{"id":47523,"date":"2026-04-16T15:43:59","date_gmt":"2026-04-16T15:43:59","guid":{"rendered":"http:\/\/localhost\/?p=47523"},"modified":"2026-04-16T15:43:59","modified_gmt":"2026-04-16T15:43:59","slug":"the-q1-vulnerability-pulse","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=47523","title":{"rendered":"The Q1 vulnerability pulse_TALOSBLOG:26CBE8FFE24A362B48C96418914D3580"},"content":{"rendered":"<p>{&#8220;lastseen&#8221;:&#8221;2026-04-16T20:14:58&#8243;,&#8221;description&#8221;:&#8221;![The Q1 vulnerability pulse](https:\/\/storage.ghost.io\/c\/af\/a0\/afa04ee3-414f-4481-8d23-7e7c146f192e\/content\/images\/2026\/04\/threat_source-2.jpg)\\n\\nWelcome to this week&#8217;s edition of the Threat Source newsletter.\\n\\nThe first quarter of 2026 passed faster than a misconfigured firewall rule gets exploited &#8212; and the last few weeks have been firmly stamped with the \\&#8221;software supply chain compromise\\&#8221; label, with headlines surrounding incidents involving _Trivy_, _Checkmark_, _LiteLLM_, _telnyx_ and _axios_. This edition stays focused on vulnerability statistics, although you can view _Dave_ and _Nick&#8217;s_ Talos blogs for more information about these incidents.\\n\\nKnown Exploited Vulnerabilities (KEVs) stayed roughly in line with 2025 numbers &#8212; no dramatic spike, but no room for relief either.\\n\\n![The Q1 vulnerability pulse](https:\/\/storage.ghost.io\/c\/af\/a0\/afa04ee3-414f-4481-8d23-7e7c146f192e\/content\/images\/2026\/04\/041526_threatsource_blog_KEVline.jpg)\\n\\nWhat _does_ stand out? Networking gear accounted for 20% of KEV-related vulnerabilities, and that number is expected to climb as the year progresses.
If the trend from 2025 holds, this won&#8217;t be the high-water mark.\\n\\n![The Q1 vulnerability pulse](https:\/\/storage.ghost.io\/c\/af\/a0\/afa04ee3-414f-4481-8d23-7e7c146f192e\/content\/images\/2026\/04\/041526_threatsource_blog_pie.jpg)\\n\\nPatch management remains one of the industry&#8217;s most persistent challenges, and I understand all the operational complexity that comes with it. That said, it still stings to come across CVEs with disclosure dates reaching back to 2009 &#8212; and roughly 25% of the CVEs we&#8217;re tracking date to 2024 or earlier. Old vulnerabilities don&#8217;t retire. They wait. It starts with visibility: Knowing what&#8217;s actually running in your environment is the prerequisite for everything else.\\n\\n![The Q1 vulnerability pulse](https:\/\/storage.ghost.io\/c\/af\/a0\/afa04ee3-414f-4481-8d23-7e7c146f192e\/content\/images\/2026\/04\/041526_threatsource_blog_CVEline.jpg)\\n\\nOverall CVE counts increased in Q1, with March showing the sharpest climb. Whether that reflects improved disclosure pipelines, increased researcher activity, or a genuine uptick in vulnerability density, the trend line from 2025 hasn&#8217;t flattened &#8212; if anything, it&#8217;s still pointing up.\\n\\nUsing the keyword methodology described _here_, 121 CVEs with AI relevance were identified in Q1 &#8212; more than Q1 2025, though consistent with what adoption trends would predict. As AI components become more deeply embedded across the software stack, this number will keep climbing.\\n\\nGiven the recent developments with models like the Mythos preview and the industry teaming up in initiatives like _Project Glasswing_, I&#8217;m curious how the trajectory will change moving forward.
If you haven&#8217;t read about it:\\n\\n _\\&#8221; During our testing, we found that Mythos Preview is capable of identifying and then exploiting zero-day vulnerabilities in every major operating system and every major web browser when directed by a user to do so.\\&#8221; -_  __Anthropic Frontier Red Team__\\n\\nThat&#8217;s a substantial capability jump in agentic coding and reasoning, which eventually needs to be implemented early in the development lifecycle. And as  _Anthony_ points out, those capabilities will become available to adversaries. Read Cisco&#8217;s guidance on defending in the age of AI-enabled attacks for more.\\n\\nWill we see fewer CVEs or even more negative times-to-exploit (TTEs)?\\n\\nIt&#8217;s on us. Defenders need to get ahead of the adversaries, and at the same time, we need to pay attention to (sometimes decade-old) vulnerabilities.\\n\\n## The one big thing\\n\\nCisco Talos has  _identified_  _a significant increase_ in the abuse of n8n, an AI workflow automation platform, to facilitate malicious campaigns including malware delivery and device fingerprinting. Attackers are weaponizing the platform&#8217;s URL-exposed webhooks to create phishing lures that bypass traditional security filters by leveraging trusted, legitimate infrastructure. By masking malicious payloads as standard data streams, these campaigns effectively turn productivity tools into delivery vehicles for remote access trojans and other cyber threats.\\n\\n### Why do I care?\\n\\nThe abuse of legitimate automation platforms exploits the inherent trust organizations place in these tools, which often neutralizes traditional perimeter-based security defenses. 
