Cybersecurity Newsfeed - 29/04/26
Daily cybersecurity news covering vulnerabilities, adversaries, trends, breaches, and other notable security developments.
🛡️ Vulnerabilities
Critical GitHub RCE (CVE-2026-3854): A flaw in repository metadata processing allows remote code execution by escaping the security sandbox. GitHub has released mitigations; organizations running their own GitHub Enterprise instances are urged to update them.
LiteLLM Pre-Auth SQL Injection: LiteLLM, an open-source proxy that fronts LLM providers, has a SQL injection flaw that is being actively exploited; it lets an unauthenticated attacker run arbitrary SQL commands against the proxy's database.
Microsoft Zero-Day Exploitation: Microsoft confirmed that APT groups are actively exploiting a new remote code execution zero-day across the Microsoft ecosystem. Emergency mitigations and detection signatures have been released.
CISA Adds Two Flaws to KEV: Two new vulnerabilities affecting enterprise software have been added to the Known Exploited Vulnerabilities catalog. Under BOD 22-01, federal civilian agencies must remediate each entry by the due date listed in the catalog.
Hugging Face AI Platform Flaw (CVE-2026-25874): A critical vulnerability could allow unauthorized access to private repositories or arbitrary code execution within the platform's infrastructure.
Microsoft Entra ID Role Escalation: An emergency patch addresses a logic error in Entra ID (formerly Azure AD) that let low-privilege users grant themselves administrative roles.
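A practitioner reading the KEV item above usually wants two answers quickly: which catalog entries are due soon, and which of them touch products in their own inventory. The following is an added example, not code from the newsfeed or from CISA. It parses a catalog snapshot laid out with the real KEV feed's field names and triages it by due date. The entries embedded in it are constructed placeholders: the CVE IDs, vendors, products and dates are invented for the demonstration and are not the two flaws the item refers to. The `triage` function and its `(vendor, product)` inventory format are this example's own.

```python
import json
from datetime import date, timedelta

# Constructed catalog snapshot using the real KEV feed's field names
# (the live feed is known_exploited_vulnerabilities.json on cisa.gov).
# Every CVE ID, vendor, product and date here is a placeholder for the demo.
SAMPLE_KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "2026.04.29",
  "dateReleased": "2026-04-29T12:00:00.0000Z",
  "count": 3,
  "vulnerabilities": [
    {
      "cveID": "CVE-2026-90001",
      "vendorProject": "Example Corp",
      "product": "Example Gateway",
      "vulnerabilityName": "Example Gateway Authentication Bypass Vulnerability",
      "dateAdded": "2026-04-28",
      "shortDescription": "Placeholder entry for the demo.",
      "requiredAction": "Apply mitigations per vendor instructions.",
      "dueDate": "2026-05-19",
      "knownRansomwareCampaignUse": "Unknown",
      "notes": ""
    },
    {
      "cveID": "CVE-2026-90002",
      "vendorProject": "Example Corp",
      "product": "Example Suite",
      "vulnerabilityName": "Example Suite Deserialization of Untrusted Data Vulnerability",
      "dateAdded": "2026-04-28",
      "shortDescription": "Placeholder entry for the demo.",
      "requiredAction": "Apply mitigations per vendor instructions.",
      "dueDate": "2026-05-05",
      "knownRansomwareCampaignUse": "Known",
      "notes": ""
    },
    {
      "cveID": "CVE-2025-90003",
      "vendorProject": "Other Vendor",
      "product": "Widget Server",
      "vulnerabilityName": "Widget Server Command Injection Vulnerability",
      "dateAdded": "2025-11-01",
      "shortDescription": "Placeholder entry for the demo.",
      "requiredAction": "Apply updates per vendor instructions.",
      "dueDate": "2025-11-22",
      "knownRansomwareCampaignUse": "Unknown",
      "notes": ""
    }
  ]
}
"""


def load_catalog(raw_json):
    """Parse a KEV catalog document and return its list of entries."""
    return json.loads(raw_json)["vulnerabilities"]


def remediation_status(entry, today):
    """'OVERDUE' if the due date has passed, otherwise 'due in Nd'."""
    due = date.fromisoformat(entry["dueDate"])
    if due < today:
        return "OVERDUE"
    return f"due in {(due - today).days}d"


def matches_inventory(entry, inventory):
    """True if the entry's vendor/product pair appears in the inventory.

    inventory is a list of (vendor, product) strings as an asset register
    might hold them (this example's own format). The vendor must match
    exactly (case-insensitive) and the KEV product name must occur in the
    inventory product string, so "Example Gateway 4.2" matches a KEV entry
    for "Example Gateway".
    """
    vendor = entry["vendorProject"].lower()
    product = entry["product"].lower()
    return any(vendor == v.lower() and product in p.lower() for v, p in inventory)


def triage(raw_json, today_iso, days, inventory=None):
    """Return [(cveID, status)] for entries due within `days` of today_iso.

    Overdue entries are included, results are sorted soonest first, and when
    an inventory is given only entries that match it are returned.
    """
    today = date.fromisoformat(today_iso)
    horizon = today + timedelta(days=days)
    hits = []
    for entry in load_catalog(raw_json):
        if date.fromisoformat(entry["dueDate"]) > horizon:
            continue
        if inventory is not None and not matches_inventory(entry, inventory):
            continue
        hits.append(entry)
    hits.sort(key=lambda e: e["dueDate"])  # ISO dates sort correctly as strings
    return [(e["cveID"], remediation_status(e, today)) for e in hits]


if __name__ == "__main__":
    # Constructed asset register for the demo.
    inventory = [("Example Corp", "Example Gateway 4.2"), ("Other Vendor", "Widget Server 2.1")]
    for cve, status in triage(SAMPLE_KEV_JSON, "2026-04-29", 21, inventory):
        print(f"{cve}: {status}")
```

Against the live feed the same logic applies unchanged; the only thing to swap is the embedded snapshot for the downloaded JSON. Note that the catalog's due date is the federal deadline, not an exploitability signal: an entry added yesterday with three weeks to go is already being exploited, which is the whole point of the list, so the horizon argument is for scheduling work, not for deciding whether to care.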
🎯 Adversaries
BlueNoroff Hijacks Legitimate Entities: The North Korean group is now hosting malicious content on the compromised infrastructure of previous victims, so that lures arrive from domains with a clean reputation, and is using it to target financial institutions.
LofyGang Targets Developers: The Brazilian threat group has returned, spreading malicious npm and GitHub packages that use heavy obfuscation to steal SSH keys and environment variables.
Scattered Spider Member Charged: US authorities filed charges against a key member of the group following an arrest in Finland. The group is known for aggressive SIM swapping and social engineering.
Ransomware "Turf War" (0APT vs. Krybit): Two rival groups are actively sabotaging each other's infrastructure and leaking each other's data to damage reputations, creating a chaotic situation for victims.
Firestarter Backdoor Targets Cisco: A new Linux-based backdoor is specifically targeting Cisco Firepower devices, intercepting network traffic and maintaining long-term persistence on the appliance.
📈 Trends
Crypto Custody Concentration Risks: Analysis shows $152.9 billion in digital assets concentrated within a handful of top-tier custodians, creating a systemic "too big to fail" risk for the DeFi ecosystem.
OpSec Playbooks for EDR Evasion: Investigations reveal threat actors following detailed playbooks that mimic routine administrative activity and rely on LoLBins to stay resident in memory and avoid detection.
Fake Captcha Mobile Scams: Attackers are using fraudulent verification buttons to silently subscribe mobile users to expensive premium-rate SMS services through carrier billing systems.
Glassworm VS Code Extensions: Malicious extensions in the VS Code Marketplace mimic popular tools to steal developer credentials and compromise software supply chains.
Robinhood Workflow Weaponized: Attackers abused Robinhood's account creation workflow to generate legitimate-looking phishing emails that bypassed standard spam filters.
DHL Phishing Campaign: A high-fidelity campaign clones the official DHL portal and harvests credentials through a multi-stage attack chain built on obfuscated JavaScript.
💥 Breaches & Leaks
Vimeo Data Breach via Anodot: Video platform Vimeo confirmed a breach after its third-party analytics provider, Anodot, was compromised, exposing user account details and usage metrics.
Ransomware Feud Data Leaks: Rival ransomware syndicates have begun leaking each other's stolen data and internal chats, widening the exposure of the affected organizations.
