{"id":697,"date":"2026-04-23T16:34:20","date_gmt":"2026-04-23T16:34:20","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=697"},"modified":"2026-04-23T16:34:20","modified_gmt":"2026-04-23T16:34:20","slug":"290m-defi-hack-macos-lotl-abuse-proxysmart-sim-farms-25-new-stories","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=697","title":{"rendered":"$290M DeFi Hack, macOS LotL Abuse, ProxySmart SIM Farms +25 New Stories"},"content":{"rendered":"<div>\n<p><span class=\"p-author\"><i class=\"icon-font icon-user\">\ue804<\/i><span class=\"author\">Ravie Lakshmanan<\/span><i class=\"icon-font icon-calendar\">\ue802<\/i><span class=\"author\">Apr 23, 2026<\/span><\/span><span class=\"p-tags\">Hacking News \/ Cybersecurity News<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgCPlFIV8w3UXOQRe4cwOn8C-x6WYxvZnNAOHSUnzIg8TFswCnJNoyTFJTdzAbl_a6JNCzhbAk4yGQbhI_cjF-FATAAmJJJiLjo2cZgbMQpfhYnrH6MFv6TVEqC3sblGQPViYTDE0o3alqO3YsIzatrw7NwlTkv1g6NkiVegSWKuRuQcajEyNdAUEaTamQ-\/s1700-e365\/threatsday.jpg\" style=\"clear: left; display: block; float: left;  text-align: center;\"><\/a><\/div>\n<p>You scroll past one incident and see another that feels familiar, like it should have been fixed years ago, but it still works with small changes. Same bugs. Same mistakes.<\/p>\n<p>The supply chain is messy. Packages you did not check are stealing data, adding backdoors, and spreading. Attacking the systems behind apps is easier than breaking the apps themselves. The exploits are simple but still work, giving attackers easy access.<\/p>\n<p>AI tools are also part of the problem now. They trust bad input and take real actions, which makes the damage bigger. Then there are quieter issues. Apps take data they should not. Devices behave in strange ways. Attackers keep testing what they can get away with. No noise. 
Just ongoing damage.<\/p>\n<p>Here is the list for this week\u2019s ThreatsDay Bulletin.<\/p>\n<div class=\"td-wrap\">\n<section aria-labelledby=\"threatsday-title\" class=\"td-section\">\n<ol class=\"td-timeline\" role=\"list\">\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">State-backed crypto heist<\/span><\/p>\n<p class=\"td-desc\">\n      Cross-chain messaging protocol LayerZero has <a href=\"https:\/\/x.com\/LayerZero_Core\/status\/2046081551574983137\">revealed<\/a> that North Korean threat actors tracked as TraderTraitor may have been behind the <a href=\"https:\/\/www.coindesk.com\/tech\/2026\/04\/20\/kelp-dao-claims-layerzero-s-default-settings-are-what-actually-caused-the-usd290-million-disaster\">recent hack<\/a> of decentralized finance (DeFi) project KelpDAO, resulting in the theft of $290 million. \u00abThe attack was specifically engineered to manipulate or poison downstream RPC infrastructure by compromising a quorum of the RPCs the LayerZero Labs DVN relied upon to verify transactions,\u00bb LayerZero said. KelpDAO, in a <a href=\"https:\/\/x.com\/KelpDAO\/status\/2046332070277091807\">post<\/a> on X, said, \u00abTwo RPC nodes hosted by LayerZero were compromised. A simultaneous DDoS attack was launched against the third RPC node. This was an attack on LayerZero&#8217;s infrastructure. Kelp&#8217;s own systems were not involved in building or operating that infrastructure.\u00bb The security-relevant point is that a cross-chain message is only as trustworthy as the RPC endpoints its verifiers read from: a DVN that checks a small set of RPC nodes can be defeated by compromising most of them and knocking the remainder offline, which is the pattern both parties describe. Meanwhile, the Arbitrum Security Council has <a href=\"https:\/\/x.com\/arbitrum\/status\/2046435443680346189\">temporarily frozen<\/a> the 30,766 ETH held in the Arbitrum One address connected to the KelpDAO exploit. It&#8217;s worth noting that TraderTraitor was attributed to the massive Bybit hack in early 2025 that led to the theft of $1.5 billion in digital assets. 
