Week 15: The Collapse of the Patch Window
A nine-hour exploit turnaround on Marimo, Adobe Reader exploited since December, Russian SOHO router token harvesting at scale, and Anthropic's Claude Mythos redefines what automated vulnerability discovery looks like.
Overview
This week’s signal is dominated by three converging trends: the continued compression of vulnerability exploitation timescales, an unusually dense cluster of supply chain compromises spanning multiple package ecosystems, and state-sponsored actors demonstrating increasingly sophisticated tradecraft against both enterprise and industrial control system targets. Anthropic’s announcement of Claude Mythos (Project Glasswing) adds a new variable to an already shifting equation around automated vulnerability discovery and the defender’s capacity to keep pace.
The breadth of activity is notable. We observed simultaneous campaigns by Russian military intelligence targeting SOHO routers for authentication token harvesting, Iranian-affiliated actors manipulating PLCs across US critical infrastructure, a hack-for-hire operation targeting journalists in the MENA region, and North Korean operators industrialising malicious package distribution at a scale of 1,700 packages across four ecosystems. These are not isolated events; they reflect the operational tempo of well-resourced adversaries operating across multiple domains concurrently.
Actively Exploited Vulnerabilities
CVE-2026-34621: Adobe Acrobat Reader Arbitrary Code Execution
Adobe released an emergency out-of-band patch for CVE-2026-34621 (CVSS 8.6), an arbitrary code execution vulnerability in Acrobat Reader that has been under active exploitation since at least December 2025. EXPMON researcher Haifei Li described it as a “highly sophisticated PDF exploit.” The initial artifact (Invoice540.pdf) first appeared on VirusTotal on 28 November 2025, meaning the exploit was in the wild for approximately four and a half months before a patch was available. The gap between initial detection on VT and the patch release warrants scrutiny: it suggests either delayed vendor notification, delayed triage, or both.
The exploitation mechanism is significant because no user interaction beyond opening the PDF is required. In environments where PDFs are routinely processed by automated pipelines (document management systems, email attachment scanning, invoice processing), the attack surface extends beyond individual endpoints. Organisations should audit not just their Reader deployment versions but any system that renders or parses PDF content.
- Adobe Patches Actively Exploited Acrobat Reader Flaw CVE-2026-34621 (The Hacker News)
- Adobe Patches Reader Zero-Day Exploited for Months (SecurityWeek)
CVE-2026-1340: Ivanti EPMM Code Injection (CISA KEV)
CISA added CVE-2026-1340 to the Known Exploited Vulnerabilities catalogue on 8 April. This is a code injection vulnerability in Ivanti Endpoint Manager Mobile (EPMM). Ivanti products continue to feature disproportionately in KEV additions; this is the fourth Ivanti-related KEV entry since January, a pattern that reflects both the product’s deployment prevalence in government networks and persistent architectural weaknesses in the product line.
CVE-2026-39987: Marimo Pre-Authentication RCE
CVE-2026-39987 (CVSS 9.3) is a pre-authentication remote code execution vulnerability in Marimo, an open-source Python notebook environment for data science. Sysdig reported that a working exploit was developed and deployed in the wild within nine hours of disclosure. The attacker built the exploit directly from the advisory. This is consistent with the broader trend Cisco Talos discussed this week in “The Collapse of the Patch Window”: the time between vulnerability disclosure and weaponisation is now measured in hours, not days, and certainly not the weeks that most patch management cycles assume.
For any internet-facing service running Marimo, the window for orderly patching effectively did not exist. The exploit was used for credential theft, suggesting it was incorporated into an existing operational workflow rather than being opportunistic.
- Marimo RCE Flaw CVE-2026-39987 Exploited Within 10 Hours of Disclosure (The Hacker News)
- Critical Marimo Flaw Exploited Hours After Public Disclosure (SecurityWeek)
Chrome 147: 60 Vulnerabilities, Two Critical
Google released Chrome 147, patching 60 vulnerabilities including two critical flaws in the WebML component worth a combined $86,000 in bug bounty rewards. Separately, Google shipped Device Bound Session Credentials (DBSC) in Chrome 146, which cryptographically binds authentication cookies to the device, rendering stolen session cookies unusable. This is a significant architectural mitigation against the infostealer malware class that has dominated credential theft for the past 18 months.
