Latest Intelligence 1203 articles
Firefox & Tor IndexedDB Flaw Threatens User Anonymity
Cybersecurity

A critical IndexedDB vulnerability, tracked as CVE-2026-6770, has been discovered that allowed persistent user fingerprinting across sessions, even bypassing Tor Browser's 'New Identity' feature. This flaw uniquely leveraged the order of IndexedDB database names to link user activity across domains without cookies or shared storage, severely compromising privacy mechanisms in both standard and privacy-focused browsing. Mozilla has since patched the issue in Firefox 150, with Tor Project adopting the fix in Tor Browser 15.0.10, but the implications highlight a persistent challenge in browser security.

April 28, 2026 Securityweek 3 min
US Strikes SE Asia Cyberscam Networks, Sanctions Cambodian Senator
Cybersecurity

The U.S. Treasury Department has sanctioned prominent Cambodian Senator Kok An, labeling him a "scam center kingpin," along with 28 individuals and entities, as part of a "sweeping crackdown" on illicit cyberscam networks across Southeast Asia. This aggressive initiative, characterized by U.S. Attorney Jeanine Pirro as a "new theater of war" launched by the Trump administration against Chinese transnational organized crime, targets operations in Cambodia and Myanmar that have defrauded global victims of billions. The comprehensive effort includes asset freezes, criminal charges, and a warrant to shut down a major online recruitment channel on Telegram, aimed at dismantling operations linked to human trafficking and forced labor.

April 28, 2026 Securityweek 4 min
Critical Pack2TheRoot Linux Flaw: Unprivileged Users Gain Root
Cybersecurity

A newly disclosed critical vulnerability, dubbed Pack2TheRoot (CVE-2026-41651, CVSS 8.1), allows unprivileged users to effortlessly achieve root access on a wide range of Linux systems. This easily exploitable time-of-check time-of-use (TOCTOU) race condition in PackageKit's cross-distro package management layer impacts major distributions like Ubuntu, Debian, Fedora, RockyLinux, and RHEL (via Cockpit), potentially for the past 14 years. Attackers can leverage this flaw to install arbitrary RPM packages and scripts as root without authentication.

April 28, 2026 Securityweek 3 min
Sponsored
UNC6692 Leverages Email Bombing, Social Engineering to Deploy 'Snow' Malware
Cybersecurity

A recently discovered threat actor, tracked as UNC6692, is leveraging a sophisticated combination of email bombing and social engineering to deploy modular 'Snow' malware in targeted attacks. This campaign, observed in December 2025, involves impersonating IT support to trick victims into executing a fake mailbox repair utility, as reported by Google Threat Intelligence Group (GTIG). The sophisticated phishing leads to credential exfiltration, lateral movement, and the harvesting of sensitive data.

April 28, 2026 Securityweek 4 min
Zero-Click Windows Shell Flaw Actively Exploited for Credential Theft
Cybersecurity

Microsoft has confirmed active exploitation of CVE-2026-32202, a zero-click Windows Shell spoofing flaw, for credential theft in the wild. This critical vulnerability, addressed in the latest Patch Tuesday, allows attackers to steal Net-NTLMv2 hashes via malicious LNK files, significantly increasing the risk of NTLM relay attacks. The flaw notably stems from an incomplete patch for a previously APT28-weaponized vulnerability, highlighting persistent threats from sophisticated adversaries.

April 28, 2026 Thehackernews 4 min
Microsoft Entra ID AI Role Flaw Exposes Service Principal Takeover
Cybersecurity

A critical vulnerability within Microsoft Entra ID's 'Agent ID Administrator' role, designed for managing AI agent identities, enabled significant privilege escalation and the takeover of arbitrary service principals. Discovered by identity security platform Silverfort, the flaw allowed users assigned this role to become owners of any service principal and subsequently authenticate as that identity, granting expansive access far beyond AI-related operations. Microsoft swiftly addressed this serious issue, releasing a patch on April 9, 2026.

April 28, 2026 Thehackernews 3 min
Cybersecurity

Malicious indirect AI prompt injection attempts surged by 32% between November 2025 and February 2026, according to new research from Google, signaling an escalating threat landscape for generative AI systems. While current attacks are largely low-sophistication and focus on data exfiltration, the increase highlights a growing trend of adversaries leveraging external data to subvert AI defenses and steal sensitive information like IP addresses and credentials.

April 28, 2026 Securityweek 4 min
Early Warning: Monitor Dark Web for Pre-Attack Cyber Signals
OSINT & Intelligence

Cybersecurity professionals are often on the back foot, reacting to exploits after they occur. A forthcoming webinar, hosted by BleepingComputer in collaboration with Flare and threat intelligence researcher Tammy Harper, aims to shift this paradigm by exploring how early warning signals on the dark web, forums, and Telegram can prevent attacks before they escalate. This proactive approach leverages often-overlooked threat actor chatter to provide a significant defensive advantage.

April 28, 2026 Bleepingcomputer 2 min
Chinese State-Sponsored Hacker Extradited to US: Silk Typhoon
OSINT & Intelligence

In a significant development for international cyber enforcement, Chinese national Xu Zewei has been extradited from Italy to the United States to face charges of cyberespionage. Xu is accused of operating as a contract hacker for China's Ministry of State Security (MSS) and being a key member of the notorious Silk Typhoon (Hafnium) APT group, responsible for exploiting Microsoft Exchange vulnerabilities and targeting critical COVID-19 research. This extradition marks a rare instance of a suspected state-sponsored cyber actor from China being brought to U.S. soil for prosecution.

April 28, 2026 Bleepingcomputer 3 min
Canada Busts Rogue Cell Tower Phishing Ring, 13M Exposed
Electronic Warfare

Canadian authorities have achieved a significant breakthrough, arresting three individuals operating an "SMS blaster" device that mimicked legitimate cellular towers to deploy sophisticated phishing attacks, exposing an estimated 13 million mobile users. This marks the first documented instance of such rogue cellular base station technology being used by criminals in Canada, deceiving nearby phones into connecting to the fake towers to deliver fraudulent texts from seemingly trusted entities. The operation not only aimed to harvest sensitive personal information but also reportedly disconnected affected devices from crucial emergency services.

April 28, 2026 Bleepingcomputer 3 min
Urgent: GlassWorm Malware Exploits 73 OpenVSX Sleeper Extensions
Cybersecurity

A new and urgent wave of the GlassWorm malware campaign is actively exploiting 73 extensions within the OpenVSX ecosystem, with six already activated and delivering malicious payloads. These initially benign "sleeper" extensions are designed to turn malicious post-update, bypassing initial security checks and highlighting a sophisticated supply chain attack strategy. This latest expansion follows GlassWorm's established pattern of targeting developer tools and repositories to steal sensitive data.

April 28, 2026 Bleepingcomputer 3 min
Robinhood Onboarding Flaw Injects Phishing into Legitimate Emails
Cybersecurity

Online trading platform Robinhood recently became the target of a sophisticated phishing campaign that leveraged an HTML injection flaw within its own account creation process. This critical vulnerability allowed threat actors to embed malicious phishing messages directly into legitimate, SPF/DKIM-validated Robinhood emails, making it nearly impossible for users to discern the fraud. The campaign tricked users into believing their accounts had suspicious activity, prompting them to click on phishing links.

April 28, 2026 Bleepingcomputer 3 min