Recently, Lazarus Group was also linked to the $285 million theft from the Drift Protocol.\n    <\/p>\n<\/p><\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Active RCE exploits<\/span><\/p>\n<p class=\"td-desc\">\n      VulnCheck has warned of attacks attempting to exploit two flaws in MajorDoMo, a smart home automation platform. <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-27175\">CVE-2026-27175<\/a> is a critical command injection vulnerability whose exploitation began on April 13, while <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-27174\">CVE-2026-27174<\/a> allows unauthenticated remote code execution via the PHP console in the admin panel and was first seen exploited on April 18. \u00abCVE-2026-27175 was exploited to drop a PHP webshell that delivers persistent backdoor access,\u00bb VulnCheck <a href=\"https:\/\/www.linkedin.com\/posts\/ccondon_kevs-infosecurity-cybersecurity-share-7452329826373283840-CvRT\/\">said<\/a>. 
\u00abCVE-2026-27174 saw exploitation that ended in a Metasploit php\/meterpreter\/reverse_tcp staged payload.\u00bb Other vulnerabilities that have witnessed exploitation efforts include <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-22952\">CVE-2025-22952<\/a>, an SSRF in Elestio Memos, and <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/cve-2024-57046\">CVE-2024-57046<\/a>, an authentication bypass in NETGEAR DGN2200 routers.\n    <\/p>\n<\/p><\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Supply chain malware surge<\/span><\/p>\n<p class=\"td-desc\">\n      A number of malicious packages have been discovered in the npm registry: <a href=\"https:\/\/safedep.io\/malicious-ixpresso-core-npm-rat\/\">ixpresso-core<\/a>, <a href=\"https:\/\/safedep.io\/malicious-forge-jsx-npm-rat\/\">forge-jsx<\/a>, <a href=\"https:\/\/safedep.io\/malicious-genoma-ui-npm-dependency-confusion-campaign\/\">@genoma-ui\/components, @needl-ai\/common, rrweb-v1<\/a>, <a href=\"https:\/\/safedep.io\/malicious-sjs-biginteger-npm-ssh-theft\/\">cjs-biginteger, sjs-biginteger, bjs-biginteger<\/a>, <a href=\"https:\/\/safedep.io\/malicious-fairwords-npm-credential-worm\/\">@fairwords\/websocket, @fairwords\/loopback-connector-es, @fairwords\/encryption<\/a>, <a href=\"https:\/\/safedep.io\/malicious-js-logger-pack-npm-stealer\/\">js-logger-pack<\/a>, and <a href=\"https:\/\/research.jfrog.com\/post\/astral-injection\/\">@kindo\/selfbot<\/a>. Between them, these packages steal sensitive data from compromised hosts, perform system reconnaissance, implant an SSH backdoor by appending the attacker&#8217;s public key to ~\/.ssh\/authorized_keys, deliver an information stealer, and spread the XWorm remote access trojan (RAT). 
The packages published under the \u00ab@fairwords\u00bb scope have also been found to self-propagate to the other npm packages the victim&#8217;s npm token can publish, and to attempt cross-ecosystem propagation to PyPI via .pth file injection (a .pth file in site-packages is processed on every interpreter start-up, and any line beginning with import is executed, which is what makes it a durable foothold). New versions of <a href=\"https:\/\/research.jfrog.com\/post\/hugging-face-exfil\/\">js-logger-pack<\/a> have since been found to use a Hugging Face repository both to poll for updates and as a data-theft destination. Also detected was the compromise of <a href=\"https:\/\/safedep.io\/malicious-velora-dex-sdk-npm-compromised-rat\/\">@velora-dex\/sdk<\/a> (version 9.4.1) to decode and execute a Base64 payload that fetches a shell script from a remote server, which in turn downloads and persists a Go-based remote access trojan called minirat on macOS systems. Another legitimate package to be compromised was <a href=\"https:\/\/safedep.io\/malicious-npm-mgc-compromised-rat\/\">mgc<\/a> (versions 1.2.1 through 1.2.4), which was injected with a dropper that detects the operating system and fetches a platform-specific RAT from a GitHub Gist to exfiltrate valuable data.\n    <\/p>\n<\/p><\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">AI prompt injection surge<\/span><\/p>\n<p class=\"td-desc\">\n      Forcepoint has detected 10 new indirect prompt injection (IPI) payloads targeting artificial intelligence (AI) agents with malicious instructions designed to achieve financial fraud, data destruction, API key theft, and AI denial-of-service attacks. 