- Chrome 147 Patches 60 Vulnerabilities (SecurityWeek)
- Google Rolls Out Cookie Theft Protections in Chrome (SecurityWeek)
Supply Chain Compromise
litellm PyPI Package (v1.82.8)
A supply chain compromise was identified in the litellm Python package at version 1.82.8. The published wheel contained a malicious .pth file (litellm_init.pth, 34,628 bytes) that is automatically executed by the Python interpreter on every startup, without requiring any explicit import. This is a particularly insidious delivery mechanism because .pth files are processed during interpreter initialisation, meaning any Python process on an affected system executes the payload, not just those that import litellm. As Schneier noted, the remediation path requires the boring but essential work: SBOMs, SLSA, SigStore. None of these are widely adopted in the AI/ML ecosystem.
- Python Supply-Chain Compromise (Schneier on Security)
CPUID Compromise: CPU-Z and HWMonitor
Threat actors compromised the CPUID website (cpuid.com) and replaced download links for CPU-Z and HWMonitor with trojanised executables delivering STX RAT. The compromise lasted approximately 19 hours (9 April 15:00 UTC to 10 April 10:00 UTC). This is a watering-hole attack targeting hardware enthusiasts, system administrators, and overclockers who use these tools for hardware diagnostics. The limited window suggests either rapid detection or a smash-and-grab operation where the attackers prioritised initial access volume over persistence.
Smart Slider 3 Pro: Update System Hijacked
Unknown actors compromised the update infrastructure for Smart Slider 3 Pro, a WordPress and Joomla plugin with over 800,000 active installations. The hijacked update (version 3.5.1.35) deployed multiple backdoors. This attack vector, poisoning the update channel of a legitimate plugin, is particularly dangerous because CMS administrators are trained to apply updates promptly. The same behaviour that mitigates vulnerability exposure becomes the delivery mechanism.
North Korean Package Ecosystem Campaign: 1,700 Packages
The Contagious Interview campaign attributed to North Korean operators expanded to 1,700 malicious packages across npm, PyPI, Go, and Rust registries. The packages impersonate legitimate developer tooling while functioning as malware loaders. The scale of this operation is industrial: maintaining 1,700 packages across four distinct ecosystems requires significant operational investment in infrastructure, social engineering (developer personas), and ongoing maintenance to avoid automated takedown. This is not opportunistic; it is a sustained programme.
GlassWorm: Zig Dropper Targeting Developer IDEs
The GlassWorm campaign introduced a new Zig-compiled dropper designed to infect all integrated development environments on a developer’s machine. The payload was distributed via a malicious Open VSX extension masquerading as WakaTime, a popular coding activity tracker. The choice of Zig as the dropper language is notable because it produces binaries with minimal runtime dependencies and an unusual signature profile, making static analysis less effective for detection engines trained primarily on C/C++ and Go compiled malware.
- GlassWorm Campaign Uses Zig Dropper to Infect Multiple Developer IDEs (The Hacker News)
State-Sponsored Activity
Russian Military Intelligence: SOHO Router Token Harvesting
Microsoft Threat Intelligence and Krebs on Security independently reported on Forest Blizzard (GRU Unit 26165) compromising SOHO routers to harvest Microsoft Office authentication tokens. The campaign exploits known vulnerabilities in older router firmware to modify DNS settings, redirecting authentication traffic through attacker-controlled infrastructure. Microsoft documented over 18,000 affected networks. The attack does not deploy malware on the router itself; it modifies DNS resolution to redirect OAuth token exchanges, making it invisible to endpoint detection. The technique is an adversary-in-the-middle attack at the network layer, below the visibility of most EDR deployments.
This is operationally significant because the compromise persists across device reboots (DNS settings survive firmware restarts on most consumer routers) and affects every device on the network, not just the router itself. Remediation requires firmware updates and manual DNS reconfiguration on affected devices.
- SOHO router compromise leads to DNS hijacking and adversary-in-the-middle attacks (Microsoft Security Blog)
- Russia Hacked Routers to Steal Microsoft Office Tokens (Krebs on Security)
Russian Military Intelligence: PRISMEX Malware Suite
Trend Micro documented a fresh spear-phishing campaign by the same Russian military intelligence unit deploying a previously undocumented malware suite codenamed PRISMEX. The tooling combines steganography for payload delivery, COM hijacking for persistence, and legitimate cloud services for command and control. The use of steganography suggests the operators are investing in detection evasion at the network layer, hiding C2 traffic within apparently benign image transfers. Targets include Ukrainian government entities and NATO allied organisations.
