# Top Stories
April 17, 2026
1. The Hacker News (general, Apr 17): Apache ActiveMQ CVE-2026-34197 Added to CISA KEV Amid Active Exploitation
Apache ActiveMQ Classic vulnerability CVE-2026-34197 (CVSS 8.8) has been added to CISA's Known Exploited Vulnerabilities catalog due to active exploitation in the wild. Federal agencies must patch this high-severity flaw to prevent potential system compromise through the widely used message broker.
2. BleepingComputer (general, Apr 16): ZionSiphon malware designed to sabotage water treatment systems
Security researchers discovered ZionSiphon, a new malware specifically targeting water treatment and desalination operational technology systems to sabotage critical infrastructure operations. This OT-focused threat demonstrates increasing attacker sophistication in targeting industrial control systems that manage essential water services.
3. BleepingComputer (general, Apr 16): Operation PowerOFF identifies 75k DDoS users, takes down 53 domains
Operation PowerOFF, a coordinated action across 21 countries on April 13, 2026, seized 53 DDoS-for-hire domains and identified over 75,000 users of these illegal services. Law enforcement warned each identified cybercriminal to cease their distributed denial-of-service activities as part of the ongoing crackdown.
4. BleepingComputer (general, Apr 16): New Microsoft Defender “RedSun” zero-day PoC grants SYSTEM privileges
Researcher 'Chaotic Eclipse' released a proof-of-concept exploit for Microsoft Defender zero-day 'RedSun' that grants SYSTEM privileges, marking the second Defender zero-day published in two weeks. This follows the researcher's protest against Microsoft's handling of security researcher relationships and vulnerability disclosure processes.
5. Dark Reading (general, Apr 16): North Korea Uses ClickFix to Target macOS Users' Data
North Korean threat group Sapphire Sleet is using ClickFix attacks targeting macOS users through fake job offers and fraudulent Zoom updates. The campaign steals credentials and sensitive data from Mac systems, expanding North Korea's cyber operations beyond traditional Windows targets.
6. BleepingComputer (general, Apr 16): Hackers exploit Marimo flaw to deploy NKAbuse malware from Hugging Face
Threat actors are exploiting a critical vulnerability in the Marimo reactive Python notebook to deploy NKAbuse malware variants hosted on Hugging Face Spaces. This supply chain attack leverages the popular AI development platform to distribute malware through compromised data science tools.
7. CyberScoop (general, Apr 16): US nationals sentenced for aiding North Korea’s tech worker scheme
Kejia Wang (sentenced to 9 years) and Zhenxing Wang (nearly 8 years) were convicted for operating North Korean IT worker 'laptop farms' that helped operatives obtain jobs at over 100 U.S. companies. Their shell company operation generated more than $5 million for the North Korean government through fraudulent remote work schemes.
8. The Hacker News (general, Apr 16): Newly Discovered PowMix Botnet Hits Czech Workers Using Randomized C2 Traffic
Cisco Talos researchers discovered the PowMix botnet, which has been targeting workers in the Czech Republic since December 2025 and uses randomized command-and-control beaconing intervals to evade network detection. The botnet avoids persistent C2 connections in favor of randomized communication patterns that bypass signature-based security controls.
9. BleepingComputer (general, Apr 16): Data breach at edtech giant McGraw Hill affects 13.5 million accounts
The ShinyHunters extortion group leaked data from 13.5 million McGraw Hill user accounts after breaching the education technology company's Salesforce environment. This massive breach affects one of the largest educational publishers, potentially exposing student and educator personal information.
10. The Hacker News (general, Apr 16): Obsidian Plugin Abuse Delivers PHANTOMPULSE RAT in Targeted Finance, Crypto Attacks
Security researchers identified the REF6598 campaign, which abuses the Obsidian note-taking application to deliver the PHANTOMPULSE RAT against the finance and cryptocurrency sectors. The novel social engineering attack leverages the popular cross-platform productivity tool as an initial access vector for remote access trojan deployment.