WEEKLY TOP TEN: April 13, 2026, 16:00 GMT
- WordPress Ninja Forms Plugin Actively Exploited For RCE
Attackers are exploiting a vulnerability in the Ninja Forms File Upload plugin for WordPress (CVE-2026-0740), enabling unauthenticated file uploads that can lead to remote code execution. The flaw affects internet-facing sites using the plugin, providing a low-barrier entry point for opportunistic attackers. This incident highlights the persistent risk of plugin ecosystems in CMS platforms. Organizations should inventory WordPress plugins, apply updates immediately, and scan for web shells or unauthorized uploads, as exploitation is already occurring in the wild.
- Adobe Reader Zero-Day Exploited Via Malicious PDFs
A zero-day vulnerability in Adobe Reader is being exploited through specially crafted PDF files that require minimal user interaction. Attackers use the flaw to fingerprint systems, steal data, and potentially escalate to full system compromise via further exploitation chains. The campaign has been active since late 2025 and continues to target users with themed lures. The lack of an immediate patch increases risk exposure. Organizations should restrict PDF handling from untrusted sources and monitor for suspicious PDF-related processes and outbound connections.
- Healthcare Provider Disruption Following Cyberattack
A Massachusetts hospital experienced operational disruption after a cyberattack forced it to divert ambulances and delay services. While patient care continued, the incident highlights how cyber incidents directly impact healthcare delivery. The attack underscores the fragility of healthcare IT systems and the need for robust contingency planning. Security leaders should prioritize resilience strategies, including system segmentation, backup validation, and incident response drills tailored to clinical environments where downtime has immediate real-world consequences.
- Snowflake Customer Accounts Hit In Token Theft Campaign
Snowflake reported suspicious activity affecting customer accounts tied to a third-party integration compromise. Attackers leveraged stolen authentication tokens to access multiple downstream environments, leading to a broader data-theft campaign across organizations using the platform. The incident demonstrates how SaaS ecosystems amplify risk when integrations are compromised. Rather than exploiting Snowflake directly, attackers targeted trust relationships and reused credentials. Security teams should rotate tokens, audit third-party integrations, and strengthen identity monitoring across cloud services to prevent similar supply chain-style attacks.
- APT28 Targets Routers In DNS Hijacking Campaign
Threat group APT28 has been exploiting vulnerable routers to hijack DNS traffic and intercept user credentials. The campaign uses adversary-in-the-middle techniques to redirect traffic and harvest sensitive information. The activity targets small office and home office devices that often lack strong security controls. This highlights the continued risk posed by unmanaged edge infrastructure. Organizations should enforce firmware updates, secure DNS configurations, and treat network devices as critical assets within their security posture.
- U.S. Disrupts Russian Router Botnet Used For Espionage
The U.S. Department of Justice conducted a coordinated operation to dismantle a botnet of compromised routers linked to Russian intelligence operations. The infrastructure was used for DNS hijacking and credential theft campaigns. This takedown reflects increased collaboration between legal and cybersecurity entities to counter nation-state threats. However, it also highlights the scale of insecure network devices globally. Organizations should audit router configurations and replace or patch vulnerable hardware to mitigate similar risks.
- Phishing Campaign Abuses Google Storage to Deliver RAT
Attackers are leveraging Google cloud storage services to host malicious payloads and distribute the Remcos remote access trojan through phishing emails. By using trusted infrastructure, the campaign improves delivery success rates and evades traditional detection mechanisms. This reflects a broader trend of attackers abusing legitimate platforms. Organizations should strengthen email security controls, inspect downloads from cloud services, and monitor network traffic for command-and-control activity.
- French Email Provider Data Leak Exposes Millions Of Records
A French email provider, Alinto, exposed around 40 million SMTP records after leaving an Elasticsearch database publicly accessible online. The leak included email metadata such as sender and recipient addresses, IP data, and location details tied to organizations including L’Oréal, Renault, DHL, and multiple French government agencies. Although email content was not disclosed, the exposed metadata enables attackers to map communication patterns and relationships, increasing the risk of targeted phishing and social engineering. Researchers warned that such data can reveal sensitive operational insights and significantly expand the attack surface across both corporate and government environments.
- Windows “BlueHammer” Zero-Day Leak Raises Risk of Exploitation
Proof-of-concept exploit code for a Windows privilege escalation vulnerability known as “BlueHammer” was publicly released by a researcher. The flaw allows attackers with local access to escalate privileges to SYSTEM level, increasing the impact of initial compromise. Public disclosure without a patch raises the likelihood of rapid weaponization. Security teams should monitor endpoints for abnormal privilege escalation activity and ensure detection tools are tuned to identify exploitation techniques associated with the vulnerability.
- Bitcoin Depot Reports $3.6M Theft From Corporate Wallets
Bitcoin Depot disclosed a breach resulting in the theft of approximately $3.6 million from its digital wallets. The attack targeted operational wallet infrastructure rather than blockchain-level weaknesses, reinforcing that crypto platforms remain high-value targets for financially motivated attackers. While details on the intrusion vector remain limited, the incident emphasizes the importance of securing wallet access, enforcing strong authentication controls, and monitoring transaction anomalies. Organizations in the cryptocurrency sector should review wallet segmentation strategies and incident response readiness.
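The Ninja Forms item above recommends scanning for web shells or unauthorized uploads. The script below is an added example of that check and is not part of the digest or of any WordPress project code: it walks a WordPress uploads tree (which should contain media only) and flags files carrying a PHP-executable extension anywhere in the name (so double extensions such as `shell.php.jpg` are caught), files whose content contains a PHP open tag despite an image or document extension, and stray `.htaccess` files that could re-enable script execution. The extension list, the sample directory layout and the sample file contents are assumptions constructed for the demonstration.

```python
# Added example (not from the digest): flag likely web shells under a WordPress
# uploads directory. Extensions, layout and sample contents are assumptions.
import os
import re
import tempfile

# Extensions a PHP handler may execute, depending on server configuration (assumed list).
EXEC_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".shtml"}

# A PHP open tag ("<?php" or "<?=") anywhere in the inspected bytes.
PHP_TAG = re.compile(rb"<\?(?:php\b|=)")


def scan_uploads(root):
    """Return sorted (relative_path, reason) tuples for suspicious files under root."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            lower = name.lower()

            # A .htaccess inside uploads can change handlers or re-enable execution.
            if lower == ".htaccess":
                findings.append((rel, "htaccess in uploads"))
                continue

            # Every dotted suffix counts, so "shell.php.jpg" yields {".php", ".jpg"}.
            suffixes = {"." + part for part in lower.split(".")[1:]}
            exec_ext = suffixes & EXEC_EXTENSIONS
            if exec_ext:
                findings.append((rel, "executable extension " + sorted(exec_ext)[0]))
                continue

            # Content check: a PHP open tag inside a supposed image or document.
            try:
                with open(full, "rb") as fh:
                    head = fh.read(65536)
            except OSError:
                continue
            if PHP_TAG.search(head):
                findings.append((rel, "php open tag in non-php file"))
    return sorted(findings)


def build_sample_uploads(root):
    """Constructed sample tree: a clean image, a clean PDF, a double-extension
    file, an image-named file carrying a PHP tag, and a stray .htaccess."""
    month = os.path.join(root, "2026", "04")
    os.makedirs(month, exist_ok=True)
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0 constructed jpeg bytes",
        "report.pdf": b"%PDF-1.7 constructed pdf bytes",
        "shell.php.jpg": b"GIF89a constructed double-extension sample",
        "banner.png": b"\x89PNG\r\n\x1a\n<?php echo 'constructed sample'; ?>",
        ".htaccess": b"# constructed sample\n",
    }
    for name, content in samples.items():
        with open(os.path.join(month, name), "wb") as fh:
            fh.write(content)


def demo():
    """Build the constructed sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_uploads(root)
        return scan_uploads(root)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{reason:32s} {path}")
```

Run it against a real site with `scan_uploads("/path/to/wp-content/uploads")` and review each hit by hand; a legitimate plugin occasionally writes non-media files into uploads, so the output is a review queue, not a verdict. The content check reads only the first 64 KiB of each file, which keeps the scan cheap on large media libraries while still catching the common case of a script prepended to a fake image header.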
Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The 10 stories above were judged the most significant of the week, ranked from highest risk, drawing on multiple sources where available.