\u00abRegardless of the specific payload technique or attacker intent, every case follows the same fundamental sequence: the attacker poisons web content, hides the payload from human view, waits for an AI agent to ingest the page, exploits the LLM&#8217;s inability to distinguish trusted instructions from attacker-controlled content, and triggers a real-world action with a covert exfiltration return channel back to the attacker,\u00bb the company <a href=\"https:\/\/www.forcepoint.com\/blog\/x-labs\/indirect-prompt-injection-payloads\">said<\/a>.\n    <\/p>\n<\/p><\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Covert browser data access<\/span><\/p>\n<p class=\"td-desc\">\n      The Claude desktop app has been <a href=\"https:\/\/www.thatprivacyguy.com\/blog\/anthropic-spyware\/\">found<\/a> granting itself permission to access web browser data, including for browsers that are not installed on the user&#8217;s computer, according to web privacy expert Alexander Hanff. The app writes configuration files into the preset Native Messaging locations of Chromium-based browsers such as Brave, Google Chrome, Microsoft Edge, and Vivaldi. These host manifests pre-authorize Claude to interact with the browser even before the user installs it. Hanff described the behavior as a dark pattern that violates E.U. privacy law. For anyone auditing their own machine, a native messaging host manifest is a small JSON file that names the native program and the extension IDs allowed to launch it; the browser only acts on it once a listed extension is installed, so the manifests themselves, not a running process, are what to look for.\n    <\/p>\n<\/p><\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Hardware display protection<\/span><\/p>\n<p class=\"td-desc\">\n      The U.K. National Cyber Security Centre (NCSC) has unveiled a new technology called SilentGlass that&#8217;s designed to protect video connections from cyber attacks. 
\u00abSilentGlass, a plug-and-play device, actively blocks anything unexpected or malicious between HDMI and Display Port connections and screens,\u00bb NCSC <a href=\"https:\/\/www.ncsc.gov.uk\/news\/world-first-ncsc-engineered-device-secures-vulnerable-display-links\">said<\/a>. \u00abAlready successfully deployed on Government estates, SilentGlass is now available for anyone to buy and use. It has been approved for use in the most high-threat environments.\u00bb\n    <\/p>\n<\/p><\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Passkeys replace passwords<\/span><\/p>\n<p class=\"td-desc\">\n      In a related development, the NCSC also endorsed <a href=\"https:\/\/www.ncsc.gov.uk\/passkeys\">passkeys<\/a> as the default authentication standard and the \u00abfirst choice of login\u00bb for access to all digital services. \u00abPasskeys are a newer method for logging into online accounts, which do much of the heavy lifting for users, only requiring user approval rather than needing to input a password,\u00bb NCSC <a href=\"https:\/\/www.ncsc.gov.uk\/news\/ncsc-leave-passwords-in-the-past-passkeys-are-the-future\">said<\/a>. \u00abThis makes passkeys quicker and easier to use and harder for cyber attackers to compromise.\u00bb It also said the majority of cyber harms to individuals begin with criminals stealing or compromising login details, which makes passkey adoption a \u00abhuge leap\u00bb in boosting resilience to phishing attacks. More than 50% of active Google services users in the U.K. 
are said to be already using passkeys.\n    <\/p>\n<\/p><\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Backdoor sabotage claims<\/span><\/p>\n<p class=\"td-desc\">\n      Reports from Iranian media have claimed that hardware made by Cisco, Juniper, Fortinet, and MikroTik either rebooted or disconnected during recent attacks on Iran, despite the country being cut off from the global internet. \u00abThe most striking and suspicious aspect of this incident is its precise timing and the lack of access to the international internet at that moment,\u00bb Iranian news website Entekhab <a href=\"https:\/\/www.entekhab.ir\/003qie\">said<\/a>. \u00abThis disruption occurred at a time when international gateways were effectively blocked or inaccessible; therefore, attributing this chain collapse to &#8216;a simple cyber attack from beyond the borders&#8217; is not only unconvincing but also reveals the traces of deep-seated sabotage embedded within the equipment.\u00bb The report hypothesizes the presence of hidden firmware backdoors or rogue implants within compromised devices, creating a dormant botnet that&#8217;s activated when a certain event occurs without the need for internet access. The other possibility is a supply chain compromise. \u00abIf the chips or installation files of Cisco and Juniper products are compromised before entering the country, even replacing the operating system will not solve the problem, because the root of the problem is embedded in the hardware and read-only memory (ROM),\u00bb the report said. 
These arguments have found purchase in China, whose state media agency Xinhua <a href=\"https:\/\/english.news.cn\/20260417\/7c6c61509f1e4f4c87f97ad9f7a20bf0\/c.html\">called<\/a> U.S.-made equipment the \u00abreal trojan horse.\u00bb The reports come as DomainTools <a href=\"https:\/\/dti.domaintools.com\/research\/mois-linked-moist-grasshopper-homeland-justice-karmabelow80-handala-hackers-campaigns-and-evolution\">revealed<\/a> that the various hacktivist personas adopted by Iran, such as Homeland Justice, Karma, and Handala, \u00abconstitute a coordinated, MOIS-aligned cyber influence ecosystem operating under multiple branded identities that serve distinct but complementary operational roles.\u00bb\n    <\/p>\n<\/p><\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Ransomware infighting escalates<\/span><\/p>\n<p class=\"td-desc\">\n      The Krybit ransomware group has hacked the website of rival ransomware group 0APT after the latter <a href=\"https:\/\/x.com\/AlvieriD\/status\/2043661269861904492\">threatened<\/a> to dox Krybit&#8217;s members. According to security firm <a href=\"https:\/\/barricadecyber.com\/threat-intelligence-report-krybit-ransomware-panel-breach-by-0apt\/\">Barricade<\/a>, 0APT leaked the complete database of the Krybit ransomware operation, including victim records, plaintext credentials, Bitcoin wallets, encryption tokens, and a 56MB exfiltration file inventory. In retaliation, Krybit compromised 0APT&#8217;s server within 48 hours, defaced its data leak site, and published source code, bash history, Nginx logs, and system files. 
