Contents

01. News Bites
  • Microsoft patches actively exploited Defender zero-days

  • GitHub breach linked to malicious VS Code extension

  • AI-driven cyber incidents rise across Canadian businesses

  • Global cyberattacks surge as ransomware and GenAI risks intensify

  • NYC Health + Hospitals breach impacts 1.8 million patients

02. Conclusion

Quick News Bites

Microsoft patches actively exploited Defender zero-days

Microsoft has begun rolling out urgent security updates for two Microsoft Defender vulnerabilities that are already being actively exploited in zero-day attacks. The flaws, tracked as CVE-2026-41091 and CVE-2026-45498, impact the Microsoft Malware Protection Engine and Defender Antimalware Platform, potentially allowing attackers to gain SYSTEM-level privileges or trigger denial-of-service conditions on unpatched Windows devices.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has now added both vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalogue and ordered federal agencies to secure affected systems within two weeks due to the active threat posed by exploitation in the wild.

Microsoft says the latest updates should install automatically for most users, but organisations are still being urged to verify that Defender updates and malware definitions are being applied correctly across all endpoints and servers. Engine updates ship with security intelligence updates and platform updates arrive as a separate Defender package, neither as part of the monthly cumulative update, so a device that shows as fully patched in Windows Update can still be running an old engine; check the installed engine and platform versions directly. The warning follows separate guidance around the recently disclosed YellowKey BitLocker zero-day, reinforcing concerns around the continued targeting of core Windows security technologies by threat actors.
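As an added example that is not from the bulletin or from Microsoft, the following PowerShell reads Defender's own report of its engine, platform and security intelligence versions on each endpoint and flags hosts below a minimum you supply. The minimum versions are deliberately left as placeholders: the bulletin does not state the fixed build numbers, so take them from Microsoft's advisories for the two CVEs before running this. The hosts.txt file and WinRM access to the targets are assumptions.

```powershell
# Added example, not from the bulletin or Microsoft. Reads Defender's own view of
# its engine (AMEngineVersion), platform (AMProductVersion) and security
# intelligence versions via Get-MpComputerStatus and compares them with a minimum.
# The defaults of 0.0.0.0 are placeholders: supply the fixed versions from the
# Microsoft advisories for CVE-2026-41091 and CVE-2026-45498.
function Get-DefenderPatchState {
    param(
        [version]$MinEngine   = '0.0.0.0',   # placeholder, not a real fixed version
        [version]$MinPlatform = '0.0.0.0',   # placeholder, not a real fixed version
        [int]$MaxSignatureAgeHours = 24
    )
    $s = Get-MpComputerStatus
    $sigAge = (Get-Date) - $s.AntivirusSignatureLastUpdated
    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        EngineVersion      = $s.AMEngineVersion
        PlatformVersion    = $s.AMProductVersion
        SignatureVersion   = $s.AntivirusSignatureVersion
        SignatureAgeHours  = [math]::Round($sigAge.TotalHours, 1)
        RealTimeProtection = $s.RealTimeProtectionEnabled
        EngineOk           = [version]$s.AMEngineVersion  -ge $MinEngine
        PlatformOk         = [version]$s.AMProductVersion -ge $MinPlatform
        SignaturesFresh    = $sigAge.TotalHours -le $MaxSignatureAgeHours
    }
}

# Fleet sweep over WinRM. hosts.txt is assumed to hold one hostname per line.
# The version strings are passed as text and converted by the param block.
$targets = Get-Content .\hosts.txt
$results = Invoke-Command -ComputerName $targets -ErrorAction Continue `
    -ScriptBlock ${function:Get-DefenderPatchState} `
    -ArgumentList '0.0.0.0', '0.0.0.0', 24

# Any host failing a check is one to fix first.
$results |
    Where-Object { -not ($_.EngineOk -and $_.PlatformOk -and $_.SignaturesFresh) } |
    Select-Object Computer, EngineVersion, PlatformVersion, SignatureAgeHours,
                  EngineOk, PlatformOk, SignaturesFresh |
    Format-Table -AutoSize
```

Update-MpSignature forces a security intelligence update on a host, which also carries the engine; the platform package arrives separately through Windows Update, WSUS or Intune, so a host that is current on signatures but below the platform minimum still needs that package. RealTimeProtection is included because a host where Defender is disabled or replaced by another product will report stale versions that are not a patching failure.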

GitHub breach linked to malicious VS Code extension

GitHub has confirmed that the breach affecting roughly 3,800 internal repositories originated from a malicious version of the Nx Console Visual Studio Code extension, distributed during last week’s wider TanStack npm supply-chain attack. The incident highlights the growing scale and sophistication of software supply-chain threats targeting developers and CI/CD environments.

The compromised extension reportedly stole credentials and secrets linked to platforms including GitHub, AWS, Kubernetes, Docker and npm. GitHub says the attack began after an employee installed the poisoned extension, allowing threat actors to gain unauthorised access to internal repositories. The company has since rotated critical secrets and secured affected systems while continuing its investigation.

The campaign has been linked to the TeamPCP cybercrime group, which has previously been associated with attacks on developer ecosystems such as PyPI, npm, Docker and GitHub. Security researchers warn the incident demonstrates how trusted developer tools and extensions are becoming high-value attack vectors: an editor extension runs with the developer's full user privileges, so any token that user can read, whether for GitHub, a cloud provider, a registry or a cluster, is available to it. Organisations are being urged to tighten extension governance, treat every secret stored on a workstation where a malicious extension ran as exposed and rotate it, review CI/CD credential exposure, and strengthen monitoring around developer environments and third-party software dependencies.
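As an added example that is not part of the bulletin or of GitHub's own guidance, the following PowerShell inventories the plaintext credential stores a malicious extension running as the developer could have read, and lists the installed VS Code extensions for comparison against an approved list. The file locations are each tool's default paths and are assumptions for this example; the extension listing depends on the code CLI being on PATH. It reports presence, size and age only and never prints secret contents.

```powershell
# Added example, not from the bulletin or from GitHub. Inventories the plaintext
# credential stores that an extension running as the developer could read, so the
# rotation list after an incident like this one is driven by what is actually on
# the workstation. Reports presence, size and age only; it never prints contents.
# Paths are each tool's default location and are assumptions for this example.
function Get-DevCredentialStores {
    param([string]$UserHome = $HOME)

    $onWindows = $env:OS -eq 'Windows_NT'
    if ($onWindows) { $ghHosts = Join-Path $env:APPDATA 'GitHub CLI\hosts.yml' }
    else            { $ghHosts = Join-Path $UserHome '.config/gh/hosts.yml' }

    $stores = [ordered]@{
        'GitHub CLI (gh) token' = $ghHosts
        'git credential store'  = Join-Path $UserHome '.git-credentials'
        'npm registry token'    = Join-Path $UserHome '.npmrc'
        'AWS access keys'       = Join-Path $UserHome '.aws/credentials'
        'kubeconfig'            = Join-Path $UserHome '.kube/config'
        'Docker registry auth'  = Join-Path $UserHome '.docker/config.json'
    }
    # Markers whose presence shows a file holds a secret rather than just config.
    $markers = @{
        'GitHub CLI (gh) token' = 'oauth_token'
        'npm registry token'    = '_authToken'
        'AWS access keys'       = 'aws_secret_access_key'
        'Docker registry auth'  = '"auth"'
    }

    foreach ($name in $stores.Keys) {
        $path = $stores[$name]
        $file = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        $hasSecret = $null
        if ($file -and $markers.ContainsKey($name)) {
            # -Quiet returns only $true or nothing, so the token itself is never emitted.
            $hasSecret = [bool](Select-String -LiteralPath $path -Pattern $markers[$name] -Quiet)
        }
        [pscustomobject]@{
            Store        = $name
            Path         = $path
            Present      = [bool]$file
            SecretMarker = $hasSecret      # $null when file absent or no marker defined
            Bytes        = if ($file) { $file.Length } else { 0 }
            LastWritten  = if ($file) { $file.LastWriteTime } else { $null }
        }
    }
}

# Installed VS Code extensions, for comparison against an approved list.
# Relies on the code CLI; its output format is publisher.name@version.
function Get-VsCodeExtensions {
    if (-not (Get-Command code -ErrorAction SilentlyContinue)) { return }
    & code --list-extensions --show-versions | ForEach-Object {
        if ($_ -match '^(?<publisher>[^.]+)\.(?<name>[^@]+)@(?<version>.+)$') {
            [pscustomobject]@{
                Id        = "$($Matches.publisher).$($Matches.name)"
                Publisher = $Matches.publisher
                Version   = $Matches.version
            }
        }
    }
}

Get-DevCredentialStores | Format-Table -AutoSize
Get-VsCodeExtensions    | Sort-Object Publisher, Id | Format-Table -AutoSize
```

Every row with Present true is a credential to rotate if the workstation ran the poisoned extension; the SecretMarker column separates files that actually contain a token from ones that only hold registry or cluster configuration. The extension list is the input for an allowlist comparison, which is the practical form extension governance takes on the endpoint.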

AI-driven cyber incidents rise across Canadian businesses

New research has revealed that one in three Canadian businesses experienced a cyber incident in the past year that they believe involved artificial intelligence, highlighting the growing role AI is playing in modern cyber threats. Phishing attacks were among the most commonly reported methods, reflecting how threat actors are increasingly using AI to improve the scale and sophistication of social engineering campaigns.

The survey found that AI adoption among Canadian mid-market organisations has surged to 83%, with a further 14% actively exploring the technology. At the same time, 57% of businesses reported suffering at least one cyber incident over the last 12 months, while supplier-related attacks and third-party exposure also continued to rise.

Researchers warned that AI-related cyber risk is no longer limited to internal systems, with supply chain weaknesses now representing a major concern for organisations and insurers alike. The findings also show growing investment in cybersecurity, incident response planning and cyber insurance as businesses attempt to strengthen resilience against increasingly advanced AI-enabled threats.

Global cyberattacks surge as ransomware and GenAI risks intensify

Cyberattacks continued to escalate globally throughout April 2026, with organisations facing an average of 2,201 attacks per week according to new research from Check Point Software Technologies. The report highlights rising ransomware activity, increased targeting of critical sectors, and growing concerns around sensitive data exposure linked to GenAI usage in enterprise environments.

Latin America remained the most targeted region globally, while Africa continued to experience sustained pressure despite a year-on-year decline in attack volume. In EMEA, Angola and Nigeria recorded the highest number of attacks per organisation, with South Africa averaging 1,777 attacks per week. Education remained the most targeted industry worldwide, followed by government and telecommunications.

The report also warned that GenAI adoption is creating new exposure risks, with one in every 28 enterprise AI prompts containing highly sensitive information. Meanwhile, ransomware incidents rose again in April, driven by groups such as Qilin and DragonForce, reinforcing concerns around operational disruption, supply chain exposure and evolving cybercriminal tactics.

Security researchers warn that organisations must strengthen governance, visibility and proactive threat management as attackers increasingly combine automation, ransomware and AI-enabled techniques to scale their operations.

NYC Health + Hospitals breach impacts 1.8 million patients

NYC Health + Hospitals has disclosed that a major cyberattack impacting its systems exposed sensitive information belonging to at least 1.8 million people, making it one of the largest healthcare data breaches reported this year. The attackers reportedly had access to the organisation’s network from November 2025 until February 2026 following the compromise of a third-party vendor.

According to the healthcare provider, stolen data includes medical records, insurance details, billing information, government-issued identification documents and highly sensitive biometric data such as fingerprint and palm print scans. The breach also reportedly exposed precise geolocation information linked to uploaded identity documents, raising additional privacy concerns for affected individuals.

Healthcare organisations remain prime targets for cybercriminals because of the volume of sensitive personal and medical information they hold. The incident also highlights the growing risk from third-party suppliers and interconnected healthcare ecosystems, where a single vendor compromise can create widespread downstream exposure.

Security experts warn that breaches involving biometric data are especially serious because unlike passwords or financial details, fingerprints and palm prints cannot simply be replaced once compromised.

Closing Summary

If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation. 

Disclaimer

The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.