# Top Stories

April 11, 2026

  1. The Record threat-intel Apr 10
    ‘It reads like a spy novel’: $280 million theft from Drift involved North Korean fake companies, cutouts

    North Korean operatives conducted a sophisticated $280 million theft from cryptocurrency platform Drift using fake quantitative trading companies as cover. The six-month operation began when attackers approached Drift officials at a crypto conference, demonstrating the evolving tactics of DPRK-linked financial cybercrime groups targeting digital asset platforms.

  2. BleepingComputer general Apr 10
    Nearly 4,000 US industrial devices exposed to Iranian cyberattacks

    Iranian-linked threat actors are targeting nearly 4,000 exposed Rockwell Automation programmable logic controllers (PLCs) in attacks against U.S. critical infrastructure networks. The campaign highlights the vulnerability of industrial control systems and represents a significant escalation in state-sponsored attacks on operational technology environments.

  3. BleepingComputer general Apr 10
    Supply chain attack at CPUID pushes malware with CPU-Z/HWMonitor

    Attackers compromised CPUID's API infrastructure and modified download links on the official website to distribute malware through popular system monitoring tools CPU-Z and HWMonitor. The supply chain attack demonstrates how threat actors are targeting trusted software distribution channels to reach a broad user base of system administrators and enthusiasts.

  4. The Hacker News general Apr 10
    Marimo RCE Flaw CVE-2026-39987 Exploited Within 10 Hours of Disclosure

    A critical remote code execution vulnerability (CVE-2026-39987) in the Marimo Python notebook platform was exploited within 10 hours of public disclosure. The flaw affects all Marimo versions prior to 3.5.1.35 and allows pre-authenticated attackers to execute arbitrary code, highlighting the dangers of immediate weaponization of disclosed vulnerabilities.

  5. The Record threat-intel Apr 09
    Dutch hospitals face disruptions after ransomware attack on software provider ChipSoft

    A ransomware attack on Dutch healthcare software vendor ChipSoft has disrupted digital services at hospitals across the Netherlands, forcing the company to disable patient and provider systems. The incident affects a critical healthcare IT infrastructure provider, demonstrating the cascading impact of attacks on software vendors serving multiple healthcare organizations.

  6. BleepingComputer general Apr 10
    Microsoft: Canadian employees targeted in payroll pirate attacks

    A threat group that Microsoft tracks as Storm-2755 is conducting "payroll pirate" attacks targeting Canadian employees by hijacking their accounts to steal salary payments. The financially motivated campaign represents a new vector for cybercriminals to directly monetize compromised employee credentials through payroll system manipulation.

  7. BleepingComputer general Apr 09
    Hackers exploiting Acrobat Reader zero-day flaw since December

    Attackers have been exploiting an unpatched zero-day vulnerability in Adobe Reader since December using maliciously crafted PDF documents. Security researcher Haifei Li discovered evidence of the ongoing exploitation, indicating a months-long campaign targeting one of the world's most widely deployed document readers.

  8. The Hacker News general Apr 10
    Backdoored Smart Slider 3 Pro Update Distributed via Compromised Nextend Servers

    Threat actors compromised Nextend's update servers to distribute a backdoored version of Smart Slider 3 Pro (version 3.5.1.35) for WordPress and Joomla. The supply chain attack affects a popular slider plugin with over 800,000 active WordPress installations, demonstrating how attackers target plugin update mechanisms to achieve widespread distribution.

  9. BleepingComputer general Apr 09
    New ‘LucidRook’ malware used in targeted attacks on NGOs, universities

    A new Lua-based malware called LucidRook is being deployed by threat group UAT-10362 in spear-phishing campaigns targeting Taiwanese NGOs and universities. The sophisticated stager embeds a Lua interpreter and Rust-compiled libraries within a DLL, representing an evolution in multi-language malware development techniques.

  10. BleepingComputer general Apr 09
    New VENOM phishing attacks steal senior executives' Microsoft logins

    Cybercriminals are using a new phishing-as-a-service platform called "VENOM" to specifically target C-suite executives' Microsoft credentials across multiple industries. The campaign demonstrates the increasing sophistication of credential theft operations focusing on high-value targets within organizations.