TECHZONE™
TECHZONE CYBERNEWS && UPDATES Wᴇʟᴄᴏᴍᴇ Tᴏ TECHZONE™ ✔️Infosec Facts ✔️Cheatsheets ✔️Free Courses ✔️Open source tools ✔️Tech news
Subscribers: 598 (24 hours: no data; 7 days: -2; 30 days: -9)
Posts archive
Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux Servers
https://thehackernews.com/2026/04/microsoft-details-cookie-controlled-php.html
Threat actors are increasingly using HTTP cookies as a control channel for PHP-based web shells on Linux servers and to achieve remote code execution, according to findings from the Microsoft Defender Security Research Team.
"Instead of exposing command execution through URL parameters or request bodies, these web shells rely on threat actor-supplied cookie values to gate execution,
UNC1069 Social Engineering of Axios Maintainer Led to npm Supply Chain Attack
https://thehackernews.com/2026/04/unc1069-social-engineering-of-axios.html
The maintainer of the Axios npm package has confirmed that the supply chain compromise was the result of a highly-targeted social engineering campaign orchestrated by North Korean threat actors tracked as UNC1069.
Maintainer Jason Saayman said the attackers tailored their social engineering efforts "specifically to me" by first approaching him under the guise of the founder of a
Why Third-Party Risk Is the Biggest Gap in Your Clients' Security Posture
https://thehackernews.com/2026/04/why-third-party-risk-is-biggest-gap-in.html
The next major breach hitting your clients probably won't come from inside their walls. It'll come through a vendor they trust, a SaaS tool their finance team signed up for, or a subcontractor nobody in IT knows about. That's the new attack surface, and most organizations are underprepared for it.
Cynomi's new guide, Securing the Modern Perimeter: The Rise of Third-Party
New SparkCat Variant in iOS, Android Apps Steals Crypto Wallet Recovery Phrase Images
https://thehackernews.com/2026/04/new-sparkcat-variant-in-ios-android.html
Cybersecurity researchers have discovered a new version of the SparkCat malware on the Apple App Store and Google Play Store, more than a year after the trojan was discovered targeting both the mobile operating systems.
The malware has been found to conceal itself within seemingly benign apps, such as enterprise messengers and food delivery services, while
Drift Loses $285 Million in Durable Nonce Social Engineering Attack Linked to DPRK
https://thehackernews.com/2026/04/drift-loses-285-million-in-durable.html
Solana-based decentralized exchange Drift has confirmed that attackers drained about $285 million from the platform during a security incident that took place on April 1, 2026.
"Earlier today, a malicious actor gained unauthorized access to Drift Protocol through a novel attack involving durable nonces, resulting in a rapid takeover of Drift’s Security Council administrative powers," the
Hackers Exploit CVE-2025-55182 to Breach 766 Next.js Hosts, Steal Credentials
https://thehackernews.com/2026/04/hackers-exploit-cve-2025-55182-to.html
A large-scale credential harvesting operation has been observed exploiting the React2Shell vulnerability as an initial infection vector to steal database credentials, SSH private keys, Amazon Web Services (AWS) secrets, shell command history, Stripe API keys, and GitHub tokens at scale.
Cisco Talos has attributed the operation to a threat cluster it tracks as
Cisco Patches 9.8 CVSS IMC and SSM Flaws Allowing Remote System Compromise
https://thehackernews.com/2026/04/cisco-patches-98-cvss-imc-and-ssm-flaws.html
Cisco has released updates to address a critical security flaw in the Integrated Management Controller (IMC) that, if successfully exploited, could allow an unauthenticated, remote attacker to bypass authentication and gain access to the system with elevated privileges.
The vulnerability, tracked as CVE-2026-20093, carries a CVSS score of 9.8 out of a maximum of 10.0.
"This
ThreatsDay Bulletin: Pre-Auth Chains, Android Rootkits, CloudTrail Evasion & 10 More Stories
https://thehackernews.com/2026/04/threatsday-bulletin-pre-auth-chains.html
The latest ThreatsDay Bulletin is basically a cheat sheet for everything breaking on the internet right now. No corporate fluff or boring lectures here, just a quick and honest look at the messy reality of keeping systems safe this week.
Things are moving fast. The list includes researchers chaining small bugs together to create massive backdoors, old software flaws
Researchers Uncover Mining Operation Using ISO Lures to Spread RATs and Crypto Miners
https://thehackernews.com/2026/04/researchers-uncover-mining-operation.html
A financially motivated operation codenamed REF1695 has been observed leveraging fake installers to deploy remote access trojans (RATs) and cryptocurrency miners since November 2023.
"Beyond cryptomining, the threat actor monetizes infections through CPA (Cost Per Action) fraud, directing victims to content locker pages under the guise of software registration," Elastic
The State of Trusted Open Source Report
https://thehackernews.com/2026/04/the-state-of-trusted-open-source-report.html
In December 2025, we shared the first-ever The State of Trusted Open Source report, featuring insights from our product data and customer base on open source consumption across our catalog of container image projects, versions, images, language libraries, and builds. These insights shed light on what teams pull, deploy, and maintain day to day, alongside the vulnerabilities and
WhatsApp Alerts 200 Users After Fake iOS App Installed Spyware; Italian Firm Faces Action
https://thehackernews.com/2026/04/whatsapp-alerts-200-users-after-fake.html
Meta-owned messaging platform WhatsApp said it alerted about 200 users who were tricked into installing a bogus version of its iOS app that was infected with spyware.
