Take action on the latest cybersecurity events

Cybersecurity advisories and events as they happen, with a clear action you can take.

State of (in)security - Week 16, 2026
published: April 20, 2026
Week 16 of 2026 saw 17 advisories and 22 incidents, with 16.7 million individuals impacted, driven largely by the McGraw-Hill Salesforce misconfiguration breach (13.5M) alongside major ransomware, phishing, and third-party compromises affecting healthcare, finance, and tech sectors. Key vulnerabilities included actively exploited zero-days in Microsoft products, critical flaws in Cisco, Fortinet, SAP, and Adobe, and a systemic RCE risk in the MCP protocol.
Take action: This week third party libraries and AI are the focus: If you're using Claude Code, update immediately to the latest version and stop using authentication helpers. Instead, set the ANTHROPIC_API_KEY environment variable directly. If you use Axios in your applications, start planning an update to version 1.15.0 or later. Make sure your nginx-ui instances are isolated from the internet and accessible from trusted networks only.
Payouts King Ransomware Uses QEMU Virtual Machines to Evade Security
published: April 18, 2026
Payouts King ransomware uses QEMU virtual machines to bypass endpoint security and establish hidden backdoors on compromised systems. The campaign exploits vulnerabilities in Citrix and SolarWinds to gain initial access before exfiltrating sensitive Active Directory data.
Take action: Attackers are hiding malicious activity inside virtual machines (using QEMU) to bypass your security tools. Think of it as a criminal operating from inside a room your cameras can't see. Audit your systems for unauthorized QEMU installations, enforce MFA on every remote access solution without exception, and train your staff to never install remote access tools like QuickAssist based on requests from "IT" over Teams or chat. Always verify through a known, official channel first.
State of (in)security - Week 15, 2026
published: April 13, 2026
During the week of April 6–13, 2026, there were 9 vulnerability advisories and 23 data breach/incident events, up from 20 the prior week affecting over 41,500 known individuals across sectors like IT, healthcare, and government, with malware/ransomware and third-party compromises as the leading causes. Major events included several actively exploited zero-days (e.g., Adobe Reader, Chrome), major breaches at organizations like LAPD (7.7 TB leaked) and a Chinese supercomputing center (10 PB), and multiple ransomware attacks disrupting healthcare and other critical services.
Take action: Update your Adobe Acrobat and Reader immediately because attackers are already using this flaw to take over computers through simple PDF files. If you cannot patch right away, use a browser-based PDF viewer as a temporary safety measure and disable Javascript in your Adobe Acrobat and Reader.
Citizen Lab Exposes Webloc: Penlink's Global Ad-Based Geolocation Surveillance System Tracking Hundreds of Millions of Mobile Devices
published: April 10, 2026
A Citizen Lab investigation reveals a surveillance system Webloc, now sold by U.S.-based Penlink, exploits mobile advertising data and app SDKs to track the locations and behaviors of up to 500 million devices globally, providing warrantless access to military, intelligence, and law enforcement agencies across multiple countries. The report also exposes related tools including Trapdoor, a phishing and device-exploitation platform, and documents widespread civil liberties violations, GDPR concerns, and links to spyware vendor Quadream.
Take action: Every app on your phone has a hidden advertising ID that acts like a digital name tag, letting surveillance companies track your every move. Go to your phone settings right now: on iPhone go to Settings > Privacy > Tracking and disable "Allow Apps to Request to Track", on Android go to Settings > Privacy > Ads and delete your advertising ID. While you're there, go to Location Services and switch every app's location access to "Never". At most, enable "While Using" if you (not the app) absolutely need it like navigation.
State of (in)security - Week 14, 2026
published: April 6, 2026
During the week of March 30–April 6, 2026, cybersecurity activity included 11 vulnerability advisories (featuring actively exploited zero-days in Citrix, Fortinet, and TrueConf) and 20 incidents dominated by ransomware/malware (5), third-party compromises (3), and heavily hitting healthcare (6) and tech (4). At least 178,530 individuals are affected, led by the DocketWise breach exposing 116,000 immigration client records.
Take action: This week, focus on patching critical and actively exploited flaws in Cisco and Fortinet. Hackers love these systems, because they can't really be isolated from the internet - they are designed to be visible.
