ZYMP IT Security — April 13, 2026
CPUID Breach Distributes STX RAT via Trojanized Downloads
MALWARE
Unknown threat actors compromised CPUID, the website hosting popular hardware monitoring tools CPU-Z, HWMonitor, HWMonitor Pro, and PerfMonitor. The breach lasted approximately 19 hours from April 9 at 15:00 UTC to April 10 at 10:00 UTC, during which malicious download URLs replaced legitimate software installers.
Attackers distributed a remote access trojan called STX RAT through the compromised downloads. According to CPUID, the breach occurred through a compromised secondary feature API that caused the main site to randomly display malicious links. The attack did not impact CPUID’s signed original files.
Kaspersky identified multiple malicious domains used in the attack, including cahayailmukreatif.web[.]id, pub-45c2577dbd174292a02137c18e7b1b5a.r2[.]dev, transitopalermo[.]com, and vatrobran[.]hr.
Marimo RCE Flaw Exploited Within 10 Hours of Disclosure
VULNERABILITY
A critical security vulnerability in Marimo, an open-source Python notebook for data science and analysis, was exploited within 10 hours of public disclosure according to findings from Sysdig. The vulnerability, tracked as CVE-2026-39987 with a CVSS score of 9.3, affects all versions prior to and including 0.20.4.
The vulnerability is a pre-authenticated remote code execution flaw. According to Marimo maintainers, the terminal WebSocket endpoint /terminal/ws lacks authentication validation, allowing unauthenticated attackers to obtain a full PTY shell and execute arbitrary system commands.
Unlike other WebSocket endpoints that correctly call validate_auth() for authentication, the /terminal/ws endpoint only checks running mode and platform support before accepting connections, completely skipping authentication verification. The issue has been addressed in version 0.23.0.
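As an added illustration (not Marimo's code, and not a reproduction of the real handler), the block below models the bug class described above, a handler that checks mode and platform but never calls validate_auth(), beside a router that enforces authentication centrally so no single endpoint can forget it. It also includes a helper that maps the advisory's affected range (<= 0.20.4, fixed in 0.23.0) onto a version string; the token value and the Connection type are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

AFFECTED_MAX = (0, 20, 4)  # per the advisory: all versions prior to and including 0.20.4
FIXED_IN = (0, 23, 0)      # version that addresses the issue


def parse_version(v: str) -> Tuple[int, ...]:
    # Take the leading numeric components only (e.g. "0.20.4" -> (0, 20, 4)).
    return tuple(int(p) for p in re.findall(r"\d+", v)[:3])


def is_affected(version: str) -> bool:
    return parse_version(version) <= AFFECTED_MAX


@dataclass
class Connection:
    path: str
    token: Optional[str] = None  # hypothetical auth token sent with the upgrade request


SERVER_TOKEN = "constructed-secret-token"  # constructed sample value, not a real secret


def validate_auth(conn: Connection) -> bool:
    return conn.token == SERVER_TOKEN


def terminal_ws_vulnerable(conn: Connection, mode: str = "edit", platform_ok: bool = True) -> str:
    # Vulnerable pattern: only running mode and platform support are checked,
    # so an unauthenticated connection reaches the PTY-attaching code path.
    if mode != "edit" or not platform_ok:
        return "closed: unsupported mode/platform"
    return "pty shell attached"


class WsRouter:
    """Hardened pattern: the router gates every endpoint unless it is explicitly public."""

    def __init__(self) -> None:
        self.routes: Dict[str, Tuple[Callable[..., str], bool]] = {}

    def add(self, path: str, handler: Callable[..., str], public: bool = False) -> None:
        self.routes[path] = (handler, public)

    def connect(self, conn: Connection, **kw) -> str:
        handler, public = self.routes[conn.path]
        if not public and not validate_auth(conn):
            return "closed: 401 unauthorized"  # rejected before the handler runs
        return handler(conn, **kw)


def build_router() -> WsRouter:
    router = WsRouter()
    router.add("/terminal/ws", terminal_ws_vulnerable)  # auth now enforced centrally
    return router
```

Calling the handler directly shows the pre-auth path; routing the same connection through WsRouter shows the centralized check closing it.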
Fortinet Patches Actively Exploited CVE-2026-35616
CRITICAL VULNERABILITY
Fortinet has released out-of-band patches for a critical security flaw impacting FortiClient Enterprise Management Server (EMS) that has been exploited in the wild. The vulnerability, tracked as CVE-2026-35616 with a CVSS score of 9.1, has been described as a pre-authentication API access bypass leading to privilege escalation.
The vulnerability is classified as an improper access control flaw affecting the FortiClient EMS. On April 6, 2026, CISA added CVE-2026-35616 to its Known Exploited Vulnerabilities (KEV) Catalog, confirming active exploitation in the wild and elevating its priority across federal and enterprise environments.
The U.S. Cybersecurity and Infrastructure Security Agency has ordered federal agencies to secure FortiClient EMS instances against this actively exploited vulnerability by Friday, April 10, 2026. Fortinet rushed out emergency patches while warning that hackers are actively targeting the flaw.
Law Enforcement Used Webloc to Track 500 Million Devices
SURVEILLANCE
Hungarian domestic intelligence, the national police in El Salvador, and several U.S. law enforcement agencies and police departments have been identified as users of an advertising-based global geolocation surveillance system called Webloc. According to a report published by Citizen Lab, the tool was developed by Israeli company Cobwebs Technologies and is now sold by its successor Penlink after the two firms merged in July 2023.
The Webloc system leverages advertising data to track device locations across the globe, raising significant privacy concerns about the use of commercial advertising networks for surveillance purposes. The system’s capabilities enable tracking of mobile devices without court orders or traditional warrants.
Identified U.S. customers include Immigration and Customs Enforcement (ICE), the U.S. military, Texas Department of Public Safety, DHS West Virginia, NYC district attorneys, and various police departments in Los Angeles, Dallas, Baltimore, Tucson, Durham, and smaller cities and counties across the United States.
Snowflake Customers Hit in Data Theft Attacks After SaaS Breach
DATA BREACH
Over a dozen companies have suffered data theft attacks after a SaaS integration provider was breached and its authentication tokens were stolen. The incident demonstrates the expanding attack surface as organizations increasingly rely on third-party SaaS integrators to connect their systems and services.
Attackers exploited the compromised integrator to gain unauthorized access to Snowflake customer environments, stealing sensitive data through legitimate authentication tokens. The breach highlights the risks inherent in third-party supply chains, where a single compromised service can grant access to multiple downstream organizations.
Snowflake has been working with affected customers to investigate the scope of the breach and mitigate further data loss. The incident underscores the importance of implementing robust third-party risk management practices and monitoring for unauthorized access through integration channels.