
SMS Blaster Busts, OpenEMR Flaws, 600K Roblox Hacks and 25 More Stories

The web is noisy this week. We're seeing some wild new tricks, like people using fake cell towers to send scam texts, while some developers are accidentally downloading tools that peek into their private data during a simple install. It's definitely a busy time to be online.

Security is always a moving target. Millions of servers are currently sitting online without any passwords, and old software bugs are showing up in the most unexpected places. Even with the right fixes available, staying one step ahead is a full-time job for all of us.

Data is moving in strange ways, too. Some browser tools are now legally selling user history for profit, and new kits are making it easier for almost anybody to launch a campaign. You have to see these latest updates to believe them. Let's take a look at the full list...

  1. SMS blaster phishing crackdown

    Canadian authorities have arrested three men for operating an SMS blaster device that masquerades as a cellular tower to send phishing texts to nearby phones. These devices trick handsets into connecting to them by emitting signals that mimic a legitimate tower. “An SMS blaster works by mimicking a legitimate cellular tower. When nearby phones connect to it, users receive fraudulent text messages that appear to come from trusted organizations,” authorities said. “These messages often prompt recipients to click on links that lead to fake websites designed to capture personal information, including banking credentials and passwords.” The three men are facing 44 charges in connection with the crime. Tens of thousands of devices were connected to the blaster over several months, officials said. This is the first time an SMS blaster has been observed in the country.

  2. npm brandsquat data theft

    A new supply chain attack has leveraged an npm package impersonating TanStack to deliver malicious versions that exfiltrate environment variables from developers' machines during installation. The package, named tanstack, is designed to “silently steal environment variable files, including .env, .env.local, and .env.production, from developers' machines at install time, exfiltrating them to an attacker-controlled endpoint,” Socket said. The malicious package is maintained by a user named “sh20raj.” Versions 2.0.4 through 2.0.7 are confirmed malicious.

  3. Extensions legally sell user data

    In a new analysis, LayerX found that several networks of browser extensions collect user data and resell it for profit. Unlike malicious extensions that hide their behavior behind some harmless functionality, the 80 identified extensions explicitly tell users in their privacy policy that they collect and sell the data of users who install them. “A network of 24 media extensions that are installed on 800,000 users and collect viewing data and demographic information on major streaming platforms such as Netflix, Hulu, Disney+, Amazon Prime Video, HBO, Apple TV, and others,” LayerX said. “12 separate ad blockers with a combined install base of over 5.5 million users openly selling user data. Nearly 50 other extensions, with over 100,000 users in aggregate, that collected and resold users' browsing data.”

  4. Komari tool weaponized in attacks

    Huntress has revealed that unknown threat actors used stolen VPN credentials to pivot into a Windows workstation belonging to an unspecified organization via Impacket's smbexec.py, and dropped a SYSTEM-level backdoor using the Komari agent, a Go-based remote-control, monitoring, and management tool. The development marks the first publicly documented case of the tool being abused in a real-world intrusion. It also illustrates how bad actors are increasingly switching to publicly available and legitimate tools to conduct attacks. “Komari is not a telemetry tool that happens to be abusable – it is a bidirectional control channel by design. The agent opens a persistent WebSocket to its server and accepts three server-to-agent event types out of the box: exec (arbitrary command execution via PowerShell / sh), terminal (interactive PTY reverse shell in the operator's browser), and ping (ICMP / TCP / HTTP probing),” Huntress said. “All three are enabled by default.” While other tools like Velociraptor and SimpleHelp that have been abused by threat actors typically act as a means to an end, Komari gives an operator arbitrary command execution, an interactive PTY reverse shell, and network probing by default, over a TLS-fronted WebSocket.

  5. Next-gen phishing kits escalate

    Two new phishing kits named Saiga 2FA and Phoenix System have been detailed and linked to email and SMS phishing attacks. According to Barracuda, Saiga 2FA goes beyond traditional adversary-in-the-middle (AitM) features by integrating tools like FM Scanner for extracting and analyzing mailbox content. “Saiga 2FA is an example of how phishing kits are evolving into application-level platforms,” the company said. “Unlike traditional phishing kits, Saiga integrates infrastructure, automation, and post-compromise capabilities into a unified system, supporting advanced and highly targeted campaigns.” Phoenix System, on the other hand, has been tied to over 2,500 phishing domains since January 2025, while relying on IP-based filtering and geofencing for precision targeting. It is assessed to be the successor to the now-defunct Mouse System. “The campaigns are delivered via SMS, potentially leveraging fake Base Transceiver Stations (BTS) to bypass carrier-level filtering and allow threat actors to send messages that appear under the brand names of trusted organizations directly to victims,” Group-IB said. “The campaign has so far targeted more than 70 organizations across the financial services, telecommunications, and logistics sectors globally.”

  6. Mass exposure of remote access servers

    A new analysis from Forescout has found 1.8 million RDP and 1.6 million VNC servers exposed on the internet. “China accounts for 22% of exposed RDP and 70% of exposed VNC servers; the U.S. accounts for 20% and 7%; Germany accounts for 8% and 2%,” the company said. “Of 91,000 RDP and 29,000 VNC servers mapped to specific industries, retail, services, and education lead RDP exposure; education, services, and healthcare lead VNC.” What's more, 18% of exposed RDP servers run end-of-life Windows versions, more than 19,000 RDP servers remain vulnerable to BlueKeep (CVE-2019-0708), and nearly 60,000 VNC servers have authentication disabled. To make matters worse, more than 670 exposed VNC servers have authentication disabled and provide direct access to OT/ICS control panels.

  7. China-linked influence op falters

    A China-linked online influence campaign tried to undermine the April 26 elections for the Tibetan parliament-in-exile with little impact. The operation, part of Spamouflage, a long-running influence network linked to Beijing, has used a cluster of 90 Facebook profiles and 13 Instagram profiles to push criticism of the Tibetan government-in-exile and its leadership. “The network tries to drive wedges within the community,” DFRLab said. “The goal is to erode trust in the exile government, weaken its international voice, and raise doubts about whether it can credibly represent Tibetans without the Dalai Lama. However, virtually none of these posts appear to have attracted any organic engagement, likely because all the identified assets are regular Facebook profiles with limited reach and not established pages.”

  8. Unpatched RPC privilege escalation

    An unpatched vulnerability can allow for local privilege escalation in Windows systems through the abuse of the Remote Procedure Call (RPC) architecture in the operating system. Known as PhantomRPC, the flaw stems from an architectural weakness in how RPC handles connections to unavailable services. To exploit the flaw, an attacker with limited local access needs to first compromise a privileged service that runs under the Network Service identity, deploy a fake RPC server with the same RPC interface UUID and exposed endpoint name (i.e., TermService), listen for specific requests, and then impersonate the targeted service to escalate their privileges to SYSTEM. Kaspersky, which identified the weakness, said it found four PhantomRPC exploitation paths that could lead to privilege escalation. Following responsible disclosure in September 2025, Microsoft opted not to address the issue as it requires an attacker to first compromise the machine by other means.

  9. Vidar dominates infostealer market

    The information stealer known as Vidar (now in its second iteration, referred to as Vidar Stealer 2.0) has vaulted to the top of the infostealer market since November 2025 in the aftermath of law enforcement takedowns of Lumma and Rhadamanthys. “Vidar profited from the generated chaos to rise to the top of the stealer ecosystem,” Intrinsec said. “We assess that this rise was made possible thanks to the release of version 2.0 of the malware, and to the collaboration with ‘Cloud’ Telegram channels.” It is advertised by a user named “Loadbaks” on underground forums. Recent campaigns have been observed distributing the malware using bogus links shared via YouTube videos promoting fake software to direct users to Mediafire pages, which are used to deliver executables responsible for downloading and running the broad-spectrum credential harvester. The stolen credentials are then quickly monetized on underground marketplaces like Russian Market.

  10. Critical flaws hit healthcare platform

    Thirty-eight critical security vulnerabilities have been disclosed in OpenEMR, the world's most widely used open-source electronic medical records platform. The vulnerabilities, now patched, range in severity from medium to critical and include missing or incorrect authorization checks, cross-site scripting (XSS), SQL injection, path traversal, and insufficient session expiration. These issues, which include two rated critical (CVE-2026-24908 and CVE-2026-23627), could have been exploited to access and tamper with patient and provider data, posing a serious health and regulatory risk to individuals and institutions. “In the most severe cases, SQL injection vulnerabilities combined with modest database privileges could have led to full database compromise, PHI exfiltration at scale, and remote code execution on the server,” AISLE said. OpenEMR is used by more than 100,000 medical providers, serving more than 200 million patients in 34 languages.

  11. Swiss crackdown on Black Axe

    A coordinated police operation in Switzerland has led to the arrest of 10 suspected members of the Black Axe criminal network, including the Black Axe “Regional Head” for the Southern European region. Most of those arrested are reported to be of Nigerian origin. The suspects are accused of numerous crimes, including romance scams, cyber fraud offences causing millions of Swiss francs in damages, and money laundering. “The criminal network is known for its involvement in a wide range of criminal activities, including cyber-enabled fraud, drug trafficking, human trafficking and prostitution, kidnapping, armed robbery, and fraudulent religious practices,” Europol said.

  12. PyPI package hijacked via CI exploit

    In yet another software supply chain attack, unknown threat actors pushed a malicious version of the popular “elementary-data” package on the Python Package Index (PyPI) to steal sensitive developer data and cryptocurrency wallets. According to StepSecurity, elementary-data version 0.23.3 was uploaded to PyPI on April 24, 2026, at 10:20 p.m. UTC. The attacker opened a pull request with malicious code and exploited a script-injection vulnerability in one of its GitHub Actions workflows to publish it as release 0.23.3. Specifically, it came embedded with an “elementary.pth” file that enabled the theft of developer credentials and secrets. “The attacker exploited a script injection vulnerability in one of the project's own GitHub Actions workflows, then used the workflow's GITHUB_TOKEN to forge a signed release commit and dispatch the legitimate publishing pipeline against it – without ever touching the master branch or opening a pull request,” the company said. The developers urged users who installed 0.23.3, or pulled and ran its Docker image, to assume compromise and rotate any credentials.
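    As an added example (not part of the article, and not the project's own workflow), the following Python check scans a GitHub Actions workflow for the pattern behind a script-injection bug: an expression such as ${{ github.event.pull_request.title }} interpolated directly into a run: step, where a contributor-controlled value becomes part of the shell script. The list of untrusted contexts and both sample workflows are constructed for this example; the hardened variant passes the same value through env: so the shell reads it as data rather than code.

```python
import re

# Expression contexts whose value an outside contributor controls (constructed
# list for this example; it covers common cases, not every context GitHub documents)
UNTRUSTED = re.compile(
    r"\$\{\{\s*github\.(?:"
    r"head_ref|"
    r"event\.(?:pull_request\.(?:title|body|head\.(?:ref|label))"
    r"|issue\.(?:title|body)|comment\.body|review\.body"
    r"|head_commit\.(?:message|author\.\w+)|discussion\.(?:title|body))"
    r")\s*\}\}"
)


def find_run_injections(workflow_text: str):
    """Return (line_number, expression) for every untrusted expression that is
    interpolated inside a `run:` step, where it is spliced into the shell script.
    Expressions elsewhere (for example under `env:`) are not reported, because an
    environment variable reaches the shell as data rather than as script text."""
    findings = []
    in_run, key_col = False, 0
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        # A non-blank line indented at or left of the `run` key closes its block scalar
        if in_run and stripped and indent <= key_col:
            in_run = False
        if not in_run:
            m = re.search(r"\brun:", stripped)
            if m:
                in_run, key_col = True, indent + m.start()
        if in_run:
            for m in UNTRUSTED.finditer(line):
                findings.append((lineno, m.group(0)))
    return findings


# Constructed workflows for illustration (not the project's real pipeline).
VULNERABLE_WORKFLOW = """\
name: triage
on: pull_request_target
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - run: |
          echo "Checking PR: ${{ github.event.pull_request.title }}"
          ./scripts/triage.sh
"""

# Same job, with the untrusted value passed through an environment variable.
HARDENED_WORKFLOW = """\
name: triage
on: pull_request_target
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "Checking PR: $PR_TITLE"
          ./scripts/triage.sh
"""

if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, find_run_injections(text))
```

    Pairing this check with a least-privilege permissions: block on each workflow limits what a captured GITHUB_TOKEN can do, which is the second link in the chain described above: the injection gave the attacker code execution in the runner, but it was the token's rights that let them forge a release commit and trigger the publishing pipeline.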

  13. $230M crypto laundering sentence

    22-year-old Evan Tangeman of Newport Beach, California, was sentenced to 70 months in prison for laundering funds stolen in a massive $230 million cryptocurrency heist as part of an elaborate social engineering scheme. “This criminal enterprise was built on greed so brazen it borders on the cartoonish. They stole millions, spent it on half-million-dollar nightclub tabs, Lamborghinis, and Rolexes,” said U.S. Attorney Jeanine Ferris Pirro. “But Evan Tangeman didn't just launder the money that fueled that lifestyle. When his co-conspirators were arrested, he moved to destroy the evidence. That's consciousness of guilt, and this office and the court have treated that accordingly.” Tangeman pleaded guilty in December 2025. The criminal enterprise began no later than October 2023 and continued through at least May 2025.

  14. Legacy TLS finally deprecated

    Microsoft has announced plans to start blocking legacy TLS connections for POP and IMAP email clients in Exchange Online starting in July 2026. “We're planning to fully deprecate support for legacy TLS versions (TLS 1.0 and TLS 1.1) for POP3 and IMAP4 connections to Exchange Online. These older TLS versions have been industry-deprecated for some time and are no longer considered secure,” the company said. “Several years ago, we started the move to block these older versions, but we did allow you to use them by opting in; we're now removing support for them entirely. Our expectation is that only customers who have explicitly opted into using these legacy endpoints are impacted by the deprecation.”

  15. Phishing via account flow abuse

    Threat actors are abusing online trading platform Robinhood's account creation process to send phishing emails that bypass spam filters. The emails, which originate from “noreply@robinhood[.]com,” warn of suspicious activity tied to recipients' accounts and urge them to complete a security check by clicking on a link that directs to a phishing website. “This phishing attempt was made possible by an abuse of the account creation flow,” Robinhood said in an X post. “It was not a breach of our systems or customer accounts, and personal information and funds were not impacted. If you received this email, please delete it and do not click any suspicious links. If you have clicked a suspicious link or have any questions about your account, please contact us directly within the Robinhood app or website.” Reports on Reddit indicate that the attackers created new Robinhood accounts using modified versions of existing Gmail addresses via the so-called “dot trick.” The technique takes advantage of the fact that Gmail ignores periods inserted into or removed from a username, while Robinhood treats each variation as a distinct user, allowing the attackers to create a new account that points to an existing account.
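    As an added example (not Robinhood's code), this Python helper canonicalizes email addresses so that a registration flow treats dot-trick variants of one Gmail mailbox as the same user. It generalizes slightly beyond the article by also folding Gmail's plus-address tags and the googlemail.com alias, which Gmail likewise delivers to the same inbox. GMAIL_DOMAINS, the function names and the sample addresses are assumptions of this example.

```python
# Constructed example: canonicalizing addresses so that "dot trick" variants of one
# Gmail mailbox are recognized as the same user at sign-up (not Robinhood's code).
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(address: str) -> str:
    """Return a comparison key for an email address.

    For Gmail-hosted mailboxes the key drops dots and any "+tag" suffix from the
    local part and folds googlemail.com to gmail.com, since Gmail delivers all of
    those variants to one inbox. Other domains only get a lowercased domain part,
    because the provider's local-part rules are not known here.
    """
    address = address.strip()
    if address.count("@") != 1:
        raise ValueError(f"not a single-mailbox address: {address!r}")
    local, domain = address.split("@")
    domain = domain.lower()
    if domain in GMAIL_DOMAINS:
        local = local.lower().split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def is_duplicate_signup(new_address: str, existing_addresses) -> bool:
    """True if the new address collapses onto a mailbox that is already registered."""
    seen = {canonical_email(a) for a in existing_addresses}
    return canonical_email(new_address) in seen


def collapse_variants(addresses):
    """Group addresses by mailbox for a bulk review of existing accounts; every
    group with more than one member is a set of dot-trick variants of one inbox."""
    groups = {}
    for a in addresses:
        groups.setdefault(canonical_email(a), []).append(a)
    return {k: v for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    # Constructed sample: one real mailbox registered, then a dotted variant tried.
    registered = ["johndoe@gmail.com", "other@example.com"]
    print(is_duplicate_signup("jo.hn.doe@gmail.com", registered))   # True
    print(collapse_variants(["a.b@gmail.com", "ab@gmail.com", "c@gmail.com"]))
```

    The key is only a comparison key: the address the user typed is still the one you store and send mail to. Running collapse_variants over an existing user table is the retrospective version of the same check, and surfaces accounts created through the technique before the canonical comparison was in place.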

  16. Social media scams surge

    The U.S. Federal Trade Commission (FTC) warned of a massive increase in losses from social media scams since 2020, exceeding $2.1 billion in 2025, including $794 million to scams that started on Facebook, more than on any other platform. “In 2025, nearly 30% of people who reported losing money to a scam said that it started on social media, with reported losses reaching a staggering $2.1 billion. Social media scams produced far more in losses – an eightfold increase since 2020 – than any other contact method used by scammers to reach consumers,” the FTC said. “Social media creates easy access to billions of people from anywhere in the world, making a scammer's job easier at little or no cost. Scammers may hack a user's account, exploit what a user posts to figure out how to target them, or buy ads and use the same tools used by real businesses to target people by age, interests, or buying habits.”

  17. Billions of credentials exposed

    KELA said it tracked 2.86 billion compromised credentials globally in 2025. These included usernames, passwords, session tokens, and cookies found in URL, login and password (ULP) lists, breached email repositories, and cybercrime marketplaces. At least 347 million were initially obtained by infostealers found on around 3.9 million infected machines.

  18. arXiv papers leak sensitive data

    An analysis of 2.7 million submissions to the arXiv preprint service — which also makes available the LaTeX sources and other files used to create them — has found that they include unnecessary files, expose metadata embedded in files (usernames, email addresses, hardware details, GPS information, software versions), and leak irrelevant content in files such as source code comments. This includes backups, hidden .nfs files, Git repositories (including editing histories), and configuration files containing API keys. “Apart from unused template files that put unnecessary storage burden on arXiv, we further discovered scripts, research data, and even entire Git repositories. Moreover, comments in LaTeX sources reveal, e.g., author conversations or todo items – for some of these comments, we are certain that the authors did not intend to disclose them publicly. Alarmingly, our findings also include URLs without any access restrictions to other resources (e.g., Google Docs), security tokens, and private keys,” the study said. While arXiv recommends Google's arxiv_latex_cleaner to clean the LaTeX code, the researchers have released a tool called ALC-NG to comprehensively remove files, metadata, and comments that are not needed to compile a LaTeX paper.
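    As an added example (not the study's ALC-NG tool and not Google's arxiv_latex_cleaner), the following Python check audits a LaTeX source bundle before submission and flags the classes of leftovers the study describes: stray backup, .nfs, Git and dotenv files; credential-looking strings such as API keys, AWS access key IDs and private-key headers; and TeX comments that carry todo notes or URLs. All regexes, the finding categories and the sample bundle are constructed for this example.

```python
import re
from pathlib import Path

# Constructed pre-submission check for a LaTeX source bundle. Paths that should
# never be in a submission: Git metadata, NFS/editor leftovers, backups, dotenv files.
JUNK_PATH = re.compile(
    r"(?:^|/)(?:\.git(?:/|$)|\.nfs[0-9a-f]*$|[^/]*(?:~|\.bak|\.swp|\.orig)$|\.env(?:\.[^/]*)?$)"
)
# Credential-looking material on any line of any file.
SECRET = re.compile(
    r"(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*\S+"
    r"|-----BEGIN [A-Z ]*PRIVATE KEY-----"
    r"|\bAKIA[0-9A-Z]{16}\b"
)
# A TeX comment: an unescaped % to end of line (\% is a literal percent sign).
TEX_COMMENT = re.compile(r"(?<!\\)%(.*)$")
# Comment content that tends to be unintended: todo notes and links to other resources.
LEAKY_COMMENT = re.compile(r"(?i)\b(?:todo|fixme|xxx)\b|https?://\S+")


def audit_submission(files):
    """files maps a relative path to its text content.
    Returns (path, line, kind, detail) tuples; line 0 marks a whole-file finding."""
    findings = []
    for path, text in files.items():
        if JUNK_PATH.search(path):
            findings.append((path, 0, "junk-file", path))
            continue
        for n, line in enumerate(text.splitlines(), 1):
            for m in SECRET.finditer(line):
                findings.append((path, n, "secret", m.group(0)))
            if path.endswith(".tex"):
                c = TEX_COMMENT.search(line)
                if c and LEAKY_COMMENT.search(c.group(1)):
                    findings.append((path, n, "comment", c.group(1).strip()))
    return findings


def load_tree(root):
    """Read a directory into the mapping audit_submission expects."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p.read_text(errors="replace")
            for p in root.rglob("*") if p.is_file()}


# Constructed sample bundle showing each finding type.
SAMPLE_BUNDLE = {
    "main.tex": (
        "\\section{Intro}\n"
        "% TODO: ask Bob about the reviewer's comment\n"
        "See \\url{https://example.org}. 100\\% done.\n"
        "% draft at https://docs.example/d/abc123 (no access restriction)\n"
    ),
    "figures/plot.py": 'API_KEY = "sk-constructed-example"\n',
    ".git/config": "[core]\n",
    "main.tex.bak": "old draft\n",
    "refs.bib": "@article{x, title={Y}}\n",
}

if __name__ == "__main__":
    for finding in audit_submission(SAMPLE_BUNDLE):
        print(finding)
```

    Run audit_submission(load_tree("paper/")) on the directory you are about to tar up; an empty result is the goal. Metadata inside binary files (the usernames, GPS data and software versions the study mentions in PDFs and images) is outside what this text-based pass can see and needs a separate metadata-stripping step.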

  19. Roblox account hacking ring busted

    The Ukrainian police have arrested three individuals who hacked more than 610,000 Roblox gaming accounts and sold them for a profit of $225,000 on Russian websites. The suspects face up to 15 years in prison if convicted and have been placed in pretrial detention while the investigation is in progress. The scheme was allegedly masterminded by a 19-year-old resident of Drohobych, Lviv Oblast, who met his accomplices, aged 21 and 22, on gaming forums last year. From October 2025 to January 2026, the suspects are believed to have accessed more than 600,000 Roblox user accounts.

  20. Iran-linked group targets troops

    The Iran-linked threat actor Handala Hack has targeted U.S. troops in Bahrain in an influence campaign conducted via WhatsApp, according to Stars and Stripes. The messages, signed Handala and containing a link to the group's website, claimed the service members were under surveillance and soon to be targeted with drones and missiles. “Your identities are fully known to our missile units, and every move you make is under our surveillance. Very soon, you will be targeted by our Shahed drones and Kheibar and Ghadeer missiles,” the message sent on April 28, 2026, read.

  21. Record surge in privacy fines

    U.S. states issued $3.45 billion in privacy-related fines to companies in 2025, a total larger than the last five years combined, per Gartner. “Regulators are also shifting their efforts away from spreading awareness to full-scale enforcement,” the company said. “This is increasingly becoming the standard in 2026 and beyond.”

  22. WordPress plugin backdoor uncovered

    Anchor Hosting has revealed that a WordPress plugin named Quick Page/Post Redirect plugin, which has over 70,000 installs, was compromised with a backdoor that allows injecting arbitrary code into users' sites. Plugin versions 5.2.1 and 5.2.2, released between 2020 and 2021, were found to include a covert self-update mechanism that reaches out to a third-party domain, anadnet[.]com, to facilitate the execution of arbitrary code. It's worth noting that the passive backdoor triggers only for logged-out users to hide its activity from site administrators. As of April 16, the plugin has been closed temporarily pending a full review.

  23. Qinglong flaws abused for mining

    Hackers are exploiting two authentication bypass vulnerabilities in Qinglong, an open-source timed task management platform with over 19,500 GitHub stars, to deploy cryptocurrency miners. The two flaws – CVE-2026-3965 and CVE-2026-4047 – enable authentication bypass that results in remote code execution. “While these vulnerabilities were formally reported on February 27, exploitation had already been underway for weeks,” Snyk said. “Starting around February 7-8, 2026, Qinglong users began opening issues about a hidden process called .fullgc consuming 85-100% of their CPU. The .fullgc filename may have been chosen to blend in with legitimate processes. In Java/JVM environments, ‘Full GC’ (Full Garbage Collection) is a known source of CPU spikes, which could delay an administrator's investigation.” The issues have since been addressed in PR #2941.
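    As an added example (not Snyk's or Qinglong's code), the following Python detection parses ps aux-style output and flags processes that combine the two traits described above: a dot-prefixed, hidden executable name and sustained CPU use above a threshold. The sample ps lines are constructed for this example, not captured from a real host, and the threshold is an assumption.

```python
import os


def parse_ps_aux(text):
    """Yield one dict per process line of `ps aux` output (header skipped).
    COMMAND is the 11th column and may contain spaces, so split at most 10 times."""
    lines = text.strip().splitlines()
    for line in lines[1:]:
        cols = line.split(None, 10)
        if len(cols) < 11:
            continue
        yield {"user": cols[0], "pid": int(cols[1]), "cpu": float(cols[2]),
               "command": cols[10]}


def is_hidden_name(command):
    """True when the executable's basename starts with a dot, i.e. it does not
    show up in a plain `ls` of its directory."""
    exe = command.split()[0]
    return os.path.basename(exe).startswith(".")


def find_hidden_cpu_hogs(ps_text, cpu_threshold=80.0):
    """Processes that are both hidden by name and at or above the CPU threshold,
    highest CPU first. Returns (pid, cpu, command) tuples."""
    hits = [(p["pid"], p["cpu"], p["command"])
            for p in parse_ps_aux(ps_text)
            if p["cpu"] >= cpu_threshold and is_hidden_name(p["command"])]
    return sorted(hits, key=lambda h: -h[1])


# Constructed sample output; the legitimate JVM line shows why a name alone is
# not enough and the CPU figure is checked as well.
SAMPLE_PS = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1 169000  9800 ?        Ss   Feb07   0:03 /sbin/init
node       415  2.1  3.4 980000 70000 ?        Ssl  Feb07   4:10 node /ql/build/app.js
node       812 97.3  1.2 512000 24000 ?        Sl   Feb08 512:44 /tmp/.fullgc
root       903  0.2  0.0  12000  3000 ?        S    Feb08   0:00 /usr/bin/java -Xmx2g Worker
"""

if __name__ == "__main__":
    for pid, cpu, cmd in find_hidden_cpu_hogs(SAMPLE_PS):
        print(f"pid={pid} cpu={cpu}% cmd={cmd}")
```

    On a live host, feed the function the output of ps aux from a scheduled check; a hit is a trigger to pull the executable's path and hash for analysis, not proof of a miner on its own, since a long-running legitimate job can also sit near 100% CPU.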

  24. Trivy hack enabled repo breach

    In a new update shared this week, Checkmarx said its investigation into the cybersecurity incident has revealed the TeamPCP attack affecting the Trivy scanner is the “likely vector that enabled the attackers to obtain credentials and to gain unauthorized access to our GitHub repositories.” This, in turn, allowed the attackers to interact with Checkmarx's GitHub environment and publish malicious code to certain artifacts. The development comes as the company acknowledged that data stolen from the GitHub repository was published on the dark web by a cybercrime group known as LAPSUS$.

  25. npm stealer tied to DPRK group

    The North Korean threat actor known as Famous Chollima has been attributed to the npm package named js-logger-pack that comes embedded with a WebSocket stealer that is triggered via a postinstall hook. “The payload is a long-running WebSocket agent that: installs the attacker's RSA key into ~/.ssh/authorized_keys on Linux; exfiltrates Telegram Desktop tdata sessions; drains credentials from 27 crypto wallets and Chromium-family browsers; steals .npmrc, cloud provider tokens, and shell history; and runs a native keylogger on Windows, macOS, and Linux with autostart persistence on all three,” SafeDep said.
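    As an added example that is not Socket's or SafeDep's tooling, the following Python audit covers the two npm cases above (the tanstack brandsquat in item 2 and js-logger-pack here): it reads an unpacked package's package.json for install-time lifecycle hooks and scans the package's files for the indicators those reports describe (dotenv file names, authorized_keys, .npmrc, shell history, WebSocket clients) before anything is installed. The indicator list, the risk levels and both sample packages are constructed for this example; the sample JavaScript is indicator text only, not a working payload.

```python
import json
import re

# Lifecycle hooks npm runs automatically during `npm install`.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Indicator patterns drawn from the behaviours described above (dotenv theft,
# ~/.ssh/authorized_keys writes, .npmrc theft, shell history, WebSocket C2).
# The env-file pattern skips `process.env.X`, which every honest package uses.
INDICATORS = (
    ("sensitive", "env-file", re.compile(r"(?<![\w.])\.env(?:\.\w+)?\b")),
    ("sensitive", "ssh-authorized-keys", re.compile(r"authorized_keys")),
    ("sensitive", "npmrc", re.compile(r"\.npmrc\b")),
    ("sensitive", "shell-history", re.compile(r"\.(?:bash|zsh)_history\b")),
    ("network", "websocket", re.compile(r"\bWebSocket\b|\bws://|\bwss://")),
    ("network", "http-client", re.compile(r"\bhttps?\.request\(|\bfetch\(|\bnet\.connect\(")),
    ("obfuscation", "dynamic-code", re.compile(r"\beval\(|\bnew Function\(|\batob\(|base64")),
)


def audit_package(files):
    """files maps each path inside the package tarball (as `npm pack` would
    produce it) to its text. Returns the lifecycle scripts found, the indicators
    hit per file, and an overall risk level."""
    meta = json.loads(files.get("package.json", "{}"))
    scripts = meta.get("scripts", {})
    hooks = {h: scripts[h] for h in LIFECYCLE_HOOKS if h in scripts}
    hits = []
    for path, text in files.items():
        for category, label, rx in INDICATORS:
            if rx.search(text):
                hits.append((path, category, label))
    categories = {c for _, c, _ in hits}
    if hooks and {"sensitive", "network"} <= categories:
        risk = "high"       # runs at install time, touches secrets, talks out
    elif hooks or hits:
        risk = "medium"     # worth a manual read before installing
    else:
        risk = "low"
    return {"name": meta.get("name"), "lifecycle_scripts": hooks,
            "indicators": hits, "risk": risk}


# Constructed package contents. The JS below is indicator text only, not a payload.
SUSPICIOUS_PACKAGE = {
    "package.json": json.dumps({"name": "example-pkg", "version": "0.0.1",
                                "scripts": {"postinstall": "node setup.js"}}),
    "setup.js": ("// constructed sample for the audit, deliberately non-functional\n"
                 "const targets = ['.env', '.env.local', '.env.production'];\n"
                 "const channel = new WebSocket(process.env.EXAMPLE_URL);\n"),
}

BENIGN_PACKAGE = {
    "package.json": json.dumps({"name": "tiny-util", "version": "1.0.0",
                                "scripts": {"test": "node test.js"}}),
    "index.js": "module.exports = (a, b) => a + b;\n",
}

if __name__ == "__main__":
    for pkg in (SUSPICIOUS_PACKAGE, BENIGN_PACKAGE):
        print(json.dumps(audit_package(pkg), indent=2))
```

    Fetch the tarball with npm pack and extract it before auditing, and install with npm install --ignore-scripts while a package is under review, so lifecycle hooks never execute on a developer machine until someone has read them. Pattern hits are a reason to read the file, not a verdict: an honest dotenv loader also names .env, which is why the risk level only reaches "high" when an install hook, a sensitive-file reference and an outbound channel all appear together.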

Security is a team sport. We keep seeing the same gaps because we focus on the new shiny toys while the basics, like simple passwords and old software versions, fall through the cracks. It's clear that just having a patch isn't enough if nobody actually installs it.


The best lesson here is to stay curious and cautious. Whether it's a weird text from a “trusted” source or a new tool that looks too good to be true, taking a moment to verify can save plenty of trouble later. Let's keep learning and stay sharp until the next update!
