Security news.
Today's security landscape is dominated by critical vulnerabilities in widely used platforms, active exploitation campaigns, and law enforcement actions against major threat actors. GitHub, Hugging Face, and Windows all face unpatched or newly exploited critical flaws, while supply chain attacks continue to proliferate through developer tools.
Critical GitHub CVE-2026-3854 RCE Flaw Exploitable via Git Push
Authenticated users can achieve remote code execution on GitHub.com and GitHub Enterprise Server with a single "git push" command (CVSS 8.7).
Critical Unpatched Hugging Face LeRobot RCE Flaw (CVE-2026-25874)
Untrusted data deserialization in the robotics platform allows unauthenticated remote code execution (CVSS 9.3).
CISA Adds Two Known Exploited Vulnerabilities to KEV Catalog
CVE-2024-1708 (ConnectWise ScreenConnect path traversal) and CVE-2026-32202 (Windows Shell spoofing) are actively exploited in the wild.
GlassWorm Campaign Returns with 73 OpenVSX "Sleeper" Extensions
Over 70 cloned VS Code extensions in the Open VSX marketplace are designed to distribute self-propagating malware after updates.
Vimeo Confirms Data Breach via Anodot Supply Chain Attack
Customer and user data was accessed without authorization following the breach of Anodot, a data anomaly detection platform; the ShinyHunters group is demanding a ransom.
Checkmarx Confirms LAPSUS$ Leaked Stolen GitHub Repository Data
The threat group published data from Checkmarx's private GitHub repository obtained via the March 23 supply chain attack.
US Charges Scattered Spider Member Arrested in Finland
A 19-year-old dual US-Estonian citizen faces federal charges for his role in the notorious Scattered Spider hacking collective.
Microsoft Confirms Active Exploitation of Windows Shell CVE-2026-32202
The spoofing vulnerability (CVSS 4.3) is being actively exploited in the wild; patch available via April Patch Tuesday.