Mythos Preview found thousands of zero-days across every major OS and browser in a matter of weeks. Anthropic was nervous enough about it to not release it publicly. That's notable. What's also notable is that "thousands of critical vulnerabilities" describes a perfectly ordinary patch Tuesday for most security teams — the backlog isn't new, the speed is.
The uncomfortable truth Project Glasswing surfaces isn't that attackers are about to get a superpower (they are), it's that defenders have been relying on a fundamentally broken triage model for years. CVSS 10 gets the fire drill. The exploitable CVSS 6 sitting on an internet-facing legacy box gets the backlog. That gap is the actual attack surface. AI-accelerated discovery doesn't fix it — it just makes it more expensive to ignore.
Let’s now dive into this week’s top insights! 🚀
🔓 BREACHES & SECURITY INCIDENTS
🇺🇸 Medical device maker Stryker said a March 11 cyberattack disrupted operations and will affect first-quarter results. The company says it has no cyber insurance and faces lawsuits and data theft claims. Hacktivists claim they wiped devices and exfiltrated large amounts of Stryker data.
💸 Kraken says criminals are extorting them with videos showing limited internal support-system access. The company says systems were not breached, funds are safe, and about 2,000 accounts (0.02%) had limited support-data exposure. Kraken revoked access, will not pay, and is working with law enforcement to prosecute those responsible.
🇺🇸 McGraw-Hill says hackers exploited a Salesforce misconfiguration to access a limited set of data on a hosted webpage. The company insists no Salesforce accounts, customer databases, student records, SSNs, or financial data were exposed. Extortion group ShinyHunters claims a much larger haul and threatened to leak data.
🇺🇸 Cookeville Regional Medical Center in Tennessee suffered a ransomware attack that exposed personal and medical data. The breach, discovered July 14, 2025, affects over 337,000 people and may include SSNs, medical records, and financial details. The hackers leaked about 500 GB of stolen data after failing to sell it.
✈ Booking.com says hackers may have accessed customers’ personal data like names, emails, addresses, phone numbers, and booking details. Some customers reported receiving phishing messages that used stolen booking information. The company says it contained the issue, updated reservation PINs, and that financial data was not accessed.
🪩 🕺 RCI Hospitality disclosed a data breach after an IDOR vulnerability in an IIS web server allowed unauthorized access starting March 19. The exposed data included names, birth dates, contact info, SSNs, and driver’s license numbers of many independent contractors. The company says customer and financial systems were not affected and it does not expect a material impact.
🇪🇺 🏋️‍♂️ Dutch gym chain Basic-Fit says hackers accessed data for about 1 million members across several European countries. Exposed information includes names, addresses, emails, phone numbers, birthdates, bank details, and membership data. The company stopped the intrusion quickly, informed affected members, and is investigating with external security experts.
🥷🏻 CYBERCRIME, CYBER ESPIONAGE, APTs
❌ Law enforcement from 21 countries seized 53 DDoS-for-hire domains and arrested four people in Operation PowerOFF. They recovered data on over 3 million user accounts and warned more than 75,000 alleged participants to stop. The operation disrupted infrastructure used to launch attacks that target websites, networks, and services.
🇰🇵 ➡ 🇺🇸 Two U.S. citizens were sentenced to prison for helping North Korea place fake IT workers in American companies. The scheme used laptop farms and stolen identities to steal about $5 million and access U.S. company systems. The operation helped fund North Korea and risked U.S. national security.
❌ The FBI says it dismantled a global phishing operation called W3LL that targeted over 17,000 victims. Authorities arrested the alleged developer and seized key domains after working with Indonesian police. The W3LL kit let criminals buy fake login pages and sell stolen credentials, enabling millions in attempted fraud.
🇹🇭 🇩🇪 Bangkok police arrested 27-year-old German Noah Christopher, wanted on 74 European warrants for running ransomware and cyberattack-for-hire platforms. Investigators say he developed services that enabled global DDoS attacks and ransom payments in cryptocurrency. His visa was revoked and he is held for extradition to Germany.
🗓️ {Cyber,Info}Sec Events — A community-maintained list of infosec conferences worldwide. Subscribe to the ICS calendar feed to get events straight into your calendar, or follow @[email protected] on Mastodon for weekly digests. Contributions and ⭐ welcome!
👨🏻‍⚖️ 👀 GOVERNMENT, POLITICS, AND PRIVACY
🇺🇸 Nicholas Moore admitted hacking the U.S. Supreme Court’s electronic filing system and other government networks. He posted stolen personal data online and used a victim’s login to break in. He was sentenced to one year of probation after prosecutors sought no prison time.