LinkedIn Scans Your Browser Extensions at Scale; Who's Telling You, and Why, Is Complicated
published: April 3, 2026
Research published on browsergate.eu reports that LinkedIn silently scans visitors' Chromium-based browsers for over 6,000 installed extensions, revealing indicators of sensitive personal data like religion, health, politics, and job-search activity. The findings were independently confirmed, though the "BrowserGate" investigation behind the disclosure was funded by a data scraper company Teamfluence, a company with a direct commercial dispute with LinkedIn over extension-blocking practices.
Take action: Switch to Firefox for LinkedIn, or use a separate Chrome profile with no extensions installed when visiting the site. And load up on all ad and script blocker extensions you can find, like Ublock Origin, Ublock Lite, Privacy Badger...
State of (in)security - Week 13, 2026
published: March 30, 2026
During the week of March 23–30, 2026, cybersecurity incidents surged to 32 (up from 14 the prior week), impacting over 14.6 million individuals, with malware/ransomware as the leading cause (11 incidents) and healthcare and government as the most targeted sectors. The week also saw 16 vulnerability advisories, including critical zero-days in F5 BIG-IP and Telegram alongside supply chain attacks and breaches affecting organizations from the European Commission to major healthcare providers.
Take action: Treat AI browser extensions as extremely dangerous high-privilege agents. If you use the Claude Chrome Extension, make sure it's updated to version 1.0.41 or higher immediately! Older versions allow attackers to silently hijack your browser session and access your email, documents, and chat history without any clicks. Review what permissions the extension has and stay alert for suspicious sites that may have exploited this before the patch.
State of (in)security - Week 12, 2026
published: March 23, 2026
During the week of March 16–23, 2026, there were 17 vulnerability advisories and 14 data breach/incident events. Social engineering, phishing, and unauthorized access are the leading causes impacting nearly 9 million individuals across government, healthcare, and tech sectors. Key threats included actively exploited zero-days in Chrome, SharePoint, and iPhones, a major supply chain attack on Aqua Security's Trivy scanner. Major incidents are the 5-million-record Companies House data leak and a paralyzing ransomware attack on Foster City.
Take action: If you use Trivy, trivy-action, or setup-trivy in your pipelines, this is urgent and important! Treat all secrets that ran through affected pipelines as compromised: rotate them now and investigate logs for all systems where those secrets may have given access. Then immediately pin to the known safe versions GitHub Actions to full commit SHA hashes instead of version tags, since tags can be silently rewritten to point to malicious code.
State of (in)security - Week 11, 2026
published: March 16, 2026
During the week of March 9–16, 2026, the cybersecurity landscape saw 22 advisories and 16 incidents including ransomware, data breaches, and actively exploited vulnerabilities in products like SolarWinds, Ivanti, and Salesforce. Over 3.3 million individuals impacted, largely by a single Cal AI breach exposing 3 million records. Malware/ransomware and software vulnerability exploits were the leading causes, hitting sectors from healthcare and finance to consulting and food & beverage.
Take action: If you use AI platforms and chatbots, remember that they are just web applications and have a bunch of other possible flaws. Make sure databases, API endpoints, and system prompts are locked down with proper authentication, access controls, and integrity monitoring, not left exposed as an afterthought. Regularly audit your AI infrastructure for basic web application flaws like exposed APIs, SQL injection, and missing authentication, because even the most advanced AI tools can be undone by classic, well-known security mistakes.
Escalating Cyber Attack Techniques Targeting Organizations During the 2026 Middle East Conflict
published: March 11, 2026
The February 28, 2026 Middle East military conflict has triggered a surge in cyber operations: 149 hacktivist attacks across 16 countries in just three days spanning VPN/firewall exploitation, AI-enhanced phishing, wiper malware, and DDoS campaigns targeting organizations of all sizes and sectors globally.
Take action: Treat the cyberattacks around the Middle-East conflict as a real emergency: patch all your systems, expecially internet-facing systems (especially VPNs and firewalls). Enforce multi-factor authentication everywhere, verify your backups are offline and working, and do not trust any unexpected messages on Telegram, WhatsApp, SMS, or email. If you have any industrial or OT devices, make sure they are isolated from the internet and accessible from trusted networks only, remove all default credentials, and segment them from the rest of your network immediately.