This Week in Cybersecurity: A $285M Heist, Coordinated Attacks & Supply Chain Strike


From a $285 million DeFi heist to poisoned developer packages, this week's threats were patient, precise, and hard to see coming.

The first week of April brought some of the most consequential cybersecurity headlines of the year so far. 

A months-long nation-state operation culminated in one of the largest crypto heists in DeFi history, Iran-linked actors ramped up pressure on organizations across the Middle East and beyond, and supply chain threats continued targeting the developer tools organizations trust most. Here's what you need to know.


Explore this content with AI:

ChatGPT | Perplexity | Claude | Google AI Mode | Grok


North Korea drains $285 million from Drift Protocol in 12-minute heist

Solana-based decentralized exchange Drift has revealed that the April 1, 2026 attack resulting in the theft of $285 million was the culmination of a months-long, meticulously planned social engineering operation undertaken by North Korean state-sponsored hacking group UNC4736 — also tracked as AppleJeus, Citrine Sleet, and Gleaming Pisces — that began in the fall of 2025. 

The attack did not exploit a smart contract vulnerability. Instead, attackers manufactured an entirely fictitious token with a small amount of seeded liquidity and wash trading, manipulated Drift's oracles into treating it as legitimate collateral, and used pre-signed durable nonce transactions to drain the protocol's vaults across 31 withdrawals in roughly 12 minutes. The DRIFT governance token fell over 40% and the protocol's total value locked collapsed from approximately $550 million to under $250 million. A dozen Solana protocols with Drift dependencies paused operations.

Why it matters: This was not a technical exploit in the traditional sense — it was a governance attack executed through sustained human manipulation. North Korean operatives spent six months cultivating real professional relationships, attending industry events, and depositing their own funds to build credibility before weaponizing that access. No smart contract audit would have caught this. For any organization operating with multi-signature governance structures or relying on trusted external collaborators, this case is a clear signal that vetting, behavioral monitoring, and strict transaction verification protocols need to extend well beyond the code itself.

Read more at The Hacker News

Iran-linked actors run coordinated password-spraying campaign against Microsoft 365

An Iran-nexus threat actor is suspected to be behind a password-spraying campaign targeting Microsoft 365 environments in Israel and the U.A.E., carried out in three distinct attack waves on March 3, March 13, and March 23, 2026. According to Check Point, the campaign impacted more than 300 organizations in Israel and over 25 in the U.A.E., with additional activity observed against targets in Europe, the United States, the United Kingdom, and Saudi Arabia. Targeted sectors include government entities, municipalities, technology, transportation, and energy sector organizations. 

Why it matters: The regularity of the attack waves — spaced exactly ten days apart — suggests a deliberate, systematic cadence rather than opportunistic targeting. Cloud identity environments remain one of the most actively contested attack surfaces in 2026, and this campaign underscores that geopolitical escalation translates directly into increased cyber risk for private-sector organizations operating anywhere near the conflict zone. Conditional access policies, MFA enforcement, and anomalous login monitoring are not optional.
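The "anomalous login monitoring" called for above is concrete enough to show. The detector below is an added example, not code from the original post or from Check Point; it runs over constructed sign-in records (not real telemetry) and flags a source that fails authentication for many distinct accounts in a short window, the signature of spraying as opposed to brute force against one account.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # look-back window per source address
MIN_ACCOUNTS = 5                 # distinct accounts failing from one source

# Constructed sample sign-in records (not real data): ISO timestamp, account,
# source IP, result. Mapping a tenant's own error codes to "failure" is left
# to the caller; the detector only needs the normalized result.
SAMPLE_SIGNINS = [
    ("2026-03-13T08:00:01", "a.cohen@example.org",   "203.0.113.7",  "failure"),
    ("2026-03-13T08:00:09", "b.levi@example.org",    "203.0.113.7",  "failure"),
    ("2026-03-13T08:00:17", "c.mizrahi@example.org", "203.0.113.7",  "failure"),
    ("2026-03-13T08:00:25", "d.peretz@example.org",  "203.0.113.7",  "failure"),
    ("2026-03-13T08:00:33", "e.biton@example.org",   "203.0.113.7",  "failure"),
    ("2026-03-13T08:00:41", "f.dahan@example.org",   "203.0.113.7",  "success"),
    # One user mistyping a password from the office network: not a spray.
    ("2026-03-13T08:01:00", "g.katz@example.org",    "198.51.100.4", "failure"),
    ("2026-03-13T08:01:30", "g.katz@example.org",    "198.51.100.4", "failure"),
    ("2026-03-13T08:02:00", "g.katz@example.org",    "198.51.100.4", "failure"),
]

def detect_spray(records, window=WINDOW, min_accounts=MIN_ACCOUNTS):
    """Return {source_ip: sorted distinct accounts} for every source whose
    failed sign-ins cover >= min_accounts distinct accounts inside one window."""
    failures = defaultdict(list)            # ip -> [(timestamp, account), ...]
    for ts, account, ip, result in records:
        if result == "failure":
            failures[ip].append((datetime.fromisoformat(ts), account))
    alerts = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:   # slide the window forward
                start += 1
            accounts = {acct for _, acct in events[start:end + 1]}
            if len(accounts) >= min_accounts:
                alerts[ip] = sorted(accounts)
                break
    return alerts

def spray_success_accounts(records, alerts):
    """Accounts that signed in successfully from a flagged source: these need
    a credential reset and session revocation, not just an alert ticket."""
    return sorted({acct for _, acct, ip, res in records
                   if ip in alerts and res == "success"})
```

Raising MIN_ACCOUNTS or widening WINDOW trades sensitivity for noise; the ten-day wave spacing in the campaign above would be caught by the same grouping applied per day rather than per ten minutes.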

Read more at The Hacker News

CISA orders emergency patch for actively exploited FortiClient EMS flaw

Fortinet issued an emergency advisory on April 6 for CVE-2026-35616 in FortiClient EMS, warning the management platform was already being actively exploited and publishing fixed versions and mitigation guidance. 

CISA ordered federal agencies to secure FortiClient Enterprise Management Server instances against the actively exploited vulnerability by Friday, April 11.

Why it matters: Unauthenticated code execution on management infrastructure is among the most dangerous vulnerability classes an organization can face. Compromise at the management layer can quickly become a credential, persistence, and lateral movement incident rather than a single-host patching exercise. Organizations running FortiClient EMS — whether federal agencies or not — should treat this as urgent.

Read more at BleepingComputer

LiteLLM supply chain attack turns developer machines into credential harvesting operations

The TeamPCP threat actor compromised LiteLLM package versions 1.82.7 and 1.82.8 on PyPI, injecting infostealer malware that activated when developers installed or updated the package. The malware targeted plaintext secrets already sitting on disk — SSH keys, API tokens, and cloud credentials — turning developer endpoints into systematic credential harvesting operations.

The compromise has since been tied to a broader set of incidents: CERT-EU's detailed assessment of the European Commission cloud breach found that TeamPCP abused an AWS API key stolen via the Trivy supply-chain compromise, with data from at least 29 Union entities potentially exposed.

Why it matters: Developer machines are among the richest targets in any organization's environment — they hold credentials to virtually every system a team touches. A malicious package that activates on install requires no user interaction beyond a routine update. Organizations should audit their PyPI dependencies for exposure to the affected LiteLLM versions, rotate any secrets that may have passed through compromised environments, and treat software supply chain hygiene with the same urgency as perimeter security.
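The dependency audit recommended above can be scripted. This is an added example, not code from the original post or from the LiteLLM project: it checks requirements-style pins against the two versions named in the report, flags floating specifiers that a lockfile must be checked for, and queries the running environment. The sample requirements text is constructed.

```python
import re
from importlib.metadata import PackageNotFoundError, version

# Versions the report names as carrying the injected infostealer.
AFFECTED = {"litellm": {"1.82.7", "1.82.8"}}

# Constructed sample requirements file (not real project data).
SAMPLE_REQUIREMENTS = """\
# pinned by the platform team
requests==2.32.3
LiteLLM[proxy]==1.82.7
litellm>=1.82.0        # floating range: could resolve to a bad version
openai==1.60.0
"""

# name, optional [extras], optional operator, version (stops at ';' or '#')
_REQ = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*"
    r"(==|>=|~=|<=|!=|>|<)?\s*([^\s;#]*)")

def normalize(name):
    """PEP 503 normalization so LiteLLM and litellm compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def audit_requirements(text, affected=AFFECTED):
    """Return (line_no, package, status): 'affected' for an exact pin on a
    bad version, 'unpinned' when the specifier could still resolve to one."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):      # blank, comment, or pip option
            continue
        m = _REQ.match(line)
        if not m:
            continue
        name, op, ver = normalize(m.group(1)), m.group(2), m.group(3)
        if name not in affected:
            continue
        if op == "==" and ver in affected[name]:
            findings.append((no, name, "affected"))
        elif op != "==":
            findings.append((no, name, "unpinned"))
    return findings

def installed_status(name="litellm", affected=AFFECTED):
    """Check the current interpreter: 'affected', 'clean', or 'not installed'."""
    try:
        installed = version(name)
    except PackageNotFoundError:
        return "not installed"
    return "affected" if installed in affected.get(normalize(name), set()) else "clean"
```

A hit from either function means the host has executed the malicious install hook, so the follow-up is the secret rotation described above, not only a version bump.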

Read more at The Hacker News

Google patches Chrome's fourth zero-day of 2026

Google patched CVE-2026-5281, a use-after-free bug in Dawn (WebGPU), marking the fourth Chrome zero-day exploited in the wild in 2026. The fix was pushed to versions 146.0.7680.177/178 for Windows, macOS, and Linux. All four Chrome zero-days patched so far this year — including flaws in CSSFontFeatureValuesMap, Skia, and V8 — were confirmed exploited in attacks before patches shipped.

Why it matters: Four browser zero-days actively exploited before a patch existed — in the first quarter of the year alone — speaks to how aggressively threat actors are targeting the browser as an attack surface. Chrome's auto-update mechanism helps, but enterprise environments with delayed patch rollouts or managed browser configurations need to treat these updates as critical deployments, not routine maintenance.

Read more at DEV Community

Hasbro discloses cyberattack, systems taken offline

Hasbro disclosed on April 1 that it was investigating unauthorized access detected on March 28, had brought in outside cybersecurity specialists, and had taken some systems offline while it determined the scale and business impact of the incident. 

Why it matters: Consumer products companies are not the typical headline target in cybersecurity news, but the interconnected nature of modern enterprise operations — manufacturing, licensing, logistics, and back-office workflows all running on shared infrastructure — means a breach at any point can cascade quickly. The early containment response is notable, but the full scope of this incident remains under investigation.

Read more at Reuters

Final thoughts

This week's stories share a common thread: the most damaging attacks rarely rely on a single novel exploit. They combine patience, trust manipulation, supply chain access, and governance weaknesses into multi-layered operations that are difficult to detect until significant damage is done. The Drift heist took six months to execute. The LiteLLM compromise piggybacked on a trusted open-source tool. Defenders who focus exclusively on perimeter hardening and patch cycles will miss these vectors entirely.

Security posture in 2026 has to account for who you trust, what they have access to, and how you would know if that trust was being abused.