Because these platforms are designed for flexibility and seamless integration, they allow attackers to dynamically tailor payloads and evade detection through standard reputation-based filtering.\\n\\n### So now what?\\n\\nMove beyond static domain blocking and implement behavioral detection that alerts on anomalous traffic patterns directed toward automation platforms. Restrict endpoint communication with these services to only those explicitly authorized by the organization&#8217;s established internal workflows. Finally, utilize AI-driven email security solutions to analyze the semantic intent of incoming messages and proactively share indicators of compromise, such as specific webhook structures, with threat intelligence communities.\\n\\n## Top security headlines of the week\\n\\n**Adobe patches actively exploited zero-day that lingered for months**   \\nAdobe patched an arbitrary code execution vulnerability in the latest versions of its Acrobat and Reader for Windows and macOS, nearly four months after an attacker first appeared to have begun exploiting it. (_Dark Reading_)\\n\\n**Fake Claude website distributes PlugX RAT**   \\nA threat actor created a site that hosts a download link pointing to a ZIP archive allegedly containing a pro version of the LLM.
(_SecurityWeek_)\\n\\n**Sweden blames Russian hackers for attempting \\&#8221;destructive\\&#8221; cyber attack on thermal plant**   \\nSweden&#8217;s minister of civil defense said during a press conference on Wednesday that the attempted attack happened in early 2025 and attributed the incident to hackers with \\&#8221;connections to Russian intelligence and security services.\\&#8221; (_TechCrunch_)\\n\\n**FBI and Indonesian police dismantle W3LL phishing network behind $20M fraud attempts**   \\nThe W3LL phishing kit, advertised for a fee of about $500, allowed criminals to mimic legitimate login pages to deceive victims into handing over their credentials, allowing the attackers to seize control of their accounts. (_The Hacker News_)\\n\\n**Google API keys in Android apps expose Gemini endpoints to unauthorized access**   \\nArmed with the key, an attacker could access private files and cached content, make arbitrary Gemini API calls, exhaust API quotas and disrupt legitimate services, and access any data on Gemini&#8217;s file storage.
(_SecurityWeek_)\\n\\n## Can&#8217;t get enough Talos?\\n\\n** _More than pretty pictures: Wendy Bishop on visual storytelling in tech_**   \\nFrom her early beginnings in web design and journalism to leading the creative vision for Talos, Wendy talks about the unique challenges and rewards of bridging the gap between artistic expression and highly technical research.\\n\\n** _PowMix botnet targets Czech workforce_**   \\nCisco Talos discovered an ongoing malicious campaign affecting Czech workers with a previously undocumented botnet we call \\&#8221;PowMix.\\&#8221; It employs random beaconing intervals to evade the network signature detections.\\n\\n** _APTs: Different_** ** _objectives, similar access paths_**   \\nAcross the Talos 2025 Year in Review, state-sponsored threat activity from China, Russia, North Korea, and Iran all had varying motivations, such as espionage, disruption, financial gain, and geopolitical influence.\\n\\n## Upcoming events where you can find Talos\\n\\n  *  _PIVOTcon_ (May 6 &#8211; 8) Malaga, Spain\\n  *  _OffensiveCon_ (May 15 &#8211; 16) Berlin, Germany\\n\\n\\n\\n## Most prevalent malware files from Talos telemetry over the past week&#8221;,&#8221;published&#8221;:&#8221;2026-04-16T18:00:31&#8243;,&#8221;modified&#8221;:&#8221;2026-04-16T18:00:31&#8243;,&#8221;type&#8221;:&#8221;talosblog&#8221;,&#8221;title&#8221;:&#8221;The Q1 vulnerability
pulse&#8221;,&#8221;source&#8221;:&#8221;&#8221;,&#8221;references&#8221;:&#8221;&#8221;,&#8221;id&#8221;:&#8221;TALOSBLOG:26CBE8FFE24A362B48C96418914D3580&#8243;,&#8221;bulletinFamily&#8221;:&#8221;blog&#8221;,&#8221;cwe&#8221;:null,&#8221;cvelist&#8221;:[],&#8221;sourceData&#8221;:&#8221;&#8221;,&#8221;sourceHref&#8221;:&#8221;&#8221;,&#8221;cvss&#8221;:{&#8220;score&#8221;:0,&#8221;severity&#8221;:&#8221;NONE&#8221;,&#8221;vector&#8221;:&#8221;NONE&#8221;,&#8221;version&#8221;:&#8221;NONE&#8221;},&#8221;cvss2&#8243;:{},&#8221;cvss3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;,&#8221;cvssV3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;}},&#8221;href&#8221;:&#8221;https:\/\/blog.talosintelligence.com\/the-q1-vulnerability-pulse\/&#8221;,&#8221;category_name&#8221;:&#8221;News&#8221;,&#8221;post_link&#8221;:&#8221;&#8221;,&#8221;product&#8221;:&#8221;&#8221;,&#8221;version&#8221;:&#8221;&#8221;,&#8221;vendor&#8221;:&#8221;&#8221;,&#8221;ai_description&#8221;:&#8221;&#8221;,&#8221;ai_severity&#8221;:&#8221;&#8221;,&#8221;ai_vendor&#8221;:&#8221;&
#8221;,&#8221;ai_product&#8221;:&#8221;&#8221;,&#8221;ai_version&#8221;:&#8221;&#8221;,&#8221;ai_score&#8221;:0}<\/p>\n","protected":false},"excerpt":{"rendered":"<p>{&#8220;lastseen&#8221;:&#8221;2026-04-16T20:14:58&#8243;,&#8221;description&#8221;:&#8221;![The Q1 vulnerability pulse](https:\/\/storage.ghost.io\/c\/af\/a0\/afa04ee3-414f-4481-8d23-7e7c146f192e\/content\/images\/2026\/04\/threat_source-2.jpg)\\n\\nWelcome to this week&#8217;s edition of the Threat Source newsletter.\\n\\nThe first quarter of 2026 passed faster than a misconfigured firewall rule gets&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,13,33,7,69,11,5],"class_list":["post-47523","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-security","tag-talosblog","tag-tapic","tag-vulnerability"]}