Cybersecurity News | Daily Recap [24 Apr 2026]

Daily Recap: Bitwarden and Checkmarx faced separate supply-chain compromises that exposed developer secrets through malicious npm, Docker, and extension loaders, affecting Bitwarden CLI, Checkmarx KICS, VS Code, and Open VSX users. Vercel disclosed broader fallout from the Context.ai intrusion, in which Lumma Stealer was used to steal API keys and tokens that could affect downstream systems. #Bitwarden #Checkmarx #ContextAI #LummaStealer #Vercel

Supply Chain

  • Bitwarden and Checkmarx suffered separate npm, Docker, and extension compromises in which malicious packages and loaders stole developer secrets and credentials, affecting Bitwarden CLI, Checkmarx KICS, VS Code, and Open VSX users – Bitwarden CLI, Bitwarden Package, Checkmarx KICS
  • Vercel said fallout from a third-party Context.ai intrusion exposed more customers than expected, with Lumma Stealer used to steal API keys and tokens that could affect downstream systems – Vercel Fallout
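Both items above share the same mechanism: a dependency that arrives through a normal install and runs a loader at install time. The script below is an added example, not code from this page, from Bitwarden, or from Checkmarx. It audits a lockfile for packages resolved from somewhere other than the public npm registry or lacking an integrity hash, and flags any installed package.json that declares a lifecycle hook, which is the usual way a malicious loader gets executed by `npm install`. The package names, URLs, and hashes in the sample data are constructed for the example and do not refer to the packages involved in these incidents.

```python
"""Audit an npm dependency tree for two supply-chain red flags.

1. package-lock.json (lockfileVersion 2/3) entries resolved from a host other
   than the public registry, or with no integrity hash at all.
2. Installed package.json manifests that declare lifecycle hooks
   (preinstall/install/postinstall/prepare), which run code at install time.
"""
from urllib.parse import urlparse

TRUSTED_REGISTRY_HOSTS = {"registry.npmjs.org"}
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def audit_lockfile(lock: dict) -> list[dict]:
    """Return one finding per suspicious entry in a v2/v3 package-lock.json."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if path == "" or meta.get("link"):
            continue  # root project or workspace symlink: nothing is fetched
        name = path.rsplit("node_modules/", 1)[-1]
        resolved = meta.get("resolved")
        if not resolved:
            findings.append({"package": name, "issue": "no resolved URL"})
            continue
        host = urlparse(resolved).hostname or ""
        if host not in TRUSTED_REGISTRY_HOSTS:
            findings.append({"package": name, "issue": f"resolved from {host}"})
        if not meta.get("integrity"):
            findings.append({"package": name, "issue": "missing integrity hash"})
    return findings


def audit_manifest(manifest: dict) -> list[dict]:
    """Return the install-time hooks a package.json declares (empty if none)."""
    scripts = manifest.get("scripts", {})
    return [
        {"package": manifest.get("name", "?"), "hook": hook, "command": scripts[hook]}
        for hook in LIFECYCLE_HOOKS
        if hook in scripts
    ]


# Constructed sample data: hypothetical package names, a hypothetical mirror
# host and placeholder hashes, not taken from any real incident.
SAMPLE_LOCK = {
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/tiny-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/tiny-pad/-/tiny-pad-1.3.0.tgz",
            "integrity": "sha512-CONSTRUCTED-PLACEHOLDER-A",
        },
        "node_modules/helper-lib": {
            "version": "0.1.0",
            "resolved": "https://cdn.example-mirror.net/helper-lib-0.1.0.tgz",
            "integrity": "sha512-CONSTRUCTED-PLACEHOLDER-B",
        },
        "node_modules/fast-fmt": {
            "version": "2.0.0",
            "resolved": "https://registry.npmjs.org/fast-fmt/-/fast-fmt-2.0.0.tgz",
        },
    },
}

SAMPLE_MANIFESTS = [
    {"name": "tiny-pad", "version": "1.3.0", "scripts": {"test": "node test.js"}},
    {"name": "helper-lib", "version": "0.1.0",
     "scripts": {"postinstall": "node lib/loader.js"}},
]


def run_audit(lock: dict, manifests: list[dict]) -> dict:
    """Combine both checks into one report."""
    hooks = [h for m in manifests for h in audit_manifest(m)]
    return {"lockfile": audit_lockfile(lock), "hooks": hooks}


if __name__ == "__main__":
    report = run_audit(SAMPLE_LOCK, SAMPLE_MANIFESTS)
    for f in report["lockfile"]:
        print(f"LOCKFILE  {f['package']}: {f['issue']}")
    for h in report["hooks"]:
        print(f"HOOK      {h['package']}: {h['hook']} -> {h['command']}")
```

A hook finding is not proof of compromise (many legitimate native packages build in `postinstall`), but each one is a package that executes code on every developer machine and CI runner at install time, so it is the list to review after an upstream incident like these. Running `npm ci --ignore-scripts` in CI, then allow-listing the hooks that are actually needed, removes the loader's execution path entirely.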

State-Linked Threats

  • Allied agencies warned that China-linked actors are industrializing covert botnets built from compromised SOHO routers, IoT, and smart devices, enabling reconnaissance, malware delivery, and espionage – Covert Networks, Botnet Abuse
  • GopherWhisper was linked to espionage against Mongolian government targets using Slack, Discord, Microsoft 365 Outlook, and custom backdoors such as LaxGopher and RatGopher – Cloud Spy, Mongolia Spy
  • Tropic Trooper shifted tactics to target users in Japan, Taiwan, and South Korea with router/DNS hijacks, trojanized updates, and tools including Cobalt Strike, Merlin, and C6DOOR – Tropic Trooper
  • Microsoft warned that nation-state cyber programs have become core instruments of state power, urging coordinated response paths as actors from North Korea to groups tied to SolarWinds and Colonial Pipeline shape modern operations – State Programs

Vulnerability & Exposure

  • More than 10,000 Zimbra servers remain exposed to active exploitation of CVE-2025-48700, prompting a CISA KEV listing and urgent patching, as past abuse has been linked to APT28 and APT29 – Zimbra Flaw
  • U.S. and U.K. agencies said attackers hid on Cisco firewalls using the FIRESTARTER backdoor, while CISA reported a federal agency breach through Cisco flaws and the use of Line Viper to bypass VPN authentication – Firestarter, Cisco Breach
  • Researchers found a file upload bug in the Breeze Cache WordPress plugin is being exploited, extending the wave of public-facing app abuse – Breeze Cache
  • Vulnerabilities in telecom signaling and surveillance tooling were abused to track locations via hidden SMS commands and SS7/Diameter protocols, with evidence pointing toward an Israeli company – Telecom Spy

Malware & Ransomware

  • UNC6692 impersonated an IT helpdesk over Microsoft Teams to deploy SNOW malware, continuing the trend of social-engineering-led intrusions – SNOW Malware
  • Trigona ransomware operators used a custom exfiltration tool, uploader_client.exe, to speed up data theft and evade detection during exfiltration – Trigona Tool
  • ZionSiphon was touted as AI-generated malware targeting Israeli water systems, but analysts said it appears broken and more hype than real threat – ZionSiphon

AI & Identity

  • Security leaders said autonomous agents create dual-use risk, recommending treating AI as an identity and applying identity threat detection to control rogue agents – Autonomous AI
  • Microsoft now lets enterprise admins uninstall Copilot on managed Windows 11 devices via the RemoveMicrosoftCopilotApp policy – Copilot Policy
  • A study of 1,000 Android apps found privacy policies often fail to disclose logging of sensitive data, creating compliance risk under GDPR and CCPA – Android Privacy
  • Gartner forecast global IT spending will hit $6.31 trillion in 2026, driven by AI infrastructure, data centers, and specialized hardware – IT Spending

Fraud & Breaches

  • U.S. authorities sanctioned Cambodian senator Kok An and 28 associates over scam compounds that stole millions, tied to human trafficking and money laundering – Scam Sanctions
  • Rituals disclosed a data breach affecting My Rituals members after attackers exfiltrated personal information, though passwords and payment data were not accessed – Rituals Breach

Funding & Operations

  • Cloudsmith raised $72 million in Series C, bringing total funding to $124 million to expand software supply-chain protections – Cloudsmith Funding
  • Passwork highlighted how DORA turns credential management into a financial resilience control for EU firms, emphasizing phishing-resistant MFA and encrypted vaulting – DORA Credentials

Cybersecurity News | Daily Recap – hendryadrian.com