Here are today’s top cybersecurity stories for Wednesday, April 8, 2026.
FBI and International Partners Disrupt APT28 FrostArmada Router DNS Hijacking Campaign
The FBI executed a court-authorized operation to dismantle FrostArmada, a Russia-linked APT28 campaign that compromised thousands of MikroTik and TP-Link SOHO routers and redirected DNS traffic to attacker-controlled servers to steal Microsoft 365 authentication tokens. At peak activity in December 2025, more than 18,000 routers across 120 countries were pulled into the network, and Microsoft confirmed over 200 organizations and 5,000 consumer devices affected. Authorities reset DNS configurations on compromised devices and collected forensic evidence during the operation.
Sources: BleepingComputer | Krebs on Security | NCSC
CISA Advisory AA26-097A: Iranian Actors Exploit Internet-Exposed PLCs Across US Critical Infrastructure
CISA issued Advisory AA26-097A warning that Iranian-affiliated cyber actors have exploited internet-facing Rockwell Automation and Allen-Bradley programmable logic controllers across US government, water and wastewater, and energy sector networks since at least March 2026. Attackers extracted project files and manipulated HMI and SCADA displays, causing operational disruption and financial losses at several victim sites. CISA urges operators to isolate PLCs behind firewalls, enforce MFA, and remove direct internet access from OT systems.
Sources: CISA | CyberScoop | The Hacker News
Flowise CVE-2025-59528 CVSS 10.0 Under Active Exploitation — 12,000+ Instances Exposed
Attackers are exploiting CVE-2025-59528, a maximum-severity remote code execution vulnerability in Flowise, the open-source platform used to build custom LLM applications and AI agent pipelines. The flaw exists in the CustomMCP node’s unsafe JavaScript evaluation, allowing unauthenticated attackers to execute arbitrary code and gain full system access. VulnCheck detected the first in-the-wild exploitation from a Starlink IP address, and between 12,000 and 15,000 Flowise instances remain exposed online. Users should upgrade to version 3.1.1 or later immediately.
Sources: BleepingComputer | The Hacker News
North Korean UNC1069 Spreads 1,700 Malicious Packages Across npm, PyPI, Go, and Rust
Security Alliance (SEAL) research confirms North Korean threat actor UNC1069 — overlapping with BlueNoroff and Sapphire Sleet — has distributed more than 1,700 malicious packages across npm, PyPI, Go Modules, crates.io, and Packagist since January 2025. The packages impersonate legitimate developer tooling and function as malware loaders enabling espionage, credential theft, and financial fraud across Windows, macOS, and Linux. SEAL blocked 164 UNC1069-linked domains between February 6 and April 7, 2026, many impersonating Microsoft Teams and Zoom meeting links as ClickFix-style lures.
Source: The Hacker News
Docker CVE-2026-34040 CVSS 8.8 Enables AuthZ Plugin Bypass and Host Filesystem Takeover
A high-severity vulnerability in Docker Engine, tracked as CVE-2026-34040 (CVSS 8.8), allows attackers with restricted Docker API access to bypass AuthZ authorization plugins by padding container creation requests above 1 MB, causing the request body to be dropped before reaching the plugin. The flaw is an incomplete fix for CVE-2024-41110, first disclosed in July 2024, and requires a single HTTP request with no elevated privileges to exploit. Successful exploitation leads to a privileged container with host filesystem access and the ability to extract cloud service credentials. Users should update Moby to version 29.3.1 or later.
Source: The Hacker News
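As an added defensive illustration (not code from Moby, Docker, or the article), this Go sketch shows the plugin-side check the bypass class above calls for: an authorization plugin that fails closed when a container-create request reaches it without an inspectable body, instead of allowing by default. The AuthZRequest shape, the 1 MB constant, and the decision policy are assumptions for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// AuthZRequest is what a plugin sees for one daemon request. Assumed shape
// for this example, not Moby's exact plugin type.
type AuthZRequest struct {
	RequestMethod  string
	RequestURI     string
	RequestHeaders map[string]string // original headers, e.g. Content-Length
	RequestBody    []byte            // empty when the daemon did not forward it
}

// Assumed size above which the daemon stops forwarding the body (item cites ~1 MB).
const maxForwardedBody = 1 << 20

// Decide returns (allow, reason). A container-create request whose body the
// plugin cannot inspect is denied, so oversized padding cannot hide a config.
func Decide(r AuthZRequest) (bool, string) {
	if !(r.RequestMethod == "POST" && strings.Contains(r.RequestURI, "/containers/create")) {
		return true, "not a container create"
	}
	if len(r.RequestBody) == 0 {
		return false, "container create without inspectable body"
	}
	if cl, ok := r.RequestHeaders["Content-Length"]; ok {
		n, err := strconv.Atoi(cl)
		if err != nil || n > maxForwardedBody || n != len(r.RequestBody) {
			return false, "Content-Length inconsistent with forwarded body"
		}
	}
	var cfg struct{ HostConfig struct{ Privileged bool } }
	if err := json.Unmarshal(r.RequestBody, &cfg); err != nil {
		return false, "malformed container config"
	}
	if cfg.HostConfig.Privileged {
		return false, "privileged container denied"
	}
	return true, "ok"
}

func main() {
	// Constructed request: the body was dropped but Content-Length claims 2 MiB.
	dropped := AuthZRequest{"POST", "/containers/create", map[string]string{"Content-Length": "2097152"}, nil}
	fmt.Println(Decide(dropped)) // false container create without inspectable body
}
```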
ICS Patch Tuesday: Siemens, Schneider Electric, Moxa, and Mitsubishi Electric Release April Advisories
Industrial control system vendors Siemens, Schneider Electric, Moxa, and Mitsubishi Electric published their April ICS Patch Tuesday security advisories, addressing vulnerabilities across OT products deployed in manufacturing, energy, utilities, and critical infrastructure environments. Organizations running affected systems should review each vendor’s advisory and apply patches following their OT change control and risk management procedures.
Source: SecurityWeek
Stay tuned for today’s in-depth analysis posts.