Tags: vulnerability, high, AI Threats, Data Breach, Ransomware, Supply Chain Attack, Zero-day Exploitation, Akira

Apr 13, 2026 • urias

13th April – Threat Intelligence Report

Source: Check Point Research
Category: vulnerability
Severity: high

Executive Summary

This week's threat intelligence report documents significant cyber incidents, including a 7.7TB data breach at the Los Angeles Police Department exposing 337,000+ files, a ransomware attack on Dutch healthcare vendor ChipSoft that disrupted hospital services, and a $3.6M Bitcoin theft from Bitcoin Depot. Critical vulnerabilities in Ivanti Endpoint Manager (CVSS 9.8), Adobe Reader, Marimo, and FortiClient EMS are being actively exploited in the wild. Threat actor Storm-1175, linked to Medusa ransomware, is conducting rapid n-day and zero-day exploitation. AI-specific threats emerged, including GrafanaGhost prompt injection attacks and the AI Agent Traps framework, which describes how web content can manipulate autonomous agents. A supply chain campaign planted 36 malicious npm packages targeting Strapi plugins. Education remains the most targeted sector, with organizations averaging 1,995 weekly attacks. Immediate patching and endpoint protection are critical.

Summary

For the latest discoveries in cyber research for the week of 13th April, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

The Los Angeles Police Department has reported a data breach involving a digital storage system used by the L.A. City Attorney’s Office. The exposure included 7.7 terabytes and more than 337,000 files, […]

The post 13th April – Threat Intelligence Report appeared first on Check Point Research.

Published Analysis

TOP ATTACKS AND BREACHES

The Los Angeles Police Department has reported a data breach involving a digital storage system used by the L.A. City Attorney’s Office. The exposure included 7.7 terabytes and more than 337,000 files, including personnel records, internal affairs material, and unredacted personal information.

ChipSoft, a Dutch healthcare software vendor whose HiX platform is used by hospitals across the Netherlands, has suffered a ransomware attack that forced it to disable patient and provider services. Multiple hospitals disconnected from its systems, disrupting operations, and the company warned that the threat actor may have gained unauthorized access to patient data.

Ransomware group Qilin has taken responsibility for a cyber-attack targeting German political party Die Linke, which forced the party to shut down its IT infrastructure in late March. The party said membership databases were unaffected, while Qilin threatens to leak stolen sensitive employee and party information.

Check Point Endpoint and Threat Emulation provide protection against these threats (Ransomware.Wins.Qilin*)

Bitcoin Depot, a US cryptocurrency ATM operator with more than 25,000 kiosks and checkout locations, has disclosed a cyberattack that allowed attackers to steal credentials tied to digital asset settlement accounts. The attackers transferred more than 50 BTC worth more than $3.6M from company-controlled wallets before access was blocked.

AI THREATS

Researchers identified GrafanaGhost, an attack against Grafana’s AI components that can silently exfiltrate enterprise data by chaining indirect prompt injection with image URL validation bypass. The technique can expose financial, infrastructure, and customer information in the background, and Grafana has already addressed the weakness.

Researchers outlined AI Agent Traps, a framework describing six web-based attack classes that can manipulate autonomous AI agents through malicious content. The methods can inject hidden instructions, poison reasoning, corrupt memory, and steer tool use, showing how web pages can turn agent workflows into attack surfaces.

Researchers measured a growing AI supply chain risk, finding that third-party API routers for AI models can hijack agent tool calls to alter commands and steal credentials. In testing, several routers injected malicious code, abused intercepted cloud keys, and even triggered wallet theft from a researcher environment.

VULNERABILITIES AND PATCHES

CISA warns of active exploitation of Ivanti CVE-2026-1340, a critical code injection flaw in Endpoint Manager Mobile that allows unauthenticated remote code execution and full compromise of affected servers. The vulnerability carries a CVSS score of 9.8, affects multiple 12.5 through 12.7 releases, and has been exploited in the wild.

Check Point IPS provides protection against this threat (Ivanti Endpoint Manager Mobile Code Injection (CVE-2026-1340))

Adobe Reader is affected by an actively exploited zero-day that uses malicious PDF files to invoke privileged features on fully updated systems, enabling local data theft. Researchers said the activity has run since at least December 2025, uses Russian-language oil and gas lures, and may also enable further compromise.

Marimo maintainers released a fix for CVE-2026-39987, a critical remote code execution flaw in the Marimo Python notebook that allowed attackers to open a terminal without authentication and run commands. Exploitation was observed within...

Linked Entities

  • Akira
  • DragonForce
  • MEDUSA
  • Qilin
  • Storm-1175
  • CVE-2026-1340
  • CVE-2026-35616
  • CVE-2026-39987