Hackers exploit Windows flaws posted online

April 18, 2026

Summary

Huntress said hackers used publicly posted Windows exploit code to breach at least one organization.

Why this matters

The case shows how public release of exploit code can speed the use of unpatched flaws in real-world attacks. Windows users and organizations may need to apply available updates quickly and monitor for guidance on the remaining vulnerabilities.

Hackers broke into at least one organization using Windows vulnerabilities published online over the past two weeks by a security researcher, according to cybersecurity firm Huntress.

Huntress said Friday in posts on X that its researchers saw attackers exploiting three Windows flaws dubbed BlueHammer, UnDefend, and RedSun. It was not clear who was targeted or who carried out the attack.

Of the three, Microsoft had patched only BlueHammer. It rolled out a fix for that flaw earlier this week.

Huntress said the attackers appeared to be using exploit code published online by a researcher who goes by Chaotic Eclipse.

Earlier this month, Chaotic Eclipse published on a blog what the researcher said was code to exploit an unpatched Windows vulnerability, and suggested a dispute with Microsoft prompted the disclosure.

Days later, Chaotic Eclipse published UnDefend, and earlier this week published RedSun. The researcher posted code for all three exploits on GitHub.

More top news

Asia

Japan expands southern defenses amid U.S. doubts

Japan’s defense budget reached a record $58 billion for fiscal 2026, with much of the increase tied to the shift.

Full story +

Japan is shifting more of its military posture to its southwest islands as it responds to what officials call its most challenging security environment since World War II.

In late March, Japan deployed long-range missiles to Kumamoto Prefecture on Kyushu’s southwest coast. Unlike earlier defense installations, the missiles could reach China. Since 2019, Tokyo has ranked Beijing as its top national security threat, ahead of North Korea and Russia.

Defense Minister Shinjiro Koizumi said at the time that “Japan faces the most severe and complex security environment in the post-war era” and must strengthen its “deterrence and responsiveness.”

The buildup, described by analysts as a “southern shield,” has included weapons systems, electronic warfare units, and air assets across southern Japan and the Nansei, or Ryukyu, Islands, which stretch from Kyushu to within 100 kilometers (62 miles) of Taiwan. Kazuto Suzuki of the Institute of Geoeconomics said “the defence posture has completely shifted towards the southwest.”

The islands are also part of the U.S.-led “First Island Chain,” a maritime strategy intended to limit Chinese military access to the Pacific.

The change has also expanded Japan’s interpretation of self-defense. A 2014 constitutional ruling allowed participation in allies’ “collective self-defence.” In 2022, Japan’s national security strategy added “counterstrike capabilities,” allowing it to respond if attacked. Tokyo is set to acquire 400 U.S.-made Tomahawk missiles.

Tokyo is expected to release the next phase of its national security strategy later this year, covering 2026 to 2030.
Personal Finance

Oil tops $106 as U.S., Iran dispute disrupts Hormuz

U.S. stocks fell overnight. The S&P 500 slipped 0.41%, and the Nasdaq Composite dropped 0.89%.

Full story +

Oil prices rose above $106 a barrel early Friday as tensions between the United States and Iran in the Strait of Hormuz disrupted shipping through one of the world’s main energy routes.

Brent crude, the international benchmark, stood at $106.80 at 01:00 GMT, up nearly 5% from its closing price on Wednesday, when it moved above $100 a barrel for the first time in two weeks.

Shipping in the strait, which typically carries about one-fifth of global oil and natural gas supplies, remained largely halted as Iran said it wanted authority to decide which vessels may pass and the United States blocked Iran’s maritime trade.
World

U.S. says Iran can play in 2026 World Cup

On Wednesday, an Iranian government spokesperson said the Ministry of Sports and Youth had made all necessary arrangements for the team’s participation.

Full story +

U.S. Secretary of State Marco Rubio said Washington had not told Iran’s national team it could not play in the 2026 FIFA World Cup, but said some accompanying personnel could be barred if they had ties to Iran’s Islamic Revolutionary Guard Corps.

“Nothing from the US has told them they can’t come,” Rubio told reporters.

“The problem with Iran would be not their athletes. It would be some of the other people they would want to bring with them, some of whom have ties to the IRGC. We may not be able to let them in, but not the athletes themselves,” Rubio said.

“They can’t bring a bunch of IRGC terrorists into our country and pretend that they are journalists and athletic trainers,” Rubio added.

Washington has designated the Islamic Revolutionary Guard Corps as a foreign terrorist organization. President Donald Trump, speaking alongside Rubio, said his administration “would not want to affect the athletes.”

The World Cup is set to begin June 11 in the United States, Mexico, and Canada. Iran’s participation had been questioned because all of its group-stage matches are scheduled to be played in the United States.
World

U.S. says it seized tanker tied to Iranian oil

The seizure followed a day of attacks in the Strait of Hormuz, where Iran targeted three cargo ships and captured two of them.

