← Back to Blog
Security Briefing 4 min read 2026-04-11

Security Briefing, April 11 2026: CPUID Supply-Chain Attack, Exposed Rockwell PLCs, Payroll Piracy, Marimo RCE, and Gmail E2EE on Mobile

This morning’s signal is ugly and familiar: trusted tools, exposed industrial control systems, stolen sessions, and near-instant weaponization. The one bright spot is that secure-by-default email is finally getting a little more practical on mobile.


Top line: One software supply-chain breach, one OT exposure warning, one payroll theft campaign, one developer-tool RCE exploited in under 10 hours, and one defensive win from Google.


1. CPUID’s download chain was poisoned

Attackers compromised a secondary CPUID API for roughly six hours and swapped official website download links so CPU-Z and HWMonitor users were redirected to a trojanized HWiNFO installer. Researchers said the malware was multi-stage, heavily obfuscated, and likely focused on information theft. CPUID says its signed original binaries were not modified, but the trust boundary already broke, which is the part that matters.


2. Nearly 4,000 U.S. Rockwell PLCs are still exposed online

Federal agencies warned that Iran-linked actors have been targeting Rockwell Automation and Allen-Bradley PLCs since March, causing disruption and manipulating HMI and SCADA displays. Censys then counted 5,219 exposed hosts globally, with 3,891 in the United States. That is not just a bad metric. It is a standing invitation.


3. Storm-2755 is stealing salaries, not just inbox access

Microsoft says Storm-2755 used adversary-in-the-middle Microsoft 365 phishing pages, session cookie theft, hidden inbox rules, and direct-deposit social engineering to reroute payroll for Canadian employees. The important lesson is blunt: legacy MFA does not save you when attackers steal the authenticated session.


4. Marimo CVE-2026-39987 was exploited almost immediately

Sysdig observed exploitation of the pre-auth Marimo remote code execution flaw within 9 hours and 41 minutes of public disclosure. The bug sat in the /terminal/ws WebSocket endpoint, which skipped authentication and handed attackers an interactive shell on exposed instances. This is the new normal: disclosure-to-exploitation windows are collapsing.


5. Gmail end-to-end encryption finally reaches mobile

Google says Gmail end-to-end encryption is now available on Android and iOS for enterprise users, letting teams read and compose protected messages on mobile without extra tools. It does not solve identity compromise or endpoint theft, but it does reduce the usual excuse that secure email is too awkward for real workflows.


What security teams should do today

  1. Audit trusted software distribution paths.
  2. Isolate or remove internet-exposed OT assets.
  3. Harden payroll and HR identity flows.
  4. Patch internet-facing developer tools on disclosure day.
  5. Expand secure mobile messaging for sensitive teams.

Sources tracked for this briefing: BleepingComputer, The Hacker News, and federal-agency or vendor reporting published on April 10 to April 11, 2026.

Cut the time attackers count on

KENSAI helps teams find exposed internet-facing systems, weak identity flows, and dangerous software supply-chain gaps before they turn into incidents.

Start Free Scan →

Stay sharp.

🗡️ KENSAI Security Team