April 8, 2026
IT Security Roundup: GPU Rowhammer Escalation, Iranian PLC Attacks, and the $21 Billion Cybercrime Epidemic
GPUBreach: GPU Rowhammer Attacks Achieve Full Root Shell Access
Critical Vulnerability
Academic researchers have demonstrated a groundbreaking hardware-level attack that uses Rowhammer bit-flips in GDDR6 GPU memory to achieve full CPU privilege escalation. The technique, dubbed GPUBreach, works by corrupting GPU page tables to gain arbitrary GPU memory read/write access, then chaining that into a full system compromise by exploiting memory-safety bugs in the NVIDIA driver. The result is a root shell — complete control of the host machine — initiated entirely from an unprivileged process.
What makes GPUBreach particularly concerning is that it operates even on consumer-grade hardware, unlike earlier Rowhammer attacks that required specialised equipment. The research, led by Gururaj Saileshwar at the University of Toronto, represents a significant evolution beyond previous GPU-focused Rowhammer research, which had largely been limited to data corruption rather than full privilege escalation. The findings challenge the assumption that GPU memory isolation provides a meaningful security boundary.
Iranian State Hackers Breach US Critical Infrastructure via PLC Attacks
Nation-State Threat
Federal agencies have issued urgent warnings after Iranian-linked hackers were discovered manipulating programmable logic controllers and SCADA systems across multiple US critical infrastructure sectors. The attackers targeted internet-exposed Rockwell/Allen-Bradley PLCs, triggering actual operational disruptions rather than mere reconnaissance. The campaign represents a significant escalation from previous Iranian cyber operations, which had largely focused on IT network penetration rather than direct operational technology manipulation.
The alerts from CISA, the FBI, and the NSA stress that organisations running exposed industrial control systems should immediately audit their OT network perimeters and implement network segmentation between IT and OT environments. The incident underscores the growing convergence of IT and OT threat landscapes and the inadequacy of air-gap assumptions in modern industrial environments.
FBI: Americans Lost a Record $21 Billion to Cybercrime Last Year
United States
The FBI’s Internet Crime Complaint Center has revealed that US victims lost nearly $21 billion to cyber-enabled crimes last year — a figure that shatters all previous records. The losses were driven primarily by investment scams, business email compromise schemes, tech support fraud, and data breaches. The bureau notes that the actual figure is likely significantly higher, as many victims never report their losses due to embarrassment or a belief that law enforcement cannot help.
The staggering total comes at a time when the White House is seeking to slash CISA’s funding by $707 million in the FY2027 budget, a move that cybersecurity professionals argue would severely weaken the nation’s ability to defend against the very attacks driving these losses. The contrast between rising victim costs and proposed funding cuts has become a flashpoint in the broader debate about government cybersecurity investment.
North Korean Hackers Flood Package Registries with 1,700 Malicious Packages
Supply Chain Attack
The North Korea-linked Contagious Interview campaign has massively expanded its scope, publishing malicious packages across five programming language ecosystems: npm, PyPI, Go, Rust, and PHP’s Packagist. According to Socket security researcher Kirill Boychenko, the packages impersonate legitimate developer tooling whilst functioning as malware loaders, extending the campaign’s established playbook into a coordinated cross-ecosystem supply chain operation.
The malicious packages — including npm’s dev-log-core and logger-base, PyPI’s logutilkit and fluxhttp, and Go packages hosted under deceptive GitHub usernames — are designed to fetch platform-specific second-stage payloads carrying infostealer and remote access capabilities. The campaign underscores the critical importance of supply chain security auditing and the growing sophistication of state-sponsored attacks on the software development pipeline.
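A dependency audit for the package names quoted above, as an added example (not Socket's tooling and not part of the original report). It walks an npm package-lock.json in both the v1 and v2/v3 layouts and a requirements.txt with PEP 503 name normalisation; the function names and sample inputs are constructed, and because the article's list is partial, an empty result does not clear a project.

```python
import json
import re

# Package names quoted in the article; the article says "including", so this
# set is incomplete by construction.
NAMED = {"npm": {"dev-log-core", "logger-base"},
         "pypi": {"logutilkit", "fluxhttp"}}

def npm_names(lock_text):
    """Yield every package name in a package-lock.json (v1, v2 or v3)."""
    lock = json.loads(lock_text)
    for path in lock.get("packages", {}):       # v2/v3: keys are install paths
        if path:                                # "" is the root project itself
            yield path.rsplit("node_modules/", 1)[-1]
    stack = [lock.get("dependencies", {})]      # v1: nested dependency maps
    while stack:
        for name, meta in stack.pop().items():
            yield name
            if isinstance(meta, dict):
                stack.append(meta.get("dependencies", {}))

def pypi_names(req_text):
    """Yield PEP 503-normalised project names from requirements.txt lines."""
    for line in req_text.splitlines():
        line = line.split("#", 1)[0].strip()    # drop comments
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if m:                                   # option lines ("-r ...") never match
            yield re.sub(r"[-_.]+", "-", m.group(0)).lower()

def audit(lock_text="{}", req_text=""):
    """Return sorted (ecosystem, name) pairs that match the article's names."""
    hits = {("npm", n) for n in npm_names(lock_text) if n in NAMED["npm"]}
    hits |= {("pypi", n) for n in pypi_names(req_text) if n in NAMED["pypi"]}
    return sorted(hits)

# Constructed inputs: a transitive npm dependency and a mixed-case PyPI pin.
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "app"},
    "node_modules/express": {"version": "4.19.2"},
    "node_modules/express/node_modules/logger-base": {"version": "1.0.0"}}})
SAMPLE_REQS = "requests==2.32.3\nLogUtilKit>=0.1  # constructed line\n-r dev.txt\n"

if __name__ == "__main__":
    for ecosystem, name in audit(SAMPLE_LOCK, SAMPLE_REQS):
        print(f"{ecosystem}: {name} is named in the report")
```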
Docker CVE-2026-34040: Critical Authorization Bypass Permits Host Access
Vulnerability
Docker Engine maintainers have disclosed a high-severity vulnerability (CVSS 8.8) that could allow attackers to bypass authorization plugins under specific circumstances. The flaw, CVE-2026-34040, stems from an incomplete fix for CVE-2024-41110 — the maximum-severity Docker vulnerability from July 2024. Using a specially crafted API request, an attacker can force the Docker daemon to forward requests to an authorization plugin without the request body, causing the plugin to permit actions it would otherwise deny.
Organisations that depend on authorization plugins which inspect request bodies for access control decisions are particularly at risk. The disclosure is the second time a fix for the original 2024 vulnerability has proven insufficient, raising questions about the thoroughness of Docker’s patch development process. Users are urged to update immediately, especially in multi-tenant and shared-container environments.
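A fail-closed decision function for a body-inspecting authorization plugin, as an added example (not Docker's code and not any real plugin's). It contrasts a check that reads a missing body as nothing to inspect with one that denies a body-dependent request whose body did not arrive. The field names mirror the Docker authorization plugin request message; the policy (deny privileged containers), the route pattern, the function names and the sample messages are assumptions.

```python
import base64
import json
import re

# Assumed policy scope: routes whose decision depends on the JSON body.
BODY_ROUTES = re.compile(r"^(/v[\d.]+)?/containers/create(\?|$)")
DENY_PRIV = {"Allow": False, "Msg": "privileged containers are denied"}

def _body(req):
    """Decode the base64 RequestBody; None when the field is absent or empty."""
    raw = req.get("RequestBody")
    return json.loads(base64.b64decode(raw)) if raw else None

def _privileged(body):
    return bool((body.get("HostConfig") or {}).get("Privileged"))

def decide_naive(req):
    """Fail-open: a missing body is read as 'nothing to object to'."""
    body = _body(req)
    if body is not None and _privileged(body):
        return DENY_PRIV
    return {"Allow": True}

def decide_hardened(req):
    """Fail-closed: a body-dependent route with no inspectable body is denied."""
    if not BODY_ROUTES.match(req.get("RequestUri", "")):
        return {"Allow": True}   # outside this sample policy's scope
    try:
        body = _body(req)
    except ValueError:           # bad base64 or bad JSON
        body = None
    if not isinstance(body, dict):
        return {"Allow": False, "Msg": "request body missing or unreadable"}
    return DENY_PRIV if _privileged(body) else {"Allow": True}

def sample(body=None):
    """Constructed plugin request for POST /containers/create."""
    req = {"RequestMethod": "POST", "RequestUri": "/v1.45/containers/create"}
    if body is not None:
        req["RequestBody"] = base64.b64encode(json.dumps(body).encode()).decode()
    return req

FULL = sample({"Image": "alpine", "HostConfig": {"Privileged": True}})
STRIPPED = sample()  # what the plugin sees when the body is not forwarded

if __name__ == "__main__":
    for name, req in (("full", FULL), ("stripped", STRIPPED)):
        print(name, decide_naive(req)["Allow"], decide_hardened(req)["Allow"])
```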
Anthropic Unveils Claude Mythos: Breakthrough AI With Dual-Use Implications
AI Security
Anthropic has formally introduced Claude Mythos, a powerful new AI model that the company describes as a “step change” in capabilities — while simultaneously warning that it poses unprecedented cybersecurity risks. The model’s existence was first revealed through a data leak when an unsecured, publicly searchable data store exposed a draft blog post. Anthropic says Mythos drives Project Glasswing, a new initiative to secure critical software before advanced AI capabilities fall into the wrong hands.
The model’s unveiling highlights the growing tension between AI capability advancement and security. Anthropic’s unusually frank assessment of its own model’s dangers represents a departure from the typical industry approach of emphasising benefits whilst downplaying risks. Security researchers are now grappling with the implications: a model powerful enough to find software vulnerabilities at scale could be equally devastating in the hands of threat actors.
Chinese Storm-1175 Group Exploits Zero-Days for Rapid Medusa Ransomware Deployment
Ransomware
Microsoft’s Threat Intelligence team has linked a China-based threat actor known as Storm-1175 to the weaponization of zero-day vulnerabilities for rapid ransomware deployment. The group has demonstrated an exceptional ability to identify exposed perimeter assets and exploit previously undisclosed vulnerabilities, in some cases before public disclosure. Recent intrusions have heavily impacted the healthcare, education, professional services, and finance sectors across Australia, the UK, and the US.
Storm-1175’s operational tempo is notably high, with the group capable of moving from initial access to data exfiltration and encryption within days. The group’s proficiency in leveraging both zero-day and N-day vulnerabilities makes them particularly dangerous, as traditional patch management cycles struggle to keep pace. Microsoft’s disclosure highlights the increasingly blurred lines between state-sponsored espionage and financially motivated cybercrime.
German Police Unmask REvil Ransomware Leader After Years-Long Investigation
Law Enforcement
German authorities have identified the leader of the notorious REvil ransomware operation, marking one of the most significant law enforcement victories against cybercrime syndicates in recent years. The suspect, accused of extorting more than $2 million as head of both the GandCrab and REvil operations, was unmasked following an extensive multi-year investigation involving international cooperation between European and American law enforcement agencies.
REvil was one of the most prolific ransomware-as-a-service operations in cybercrime history, responsible for attacks on major organisations including JBS Foods and Kaseya before the group was disrupted by international law enforcement actions in 2021. The identification of its leader sends a powerful message to ransomware operators that operational security can and will be defeated, even for the most technically sophisticated criminal enterprises.
ComfyUI Instances Hijacked Into Cryptomining Botnet in Mass Campaign
Cloud Security
Over 1,000 internet-exposed instances of ComfyUI, a popular platform for running Stable Diffusion AI image models, have been hijacked and enrolled into a cryptocurrency mining and proxy botnet. According to Censys security researcher Mark Ellzey, a purpose-built Python scanner continuously sweeps major cloud IP ranges for vulnerable targets, automatically installing malicious nodes via ComfyUI-Manager when no exploitable node is already present.
The compromised hosts are added to a cryptomining operation mining Monero via XMRig and Conflux via lolMiner, as well as a Hysteria V2 proxy botnet. Both components are centrally managed through a Flask-based command-and-control dashboard. The campaign exploits a common misconfiguration that allows remote code execution on unauthenticated ComfyUI deployments, highlighting risks of deploying AI tools without proper access controls.
Critical Ninja Forms WordPress Plugin Flaw Under Active Exploitation
WordPress
A critical vulnerability in the Ninja Forms File Uploads premium add-on for WordPress is being actively exploited by attackers. The flaw allows unauthenticated users to upload arbitrary files, which can lead to remote code execution on the server. Given that Ninja Forms is one of the most widely used form plugins on WordPress — which itself powers over 40% of the web — the potential attack surface is enormous.
Website administrators running the affected plugin should immediately update to the latest patched version and audit their servers for signs of compromise. The active exploitation of this vulnerability follows a pattern seen increasingly across the WordPress ecosystem, where premium plugin vulnerabilities are rapidly weaponised once disclosed. The incident reinforces the importance of maintaining a rigorous update cadence and minimising the number of installed plugins.
ZY Media Productions