The Hacker News

AI-enabled cyber attacks are on the rise. Are you prepared? Most orgs aren’t as prepared as they think for AI-enabled attacks, but it’s never too late to start. The cyber risk playbook for the AI threat era draws on research from over 200 GRC, IT, and cybersecurity professionals to gain new insights into AI-enabled attacks and the need for proactive cyber resilience. Get the playbook today → https://thn.news/nyc-cyber-training

⚠️ Malware now ships its payload inside the installer. DEEP#DOOR embeds a Python backdoor in a script, extracts it at runtime, and avoids external downloads. Using tunneling, it keeps access and steals credentials with minimal trace. 🔗 Read → https://thehackernews.com/2026/04/new-python-backdoor-uses-tunneling.html

🚨 Attackers are targeting enterprise admins with fake tools and running control through #Ethereum smart contracts. Malware spreads via SEO-poisoned #GitHub repos, then pulls live C2 from blockchain. No domains to block. Access lands on high-privilege systems. 🔗 Learn how this campaign turns search results into enterprise breaches → https://thehackernews.com/2026/04/etherrat-distribution-spoofing.html

⚠️ A new #Linux flaw mirrors Dirty Pipe—but adds cross-container impact. “Copy Fail” (CVE-2026-31431) lets any local user overwrite cached system files and run them as root. No race condition. Works across major Linux distros since 2017. 🔗 Read → https://thehackernews.com/2026/04/new-linux-copy-fail-vulnerability.html

⚠️ UPDATE: #cPanel flaw now tracked as CVE-2026-41940 (CVSS 9.8)—an auth bypass granting unauthenticated admin access. Actively exploited as a 0-day for weeks. Root cause: CRLF injection lets attackers forge sessions and escalate to root. 🔗 Exploit mechanics and real-world impact → https://thehackernews.com/2026/04/critical-cpanel-authentication.html

🛑 Gemini and Cursor vulnerabilities exposed direct code execution in dev workflows. #Gemini CLI (CVSS 10.0) auto-trusted folders in CI, letting malicious .gemini/ configs from PRs run on hosts. #Cursor bugs triggered hidden Git hooks and exposed local API keys via extensions. 🔗 Details → https://thehackernews.com/2026/04/google-fixes-cvss-10-gemini-cli-ci-rce.html

⚠️ ALERT — SAP related npm packages were just found shipping credential-stealing malware. A preinstall script runs on install, steals tokens, and injects GitHub Actions to self-propagate, exfiltrating encrypted secrets via victim-owned repos. 🔗 Read → https://thehackernews.com/2026/04/sap-npm-packages-compromised-by-mini.html

🛑 A wave of attacks is using layered npm dependencies to deliver hidden malware. Fake SDKs, AI-assisted commits, and job scams all route through packages that pull second-stage payloads, stealing crypto wallets, credentials, and source code. Linked to North Korean campaigns targeting developers. 🔗 Learn how these attacks connect across npm, PyPI, and GitHub → https://thehackernews.com/2026/04/new-wave-of-dprk-attacks-uses-ai.html

BeyondTrust’s latest Microsoft Vulnerabilities Report is out, and the numbers should concern every security leader. Critical vulnerabilities doubled, Azure & Dynamics surged 9x, and 40% of all flaws were tied to Elevation of Privilege. More insights: https://thn.news/msft-vuln-report #MVR2026#LeastPrivilege

Security teams close hundreds of vulnerabilities and still can’t prove they’re safer. Only ~2% of exposures matter when mapped to real attack paths and critical assets. The rest is noise from tools that miss context and exploitability. 🔗 Why most platforms miss real risk → https://thehackernews.com/2026/04/what-to-look-for-in-exposure-management.html

🚨 WARNING: cPanel patched an auth flaw affecting all supported versions—forcing providers to restrict access. Namecheap blocked ports 2083/2087, disabling control panel access until patches deployed. 🔗 Read → https://thehackernews.com/2026/04/critical-cpanel-authentication.html

⚠️ CISA added two actively exploited vulnerabilities to KEV, affecting Windows and ScreenConnect. A Windows flaw links to an incomplete patch tied to APT28 campaigns. ScreenConnect bugs are now used in Medusa ransomware attacks. 🔗 Read → https://thehackernews.com/2026/04/cisa-adds-actively-exploited.html