# Top Stories

Microsoft released patches for 167 vulnerabilities in April 2026 Patch Tuesday, including an actively exploited SharePoint Server zero-day and a publicly disclosed Windows Defender flaw called "BlueHammer." Google also patched its fourth Chrome zero-day of 2026, while Adobe fixed an actively exploited Reader vulnerability enabling remote code execution.

Microsoft's April 2026 Patch Tuesday addresses 167 security flaws including 2 zero-day vulnerabilities, marking the second-largest monthly security update on record by CVE count. The patches include fixes for elevation-of-privilege bugs that comprised over half of the vulnerabilities addressed.

Security researchers discovered over 100 malicious Chrome extensions in the official Web Store targeting users' Google OAuth2 Bearer tokens, deploying backdoors, and conducting ad fraud. These extensions represent a significant supply chain threat through Google's official distribution channel.

CISA added 6 actively exploited vulnerabilities to its KEV catalog, including CVE-2026-21643 (CVSS 9.1) affecting Fortinet FortiClient EMS through SQL injection, plus Microsoft and Adobe flaws. The additions indicate ongoing active exploitation of these critical security defects in enterprise environments.

A fake Ledger Live app distributed through Apple's App Store stole approximately $9.5 million in cryptocurrency from 50 victims within just a few days in April 2026. The malicious macOS application successfully bypassed Apple's security review process to target crypto wallet users.

Education company McGraw-Hill confirmed hackers exploited a Salesforce misconfiguration to access internal data and subsequently made extortion threats. The breach highlights risks from cloud service misconfigurations in enterprise environments handling sensitive educational data.

Europe's largest gym chain Basic-Fit reported a data breach affecting 1 million members across multiple EU countries, with hackers stealing names, dates of birth, and bank account details. The incident represents one of the largest fitness industry breaches affecting European consumers.

Cryptocurrency exchange Kraken disclosed that cybercriminals are attempting extortion after an insider breach, threatening to release videos showing internal systems containing client data. The incident highlights insider threat risks at major financial platforms handling sensitive customer information.

The FBI and Indonesian law enforcement dismantled the W3LL phishing tool that allowed hackers to create fake login portals for major services at just $500 per license. This takedown disrupts a widely-used cybercrime-as-a-service platform that enabled large-scale credential theft operations.

Security expert Bruce Schneier analyzes Anthropic's restricted Claude Mythos Preview model and Project Glasswing initiative, which aims to find and patch vulnerabilities before the AI model's offensive capabilities become publicly available. The analysis examines implications of AI-powered vulnerability discovery outpacing traditional security practices.