVE-2025-55182 breached 766 Next.js hosts and exfiltrated database credentials, SSH keys, AWS secrets, Stripe API keys, and GitHub tokens. The Nexus Listener framework was used to automate the credential harvesting operation across targets.

➔ A React2Shell exploitation campaign using automated scanning compromised over 750 systems in a coordinated credential harvesting operation. The Nexus Listener framework enabled large-scale, systematic access across the victim pool.

➔ A threat actor is claiming the theft of millions of Cisco-linked records and has set a leak deadline, adding reputational and response pressure to the company. Attribution and scope have not been independently confirmed as of this report.

➔ Texas-based fintech firm Marquis disclosed a 2025 ransomware attack exposing 672,000 individuals' names, dates of birth, home addresses, bank account details, debit and credit card numbers, and Social Security numbers. Marquis subsequently sued firewall vendor SonicWall, alleging a security flaw allowed attackers to steal configuration files used to map and penetrate the network.

➔ Akira ransomware claimed a breach of Andorra's Pyrénées Group, alleging exfiltration of 263 GB of data including names, email addresses, and payment information. Pyrénées Group confirmed the incident, stated it did not pay the ransom, and said operations have been restored.

➔ PEAR ransomware hit Monmouth University in New Jersey. The group claims 16 TB of data exfiltrated and has posted samples on its leak site as leverage.

➔ Australia's healthcare sector is under sustained ransomware pressure from multiple threat groups exploiting weak access controls and legacy systems. No single group has been attributed, but the pace of incidents is accelerating.

➔ APT28 exploited CVE-2019-66376, a high-severity Zimbra vulnerability, via spear-phishing to gain remote code execution against Ukrainian government systems. Credential theft, session token harvesting, and mailbox data exfiltration were confirmed outcomes.

➔ CISA has ordered federal agencies to patch CVE-2026-20131, a maximum-severity Cisco Secure Firewall Management Center flaw allowing unauthenticated root access or remote code execution. The advisory flags high risk of full system compromise for unpatched deployments.

➔ CISA also mandated patching of CVE-2026-33017, an actively exploited Langflow vulnerability enabling remote code execution, workflow hijacking, and theft of credentials and database contents from AI pipeline infrastructure.

➔ The KadNap botnet is infecting ASUS routers and edge devices to build a criminal proxy network used to route and obscure malicious traffic. Thousands of devices have been confirmed compromised.

➔ LiteLLM supply chain malware is enabling credential theft at scale, targeting SSH keys, API tokens, and cloud secrets from developer environments. Successful compromise gives attackers backdoor access and the ability to pivot into downstream cloud infrastructure and applications.

➔ Stryker disclosed a cyber attack against its global Microsoft environment, causing a network disruption. The company stated there is no current indication that patient data was exfiltrated.

➔ The Trump administration published an Executive Order on March 6, 2026 directing the Attorney General and DHS to develop a 120-day action plan targeting transnational criminal organizations behind ransomware, phishing, and financial fraud schemes. The order also establishes an operational coordination cell within the National Coordination Center with private sector involvement.

➔ CISA is holding virtual town halls through April 2026 on its CIRCIA rulemaking. The proposed rules require covered critical infrastructure entities to report cyber incidents within 72 hours and ransom payments within 24 hours.

➔ Ransomware volume remains elevated. 39 new victims were posted across leak sites in the last 24-hour window, with 104 confirmed for the month of April and 2,726 year-to-date as of April 3.

More updates at PithyCyborg.Substack.com, read daily by CISOs, researchers, and operators who are significantly smarter than the author.