2026-W15 (Classification: PUBLIC)

WEEKLY INTELLIGENCE BRIEFING

2026-04-06 to 2026-04-12 (80 articles)

Articles scanned: 80
Top IOCs: 15
TLDR
  • 🚨 Mexican government breached at scale using Claude AI and ChatGPT to exfiltrate 195M tax records
  • 🎯 Adobe patches critical Reader zero-day exploited since November 2025 with APT connections
  • ⚡ Marimo RCE flaw weaponized within 10 hours of disclosure, showing acceleration of exploit timelines
  • 🏭 Iranian APTs confirmed inside US critical infrastructure with SCADA manipulation capabilities
  • 🔒 Chrome 146 deploys device-bound sessions to combat cookie theft attacks
  • 💰 Major ransomware week with multiple state/local governments and healthcare providers hit
  • 🔧 Supply chain attacks surge: CPUID, Smart Slider 3 Pro, and W3LL phishing kit disrupted

Intelligence Breakdown (5 modules)

Vulnerabilities & Exploits

Critical Marimo pre-auth RCE flaw now under active exploitation. CVE-2026-39987 (CVSS 9.3) exploited within 10 hours of disclosure for credential theft via unauthenticated WebSocket endpoint.

Adobe Patches Reader Zero-Day Exploited for Months. CVE-2026-34621 (CVSS 9.6) enables arbitrary code execution, actively exploited since November 2025 with Russian APT connections.

Chrome 147 Patches 60 Vulnerabilities, Including Two Critical Flaws Worth $86,000. Two critical heap buffer overflow flaws in the WebML component were patched, with significant bounties paid.

Orthanc DICOM Vulnerabilities Lead to Crashes, RCE. Nine flaws in healthcare DICOM server enable DoS, data leaks, and remote code execution.

Key Takeaway

Patch critical vulnerabilities immediately as exploitation windows have collapsed to hours, not days.

APT & Nation-State

Nearly 4,000 US industrial devices exposed to Iranian cyberattacks. Iranian APTs target exposed Rockwell PLCs with SCADA display manipulation causing operational disruptions since March 2026.

GraphAlgo Scam: Lazarus Hackers Register Real US LLCs to Spread Malware. North Korean Lazarus Group registers legitimate Florida LLCs and uses GitHub typosquatting to distribute RATs to developers.

Hacker Used Claude Code, GPT-4.1 to Exfiltrate Hundreds of Millions of Mexican Records. Single attacker used AI to automate reconnaissance and exfiltrate 195M tax records from nine Mexican agencies.

Key Takeaway

Nation-state actors are weaponizing AI for reconnaissance and targeting critical infrastructure with increasing sophistication.

Supply Chain

Supply chain attack at CPUID pushes malware with CPU-Z/HWMonitor. API compromise led to trojanized downloads for six hours, affecting widely used system monitoring tools.

Backdoored Smart Slider 3 Pro Update Distributed via Compromised Nextend Servers. WordPress plugin update infrastructure hijacked for six hours, potentially impacting 800K+ installations.

FBI Recovers Deleted Signal Messages Through iPhone Notifications. Push notification cache vulnerability affects all messaging apps, exposes content even after app deletion.

GlassWorm Campaign Uses Zig Dropper to Infect Multiple Developer IDEs. Fake VS Code extension deploys multi-IDE malware via Solana blockchain C2.

Key Takeaway

Validate software downloads from official sources and monitor third-party update infrastructure for signs of compromise.

Ransomware & Breaches

ShinyHunters Claims Rockstar Games Snowflake Breach via Anodot. Major gaming studio breached through supply chain attack via Anodot-Snowflake integration.

Android Banking Trojan Linked to Cambodia Scam Compounds Hits 21 Countries. Forced labor operations in Cambodia power global banking trojan campaign across 21 countries.

Over 20,000 crypto fraud victims identified in international crackdown. Operation Atlantic identifies 20K+ victims, freezes $12M in international law enforcement action.

Key Takeaway

Implement defense in depth for cloud environments and monitor third-party integrations for unauthorized access.

References

Regulatory Updates
Regulatory & AI Security: action items and policy signal

Google Rolls Out DBSC in Chrome 146 to Block Session Theft on Windows. Device Bound Session Credentials prevent cookie theft by binding sessions to a hardware TPM.

Anthropic's Mythos Will Force a Cybersecurity Reckoning—Just Not the One You Think. Claude Mythos Preview can autonomously discover vulnerabilities and develop exploits.

Browser Extensions Are the New AI Consumption Channel That No One Is Talking About. AI browser extensions show 60% higher vulnerability rates and bypass traditional security controls.

Key Takeaway

Evaluate AI security tools for dual-use risks and implement controls for ungoverned AI consumption channels.