Iranian PLC Exploitation: CISA Advisory AA26-097A
CISA published advisory AA26-097a detailing Iranian-affiliated actors exploiting internet-facing Rockwell Automation/Allen-Bradley programmable logic controllers across US critical infrastructure. The advisory describes PLC disruptions resulting from manipulation of project files and HMI/SCADA displays, causing operational disruption and financial loss. BleepingComputer reported nearly 4,000 US industrial devices remain exposed. The attack TTPs include direct interaction with PLC project files, which means the adversary has sufficient understanding of the control logic to modify it meaningfully, not just disrupt it. This is a qualitative step beyond simple denial-of-service against OT systems.
- Iranian-Affiliated Cyber Actors Exploit Programmable Logic Controllers Across US Critical Infrastructure (CISA)
- Nearly 4,000 US industrial devices exposed to Iranian cyberattacks (BleepingComputer)
LucidRook: Targeting Taiwanese NGOs
Cisco Talos identified a previously undocumented threat cluster (UAT-10362) conducting spear-phishing campaigns against Taiwanese non-governmental organisations and universities. The malware, dubbed LucidRook, is a Lua-based stager that embeds a Lua interpreter and Rust-compiled libraries within a DLL to download and execute second-stage payloads. The hybrid Lua/Rust architecture is unusual and suggests operators prioritising rapid prototyping (Lua) with performance-critical components compiled in Rust. The targeting of NGOs and academic institutions in Taiwan is consistent with intelligence collection objectives related to cross-strait relations.
- New Lua-based malware “LucidRook” observed in targeted attacks against Taiwanese organizations (Cisco Talos)
Hack-for-Hire: MENA Journalist Targeting
Access Now, Lookout, and SMEX documented a hack-for-hire campaign with suspected ties to the Indian government targeting journalists, activists, and government officials across the Middle East and North Africa. Two of the identified targets were prominent Egyptian journalists and government critics. The campaign underscores the normalisation of commercial surveillance and hack-for-hire operations as a tool of state influence.
Research
Google Project Zero: Pixel 9 Zero-Click Exploit Chain
Project Zero published a three-part series documenting a complete zero-click exploit chain for the Pixel 9. The chain begins with a vulnerability in the Dolby Unified Decoder (Part 1), which is triggered when Google Messages automatically transcribes incoming audio attachments without user interaction. The researchers then exploited a hardware driver (/dev/bigwave, a custom AV1 decoding accelerator on the Pixel SoC) accessible from the sandboxed mediacodec SELinux context to escape the sandbox (Part 2). Part 3 discusses the broader implications for Android’s attack surface, noting that AI-powered features like automatic transcription have substantially expanded the zero-click attack surface by requiring media decoding before user interaction.
The research introduces two tools: one for systematically mapping accessible device drivers from sandboxed contexts (DriverCartographer), and another for evaluating the effectiveness of the sandbox boundary. The practical recommendation is that audio transcription, which creates a decode-before-user-interaction requirement, should be considered a security-critical path and fuzzed accordingly.
- Part 1: Decoding Dolby (Google Project Zero)
- Part 2: Cracking the Sandbox with a Big Wave (Google Project Zero)
- Part 3: Where do we go from here? (Google Project Zero)
Windows Administrator Protection Bypasses
James Forshaw at Project Zero published two posts detailing bypasses of Windows 11 25H2’s Administrator Protection feature. The first post provides an overview of the feature’s architecture and one of nine bypasses found during the insider preview: exploiting how the system creates an isolated admin context. The second post focuses specifically on UI Access, a longstanding mechanism that allows accessibility applications to interact across security boundaries. Forshaw demonstrates that the pre-existing UI Access attack surface that was already problematic for UAC translates directly to bypasses of Administrator Protection. Five of the nine reported bypasses share this root cause. All issues have been fixed, but the pattern is instructive: bolting a new security boundary onto a system with deep-rooted assumptions about trust between UI components is architecturally difficult.
- Bypassing Windows Administrator Protection (Google Project Zero)
- Bypassing Administrator Protection by Abusing UI Access (Google Project Zero)
AWS Bedrock AgentCore: Agent God Mode and Sandbox Escape
Unit 42 published two complementary pieces on Amazon Bedrock AgentCore. “Agent God Mode” describes how overly broad IAM permissions in the default AgentCore configuration enable privilege escalation and data exfiltration. The companion piece, “Escaping the AWS AgentCore Sandbox,” demonstrates DNS tunneling and credential exposure from within the sandbox’s network isolation mode. Together, these findings illustrate a recurring pattern in AI agent infrastructure: the tension between granting agents sufficient permissions to be useful and constraining them sufficiently to be secure. The DNS tunneling technique for sandbox escape is worth studying as it will likely recur in other agentic AI platforms.
