The Hacker News

🛑 North Korea-linked hackers spread #malware across five open-source ecosystems. 1,700+ packages on npm, PyPI, Go, Rust, and PHP posed as dev tools but loaded infostealer and RAT malware, hidden inside normal functions, not install. 🔗 Read → https://thehackernews.com/2026/04/n-korean-hackers-spread-1700-malicious.html

⚠️ Iran linked hackers are targeting U.S. critical infrastructure with direct PLC disruption. They access internet exposed devices using legitimate tools, then alter system data and operations, disrupting water, energy, and government services and causing financial loss. 🔗 Read → https://thehackernews.com/2026/04/iran-linked-hackers-disrupt-us-critical.html

🚨 WARNING - APT28 ran a global router hijack to steal credentials. The group compromised MikroTik and TP-Link devices, rewrote DNS settings, and redirected traffic for credential theft at scale -- impacting 18,000+ IPs across 120 countries, including government and cloud targets. 🔗 Read here → https://thehackernews.com/2026/04/russian-state-linked-apt28-exploits.html

--- ⚠️ WEBINAR ALERT --- The biggest identity risk in 2026 isn’t inside your IAM. It’s everything outside it. Hundreds of unmanaged apps are now being accessed by AI agents, expanding risk beyond what your team can see or control. 🔗 Join the WEBINAR for data and practical steps to close the gaps → https://thehackernews.com/2026/04/webinar-how-to-close-identity-gaps-in.html

🛑 Docker fixed a flaw letting attackers bypass AuthZ plugins with a padded API request (>1MB). The plugin sees no body and allows it, while Docker executes it—creating a privileged container with host access and exposed credentials. 🔗 Learn how this leads to full host compromise → https://thehackernews.com/2026/04/docker-cve-2026-34040-lets-attackers.html

⚠️ Attackers are hijacking exposed ComfyUI servers into crypto mining and proxy botnets. Scanners exploit unauthenticated setups via custom nodes, run code, and install persistent malware. Infected systems mine crypto and resist removal. 🔗 Read → https://thehackernews.com/2026/04/over-1000-exposed-comfyui-instances.html

Most attacks don’t start with exploits anymore. They start with access. Across thousands of real-world incidents analyzed in the 2026 Annual Threat Report, one pattern is clear: Attackers aren’t breaking in. They’re logging in. Here’s what we’re seeing: ↳ Legitimate credentials are the #1 entry point ↳ Remote access tools are being used against you ↳ Traditional detection is missing what looks “normal” This isn’t theory. This is what actually worked for attackers in 2025. If your security strategy is still built around stopping malware, you’re already behind. Download the Blackpoint Cyber 2026 Annual Threat Report and see how modern attacks are actually unfolding. Download the report: https://thn.news/blackpoint-threat-2026

Credential security isn’t just about breaches. Daily issues add up: 30% of helpdesk tickets are password resets (~$70 each), while exposed credentials often go unnoticed. Forced resets increase weak passwords without reducing risk. 🔗 Why credential issues cost more than breaches → https://thehackernews.com/2026/04/the-hidden-cost-of-recurring-credential.html

Ilan Nacmias at Sygnia shares a case where AI security tools worked, but no decisions were made. Risks were clear, but teams disagreed and leaders saw things as under control. Progress came only after linking risk to business impact. 🔗 Why AI didn’t fix execution in cybersecurity → https://thehackernews.com/expert-insights/2026/04/ai-will-change-cybersecurity-humans.html

⚡ New research shows GPUs can be used to take over a system. GPUBreach attack enables root access by flipping bits in GPU memory, corrupting page tables, and chaining into CPU exploits—even with IOMMU enabled. 🔗 Read details → https://thehackernews.com/2026/04/new-gpubreach-attack-enables-full-cpu.html

⚠️ WARNING: China-linked Storm-1175 is breaching networks and deploying ransomware in under 72 hours. It chains zero-day and known flaws, then uses trusted tools to move, steal data, and evade detection across healthcare, finance, and more. 🔗 Read → https://thehackernews.com/2026/04/china-linked-storm-1175-exploits-zero.html

🛑 Flowise has a CVSS 10.0 RCE flaw (CVE-2025-59528) now under active attack. A bug in MCP config lets attackers run JavaScript with full system access using just an API token. Over 12,000 exposed instances raise risk. 🔗 Exploitation details → https://thehackernews.com/2026/04/flowise-ai-agent-builder-under-active.html