Here are today’s top cybersecurity stories for Wednesday, April 1, 2026.
Clop Ransomware Targets Gladinet CentreStack File Servers Using Zero-Day Exploit in Active Extortion Campaign
The Clop data extortion group is actively targeting internet-exposed Gladinet CentreStack file servers through an unpatched vulnerability identified as a zero-day, following the group’s established playbook of exploiting enterprise file transfer platforms before organizations apply fixes. Researchers identified more than 200 internet-facing CentreStack instances as potential targets. Gladinet released emergency security updates, and organizations running CentreStack should apply patches immediately and audit file transfer activity logs for anomalous access. BleepingComputer
Google Patches Fourth Chrome Zero-Day of 2026: CVE-2026-5281 Use-After-Free in Dawn WebGPU Component
Google released an emergency update for Chrome on April 1, 2026, patching CVE-2026-5281, a use-after-free flaw in Dawn, the cross-platform WebGPU implementation used across all Chromium-based browsers. Google confirmed an exploit for the vulnerability exists in the wild. The patched versions are 146.0.7680.177/178 for Windows and macOS and 146.0.7680.177 for Linux. This is the fourth actively exploited Chrome zero-day of 2026, following three previous patches in February and March. Users and administrators should update immediately. BleepingComputer
Apple Adds Terminal Paste Warning in macOS Tahoe 26.4 to Block ClickFix Social Engineering Attacks
Apple introduced a new defensive feature in macOS Tahoe 26.4, released March 30, 2026, designed to block ClickFix-style attacks by intercepting commands pasted into the Terminal application before execution. When a pasted command matches malware delivery patterns, macOS displays a “Possible malware, Paste blocked” warning. A “Paste Anyway” option allows legitimate use. ClickFix attacks trick users into pasting malicious commands by presenting fake browser errors, captchas, or IT alerts. The feature was not documented in Apple’s official release notes and was first reported after the release candidate build became available. BleepingComputer
Operation TrueChaos: Chinese-Nexus Actors Exploit TrueConf Zero-Day CVE-2026-3502 in Government Supply Chain Attack
Check Point Research published findings attributing a supply chain attack against government entities in Southeast Asia to a Chinese-nexus threat actor. The campaign, named Operation TrueChaos, exploits CVE-2026-3502 (CVSS 7.8) in the TrueConf Windows client, a video conferencing application used in government and enterprise environments. The flaw sits in TrueConf’s update mechanism, which does not verify the integrity of fetched update packages, allowing an attacker with server access to distribute a tampered update to all connected endpoints. The campaign delivered the Havoc post-exploitation framework. TrueConf v8.5.3 contains the fix. The Hacker News | Check Point Research
RoadK1ll: New Node.js WebSocket Implant Turns Compromised Hosts Into Silent Network Relay Points
Blackpoint Cyber researchers published analysis of RoadK1ll, a purpose-built lateral movement implant designed to pivot between network segments without triggering standard detection methods. The Node.js tool establishes an outbound WebSocket connection from an infected machine to attacker-controlled infrastructure, converting the compromised host into a relay for TCP connections to internal systems. RoadK1ll places no inbound listener on the victim machine, avoiding open-port detection, and its outbound traffic blends with normal browser and web application activity. The implant functions exclusively as a pivot point rather than a traditional remote access tool. BleepingComputer | Blackpoint Cyber
strongSwan CVE-2026-25075: 15-Year-Old Integer Underflow in EAP-TTLS Plugin Allows Unauthenticated VPN Crash
An integer underflow flaw tracked as CVE-2026-25075 in the EAP-TTLS authentication plugin of strongSwan VPN software allows an unauthenticated remote attacker to crash the IKE daemon by sending a malformed attribute-value pair. The vulnerability affects all strongSwan versions from 4.5.0 through 6.0.4, spanning 15-plus years of releases. Its CVSS score is 7.5. Deployments using EAP-TTLS for authentication require an upgrade to strongSwan 6.0.5 to address the flaw. Deployments not using EAP-TTLS are not affected. SecurityWeek
FBI Confirms Salt Typhoon Telecom Espionage Is ‘Still Very Much Ongoing’ Across 200-Plus Organizations Worldwide
A senior FBI cyber official confirmed at the CyberTalks 2026 conference that Salt Typhoon, the Chinese state-linked group behind large-scale U.S. telecommunications infrastructure compromises beginning in 2024, remains active against both private and public sector organizations globally. The FBI has previously confirmed the group compromised at least 200 companies across 80 countries. Officials noted the threat is difficult to eliminate given the technological fragmentation and scale of global telecommunications networks. CyberScoop
Ukrainian Hacker Charged with Providing Technical Support to Russian Hacktivist Groups
A Ukrainian national faces criminal charges in the United States for providing technical support and infrastructure to Russian state-affiliated hacktivist organizations engaged in cyberattacks against Western targets. Charging documents allege the individual provided tooling and operational assistance to groups aligned with Russia’s government despite being a citizen of a country under Russian military attack. The case highlights the recruitment of foreign nationals as operational support resources for Russian cyber operations. BleepingComputer
Stay tuned for today’s in-depth analysis posts.