🇺🇸 ❌ 🎒 CISA has canceled this year’s CyberCorps summer internships because DHS is unfunded. This leaves Scholarship for Service students without required placements and disrupts their career plans. Officials say agencies are working to place or defer students once the shutdown ends.
🇺🇸 Senator Markwayne Mullin’s confirmation as Homeland Security Secretary is important, but CISA still lacks a Senate-confirmed director. Sean Plankey, a qualified cybersecurity leader, should be confirmed to close that gap. Rising global cyber threats make CISA leadership urgent for national security.
🦠 MALWARE & THREATS
💧 ZionSiphon is new malware aimed at sabotaging water treatment and desalination systems. It can raise chlorine levels and change pressure by editing control files, but a coding error currently prevents it from working. Researchers warn future fixes could make it dangerous, especially against Israeli targets.
🇺🇦 🏥 CERT-UA says a group called UAC-0247 ran a malware campaign from March–April 2026 targeting Ukrainian clinics, hospitals, and government bodies to steal data from Chromium-based browsers and WhatsApp. Attackers used phishing links to deliver LNK/HTA files that drop loaders (RAVENSHELL, AGINGFLY, SILENTLOOP) and tools to exfiltrate credentials, run commands, and tunnel traffic. CERT-UA advises blocking execution of LNK, HTA, and JS files and of tools like mshta.exe, powershell.exe, and wscript.exe to reduce risk.
⚠ 🎠 A fake Claude website tricked users into downloading a trojanized installer that looks like the real Anthropic app. The installer runs a VBScript that sideloads a signed updater to deploy the PlugX remote access trojan. PlugX connects to a C2 server and persists via startup files, hiding its traces and making attribution difficult.
🎠 🏦 JanelaRAT is a banking trojan that targets Latin American banks, stealing financial and crypto data and monitoring user activity. In 2025, Kaspersky recorded 14,739 attacks in Brazil and 11,695 in Mexico, with infections spread via phishing, ZIPs, VBScript, and malicious MSI installers using DLL side-loading. The malware uses browser extensions, window-title detection, overlays, keystroke capture, and remote commands to harvest credentials and evade detection.
🧩 Researchers found 108 malicious Chrome extensions that share the same backend and steal user data while injecting ads and scripts. About 20,000 installs across five publisher identities exfiltrate Google and Telegram credentials and bypass security headers. Users should remove these extensions and log out of Telegram Web immediately.
🇰🇵 🎠 North Korea-linked APT37 used fake Facebook accounts to befriend targets and move them to Messenger and Telegram. They tricked victims into installing a tampered Wondershare PDF viewer that ran shellcode and fetched a JPG carrying RokRAT. The malware used compromised legitimate sites and cloud services for stealthy command-and-control and remote access.
🎠 Attackers briefly hacked CPUID’s site to replace CPU-Z and HWMonitor downloads with trojanized installers that delivered a malicious DLL. The DLL installed STX RAT, a remote-access trojan that steals data and enables full remote control. Over 150 victims — mainly in Brazil, Russia, and China — were hit before the compromise was detected.
🤖 🧰 AI, CRYPTO, TECH & TOOLS
⏩ 🐛 Top cyber groups in the US and UK warn Claude Mythos and similar AIs make finding and weaponizing vulnerabilities much faster, lowering the skill needed for serious attacks. Tests show Mythos can solve many expert-level challenges and complete large multi-step simulated attacks on weak networks. Experts say defenders face harder, slower fixes because organizations must balance bureaucracy and legacy tech against fast, automated threats.
📞 🎠 A cybercrime platform called ATHR consolidates the entire TOAD (telephone-oriented attack delivery) kill chain into a single AI-powered product, sold on criminal networks for $4,000 plus a cut of profits. It ships with a built-in spoofing mailer, brand-accurate phishing panels for eight platforms (including Coinbase, Google, and Microsoft), and AI voice agents that handle the full social engineering call without a human operator. Lure emails pass SPF, DKIM, and DMARC checks, carry no malicious links, and are personalized per target — leaving traditional email security controls with almost nothing to flag.
🐛 A design flaw in Anthropic’s Model Context Protocol (MCP) STDIO implementation can let attackers run commands and take over local systems. OX Security showed the flaw is widely inherited, easily exploitable, and exposes millions of users and sensitive data. Anthropic has not fixed the root cause, only issued cautious guidance, leaving developers to shoulder the security risk.
