Daily Threat Intelligence Brief - April 3, 2026
Executive Summary
- Chrome zero-day (CVE-2026-5281): 4th Chrome zero-day of 2026, added to CISA KEV April 1. Federal patch deadline: April 15
- Two CVSS 10.0 Azure vulns: Azure Kubernetes Service (CVE-2026-33105) and Azure AI Foundry (CVE-2026-32213) both allow unauthenticated privilege escalation
- LiteLLM supply chain attack: Compromised PyPI package (95M monthly downloads) cascades to Mercor ($10B AI startup); dubbed "the SolarWinds of AI"
- VoidLink: First fully AI-designed advanced malware framework identified by Check Point, built using Claude 3.5 Sonnet by a solo operator
- Apple DarkSword: Emergency iOS 18.7.7 patch for Turkish/Russian exploitation toolkit; one-click browser compromise
- MLflow RCE (CVE-2026-0545): CVSS 9.1 unauthenticated remote code execution in widely-used ML platform
- 97% of enterprises expect a major AI agent security incident within 12 months
- Autonomous jailbreak agents achieve 97% success rate across all model combinations (Nature Communications)
- Prompt injection up 340% YoY: indirect injection now accounts for 80%+ of attempts
Critical Vulnerabilities
CVE-2026-5281: Google Chrome Zero-Day (ACTIVELY EXPLOITED)
Use-after-free vulnerability in Chrome's Dawn WebGPU implementation. This is the fourth Chrome zero-day patched in 2026. Added to CISA KEV on April 1, 2026. Federal agencies must patch by April 15.
- CVSS: High
- Exploitation: Confirmed active in the wild
- Scope: All Chromium-based browsers (Edge, Brave, Opera, Vivaldi)
- Patch: Chrome 146.0.7680.177/178 (Windows/macOS), 146.0.7680.177 (Linux)
- Action: Patch immediately across all Chromium browsers
CVE-2026-33105: Azure Kubernetes Service (CVSS 10.0)
Critical improper authorization flaw in Microsoft AKS allowing unauthenticated privilege escalation over the network. Published April 3, 2026.
- CVSS: 10.0 (Critical)
- Impact: Full AKS cluster compromise from unauthenticated network position
- Action: Review AKS configurations; apply Microsoft mitigations
CVE-2026-32213: Azure AI Foundry (CVSS 10.0)
Critical improper authorization vulnerability in Azure AI Foundry. Privilege escalation in AI infrastructure means attackers can tamper with models, training data, and inference pipelines at scale.
- CVSS: 10.0 (Critical)
- Impact: Full privilege escalation in Azure AI Foundry environments
- Action: Audit Azure AI Foundry access controls immediately
CVE-2026-0545: MLflow Unauthenticated RCE (CVSS 9.1)
Authentication bypass in mlflow/mlflow allowing unauthenticated clients to interact with FastAPI job endpoints, leading to remote code execution. Published April 3, 2026.
- CVSS: 9.1 (Critical)
- Impact: Unauthenticated RCE on MLflow servers
- Action: Upgrade MLflow; restrict network exposure
CVE-2026-21858: n8n AI Workflow Platform (CVSS 10.0)
Unauthenticated RCE in n8n allows attackers with access to web forms to leak internal server files and achieve full platform takeover.
- CVSS: 10.0 (Critical)
- Action: Patch immediately; audit for compromise indicators
CVE-2026-33017: Langflow Code Injection (Active Exploitation)
Critical Langflow vulnerability exploited in the wild within 20 hours of disclosure. CISA added it to the KEV catalog; federal remediation is mandated by April 8. This is a Log4Shell-class event for the LLM toolchain.
CISA Emergency Directive 26-03: SD-WAN
Federal agencies ordered to inventory SD-WAN systems, apply mitigations, and assess for compromise based on CVE-2026-20127 and CVE-2022-20775. Multiple ICS advisories also released April 1-2.
Vendor Advisories
Apple: iOS 18.7.7 Emergency Update (DarkSword Exploit)
Apple issued a rare backport security update to protect older devices against the DarkSword exploitation toolkit. The exploit compromises devices simply by visiting a malicious website and affects iOS 18.4 through 18.7.
- Attribution: Linked to Turkish surveillance vendor PARS Defense and a suspected Russian espionage group
- Malware families deployed: GhostBlade, GhostKnife, GhostSaber
- Impact: One-click browser-based compromise of iPhones and iPads
- Action: Update to iOS 18.7.7 or iOS 26.4. Enable Lockdown Mode for high-risk users
Microsoft: Secure Boot Certificate Deadline
Microsoft's Secure Boot certificate updates reach their April 2026 deadline. Systems without updated 2023 certificates risk boot failures.
Microsoft: MFA Enforcement for Partner Center
Full MFA enforcement for all Partner Center API calls began April 1, 2026. Calls without MFA are now blocked.
AI Security Threats
LiteLLM Supply Chain Attack: "The SolarWinds of AI"
TeamPCP compromised LiteLLM (95M monthly PyPI downloads) by stealing maintainer credentials and pushing malicious versions 1.82.7 and 1.82.8 containing credential-stealing payloads. The malicious releases used .pth files, which the Python interpreter processes at start-up, for silent auto-execution. A self-propagating npm worm, "CanisterWorm", hit 64+ packages downstream.
- Cascade: Mercor ($10B AI startup training models for OpenAI, Anthropic, DeepMind) confirmed breach. Lapsus$ claims 4TB data theft from Mercor
- Impact: Single compromised AI routing library cascaded through the entire AI development ecosystem
- Action: Audit all LiteLLM deployments; check for versions 1.82.7/1.82.8
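As an added illustration of the audit action above (example code written for this brief, not code from LiteLLM, Datadog or any other source listed here): a Python check that compares the installed LiteLLM version against the two versions named in the brief and lists every .pth file in the environment whose lines CPython would execute at start-up, the auto-run mechanism the attack abused. The temporary directory and its two sample .pth files are constructed for the demonstration.

```python
import site
import tempfile
from importlib import metadata
from pathlib import Path

# Versions the brief names as the malicious TeamPCP pushes.
COMPROMISED_LITELLM = {"1.82.7", "1.82.8"}


def litellm_status():
    """Return (installed litellm version or None, True if it is a flagged version)."""
    try:
        version = metadata.version("litellm")
    except metadata.PackageNotFoundError:
        return None, False
    return version, version in COMPROMISED_LITELLM


def executable_pth_lines(pth_path):
    """Lines of a .pth file that CPython's site module would exec() at start-up.

    site.py runs any line starting with 'import ' (or 'import' + tab); all other
    non-comment lines are plain path entries. This is the legitimate mechanism
    the brief says the malicious LiteLLM releases abused for silent execution.
    """
    text = Path(pth_path).read_text(encoding="utf-8", errors="replace")
    return [ln for ln in text.splitlines() if ln.startswith(("import ", "import\t"))]


def scan_pth_files(dirs=None):
    """Map each .pth file in the site-packages directories to its executable lines."""
    if dirs is None:
        dirs = site.getsitepackages() + [site.getusersitepackages()]
    findings = {}
    for d in dirs:
        for pth in sorted(Path(d).glob("*.pth")):
            lines = executable_pth_lines(pth)
            if lines:
                findings[str(pth)] = lines
    return findings


def demo():
    """Constructed sample: one path-only .pth and one that carries an import line."""
    tmp = Path(tempfile.mkdtemp())
    (tmp / "benign.pth").write_text("/opt/vendor/lib\n# a comment\n", encoding="utf-8")
    (tmp / "hook.pth").write_text("import sys; sys.path.append('/tmp/constructed')\n", encoding="utf-8")
    return scan_pth_files([tmp])
```

Legitimate packages (editable installs, the setuptools distutils shim) also ship import-line .pth files, so treat the output as a review list rather than an automatic verdict.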
VoidLink: First Fully AI-Designed Malware Framework
Check Point Research identified VoidLink as the first evidence of a fully AI-designed and built advanced malware framework. Built using Claude 3.5 Sonnet, it includes custom loaders, implants, rootkit modules, and 30+ plugins. A single operator built a functional implant in under a week.
- Significance: A solo operator using AI built what previously required a coordinated team
- Status: Operationally capable, not just proof-of-concept
Autonomous Jailbreak Agents: 97% Success Rate
A Nature Communications study found that large reasoning models can function as autonomous jailbreak agents, achieving a 97.14% overall jailbreak success rate across all model combinations. Any safety guardrail relying solely on prompt-level filtering is effectively defeated.
Prompt Injection Surges 340% YoY
Wiz Research tracked a 340% year-over-year increase in documented prompt injection attempts. Indirect injection (via documents, emails, web pages) now accounts for 80%+ of attempts. Cisco found prompt injection weaknesses in 73% of audited production AI deployments.
EchoLeak: Zero-Click Exfiltration via Microsoft 365 Copilot
Researchers demonstrated a zero-click attack that exfiltrates corporate data from Microsoft 365 Copilot. A specially crafted email, requiring no user interaction, causes Copilot to autonomously execute actions that leak sensitive information.
- Attack type: Indirect prompt injection, zero-click
- Impact: Autonomous data exfiltration without user action
AI Memory Poisoning: 90%+ Attack Success
Researchers achieved 90%+ attack success rates against GPT-5 mini and Claude Sonnet 4.5 through poisoned memory entries that persistently hijack agent workflows. A single poisoned memory entry can compromise all future interactions.
MCP Server Attack Surface Explosion
Model Context Protocol servers accumulated 95 CVEs in 2025 (near zero before that), with injection attacks accounting for over 60%. MCP security flaws cannot simply be "patched away" due to architectural design issues.
35 CVEs from AI-Generated Code in March
At least 35 new CVEs in March 2026 were the direct result of AI-generated code, up from 6 in January and 15 in February. Projections estimate 2,800-3,600 AI-related CVEs for the full year.
Agentic AI: The Defining Attack Surface of 2026
- 97% of enterprise leaders expect a material AI-agent-driven security incident within 12 months
- 88% reported confirmed or suspected AI agent security incidents in the past year
- 87% agree AI agents with legitimate credentials pose greater insider threat risk than human employees
- Only 14.4% deploy agents with full security/IT approval
- Harvard Business Review argues AI agents share behavioral characteristics with malware: autonomous execution, persistence, privilege escalation, lateral movement
- OWASP Top 10 for Agentic Applications published, covering goal hijack, tool misuse, identity abuse
- Non-human identities outnumber human users 100:1 in enterprise environments
AI-Powered Threats in the Wild
Hive0163 Deploys AI-Generated "Slopoly" Malware
IBM X-Force documented threat group Hive0163 using AI-assisted "Slopoly" malware for persistent access during ransomware attacks. The "sloppy" quality of the code did not prevent operational effectiveness.
Google Identifies Five "Just-in-Time AI" Malware Families
Google identified five malware families, PromptFlux, PromptSteal, FruitShell, QuietVault, and PromptLock, that use real-time AI generation to create polymorphic payloads adapting to victim environments and defeating signature-based detection.
Microsoft: "AI as Tradecraft"
Microsoft Security documented how threat actors have moved AI from experimentation to routine operational use. IBM X-Force observed a 44% increase in attacks exploiting public-facing applications, driven partly by AI-enabled vulnerability discovery.
AI Social Engineering Tops Threat Rankings
ISACA survey: 63% of professionals now rank AI-driven social engineering as the top cyber threat, surpassing ransomware for the first time. Average financial loss: $4.4M per incident.
Threat Actor Activity
Operation TrueChaos: Chinese-Nexus APT
Check Point Research disclosed a supply-chain attack targeting Southeast Asian government entities via a zero-day in TrueConf video conferencing (CVE-2026-3502). Attackers compromised a centrally managed TrueConf server and distributed malicious updates deploying the Havoc C2 framework.
- Attribution: Moderate confidence, Chinese-nexus threat actor
- Impact: Multiple government agencies in at least one Southeast Asian country compromised
CERT-UA Impersonation: 200,000+ Devices Compromised
Threat actors impersonating Ukraine's CERT-UA distributed the AGEWHEEZE RAT. Phishing was sent to 1 million mailboxes, and over 200,000 devices were compromised across the government, medical, security, and finance sectors.
Iranian Retaliatory Cyber Operations
Following February 2026 US-Israel strikes, security researchers tracked a surge of retaliatory operations from pro-Iranian groups including Handala Hack and Dark Storm Team, targeting Israeli telecom and Western organizations.
ALPHV/BlackCat Insider Guilty Pleas
Two US cybersecurity professionals, an incident response manager at Sygnia and a ransomware negotiator at DigitalMint, pleaded guilty to deploying ALPHV/BlackCat ransomware against five companies including three healthcare organizations. Maximum sentence: 20 years.
Ransomware & Data Breaches
| Target | Operator | Details |
|---|---|---|
| Nissan | Everest | Scope under investigation |
| Drift Protocol | Unknown | $285M drained from Solana DEX |
| Hasbro | TBD | SEC incident disclosure |
| HanseMerkur | DragonForce | 97GB financial data claimed |
| Die Linke | Qilin | IT systems outage, data leak threatened |
| Hims & Hers | N/A | Third-party breach, tickets stolen |
| Intellihartx | TBD | 500K+ patient records with SSNs |
Weekly metrics: 168 ransomware victims across 43 countries claimed by 31 operators, including 3 newly discovered groups. Sinobi ransomware (INC/Lynx successor) has grown to 215+ victims, now among the top 4 most active operators.
Regulatory & Policy
- Trump "Cyber Strategy for America" (March 6): Mandates AI for federal network defense while rolling back AI safety regulations
- California Gov. Newsom signs first-of-its-kind AI protection executive order (March 30), directly responding to federal rollbacks
- EU AI Act high-risk system rules deadline: August 2, 2026
- Cyber insurers now require AI red teaming documentation as a condition for coverage
Recommended Actions
Immediate (24-48 hours)
- Patch Chrome: CVE-2026-5281 actively exploited, all Chromium browsers affected
- Audit LiteLLM: Check for compromised versions 1.82.7/1.82.8; revoke API keys if exposed
- Patch n8n / Langflow: CVSS 10.0 and active exploitation respectively
- Update iOS: 18.7.7 or 26.4 to block DarkSword exploitation toolkit
- Review Azure AKS & AI Foundry: Two CVSS 10.0 vulns published today
Short-Term (This Week)
- Audit MLflow exposure: CVE-2026-0545 enables unauthenticated RCE
- Assess Microsoft 365 Copilot: Review email security in context of EchoLeak zero-click attack
- Implement MCP server hardening: 95 CVEs and growing; architectural mitigations required
- Review AI agent credentials: Non-human identities at 100:1 ratio need lifecycle management
Strategic
- Adopt OWASP Top 10 for Agentic Applications as baseline governance framework
- Implement AI supply chain monitoring: AI/ML tooling in vulnerability management scope
- Begin EU AI Act compliance planning for August 2026 deadline
- Document AI red teaming for cyber insurance renewal requirements
Sources
- Chrome Zero-Day CVE-2026-5281: The Hacker News
- Azure AKS CVE-2026-33105: TheHackerWire
- Azure AI Foundry CVE-2026-32213: TheHackerWire
- MLflow CVE-2026-0545: TheHackerWire
- Apple DarkSword Patch: MacRumors
- LiteLLM Supply Chain Attack: The Record
- LiteLLM Technical Analysis: Datadog Security Labs
- VoidLink AI Malware: Check Point Research
- Operation TrueChaos: Check Point Research
- Autonomous Jailbreak Agents: Nature Communications
- Prompt Injection Statistics: SQ Magazine
- AI Memory Poisoning: Adversa AI
- MCP Security: Dark Reading
- AI-Generated CVEs: Infosecurity Magazine
- Hive0163 Slopoly Malware: The Hacker News
- Just-in-Time AI Malware: SecurityWeek
- AI Social Engineering: Infosecurity Magazine
- 97% Expect AI Agent Incident: Security Boulevard
- AI Agents Act Like Malware: Harvard Business Review
- OWASP Top 10 for Agentic Applications
- Cisco State of AI Security 2026
- CISA KEV Catalog
- April 2026 Data Breaches: SharkStriker
- Ransomware State 2026: BlackFog
- CERT-UA Impersonation: The Hacker News
- California AI Executive Order: Governor's Office
- International AI Safety Report 2026