Cybersecurity

Cybersecurity startup Rilian has secured $17.5 million in combined seed and seed extension funding to advance its AI-native security orchestration platform. The McLean, VA-based company, founded in 2024, aims to bolster cyber defense for government, critical infrastructure, and law enforcement organizations through its Caspian platform. This investment, led by 8VC, First In, and Tamarack Global, will enable Rilian to further develop its autonomous capabilities across diverse and complex operational environments.

Israeli startup Copperhelm has officially emerged from stealth mode, announcing $7 million in seed funding to advance its innovative agentic cloud security platform. This significant investment, led by TLV Partners, will fuel the development and market expansion of a platform designed to autonomously monitor, investigate, and remediate threats within large enterprise cloud environments using AI agents. Founded by a team with deep expertise from Unity, McAfee, and RSA, Copperhelm aims to redefine cloud security with its real-time, context-aware approach.

A critical supply chain attack has compromised the popular Bitwarden CLI NPM package, specifically version 2026.4.0, leading to the potential theft of multi-cloud secrets and GitHub tokens from affected systems. This incident, linked to ongoing campaigns against the open source software ecosystem and potentially prior Checkmarx compromises, highlights a sophisticated threat targeting development environments and critical infrastructure. With over 250,000 monthly downloads, the compromise of Bitwarden's CLI presents a significant risk to enterprises relying on the platform for secure credential management.

Cloudsmith, a Belfast-based artifact management platform, has secured $72 million in Series C funding, bringing its total investment to $124 million. This significant capital injection will fuel its mission to secure the increasingly complex software supply chains, particularly those generated by AI agents and large language models (LLMs). The platform offers critical capabilities such as detecting vulnerabilities, blocking malicious code, and providing a chain of custody for vital software packages and ML models.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical directive, ordering all federal agencies to patch a zero-day Microsoft Defender vulnerability, CVE-2026-33825 (BlueHammer), by May 7. This high-severity privilege escalation flaw has been actively exploited in attacks, allowing low-privileged local actors to gain SYSTEM access on Windows systems. The mandate comes after a security researcher publicly disclosed the flaw and proof-of-concept exploit code, highlighting concerns over Microsoft's disclosure process.

A newly identified, China-backed advanced persistent threat (APT) group dubbed GopherWhisper has been uncovered by ESET, revealing a sophisticated campaign leveraging custom Go-based malware and an array of legitimate communication platforms. Active since at least 2023, this group is exploiting services like Microsoft 365 Outlook, Slack, and Discord for command-and-control, and File.io for data exfiltration, compromising dozens of government entities worldwide. ESET researchers managed to access GopherWhisper's C2 communications, providing unprecedented insight into their operations and confirming attribution.

The United Kingdom's National Cyber Security Centre (NCSC-UK) and a coalition of ten international partners have issued a stark warning: China-nexus hackers are increasingly leveraging vast botnets of compromised Small Office/Home Office (SOHO) and Internet of Things (IoT) devices to conduct stealthy cyber operations. This joint advisory highlights a significant shift in state-sponsored threat tactics, moving away from individually procured infrastructure towards extensive networks of hijacked consumer devices to obscure their origins and evade traditional defenses. These sophisticated proxy networks, including identified botnets like Raptor Train and KV-Botnet, pose a profound challenge to national security.

Hackers have severely compromised the software supply chain of Checkmarx KICS, an open-source security scanner, by injecting malicious code into its official Docker images and VS Code/Open VSX extensions. This sophisticated attack allowed the exfiltration of critical developer credentials, including GitHub tokens, cloud access keys for AWS, Azure, and GCP, npm tokens, and SSH keys from compromised development environments. The stolen data was then covertly transmitted to imposter Checkmarx domains, highlighting a serious breach in trust for a tool designed to enhance code security.

Trigona ransomware has re-emerged with a significant tactical shift, now deploying a custom-built, proprietary data exfiltration tool named "uploader_client.exe" to steal sensitive data from compromised networks. This sophisticated command-line utility employs parallel uploads and TCP connection rotation after 2GB of traffic, specifically designed for enhanced speed and evasion. Observed in recent March attacks, this move indicates a deliberate effort by attackers to maintain a lower profile by sidestepping public tools that typically trigger security defenses.

Hackers are actively exploiting a critical vulnerability, CVE-2026-3844, in the widely used Breeze Cache WordPress plugin, allowing unauthenticated attackers to upload arbitrary files and potentially achieve remote code execution. This severe flaw, rated 9.8 CVSS, has already seen over 170 exploitation attempts and impacts more than 400,000 active installations globally, underscoring an immediate threat to a vast segment of web infrastructure.

A recent incident saw the official Bitwarden CLI npm package briefly compromised, distributing a malicious version designed to steal developer credentials by exploiting a GitHub Action in the company's CI/CD pipeline. While Bitwarden quickly removed the rogue package and confirmed no end-user vault data was at risk, the attack successfully targeted crucial developer access keys over a 1.5-hour window. This event, linked to a prior supply chain incident by Checkmarx, highlights a persistent vulnerability within the software distribution ecosystem.

A newly identified threat activity cluster, UNC6692, is leveraging sophisticated IT helpdesk impersonation via Microsoft Teams to deploy a custom modular malware suite known as SNOW. This elaborate attack chain first involves an email bombing campaign to overwhelm targets, followed by the threat actors offering fake support to senior-level employees through external Teams chats, ultimately leading to the execution of SNOW malware via a phishing link and AutoHotkey script.