Security News
Afternoon Brief
Today's security brief highlights active exploitation of vulnerabilities in WordPress plugins and Splunk Enterprise, alongside a widespread botnet infecting D-Link routers. Additionally, a new ransomware variant prioritizes recent files for encryption, and a major supply chain attack is linked to North Korean hackers.
- AryStinger Botnet Infects Thousands of D-Link Routers — A new botnet, AryStinger, has compromised over 4,000 outdated D-Link routers, turning them into proxies for malicious traffic.
- Hackers Exploit Gravity SMTP WordPress Plugin Bug — Threat actors are actively exploiting CVE-2026-4020, a medium-severity information disclosure flaw in the Gravity SMTP WordPress plugin (100,000 installations), to extract sensitive data like API keys.
- New Prinz Eugen Ransomware Prioritizes Recent Files — A new ransomware operation named 'Prinz Eugen' focuses on encrypting recently modified files and notably leaves no ransom note on compromised systems.
- Microsoft Links Mastra AI Supply Chain Attack to North Korean Hackers — Microsoft attributes the Mastra AI supply chain attack, which compromised over 140 npm packages, to the North Korean hacking group Sapphire Sleet (BlueNoroff).
- Klue OAuth Breach Victim List Grows, Icarus Claims Attack — Market intelligence platform Klue confirmed a security incident where OAuth tokens for customer Salesforce environments were stolen, with the "Icarus" extortion group claiming responsibility.
- CISA Adds Splunk Enterprise Flaw to KEV Catalog — CISA has added CVE-2026-20253, a critical Splunk Enterprise missing authentication vulnerability, to its Known Exploited Vulnerabilities Catalog, urging federal agencies to patch by Sunday.
- CISA Warns of FortiBleed Credential Exposure — CISA has urged Fortinet customers to harden their devices against "FortiBleed," a campaign that has exposed credentials for approximately 74,000 Fortinet devices, including firewalls and VPNs.
- Unpatchable 'usbliter8' Exploit for Apple A12/A13 SecureROM — Researchers have published 'usbliter8,' an unpatchable exploit achieving arbitrary code execution in the SecureROM of Apple's A12 and A13 chips, requiring physical access.