Best of Cybersecurity: April 2026

  1. Article
    BleepingComputer · 4w

    New npm supply-chain attack self-spreads to steal auth tokens

    A new self-propagating supply chain attack has been discovered in the npm ecosystem, targeting packages from Namastex Labs. The malware, found in 16 compromised packages, steals developer credentials including npm publish tokens, API keys, SSH keys, cloud service credentials, CI/CD secrets, and cryptocurrency wallet data from browsers. Once it finds npm publish tokens on a compromised system, it injects itself into every package that token can publish and republishes them with an incremented version number, enabling recursive worm-like spread. It also targets PyPI if Python credentials are found, making it a multi-ecosystem threat. Developers using the listed package versions should remove them immediately, rotate all secrets, and audit CI/CD pipelines for indicators of compromise.

  2. Video
    Fireship · 5w

    A rich hacker just penetrated 31 WordPress plugins...

    A supply chain attack compromised 31 WordPress plugins after an attacker purchased them via Flippa, inserted a dormant backdoor, and later activated malicious payloads that modified core WordPress files including wp-config.php. The command-and-control domain was resolved through an Ethereum smart contract, making it resilient to takedowns. The attack bypassed normal security suspicion by arriving as a routine plugin update. The post also covers Cloudflare's new Mdash project, a WordPress-compatible alternative built on Astro that sandboxes plugins using dynamic workers and capability-based bindings to prevent the kind of full-privilege access that makes WordPress plugins dangerous.

  3. Video
    Fireship · 6w

    Claude Mythos is too dangerous for public consumption...

    Anthropic has announced Claude Mythos, an unreleased AI model they claim is too dangerous for public release due to its ability to discover critical security vulnerabilities. During internal testing, Mythos reportedly found a 16-year-old FFmpeg bug, a 27-year-old OpenBSD null pointer vulnerability, browser sandbox escapes in major browsers, and a Linux kernel bit-flip exploit enabling root access. In response, Anthropic launched Project Glasswing, a controlled-access initiative giving select large companies access to Mythos to patch critical software before adversaries can exploit it. However, skeptics note the vulnerability discoveries required massive parallel compute runs costing tens of thousands of dollars, and some benchmarks were run against stripped-down test environments rather than real-world targets. The video concludes that Mythos is likely a genuine improvement over current models but almost certainly not an existential threat.

  4. Article
    Angel Santiago · 6w

    Stop Prompting: Use the Design-Log Method to Build Tools Predictably and Reliably

    The Design-Log Methodology addresses the 'context wall' problem in AI-assisted development by maintaining a version-controlled ./design-log/ folder with markdown documents capturing design decisions before any code is written. A practitioner shares how adopting this approach transformed their cybersecurity tool development workflow: instead of large prompts and back-and-forth corrections, they write a design log first, have the AI ask clarifying questions, freeze the design before implementation, and log any deviations. Four core rules guide the process: read before you write, design before implementation, immutable history, and Socratic questioning. The result is more reliable, auditable, and architecturally consistent AI-generated code, especially valuable when building security-sensitive tools.

  5. Video
    Low Level Learning · 7w

    No, Seriously. AI is REALLY Good at Hacking Now

    A researcher used Claude AI to write a fully functional exploit for a FreeBSD kernel vulnerability (CVE-2026-4747) involving a stack-based buffer overflow in the RPC daemon. In under 20 prompts, the AI devised a return-oriented programming (ROP) chain that changes page permissions on the BSS segment to make it executable, writes shellcode into it, and spawns a root shell via a kernel thread — all while cleanly exiting the kthread to avoid a kernel panic. The author argues this signals a coming wave of AI-accelerated exploitation and that the cybersecurity landscape is about to change dramatically.

  6. Article
    TechCrunch · 4w

    Unauthorized group has gained access to Anthropic’s exclusive cyber tool Mythos, report claims

    An unauthorized group has reportedly gained access to Mythos, Anthropic's exclusive AI-powered cybersecurity tool, through a third-party vendor environment. The group, connected via a Discord channel focused on unreleased AI models, guessed the model's online location based on Anthropic's known URL patterns and has been using it regularly since the day of its public announcement. Anthropic is investigating but says there is no evidence its own systems were impacted. Mythos was released exclusively to select vendors including Apple under Project Glasswing, specifically to prevent misuse by bad actors.

  7. Video
    TechLinked · 6w

    That's Enough, YouTube.

    A tech news roundup covering several stories: YouTube serving 90 non-skippable ads (later called a bug) and raising Premium prices by up to $4/month; CPUID's website being hacked to serve malware targeting Chrome passwords for ~6 hours; France's government plan to switch from Windows to Linux and open-source alternatives; Keychron releasing CAD source files for 83 keyboards and mice on GitHub; OpenAI reportedly finalizing a restricted-release AI product similar to Anthropic's; the first conviction under the 2025 Take It Down Act for AI-generated non-consensual deepfakes; BlackBerry patent trolling via an Irish firm suing Brother printers; and Honor's Mouse Buds Pro combining a travel mouse with built-in earbuds.

  8. Video
    TechLinked · 4w

    China Doesn’t Want Our Money

    A tech news roundup covering China's directive for top tech companies to reject US investments without government approval, Meta laying off 8,000 employees (10% of workforce) while committing $135B to data centers, Microsoft offering voluntary buyouts to ~8,700 senior employees, Apple patching an iOS vulnerability that allowed the FBI to recover deleted Signal messages via push notification databases, Microsoft enabling IT admins to uninstall Copilot from enterprise devices, a ransomware negotiator pleading guilty to secretly aiding the Black Cat hacking group, and Sony's AI ping-pong robot becoming the first machine to beat a professional player under official tournament rules.