
Snapshot Summary

| Sector / Section | Headline Highlights | Count |
|---|---|---|
| DFIR & Incident Response | CISA KEV action; Fortinet emergency remediation | 2 |
| Cyber Investigations | CERT-EU attribution; Uffizi breach scoping | 2 |
| Major Cyber Incidents | Emergency comms outage; banking disruption; Hasbro response | 3 |
| Exploits & Threat Intelligence | Medusa tempo; React2Shell abuse; Strapi package poisoning | 3 |
| Law Enforcement | No additional credible cyber updates | 0 |
| Policy | FCC enforcement; Cambodia cybercrime statute | 2 |
| Standards & Compliance | NCSC preview; ENISA wallet scheme; ETSI API release | 3 |
| Consumer App Data Leaks | WhatsApp spyware lure; T-Mobile insider exposure | 2 |

Digital Forensics & Incident Response
CISA added a TrueConf flaw to its Known Exploited Vulnerabilities Catalog on 06-04-2026 and required federal agencies to remediate it after reporting linked the issue to active attacks against government targets, including activity tied to Southeast Asia [AMER]. For DFIR teams, the operational lesson is that collaboration platforms and their update paths now merit the same urgent scoping, log preservation, and retrospective hunt activity traditionally reserved for VPNs and perimeter appliances (Source: CISA, 06-04-2026).
Fortinet issued an emergency PSIRT advisory on 06-04-2026 for CVE-2026-35616 in FortiClient EMS, warning the management platform was already being exploited and publishing fixed versions and mitigation guidance, while Singapore’s CSA separately amplified the risk [APAC]. Incident responders should treat exposed EMS servers as priority assets because unauthenticated code execution on management infrastructure can quickly become a credential, persistence, and lateral-movement investigation rather than a single-host patching exercise (Source: Fortinet PSIRT, 06-04-2026).
Cyber Investigations
CERT-EU published its detailed assessment of the European Commission cloud breach and said TeamPCP abused an AWS API key stolen via the Trivy supply-chain compromise, with data from at least 29 other Union entities potentially exposed after the 2026-03-24 intrusion [EMEA]. The case matters to investigators because it publicly connects software provenance, cloud access abuse, victim scoping, and downstream leak activity into a documented attribution chain that other public-sector responders can study and reuse (Source: CERT-EU, 03-04-2026).
Italy’s Uffizi Galleries said on 03-04-2026 that a cyberattack first detected on 01-02-2026 did not result in stolen data or ransom payment, rebutting local reporting that had suggested a far deeper compromise of museum systems and physical-security plans [EMEA]. For investigators, the significance is procedural: restoration evidence, backup validation, and public communications can materially reshape the understanding of an incident when external reporting outruns what forensic scoping can actually support (Source: Reuters, 03-04-2026).
Major Cyber Incidents
A cyberattack disrupted the Patriot Regional Emergency Communications Center in Massachusetts, affecting non-emergency and business phone lines for multiple municipalities while 9-1-1 service remained up and alternate notification procedures were activated on 03-04-2026 [AMER]. This matters because even partial outages at a regional dispatch hub can complicate evidence collection, continuity decisions, and public communications at the exact moment responders need clarity, resilient telephony, and synchronized incident command (Source: The Record, 03-04-2026).
Russia experienced a broad outage on 06-04-2026 that hit banking apps, ATMs, and metro payments across several regions, with local reporting and officials differing on whether the disruption stemmed from cyberattack activity, traffic blocking, or other network interference [EMEA]. For resilience planners, the incident is a reminder that payment and transport dependencies can fail in cyber-like ways even before attribution is settled, making disciplined timeline reconstruction and service-impact mapping essential from the first hour (Source: The Record, 06-04-2026).
Hasbro disclosed on 01-04-2026 that it was investigating unauthorized access detected on 28-03-2026, had brought in outside cybersecurity specialists, and had taken some systems offline while it determined the scale and business impact of the event [AMER]. The incident is notable because early containment in a complex consumer-products enterprise can affect manufacturing, licensing, and back-office workflows at once, forcing responders to balance preservation, restoration, and third-party coordination under uncertainty (Source: Reuters, 01-04-2026).
Exploits & Threat Intelligence
Microsoft Threat Intelligence said on 06-04-2026 that Storm-1175, a China-based financially motivated actor associated with Medusa ransomware, is exploiting vulnerable web-facing assets and can move from initial access to ransomware deployment in as little as a day [AMER]. The report matters because it compresses defenders’ response window and reinforces that patch latency, web-shell hunting, and identity telemetry must be handled together when high-tempo intrusion activity overlaps with extortion operations (Source: Microsoft Threat Intelligence, 06-04-2026).
Cisco Talos disclosed a large-scale credential-harvesting operation by UAT-10608 that uses automated scanning and exploitation of React2Shell-exposed applications, then exfiltrates secrets and credentials through the actor’s Nexus Listener framework [AMER]. For threat hunters, the value is the campaign’s repeatable pattern: exposed web flaws quickly become identity compromise, so application telemetry, credential hygiene, and downstream account monitoring must be triaged as one connected investigation (Source: Cisco Talos, 02-04-2026).