🆕 OpenAI released GPT-5.4-Cyber, a version of GPT-5.4 tuned for defensive cybersecurity. They are expanding Trusted Access for Cyber to many verified defenders and teams. OpenAI says this aims to speed fixes while limiting misuse through careful, controlled rollout and stronger safeguards.
🍎 OpenAI found a GitHub Actions workflow used to sign its macOS apps downloaded a malicious Axios package but says no user data was accessed. It is revoking and rotating the signing certificate and will block older macOS app versions after May 8, 2026. The Axios and related Trivy supply-chain attacks exposed stolen secrets and widespread risk across open-source ecosystems.
💸 An international law enforcement action called Operation Atlantic identified over 20,000 victims of cryptocurrency fraud across Canada, the U.K., and the U.S. Authorities froze more than $12 million and traced over $45 million in stolen crypto while disrupting approval-phishing and investment scams. Officials said public-private cooperation was key and vowed to keep pursuing criminals and helping victims.
🔓 A severe bug in GitHub Copilot Chat let attackers hide instructions in pull requests to make the AI steal secrets from private repos. The stolen data was exfiltrated covertly through GitHub’s own image proxy, bypassing normal network controls. This attack shows AI assistants with context access can be abused for data theft and requires new endpoint defenses.
🐛 🧠 VULNERABILITIES, RESEARCH, AND THREAT INTELLIGENCE
➝ From the Patching Department:
🎯 NIST will only prioritize detailed analysis for CVEs tied to exploited, federal, or critical software to handle a huge and growing backlog. Many other CVEs will still appear in the NVD but without extra enrichment or CVSS scoring. The change shifts more responsibility to CNAs and private groups as vulnerabilities surge.
💰 Microsoft paid $2.3 million to researchers after nearly 700 submissions to its Zero Day Quest hacking contest. Over 80 high-impact cloud and AI vulnerabilities were found during the live event. The contest supports Microsoft’s Secure Future Initiative to improve cloud and AI security.
🩹 🌐 Esri issued urgent April 2026 security patches for two critical ArcGIS credential vulnerabilities that let API keys and OAuth2 tokens gain excessive permissions. Cloud services were patched, but on-premises Portal for ArcGIS (11.5 and 12.0) admins must apply the updates now. If you cannot patch immediately, disable or audit all API keys and OAuth tokens until you do.
💥 A critical Nginx UI vulnerability (CVE-2026-33032) tied to its AI integration has been exploited in the wild. Researchers found thousands of exposed instances and published exploit details, letting attackers take full control of servers. This joins other recent Nginx UI flaws that can leak backups or let attackers modify user resources.
Figure: Shodan search results showing 2,689 publicly exposed nginx-ui instances (source: pluto.security)
🔓 A critical flaw (CVE-2026-5194) in the wolfSSL library lets weak or incorrectly sized hashes be accepted when verifying ECDSA and other signatures. Attackers could use this to make vulnerable devices or apps accept forged certificates and malicious servers. Users should update to wolfSSL 5.9.1 and check vendor packages or firmware for fixes.
💥 A critical pre-auth RCE in Marimo (CVE-2026-39987) let unauthenticated users access an interactive shell via /terminal/ws. Attackers exploited it within hours to quickly steal .env secrets and SSH keys. Users must upgrade to 0.23.0, block /terminal/ws, and rotate exposed credentials.
🛰️ ICS, OT & IoT
🩹 ICS Patch Tuesday — Eight major industrial vendors (Siemens, Schneider Electric, ABB, Mitsubishi Electric, Rockwell, Aveva, Phoenix Contact, and Moxa) released new ICS security advisories this Patch Tuesday. The fixes range from critical Wi-Fi and authorization flaws to privilege escalation, DoS, and information-disclosure issues across many products. CISA and Germany’s CERT@VDE also published multiple related advisories for other industrial vendors.
🇸🇪 🇷🇺 Sweden says Russian government-linked hackers tried to disrupt a thermal power plant in early 2025 but were stopped by built-in protections. Officials warn these groups are shifting from denial-of-service to destructive attacks on critical infrastructure. Similar attacks on energy and water systems in Europe and Ukraine have been blamed on Russian-linked actors.
💬 CONNECT
Follow me on Mastodon for quick daily updates and bite-sized content.
Prefer using an RSS feed? Add Infosec MASHUP to your feed here.
Enjoying our newsletter? Forward it to a colleague—it’s one of the best ways to support us.
Thanks for reading today’s newsletter, and if you're enjoying it and want to support my work, you can buy me a coffee ☕ over at https://www.buymeacoffee.com/0x58
See you next time!
-X.