Threat Briefing: April 10, 2026


Threat Intel Update

The threat landscape is converging fast. AI-enabled attacks, like the prt-scan campaign, allow adversaries to sweep hundreds of open-source repositories and exploit misconfigured CI/CD pipelines at scale. Ransomware groups such as Storm-1175 are weaponizing zero-day vulnerabilities within hours of disclosure, outpacing defenders before patches can deploy.

Meanwhile, state-linked actors are intensifying attacks on critical infrastructure, and fraud-as-a-service ecosystems are industrializing financial crime through automation and social engineering.

The pattern is clear: threats are faster, more scalable, and more interconnected than ever. Organizations must respond by challenging trust assumptions, accelerating patch cycles, hardening identity controls, and investing in cross-sector collaboration.

Cybersecurity News

  • AI-Powered Attacks Are Exploiting Open-Source Supply Chains – A campaign dubbed “prt-scan” used AI-assisted automation to make over 450 exploit attempts across GitHub repositories, successfully compromising at least two NPM packages. Attackers targeted misconfigured CI/CD pipelines using GitHub Actions workflows that execute with full repository permissions, a risk that scales rapidly with automation. Developers should audit their GitHub security configurations now. Dark Reading
  • Ransomware Groups Are Outpacing Traditional Patch Cycles – Storm-1175 is deploying Medusa ransomware within 24 hours of vulnerability disclosure, locking networks and stealing data before organizations can respond. Active since 2023, the group has exploited over 16 distinct flaws across the education and healthcare sectors in the UK, US, and Australia. Traditional patching timelines are no longer sufficient. HackRead
  • Iranian Actors Are Targeting U.S. Critical Infrastructure – FBI-flagged Iranian cyber actors are compromising internet-exposed operational technology, particularly programmable logic controllers in energy and water systems, causing data manipulation and operational disruption. The attacks are escalating alongside broader US-Iran-Israel geopolitical tensions. Organizations should remove PLCs from public internet exposure and enforce multi-factor authentication immediately. The Hacker News
  • Fraud Has Become an Industrialized Global Enterprise – INTERPOL’s 2026 Global Financial Fraud Threat Assessment finds that criminal networks now operate fraud-as-a-service platforms, enabling low-skilled actors to run sophisticated phishing and social engineering schemes at scale. Fraud is increasingly linked to money laundering, human trafficking, and terrorism financing. Financial institutions need a coordinated, cross-sector response, not just better detection tools. BankInfoSecurity
  • Device-Code Phishing Is Bypassing MFA at Scale – Since March 2026, attackers have been running 10 to 15 phishing campaigns daily using a kit called EvilTokens, which exploits Microsoft’s device-code authentication flow to silently bypass MFA and access corporate email accounts. Finance teams are the primary target. Organizations should restrict or block device-code authentication where possible and invest in employee awareness training. The Register
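The GitHub Actions risk in the first item is worth seeing concretely. The following is an added example, not code from the briefing or from any of the repositories mentioned: a workflow that inherits the repository's default token scope, followed by a least-privilege version. It assumes the misconfiguration is an unscoped GITHUB_TOKEN; the package name, secret name and SHA pin are placeholders.

```yaml
# Added example (not from the briefing). Two workflow files shown as one
# YAML stream separated by "---".

# --- Before: no `permissions` block --------------------------------------
# Without a `permissions` key the job inherits the repository's default
# GITHUB_TOKEN scope. On repositories still using the permissive default,
# that is read/write on contents, packages, pull requests and more, so any
# step, including a compromised third-party action, can push commits or
# publish a release with that token.
name: ci-before
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
---
# --- After: explicit least-privilege token -------------------------------
name: ci-after
on: [push, pull_request]
# Workflow-wide default: the token may only read repository contents.
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      # Pin third-party actions to a full commit SHA rather than a mutable
      # tag so a retagged action cannot swap in new code. Placeholder below.
      - uses: actions/checkout@<FULL-COMMIT-SHA>   # placeholder, not a real pin
      - run: npm ci && npm test
  publish:
    needs: test
    # Only the job that actually publishes is widened, and only to the
    # scopes it needs. Never use `permissions: write-all`.
    permissions:
      contents: read
      id-token: write   # OIDC token for npm provenance attestation
    runs-on: ubuntu-latest
    # Publish only from a pushed tag, never from pull_request events.
    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
    steps:
      - uses: actions/checkout@<FULL-COMMIT-SHA>   # placeholder, not a real pin
      - run: npm ci && npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # assumed secret name
```

Auditing for workflows with no `permissions` key, with `write-all`, or with `pull_request_target` checking out untrusted PR code is the quickest way to find the pipelines the briefing describes.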

About the Author
CampusGuard Threat Intel Team