Full story +

The U.S. military on Thursday said it seized another tanker linked to Iranian oil smuggling, a day after Iran’s paramilitary Revolutionary Guard took control of two vessels in the Strait of Hormuz.

The Defense Department released video it said showed U.S. forces on the deck of the Guinea-flagged tanker Majestic X in the Indian Ocean.

“We will continue global maritime enforcement to disrupt illicit networks and interdict vessels providing material support to Iran, wherever they operate,” the Pentagon said.

Ship-tracking data showed the Majestic X between Sri Lanka and Indonesia, near where U.S. forces earlier seized the tanker Tifani. The vessel had been bound for Zhoushan, China.

The tanker was previously named Phonix and was sanctioned by the U.S. Treasury Department in 2024 for smuggling Iranian crude oil in violation of U.S. sanctions on Iran.

There was no immediate response from Iran.

On Tuesday, President Donald Trump extended a ceasefire while maintaining an American blockade of Iranian ports. It remained unclear whether talks previously hosted by Pakistan would resume.
World

Zelenskyy Says U.S. Arms Flow Continues as Harry Visits

He said Russian losses from the strikes had reached tens of billions of dollars.

Full story +

U.S. weapons deliveries to Ukraine have continued despite the war in Iran, and Ukrainian long-range strikes have kept targeting Russian oil production and industrial sites, President Volodymyr Zelenskyy said Thursday.

“Of course, we are hitting what is painful for Russia, and it is very painful,” Zelenskyy said in voice messages to reporters.

The claims could not be independently verified. Russian officials have reported attacks on infrastructure in regions more than 1,000 kilometers (600 miles) inside Russia.

As Russia continued its invasion, which began Feb. 24, 2022, Ukraine used domestically developed drones and missiles to strike Russian territory. Ukraine also used U.S.-made Patriot air defense systems against Russian missile attacks, Zelenskyy said.

Prince Harry arrived in Kyiv on Thursday for his third visit in a year and praised Ukraine in remarks at a security conference.

Earlier Thursday, a Russian drone attack killed three people and wounded 10 in Dnipro, according to Oleksandr Hanzha, head of the regional military administration. He said a 13-story building and an administrative building were damaged.

Russia’s Defense Ministry said its air defenses intercepted 154 Ukrainian drones over Russian regions, the annexed Crimean Peninsula, the Sea of Azov, and the Black Sea.

In Russia’s Krasnodar region, authorities said 276 firefighters were battling for a third day a fire at the Black Sea port of Tuapse caused by a Ukrainian drone attack earlier this week.

In the Samara region, Gov. Vyacheslav Fedorishchev said a drone attack on an industrial facility in Novokuybyshevsk killed one person. He also said drone debris struck a residential roof in Samara, injuring several people, with one hospitalized.

Ukrainian officials said strikes also hit oil infrastructure in Samara, Nizhegorodskaya, and Nizhny Novgorod regions, including the Gorky oil pumping station. A senior Security Service of Ukraine official, speaking anonymously because he was not authorized to comment publicly, said three oil tanks were damaged and a large fire broke out.
Europe

Ukraine says sea drone launched interceptor at Shahed

The force said it was the first successful use of that method against a Shahed drone.

Full story +

Ukraine said it used an unmanned seaborne vehicle to launch an interceptor drone that brought down a Russian Shahed drone, a method it described as a first.

On Sunday, Ukraine’s Unmanned Systems Forces said its 412th Brigade Nemesis intercepted a Shahed attack by launching a Sting drone from an unmanned surface vessel.

“Using surface drone carriers to deploy interceptor drones expands air defense options and creates an additional layer of protection for Ukrainian cities,” the Unmanned Systems Forces wrote on X.

Cheap, domestically produced drones have become increasingly important for both sides in the war since Russia invaded Ukraine in February 2022. The conflict has produced heavy battlefield casualties and shifted into a war of attrition, in which Russia has used Shahed drones, a domestically produced unmanned aerial vehicle based on an Iranian design.

Many Russian drone attacks target cities in southeastern Ukraine and are launched over the Black Sea, where Ukraine has limited traditional naval capabilities. Ukraine’s reported interception could strengthen defenses for cities such as Odesa against attacks coming from that direction.

The United States has also increased investment in lower-cost drones, looking to lessons from Ukraine. In conflict involving Iran, the United States has used more expensive systems, including Tomahawk cruise missiles and Patriot air defense missiles. A single Patriot missile costs about $4 million, while a full Patriot battery and launcher cost billions.
Business

American rejects United merger, weighs Alaska ties

On Wednesday, reports surfaced that American and Alaska were in early-stage talks to deepen their relationship, potentially by bringing Alaska into American’s transatlantic and transpacific joint business arrangements

Full story +

American Airlines Chief Executive Robert Isom said Thursday that a merger with United Airlines would be anti-competitive and harmful to customers, while signaling that partnerships, including potentially deeper ties with Alaska Airlines, could offer another path for growth.

