Weekly Top 10 Cybersecurity Updates — April 17–24, 2026

Apr 25 2026


Welcome to Gone Phishing, where the only thing getting hooked is bad actors. No bots, no fluff, just the week's most dangerous catches. 🎣



Weekly Cybersecurity Briefing — April 17–24, 2026

Critical  ·  Dark Reading

1. Three Windows Defender Zero-Days Now Exploited in the Wild

A disgruntled researcher leaked three Windows Defender zero-day exploits — BlueHammer (CVE-2026-33825), RedSun, and UnDefend — over 13 days, and Huntress confirmed on April 17 that all three are being actively used in real attacks. BlueHammer is a TOCTOU local privilege escalation flaw exploited since April 10; RedSun abuses Defender cloud file rollback; UnDefend gradually degrades Defender protection. Microsoft has only patched BlueHammer; two remain unpatched — CISA added CVE-2026-33825 to its KEV catalog on April 22 with a May 6 federal deadline.



Breach  ·  BleepingComputer

2. Vercel Confirms Supply Chain Breach — Data Listed for $2M on BreachForums

Vercel confirmed a breach tied to a supply chain attack on AI tool Context.ai: a Context.ai employee PC was infected with Lumma Stealer via fake Roblox cheats in February, harvesting credentials used to steal a Vercel OAuth token and access internal environment variables. ShinyHunters claimed to be selling customer API keys, source code, and database data for $2 million on BreachForums. Vercel contacted a limited subset of affected customers to rotate credentials immediately, warning of potential downstream breaches across hundreds of organizations.



Government Breach  ·  SC Media

3. France National ID Agency (ANTS) Breached — 19 Million Records Allegedly Stolen

France Titres (ANTS), the agency issuing French passports, national ID cards, and driver licences, confirmed a breach detected April 15 after threat actor breach3d listed 19 million records for sale on a dark web forum. Exposed data includes full names, email addresses, dates of birth, postal addresses, and account identifiers. The breach has triggered widespread phishing alerts; CNIL, national cybersecurity agency ANSSI, and the Paris Public Prosecutor are now all engaged in the investigation.



AI Security  ·  The Hacker News

4. Anthropic MCP Design Flaw Exposes 150M+ Downloads to Remote Code Execution

OX Security disclosed a critical architectural vulnerability in Anthropic Model Context Protocol (MCP) that allows arbitrary OS command execution across all implementations (Python, TypeScript, Java, Rust) via the STDIO interface. The flaw affects over 7,000 publicly accessible servers, 150 million+ total downloads, and an estimated 200,000 vulnerable instances in products including LiteLLM, LangFlow, Windsurf, Cursor, and Flowise — with 14 CVEs already assigned. Anthropic has declined to modify the architecture, stating the behavior is expected, leaving the root cause unaddressed at the protocol level.



Vulnerability  ·  BleepingComputer

5. Microsoft Emergency Out-of-Band Patch: ASP.NET Core SYSTEM Privilege Escalation (CVE-2026-40372, CVSS 9.1)

Microsoft released an emergency out-of-band update on April 21 for a critical privilege escalation flaw (CVE-2026-40372, CVSS 9.1) introduced accidentally in the April 14 Patch Tuesday .NET 10.0.6 release. The bug causes ASP.NET Core Data Protection to compute HMAC validation over incorrect payload bytes, allowing unauthenticated attackers to forge authentication cookies and gain SYSTEM-level access. Organizations using .NET 10.0.0 through 10.0.6 should immediately upgrade the Microsoft.AspNetCore.DataProtection package to version 10.0.7.
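As an added example (not the newsletter's or Microsoft's code), a small check that scans .csproj or Directory.Packages.props content for a pinned Microsoft.AspNetCore.DataProtection version in the 10.0.0 through 10.0.6 range called out above; the project file inside the block is a constructed sample.

```python
"""Flag .NET project files pinning Microsoft.AspNetCore.DataProtection in the
affected 10.0.0 through 10.0.6 range (fixed in 10.0.7), as stated in the item.
Added example, not from the newsletter or Microsoft; the sample is constructed."""
import re

PACKAGE = "Microsoft.AspNetCore.DataProtection"
VULN_MIN, VULN_MAX = (10, 0, 0), (10, 0, 6)   # affected range from the item
FIXED = "10.0.7"

# <PackageReference .../> in .csproj and <PackageVersion .../> in
# Directory.Packages.props (central package management); attributes in any order.
_TAG = re.compile(r"<Package(?:Reference|Version)\b([^>]*)>", re.I)
_ATTR = re.compile(r'\b(Include|Version)="([^"]*)"', re.I)

def parse_version(text):
    """'10.0.6-preview.1' -> (10, 0, 6); missing components default to 0."""
    parts = text.split("-", 1)[0].split(".")[:3]
    if not all(p.isdigit() for p in parts):
        return None   # wildcard pins such as "10.0.*" need manual review
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums))

def vulnerable_refs(project_xml):
    """Return (package, version) pairs whose pinned version is in the affected range."""
    findings = []
    for attrs in _TAG.findall(project_xml):
        a = {k.lower(): v for k, v in _ATTR.findall(attrs)}
        name, ver = a.get("include"), a.get("version")
        if not (name and ver):
            continue   # version supplied elsewhere (e.g. central package management)
        pv = parse_version(ver)
        if name.lower() == PACKAGE.lower() and pv is not None and VULN_MIN <= pv <= VULN_MAX:
            findings.append((name, ver))
    return findings

# Constructed sample project file (not from any real project).
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.DataProtection" Version="10.0.5" />
    <PackageReference Version="13.0.3" Include="Newtonsoft.Json" />
  </ItemGroup>
</Project>"""

if __name__ == "__main__":
    for name, ver in vulnerable_refs(SAMPLE_CSPROJ):
        print(f"{name} {ver} is in the affected range; upgrade to {FIXED}")
```

Applications that get Data Protection from the Microsoft.AspNetCore.App shared framework rather than an explicit package reference will not appear here; check the installed runtime version for those.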



Regulatory  ·  The Hacker News

6. CISA Adds 8 Actively Exploited Vulnerabilities to KEV Catalog

CISA added eight exploited vulnerabilities to its KEV catalog on April 21, targeting widely deployed enterprise products: PaperCut NG/MF, JetBrains TeamCity, Quest KACE SMA, Zimbra Collaboration Suite, Kentico Xperience, and three Cisco Catalyst SD-WAN Manager flaws. Federal agencies face two patching deadlines — April 23 and May 4, 2026. The Cisco SD-WAN flaws are particularly severe, prompting CISA to separately issue Emergency Directive 26-03 and dedicated Hunt & Hardening Guidance for those devices.



Geopolitical  ·  The Hacker News

7. Sanctioned Russian Crypto Exchange Grinex Shuts Down After $13.7M Hack

Grinex, a Russia-linked cryptocurrency exchange used to evade Western sanctions, halted all operations on April 17 after a cyberattack drained approximately $13.74 million, primarily in USDT on the TRON blockchain. The exchange blamed hostile states and Western intelligence agencies, claiming state-level sophistication — though Elliptic and TRM Labs found no technical evidence supporting this attribution. The incident disrupts a key sanctions-evasion financial channel and raises questions about offensive cyber operations targeting financial infrastructure.



Emergency Directive  ·  BleepingComputer

8. CISA Issues Emergency Directive 26-03 for Cisco Catalyst SD-WAN Manager

CISA issued Emergency Directive 26-03 targeting three actively exploited Cisco Catalyst SD-WAN Manager vulnerabilities (CVE-2026-20122, CVE-2026-20128, CVE-2026-20133), setting an April 23 federal deadline. The flaws allow remote attackers to view sensitive system information, overwrite system files via privileged API abuse, and extract stored credentials from affected devices, respectively. CISA also published dedicated Hunt & Hardening Guidance reflecting confirmed exploitation across federal networks and the need for immediate containment.



Vulnerability  ·  The Register

9. 13-Year-Old Apache ActiveMQ Flaw Resurfaces as Actively Exploited (CVE-2026-34197)

CISA added CVE-2026-34197 (CVSS 8.8), a long-dormant improper input validation flaw in Apache ActiveMQ Classic, to its KEV catalog after evidence of active exploitation emerged. Attackers invoke the Jolokia management API to trick the broker into fetching a remote configuration file and running arbitrary OS commands; Shadowserver identified 6,364 vulnerable internet-facing servers on April 19. CISA set a federal patching deadline of April 30 — administrators should upgrade to ActiveMQ 5.19.4 or 6.2.3 without delay.



Vulnerability  ·  Dark Reading

10. Critical React and Next.js Flaw Triggers Urgent Calls for Immediate Action

A critical vulnerability (CVE-2026-23864) in React and Next.js enabling denial-of-service via memory exhaustion has drawn urgent patching calls this week, with Akamai researchers estimating 39% of cloud environments are exposed. Exploitable without authentication via crafted requests to React Server Component-based applications, the flaw can take services offline at scale. Organizations should upgrade to the latest patched versions of React 19.x and Next.js 15.x/16.x immediately given the broad ecosystem footprint.


🔍 Key Themes This Week

• Exploit weaponization is outpacing patch cycles. Three actively exploited Windows Defender zero-days (two still unpatched), an emergency out-of-band ASP.NET fix, and a wave of CISA KEV additions confirm attackers are operationalizing vulnerabilities within days — often before patches exist. Patch windows have effectively collapsed.

• AI tooling and supply chains are now prime attack vectors. The Vercel/Context.ai breach and the Anthropic MCP architectural flaw both illustrate how AI infrastructure creates novel trust boundaries — OAuth integrations, MCP server deployments, and agentic pipelines are high-value targets with cascading downstream impact.

• Government and critical infrastructure data remains acutely at risk. France Titres (19M national ID records), CISA Emergency Directive 26-03 for Cisco SD-WAN, and the resurgence of 13-year-old ActiveMQ exploits collectively highlight sustained pressure on government systems and the danger of unpatched legacy infrastructure.
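As an added example (not from the newsletter), a small triage routine that reads a KEV-shaped feed excerpt, matches entries to an asset inventory, and ranks them by federal due date, turning the compressed deadlines discussed above into a worklist; the feed excerpt and inventory are constructed samples using only CVE ids and dates cited in this issue.

```python
"""Triage CISA KEV entries against a local asset inventory.
Added example, not from the newsletter. KEV_SAMPLE is a constructed excerpt in
the shape of CISA's known_exploited_vulnerabilities.json feed, using only CVE
ids and due dates cited in this issue; INVENTORY is a constructed asset list."""
import json
from datetime import date

KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-33825", "vendorProject": "Microsoft", "product": "Windows Defender",
     "dateAdded": "2026-04-22", "dueDate": "2026-05-06"},
    {"cveID": "CVE-2026-20122", "vendorProject": "Cisco", "product": "Catalyst SD-WAN Manager",
     "dateAdded": "2026-04-21", "dueDate": "2026-04-23"},
    {"cveID": "CVE-2026-34197", "vendorProject": "Apache", "product": "ActiveMQ Classic",
     "dateAdded": "2026-04-21", "dueDate": "2026-04-30"},
]})

# Constructed inventory: product name (matched as a case-insensitive substring
# of "<vendorProject> <product>") -> hosts running it.
INVENTORY = {"Windows Defender": ["ws-001", "ws-002"], "ActiveMQ Classic": ["mq-prod-1"]}

def parse_kev(raw):
    """Reduce feed records to the fields triage needs; due dates become date objects."""
    return [{"cve": v["cveID"],
             "product": f'{v["vendorProject"]} {v["product"]}',
             "due": date.fromisoformat(v["dueDate"])}
            for v in json.loads(raw)["vulnerabilities"]]

def triage(entries, inventory, today_iso, horizon_days=7):
    """Return exposed hosts per CVE, tightest deadline first.

    Entries for products absent from the inventory are dropped. Status is
    'overdue' past the due date, 'urgent' within horizon_days, else 'scheduled'.
    """
    today = date.fromisoformat(today_iso)
    hits = []
    for e in entries:
        hosts = sorted(h for name, hs in inventory.items()
                       if name.lower() in e["product"].lower() for h in hs)
        if not hosts:
            continue
        left = (e["due"] - today).days
        status = "overdue" if left < 0 else "urgent" if left <= horizon_days else "scheduled"
        hits.append({"cve": e["cve"], "hosts": hosts, "days_left": left, "status": status})
    return sorted(hits, key=lambda h: h["days_left"])

if __name__ == "__main__":
    for hit in triage(parse_kev(KEV_SAMPLE), INVENTORY, "2026-04-25"):
        print(hit)
```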


Let us know what you think.

So long and thanks for reading all the phish!
