Cybersecurity Week in Review: April 21–April 27, 2026

Cyberattacks, data breaches, zero-days, and global responses—discover the biggest cybersecurity headlines of this week.

Major Data Breaches

Checkmarx GitHub Repository Data Leak

Summary:
Checkmarx, an Israeli application security vendor, confirmed that data from one of its GitHub repositories was published on the dark web following a supply chain attack first detected on March 23, 2026. The company stated that the affected repository is separate from its customer production environment and does not store customer data. The investigation is ongoing, and Checkmarx has locked down access to the compromised repository as a precaution. The company has pledged to notify customers if any of their information is found to be involved.

Key Details:

  • Organization: Checkmarx (Israel)
  • Data Exposed: Internal repository data (no customer data confirmed)
  • Attack Vector: Supply chain compromise
  • Discovery Date: March 23, 2026 (public disclosure and dark web posting confirmed this week)
  • Response: Repository access locked, forensic investigation ongoing [1]

Significant Cyberattacks

PhantomCore Attacks on Russian TrueConf Servers

Summary:
A pro-Ukrainian hacktivist group, PhantomCore (also tracked as Fairy Trickster, Head Mare, Rainbow Hyena, and UNG0901), has been linked to a series of attacks on TrueConf video conferencing servers in Russia. The attackers chained three vulnerabilities to achieve remote code execution, even though no public exploit code existed for any of the three at the time. The campaign, active since September 2025, has led to numerous breaches across Russian organizations.

Key Details:

  • Threat Actor: PhantomCore
  • Target: TrueConf video conferencing servers (Russia)
  • Attack Vector: Exploit chain of three vulnerabilities (technical details undisclosed; no public exploits at the time)
  • Impact: Remote code execution on TrueConf servers, widespread compromise
  • Response: Ongoing investigation and remediation efforts [1]

Fast16 Malware Discovery

Summary:
Researchers uncovered a previously undocumented malware framework, dubbed “fast16,” that predates the Stuxnet worm by at least five years. Written in Lua, fast16 was designed to target high-precision engineering calculation software and tamper with its results across an entire facility. The discovery shows that purpose-built cyber sabotage tooling existed well before Stuxnet was found in 2010, and it raises concerns about the potential for similar attacks on industrial systems.

Key Details:

  • Malware: fast16
  • Target: Engineering and high-precision calculation software
  • Timeline: Framework dates back to 2005, at least five years before Stuxnet
  • Impact: Tampering with calculation results, potential for facility-wide disruption [1]

Critical Vulnerabilities

CISA Adds Four Exploited Flaws to KEV Catalog

Summary:
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added four actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, with a federal remediation deadline in May 2026. The vulnerabilities affect SimpleHelp remote support software, Samsung MagicINFO 9 Server, and D-Link DIR-823X series routers. All four have been observed in active exploitation campaigns.

Technical Details:

  • CVE-2024-57726 (CVSS 9.9): SimpleHelp missing authorization, privilege escalation
  • CVE-2024-57728 (CVSS 7.2): SimpleHelp path traversal, arbitrary file upload and code execution
  • CVE-2024-7399 (CVSS 8.8): Samsung MagicINFO 9 Server path traversal, code execution
  • CVE-2024-7400 (CVSS 8.1): D-Link DIR-823X router vulnerability (details undisclosed)
  • Response: Federal civilian agencies required to remediate by the May 2026 due date under Binding Operational Directive 22-01 [1][2]
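A KEV addition is only useful once it is joined to what you actually run. The script below is an added example, not code from the article or from CISA: it parses a feed excerpt in the shape of CISA's published KEV JSON (`vulnerabilities[]` entries with `cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`), keeps entries added since a given date, joins them to an asset inventory on vendor and product, and computes days remaining to each due date. The four entries mirror this week's additions but their `dateAdded`/`dueDate` values are constructed placeholders, and the inventory hosts are invented.

```python
"""Triage new CISA KEV entries against a local asset inventory.

Added example. The feed excerpt and the inventory below are CONSTRUCTED;
the dates are placeholders standing in for "added this week, due in May 2026",
not CISA's actual values.
"""
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# Only the fields this script reads are included.
KEV_SAMPLE = json.dumps({
    "catalogVersion": "constructed-sample",
    "vulnerabilities": [
        {"cveID": "CVE-2024-57726", "vendorProject": "SimpleHelp", "product": "SimpleHelp",
         "vulnerabilityName": "SimpleHelp Missing Authorization Vulnerability",
         "dateAdded": "2026-04-22", "dueDate": "2026-05-13"},
        {"cveID": "CVE-2024-57728", "vendorProject": "SimpleHelp", "product": "SimpleHelp",
         "vulnerabilityName": "SimpleHelp Path Traversal Vulnerability",
         "dateAdded": "2026-04-22", "dueDate": "2026-05-13"},
        {"cveID": "CVE-2024-7399", "vendorProject": "Samsung", "product": "MagicINFO 9 Server",
         "vulnerabilityName": "Samsung MagicINFO 9 Server Path Traversal Vulnerability",
         "dateAdded": "2026-04-22", "dueDate": "2026-05-13"},
        {"cveID": "CVE-2024-7400", "vendorProject": "D-Link", "product": "DIR-823X",
         "vulnerabilityName": "D-Link DIR-823X Vulnerability",
         "dateAdded": "2026-04-22", "dueDate": "2026-05-13"},
    ],
})

# Constructed inventory: hostnames are invented. Versions are deliberately
# omitted; a product match does not by itself prove the build is vulnerable.
INVENTORY = [
    {"host": "helpdesk-01", "vendor": "SimpleHelp", "product": "SimpleHelp"},
    {"host": "signage-lobby", "vendor": "Samsung", "product": "MagicINFO 9 Server"},
    {"host": "branch-rtr-03", "vendor": "D-Link", "product": "DIR-823X"},
    {"host": "intranet-web", "vendor": "Apache", "product": "HTTP Server"},
]


def parse_kev(feed_json: str) -> list[dict]:
    """Return the list of vulnerability entries from KEV feed text."""
    return json.loads(feed_json)["vulnerabilities"]


def added_since(entries: list[dict], since_iso: str) -> list[dict]:
    """Keep only entries whose dateAdded is on or after the given ISO date."""
    since = date.fromisoformat(since_iso)
    return [e for e in entries if date.fromisoformat(e["dateAdded"]) >= since]


def _key(vendor: str, product: str) -> tuple[str, str]:
    """Normalise vendor/product for a case-insensitive join."""
    return (vendor.strip().lower(), product.strip().lower())


def match_inventory(entries: list[dict], inventory: list[dict], today_iso: str) -> list[dict]:
    """Join KEV entries to assets on (vendor, product); one finding per asset/CVE pair."""
    today = date.fromisoformat(today_iso)
    by_key: dict[tuple[str, str], list[dict]] = {}
    for e in entries:
        by_key.setdefault(_key(e["vendorProject"], e["product"]), []).append(e)
    findings = []
    for asset in inventory:
        for e in by_key.get(_key(asset["vendor"], asset["product"]), []):
            due = date.fromisoformat(e["dueDate"])
            findings.append({
                "host": asset["host"],
                "cve": e["cveID"],
                "name": e.get("vulnerabilityName", ""),
                "due": e["dueDate"],
                "days_left": (due - today).days,
                "overdue": due < today,
            })
    # Soonest due date first, then stable by host and CVE for readable output.
    findings.sort(key=lambda f: (f["due"], f["host"], f["cve"]))
    return findings


def triage(feed_json: str, inventory: list[dict], since_iso: str, today_iso: str) -> list[dict]:
    """Full pipeline: parse feed, filter by dateAdded, join to inventory, compute deadlines."""
    return match_inventory(added_since(parse_kev(feed_json), since_iso), inventory, today_iso)


if __name__ == "__main__":
    for f in triage(KEV_SAMPLE, INVENTORY, "2026-04-21", "2026-04-27"):
        flag = "OVERDUE" if f["overdue"] else f"{f['days_left']}d left"
        print(f"{f['host']:<16} {f['cve']:<16} due {f['due']} ({flag})")
```

Two caveats for anyone running this against the real feed: the KEV `dueDate` is binding only on federal civilian agencies under BOD 22-01, but it is a sound prioritisation signal for everyone else; and a vendor/product match only tells you which assets to check, not that they are exposed, so confirm the installed version against the vendor advisory before closing a finding.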

Government Responses

CISA and NCSC Report on FIRESTARTER Backdoor

Summary:
CISA, in collaboration with the UK’s National Cyber Security Centre (NCSC), reported that a federal civilian agency’s Cisco Firepower appliance was compromised with a new backdoor named FIRESTARTER. The implant persisted on the device even after security patches were applied and is believed to be part of a widespread campaign by an advanced persistent threat (APT) actor. The attackers gained initial access by exploiting a now-patched vulnerability in Cisco ASA software (CVE-2025-20333, CVSS 9.9) that allows remote code execution as root.

Key Details:

  • Malware: FIRESTARTER
  • Target: Cisco Firepower devices running ASA software
  • CVE: CVE-2025-20333 (CVSS 9.9)
  • Impact: Persistent backdoor that survives patching, remote access and control
  • Response: CISA and NCSC issued a joint malware analysis and mitigation guidance [1][2]

Miscellaneous

GlassWorm v2 Malware in Fake VS Code Extensions

Summary:
Security researchers identified 73 malicious or sleeper Visual Studio Code extensions on the Open VSX registry, attributed to a persistent information-stealing campaign dubbed GlassWorm v2. Six extensions were confirmed as malicious; the remainder acted as sleeper packages that build trust and install base first, so that a later update can deliver the malicious payload. More than 320 artifacts have been linked to the campaign since December 2025.

Key Details:

  • Malware: GlassWorm v2
  • Target: Visual Studio Code users installing extensions from the Open VSX registry
  • Impact: Information theft; sleeper extensions create the potential for broader compromise via future updates
  • Response: Malicious extensions removed, ongoing monitoring [1]

Source List


This week’s cybersecurity landscape was marked by sophisticated supply chain attacks, the discovery of advanced malware predating Stuxnet, and a continued focus on patching critical vulnerabilities. Government agencies remain vigilant, issuing timely advisories and collaborating internationally to counter persistent threats. Organizations are urged to review their security postures, prioritize patching, and remain alert to evolving attack vectors.