DJBSEC's CyberNews 2026-04-29
Today’s daily news covers the following categories: Vulnerability, Nation-State/APT, Privacy, Malware, Threat Intelligence.
LiteLLM SQL Injection Vulnerability Actively Exploited
Vulnerability
A critical SQL injection vulnerability in LiteLLM, the popular open-source AI model gateway and proxy, has been found under active exploitation in the wild. The flaw allows unauthenticated attackers to manipulate backend database queries, potentially exposing sensitive configuration data including API keys for connected AI services. LiteLLM is widely used by organizations to route and manage requests across multiple large language model providers, making the attack surface particularly broad. Security researchers urge organizations running self-hosted LiteLLM instances to apply patches immediately and audit database access logs for signs of compromise. This incident underscores the growing risk of supply chain vulnerabilities in AI infrastructure tooling as enterprise AI adoption accelerates.
New Sandworm Tradecraft Uses SSH Over Tor Tunnel for Stealthy C2
Nation-State/APT
Russia’s Sandworm threat group, linked to GRU military intelligence, has been observed employing a novel command-and-control technique that tunnels SSH connections over the Tor anonymity network. The approach allows the group to blend malicious traffic with legitimate encrypted network activity, making detection and attribution significantly harder for defenders. Researchers believe the tactic is being used in ongoing operations targeting critical infrastructure and government networks in Europe and Ukraine. The technique represents an evolution of Sandworm’s tradecraft, building on the group’s long history of using open-source tools repurposed for offensive operations. Organizations are advised to monitor for unusual SSH activity and unexpected Tor process execution on their networks.
Companies Hit With Record Privacy Fines in 2025, Gartner Reports
Privacy
A new Gartner report reveals that global corporate privacy fines reached record levels in 2025, driven largely by aggressive enforcement of GDPR in Europe and expanding data protection laws across Asia and the Americas. Regulators issued several multi-hundred-million-dollar penalties against major technology and financial services firms for unlawful data processing, inadequate consent mechanisms, and failure to honor subject access requests. The report notes that repeat offenders faced compounding penalties as regulators demonstrated a willingness to escalate enforcement against companies slow to remediate violations. Privacy compliance has now become a board-level risk issue at most large enterprises, with organizations investing heavily in data governance programs to reduce exposure. Gartner analysts predict enforcement activity will continue to intensify through 2026 as more jurisdictions finalize comprehensive privacy legislation.
Gemini CLI Found Vulnerable to Remote Code Execution
Vulnerability
Google’s Gemini CLI, a command-line interface tool for interacting with Gemini AI models, has been found to contain a remote code execution vulnerability that could allow attackers to run arbitrary commands on a developer’s machine. The flaw can be triggered through maliciously crafted input or prompt injection techniques, where an attacker controls content that the CLI processes. Given that developer tools often run with elevated privileges and have broad file system access, exploitation could result in complete host compromise. Google has been notified and is working on a patch, but the vulnerability highlights the emerging threat surface introduced by AI-integrated developer tooling. Developers are advised to exercise caution when using the CLI against untrusted data sources or repositories until a fix is available.
82 Chrome Extensions Caught Harvesting and Selling User Data
Privacy
Security researchers have identified 82 malicious Google Chrome browser extensions that were secretly collecting sensitive user data and selling it to third-party data brokers. The extensions, which collectively had millions of installs, used obfuscated code to harvest browsing history, search queries, form data, and in some cases authentication cookies. Despite Google’s review process, the extensions managed to stay in the Chrome Web Store for extended periods by initially appearing legitimate and only activating malicious behavior after gaining a large user base. Google has since removed the identified extensions, but researchers warn that the pattern of abuse is recurring and difficult to fully prevent through automated review alone. Users are strongly encouraged to audit their installed extensions and limit permissions granted to browser add-ons.
UNC6692 Leverages Social Engineering and Cloud Services for Malware Delivery
Malware
A newly tracked threat cluster designated UNC6692 is using sophisticated social engineering combined with abuse of legitimate cloud platforms to deliver malware to targeted organizations. The group poses as trusted vendors or IT support personnel to convince victims to execute payloads hosted on services such as OneDrive, Dropbox, or Google Drive, effectively bypassing perimeter security controls that block traditional malware delivery vectors. Once inside, UNC6692 deploys a modular backdoor that communicates over encrypted channels to attacker-controlled cloud infrastructure, further complicating detection. The group has targeted organizations across financial services, government, and defense contracting sectors, primarily in North America and Western Europe. Defenders are advised to enforce strict controls on cloud storage access and to train employees to verify unexpected file sharing or software installation requests through out-of-band channels.
