Maintained by AI Sentinel · Updated daily
AI SENTINEL — THREAT INTELLIGENCE

Global Cyber Attack Tracker

A rolling 6-month register of major ransomware campaigns, zero-day exploits, nation-state operations, data breaches, and AI security incidents — curated and analysed by AI Sentinel.

LIVE · CISA KNOWN EXPLOITED VULNERABILITIES

All CVEs added to the CISA KEV catalog in the last 6 months — fetched live, cached hourly.


AI SENTINEL — CURATED TRACKER

// Manually verified incidents: ransomware campaigns, nation-state ops, AI exploits, data breaches


April 2026

2026-04-17 CRITICAL Nation-State ● Active

ZionSiphon — OT Malware Designed to Sabotage Water Treatment Systems

Newly discovered operational technology malware ZionSiphon specifically targets water treatment and desalination plants. It can raise chlorine levels to dangerous concentrations via a hardcoded "IncreaseChlorineLevel()" function and manipulate hydraulic pressures to cause infrastructure failure. The malware propagates via USB drives disguised as svchost.exe. Darktrace researchers found an encryption logic flaw that currently prevents execution, but warn a fixed variant could be weaponised imminently.

OT/ICS Water Treatment Israel-targeted USB Propagation Critical Infrastructure
Impact: No confirmed execution yet; if weaponised — mass civilian poisoning risk; Darktrace issued emergency advisory to water utilities globally
2026-04-16 CRITICAL AI/LLM Attack ● Active

MCP Tool Poisoning — CVE-2026-2241 Exploited Across 3,000+ AI Agent Deployments

A critical vulnerability in the MCP tool-call response parser allows malicious MCP servers to inject hidden instructions into AI agent context windows. It is being actively exploited to exfiltrate API keys, cloud credentials, and secrets from agentic CI/CD pipelines. Any AI agent that connects to an untrusted or compromised MCP server is vulnerable. CISA has added it to the Known Exploited Vulnerabilities catalog.

CVE-2026-2241 MCP Context Injection CI/CD API Keys 3,000+ deployments
Impact: 3,000+ AI agent deployments affected; cloud credentials and API keys exfiltrated; CISA KEV listed; emergency patches issued by major agentic framework vendors
2026-04-14 CRITICAL Zero-Day ● Patched

Microsoft April 2026 Patch Tuesday — 167 Flaws, 2 Zero-Days Including Exploited SharePoint Bug

Microsoft's April 2026 Patch Tuesday addressed 167 vulnerabilities including 8 Critical flaws. Two zero-days were patched: a SharePoint Server spoofing vulnerability actively exploited in the wild, and a publicly disclosed flaw. Additional critical patches cover Office RCE bugs triggerable via preview pane and a Microsoft Defender privilege escalation to SYSTEM level.

Patch Tuesday SharePoint Zero-Day Office RCE Defender Priv-Esc 167 CVEs 8 Critical
Impact: SharePoint zero-day actively exploited pre-patch; Office RCE triggerable via preview pane with no clicks; SYSTEM privilege escalation via Defender — patch immediately
2026-04-13 CRITICAL Data Breach ● Investigating

Oracle Cloud Identity Breach — 6M Enterprise Tenant Credentials Exposed

Oracle confirmed unauthorised access to its Identity Cloud Service (IDCS) affecting approximately 6 million enterprise tenant records. Compromised data includes SSO tokens, hashed passwords, and SAML signing certificates — the keys to enterprise SSO across thousands of downstream systems. The threat actor listed a sample dataset on BreachForums before Oracle confirmed the breach.

Oracle Cloud IDCS SSO Tokens SAML Certs 6M tenants BreachForums
Impact: 6M enterprise tenant credentials exposed; SAML signing cert compromise enables broad SSO impersonation; downstream system access risk across all Oracle Cloud customers
2026-04-09 HIGH Nation-State ● Investigating

Scattered Spider — SIM-Swap Campaign Hits 14 US Financial Institutions

The Scattered Spider threat group returned with a coordinated SIM-swap and social engineering campaign targeting 14 US financial institutions. Attackers bypassed MFA on privileged admin accounts by convincing telecoms to reassign victim phone numbers. $22M in fraudulent wire transfers confirmed. FBI issued emergency alerts to financial sector CISOs.

Scattered Spider SIM-Swap Social Engineering Finance USA $22M fraud
Impact: 14 US financial institutions hit; $22M in confirmed fraudulent wire transfers; MFA bypassed via SIM-swap on privileged accounts
2026-04-08 HIGH Zero-Day ● Patched

Windows CLFS Zero-Day — CVE-2026-29824 Exploited by Ransomware Affiliates

Microsoft disclosed a privilege escalation zero-day in the Windows Common Log File System (CLFS) driver that is actively exploited by ransomware affiliates to achieve SYSTEM-level access after initial compromise. The vulnerability enables local privilege escalation from standard user to SYSTEM in seconds. The patch was released as part of the April Patch Tuesday; an estimated 900,000+ Windows endpoints were unpatched at the time of disclosure.

