The common thread today is simple: attackers keep winning wherever defenders quietly outsource trust, whether that trust sits in a WordPress plugin, an npm package, or a collaboration platform everyone assumes is normal.
Top line: Three stories matter this morning: a real WordPress website takeover path is being exploited in the wild, a trusted developer tool distribution path got poisoned, and a China-linked espionage cluster keeps showing how legitimate cloud services make excellent cover for attacker communications.
Attackers are actively exploiting CVE-2026-3844 in the Breeze Cache WordPress plugin. The bug stems from missing file-type validation in the fetch_gravatar_from_remote function and can let an unauthenticated attacker upload arbitrary files. If the “Host Files Locally - Gravatars” add-on is enabled, that can become remote code execution and full site compromise. The plugin has more than 400,000 active installs, and Wordfence has already seen exploitation activity.
The malicious @bitwarden/cli npm package version 2026.4.0 was available for a short window on April 22 and contained malware designed to steal developer secrets. Researchers say it harvested npm and GitHub tokens, SSH keys, and cloud credentials, then exfiltrated data through attacker-controlled GitHub repositories. Bitwarden says vault data and production systems were not impacted, but any environment that installed the poisoned package during the exposed window should be treated as compromised.
The Checkmarx KICS supply-chain breach hit Docker images and developer extensions, while ESET’s GopherWhisper report shows a China-linked threat cluster using Outlook, Slack, Discord, and Microsoft Graph API for command-and-control against government targets. These are different campaigns, but the lesson is identical: attackers are hiding inside normal developer and collaboration workflows because defenders still give them too much implicit trust.
Bottom line: Bottom line: the attackers are not just exploiting software bugs, they are exploiting default trust. That is why today’s fixes need to include patching, secret rotation, and much harder scrutiny of the services your teams already rely on every hour.
KENSAI helps teams surface exposed attack paths across web apps, developer tooling, identity, and cloud systems before small trust failures become expensive breaches.
Free Scan →Stay sharp.
🗡️ KENSAI Security Team