The Hacker News
@thehackernews
Technologies
⭐ Official THN Telegram Channel — A trusted, widely read, independent source for breaking news and tech coverage about cybersecurity and hacking. 📨 Contact: [email protected] 🌐 Website: https://thehackernews.com
Recent posts
Posted Apr 6
⚠️ Iran-linked actors targeted Microsoft 365 accounts in 3 attack waves in March 2026, hitting 300+ orgs in Israel and 25+ in the UAE. They used password spraying via Tor/VPNs to access mailboxes. At the same time, Pay2Key ransomware resurfaced with stronger evasion and log wiping. 🔗 Read → https://thehackernews.com/2026/04/iran-linked-password-spraying-campaign.html
Posted Apr 6
🚨 DPRK-linked attackers used GitHub as C2 in phishing-led attacks on South Korean orgs. LNK files trigger hidden PowerShell, set persistence, and exfiltrate system data to attacker repos while pulling new payloads. 🔗 Read → https://thehackernews.com/2026/04/dprk-linked-hackers-use-github-as-c2-in.html
Posted Apr 6
🚨 Attackers now move across Windows, macOS, Linux, and mobile in one campaign. Multi-OS attacks break SOC workflows, splitting one threat into many investigations and slowing validation. That delay gives attackers time to spread and persist. 🔗 Why fragmented triage increases risk → https://thehackernews.com/2026/04/multi-os-cyberattacks-how-socs-close.html
Posted Apr 6
Automated pentesting evaluates environments through chained attack paths. If step A fails, steps B through Z never execute. One blocked step near the top = cascading blind spot across every downstream technique. Picus Security mapped these two other structural gaps in a new whitepaper. Download now → https://thn.news/automated-blind-spots
Posted Apr 6
⚠️ A compromised AI library exposed developer machines. 1,705 packages pulled infected LiteLLM versions, harvesting SSH keys and cloud creds from local systems via dependencies. It worked because secrets sit in plaintext across files and tools. 🔗 How one dependency exposed thousands of environments → https://thehackernews.com/2026/04/how-litellm-turned-developer-machines.html
Posted Apr 6
Everything hit at once this week ... 📦 Supply-chain: Axios hack 🌐 Exploits: Chrome 0-day, TrueConf, Fortinet 🍎 Patches: Apple DarkSword fixes 🧩 Malware: ClickFix, DeepLoad, Mirax, Venom 🤖 Leak: Claude code exposure 🎯 Phishing: device code surge, banking scams 🕵️ Privacy: LinkedIn tracking claims 🛰️ Spyware: Paragon use confirmed 🌍 Infra: residential proxy abuse 💰 Targeting: crypto org attacks 📱 Policy: India SIM-binding 🔁 APT: access regain attempts 💣 Insider: extortion case ❤️ Data: OkCupid settlement 🧠 Trend: stealer surge, malicious extensions Read the full recap → https://thehackernews.com/2026/04/weekly-recap-axios-hack-chrome-0-day.html
Posted Apr 6
AI isn’t making attacks smarter, says Martin Zugec, Technical Solutions Director at Bitdefender. It’s making them cheaper and easier to scale. Current AI malware is often unreliable and less advanced, but it can hit thousands of standardized systems fast. 🔗 Why scale matters more than sophistication in AI threats → https://thehackernews.com/expert-insights/2026/04/why-ai-does-not-need-to-be-innovative.html
Posted Apr 6
🛑 Qilin and Warlock #ransomware are disabling defenses before attacks using BYOVD techniques. Qilin uses a side-loaded DLL to kill 300+ EDR drivers via vulnerable kernel drivers. Warlock exploits SharePoint and uses similar drivers to bypass kernel-level security, often delaying ransomware execution. 🔗 Find the technique disabling EDR tools → https://thehackernews.com/2026/04/qilin-and-warlock-ransomware-use.html
Posted Apr 6
🔥 Germany’s BKA has identified a key figure behind the REvil #ransomware group. Daniil Shchukin (“UNKN”) is accused of leading REvil, linked to 130 attacks in Germany causing over €35.4M in damage, with €1.9M in ransom paid. 🔗 Learn more here → https://thehackernews.com/2026/04/bka-identifies-revil-leaders-behind-130.html
Posted Apr 5
🚨 North Korea-linked hackers spent 6 months building trust before stealing $285M from Drift. They posed as a trading firm, met contributors in person, deposited $1M+, then used malicious code and a fake wallet app to gain access. 🔗 How social engineering enabled the Drift crypto theft → https://thehackernews.com/2026/04/285-million-drift-hack-traced-to-six.html
Posted Apr 5
🛑 36 npm packages posing as Strapi plugins were used to deliver malware that runs on install. They exploited Redis and PostgreSQL, stole credentials, and deployed backdoors via postinstall scripts with full user or CI/CD access. 🔗 Details → https://thehackernews.com/2026/04/36-malicious-npm-packages-exploited.html
Posted Apr 5
⚠️ Fortinet is warning of active exploitation of CVE-2026-35616 (CVSS 9.1) in FortiClient EMS. The flaw lets unauthenticated attackers bypass API controls and run code. This is the second critical EMS flaw exploited in weeks. 🔗 Full details → https://thehackernews.com/2026/04/fortinet-patches-actively-exploited-cve.html