☀️ Good morning. Here's everything that happened in cybersecurity yesterday — in under 5 minutes.
A browser-in-the-browser phishing campaign is wiping out YouTube channels, CISA adds a SharePoint zero-day and a 17-year-old Excel bug, attackers are turning automation tools into malware delivery systems, a critical Nginx UI flaw grants root access, and ransomware takes down Europe's automotive pricing infrastructure.
🔥 Top Stories
01 — Fake YouTube Copyright Strikes Are Hijacking Google Accounts — And They're Nearly Impossible to Spot
Identity Theft
A phishing campaign is targeting YouTube creators with fake DMCA copyright notices that know your channel name, subscriber count, and latest video. When victims click to contest the strike, a fake "Browser-in-the-Browser" Google login appears inside the webpage — every keystroke goes straight to attackers. Traditional URL verification doesn't catch it because the fake window is a graphical element, not a real browser popup. Credentials harvested, channel gone, Google ecosystem compromised — often before the victim realizes anything happened.
Vulnerabilities
Following Microsoft's April Patch Tuesday — 169 vulnerabilities patched in a single drop — CISA immediately added two to the KEV catalog. CVE-2026-32201: a SharePoint Server spoofing zero-day enabling session hijacking and lateral movement into M365 tenants. Patch by April 28. CVE-2009-0238: a 17-year-old Excel RCE bug from 2009 that's back in active use — likely targeting air-gapped or legacy industrial systems that haven't seen a patch since the Windows 7 era. Threat actors don't need new exploits when the old ones still work.
03 — Attackers Are Using n8n Webhooks as a Malware Delivery Pipeline
Cyber Attacks
Since October 2025, a campaign dubbed "n8mare" has been abusing n8n — a legitimate workflow automation tool — to host, verify, and deliver malware payloads including Lumma Stealer and Agent Tesla. The attack works because n8n is trusted: security filters whitelist its domains, and webhooks from it pass through cleanly. The workflow even checks if victims are real humans before serving the payload, bypassing sandbox detection. A critical RCE flaw (CVE-2026-21858) was patched in November — but Cisco Talos reports a second wave is now hitting unpatched self-hosted instances.
04 — Critical Nginx UI Flaw Gives Attackers Unauthenticated Root Access — CVSS 9.8
Vulnerabilities
CVE-2026-33032 in Nginx UI — a popular open-source web interface for managing Nginx servers — allows unauthenticated attackers to bypass login entirely and execute commands with root privileges. The flaw is in how the tool handles MCP integrations. Automated scanners are already probing port 9000 for exposed instances. Patch immediately: update to Nginx UI v2.3.4 or higher, and if you can't patch today, put it behind a VPN or strict IP allowlist. This is not the official Nginx product — it's a third-party management layer that runs with elevated system permissions.
05 — Ransomware Hits Autovista Group, Cutting Off Vehicle Pricing Data Across Europe
Ransomware
Autovista Group — the company behind Eurotax, Glass's, and Schwacke, which provide the standard vehicle valuation data for European dealerships and insurers — has confirmed a ransomware attack that has taken core systems offline. Car dealerships can't price trade-ins. Insurance adjusters can't process total-loss claims. Fleet managers can't operate. One attack on a data monopoly becomes a continent-wide operational freeze. Research from Halcyon puts the broader context: 44% of automotive companies reported a ransomware incident in the past year.
📊 By The Numbers
169 — Vulnerabilities patched in Microsoft's April Patch Tuesday — the largest single drop this year
9.8 — CVSS score for the Nginx UI flaw — near-perfect criticality, unauthenticated RCE
17 — Years old: the Excel CVE CISA just added to its active exploitation catalog
44% — Share of automotive companies that reported a ransomware attack in the past year
⚡ The Signal
Yesterday's stories share one thread: attackers are living inside the tools you've already decided to trust.
A fake login window that renders inside a real browser. Malware delivered through n8n — a tool your IT team whitelisted. A management interface running with root permissions that wasn't on your threat model. A 17-year-old Excel bug that nobody checked for because it was "solved" in 2009. A data provider so embedded in European automotive infrastructure that hitting it once stops an entire continent.
None of these required a zero-day. None of them required nation-state resources. Each one exploited the gap between what you're watching and what you've assumed was safe. The consistent lesson: your attack surface isn't just your systems — it's every tool, service, and automation layer connected to them.
🔍 What You May Have Missed
Microsoft awards $2.3M in its Zero Day Quest bug bounty — The largest payout in the program's history — 1,261 vulnerabilities reported across AI and cloud infrastructure during a live hacking event. The scale of what was found before attackers found it is both reassuring and sobering.
Netgear secures FCC exemption as foreign router ban takes effect — With TP-Link and other foreign-made routers facing federal restrictions, Netgear has been granted a rare exemption — signaling a quiet but significant reshaping of home and SMB network infrastructure.
Fiverr contests claims of data exposure via public search engines — Reports surfaced that freelancer profile data was indexed in ways that exposed sensitive details. Fiverr disputes the severity. Worth watching if your team uses the platform for contractor sourcing.
📅 What to Watch
SharePoint CVE-2026-32201 patch deadline — April 28 — federal mandate, but private sector should treat it the same
n8n self-hosted instances — if your team runs n8n, verify you're on v1.121.0 or higher and audit active webhooks
Autovista recovery timeline — if it drags past late April, expect a valuation backlog rippling through European automotive markets
Nginx UI port 9000 exposure — run a quick scan to confirm you have no public-facing instances before attackers find them first
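A self-audit sketch for the n8n and Nginx UI items above, added here as an example and not taken from either project: it flags installed versions below the fixed releases named in this issue and lists port 9000 listeners on your own host that are not bound to loopback only. The product labels, function names and the sample `ss` output are assumptions constructed for illustration.

```python
import ipaddress

# Fixed versions and port as stated in this newsletter; dict keys are labels chosen here.
MIN_FIXED = {"nginx-ui": (2, 3, 4), "n8n": (1, 121, 0)}
NGINX_UI_PORT = 9000

# Constructed sample of `ss -H -ltn` output (State Recv-Q Send-Q Local Peer).
SAMPLE_SS = """\
LISTEN 0 4096 127.0.0.1:9000 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:9000 0.0.0.0:*
LISTEN 0 511 [::]:443 [::]:*
LISTEN 0 4096 [::1]:9000 [::]:*
LISTEN 0 4096 10.0.4.7:9000 0.0.0.0:*
"""

def parse_version(text):
    """'v2.3.4' -> (2, 3, 4); pre-release/build suffixes are ignored."""
    core = text.strip().lstrip("vV").split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".")]
    return tuple((parts + [0, 0])[:3])  # pad '2.3' to (2, 3, 0)

def needs_update(product, version):
    """True if the installed version is older than the fixed release."""
    return parse_version(version) < MIN_FIXED[product]

def split_local(addr):
    """Split 'host:port' or '[v6]:port' into (host, port)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), int(port)

def exposed_listeners(ss_output, port=NGINX_UI_PORT):
    """Local addresses listening on `port` that are not loopback-only.

    A hit is a candidate to confirm: other services also use this port, and
    real reachability still depends on firewalls in front of the host.
    """
    hits = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, lport = split_local(fields[3])
        if lport != port:
            continue
        # '*' means every interface; strip any '%iface' scope before parsing.
        if host == "*" or not ipaddress.ip_address(host.split("%")[0]).is_loopback:
            hits.append(fields[3])
    return hits
```

On a live host, pass the text of `ss -H -ltn` to `exposed_listeners` in place of `SAMPLE_SS`.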
Stay sharp. Stay ahead.
Till next time,
The CyberSignal Team