To rub salt into the wound, the group listed 0APT as victim #1 on its own leak site.\n    <\/p>\n<\/p><\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Stealth malware-as-a-service<\/span><\/p>\n<p class=\"td-desc\">\n      Ctrl-Alt-Intel has documented a new cryptor-as-a-service platform called FUD Crypt (fudcrypt[.]net). \u00abFor $800 to $2,000 per month, subscribers upload an arbitrary Windows executable and receive a multi-stage deployment package that attempts automatic DLL sideloading, in-memory AMSI and ETW interference, silent UAC elevation via CMSTPLUA, and Windows Defender tamper via Group Policy on Enterprise builds,\u00bb the company <a href=\"https:\/\/ctrlaltintel.com\/research\/FudCrypt-analysis-1\/\">said<\/a>.\n    <\/p>\n<\/p><\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Formbook phishing surge<\/span><\/p>\n<p class=\"td-desc\">\n      Two phishing campaigns targeting companies in Greece, Spain, Slovenia, and Bosnia, as well as in Latin and Central America, are using different techniques, including DLL side-loading, to deliver Formbook malware. \u00abFormBook is a data-stealing malware that targets Windows systems, primarily distributed through phishing emails with malicious attachments,\u00bb WatchGuard <a href=\"https:\/\/www.watchguard.com\/wgrd-security-hub\/secplicity-blog\/formbook-malware-analysis-phishing-campaigns-use-dll-side-loading\">said<\/a>. 
\u00abIt collects sensitive information like login credentials, browser data, and screenshots, using advanced evasion techniques to avoid detection.\u00bb\n    <\/p>\n<\/p><\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Stealth .NET execution abuse<\/span><\/p>\n<p class=\"td-desc\">\n      A sophisticated, multi-stage post-exploitation framework, tracked by CYFIRMA as Operation PhantomCLR, has been observed targeting financial-sector organizations in the Middle East and the wider EMEA region. \u00abThe threat actor leverages a legitimate, digitally signed Intel utility (IAStorHelp.exe) by abusing the .NET AppDomainManager mechanism, effectively turning a trusted binary into a stealthy execution container,\u00bb CYFIRMA <a href=\"https:\/\/www.cyfirma.com\/research\/operation-phantomclr-stealth-execution-via-appdomain-hijacking-and-in-memory-net-abuse\/\">said<\/a>. \u00abThis approach allows malicious code to be executed within a trusted environment. It bypasses conventional security controls without modifying the original signed binary.\u00bb The technique works because the .NET Framework runtime loads whatever AppDomainManager assembly is named in the host executable&#8217;s configuration file (or in the APPDOMAIN_MANAGER_ASM and APPDOMAIN_MANAGER_TYPE environment variables) before the program&#8217;s own entry point runs, so the attacker&#8217;s code executes inside the signed process while the binary on disk and its signature stay intact. Defenders should therefore look for unexpected .exe.config files and those environment variables alongside signed binaries rather than relying on signature checks alone. 
The attack begins with a phishing email containing a ZIP archive, which holds an <a href=\"https:\/\/www.splunk.com\/en_us\/blog\/security\/lnk-phishing-analysis-simulation.html\">LNK file<\/a>, disguised as a PDF document, that launches \u00abIAStorHelp.exe.\u00bb It&#8217;s currently not known who is behind the campaign, but the level of sophistication, modular design, and operational discipline suggest capabilities consistent with advanced threat actors.\n    <\/p>\n<\/p><\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">RAT plus adware bundle<\/span><\/p>\n<p class=\"td-desc\">\n      A new malware campaign is spreading a remote access trojan and adware together, giving attackers both persistent access and a revenue stream. The campaign uses a loader to deliver the Gh0st RAT <a href=\"https:\/\/www.cyfirma.com\/news\/weekly-intelligence-report-20-february-2026\/\">trojan<\/a> and CloverPlus adware, unwanted software that installs advertising components and changes browser behavior such as start pages and pop-up ads, per <a href=\"https:\/\/www.splunk.com\/en_us\/blog\/security\/detecting-ghost-rat-cloverplus-adware-loader-analysis.html\">Splunk<\/a>.\n    <\/p>\n<\/p><\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">macOS stealth execution abuse<\/span><\/p>\n<p class=\"td-desc\">\n      In a new analysis, Cisco Talos revealed that bad actors can bypass security controls in Apple macOS by repurposing native features like Remote Apple Events (RAE) for remote execution and abusing Spotlight metadata (Finder comments) to stage payloads in a way that evades static file analysis. 