- Cracks in the Bedrock: Agent God Mode (Unit 42)
- Cracks in the Bedrock: Escaping the AWS AgentCore Sandbox (Unit 42)
Cloudflare: BPF Symbolic Execution for Malware Analysis
Cloudflare published a technical deep-dive on applying symbolic execution and the Z3 theorem prover to BPF bytecode for automated malware trigger packet generation. The technique reduces analysis time for network-triggered malware from hours of manual reverse engineering to seconds of automated constraint solving. This has immediate practical applications for SOC teams analysing malware that uses kernel-level packet filters to gate C2 communication.
- From bytecode to bytes: automated magic packet generation (Cloudflare Blog)
macOS ClickFix: AI-Assisted Multi-Platform Attack
ANY.RUN documented a ClickFix variant targeting macOS endpoints with AMOS (Atomic macOS Stealer). The campaign uses AI-generated lure content and social engineering to deliver the payload. This is consistent with the broader shift towards macOS as a viable target platform: as Apple devices make up an increasing share of corporate endpoints, particularly among executives and developers, the return on investment for macOS-targeted malware justifies the development cost.
AI and Security
Anthropic Claude Mythos (Project Glasswing)
Anthropic announced Project Glasswing, a programme providing a preview of the Claude Mythos model to a restricted set of partners (AWS, Apple, Broadcom, Cisco, CrowdStrike, and others) for vulnerability discovery. Anthropic claims the model has identified thousands of high-severity vulnerabilities across major systems, including OS and browser flaws, with some exploits developed autonomously. Multiple independent analyses were published this week: Wiz Research and Cloud Security Alliance both assessed implications for defensive operations, while Qualys examined the “Vulnpocalypse” scenario where AI-driven vulnerability discovery outpaces human capacity to remediate.
The immediate operational impact for most organisations is negligible: the model is restricted to vetted partners. The strategic signal, however, is important. If automated discovery at this scale becomes accessible, the assumption that defenders have a meaningful patch window collapses entirely, which connects directly to the Marimo nine-hour exploitation timeline observed this same week.
- Anthropic’s Claude Mythos Finds Thousands of Zero-Day Flaws Across Major Systems (The Hacker News)
- Claude Mythos: Preparing for a World Where AI Finds and Exploits Vulnerabilities Faster Than Ever (Wiz Research)
- Anthropic’s Mythos is Here: Defending from the Vulnpocalypse (Cloud Security Alliance)
Grafana AI Bug: Prompt Injection Leaking User Data
Dark Reading reported on a Grafana vulnerability where an attacker-controlled web page could inject instructions into an AI assistant, causing it to return sensitive user data to an external server. The attack vector is indirect prompt injection: the AI ingests content from a page that contains hidden instructions. This is a concrete example of the attack class that security researchers have warned about since 2023, now manifesting in production software used by operations teams.
- Grafana Patches AI Bug That Could Have Leaked User Data (Dark Reading)
Policy and Industry
Post-Quantum Cryptography: Google and Cloudflare Target 2029
Both Google and Cloudflare independently announced 2029 as their target date for full post-quantum cryptography migration. Schneier’s assessment: the timeline is sensible not because quantum computing is imminent, but because cryptographic migrations inherently take years. Cloudflare’s post notes that “recent advances in quantum hardware and software have accelerated the timeline on which quantum attack might happen.” The convergence of two major infrastructure providers on the same target date creates pressure for the rest of the industry to follow.
- Google Wants to Transition to Post-Quantum Cryptography by 2029 (Schneier on Security)
- Cloudflare targets 2029 for full post-quantum security (Cloudflare Blog)
Hong Kong Key Disclosure Law
Hong Kong enacted legislation empowering police to compel disclosure of encryption keys, extending even to individuals transiting through the airport. The practical implications for organisations with employees travelling through Hong Kong are non-trivial: any device carried through the jurisdiction is subject to compelled key disclosure. Travel policies should be reviewed. Temporary devices or hardware security modules that support key destruction should be considered for sensitive roles.
- Hong Kong Police Can Force You to Reveal Your Encryption Keys (Schneier on Security)
New Mexico Meta Ruling: Implications for Encryption
Schneier highlighted a New Mexico court ruling against Meta that may establish precedent for treating encryption as a “design choice that enables harm.” The ruling used Meta’s 2023 decision to add end-to-end encryption to Messenger as evidence against the company, arguing that encryption made it harder for law enforcement to access evidence of crimes against minors. If this “design choices create liability” framework gains traction, it has broad implications for any service that implements end-to-end encryption.
