
Weekly INK

Each week we compile an advisory on the latest threats, trends and newsworthy topics from the cyber security industry affecting small and medium enterprises. Join our subscribers below and help us prevent cybersecurity breaches.


Issue #193 - April 6, 2026


Hackers Exploiting Acrobat Reader Zero-Day Flaw Since December

Source: BleepingComputer

Security researcher Haifei Li discovered that attackers have been actively exploiting an unpatched zero-day vulnerability in Adobe Reader since at least December 2025, using a sophisticated fingerprinting-style PDF exploit that requires no user interaction beyond opening a file. The flaw enables attackers to steal local information via privileged Acrobat APIs and potentially launch follow-on remote code execution attacks for full system compromise. Adobe has been notified but had not released a patch as of April 9, 2026 — users are urged not to open PDF documents from untrusted sources until a fix is available.




Fortinet Patches Actively Exploited CVE-2026-35616 in FortiClient EMS

Source: The Hacker News

Fortinet released an emergency hotfix for a critical pre-authentication API bypass vulnerability in FortiClient Enterprise Management Server (EMS), tracked as CVE-2026-35616 with a CVSS score of 9.1, after researchers confirmed zero-day exploitation in the wild beginning March 31, 2026. CISA added the flaw to its Known Exploited Vulnerabilities catalog on April 6, requiring federal agencies to patch by April 9. The vulnerability allows unauthenticated attackers to bypass API access controls and execute unauthorized commands via crafted HTTP requests, with watchTowr noting the timing of exploitation ramp-up was “likely not coincidental” given the Easter holiday weekend.




N. Korean Hackers Spread 1,700 Malicious Packages Across npm, PyPI, Go, Rust

Source: The Hacker News

Financially motivated North Korean threat actor UNC1069 — previously linked to the Axios npm supply chain attack — has dramatically expanded its malicious package campaign, spreading 1,700 packages across npm, PyPI, Go, and Rust repositories in multi-week, low-pressure social engineering operations across Telegram, LinkedIn, and Slack. The Security Alliance reported blocking 164 UNC1069-linked domains impersonating Microsoft Teams and Zoom between February 6 and April 7, 2026, with attackers using ClickFix-style lures that install cross-platform malware for credential theft and post-exploitation data exfiltration.




Madison Square Garden Data Breach Confirmed Months After Hacker Attack

Source: SecurityWeek

Madison Square Garden Entertainment has confirmed a data breach stemming from the 2025 Oracle E-Business Suite hacking campaign, in which the Cl0p ransomware group exploited zero-day vulnerabilities to compromise more than 100 organizations. Attackers stole names, Social Security numbers, and other personal data from MSG's third-party-hosted Oracle EBS instance in August 2025, with Cl0p leaking over 210GB of files after MSG declined to pay a ransom. MSG has now begun notifying affected individuals, joining a growing list of high-profile organizations impacted by the Oracle EBS campaign.




Google Warns of New Threat Group Targeting BPOs and Helpdesks

Source: Infosecurity Magazine

Google's Threat Intelligence Group has identified a new financially motivated extortion cluster called UNC6783, possibly linked to a persona named “Raccoon,” that is targeting business process outsourcing providers and large enterprise helpdesks through live chat social engineering. The group directs employees to spoofed Okta login pages using domain patterns that mimic the target organization, or tricks users into installing remote access malware via fake security software updates, then delivers ransom notes via Proton Mail following data exfiltration. The tactics closely resemble those of Scattered Lapsus$ Hunters, underscoring that helpdesk and support staff remain high-value entry points for financially motivated attackers.




 
 
