← Back to Blog
Security Briefing4 min read2026-04-12

Security Briefing, April 12 2026: Webloc Surveillance, Crypto Fraud Crackdown, Marimo RCE, Exposed Rockwell PLCs, and Chrome 147

This morning’s pattern is brutally clear: location exhaust, stolen money, exposed industrial systems, and patch windows collapsing toward zero. The only sane response is faster hardening.


Top line: One mass-surveillance revelation, one fraud-enforcement sweep, one pre-auth developer-tool RCE exploited in hours, one ugly OT exposure warning, and one browser patch train that should not wait until Monday.


1. Webloc shows how ad-tech exhaust becomes state surveillance

Citizen Lab said the Webloc platform, now sold by Penlink after the Cobwebs merger, used advertising-derived location data to help law enforcement and intelligence customers track roughly 500 million devices globally. That matters because it turns ordinary app telemetry into a stealth surveillance layer with very weak user visibility.


2. Investigators identified more than 20,000 crypto fraud victims

A coordinated law-enforcement operation led by the U.K. National Crime Agency identified over 20,000 victims of cryptocurrency fraud across Canada, the United Kingdom, and the United States. The story is not just fraud volume. It is how effectively criminal infrastructure can scale across borders before victims even know where to report.


3. Marimo CVE-2026-39987 was exploited in under 10 hours

Sysdig observed attackers exploiting the Marimo pre-auth remote code execution flaw less than 10 hours after disclosure. The vulnerable /terminal/ws WebSocket endpoint could hand an unauthenticated attacker an interactive shell on exposed notebook environments. Advisory-to-exploit windows are basically gone for anything internet-facing.


4. Thousands of U.S. Rockwell PLCs are still exposed online

BleepingComputer reported that Iran-linked targeting of U.S. critical infrastructure overlaps with a very real OT exposure problem: nearly 4,000 internet-reachable Rockwell and Allen-Bradley PLCs in the United States, with more than 5,000 exposed globally. An exposed controller is not a theoretical risk. It is an invitation.


5. Chrome 147 closed 60 vulnerabilities, including two critical bugs

SecurityWeek reported that Chrome 147 fixed 60 security issues, including two critical flaws in the browser’s WebML component. Routine browser patching is boring until it is the difference between a blocked exploit chain and a bad Monday.


What security teams should do today

  1. Audit mobile-data and ad-tech exposure, not just malware exposure.
  2. Rehearse fraud-escalation paths before the next wallet-drain case hits support.
  3. Patch exposed developer tools on disclosure day, not in the next sprint.
  4. Treat internet-exposed OT as an emergency backlog item, not technical debt.
  5. Push browser updates fast and verify they actually landed.

Sources tracked for this briefing: Citizen Lab reporting summarized by The Hacker News, BleepingComputer, and SecurityWeek coverage published on April 10 to April 11, 2026.

Cut the time attackers count on

KENSAI helps teams find exposed internet-facing systems, weak identity flows, and dangerous software supply-chain gaps before they turn into incidents.

Start Free Scan →

Stay sharp.

🗡️ KENSAI Security Team