According to reports from Italian newspaper La Repubblica and news agency ANSA, the vast majority of the targets are located in Italy. It's assessed that the threat actors behind the activity used social engineering
Apple Expands iOS 18.7.7 Update to More Devices to Block DarkSword Exploit
https://thehackernews.com/2026/04/apple-expands-ios-1877-update-to-more.html
Apple on Wednesday expanded the availability of iOS 18.7.7 and iPadOS 18.7.7 to a broader range of devices to protect users from the risk posed by a recently disclosed exploit kit known as DarkSword.
"We enabled the availability of iOS 18.7.7 for more devices on April 1, 2026, so users with Automatic Updates turned on can automatically receive important security
Digital assets after death: Managing risks to your loved one’s digital estate
https://www.welivesecurity.com/en/cybersecurity/digital-assets-death-managing-risks-your-loved-ones-digital-estate/
Fraudsters often target the accounts of the deceased or their grieving relatives. Here’s how to keep the scammers at bay.
CERT-UA Impersonation Campaign Spread AGEWHEEZE Malware to 1 Million Emails
https://thehackernews.com/2026/04/cert-ua-impersonation-campaign-spread.html
The Computer Emergency Response Team of Ukraine (CERT-UA) has disclosed details of a new phishing campaign in which the cybersecurity agency itself was impersonated to distribute a remote administration tool known as AGEWHEEZE.
As part of the attacks, the threat actors, tracked as UAC-0255, sent emails on March 26 and 27, 2026, posing as CERT-UA to distribute a password-protected ZIP archive
Microsoft Warns of WhatsApp-Delivered VBS Malware Hijacking Windows via UAC Bypass
https://thehackernews.com/2026/04/microsoft-warns-of-whatsapp-delivered.html
Microsoft is calling attention to a new campaign that has leveraged WhatsApp messages to distribute malicious Visual Basic Script (VBS) files.
The activity, beginning in late February 2026, leverages these scripts to initiate a multi-stage infection chain for establishing persistence and enabling remote access. It's currently not known what lures the threat actors use to trick users into
Block the Prompt, Not the Work: The End of "Doctor No"
https://thehackernews.com/2026/04/block-prompt-not-work-end-of-doctor-no.html
There is a character that keeps appearing in enterprise security departments, and most CISOs know exactly who that is. It doesn’t build. It doesn’t enable. Its entire function is to say "No."
No to ChatGPT.
No to DeepSeek.
No to the file-sharing tool the product team swears by.
For years, this looked like security. But in 2026, "Doctor No" is no longer just a management headache
Casbaneiro Phishing Targets Latin America and Europe Using Dynamic PDF Lures
https://thehackernews.com/2026/04/casbaneiro-phishing-targets-latin.html
A multi-pronged phishing campaign is targeting Spanish-speaking users in organizations across Latin America and Europe to deliver Windows banking trojans like Casbaneiro (aka Metamorfo) via another malware called Horabot.
The activity has been attributed to a Brazilian cybercrime threat actor tracked as Augmented Marauder and Water Saci. The e-crime group was first documented by Trend Micro in
New Chrome Zero-Day CVE-2026-5281 Under Active Exploitation — Patch Released
https://thehackernews.com/2026/04/new-chrome-zero-day-cve-2026-5281-under.html
Google on Thursday released security updates for its Chrome web browser to address 21 vulnerabilities, including a zero-day flaw that it said has been exploited in the wild.
The high-severity vulnerability, CVE-2026-5281 (CVSS score: N/A), concerns a use-after-free bug in Dawn, an open-source and cross-platform implementation of the WebGPU standard.
"Use-after-free in Dawn in Google Chrome prior
3 Reasons Attackers Are Using Your Trusted Tools Against You (And Why You Don’t See It Coming)
https://thehackernews.com/2026/04/3-reasons-attackers-are-using-your.html
For years, cybersecurity has followed a familiar model: block malware, stop the attack. Now, attackers are moving on to what’s next.
Threat actors now use malware less frequently in favor of what’s already inside your environment, including abusing trusted tools, native binaries, and legitimate admin utilities to move laterally, escalate privileges, and persist without raising alarms. Most
Google Attributes Axios npm Supply Chain Attack to North Korean Group UNC1069
https://thehackernews.com/2026/04/google-attributes-axios-npm-supply.html
Google has formally attributed the supply chain compromise of the popular Axios npm package to a financially motivated North Korean threat activity cluster tracked as UNC1069.
"We have attributed the attack to a suspected North Korean threat actor we track as UNC1069," John Hultquist, chief analyst at Google Threat Intelligence Group (GTIG), told The Hacker News in a statement.
"North Korean