The Hacker News
@thehackernews
Technologies
⭐ Official THN Telegram Channel — A trusted, widely read, independent source for breaking news and tech coverage about cybersecurity and hacking.
📨 Contact: [email protected]
🌐 Website: https://thehackernews.com
Recent posts
Posted Apr 9
🛑 ALERT - A flaw in EngageLab’s #Android SDK exposed 30M+ crypto wallet installs to potential data access. The intent redirection bug allowed sandbox bypass via a malicious app on the same device. No active exploitation found. 🔗 Read → https://thehackernews.com/2026/04/engagelab-sdk-flaw-exposed-50m-android.html
Posted Apr 9
Researchers tracked UAT-10362 targeting Taiwan via phishing. It uses DLL side-loading to deploy LucidRook, a Lua-based stager that steals system data and runs encrypted payloads in memory. Execution is limited to zh-TW systems to evade detection. 🔗 Full attack chain and toolkit details → https://thehackernews.com/2026/04/uat-10362-targets-taiwanese-ngos-with.html
Posted Apr 9
📡 State of Browser Attacks — free webinar series
Attackers have moved into the browser. These numbers tell the story:
• OAuth attacks up 37x this year
• ClickFix was the #1 initial access vector in 2025 (47% of attacks)
• 1 in 3 phishing payloads now delivered outside email
• Average breakout time to high-value assets: 29 minutes
Most security tools never see it coming. Push Security is running a 3-part series with Troy Hunt (Have I Been Pwned), John Hammond (Huntress), and Matt Johansen (Vulnerable U) — breaking down exactly how these attacks work and what actually stops them.
📅 Starts April 16
🔗 https://thn.news/push-browser-attacks
Posted Apr 9
Another Thursday, another avalanche.
🦠 Hybrid botnet, 125K/day
🔓 13-yr Apache RCE, still live
💸 $17.7B lost to fraud in 2025
🌊 8M DDoS hits, H2 2025
📸 Meta insider, 30K stolen photos
🎭 BPOs hijacked, enterprises breached
🛒 SVG skimmer, 99 Magento stores
🙂 Emojis beating security filters
🐀 ClickFix → Node.js RAT, in-memory
🍎 ClickFix → macOS via AppleScript
🤖 PyPI package stealing AI prompts
🏭 5K+ Rockwell PLCs, wide open
💀 Claude Code leak → stealer wave
👾 Remus = Lumma's 64-bit ghost
⚖️ Anthropic's risk label stands
📋 Fake Proxifier → clipboard clipper
📧 GitHub & Jira flipped for phishing
🔑 Linux SMB3 leaks AES keys
🧠 CLAUDE.md → prompt injection
👻 GrafanaGhost, silent data exfil
💳 LSPosed = Android payment fraud
🔗 Read more → https://thehackernews.com/2026/04/threatsday-bulletin-hybrid-p2p-botnet.html
Posted Apr 9
⚠️ Attackers are exploiting a 0-day in Adobe Reader via malicious PDFs. Opening the file runs hidden JavaScript to steal data and stage further exploits, including possible RCE. It works on the latest version & has been active since Dec 2025. 🔗 Read → https://thehackernews.com/2026/04/adobe-reader-zero-day-exploited-via.html
Posted Apr 9
⚠️ WARNING - A hack-for-hire campaign linked to the “Bitter” cluster targeted journalists across MENA. One Apple account was fully compromised, giving attackers persistent access. Others were hit with phishing using fake logins and Google OAuth abuse. 🔗 Tactics, targets, and spyware links → https://thehackernews.com/2026/04/bitter-linked-hack-for-hire-campaign.html
Posted Apr 8
⚠️ ALERT - New Chaos malware variant now targets misconfigured cloud setups, expanding beyond routers. New variant exploits exposed services, installs a payload & adds proxy features to route attacker traffic, making activity harder to trace. 🔗 Read → https://thehackernews.com/2026/04/new-chaos-variant-targets-misconfigured.html
Posted Apr 8
🚨 Masjesu, a DDoS botnet active since 2023, is spreading across IoT devices. Built for stealth and persistence, it avoids high-risk targets while exploiting routers and cameras to grow its network and launch attacks. 🔗 Details here → https://thehackernews.com/2026/04/masjesu-botnet-emerges-as-ddos-for-hire.html
Posted Apr 8
Most DDoS failures aren’t caused by bad protection tools. They’re caused by hidden gaps in configuration, architecture, and readiness—often discovered too late. Here are 5 gaps consistently uncovered in DDoS test simulations: https://thn.news/ddos-testing-reveals
Posted Apr 8
⚠️ APT28 is targeting Ukraine and allied supply chains using a confirmed zero-day (CVE-2026-21513) and PRISMEX malware. It also exploits CVE-2026-21509, with LNK delivery possibly chaining both flaws to enable theft and file-wiping. 🔗 Read here → https://thehackernews.com/2026/04/apt28-deploys-prismex-malware-in.html
Posted Apr 8
🚨 Nearly half of identity activity is invisible. 46% sits outside IAM, across shadow apps, local accounts, and machine identities. This “identity dark matter” is where real risk lives. IVIP brings full, real-time visibility across systems. 🔗 Learn why IAM alone is no longer enough → https://thehackernews.com/2026/04/shrinking-iam-attack-surface-through.html
Posted Apr 8
🔥 Anthropic’s new Claude Mythos model has found thousands of high-severity zero-days across major OS, browsers, and software — showing capabilities that can surpass top human experts. Project Glasswing deploys it to secure critical systems ahead of potential misuse. 🔗 Details → https://thehackernews.com/2026/04/anthropics-claude-mythos-finds.html