- New Mexico’s Meta Ruling and Encryption (Schneier on Security)
Microsoft Cloud Security: Federal Assessment
ProPublica reported that federal cybersecurity evaluators found significant security control deficiencies in Microsoft’s cloud offerings during a late 2024 assessment. Given the US government’s substantial concentration of workloads on Microsoft platforms, the findings raise questions about systemic risk from infrastructure monoculture. The specific deficiencies have not been publicly enumerated.
- On Microsoft’s Lousy Cloud Security (Schneier on Security)
Notable Incidents
FortiGate CVE-2025-59718 Exploitation
Rapid7’s incident response team published findings from an engagement involving exploitation of CVE-2025-59718 against a FortiGate appliance. The vulnerability, disclosed by Fortinet in December 2025, is an SSO login bypass via improper cryptographic signature verification. Rapid7 notes that after initial exploitation, attackers maintained a low-profile posture, systematically compromising additional firewalls before pivoting to internal hosts. The report includes specific detection opportunities.
Storm-2755: Payroll Diversion Attacks
Microsoft DART documented Storm-2755, a financially motivated actor compromising Canadian employee accounts to redirect salary payments. The technique involves gaining access to HR/payroll portals and modifying direct deposit information. This is a low-sophistication, high-impact attack that bypasses most security controls by targeting business processes rather than technical infrastructure.
- Investigating Storm-2755: “Payroll pirate” attacks targeting Canadian employees (Microsoft Security Blog)
Webloc: Advertising-Based Geolocation Surveillance
Citizen Lab revealed that law enforcement agencies in Hungary, El Salvador, and the United States have used Webloc, an advertising-based geolocation surveillance system developed by Israeli company Cobwebs Technologies (now Penlink), to track 500 million devices. The system abuses the advertising technology ecosystem’s real-time bidding infrastructure to obtain precise location data without requiring warrants or cooperation from device manufacturers.
Hims Telehealth Breach
Threat actors breached Hims, a telehealth platform, exposing protected health information relating to hair loss, weight management, and erectile dysfunction treatments. The categorical sensitivity of this data creates specific extortion and social engineering risk vectors that distinguish it from typical PII breaches.
- Hims Breach Exposes the Most Sensitive Kinds of PHI (Dark Reading)
$280M Drift Cryptocurrency Theft
The Record reported that the $280 million theft from Drift cryptocurrency exchange involved North Korean operators who spent six months establishing trust through a fictitious quantitative trading company. The operation began with an approach at a cryptocurrency conference. This is consistent with the social engineering tradecraft documented in previous North Korean cryptocurrency operations but at a significantly higher financial scale.
- ‘It reads like a spy novel’: $280 million theft from Drift involved North Korean fake companies, cutouts (The Record)
ICS/OT Advisories
| CVE | Product | CVSS | Summary |
|---|---|---|---|
| CVE-2025-13926 | Contemporary Controls BASC 20T | 9.8 | Reliance on untrusted inputs enables full PLC reconfiguration, file transfer, and RPC execution |
| CVE-2026-4436 | GPL Odorizers GPL750 | 8.6 | Missing authentication allows remote Modbus register manipulation, directly affecting gas odorant injection rates |
| CVE-2025-14815/14816 | Mitsubishi Electric GENESIS64, ICONICS Suite | 8.8 | Local attacker can extract SQL Server credentials for data disclosure, tampering, or DoS |
The GPL Odorizers vulnerability deserves particular attention: successful exploitation directly affects physical safety by manipulating gas odorant injection rates, meaning too little odorant could result in undetectable gas leaks.
- Contemporary Controls BASC 20T (CISA)
- GPL Odorizers GPL750 (CISA)
- Mitsubishi Electric GENESIS64 and ICONICS Suite (CISA)
TeamPCP Supply Chain Campaign: Update 007
The SANS Internet Storm Center published the seventh update to their ongoing tracker of the TeamPCP supply chain campaign. Key developments this week: Cisco source code was stolen via a Trivy-linked breach path, Google GTIG now tracks the campaign as UNC6780, and the CISA KEV deadline arrived with no standalone advisory issued. The absence of a CISA advisory despite KEV inclusion is unusual and may indicate ongoing coordination with affected vendors.
- TeamPCP Supply Chain Campaign: Update 007 (SANS ISC)
214 articles from 48 feeds were processed for the week of 7-13 April 2026. This bulletin covers items with the highest operational relevance. Published every Friday at securitea.tech.