← Back to Blog
Security Briefing5 min read2026-04-13

Security Briefing, April 13 2026: CPUID Trojanized Downloads, Adobe Zero-Day, Smart Slider Backdoor, Marimo RCE, and Chrome DBSC

The pattern is getting harder to ignore: trusted update paths are soft targets, exploitable windows are measured in hours, and defensive gains only matter if teams deploy them before attackers pivot.


Top line: One software-utility breach, one actively exploited document-reader flaw, one poisoned plugin update channel, one notebook-service RCE weaponized almost immediately, and one browser hardening move that directly targets session theft.


1. CPUID turned an official download path into malware delivery

The Hacker News reported that attackers compromised CPUID’s website logic and replaced some download URLs for CPU-Z and HWMonitor with malicious installers that delivered STX RAT. Signed original binaries may have remained intact, but that barely helps when the delivery path in front of them is compromised.


2. Adobe had to patch an exploited Acrobat Reader bug

Adobe shipped emergency fixes for CVE-2026-34621 after exploitation was observed in the wild. Reader and Acrobat remain high-value targets because they sit on almost every enterprise endpoint and touch untrusted files every day.


3. Smart Slider 3 Pro showed how update infrastructure becomes the payload

Nextend’s Smart Slider 3 Pro update channel was hijacked long enough to distribute an attacker-authored build containing a backdoor. This is the nightmare version of plugin trust: the compromise is not a typo-squat, it is the official mechanism your admins expect to be safe.


4. Marimo’s RCE was exploited in under 10 hours

Sysdig observed exploitation of CVE-2026-39987 less than 10 hours after disclosure. The vulnerable WebSocket endpoint handed attackers an unauthenticated shell on exposed notebook environments. That is another reminder that internet-facing developer tooling no longer gets a comfortable patch weekend.


5. Chrome DBSC is the rare defensive story worth operationalizing fast

Google’s rollout of Device Bound Session Credentials on Windows is important because it targets one of the most common post-infection outcomes: stolen web sessions. It is not a silver bullet, but it does raise the cost of commodity infostealer campaigns.


What security teams should do today

  1. Reclassify official update channels as monitored attack surface.
  2. Move same-day patching to the default for exposed tools and readers.
  3. Add plugin and utility downloads to software-supply-chain detections.
  4. Reduce public exposure of developer and notebook services.
  5. Accelerate browser hardening that shrinks session-theft payoff.

Sources tracked for this briefing: The Hacker News coverage published April 10 to April 12, 2026 on CPUID, Adobe Acrobat Reader, Smart Slider 3 Pro, Marimo, and Chrome DBSC.

Find the weak trust path before attackers do

KENSAI helps teams identify exposed services, brittle update flows, and risky software dependencies before they become incident timelines.

Start Free Scan →

Stay sharp.

🗡️ KENSAI Security Team