\u00abBecause Finder is scriptable over RAE, the comment of a file on a remote machine can be set via the \u201ceppc:\/\/\u201d protocol. By Base64 encoding a payload locally, a multi-line script can be stored within this single string field. The make new file command handles the creation of the target file, ensuring that no pre-existing file is required,\u00bb Talos <a href=\"https:\/\/blog.talosintelligence.com\/bad-apples-weaponizing-native-macos-primitives-for-movement-and-execution\/\">said<\/a>. \u00abThe payload resides entirely within the Spotlight metadata, a location that remains largely unexamined by standard endpoint detection and response (EDR) solutions. This creates a stealthy staging area where malicious code can persist on the disk without triggering alerts associated with suspicious file contents.\u00bb On disk, a Finder comment lives in the file&#8217;s com.apple.metadata:kMDItemFinderComment extended attribute, so it can be enumerated with xattr or queried through Spotlight with mdfind even when the file&#8217;s own contents look benign, which is where a hunt for this technique should start. In addition, attackers can move toolkits and establish persistence using built-in tools and protocols such as SMB, Netcat, Git, TFTP, and SNMP, operating entirely outside the visibility of SSH-based telemetry. In some cases, adversaries can also bypass built-in restrictions by using Terminal as a proxy for execution, encoding payloads in Base64 and deploying them in stages.\n    <\/p>\n<\/p><\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">LLM agent testing framework<\/span><\/p>\n<p class=\"td-desc\">\n      A group of academics has released a hackable, modular, and configurable open-source framework called <a href=\"https:\/\/github.com\/umass-aisec\/Terrarium\">Terrarium<\/a> for studying and evaluating decentralized LLM-based multi-agent systems (MAS). 
\u00abAs the capabilities of agents progress (e.g., tool calling) and their state space expands (e.g., the internet), multi-agent systems will naturally arise in unique and unexpected scenarios,\u00bb the researchers <a href=\"https:\/\/arxiv.org\/abs\/2510.14312v1\">said<\/a>, adding it acts as \u00aban isolated playground for studying agent behavior, vulnerabilities, and safety. It enables full customization of the communication protocol, communication proxy, environment, tool usage, and agents.\u00bb\n    <\/p>\n<\/p><\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">AI data privacy purge<\/span><\/p>\n<p class=\"td-desc\">\n      According to <a href=\"https:\/\/www.reuters.com\/legal\/government\/ai-company-deleted-okcupid-user-photos-data-after-ftc-scrutiny-2026-04-20\/\">Reuters<\/a>, AI company Clarifai said it has deleted 3 million profile photos taken from dating site OkCupid in 2014. It follows a settlement reached last month between the U.S. Federal Trade Commission (FTC) and Match Group, OkCupid&#8217;s owner. Clarifai is said to have certified the data deletion to the FTC on April 7, 2026, and deleted any models that trained on the data. The company also emphasized that it hadn&#8217;t shared the data with third parties. The FTC opened the investigation in 2019, after The New York Times <a href=\"https:\/\/www.nytimes.com\/2019\/03\/01\/business\/ethics-artificial-intelligence.html\">reported<\/a> that Clarifai had <a href=\"https:\/\/www.nytimes.com\/2019\/07\/13\/technology\/databases-faces-facial-recognition-technology.html\">built<\/a> a training database using OkCupid dating profile photos. 
