Cybersecurity

Attackers published lightning 2.6.2 and 2.6.3 to PyPI on April 30, executing an obfuscated JavaScript payload to harvest cloud credentials from anyone who imported the package. Maintainers quarantined the malicious builds within 42 minutes.

CVE-2026-31431, discovered by Theori using its AI scanner Xint Code, lets unprivileged users root Ubuntu, Amazon Linux, RHEL, and SUSE through a logic flaw in the kernel's crypto subsystem.

CVE-2026-3854 let any authenticated user run code on GitHub's backend with a single git push. GitHub patched github.com in two hours on March 4; public disclosure on April 28 found most Enterprise Server instances still vulnerable.

CISA's April 24 KEV update flags four actively exploited vulnerabilities tied to ransomware against managed service providers and Mirai DDoS botnets, with a May 8 federal patching deadline.

CISA added CVE-2026-32202 and CVE-2024-1708 to the Known Exploited Vulnerabilities catalog on April 28, giving federal agencies until May 12 to patch a zero-click NTLM coercion flaw whose Patch Tuesday entry carried no exploitation marker.

An unauthenticated WebSocket flaw in the popular Marimo notebook (CVE-2026-39987, CVSS 9.3) was weaponized within 9 hours 41 minutes of disclosure, with credential theft completed in under three minutes. CISA has since added the bug to its KEV catalog with a May 7 federal deadline.

Home security giant ADT says attackers detected on April 20 stole names, phone numbers and addresses for 5.5 million customers after voice-phishing an employee's Okta single sign-on. ShinyHunters published an 11GB archive when the company refused to pay.

A Lumma Stealer infection at AI startup Context.ai escalated into a cross-tenant OAuth attack on Vercel, exposing employee accounts, environment variables, and customer credentials, with attackers reportedly demanding a $2 million ransom in Telegram messages with the company.

A malicious build of @bitwarden/cli@2026.4.0 was live on npm for roughly 93 minutes on April 22 after attackers used credentials stolen from Checkmarx to push a self-propagating worm that harvests cloud, Git, and AI tooling credentials.

A researcher's protest disclosure turned Microsoft Defender's remediation engine into an attack vector, with two of three zero-days remaining unpatched as ransomware actors move in.

France's national identity document agency confirmed hackers breached its portal and stole data on up to 12 million citizens, while the threat actor claims 19 million records are for sale.

A regression shipped in .NET 10.0.6 broke HMAC validation and exposed cookie-forging attacks. Microsoft released out-of-band .NET 10.0.7 on April 21 to patch CVE-2026-40372, rated 9.1 CVSS.