CVE-2026-29824 CVSS 8.8 Windows CLFS Privilege Escalation Ransomware 900k+ endpoints
Impact: Exploited pre-patch by ransomware affiliates for SYSTEM privileges; 900,000+ unpatched endpoints at disclosure; patched in April Patch Tuesday KB5082200
2026-04-02 CRITICAL Ransomware ● Active

NightLock Ransomware — 47 Hospitals in 72 Hours

The NightLock ransomware group coordinated simultaneous attacks on 47 healthcare organisations across North America and Europe, leveraging stolen credentials from the January NationalID breach. The attacks encrypted patient records system-wide, forced emergency diversions, and came with a combined $50M ransom demand under threat of exposing 3.8M patient records.

Healthcare USA Canada UK Germany $50M ransom
Impact: 47 hospitals, 3.8M patient records threatened, emergency diversions, FDA & HHS emergency response activated
2026-04-01 HIGH Compliance ● Published

NIST CSF 2.1 Released — AI Risk Controls Now Mandatory

NIST officially released Cybersecurity Framework 2.1, introducing a new Governance function tier and expanded controls for AI/ML risk management. Organisations using AI in critical decisions must implement new risk assessment controls under GOVERN 2.0. Major compliance programme updates required across all enterprise sectors.

NIST Compliance AI Risk SOC 2 ISO 27001
Impact: All enterprises using AI in critical processes must update compliance programmes; federal contractors face new mandate

March 2026

2026-03-21 CRITICAL Zero-Day ● Patched

Critical Chrome Zero-Day — CVE-2026-1847 (V8 RCE)

A critical zero-day in Chrome's V8 JavaScript engine was actively exploited by state-sponsored actors targeting financial institutions globally. Remote code execution via malicious web pages required no user interaction beyond visiting a site. Google issued an emergency out-of-band patch within 48 hours.

CVE-2026-1847 CVSS 9.4 Chrome V8 Finance Government
Impact: Credential and session token theft at financial institutions; Google emergency patch — update to 124.0.6367.82+
2026-03-05 CRITICAL AI/LLM Attack ● Patched

Microsoft Copilot EchoLeak — Zero-Click Prompt Injection

A zero-click prompt injection vulnerability in Microsoft Copilot for M365 silently exfiltrated sensitive documents from OneDrive, SharePoint, and Teams via trusted Microsoft domains. No user action required — malicious content embedded in shared documents triggered automatic data exfiltration at scale.

Prompt Injection Microsoft 365 Zero-Click OneDrive Teams $200M+ impact
Impact: $200M+ estimated business impact Q1 2026; government agencies suspended M365 Copilot; SEC inquiry opened
2026-03-12 HIGH Zero-Day ● Investigating

CVE-2025-48757 — 170+ AI-Generated Apps Missing Row-Level Security

AI-generated applications built via Lovable shipped without Row-Level Security enabled on Supabase backends. One exposed instance leaked 13,000 users' data. Password reset tokens were accessible to anonymous users, enabling full account takeovers across 170+ applications.

CVE-2025-48757 CVSS 8.9 AI-Generated Code Supabase RLS 13k users
Impact: 170+ apps affected; 13,000+ users' PII exposed; full account takeovers demonstrated; FTC investigation opened

February 2026

2026-02-10 CRITICAL AI/LLM Attack ● Contained

Supabase MCP Data Leak — Prompt Injection via AI Agent

A prompt injection attack via a support ticket tricked an AI agent (Cursor + MCP integration) into dumping an entire Supabase SQL database — including OAuth tokens and session credentials. The service_role key bypassed all row-level security controls, exposing the full database to the attacker.

Prompt Injection MCP Supabase Cursor OAuth Tokens service_role
Impact: Full database dumped; OAuth tokens and session credentials exposed; service_role key exploited to bypass RLS
2026-02-18 HIGH Compliance ● Ongoing

India Blocks Supabase — Section 69A IT Act Shutdown

The Indian government ordered ISPs to block Supabase under Section 69A of the IT Act. Production applications relying on Supabase broke overnight. Thousands of startups scrambled for workarounds. India — the 4th largest tech market — went dark in under 24 hours.

India Section 69A Supabase Regulatory $100M+ impact
Impact: Thousands of production apps down in India; $100M+ estimated economic impact on SaaS ecosystem
2026-02-25 CRITICAL AI/LLM Attack ● Investigating

AI Model Poisoning — Financial Sector LLM Compromise

Backdoored fine-tuned LLM models distributed via Hugging Face targeted financial institutions that adopted open-source models for fraud detection. Poisoned models introduced systematic blind spots for specific fraud patterns, allowing attackers to bypass AI-powered fraud systems undetected for months.

