Here are today’s top cybersecurity stories for Tuesday, April 28, 2026.
Microsoft Confirms Active Exploitation of Windows Shell CVE-2026-32202
Microsoft has updated its advisory for CVE-2026-32202, a Windows Shell spoofing vulnerability patched in the April 2026 Patch Tuesday release, to confirm active exploitation in the wild. The flaw stems from an incomplete fix for CVE-2026-21510 and allows zero-click credential theft via auto-parsed LNK files. APT28 combined this flaw with CVE-2026-21513 in attacks against Ukraine and EU countries beginning in December 2025. Organisations running Windows should verify that the April patch has been applied.
The Hacker News
APT28 Deploys PRISMEX Malware Against Ukraine and NATO Allies
Russia-linked APT28 (Fancy Bear) is running an active spear-phishing campaign deploying a new malware suite called PRISMEX against Ukraine and NATO partner countries. The campaign targets central government bodies, defence, rail logistics, maritime transportation, and ammunition supply chain organisations across at least eight countries. PRISMEX combines steganography, COM hijacking, and cloud-service abuse for command-and-control, and in at least one incident included a destructive wiper capability. The campaign has been active since September 2025 and is rapidly weaponising newly disclosed vulnerabilities.
The Hacker News
GlassWorm Returns With 73 OpenVSX Sleeper Extensions — Six Already Activated
Researchers have identified 73 malicious “sleeper” extensions on the Open VSX marketplace linked to the GlassWorm campaign, with six already activating to deploy malware. The extensions impersonate popular tools including Monochromator, AutoAntigravity, IronPLC, VS Code Pets, HTML-validate, and Version Lens. Once activated, they download malicious .vsix payloads via GitHub releases and run heavily obfuscated code at runtime. Developers using affected extensions are advised to rotate all secrets and clean their environments immediately.
BleepingComputer
Medtronic Confirms ShinyHunters Breach Exposing Over 9 Million Records
Medical device maker Medtronic has confirmed a breach of its corporate IT systems after ShinyHunters claimed the theft of over 9 million records on April 17. The stolen data includes personally identifiable information from patients and associated individuals. Medtronic states the breach did not affect products, patient safety, operations, or financial systems. ShinyHunters subsequently removed Medtronic from its leak site. The full scope of the breach remains under investigation.
BleepingComputer
Microsoft Entra ID Agent ID Administrator Role Allowed Service Principal Takeover
Silverfort disclosed a design flaw in Microsoft Entra ID’s Agent ID Administrator role — introduced for AI agent identity lifecycle management — that allowed users with that role to take over arbitrary service principals, including those holding elevated directory permissions. The vulnerability created a privilege escalation path to broader tenant control. Silverfort reported the flaw on March 1, 2026, and Microsoft deployed a fix across all cloud environments on April 9. Organisations should audit users assigned the Agent ID Administrator role.
The Hacker News
Robinhood Account Creation Flaw Abused to Send Phishing Emails From Legitimate Servers
Threat actors exploited an input validation flaw in Robinhood’s account creation flow to inject HTML into the platform’s legitimate onboarding emails. Recipients received convincing “Unrecognized Device Linked to Your Account” messages sent from Robinhood’s own servers, bypassing SPF, DKIM, and DMARC checks. Robinhood confirmed no systems or accounts were breached and has removed the Device field from onboarding emails to close the flaw. The incident illustrates the risk of email injection attacks exploiting legitimate email infrastructure.
BleepingComputer
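The Robinhood incident above is a transactional-email HTML injection: a value the user supplies at sign-up is interpolated unescaped into a message the platform itself sends, so the result passes SPF, DKIM and DMARC. The following is an added illustration, not Robinhood's code; the template text, the `device_name` field and the allow-list are assumptions. It shows the vulnerable rendering pattern beside two defences a practitioner would apply: output encoding of every interpolated value, and input validation of the field at the trust boundary.

```python
import html
import re

# Constructed attacker input: closes the <b> tag and injects a link into the email body.
CONSTRUCTED_PAYLOAD = (
    'iPhone</b><a href="https://login.example.invalid">Verify your account now</a><b>'
)

# Conservative allow-list for a device name field (assumed policy, not the platform's).
DEVICE_NAME_RE = re.compile(r"^[A-Za-z0-9 ._-]{1,64}$")
MARKUP_RE = re.compile(r"<[^>]+>")


def render_device_email_unsafe(device_name: str) -> str:
    """Vulnerable pattern: user-controlled text dropped straight into HTML."""
    return (
        "<p>Unrecognized device linked to your account: "
        f"<b>{device_name}</b></p>"
    )


def render_device_email_safe(device_name: str) -> str:
    """Hardened pattern: every interpolated value is HTML-escaped at output time."""
    return (
        "<p>Unrecognized device linked to your account: "
        f"<b>{html.escape(device_name, quote=True)}</b></p>"
    )


def validate_device_name(device_name: str) -> str:
    """Input validation at the boundary: reject anything outside the allow-list.

    Escaping alone stops the markup from rendering; validation additionally keeps
    attacker-chosen text (URLs, instructions) out of the email entirely.
    """
    if not DEVICE_NAME_RE.fullmatch(device_name):
        raise ValueError("device name contains disallowed characters or is too long")
    return device_name


def contains_markup(rendered: str, trusted_template_tags: int) -> bool:
    """Detection helper: true if the rendered email has more tags than the template itself.

    Useful as a pre-send check on outbound transactional mail: the template contributes a
    fixed number of tags, so any surplus came from interpolated data.
    """
    return len(MARKUP_RE.findall(rendered)) > trusted_template_tags


# The fixed template above contributes exactly four tags: <p>, <b>, </b>, </p>.
TEMPLATE_TAG_COUNT = 4


if __name__ == "__main__":
    unsafe = render_device_email_unsafe(CONSTRUCTED_PAYLOAD)
    safe = render_device_email_safe(CONSTRUCTED_PAYLOAD)
    print("unsafe rendering injects extra markup:", contains_markup(unsafe, TEMPLATE_TAG_COUNT))
    print("escaped rendering injects extra markup:", contains_markup(safe, TEMPLATE_TAG_COUNT))
    try:
        validate_device_name(CONSTRUCTED_PAYLOAD)
    except ValueError as exc:
        print("validation rejected payload:", exc)
```

The two defences are complementary: escaping at the output layer is the control that must never be skipped, while allow-list validation of the field keeps the phishing text out of the message even if a template somewhere forgets to escape. Removing the field from the email, as Robinhood did, is the strongest option when the value carries no real value to the recipient.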
CISA April 28 Deadline: Over 1,370 SharePoint Servers Still Unpatched for CVE-2026-32201
The CISA deadline for federal agencies to patch the actively exploited SharePoint spoofing vulnerability CVE-2026-32201 fell today, yet over 1,370 internet-facing SharePoint servers remain unpatched according to Shadowserver Foundation scanning data. The pre-authentication flaw requires no credentials and allows spoofing attacks against on-premises SharePoint 2016, 2019, and Subscription Edition. Microsoft released the patch on April 14. Non-federal organisations running on-premises SharePoint should treat this as an urgent priority.
Cyber Security News
Microsoft Exchange Online to Block Legacy TLS for POP and IMAP Starting July 2026
Microsoft has announced it will retire TLS 1.0 and 1.1 support for POP3 and IMAP4 connections to Exchange Online between July 1 and December 31, 2026. Connections that do not support TLS 1.2 or higher will fail with no fallback. While most modern email clients are already compliant, legacy line-of-business applications, archiving scripts, ticketing platforms, and monitoring systems are common users of older TLS versions. Exchange Online administrators should audit POP and IMAP clients before the July deadline.
BleepingComputer
Push Security Report: Browser-Based Attacks Now Drive Major Breaches
A new report from Push Security documents the rise of browser-based attack techniques — including adversary-in-the-middle phishing, ClickFix variants, malicious OAuth app grants, malicious browser extensions, credential stuffing, and session hijacking — as primary vectors in major breaches. Tycoon 2FA accounted for 59% of detected AITM campaigns in the research period. An emerging variant called ConsentFix extends ClickFix techniques to OAuth grant flows, enabling identity compromise without malware installation.
Push Security
Stay tuned for today’s in-depth analysis posts.