His comments came after United CEO Scott Kirby earlier this year raised the prospect of a tie-up with American to the Trump administration, as U.S. airlines faced tighter limits at congested hubs.

On American’s first-quarter earnings call, Isom said federal action to ease congestion at Chicago O’Hare International Airport would allow the airline to rebuild its schedule to about 500 daily departures.

The Federal Aviation Administration last week capped summer flights at O’Hare after airlines scheduled more service than the airport could handle, forcing carriers to reduce plans. Without those steps, O’Hare “would have likely been in a delay program for the very first flight of the day,” Isom said.

Isom said American would continue to compete with United in Chicago and said American remained open to opportunities if assets became available, but had nothing under consideration.
Business

Meta plans 10% job cuts, 6,000 roles left unfilled

Meta spent tens of billions of dollars on its metaverse efforts, including in AI to keep pace with competitors. Earlier this month, it introduced an overhauled AI product, Muse Spark.

Full story +

Meta planned to cut about 10% of its workforce, or roughly 8,000 employees, according to a Bloomberg report.

The company also planned not to fill 6,000 open roles. An internal memo, sent to employees Thursday and viewed by Bloomberg, said the cuts would begin May 20.

“We’re doing this as part of our continued effort to run the company more efficiently and to allow us to offset the other investments we’re making,” Chief People Officer Janelle Gale told employees, according to the memo. “This is not an easy tradeoff and it will mean letting go of people who have made meaningful contributions to Meta during their time here.”
Tech & Artificial Intelligence

Noscroll launches AI bot for personalized news digests

Startup Noscroll launched an artificial intelligence-powered service that reviews social feeds, news sites, and other online sources, then sends users text alerts and digests on topics they choose.

Full story +

Founder Nadav Hollander, formerly chief technology officer at OpenSea after selling his decentralized finance startup to the company in 2022, said he built Noscroll after spending time on X while between jobs.

“It’s phenomenally entertaining and really informative in ways you just don’t get from normal media,” Hollander told TechCrunch. “But it’s so toxic culturally, and it’s just very upsetting to read,” he said, comparing it to the nutritional equivalent of fast food. “You just feel terrible after it.”

Users start by texting Noscroll at (415) 718-4828, then connecting an X account. According to the company, that allows the service to access information such as likes, bookmarks, followed accounts, and followed posts.

Noscroll said its bot used multiple off-the-shelf AI models on the company’s infrastructure, with prompting customized to shape its responses. Users can tell the bot in natural language what topics they want to follow, what they do not want, and which sources to prioritize.

The service pulls from X, news sites, blogs, Reddit, Hacker News, Substack, research papers, local politics, and other sources, according to the company. It sends users text digests at a chosen frequency, from weekly updates to multiple alerts a day. The digests include links and brief AI-generated summaries. Users can also ask follow-up questions, add the bot to a group chat or Telegram group, and receive breaking-news alerts.

The company said the bot improves its recommendations over time based on user interests.

Noscroll cost $9.99 per month at launch. It offered a free sample digest and a seven-day trial, and users could cancel at any time.
Business

Porsche to add all-electric Cayenne coupe lineup

Prices start at $113,800 for the base model, $131,200 for the Cayenne S Coupe Electric, and $168,000 for the Cayenne Turbo Coupe Electric, not including a $2,350 delivery fee.

Full story +

Porsche will begin selling an all-electric Cayenne coupe in late summer, adding another electric sport utility vehicle to its lineup.

The four-door Cayenne Coupe Electric will arrive later this year alongside the Cayenne Electric, Cayenne S Electric, and Cayenne Turbo Electric. Porsche said the new model will not replace gasoline or hybrid Cayenne versions.

A Porsche spokesperson said the Cayenne coupe EV will be sold alongside other fuel variants well beyond 2030. That differs from the Porsche Macan compact SUV, which will be sold only as an EV after this year.

Porsche said the gas-powered Cayenne coupe, introduced in 2019, reached 20% of Cayenne sales within a year. The coupe variant now accounts for 40% of Cayenne sales, according to the company, and as much as 90% in some markets.

The Cayenne Coupe Electric will be offered in three versions: a base model, an S coupe, and a Turbo coupe.

All versions will include an 800-volt powertrain, air suspension, a revised roof design with a new windshield, an adaptive rear spoiler, a North American Charging Standard port, and a separate AC charging port.

Performance varies by model. The base coupe EV delivers up to 435 horsepower and 615 pound-feet of torque, with a top speed of 143 mph and a 0-to-60 mph time of 4.5 seconds.

The Turbo version produces up to 1,139 horsepower and 1,106 pound-feet of torque. It has a top speed of 162 mph and a 0-to-60 mph time of 2.4 seconds.