Friday Wrap Up: 3 April 2026
This week in cybersecurity was a masterclass in how fast things can go sideways. 🔐
Ransomware operators are now completing full attacks in under an hour. AI platforms you use every day shipped critical vulnerabilities. A supply chain attack hit a JavaScript library with 100M+ weekly downloads. And someone accidentally leaked 512,000 lines of AI source code — which attackers immediately weaponized into a malware campaign on GitHub.
If your patch queue looks overwhelming right now, you’re not alone. Chrome, Cisco, F5, Fortinet, and more all dropped critical fixes this week — many already under active exploitation before patches shipped.
Check out this week’s Friday Wrap-Up for the full breakdown. 👇
#Cybersecurity #PatchManagement #SupplyChainSecurity #FWU #fridaywrapup #Malware #DataBreach #Ransomware
Major Cyberattacks & Incidents
This week’s breach roundup spans AI firms, healthcare, toys, and crypto — a reminder that no sector is immune when attackers are operating at this pace and scale.
🔓 AI recruitment firm Mercor confirmed a breach stemming from a LiteLLM supply chain attack. Hackers claim to have exfiltrated 4TB of sensitive data, including user records and internal systems. (Published on April 3, 2026, Hackread). Read More
🕵️ The ShinyHunters group claims to have stolen over 3 million Cisco records via Salesforce and AWS, threatening a public data leak if their demands are not met. (Published on April 2, 2026, Hackread). Read More
🏥 A January 2026 cyberattack on Nacogdoches Memorial Hospital compromised personal and health information belonging to 250,000 patients after a threat actor breached the hospital’s internal network. (Published on April 2, 2026, SecurityWeek). Read More
🎲 Toy giant Hasbro is investigating a cyberattack that may have resulted in file compromise. The full scope of the breach is still under determination, with no confirmed exfiltration yet. (Published on April 1, 2026, SecurityWeek). Read More
💸 A Maryland man faces federal charges for allegedly exploiting smart contract vulnerabilities to steal $53 million from Uranium Finance and laundering the proceeds through crypto mixing services. (Published on March 31, 2026, Infosecurity). Read More
Malware & Vulnerabilities
From AI-generated evasion code to ransomware completing full attacks in under an hour, threat actors are raising the bar on speed and sophistication this week.
📱 A new SparkCat malware variant found in App Store and Google Play apps uses OCR to scan images for crypto wallet recovery phrases, hidden inside seemingly legitimate applications. (Published on April 3, 2026, The Hacker News). Read More
🐍 Threat actors are exploiting Anthropic’s Claude Code source code leak by publishing fake GitHub repositories that deliver Vidar information-stealing malware to unsuspecting developers. (Published on April 2, 2026, BleepingComputer). Read More
🦠 DeepLoad, a newly discovered malware, is distributed via ClickFix social engineering attacks. It steals credentials, installs a malicious browser extension, and can self-propagate via USB drives. (Published on April 1, 2026, SecurityWeek). Read More
🤖 ReliaQuest researchers warn that DeepLoad leverages AI-generated code alongside ClickFix techniques to evade detection while persistently targeting enterprise credentials across organizations. (Published on March 30, 2026, Infosecurity). Read More
📨 Microsoft warns of a WhatsApp-based campaign tricking users into executing malicious Visual Basic Script files, enabling attackers to establish persistence and remote access on compromised systems. (Published on April 1, 2026, CSO Online). Read More
📦 Attackers hijacked the npm account of Axios — a JavaScript HTTP client with over 100 million weekly downloads — distributing remote access trojans targeting Linux, Windows, and macOS systems. (Published on March 31, 2026, BleepingComputer). Read More
🛤️ A newly identified implant named RoadK1ll uses WebSocket communications to enable threat actors to quietly move laterally from a compromised host to other systems on the internal network. (Published on March 30, 2026, BleepingComputer). Read More
🇷🇺 A Russian-origin remote access toolkit called CTRL spreads through malicious Windows shortcut files disguised as private key folders, hijacking RDP sessions via FRP tunneling. (Published on March 30, 2026, The Hacker News). Read More
⏱️ Halcyon researchers report that the Akira ransomware group can now execute a full attack — from initial access to encryption — in under one hour, dramatically shrinking defender response windows. (Published on April 2, 2026, Infosecurity). Read More
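The Axios item above is a reminder that a hijacked maintainer account turns a routine `npm install` into malware delivery, and that the lockfile is the control point. The following is an added example, not code from the newsletter or from the Axios project: a small Python audit over a constructed npm lockfile (lockfileVersion 3 layout) that flags the conditions a defender cares about after an upstream account compromise, a manifest spec that floats (`^`/`~` ranges pull a poisoned release on the next install), an entry resolved from somewhere other than the expected registry, a missing `sha512` integrity hash, and a locked version that differs from an internally approved one. The `APPROVED` map, the package names, versions and hashes in `SAMPLE_LOCK` are all constructed for the example.

```python
import json
import re

# Only exact versions are acceptable in the manifest: a range such as "^1.6.0"
# lets a freshly published malicious release be picked up without any review.
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+$")
TRUSTED_REGISTRY = "https://registry.npmjs.org/"

# Constructed sample lockfile (npm lockfileVersion 3 layout). Versions, URLs
# and hashes are invented for the example; "left-pad" is deliberately broken.
SAMPLE_LOCK = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"axios": "^1.6.0", "left-pad": "1.3.0"}},
        "node_modules/axios": {
            "version": "1.7.0",
            "resolved": "https://registry.npmjs.org/axios/-/axios-1.7.0.tgz",
            "integrity": "sha512-CONSTRUCTEDHASHFORTHEEXAMPLE",
        },
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://example.invalid/left-pad-1.3.0.tgz",
            # no "integrity" field at all
        },
    },
}

# Internally approved versions (assumption: the team keeps such an allowlist
# and bumps it only after reviewing a release).
APPROVED = {"axios": "1.6.0"}


def audit_lockfile(lock: dict, approved: dict) -> list[str]:
    """Return a list of human-readable findings; an empty list means the lockfile is clean."""
    findings = []
    packages = lock.get("packages", {})

    # 1. The root manifest ("" entry) must pin exact versions.
    root_deps = packages.get("", {}).get("dependencies", {})
    for name, spec in sorted(root_deps.items()):
        if not EXACT_VERSION.match(spec):
            findings.append(f"{name}: manifest spec '{spec}' is a range, pin an exact version")

    # 2. Every resolved package must come from the trusted registry, carry a
    #    sha512 integrity hash, and match the approved version where one exists.
    for path, entry in sorted(packages.items()):
        if not path.startswith("node_modules/"):
            continue
        name = path.rsplit("node_modules/", 1)[1]  # also handles nested node_modules paths
        version = entry.get("version", "?")
        resolved = entry.get("resolved", "")
        if not resolved.startswith(TRUSTED_REGISTRY):
            findings.append(f"{name}@{version}: resolved from untrusted source '{resolved or 'none'}'")
        if not entry.get("integrity", "").startswith("sha512-"):
            findings.append(f"{name}@{version}: missing or weak integrity hash")
        if name in approved and approved[name] != version:
            findings.append(f"{name}@{version}: locked version differs from approved {approved[name]}")
    return findings


def audit_lockfile_path(path: str, approved: dict) -> list[str]:
    """Convenience wrapper for a real package-lock.json on disk."""
    with open(path, encoding="utf-8") as fh:
        return audit_lockfile(json.load(fh), approved)


if __name__ == "__main__":
    for line in audit_lockfile(SAMPLE_LOCK, APPROVED):
        print("FINDING:", line)
```

Run against a real lockfile with `audit_lockfile_path("package-lock.json", APPROVED)`; a non-empty result in CI is a reasonable reason to fail the build, and `npm ci` (which refuses to deviate from the lockfile) rather than `npm install` keeps the audited state in place at deploy time.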
Critical Vulnerabilities & Patches
A relentless wave of critical patches hit this week across Cisco, Chrome, F5, Fortinet, and AI platforms — with many already under active exploitation, making patch fatigue a luxury no one can afford.
🔧 Cisco released patches for a critical authentication bypass in its Integrated Management Controller affecting many servers and appliances, allowing unauthenticated remote attackers to gain admin access. (Published on April 2, 2026, CSO Online). Read More
⚠️ Cisco also patched several high-severity IMC vulnerabilities that, combined with the critical auth bypass, could allow unauthenticated attackers to gain full administrative control over enterprise hardware. (Published on April 2, 2026, BleepingComputer). Read More
📹 Attackers are actively exploiting a zero-day in TrueConf conference servers that executes arbitrary files across all connected endpoints by pushing malicious software updates to clients. (Published on April 1, 2026, BleepingComputer). Read More
🌐 Google released emergency Chrome updates addressing 21 vulnerabilities, including a high-severity use-after-free zero-day in Dawn (CVE-2026-5281) that has been actively exploited in the wild. (Published on April 1, 2026, The Hacker News). Read More
🤖 Vulnerabilities in the CrewAI multi-agent AI framework can be exploited via prompt injection, allowing attackers to chain bugs, escape sandboxes, and execute arbitrary code on host devices. (Published on March 31, 2026, SecurityWeek). Read More
☁️ A security blind spot in Google Cloud’s Vertex AI could allow weaponized AI agents to gain unauthorized access to sensitive data and compromise an organization’s entire cloud environment. (Published on March 31, 2026, The Hacker News). Read More
🔒 A critical SQL injection flaw in Fortinet’s FortiManager (CVE-2026-21643) is under active exploitation, allowing unauthenticated attackers to fully compromise enterprise management servers remotely. (Published on March 30, 2026, CSO Online). Read More
🔑 A flaw in OpenAI’s Codex allowed attackers to steal GitHub tokens by exploiting hidden Unicode command injection embedded in maliciously crafted branch names within code repositories. (Published on March 30, 2026, Hackread). Read More
🔐 A 15-year-old integer underflow bug in strongSwan’s EAP-TTLS plugin allows attackers to crash VPN services, with multiple versions affected across widely deployed global installations. (Published on March 30, 2026, Hackread). Read More
🚨 F5 reclassified a BIG-IP APM flaw from denial-of-service to critical RCE after confirming active exploitation, with attackers deploying webshells on unpatched devices. Patch immediately. (Published on March 30, 2026, BleepingComputer). Read More
Credential Harvesting & Phishing
Attackers are automating credential theft at scale this week, sweeping hundreds of Next.js servers and targeting LinkedIn professionals with convincing lookalike campaigns.
🎣 Attackers using automated scanning and the Nexus Listener framework exploited React2Shell to compromise over 750 systems in a coordinated, large-scale credential harvesting operation. (Published on April 3, 2026, SecurityWeek). Read More
🗝️ Exploiting CVE-2025-55182, attackers breached 766 Next.js hosts to steal database credentials, SSH keys, AWS secrets, Stripe API keys, and GitHub tokens en masse. (Published on April 2, 2026, The Hacker News). Read More
📧 A LinkedIn phishing campaign uses fake notification emails and convincing lookalike domains to steal credentials, hijack professional accounts, and access sensitive business data at scale. (Published on April 1, 2026, Hackread). Read More
Espionage & Nation-State Activity
Russia’s Star Blizzard is upgrading its mobile arsenal, adopting a sophisticated iOS exploit kit to sharpen campaigns against high-value government and institutional targets worldwide.
🌨️ Russian state-sponsored APT Star Blizzard is using the DarkSword iOS exploit kit in campaigns targeting government, higher education, financial, legal entities, and think tanks globally. (Published on March 30, 2026, SecurityWeek). Read More
AI & Policy
Anthropic had a rough week operationally — an accidental source code leak revealed details of a powerful new AI model, and attackers immediately turned the exposure into a malware delivery campaign.
🤦 Human error at Anthropic exposed over 512,000 lines of Claude AI source code, inadvertently revealing internal projects codenamed KAIROS and Capybara and prompting a shift to the Native Installer. (Published on April 1, 2026, Hackread). Read More
🧠 Details of Anthropic’s Mythos — described as its most capable AI model yet, with enhanced reasoning and coding skills — leaked unintentionally via a CMS data exposure, bypassing any planned announcement. (Published on March 30, 2026, CSO Online). Read More
DDoS, Outages & Infrastructure
Microsoft’s Exchange Online continues to battle mailbox reliability issues, leaving Outlook users on mobile and macOS dealing with intermittent disruptions stretching into their third week.
📬 Microsoft is investigating persistent Exchange Online mailbox access problems intermittently affecting Outlook mobile and macOS users for weeks, with no confirmed resolution timeline yet. (Published on April 3, 2026, BleepingComputer). Read More
Stay informed and secure in the tech and cybersecurity world. Have a great weekend, and remember to patch and protect your systems!