The Hacker News

🚨 APT37 used Facebook to run a targeted malware campaign. Fake profiles built trust, moved chats to Telegram, then pushed a trojanized PDF app that installs RokRAT via a JPG payload, using compromised sites and Zoho WorkDrive for control. 🔗 Read → https://thehackernews.com/2026/04/north-koreas-apt37-uses-facebook-social.html

⚠️ WARNING - Are you using #ChatGPT, Codex, or OpenAI Atlas browser? Update now... Older #macOS apps will stop working after May 8, 2026 due to a supply chain attack on a dependency used in OpenAI’s signing workflow. No user data was compromised, but certificates are revoked. 🔗Read → https://thehackernews.com/2026/04/openai-revokes-macos-app-certificate.html

⚠️ ALERT - CPUID’s site was compromised for ~19 hours, serving trojanized CPU-Z and HWMonitor installers. Attackers used DLL sideloading to pair legit apps with a malicious file, deploying STX RAT. 150+ victims reported before detection. 🔗 Read → https://thehackernews.com/2026/04/cpuid-breach-distributes-stx-rat-via.html

🛑 Adobe released emergency fixes for a 9.6 CVSS flaw (CVE-2026-34621) in Acrobat/Reader, confirmed under active exploitation. A prototype pollution bug lets malicious PDFs run arbitrary code via JavaScript. Evidence shows attacks may date back to Dec 2025. 🔗 Read → https://thehackernews.com/2026/04/adobe-patches-actively-exploited.html

⚠️ Police and intelligence agencies are using phone ad data to track people. Up to 500M devices feed Webloc, built by Cobwebs and sold by Penlink, enabling location tracking, identity inference, and 3-year history, per Citizen Lab. 🔗 Learn more → https://thehackernews.com/2026/04/citizen-lab-law-enforcement-used-webloc.html

AI browser extensions are a hidden risk in enterprise security. 99% of users run extensions, yet they bypass DLP and logs while accessing sessions, inputs, and data. AI extensions are riskier and often change permissions over time. 🔗 What security teams are missing → https://thehackernews.com/2026/04/browser-extensions-are-new-ai.html

A fake VS Code extension is spreading malware across developer tools. One plugin infects every IDE on the system, then installs a RAT and data stealer. It uses native Zig code to bypass sandbox limits and runs with full OS access. 🔗 Details here → https://thehackernews.com/2026/04/glassworm-campaign-uses-zig-dropper-to.html

Shadow AI is now a core security risk. 55% of employees use unapproved AI tools, sending sensitive data outside control. No visibility. No audit trail. Traditional security tools can’t monitor this shift. 🔗 How shadow AI creates hidden exposure → https://thehackernews.com/2026/04/the-hidden-security-risks-of-shadow-ai.html

⚠️ Marimo CVE-2026-39987 gave attackers a full shell with no authentication. A missing check in /terminal/ws allowed remote code execution on exposed systems. Exploitation began within 9 hours of disclosure—no PoC needed. 🔗 Details here → https://thehackernews.com/2026/04/marimo-rce-flaw-cve-2026-39987.html

A 13-year-old flaw in Apache ActiveMQ can lead to RCE. CVE-2026-34197 lets attackers run OS commands via the Jolokia API. Chained with CVE-2024-32114, it becomes unauthenticated RCE on some versions. Patched in 5.19.4 and 6.2.3. 🔗 Learn more → https://thehackernews.com/2026/04/threatsday-bulletin-hybrid-p2p-botnet.html#chained-flaws-enable-stealth-rce

🔥 Google rolled out Device Bound Session Credentials (DBSC) in Chrome 146 (Windows). It ties session cookies to a device using hardware keys, so stolen cookies can’t be reused without that device. Cookies expire quickly without validation. 🔗 Read → https://thehackernews.com/2026/04/google-rolls-out-dbsc-in-chrome-146-to.html

⚠️ Smart Slider 3 Pro shipped a backdoored update (3.5.1.35) via its official update system. For ~6 hours, installs got hidden admin accounts, pre-auth remote code execution via HTTP headers, and full credential + site data exfiltration with persistent backdoors. 🔗 Read → https://thehackernews.com/2026/04/backdoored-smart-slider-3-pro-update.html