Here are today’s top cybersecurity stories for Tuesday, April 14, 2026.
CISA Adds Six Actively Exploited Vulnerabilities to KEV Catalog
The U.S. Cybersecurity and Infrastructure Security Agency added six vulnerabilities to its Known Exploited Vulnerabilities catalog, citing confirmed active exploitation. The flaws span Fortinet FortiClient EMS (CVE-2026-21643, CVSS 9.1 SQL injection), Adobe Acrobat Reader (CVE-2020-9715), Microsoft Exchange Server (CVE-2023-21529 deserialization RCE), Microsoft Windows Common Log File System (CVE-2023-36424 privilege escalation), Windows task host link resolution (CVE-2025-60710 privilege escalation), and Microsoft Visual Basic for Applications (CVE-2012-1854 insecure library loading). Federal civilian agencies must remediate all six by April 27, 2026. Source: The Hacker News
FBI and Indonesian Police Dismantle W3LL Phishing Network Behind $20M in Fraud
The FBI Atlanta Field Office and Indonesian authorities seized the infrastructure of the W3LL phishing-as-a-service platform and arrested its alleged developer. W3LL offered ready-made phishing kits capable of bypassing multi-factor authentication for approximately $500 per month, and was used to target more than 17,000 victims and facilitate over $20 million in fraud attempts between 2023 and 2024. The action marks the first joint U.S.-Indonesia enforcement operation targeting a phishing kit developer. Sources: The Hacker News | BleepingComputer
108 Malicious Chrome Extensions Steal Google and Telegram Data from 20,000 Users
Researchers at Socket identified 108 Chrome extensions sharing a common command-and-control server at 144.126.135[.]238, collectively installed on approximately 20,000 browsers. The extensions harvest Google OAuth2 identity tokens, exfiltrate Telegram Web session cookies every 15 seconds, and silently open arbitrary URLs on browser launch. They were published under five distinct developer identities, disguised as games, translation tools, and social media enhancers. Russian-language comments appear in the source code. Affected users should remove any listed extensions and log out of all active Telegram Web sessions from the Telegram mobile app. Source: The Hacker News
New Storm Infostealer Bypasses Chrome App-Bound Encryption With Server-Side Decryption
A new infostealer named Storm has appeared on underground markets at under $1,000 per month. Unlike traditional stealers, Storm ships stolen browser credentials to attacker-controlled servers for decryption, circumventing Google’s App-Bound Encryption introduced in Chrome 127 in July 2024. The malware harvests saved passwords, session cookies, credit card data, browsing history, and crypto wallet contents, and pulls session data from Telegram, Signal, and Discord. A single compromised browser session gives operators authenticated access to SaaS platforms and cloud environments without triggering password-based alerts. Source: BleepingComputer
Critical wolfSSL Flaw CVE-2026-5194 Allows Forged Certificates Across 5 Billion Devices
A critical vulnerability in the wolfSSL lightweight TLS library allows attackers to force affected devices to accept forged certificates for malicious servers. CVE-2026-5194, discovered by Nicholas Carlini of Anthropic, stems from improper verification of hash algorithm and size when validating ECDSA signatures. The flaw affects multiple algorithms including ECDSA, DSA, ML-DSA, Ed25519, and Ed448, and impacts wolfSSL installations in IoT sensors, routers, industrial control systems, automotive systems, and aerospace equipment, collectively more than five billion applications and devices worldwide. The flaw was patched in wolfSSL version 5.9.1, released April 8. Source: BleepingComputer
Basic-Fit Data Breach Exposes Information of One Million Gym Members Across Six Countries
European fitness chain Basic-Fit disclosed a data breach affecting approximately one million members in Belgium, France, Germany, Luxembourg, the Netherlands, and Spain. Compromised data includes names, email addresses, physical addresses, phone numbers, dates of birth, and bank account details. No passwords or identity documents were accessed. The company states unauthorized access was detected and stopped within minutes by automated monitoring, and no member data has been observed for sale online to date. Sources: BleepingComputer | SecurityWeek
ShinyHunters Leaks Rockstar Games Data as Anodot Snowflake Extortion Deadline Expires
ShinyHunters followed through on its April 14 ransom deadline, releasing data stolen from Rockstar Games via the third-party SaaS platform Anodot, whose Snowflake authentication tokens were compromised. The group claims access to nearly 80 million records including internal analytics, online service monitoring data, support metrics, and business intelligence tied to GTA Online and Red Dead Online. Rockstar confirmed “a limited amount of non-material company information was accessed in connection with a third-party data breach” and stated GTA 6’s November 19, 2026 release date remains unchanged. Sources: Help Net Security | BleepingComputer
Fake Claude Website Delivers PlugX Remote Access Trojan via DLL Sideloading
Researchers at Malwarebytes identified a rogue website impersonating Anthropic’s Claude AI service, distributing the PlugX remote access trojan. The site presents a fake “pro version” installer that deploys a VBScript dropper, which silently copies a malicious DLL alongside a legitimate G DATA antivirus updater, then uses DLL sideloading to execute PlugX in the background while installing the real Claude application as cover. PlugX has historical ties to Chinese state-linked espionage operations, though researchers note its source code has circulated in underground forums, expanding the potential attacker pool. Source: Malwarebytes

