Today’s signal is blunt: social engineering is getting more patient, session theft is getting quieter, and trust anchors from login kits to code-signing to TLS libraries are all under pressure at once.
Top line: One major phishing-kit takedown, one North Korean social-engineering chain, one supply-chain containment move from OpenAI, one quieter infostealer model, and one nasty certificate-validation bug in software that reaches deep into embedded estates.
The FBI and Indonesian National Police disrupted the W3LL phishing operation, seized infrastructure, and detained the alleged developer. The kit reportedly helped criminals target more than 17,000 victims in 2023 to 2024 and supported over $20 million in attempted fraud, largely by stealing Microsoft 365 credentials and session cookies through adversary-in-the-middle flows.
Researchers linked APT37 to a campaign that used fake Facebook personas, Messenger chats, and Telegram follow-up to persuade targets to install a trojanized PDF viewer. The infection chain delivered RokRAT, abused a compromised legitimate website for command traffic, and hid a later-stage payload inside an image file.
OpenAI said a GitHub Actions workflow in its macOS app-signing path pulled the poisoned Axios package. The company reported no evidence of user-data exposure or certificate theft, but still revoked and rotated the signing certificate, with older app versions losing update support and default macOS trust after May 8, 2026.
BleepingComputer reported that the new Storm infostealer steals browser databases, cookies, wallet data, and tokens, then decrypts and restores sessions on attacker-controlled infrastructure instead of locally. That matters because it removes one of the classic endpoint signals defenders learned to catch.
CVE-2026-5194 in wolfSSL weakens certificate verification by accepting digests smaller than they should be for several signature schemes. wolfSSL says the library is used in billions of devices and applications, especially embedded, IoT, industrial, and appliance environments, so the exposure is not just web servers.
Sources tracked for this briefing: The Hacker News and BleepingComputer coverage published on April 13, 2026, plus vendor and researcher advisories referenced in those reports.
KENSAI helps security teams find exposed identity paths, brittle software supply chains, and quietly risky internet-facing systems before they become incident reports.
Start Free Scan →Stay sharp.
🗡️ KENSAI Security Team