Major Data Breaches
Rockstar Games Breach
Summary:
Rockstar Games suffered a significant breach this week, with the ShinyHunters threat group claiming responsibility. Attackers reportedly accessed Rockstar’s Snowflake cloud servers by exploiting a breach in the Anodot monitoring service. The group demanded a ransom to prevent the release of stolen data.
Key Details:
- Organization: Rockstar Games
- Attack Vector: Compromised Anodot monitoring service credentials
- Data Exfiltration: Yes, details on the volume and type of data are still emerging
- Ransom Demand: Confirmed, but amount undisclosed
- Discovery Date: April 2026
Cross-reference notes:
Multiple sources confirm ShinyHunters’ involvement and the use of a third-party service as the initial access vector.[1]
Anodot Cloud Token Theft
Summary:
Hackers infiltrated Anodot, stealing authentication tokens used by customers to access cloud storage. These tokens were then used to exfiltrate data from over a dozen organizations, highlighting the risks of supply chain and third-party service dependencies.
Key Details:
- Organization: Anodot (impacting multiple customers)
- Attack Vector: Theft of authentication tokens
- Data Exfiltration: Confirmed for multiple organizations
- Discovery Date: April 2026
Cross-reference notes:
This incident is linked to the Rockstar Games breach and demonstrates the cascading impact of third-party compromises.[1]
Brockton Hospital (Signature Healthcare) Attack
Summary:
Signature Healthcare’s Brockton Hospital experienced a cyberattack that forced the diversion of ambulances and caused significant network disruption. Inpatient and emergency services remained operational, but the attack underscored the ongoing threat to healthcare infrastructure.
Key Details:
- Organization: Signature Healthcare (Brockton Hospital)
- Impact: Ambulance diversion, network disruption
- Discovery Date: April 2026
Cross-reference notes:
Healthcare remains a top target, with ransomware and network outages causing direct patient care impacts.[1]
Significant Cyberattacks
Winona County Ransomware Attack
Summary:
Winona County, Minnesota, was hit by a ransomware attack that disrupted computer systems. Emergency services and 911 operations were not affected, but other county operations experienced downtime.
Key Details:
- Organization: Winona County, MN
- Attack Vector: Ransomware (variant not disclosed)
- Impact: Disruption of county systems, emergency services unaffected
- Discovery Date: April 2026
Cross-reference notes:
Local government entities continue to be targeted by ransomware, with varying impacts on public services.[1]
GlassWorm Campaign Targets Developer IDEs
Summary:
A new evolution of the GlassWorm campaign was observed, using a Zig-compiled dropper to infect multiple developer IDEs via a malicious Open VSX extension. The extension, masquerading as a legitimate WakaTime tracker, was quickly removed after discovery.
Key Details:
- Malware Family: GlassWorm
- Attack Vector: Malicious IDE extension (Open VSX)
- Impact: Stealthy infection of developer environments
- Discovery Date: April 2026
Cross-reference notes:
This campaign highlights the growing risk of supply chain attacks targeting developer tools.[2]
Smart Slider 3 Pro Supply Chain Attack
Summary:
Unknown threat actors compromised the update system for the Smart Slider 3 Pro plugin (WordPress/Joomla), distributing a backdoored version (3.5.1.35) via the official update channel. The malicious update was available for approximately six hours before detection.
Key Details:
- Product: Smart Slider 3 Pro (WordPress/Joomla)
- Attack Vector: Compromised update infrastructure
- Impact: Remote access toolkit deployed to affected sites
- Discovery Date: April 7, 2026
Cross-reference notes:
This incident underscores the importance of monitoring plugin update channels for tampering.[2]
Critical Vulnerabilities
Marimo RCE Flaw (CVE-2026-39987)
Summary:
A critical pre-authenticated remote code execution vulnerability (CVE-2026-39987, CVSS 9.3) was disclosed in Marimo, an open-source Python notebook. The flaw was exploited within 10 hours of public disclosure, allowing attackers to obtain a full PTY shell via an unauthenticated WebSocket endpoint.
Key Details:
- Product: Marimo (all versions ≤ 0.20.4)
- CVE: CVE-2026-39987
- CVSS Score: 9.3
- Attack Vector: Unauthenticated WebSocket endpoint
- Patch Available: Yes, in version 0.23.0
- Exploitation: Confirmed in the wild
Cross-reference notes:
Rapid exploitation highlights the need for immediate patching of critical vulnerabilities.[2]
EngageLab SDK Android Flaw
Summary:
A now-patched vulnerability in the EngageLab SDK, used by millions of Android apps (including 30M crypto wallet installs), allowed apps to bypass Android’s security sandbox and access private data. The Microsoft Defender Security Research Team published details and confirmed the risk to cryptocurrency wallet users.
Key Details:
- Product: EngageLab SDK (Android)
- Impact: Unauthorized access to private data across apps
- Affected Users: 50M+ (including 30M crypto wallet installs)
- Patch Status: Patched
Cross-reference notes:
This vulnerability demonstrates the risks posed by third-party SDKs in mobile app ecosystems.[2]
Fortinet FortiClient Zero-Day
Summary:
Fortinet issued an emergency patch for a zero-day vulnerability in FortiClient, which was being actively exploited. Details on the CVE and technical specifics are pending, but organizations are urged to update immediately.
Key Details:
- Product: FortiClient
- Vulnerability: Zero-day (details pending)
- Patch Status: Emergency patch released
Cross-reference notes:
Active exploitation and emergency patching signal a high-priority risk for enterprise users.[3]
Government Responses
CISA Adds New Exploited Vulnerabilities to Catalog
Summary:
CISA added multiple new vulnerabilities to its Known Exploited Vulnerabilities Catalog this week, including seven on April 13 and one on April 8. These advisories provide actionable intelligence for defenders and mandate patching timelines for federal agencies.
Key Details:
- Dates: April 8, 2026; April 13, 2026
- Action: Addition of new exploited vulnerabilities to CISA catalog
- Impact: Federal agencies required to patch; private sector strongly advised
Cross-reference notes:
CISA’s catalog remains a critical resource for tracking active exploitation trends.[4]
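As an added example (not from this report or from CISA's own tooling), the following Python triages entries from a KEV-shaped feed against a local asset inventory: it selects the entries added in a date window and orders them by days left until the federal due date. The feed contents and the inventory are constructed sample data; only the JSON field names follow the public catalog feed.

```python
import json
from datetime import date

# Constructed stand-in for the CISA KEV JSON feed. Only the shape matches the real
# feed (top-level "vulnerabilities" array with cveID, vendorProject, product,
# dateAdded, dueDate, requiredAction); CVE ids and products are placeholders.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor",
     "product": "ExampleGateway", "dateAdded": "2026-04-08",
     "dueDate": "2026-04-29", "requiredAction": "Apply mitigations per vendor instructions."},
    {"cveID": "CVE-0000-00002", "vendorProject": "ExampleVendor",
     "product": "ExampleAgent", "dateAdded": "2026-04-13",
     "dueDate": "2026-05-04", "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-0000-00003", "vendorProject": "OtherVendor",
     "product": "OtherProduct", "dateAdded": "2026-03-02",
     "dueDate": "2026-03-23", "requiredAction": "Apply updates per vendor instructions."},
]})

# Constructed asset inventory: product name -> hosts running it.
INVENTORY = {"ExampleGateway": ["gw-01", "gw-02"], "ExampleAgent": ["wks-17"]}


def added_between(feed_json, start, end):
    """Return KEV entries whose dateAdded falls within [start, end] inclusive."""
    feed = json.loads(feed_json)
    return [v for v in feed["vulnerabilities"]
            if start <= date.fromisoformat(v["dateAdded"]) <= end]


def triage(entries, inventory, today):
    """Match KEV entries to the inventory and sort by days left until dueDate.
    Products we do not run are dropped; overdue entries get negative days."""
    report = []
    for v in entries:
        hosts = inventory.get(v["product"], [])
        if not hosts:
            continue
        days_left = (date.fromisoformat(v["dueDate"]) - today).days
        report.append({"cve": v["cveID"], "product": v["product"], "hosts": hosts,
                       "days_left": days_left, "action": v["requiredAction"]})
    return sorted(report, key=lambda r: r["days_left"])


if __name__ == "__main__":
    new = added_between(KEV_SAMPLE, date(2026, 4, 8), date(2026, 4, 13))
    for row in triage(new, INVENTORY, date(2026, 4, 14)):
        print(f"{row['cve']} {row['product']}: {row['days_left']} days left on "
              f"{', '.join(row['hosts'])} -> {row['action']}")
```

Matching on the bare product name is a simplification; a real inventory lookup should key on vendor, product and installed version so that already-patched hosts drop out of the report.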
CISA Advisory: Iranian-Affiliated Actors Target US Critical Infrastructure
Summary:
CISA released an advisory (AA26-097A) detailing how Iranian-affiliated cyber actors are exploiting programmable logic controllers (PLCs) across US critical infrastructure sectors. The advisory includes TTPs, IOCs, and recommended mitigations.
Key Details:
- Threat Actor: Iranian-affiliated groups
- Target: US critical infrastructure (PLCs)
- Advisory: AA26-097A
- Mitigations: Provided in CISA advisory
Cross-reference notes:
This advisory highlights the ongoing threat from state-sponsored actors targeting industrial control systems.[4]
Miscellaneous
AI Browser Extensions: New Enterprise Threat Surface
Summary:
A new report from LayerX reveals that AI-powered browser extensions are emerging as a significant, under-monitored threat surface. These extensions are more likely to have vulnerabilities, elevated permissions, and access to sensitive data, yet often evade traditional security controls.
Key Details:
- Threat: AI browser extensions
- Risks: High vulnerability rate, elevated permissions, data access
- Recommendation: Increased monitoring and policy controls
Cross-reference notes:
The report urges enterprises to treat browser extensions as critical assets in their security posture.[2]
Source List
- [1] CSIDB: Cyber Security Incident Database
- [2] The Hacker News
- [3] Dark Reading: Cyberattacks & Data Breaches
- [4] CISA Cybersecurity Advisories
End of Report
