Latest news as of 4/5/2026, 6:20:17 PM
Bleeping Computer
Hackers are running a large-scale campaign to steal credentials in an automated way after exploiting React2Shell (CVE-2025-55182) in vulnerable Next.js apps. [...]
The Register
True-crime tales of criminals making fools of themselves Cybercrime crews have become almost mystical entities, with security vendors assigning them names like Wizard Spider and Velvet Tempest.… interview
The Hacker News
Fortinet has released out-of-band patches for a critical security flaw impacting FortiClient EMS that it said has been exploited in the wild. The vulnerability, tracked as CVE-2026-35616 (CVSS score: 9.1), has been described as a pre-authentication API access bypass leading to privilege escalation. "An improper access control vulnerability [CWE-284] in FortiClient EMS may allow an
The Hacker News
Cybersecurity researchers have discovered 36 malicious packages in the npm registry that are disguised as Strapi CMS plugins but come with different payloads to facilitate Redis and PostgreSQL exploitation, deploy reverse shells, harvest credentials, and drop a persistent implant. "Every package contains three files (package.json, index.js, postinstall.js), has no description, repository,
Bleeping Computer
The maintainers of the popular Axios HTTP client have published a detailed post-mortem describing how one of its developers was targeted by a social engineering campaign believed to have been conducted by North Korean threat actors. [...]
Bleeping Computer
Device code phishing attacks that abuse the OAuth 2.0 Device Authorization Grant flow to hijack accounts have surged more than 37 times this year. [...]
Bleeping Computer
A new report dubbed "BrowserGate" warns that Microsoft's LinkedIn is using hidden JavaScript scripts on its website to scan visitors' browsers for installed extensions and collect device data. [...]
Have I Been Pwned
In March 2026, the anime streaming service . The exposed data is reported to have originated from the company's Zendesk support system where "name, login name, email address, IP address, general geographic location and the contents of the support tickets" were exposed. Crunchyroll suffered a data breach alleged to have impacted 6.8M users A subset of 1.2M email addresses from an alleged 2M record dataset being sold was later provided to HIBP.
Have I Been Pwned
In April 2026, the music trivia platform . The data contained a total of 291k unique email addresses sourced from either Google OAuth logins or accounts created on the site, the latter also containing bcrypt password hashes. The data also included names, usernames and avatars. SongTrivia2 suffered a data breach that was subsequently published to a public hacking forum
The Register
Ex-CISA official tells The Reg: 'this would weaken the system for managing cyber risk' The US Cybersecurity and Infrastructure Security Agency's budget will see yet another deep cut if Congress approves President Trump's proposal to slash CISA's spending by $707 million in fiscal year 2027.…