The behavior was a direct violation of OkCupid&#8217;s privacy policy, although Clarifai was not accused of wrongdoing.\n    <\/p>\n<\/p><\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Zero-credential RCE chain<\/span><\/p>\n<p class=\"td-desc\">\n      VulnCheck said it&#8217;s seeing active exploitation of the Apache ActiveMQ Jolokia remote code execution chain that strings together CVE-2026-34197 and CVE-2024-32114. \u00abCVE-2024-32114 removes authentication from the Jolokia endpoint entirely on ActiveMQ versions 6.0.0 through 6.1.1,\u00bb VulnCheck&#8217;s Jacob Baines <a href=\"https:\/\/www.linkedin.com\/posts\/jacob-baines-1490a7189_the-vulncheck-canary-network-is-seeing-active-share-7452736851557380096-0VkW\/\">said<\/a>. \u00abCombined with CVE-2026-34197, that is zero-credential RCE.\u00bb In practice, the exposed surface is the \/api\/jolokia endpoint of the broker&#8217;s web console (port 8161 by default), so any Internet-reachable console on an unpatched 6.x broker should be treated as exposed; the fix for CVE-2024-32114 shipped in ActiveMQ 6.1.2.\n    <\/p>\n<\/p><\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Stealth phishing lure<\/span><\/p>\n<p class=\"td-desc\">\n      There has been a surge in phishing emails that use empty subject lines to get users to open the message without the usual warning cues. Known as silent subject or null subject phishing, the technique exploits a blind spot in email defenses: filters that key on suspicious subject-line keywords have nothing to match. \u00abEmails with empty subject lines evade user suspicion by exploiting human curiosity,\u00bb CyberProof <a href=\"https:\/\/www.cyberproof.com\/blog\/silent-lures-the-rise-of-empty-subject-email-attacks\/\">said<\/a>. 
\u00abThe primary objective of a silent subject campaign is to gain initial access through social engineering, leading to credential compromise, unauthorized access, and potential lateral movement within targeted environments, especially focusing on high-value or VIP users.\u00bb\n    <\/p>\n<\/p><\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Industrial-scale SIM farms<\/span><\/p>\n<p class=\"td-desc\">\n      A Belarus-linked turnkey platform called ProxySmart is helping SIM farm operators support cybercrime on an industrial scale, according to Infrawatch, which said it identified 87 ProxySmart control panels in 17 countries linked to at least 24 commercial proxy providers and 35 cellular carriers. The footprint spans 94 phone farm locations, distributed across 19 U.S. states as well as countries in Europe and South America. ProxySmart provides an end-to-end platform for operating and monetizing mobile proxy infrastructure, including farm management, device control, customer provisioning, retail proxy sales, and payment handling. It&#8217;s accessible via a web-based control panel that&#8217;s self-hosted by the farm operator. Devices in the farms are either physical Android phones or USB 4G\/5G modems. The phones are enrolled via an unsigned Android APK package downloaded from the ProxySmart website, with SMS send and receive capability included. Modems are managed through ModemManager, the open-source Linux daemon for mobile broadband modems. The ProxySmart service is written in Python and obfuscated using PyArmor. 
\u00abProxySmart is publicly associated with a Belarus-based vendor footprint and offers an end-to-end stack for operating and monetizing a physical farm, including device management, automated IP rotation, customer provisioning, plan enforcement, and anti-bot countermeasures,\u00bb the company <a href=\"https:\/\/infrawatch.com\/blog\/inside-the-mobile-farm-the-oem-stack-powering-us-4g-5g-proxy-networks#blogpost\">said<\/a>. \u00abTechnical analysis indicates operator capabilities consistent with large-scale evasion enablement, including automated IP rotation, remote device control, and network fingerprint spoofing.\u00bb SIM farms enable a range of cybercrime activity such as smishing, premium-rate number fraud, bot sign-ups, and one-time password interception. In response to the findings, ProxySmart <a href=\"https:\/\/proxysmart.org\/a-response-to-recent-third-party-research\/\">disputed<\/a> its characterization as a SIM farm, stating it&#8217;s a \u00abdata-path proxy management platform\u00bb and that its mobile proxy infrastructure \u00abunderpins a wide range of legitimate commercial and research activity\u00bb including advertising verification, brand protection, price monitoring, and anti-fraud model training, among others.\n    <\/p>\n<\/p><\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Telegram under CSAM probe<\/span><\/p>\n<p class=\"td-desc\">\n      Ofcom, the U.K.&#8217;s independent communications regulator, has launched an investigation into Telegram under the country&#8217;s Online Safety Act to examine whether the platform is being used to share child sexual abuse material (CSAM) and is doing enough to combat the threat. 
