Apr 04 2026

Welcome to Gone Phishing, where the only thing getting hooked is bad actors. No bots, no fluff, just the week's most dangerous catches. 🎣
That's the AI paradox hiding in your CX stack. Tickets close. Customers leave. And most teams don't see it coming because they're measuring the wrong things.
Efficiency metrics look great on paper. Handle time down. Containment rate up. But customer loyalty? That's a different story — and it's one your current dashboards probably aren't telling you.
Gladly's 2026 Customer Expectations Report surveyed thousands of real consumers to find out exactly where AI-powered service breaks trust, and what separates the platforms that drive retention from the ones that quietly erode it.
If you're architecting the CX stack, this is the data you need to build it right. Not just fast. Not just cheap. Built to last.
1. Interlock Ransomware Exploits Cisco FMC Zero-Day CVE-2026-20131 (CVSS 10.0)
The Interlock ransomware group exploited a maximum-severity insecure Java deserialization bug in Cisco Secure Firewall Management Center as a zero-day for 36 days before public disclosure on March 4, 2026. Amazon Threat Intelligence confirmed exploitation began January 26, deploying web shells, custom RATs, and ConnectWise ScreenConnect. CISA ordered federal agencies to patch by March 22.
Read more →
2. North Korean Group UNC1069 Behind Axios npm Supply Chain Attack (83M Weekly Downloads)
Google attributed the compromise of the Axios JavaScript library to North Korean threat cluster UNC1069 (Sapphire Sleet/BlueNoroff). Attackers hijacked the maintainer's npm and GitHub accounts on March 31, 2026, injected a malicious dependency deploying a cross-platform RAT, and had pre-staged the attack 18 hours in advance with OS-specific payloads. Developers who installed Axios 1.14.1 during the ~3-hour window should rotate all credentials immediately.
Read more →
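A quick way to act on the rotation advice above, as an added example (not code from the newsletter or the Axios project): it walks an npm package-lock.json in the v1, v2 or v3 format and flags every copy of axios pinned at 1.14.1, including transitive copies nested under other packages' node_modules directories. The sample lockfiles are constructed; the version set is the one named in the story.

```javascript
"use strict";

// Added example, not from the newsletter or the Axios project: find installs of
// the Axios version named in the story inside an npm lockfile.

// Versions the story calls out as installed during the compromise window.
const COMPROMISED_AXIOS_VERSIONS = new Set(["1.14.1"]);

// Package name from a lockfile v2/v3 "packages" key, e.g.
// "node_modules/foo/node_modules/axios" -> "axios" (scoped names keep their scope).
function packageNameFromKey(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? key : key.slice(idx + marker.length);
}

// Walk a parsed lockfile object and return every install path where `name`
// is present at a version contained in `versions`.
function findCompromisedInstalls(lock, name, versions) {
  const hits = [];
  if (lock.packages && typeof lock.packages === "object") {
    // lockfileVersion 2 or 3: flat map keyed by install path ("" is the root project).
    for (const [key, entry] of Object.entries(lock.packages)) {
      if (key === "" || !entry) continue;
      if (packageNameFromKey(key) === name && versions.has(entry.version)) {
        hits.push({ path: key, version: entry.version });
      }
    }
  } else if (lock.dependencies && typeof lock.dependencies === "object") {
    // lockfileVersion 1: nested tree, each entry may carry its own `dependencies`.
    const walk = (deps, prefix) => {
      for (const [depName, entry] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${depName}`;
        if (depName === name && entry && versions.has(entry.version)) {
          hits.push({ path, version: entry.version });
        }
        if (entry && entry.dependencies) walk(entry.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Read a lockfile from disk and scan it (file path supplied by the caller).
function scanLockfile(filePath) {
  const fs = require("node:fs");
  const lock = JSON.parse(fs.readFileSync(filePath, "utf8"));
  return findCompromisedInstalls(lock, "axios", COMPROMISED_AXIOS_VERSIONS);
}

// Constructed sample (v3): one direct copy at 1.14.1, one transitive copy at 1.13.0.
const SAMPLE_LOCKFILE_V3 = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { axios: "^1.14.0" } },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/some-sdk": { version: "2.0.0", dependencies: { axios: "1.13.0" } },
    "node_modules/some-sdk/node_modules/axios": { version: "1.13.0" },
  },
};

// Constructed sample (v1): the only affected copy is transitive.
const SAMPLE_LOCKFILE_V1 = {
  name: "legacy-app",
  lockfileVersion: 1,
  dependencies: {
    "some-sdk": { version: "2.0.0", dependencies: { axios: { version: "1.14.1" } } },
  },
};

// Usage: node scan-axios-lock.js [path/to/package-lock.json]; without a path the
// constructed v3 sample is scanned.
const hits = process.argv[2]
  ? scanLockfile(process.argv[2])
  : findCompromisedInstalls(SAMPLE_LOCKFILE_V3, "axios", COMPROMISED_AXIOS_VERSIONS);
for (const h of hits) console.log(`axios ${h.version} installed at ${h.path}`);
if (hits.length === 0) console.log("no affected axios versions in lockfile");
```

A hit only says the affected version is pinned in the lockfile; the story's advice is tied to installs made during the ~3-hour window, so pair a hit with the install time (the package directory's timestamps, CI logs) and rotate the credentials that build or runtime could reach.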
3. Chrome Zero-Day CVE-2026-5281 Actively Exploited — 4th Chrome 0-Day of 2026
Google patched CVE-2026-5281, a use-after-free bug in Dawn (Chrome's WebGPU layer), after confirming active in-the-wild exploitation. The flaw enables arbitrary code execution as part of an exploit chain and affects all Chromium-based browsers. CISA added it to the KEV catalog on April 1 with a federal deadline of April 15. Update Chrome to 146.0.7680.177/178 immediately.
Read more →
4. Langflow AI Platform CVE-2026-33017 Exploited Within 20 Hours of Disclosure
A critical unauthenticated RCE flaw (CVSS 9.3) in the Langflow AI platform was weaponized in under 20 hours of advisory publication — no public PoC needed. Sysdig observed 1,000+ exploitation attempts dropping info-stealers, reverse shells, and cryptominers; attackers could also extract OpenAI, Anthropic, and AWS API keys stored in instances. CISA added it to the KEV catalog March 25 with a federal deadline of April 8. Patch beyond version 1.8.1 immediately.
Read more →
5. China's Red Menshen Upgrades BPFDoor Backdoor to Spy on Global Telecom Networks
Rapid7 revealed that Chinese APT Red Menshen (Earth Bluecrow) has significantly upgraded its BPFDoor kernel implant to hide activation triggers inside HTTPS traffic and specifically target SCTP — the signaling backbone of 4G/5G networks — granting population-scale access to SMS contents, subscriber identities, and location data. New variants disguise themselves as HPE ProLiant or Kubernetes processes. Rapid7 has released a detection script for Linux systems.
Read more →
6. Citrix NetScaler CVE-2026-3055 (CVSS 9.3) Moves From Disclosure to Active Exploitation
A critical memory overread flaw in Citrix NetScaler ADC and Gateway rapidly escalated from disclosure to active reconnaissance to confirmed exploitation within days. Security firm watchTowr compared it to the notorious CitrixBleed, noting the required SAML IDP configuration is common in SSO deployments. CISA added CVE-2026-3055 to the KEV catalog on March 20. Patch to NetScaler 14.1-66.59 or later immediately.
Read more →
7. Oracle Health Breach Exposes Patient Data Across US Hospitals
Oracle Health (formerly Cerner) confirmed a breach of legacy Cerner migration servers affecting patient data from multiple US hospitals. Attackers accessed the servers using compromised customer credentials and exfiltrated data to an external location; Oracle is notifying affected hospitals individually rather than via public disclosure. The incident has drawn scrutiny from the HHS Office for Civil Rights over potential HIPAA notification delays.
Read more →
8. CERT-UA Impersonated in Phishing Campaign Delivering AGEWHEEZE RAT to 1 Million Emails
Threat actors tracked as UAC-0255 impersonated Ukraine's own cybersecurity agency (CERT-UA) on March 26–27, 2026, distributing a Go-based RAT dubbed AGEWHEEZE via password-protected ZIP files, claiming to have reached 1 million ukr.net mailboxes and compromised 200,000 devices. Targets spanned Ukrainian state bodies, hospitals, financial institutions, and software developers — highlighting how trusted cybersecurity brands are weaponized in active conflict zones.
Read more →
9. DragonForce Ransomware Cartel Strikes MSP via SimpleHelp in Supply Chain Attack
DragonForce breached a managed service provider by exploiting a chain of SimpleHelp RMM vulnerabilities (CVE-2024-57726/27/28), then pivoted through the MSP's trusted access to hit downstream customers with ransomware and data theft. The group now operates as a full white-label ransomware cartel offering affiliates an 80% profit split and full infrastructure support, dramatically lowering the criminal entry barrier. MSPs should urgently patch SimpleHelp and enforce strict customer network isolation.
Read more →
10. Cisco Patches Dual CVSS 9.8 Flaws: IMC Authentication Bypass and SSM On-Prem RCE
Cisco patched CVE-2026-20093, a flaw in Integrated Management Controller (IMC) allowing unauthenticated remote attackers to bypass authentication and take over any user account including Admin via a crafted HTTP request, and CVE-2026-20160 in Smart Software Manager On-Prem enabling unauthenticated OS command execution. The IMC flaw is especially dangerous as it operates out-of-band from the host OS, meaning compromise persists through reboots. No workarounds exist — only patching resolves these issues.
Read more →
Zero-day windows are collapsing — Cisco FMC, Chrome, Citrix, and Langflow were all exploited before or within hours of disclosure. Real-time patch prioritization is no longer optional.
Supply chain is the preferred nation-state vector — North Korea's Axios compromise and DragonForce's MSP attack both weaponize trusted software delivery pipelines and management tools for maximum blast radius.
AI tools are opening underdefended attack surfaces — From Langflow exposing stored AI API keys to an AI agent discovering a Microsoft RCE, the AI layer of the modern stack is rapidly becoming a critical security frontier most organizations haven't hardened.

Retirement savings face two quiet threats: cash flow gaps and inflation eroding purchasing power over time. The 15-Minute Retirement Plan helps investors with $1,000,000 or more account for both and build a portfolio designed to last the distance.

Let us know what you think.
So long and thanks for reading all the phish!
