Top 10 Cybersecurity Updates — April 3–10, 2026

Apr 11 2026


Welcome to Gone Phishing, where the only thing getting hooked is bad actors. No bots, no fluff, just the week's most dangerous catches. 🎣



1. Fortinet FortiClient EMS Zero-Day (CVE-2026-35616) Exploited Before Patch
watchTowr sensors detected active exploitation of a critical pre-authentication API access bypass (CVSS 9.1) in FortiClient EMS on March 31, days before Fortinet published its advisory on April 4. The flaw affects versions 7.4.5–7.4.6 and allows unauthenticated remote code execution. CISA added it to KEV on April 6, mandating federal agencies patch by April 9, with 2,000+ exposed instances identified worldwide.

2. FBI and DOJ Dismantle Russian GRU APT28 DNS Hijacking Network
The Justice Department announced a court-authorised operation on April 7–8 to neutralise a global DNS hijacking network run by Russia's GRU Unit 26165 (APT28/Fancy Bear). Since 2024, the group hijacked thousands of TP-Link SOHO routers — peaking at 18,000+ IPs across 120 countries — to conduct Actor-in-the-Middle attacks harvesting passwords, auth tokens, and emails. The FBI remotely reset DNS settings on US-based compromised routers.

3. Iran-Linked Hackers Actively Disrupting US Water and Energy OT Systems
CISA, EPA, FBI, and NSA issued joint advisory AA26-097A on April 7 warning of an ongoing Iranian APT campaign targeting internet-exposed OT at US water, wastewater, and energy facilities. Since March 2026, attackers exploited Rockwell Automation/Allen-Bradley PLCs to wipe configurations, tamper with mechanical sensors, and disrupt HMI/SCADA displays. NERC confirmed active grid monitoring. Defenders must air-gap OT networks and patch internet-facing PLCs immediately.

4. Anthropic Launches Project Glasswing — AI Model Discovers Thousands of Zero-Days
On April 7–8, Anthropic unveiled Project Glasswing, a $100M initiative giving vetted partners early access to Claude Mythos Preview — an unreleased frontier model that autonomously finds high-severity vulnerabilities across every major OS and browser. Partners include AWS, Apple, Google, Microsoft, Cisco, CrowdStrike, and NVIDIA. Anthropic privately warned US officials that Mythos also makes large-scale cyberattacks significantly more feasible, restricting access to vetted defenders only.

5. React2Shell (CVE-2025-55182, CVSS 10.0) Exploited in Automated Campaign Across 700+ Hosts
Cisco Talos uncovered a large-scale automated campaign by threat cluster UAT-10608 exploiting a critical unauthenticated RCE flaw in Next.js React Server Components, compromising 766+ hosts across multiple cloud providers globally. Without authentication, attackers upload a multi-phase payload exfiltrating database credentials, SSH keys, AWS secrets, and cloud tokens via a NEXUS Listener C2 framework. All Next.js operators with exposed RSC endpoints should audit immediately.

6. Chrome Zero-Day CVE-2026-5281 (WebGPU) Under Active Exploitation — 4th of 2026
Google confirmed active exploitation of CVE-2026-5281, a high-severity use-after-free in Dawn (Chrome's WebGPU layer), patched April 1 in Chrome 146.0.7680.177/178. CISA added it to KEV with a federal deadline of April 15. The flaw allows a compromised renderer to achieve arbitrary code execution and can be chained to escape Chrome's sandbox entirely. This is the fourth Chrome zero-day exploited in the wild in 2026.

7. Adobe Allegedly Breached via BPO Supply Chain — 13M Support Tickets Exposed
Threat actor "Mr. Raccoon" claims to have stolen 13 million Adobe customer support tickets, 15,000 employee records, and all submissions from Adobe's HackerOne bug bounty programme by compromising a third-party Indian BPO via phishing and RAT deployment. Researchers at vx-underground assessed the data as appearing legitimate. Exposure of unpublished HackerOne reports is especially alarming as those details could be weaponised before patches are issued. Adobe has not confirmed the breach.

8. ChipSoft Ransomware Attack Hits Dutch Healthcare Vendor Serving 80% of Hospitals
ChipSoft, a Dutch vendor supplying electronic patient-record software to roughly 80% of Dutch hospitals, was knocked offline by a ransomware attack confirmed by Z-CERT on April 7–8. Most hospitals remained operational via locally cached systems, but the incident highlights the systemic risk of single-point-of-failure healthcare IT suppliers. The responsible threat group had not been publicly identified at time of reporting.

9. Docker CVE-2026-34040 — Oversized Request Bypasses AuthZ Plugins, Grants Host Access
A high-severity flaw (CVSS 8.8) in Docker Engine allows attackers to bypass all authorization plugins by sending API requests exceeding 1 MB — middleware silently drops the body before AuthZ inspection while the daemon still executes the request. A single padded HTTP request can create a privileged container with full host filesystem access. Patched in Docker Engine 29.3.1 and Docker Desktop 4.66.1; upgrade immediately.
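
A toy model of the fail-open pattern this item describes, next to a fail-closed variant. This is an added example, not Docker's code and not from the original newsletter; the function names, the policy, and the exact 1 MiB threshold are assumptions, and the request bodies are constructed samples.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// maxInspect models the 1 MB limit from the item above (exact value assumed).
const maxInspect = 1 << 20

// createReq is the part of a container-create body this toy policy reads.
type createReq struct{ HostConfig struct{ Privileged bool } }

// wantsPrivileged is a hypothetical AuthZ rule input: is Privileged set?
func wantsPrivileged(body []byte) (bool, error) {
	var r createReq
	err := json.Unmarshal(body, &r)
	return r.HostConfig.Privileged, err
}

// failOpen models the flaw: "nothing objectionable seen" is treated as allow.
func failOpen(body []byte) bool {
	if len(body) > maxInspect {
		body = nil // oversized body dropped before inspection
	}
	priv, _ := wantsPrivileged(body) // parse error ignored
	return !priv
}

// failClosed denies whatever the policy could not read in full.
func failClosed(body []byte) bool {
	if len(body) > maxInspect {
		return false
	}
	priv, err := wantsPrivileged(body)
	return err == nil && !priv
}

// sample builds a constructed request body with padLen bytes of filler.
func sample(priv bool, padLen int) []byte {
	return []byte(fmt.Sprintf(`{"HostConfig":{"Privileged":%t},"Labels":{"pad":"%s"}}`,
		priv, strings.Repeat("A", padLen)))
}

func main() {
	big := sample(true, maxInspect)
	fmt.Println("fail-open:", failOpen(big), "fail-closed:", failClosed(big))
}
```

The same rule applies to any policy layer in front of an API: a request the inspector could not read in full should be rejected, not passed through with an empty view.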

10. DragonForce Ransomware Abuses SimpleHelp RMM in MSP Supply Chain Attack
DragonForce operators were found abusing SimpleHelp remote monitoring and management software to pivot through managed service providers and simultaneously reach multiple downstream customers — a textbook supply chain amplification. A single compromised MSP instance granted persistent lateral access to numerous clients. MSPs must enforce MFA on all RMM platforms, restrict API access by IP, and enforce network-layer client isolation.


Key Themes This Week

  • Nation-state escalation into physical disruption: Both Russia (SOHO router DNS hijacking) and Iran (OT/SCADA manipulation at water and energy sites) moved beyond espionage into operations with real-world operational impact.

  • Supply chain and third-party access dominate breach vectors: Adobe (BPO), ChipSoft (healthcare vendor), and DragonForce (MSP/RMM) all exploited trusted third-party relationships — vendor risk management remains a critical gap.

  • AI as both sword and shield: Project Glasswing crystallised the dual-use dilemma — the same frontier AI capability that finds thousands of zero-days for defenders also dramatically lowers the bar for sophisticated offensive operations.


So long and thanks for reading all the phish!