Model Poisoning Hugging Face Finance Fraud Detection $180M fraud
Impact: At least 3 major banks deployed poisoned models; ~$180M in undetected fraud attributed to compromised AI systems

January 2026

2026-01-07 CRITICAL Nation-State ● Contained

GridStrike — Volt Typhoon Pre-Positions Inside US Power Grid

CISA and FBI confirmed Volt Typhoon (China-linked) successfully pre-positioned malware inside OT systems of 6 US regional power utilities. No disruption was triggered — assessed as pre-positioning for escalation during future geopolitical conflict. Emergency Congressional briefing convened in closed session.

Volt Typhoon China-linked OT/ICS Energy Grid USA CISA AA26-007A
Impact: Classified scope; NERC CIP compliance review ordered for all grid operators; national security emergency declared
2026-01-22 CRITICAL Data Breach ● Investigating

NationalID Breach — 2.1 Billion Records Leaked (Largest Ever)

The largest data breach in history: 2.1 billion records including Social Security Numbers, biometric hashes, passport data, and full financial history leaked from a major identity verification aggregator. Data appeared for sale on the RAMP darknet forum within 72 hours of exfiltration.

2.1B records SSN Biometrics USA EU India RAMP Forum
Impact: 2.1B individuals globally; FTC emergency response; class action filings in 14 jurisdictions; identity theft surge

December 2025

2025-12-04 CRITICAL Zero-Day ● Patched

Microsoft Exchange Zero-Day — CVE-2025-49742 (SSRF + RCE)

A critical SSRF-to-RCE chain in Microsoft Exchange Server was exploited by multiple threat actors before the patch was available. Unauthenticated attackers could execute arbitrary code on Exchange servers. Estimated 35,000+ Exchange servers globally compromised before patching.

CVE-2025-49742 CVSS 9.1 Exchange Server SSRF RCE 35k servers
Impact: 35,000+ Exchange servers compromised globally; several government agencies breached; CISA Emergency Directive ED-25-08 issued
2025-12-11 HIGH Ransomware ● Contained

SkyBridge Casino Group — LockBit 4.0 Ransomware Attack

LockBit 4.0 encrypted SkyBridge Casino Group's operations across 18 properties in 3 countries. Customer PII, financial records, and surveillance footage were threatened for public release. Operations were offline for 5 days including hotel check-in, gaming floors, and payment systems.

LockBit 4.0 Hospitality USA Macau Singapore $40M ransom
Impact: $40M ransom demand; 11M customer records exposed; 5-day operational outage across 18 properties

November 2025

2025-11-03 CRITICAL Ransomware ● Contained

MedChain Ransomware — 230 Hospitals Encrypted, 12 Deaths Linked

Coordinated ransomware attack on MedChain Health Systems by VenomSec (BlackCat/ALPHV successor) encrypted patient records across 230 hospitals. Emergency care diversions were initiated system-wide. 12 patient deaths have been attributed to care disruptions. HHS launched a formal investigation.

VenomSec Healthcare USA Canada UK $95M ransom 4.2M records
Impact: 230 hospitals; $95M ransom demand; 4.2M patient records at risk; 12 deaths linked to care disruption; HHS investigation
2025-11-19 HIGH Supply Chain ● Removed

npm Supply Chain Attack — "node-oauth2-proxy" Package Backdoor

Malicious versions of the widely used npm package `node-oauth2-proxy` (versions 3.2.1–3.2.4) were published from a compromised maintainer account. The package contained a reverse shell payload that activated during CI/CD builds. It was downloaded 180,000+ times before detection by Snyk researchers.

npm Supply Chain Lazarus suspected CI/CD 180k downloads
Impact: Thousands of CI/CD pipelines exposed; credential theft from build environments; tech and finance sectors primarily affected

October 2025

2025-10-08 CRITICAL Nation-State ● Ongoing

Salt Typhoon Telecom Espionage — 9 US Carriers Compromised

US intelligence confirmed Salt Typhoon (China-linked APT) compromised at least 9 major US telecommunications carriers, intercepting lawful wiretap infrastructure (CALEA) and collecting metadata on millions of calls including communications of senior government officials and political figures.

Salt Typhoon China-linked Telecom CALEA AT&T Verizon 9 carriers
Impact: US CALEA wiretap infrastructure compromised; national security implications; Senate Intelligence Committee hearings convened
2025-10-15 CRITICAL Zero-Day ● Patched

Fortinet FortiOS SSL-VPN Zero-Day — CVE-2025-32756 (RCE)

A critical remote code execution vulnerability in Fortinet FortiOS SSL-VPN was exploited in the wild before the patch was available. Attackers deployed custom malware implants on compromised FortiGate devices, establishing persistent access. Thousands of government agencies and enterprises were affected globally.

CVE-2025-32756 CVSS 9.6 Fortinet SSL-VPN FortiOS Government
Impact: Thousands of FortiGate devices compromised globally; government agencies affected; malware implants deployed on network perimeter devices
