An insider executive selling zero-days to Russia, a fake Ledger app draining $9.5 million from App Store users, and a critical flaw in wolfSSL affecting billions of devices — the latest edition of Vulnerable U covers a landscape where the threats are as diverse as they are severe. From the Mythos-driven acceleration of vulnerability discovery to the mundane reality of healthcare ransomware fallout, here is the technical breakdown of what matters this week.
Building a “Mythos-Ready” Security Program
The Cloud Security Alliance has published guidance on preparing for the era of AI-driven vulnerability discovery. The key insight is not about hype, but about velocity: time-to-exploitation is collapsing toward same-day weaponization, and complex exploit chains — once the domain of a small number of elite researchers — are becoming increasingly accessible.
The report recommends using LLMs for vulnerability discovery and remediation, accelerating teams with coding agents, and preparing for more incidents. The real takeaway is not about any single tool, but about the trajectory: if Anthropic proved this capability is possible, it will show up everywhere. Nation-state actors with unlimited resources will eventually have access to the same capabilities. Organizations that build the muscle now — process, tooling, and culture — will be the ones that keep up.
Kraken Insider Extortion: The Help Desk as Attack Vector
Cryptocurrency exchange Kraken is dealing with an active effort by threat actors to recruit insiders at crypto companies, gaming companies, and telecoms — especially through third-party contractors and BPOs. Attackers gained access to approximately 2,000 accounts’ worth of data including balances, account information, and wallet IDs. Once access was established, extortion began with video evidence of what the help desk employee could see. Kraken refused to pay and is working with law enforcement, but the incident underscores a growing trend: the help desk is increasingly the path of least resistance for threat actors.
FBI Signal Extraction: The Endpoint is the Weak Point
News that the FBI extracted Signal messages from a suspect — even after the app was deleted — caused predictable alarm. However, Signal itself is not broken. End-to-end encryption protects messages in transit, not once they reach the endpoint device. The interesting technical detail is that message content persisted in notification logs and push notification databases outside the app itself. This is a reminder that endpoint compromise bypasses even the strongest encryption protocols.
OpenAI macOS Apps Caught in Axios Supply Chain Attack
OpenAI is rotating its macOS signing certificates and forcing app updates after being caught in the Axios supply chain attack from late March. North Korean hackers (UNC1069) social-engineered the lead maintainer of Axios, hijacked his accounts, and pushed malicious code — live for only three hours, but with a blast radius of over 100 million weekly downloads. OpenAI’s GitHub workflow downloaded the malicious version, though timing and setup likely prevented certificate theft. The root cause was a misconfigured GitHub workflow, now fixed. Users of OpenAI’s macOS apps must update before May 8 or the apps will stop working.
Trenchant Exec Sold Zero-Days to Russia
Peter Joseph Williams, a top executive at cybersecurity firm Trenchant, pleaded guilty to stealing and selling zero-days to a Russian broker. The case is remarkable for its brazenness: Williams was not recruited — he reached out to the Russian buyer himself, created an anonymous email account, and initiated the relationship. While the FBI was investigating, he continued selling. While his company was investigating, he was put in charge of the investigation and let a subordinate take the fall. Prosecutors say the exploits could potentially access millions of devices worldwide. The mental health defense (anxiety, burnout, depression) was undercut by evidence of luxury cars, expensive travel, a $1.5 million house, and approximately $1.3 million in proceeds from the deal.
Fake Ledger Live App Drains $9.5M from App Store
A fake Ledger Live application made it through Apple’s App Store review process and proceeded to drain $9.5 million in cryptocurrency from 50 victims over a few days in early April. Users downloaded what they believed was the legitimate Ledger app, entered their seed phrases, and watched their wallets get emptied across Bitcoin, Ethereum, Solana, and other chains. Three victims lost over $1 million each. Apple has since pulled the application. Critically, Ledger does not offer a macOS app through the App Store — only via their website — which is exactly the gap exploited. The same group pulled a similar stunt on the Microsoft Store in 2023 for $768,000.
Adobe PDF Zero-Day: Exploited for Months
Adobe patched CVE-2026-34621, a zero-day vulnerability in Acrobat DC, Reader DC, and Acrobat 2024 affecting both Windows and macOS. The flaw allows attackers to deploy malware simply by getting a target to open a malicious PDF file. Security researcher Haifei Li identified the bug when a malicious PDF was uploaded to his scanner — the first sample appeared on VirusTotal in November 2025, meaning the vulnerability was exploited in the wild for at least four months before patching.
wolfSSL Critical Flaw: Forged Certificates on 5 Billion Devices
A critical vulnerability in wolfSSL (CVE-2026-5194) allows attackers to bypass certificate verification by exploiting weak hash validation in ECDSA and other signature algorithms. The flaw permits forged certificates with smaller-than-allowed digests to pass verification checks, enabling malicious servers to masquerade as legitimate ones. wolfSSL is the second most deployed TLS library after OpenSSL, powering approximately 5 billion devices worldwide including IoT, industrial control systems, aerospace, and military equipment. The fix was released in wolfSSL 5.9.1 on April 8. Discovery credit goes to Nicholas Carlini at Anthropic, likely using Claude-based vulnerability research tools.
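The wolfSSL item turns on one check: before an ECDSA signature is verified, the digest handed to the verifier must be exactly as long as the hash named in the certificate's signature algorithm. The following is an added illustration in Python (wolfSSL itself is C), not wolfSSL's code and not a reconstruction of the patched function; the "weak" check is a constructed stand-in for the general pattern of guarding only the buffer bound, and the `bits2int` step follows RFC 6979 / FIPS 186-4. The algorithm table, curve table, sample certificate records and the `audit_certificates` helper are all assumptions made for the example. It shows why the length matters for ECDSA: a truncated digest becomes a scalar e with far fewer bits than the curve order, and the strict check rejects it (along with digests from algorithms the table does not list) before any curve arithmetic runs.

```python
import hashlib

# Hash named by each accepted signature algorithm identifier (assumed table).
# Legacy digests (MD5, SHA-1) are deliberately absent, so they are rejected outright.
SIG_ALG_HASH = {
    "ecdsa-with-SHA256": "sha256",
    "ecdsa-with-SHA384": "sha384",
    "ecdsa-with-SHA512": "sha512",
}

# Bit length of the group order n for the curves this verifier accepts.
CURVE_ORDER_BITS = {"P-256": 256, "P-384": 384, "P-521": 521}


class DigestMismatch(ValueError):
    """Raised when a digest does not fit the declared signature algorithm."""


def expected_digest_len(sig_alg):
    """Digest length in bytes implied by the signature algorithm identifier."""
    if sig_alg not in SIG_ALG_HASH:
        raise DigestMismatch("unsupported signature algorithm %r" % sig_alg)
    return hashlib.new(SIG_ALG_HASH[sig_alg]).digest_size


def bits2int(digest, order_bits):
    """RFC 6979 bits2int: keep the leftmost min(order_bits, 8*len(digest)) bits."""
    e = int.from_bytes(digest, "big")
    excess = 8 * len(digest) - order_bits
    return e >> excess if excess > 0 else e


def digest_ok_weak(sig_alg, digest, buf_len=64):
    """Constructed weak check: only guards the buffer bound, so a truncated
    digest (or one from an undeclared hash) passes. Not wolfSSL's code."""
    return 0 < len(digest) <= buf_len


def digest_ok_strict(sig_alg, digest):
    """Strict check: the digest must be exactly as long as the declared hash produces."""
    return len(digest) == expected_digest_len(sig_alg)


def hash_to_scalar(sig_alg, curve, digest, strict=True):
    """Validate the digest, then derive the ECDSA scalar e that verification would use."""
    if curve not in CURVE_ORDER_BITS:
        raise DigestMismatch("unsupported curve %r" % curve)
    ok = digest_ok_strict(sig_alg, digest) if strict else digest_ok_weak(sig_alg, digest)
    if not ok:
        raise DigestMismatch("%d-byte digest not acceptable for %s" % (len(digest), sig_alg))
    return bits2int(digest, CURVE_ORDER_BITS[curve])


def audit_certificates(certs, strict=True):
    """Run the digest check over certificate records; returns subject -> 'accept'/'reject'."""
    results = {}
    for cert in certs:
        try:
            hash_to_scalar(cert["sig_alg"], cert["curve"], cert["digest"], strict)
            results[cert["subject"]] = "accept"
        except DigestMismatch:
            results[cert["subject"]] = "reject"
    return results


def sample_certificates():
    """Constructed records: a correct SHA-256 digest, the same digest truncated
    to 4 bytes, and a SHA-1 digest under an algorithm the table does not allow."""
    tbs = b"constructed TBSCertificate bytes for demonstration"
    full = hashlib.sha256(tbs).digest()
    return [
        {"subject": "good.example", "sig_alg": "ecdsa-with-SHA256",
         "curve": "P-256", "digest": full},
        {"subject": "truncated.example", "sig_alg": "ecdsa-with-SHA256",
         "curve": "P-256", "digest": full[:4]},
        {"subject": "legacy.example", "sig_alg": "ecdsa-with-SHA1",
         "curve": "P-256", "digest": hashlib.sha1(tbs).digest()},
    ]


if __name__ == "__main__":
    certs = sample_certificates()
    for strict in (False, True):
        print("strict=%s: %s" % (strict, audit_certificates(certs, strict)))
    # Show how small the scalar becomes when the weak check lets a 4-byte digest through.
    e = hash_to_scalar("ecdsa-with-SHA256", "P-256", certs[1]["digest"], strict=False)
    print("truncated digest -> e has %d bits (curve order has 256)" % e.bit_length())
```

Run as a script, the weak mode accepts all three records and the strict mode accepts only `good.example`. The design point is that the length check has to be keyed off the algorithm the certificate declares, not off the size of the buffer the verifier happens to have; a bound check alone says nothing about whether the digest is the one the signer committed to.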
Microsoft Zero-Day Drama: RedSun and BlueHammer
A disgruntled security researcher has publicly released proof-of-concept code for two Windows zero-days — RedSun and BlueHammer — following a dispute with Microsoft’s bug bounty program. BlueHammer was released earlier this month, and RedSun followed. Huntress has confirmed exploit activity in the wild. Both vulnerabilities can be used for privilege escalation to SYSTEM-level access. The incident highlights the tension between vulnerability disclosure processes and researcher relations.
Rockstar Games Breach: Snowflake Analytics, Not Source Code
Early reports of a Rockstar Games data breach claimed anti-cheat source code was stolen. Those claims were walked back. What was actually compromised was Snowflake analytics data — in-game revenue, purchase metrics, player behavior, and support analytics — exposed through a third-party environment. Rockstar confirmed the breach as limited and non-material with no impact on players. A reminder that early breach narratives are almost always wrong.
Analysis based on Vulnerable U Newsletter #164, by Matt Johansen (@mattjay). Research and adaptation: N00TROP1C — NULLTROPIC, 2026.