SecurityWeek reported on 06-04-2026 that researchers uncovered 36 malicious npm packages posing as Strapi plugins and targeting the Guardarian ecosystem with shell execution, credential theft, and attempts to abuse Redis, Docker, and related assets [EMEA]. The supply-chain lesson is practical: niche admin ecosystems and plugin markets remain attractive intrusion paths because plausible extensions can slip into production-adjacent workflows long before formal security review catches them (Source: SecurityWeek, 06-04-2026).
Law Enforcement
No additional credible updates in the last 72h.
Policy
The FCC announced on 03-04-2026 that its Enforcement Bureau proposed a $4.5 million forfeiture against Voxbeam for apparently routing foreign traffic from a provider not listed in the Robocall Mitigation Database, a rule designed to blunt scam and spoofed voice abuse [AMER]. For cyber and fraud professionals, the action shows communications-security enforcement increasingly rests on provenance and trusted interconnection controls, not just spam filtering or consumer complaint volumes after the fact (Source: FCC, 03-04-2026).
Cambodia’s parliament passed its first dedicated cybercrime law on 03-04-2026, creating new penalties for online scams, money laundering, unauthorized data collection, and scam-centre recruitment as international scrutiny of the country’s fraud compounds intensified [APAC]. The law matters because it gives authorities a clearer legal basis to target not only front-line operators but also the financial, recruitment, and data-handling layers that keep industrial cyber-enabled fraud running (Source: Reuters, 03-04-2026).
Standards & Compliance
NCSC updated its Cyber Essentials resources on 06-04-2026 to preview requirement changes that will be adopted on 27-04-2026, giving organizations and assessors advance visibility into the next round of baseline UK security-control expectations [EMEA]. This matters because compliance drift often begins before formal enforcement or assessment dates, so early review helps teams realign scope, evidence collection, supplier questionnaires, and remediation priorities before certification conversations turn adversarial (Source: NCSC, 06-04-2026).
ENISA announced on 03-04-2026 that it had opened a public consultation on the draft candidate EU Digital Identity Wallet certification scheme, part of the work to support certified wallets across member states by the end of 2026 [EMEA]. For compliance and assurance teams, the development is important because digital identity security is moving toward formalized EU-level controls and certification language rather than fragmented national or vendor-specific trust models (Source: ENISA, 03-04-2026).
ETSI announced OpenCAPIF Release 4 on 02-04-2026, adding visibility-control features, revised certificate architecture, and security fixes aligned with 3GPP Release 19 for API exposure and access-management use cases in telecom environments [EMEA]. The standards relevance is straightforward: more consistent API discovery, certificate handling, and access governance can reduce bespoke security workarounds that often become long-term compliance and interoperability liabilities across large service ecosystems (Source: ETSI, 02-04-2026).
Consumer App Data Leaks
Reuters reported on 01-04-2026 that WhatsApp said about 200 users, mostly in Italy, were tricked into installing a counterfeit version of the app embedded with spyware, with Meta linking the campaign to an Italian surveillance company [EMEA]. The incident matters because fake-client distribution remains an effective bridge from consumer trust to targeted surveillance, showing how brand abuse and mobile sideloading risks can still bypass stronger app-store and platform protections (Source: Reuters, 01-04-2026).
SecurityWeek reported on 03-04-2026 that T-Mobile clarified a recent breach filing involved an isolated insider incident by a single vendor employee who improperly accessed one customer’s information, rather than a broad external compromise of customer systems [AMER]. Even at small scale, the event is useful for breach practitioners because insider misuse through third-party access can trigger the same regulatory, trust, and evidence-preservation obligations as a much larger perimeter-based data incident (Source: SecurityWeek, 03-04-2026).
Editorial Perspective
This cycle’s most consistent pattern is trust abuse: software distribution, cloud keys, telecom routing, plugin ecosystems, and mobile app branding all became conduits for intrusion or fraud rather than merely targets.
The stronger signal for practitioners is operational tempo, with attackers compressing dwell time and defenders needing to connect application, identity, and cloud evidence earlier in the investigation.
Across regions, the better-prepared teams will be the ones that can pair emergency patching with provenance checks, longer-term scoping, and compliance documentation that stands up after the immediate crisis fades.
Reference Reading
- CISA Adds One Known Exploited Vulnerability to Catalog
- CERT-EU: European Commission cloud breach and Trivy supply-chain compromise
- Microsoft Threat Intelligence on Storm-1175 and Medusa operations
- Cisco Talos on UAT-10608 credential harvesting
- ENISA advances the certification of EU Digital Wallets
- NCSC Cyber Essentials resources and April 2026 preview updates
Tags
DFIR, incident response, threat intelligence, supply chain security, cloud forensics, Fortinet, Medusa ransomware, React2Shell, cyber policy, ENISA, Cyber Essentials, consumer data protection