Cyber Security News April 2025

As I do every week, I spent a few hours reviewing 17 cyber security news portals, handpicking the most interesting articles from the last week of April and summarizing them—so you can quickly catch up on only the most interesting cyber news.

This week, I’ve also included two long-form articles — not breaking news, but thoughtful deep dives I found especially insightful. Consider them this week’s recommended reads if you want to go beyond the headlines.

1. AI Code Hallucinations Increase the Risk of ‘Package Confusion’ Attacks

Word count: ~1,350 words | Estimated reading time: 6–7 minutes

Summary

AI coding assistants are increasingly generating fake software package names, making it easier for attackers to carry out package confusion attacks that insert malicious code into legitimate apps. Researchers found that nearly 20% of AI-generated code dependencies pointed to non-existent libraries—creating a repeatable vulnerability that could poison the software supply chain as AI-generated code becomes the norm.

Key Details

  • A study of 576,000 AI-generated code samples found 440,000 references to fake packages (19.7% of dependencies).
  • Many hallucinated package names appeared repeatedly, meaning attackers can predict them and create malicious packages that get pulled into real software.
  • Open-source models hallucinated more (21%) than commercial models (5%).

Next Steps

  • Enforce package verification: Require developers to manually verify all AI-suggested dependencies before using them.
  • Use private package registries: Limit dependency sources to trusted, internally managed repositories.
  • Monitor for repeated hallucination patterns: Identify frequently hallucinated package names that could become prime targets for attackers.
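
To make the first and third steps concrete, here is a small added example (mine, not from the Wired article or the study) that checks AI-suggested Python dependency lists against an approved-package allowlist and reports unapproved names that recur across samples. The allowlist, the sample files, and every package name in them are constructed for illustration.

```python
import re
from collections import Counter

# Constructed allowlist standing in for the index of an internal registry.
APPROVED = {"requests", "numpy", "flask", "pyyaml"}

# Constructed AI-generated dependency lists (requirements.txt style).
# "fast-json-utilz" and "authlib-easy" are made-up names for this example.
SAMPLES = {
    "sample_a": "requests>=2.31\nFlask==3.0.0\nfast-json-utilz\n",
    "sample_b": "numpy\nfast_json_utilz==1.2  # suggested by assistant\nPyYAML\n",
    "sample_c": "requests\nauthlib-easy[jwt]>=0.3\nFast.Json.Utilz\n",
}

def normalize(name):
    """PEP 503 normalization: lowercase, runs of '-', '_', '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_requirements(text):
    """Yield normalized project names from requirements-style text."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith("-"):      # skip blanks and pip options
            continue
        match = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if match:
            yield normalize(match.group(0))

def audit(samples, approved):
    """Return (unapproved names per sample, names unapproved in 2+ samples)."""
    approved = {normalize(a) for a in approved}
    per_sample, counts = {}, Counter()
    for sample_id, text in samples.items():
        unknown = sorted(set(parse_requirements(text)) - approved)
        per_sample[sample_id] = unknown
        counts.update(unknown)
    repeated = sorted(n for n, c in counts.items() if c >= 2)
    return per_sample, repeated

if __name__ == "__main__":
    per_sample, repeated = audit(SAMPLES, APPROVED)
    for sample_id, names in per_sample.items():
        print(sample_id, "needs manual review:", names)
    print("recurring unapproved names:", repeated)
```

Normalizing names before comparing matters: the three spellings of the same made-up package above collapse to one entry, which is what makes a recurring hallucination visible.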

Read more on Wired


2. Employee Monitoring App Leaks 21 Million Screenshots in Real Time

Word count: ~500 words | Estimated reading time: 2-3 minutes

Summary

The WorkComposer employee monitoring app accidentally exposed over 21 million real-time screenshots of workers’ devices on the open web. These images included emails, chats, passwords, and sensitive business data. The breach highlights how surveillance tools, meant to track productivity, can turn into major security and privacy risks—impacting both company security and employee rights. Cybernews contacted the company, and access has now been secured.

Key Details

  • The leak stemmed from an unsecured Amazon S3 bucket, making the data accessible to anyone online.
  • Some screenshots captured login pages, API keys, and financial documents, increasing the risk of fraud and corporate espionage.
  • The real-time nature of the breach allowed attackers to potentially monitor unfolding business activities.
  • WorkComposer’s case follows a pattern: other apps like WebWork have leaked millions of employee screenshots in previous incidents.

Read more on Cybernews


3. AirBorne: Wormable Zero-Click RCE in Apple AirPlay Puts Billions of Devices at Risk

Word count: ~3,000 words | Estimated reading time: 12–14 minutes

Oligo Security revealed AirBorne, a set of 23 vulnerabilities in Apple’s AirPlay protocol and SDK, allowing attackers to take over Apple and third-party devices through zero-click and wormable remote code execution (RCE) attacks. Apple has patched all affected devices and software, but the larger risk lies with tens of millions of third-party speakers, TVs, and CarPlay devices that support AirPlay and are often updated less reliably, leaving a massive attack surface exposed.

Key Details

  • AirBorne flaws allow attackers to escalate from local network access to device takeover and malware propagation.
  • Two CVEs (2025-24252, 2025-24132) can be combined to create wormable exploits requiring no user interaction.
  • Vulnerabilities span Macs, iPhones, CarPlay systems, and AirPlay SDK-powered IoT devices.
  • Some attack paths allow eavesdropping, device hijacking, and even remote logout of users in corporate environments.
  • Oligo’s responsible disclosure led to 17 CVEs and broad collaboration with Apple’s security team.

Next Steps

  • Update Apple devices immediately
  • Audit third-party AirPlay devices: Identify and assess risk from third-party AirPlay-enabled hardware, especially in business environments.
  • Restrict AirPlay access where it’s not needed

Read more and get the CVE info at oligo.security


4. Scattered Spider Suspected in Major M&S Cyberattack

Word count: ~600 words | Estimated reading time: ~3 minutes

British retailer Marks & Spencer (M&S) suffered a major cyberattack linked to the Scattered Spider group—the same hackers behind the high-profile 2023 MGM Resorts breach. The attack disrupted payments, online orders, and supply chains, wiping £650 million from M&S’s market value. Investigators believe the attackers gained access months earlier, underscoring how long-term, stealthy intrusions can escalate into crippling ransomware attacks.

Key Details

  • Hackers allegedly stole M&S’s NTDS.dit (Active Directory database) as early as February, enabling password cracking and lateral movement.
  • The DragonForce encryptor was used against VMware ESXi hosts, consistent with ransomware tactics.
  • Service outages included contactless payment failures, halted Click & Collect orders, and paused online sales. Customers also reported empty shelves and stock shortages, suggesting supply chain disruptions.

Next Steps

  • Segment critical systems: Limit lateral movement by isolating different systems.
  • Review incident response plans to account for dwell-time threats where attackers remain undetected for months before launching ransomware.

Read more at HackRead


5. UK Bans SIM Farms to Tackle Telecoms Crime and Cyber Fraud

Word count: ~900 + 670 words | Estimated reading time: 5–6 minutes

The UK has become the first country in Europe to ban the supply and possession of SIM farms—devices that allow criminals to automate scam texts and fraud at scale. The new law makes it illegal to use, possess, or supply SIM farms without a legitimate reason, with offenders facing fines without an upper limit in England and Wales, and up to £5,000 in Scotland and Northern Ireland. Previously, only fraudulent activity itself was illegal, leaving a loophole for owning or selling SIM farms.

Key Details

  • Fraud rose 19% last year and now accounts for over 40% of reported crime in England and Wales.
  • Vodafone UK blocked over one billion scam messages since 2023, including 73.5 million in early 2025.

Read more from Cyber Magazine and UK Gov


6. WooCommerce Users Targeted by Fake Patch Phishing Campaign Deploying Site Backdoors

Word count: ~1,200 words | Estimated reading time: 5–6 minutes

A large-scale phishing campaign is tricking WooCommerce and WordPress users into installing a fake security patch that deploys a backdoor and hidden admin accounts. The attack stands out for its massive scale and evolved social engineering tactics, including convincing fake CVE alerts and cloned websites. The malware gives attackers full control over compromised sites and reflects a growing sophistication in WordPress-targeted campaigns.

Key Details

  • Attackers use phishing emails and a spoofed WooCommerce website to distribute the malicious plugin.
  • The fake patch creates hidden administrator accounts and installs web shells for remote control.
  • Malware hides itself and can turn sites into botnets, ad servers, or ransomware targets.

Read more from Patchstack and The Hacker News

7. Indian Court Orders Action to Block Proton Mail Over AI Deepfake Abuse Allegations

Word count: ~800 words | Estimated reading time: 3–4 minutes

A court in India has ordered the government to block Proton Mail after it was allegedly used to send abusive emails containing AI-generated deepfakes. The case highlights growing pressure on encrypted services over misuse concerns. However, Proton Mail remains accessible because the court order requires the government to initiate a blocking process under Section 69A of India’s IT Act, which has not yet been completed.

Key Details

  • Under Swiss law, Proton Mail is forbidden from responding directly to requests from foreign governments (like India).
  • For the block to take full effect, India would need to submit a request through Swiss authorities, who would then instruct Proton Mail if approved.
  • There is no public evidence that India has successfully used this process with Proton Mail in previous cases, including a 2024 bomb threat incident — suggesting it is unlikely to proceed successfully now.

Read more on The Hacker News


8. Meta Launches LlamaFirewall Framework to Stop AI Jailbreaks, Injections, and Insecure Code

Word count: ~400 words | Estimated reading time: ~2 minutes

Meta has launched LlamaFirewall, an open-source framework that helps developers secure AI applications from prompt injection, jailbreaks, and insecure code generation. Developers can integrate LlamaFirewall into their apps to scan user inputs before sending them to the AI model and review outputs before delivering them to users. The tools provide real-time checks for prompt attacks, hijacked goals, and unsafe code, reflecting growing industry concern about LLM security.

Key Details

  • Three main tools: PromptGuard 2 (blocks prompt injections), Agent Alignment Checks (detects goal hijacking), and CodeShield (prevents unsafe code output).
  • Available for everyone

Read more from The Hacker News and Meta


9. ‘Digital Twins’ Bring Simulated Security to the Real World

Word count: ~620 words | Estimated reading time: 3 minutes

Security teams are using digital twins—virtual copies of real-world systems—to simulate attacks, test patches, and assess risks without touching production environments. Companies like Trellix and Backslash Security apply this approach to model attacker behavior, triage alerts, and test software changes safely.

Read more from Dark Reading.


10. Tech Giants Propose Standard for End-of-Life Security Disclosures

Word count: ~610 words | Estimated reading time: 3 minutes

A coalition of major tech companies — including Cisco, Microsoft, Dell, IBM, Oracle, and Red Hat — has introduced the draft OpenEoX standard to streamline how vendors disclose end-of-life (EoL) information for software and hardware. The proposal aims to address inconsistent, hard-to-track EoL notices that increase security risks by leaving organizations unaware of when products stop receiving patches or support.

Key Details

  • The OpenEoX framework creates a shared, machine-readable data format for EoL notices.
  • It defines four lifecycle checkpoints: General Availability, End of Sales, End of Security Support, and End of Life.
  • The data format can be integrated into SBOMs, security advisories, and supply chain tools.
  • The coalition seeks public feedback before pushing the draft toward a full OASIS technical standard.

Read more at Security Week


11. China’s Secret Weapon? How EV Batteries Could Be Weaponized to Disrupt America

Word count: ~2,290 words | Estimated reading time: 10–11 minutes

Security experts warn that Chinese-made EV batteries—widely used in vehicles, infrastructure, and the US power grid—could serve as tools for espionage, data collection, or even sabotage. Batteries manufactured by CATL, the world’s largest battery maker, have been found to include cloud-connected management systems that could allow remote access or data exfiltration. 

Key Details

  • CATL supplies nearly 40% of the global EV market, including batteries for Tesla, BMW, Ford, and the US energy grid.
  • Security researchers confirmed CATL’s battery management systems connect to the CATL cloud, enabling two-way communication.
  • Risks include data collection, remote shutdown or disruption, and potential for malware delivery.
  • Similar patterns have been seen with other Chinese technology firms, echoing national security concerns around Huawei.
  • US military and critical infrastructure operators have already begun removing some CATL battery systems.

Read more at Security Week


12. Researchers Demonstrate How MCP Prompt Injection Can Be Used for Both Attack and Defense

Word count: ~820 words | Estimated reading time: 3–4 minutes

Researchers have revealed that the Model Context Protocol (MCP) — a framework that lets AI models connect to external tools and data sources and take actions on behalf of users — can be both a powerful feature and a serious security risk. 

By sneaking malicious instructions into things like emails or tool descriptions, attackers can trick AI models into doing harmful tasks, such as forwarding sensitive emails or running unauthorized actions.

Interestingly, the same technique can also be flipped for good, letting defenders use prompt injection to monitor or block risky AI behavior.

Key Details

  • Typical kill chain: attacker hides instruction → AI reads it → AI activates a connected tool via MCP → action occurs (e.g., forwarding sensitive data).

Read more at The Hacker News


Long-Form Articles That Are Worth the Time

1. Microsoft Claims Steady Progress Revamping Security Culture (Dark Reading, April 2025)

Word count: ~2,030 words | Estimated reading time: 8–9 minutes

The article offers a rare inside look at how one of the world’s largest tech companies is tackling the hardest challenge in security today: cultural change.

If you’re working on shifting from "compliance-driven" to "culture-driven" security or need real-world examples to support that strategy, this read is worth the time.

Read more

2. The Tech That Safeguards the Conclave’s Secrecy (WIRED, April 23, 2025)

Word count: ~980 words | Estimated reading time: 4 minutes

The piece in Wired offers a fascinating glimpse into how the Vatican blends physical security and counter-surveillance technology to protect one of the world’s most sensitive decision-making processes — the papal conclave. It’s a thought-provoking case study in layered security, insider threat prevention, and controlling information flows in high-risk environments. 

Read more on Wired.