\u00abWe received evidence from the Canadian Centre for Child Protection regarding the alleged presence and sharing of child sexual abuse material on Telegram, and carried out our own assessment of the platform,\u00bb Ofcom <a href=\"https:\/\/www.ofcom.org.uk\/online-safety\/illegal-and-harmful-content\/ofcom-investigates-telegram-and-teen-chat-sites\">said<\/a>. \u00abIn light of this, we have decided to open an investigation to examine whether Telegram has failed, or is failing, to comply with its duties in relation to illegal content.\u00bb In a statement <a href=\"https:\/\/therecord.media\/uk-regulator-to-probe-telegram-over-csam-allegations\">shared<\/a> with The Record, Telegram said it \u00abcategorically denies Ofcom&#8217;s accusations,\u00bb adding it has \u00abvirtually eliminated the public spread of CSAM on its platform through world-class detection algorithms and cooperation with NGOs.\u00bb Earlier this year, Ofcom also <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/uk-probes-telegram-teen-chat-sites-over-csam-sharing-concerns\/\">commenced<\/a> a probe into X to determine whether the service is taking necessary steps to take down illegal content, including non-consensual intimate images and CSAM.\n    <\/p>\n<\/p><\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">EU cracks disinfo ops<\/span><\/p>\n<p class=\"td-desc\">\n      The European Union <a href=\"https:\/\/www.consilium.europa.eu\/en\/press\/press-releases\/2026\/04\/21\/russian-hybrid-threats-eu-lists-two-entities-over-information-manipulation-activities\/\">imposed sanctions<\/a> on two pro-Russian organizations accused of spreading disinformation and supporting the Kremlin&#8217;s hybrid influence operations against Europe and Ukraine. The measures target Euromore and the Foundation for the Support and Protection of the Rights of Compatriots Living Abroad (Pravfond). 
The move is part of the E.U.&#8217;s broader effort to counter Russian information and influence operations targeting Europe since the start of Moscow&#8217;s full-scale invasion of Ukraine in 2022. In total, the E.U. has now sanctioned 69 individuals and 19 entities linked to Russian hybrid warfare.\n    <\/p>\n<\/p><\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Bot farm dismantled<\/span><\/p>\n<p class=\"td-desc\">\n      Ukrainian authorities have <a href=\"https:\/\/t.me\/SBUkr\/17353\">dismantled<\/a> a bot farm that&#8217;s alleged to have supplied thousands of fake social media accounts to Russian intelligence services for use in disinformation campaigns against Ukraine. The suspected organizer of the network has been detained in the northern city of Zhytomyr, and nearly 20,000 fraudulent online profiles that were used in information operations have been blocked. The suspect is believed to have sold more than 3,000 fake Telegram accounts each month to Russian clients. The accounts were created using Ukrainian mobile phone numbers and then advertised on online platforms used by pro-Russian actors. If convicted, the suspect faces up to six years in prison.\n    <\/p>\n<\/p><\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Malicious extensions surge<\/span><\/p>\n<p class=\"td-desc\">\n      More than 130,000 users have downloaded and installed malicious Chrome and Edge extensions that, while offering the promised functionality, also implement covert tracking, remote configuration capabilities, and data collection mechanisms. The 12 extensions posed as tools to download TikTok videos and were available through the official Chrome and Edge stores. The activity has been codenamed StealTok. 
The extensions have been found to use remote configuration to bypass store review. \u00abBeyond privacy concerns, the use of remote configuration endpoints introduces a significant security risk, enabling post-installation behavior changes that bypass marketplace review mechanisms,\u00bb LayerX <a href=\"https:\/\/layerxsecurity.com\/blog\/stealtok-130k-users-compromised-by-data-stealing-tiktok-video-downloaders\/\">said<\/a>.\n    <\/p>\n<\/p><\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Joomla SEO spam backdoor<\/span><\/p>\n<p class=\"td-desc\">\n      In a new campaign spotted by Sucuri, threat actors are planting a new PHP-based backdoor on Joomla sites to inject SEO spam. The injected script acts as a remote loader to send information about the infected website and awaits further instructions from an attacker-controlled server. \u00abAttackers inject malicious code that silently serves spam content to visitors and search engines, all without the site owner knowing,\u00bb Sucuri <a href=\"https:\/\/blog.sucuri.net\/2026\/04\/joomla-seo-spam-injector-obfuscated-php-backdoor-hijacking-site-visitors.html\">said<\/a>. 
\u00abThe goal is simple: abuse the site&#8217;s reputation to push traffic towards products the attacker wants to promote.\u00bb\n    <\/p>\n<\/p><\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Post-exfiltration data trade<\/span><\/p>\n<p class=\"td-desc\">\n      A new service called Leak Bazaar has been promoted on the Russian-speaking TierOne forum that claims to process data stolen from extortion and ransomware attacks and turn it into \u00absomething more legible, more selective and precise, and making it marketable for the general population to ingest.\u00bb It&#8217;s advertised by a user named Snow, who joined the forum on March 3, 2026. \u00abWhat Leak Bazaar is really offering is not a DLS or Data or Dedicated Leak Site in the conventional sense, but a post-exfiltration service layer,\u00bb Flare <a href=\"https:\/\/flare.io\/learn\/resources\/blog\/leak-bazaar-inside-new-criminal-platform\">said<\/a>. \u00abIt is trying to reassure both suppliers and buyers that the platform can solve the most frustrating part of data theft, which is that a large percentage of exfiltrated material is too noisy, too unstructured, or too cumbersome to use without additional labor.\u00bb\n    <\/p>\n<\/p><\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">RDP scanning concentration<\/span><\/p>\n<p class=\"td-desc\">\n      GreyNoise has <a href=\"https:\/\/www.greynoise.io\/blog\/ip-addresses-behind-nearly-half-rdp-internet-scanning\">disclosed<\/a> that a small cluster of 21 IP addresses is now responsible for generating nearly half of all the RDP scanning traffic on the public internet. The addresses are registered to ColocaTel (AS213438), a company based in the Seychelles. 