Supply Chain Campaign Targets Security Tools and Vendors
Threat Intelligence
A sophisticated supply chain attack campaign has been identified targeting cybersecurity vendors and the tools they produce, aiming to compromise security products as a stepping stone into customer networks. Attackers infiltrated development pipelines and inserted malicious code into software updates distributed to downstream enterprise customers, a technique reminiscent of the SolarWinds and 3CX incidents. The campaign is notable for specifically targeting security software, which typically operates with deep system access and elevated trust, making it an especially high-value vector. Researchers have not yet publicly attributed the campaign but describe the tradecraft as consistent with a sophisticated nation-state actor. Organizations are urged to verify the integrity of security tool updates through code-signing validation and to monitor for unexpected behaviors from security agent processes.
Chinese National Linked to Silk Typhoon and HAFNIUM Extradited to Face US Charges
Nation-State/APT
A Chinese national identified as Xu Zewei has been extradited to the United States to face federal charges related to his alleged role in cyberattacks attributed to the Silk Typhoon threat group, also previously known as HAFNIUM. Silk Typhoon is a Chinese state-sponsored hacking group notorious for exploiting vulnerabilities in internet-facing enterprise software, including the 2021 mass exploitation of Microsoft Exchange Server zero-days that compromised tens of thousands of organizations worldwide. The indictment alleges Xu conducted reconnaissance, maintained persistent access, and exfiltrated sensitive data from government agencies, defense contractors, and research institutions. The extradition marks a rare instance of a Chinese cyber operative being brought to trial in the US and signals continued efforts by the Department of Justice to hold state-linked hackers accountable. China has denied the allegations and condemned the extradition as politically motivated.
AI Coding Agent Accidentally Deletes Production Data During Automated Task
Threat Intelligence
An AI coding agent deployed to automate software maintenance tasks caused a significant incident when it interpreted an ambiguous instruction and proceeded to delete production data it identified as redundant. The event highlights the risks of granting autonomous AI agents write access to live systems without robust guardrails and human-in-the-loop checkpoints. The agent had been instructed to clean up old files in a repository and, lacking sufficient context, extended that logic to a connected production database, resulting in hours of service disruption and data recovery efforts. Security and DevOps professionals are drawing attention to the incident as a cautionary tale about the need for principle-of-least-privilege policies to apply to AI agents just as they do to human users. Industry groups are calling for standardized safety frameworks governing the scope and permissions granted to autonomous AI systems in production environments.
Microsoft Confirms Active Exploitation of Critical Windows Vulnerability
Vulnerability
Microsoft has confirmed that a critical vulnerability in the Windows operating system is being actively exploited in targeted attacks, prompting urgent calls for organizations to prioritize patching. The flaw affects a core Windows component and allows attackers with initial access to escalate privileges or execute code in a highly privileged context, significantly easing the path to full system compromise. Microsoft released an out-of-band security update and strongly urged customers not to wait for the next scheduled Patch Tuesday cycle to apply the fix. Threat intelligence teams have observed the vulnerability being leveraged in post-exploitation activity following initial access obtained through phishing or exposed remote services. Organizations running unpatched systems are advised to apply the update immediately and to review endpoint detection logs for indicators of compromise associated with the exploit chain.
OilRig APT Conceals C2 Configuration to Evade Detection
Nation-State/APT
The Iranian state-sponsored threat group OilRig, also tracked as APT34, has adopted new techniques to conceal its command-and-control configuration data, complicating efforts by security researchers and defenders to analyze and disrupt its infrastructure. The group is now encrypting and fragmenting C2 configuration details within legitimate-looking files or registry keys, making static analysis and automated detection significantly less effective. OilRig has long been known for targeting government, energy, and telecommunications organizations across the Middle East and beyond, often maintaining persistent access for espionage purposes. The updated evasion techniques suggest the group has been actively refining its toolset in response to increased public reporting and takedown efforts by the security community. Threat hunters are advised to focus on behavioral detection of unusual outbound connection patterns rather than relying solely on signature-based identification of known C2 indicators.