According to the threat intelligence firm, mass internet scanning activity is now <a href=\"https:\/\/www.greynoise.io\/blog\/the-internet-changes-before-the-advisory-drops\">preceding vendor vulnerability disclosures<\/a> more frequently than before, with 49% of surges arriving within 10 days of disclosure and 78% within 21 days. In a related development, security researcher Morgan Robertson revealed that almost three-quarters of Perforce P4 source code management servers connected to the internet are misconfigured and leaking source code and sensitive files. \u00abThe default Perforce settings allow unauthenticated users to create accounts, list existing users, access passwordless accounts, and, until version 2025.1, allowed syncing repositories remotely; potentially exposing intellectual property across more than a dozen sectors, including gaming, healthcare, automotive, finance, and government,\u00bb Robertson <a href=\"https:\/\/morganrobertson.net\/p4wned\/\">said<\/a>. \u00abAction is recommended for all Perforce administrators to ensure security hardening, including setting stronger authentication requirements, disabling automatic account creation, and raising security levels.\u00bb\n    <\/p>\n<\/p><\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Emerging threat groups surge<\/span><\/p>\n<p class=\"td-desc\">\n      Various new hacktivist, data extortion, and ransomware crews have been spotted in the wild. 
These include <a href=\"https:\/\/www.darkowl.com\/blog-content\/harakat-ashab-al-yamin-al-islamia-a-new-group-or-part-of-a-broader-iranian-aligned-network\/\">Harakat Ashab al-Yamin al-Islamia<\/a>, <a href=\"https:\/\/breachcache.com\/cases\/worldleaks-extortion\/\">World Leaks<\/a>, <a href=\"https:\/\/cyberxtron.com\/resources\/blogs\/lamashtu-threat-report-an-emerging-data-extortion-group-targeting-global-organizations-7623\">Lamashtu<\/a>, <a href=\"https:\/\/www.zscaler.com\/blogs\/security-research\/payouts-king-takes-aim-ransomware-throne\">Payouts King<\/a>, <a href=\"https:\/\/labs.infoguard.ch\/posts\/bravox\/bravox\/\">BravoX<\/a>, <a href=\"https:\/\/marlink.com\/resources\/knowledge-hub\/black-shrantac-inside-the-ransomware-group-weaponising-legitimate-tools-against-global-organisations\/\">Black Shrantac<\/a>, <a href=\"https:\/\/www.cyfirma.com\/news\/weekly-intelligence-report-17-april-2026\/\">NBLOCK<\/a>, <a href=\"https:\/\/www.cyfirma.com\/news\/weekly-intelligence-report-20-february-2026\/\">Ndm448<\/a>, <a href=\"https:\/\/www.cyfirma.com\/news\/weekly-intelligence-report-13-march-2026\/\">Chip<\/a>, <a href=\"https:\/\/www.cyfirma.com\/news\/weekly-intelligence-report-13-february-2026\/\">Ransoomed<\/a>, and <a href=\"https:\/\/www.cyfirma.com\/news\/weekly-intelligence-report-20-march-2026\/\">Zollo<\/a>.\n    <\/p>\n<\/p><\/div>\n<\/li>\n<\/ol>\n<\/section>\n<\/div>\n<p>None of this is new. That is the problem. Old paths still open, basic checks still skipped, and trust still given where it should not be. Attackers are not doing anything magical; they are just faster and less careful because they do not need to be.<\/p>\n<p>The fixes are known but ignored. Patch early, check what you install, limit access, and stop trusting inputs by default. Most of the damage comes from things that were easy to prevent. 
Same story next week.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>\ue804Ravie Lakshmanan\ue802Apr 23, 2026Hacking News \/ Cybersecurity News You scroll past one incident and see another that feels familiar, like it should have been fixed years ago, but it still&hellip;<\/p>\n","protected":false},"author":1,"featured_media":698,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[1379,383,1380,1384,637,1381,421,1382,1383,187],"class_list":["post-697","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-290m","tag-abuse","tag-defi","tag-farms","tag-hack","tag-lotl","tag-macos","tag-proxysmart","tag-sim","tag-stories"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/697","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=697"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/697\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/698"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=697"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=697"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&pos
t=697"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}