01
Agentic AI & Autonomous Malware
CRITICAL
CrowdStrike 2026: 89% YoY increase in AI-enabled attacks; eCrime breakout time 29 minutes (fastest: 27 seconds). 48% of security professionals identify agentic AI as top 2026 attack vector (Dark Reading poll). Microsoft April 2026: threat actor abuse of AI accelerating from tool to full cyberattack surface — adversaries weaponising agentic frameworks for autonomous recon, credential testing, and infrastructure rotation. First documented fully autonomous AI-orchestrated attack (Sep 2025): AI agent handled 80–90% of attack lifecycle without human control. Cascading multi-agent failure case: compromised procurement agent approved $3.2M in fraudulent orders before detection (Galileo AI/Barracuda, Apr 2026).
02
AI-Powered Deepfake Fraud
CRITICAL
US deepfake-related fraud losses tripled to $1.1B in 2025 (from $360M in 2024); projected $40B by 2027 (Deloitte). 72% of business leaders cite AI-enabled fraud as top operational challenge (Experian 2026). Experian warns of AI-powered emotionally intelligent bots sustaining dozens of simultaneous scam relationships. $25.6M Arup deepfake video-call heist remains landmark case. WEF March 2026: AI-fuelled cyber fraud now a global roadmap priority.
03
Software Supply Chain Hijacks
CRITICAL
Five major supply-chain attacks in Q1 2026. North Korean actors spread 1,700+ malicious packages across npm, PyPI, Go, and Rust ecosystems (Hacker News, Apr 2026). Axios npm (100M weekly downloads) compromised by UNC1069 — WAVESHAPER.V2 backdoor deployed (Google GTIG, Apr 2026). TeamPCP multi-phase campaign affected 60+ npm packages in Feb–Mar 2026, hitting LiteLLM (3.4M daily PyPI downloads), Trivy, KICS, Telnyx — harvesting cloud credentials and CI/CD secrets via incomplete credential rotation (Datadog, Mar 2026). 36+ malicious npm packages exploited Redis/PostgreSQL for persistent implants. Attackers increasingly gain trusted maintainer accounts rather than relying on typosquats (Zscaler ThreatLabz, Apr 2026).
04
Hyper-Speed Ransomware
CRITICAL
Over 7,500 organisations listed on leak sites in 2025 (+58% YoY); US attacks up 50% to 5,010 incidents (Recorded Future/Verizon 2026). 80% of ransomware attacks now leverage AI tools in some capacity. 57 new ransomware groups and 27 new extortion groups emerged in 2025. Median ransom paid jumped from $12.7K to $59.6K; mean recovery cost $1.53M; 64% of organisations refuse to pay. 87.6% of claims involve double extortion (encryption + exfiltration). Ransomware in 44% of all data breaches; 88% of SMB breaches. Top groups: Qilin, Akira, Clop, DragonForce, LockBit 5.0. Pure data extortion without encryption accelerating (StationX/BlackFog/VikingCloud, Apr 2026).
05
Identity-Centric Attacks (IAM Exploitation)
HIGH
Unit 42 2026: identity loopholes drive nearly 90% of all investigations. AiTM attacks increased 146% YoY with ~40,000 incidents detected daily. Starkiller phishing suite (Mar 2026) proxies real login pages via headless Chrome to bypass MFA in real time. Tycoon 2FA dismantled by Microsoft/Europol (early 2026) but successor platforms continue — accounted for 62% of phishing volume before takedown (30M+ fraudulent emails/month). >90% of credential compromises expected to involve automated phishing kits by end of 2026. SpyCloud 2026: 8.6B stolen session cookies recaptured; 84% of compromised accounts had MFA enabled. Token theft now dominant identity vector — AI-powered kits run real-time session hijacking at human speed (WorkOS/Hacker News, Apr 2026).
06
Cloud & SaaS Entitlement Abuse
HIGH
Cloud misconfigurations cause 99% of security failures — avg 43 misconfigurations per account; 490% YoY spike in public SaaS attacks (CheckRed 2026). 100% of analysed companies operate SaaS environments with embedded AI; 80% of incidents involve PII/customer data. IBM X-Force 2026: cloud risk defined by identity exposure, weak admin practices, insecure integrations, and limited telemetry. Google Cloud Threat Horizons H1 2026: attackers deploying cryptominers in GKE instances within 1 hour of creation. Shadow AI added $670K to average breach cost; 50% of companies experienced AI-related data exposure. SaaS-to-SaaS OAuth chains create lateral movement invisible to perimeter controls (CheckRed/IBM/Google, Apr 2026).
07
Post-Quantum Harvest-Now-Decrypt-Later
HIGH
Q-Day timeline accelerating sharply: three papers in three months have rewritten quantum resource estimates — what once required 20M qubits now potentially requires <100K under newer architectures (Quantum Insider, Mar 2026). Expert probability of cryptographically relevant QC in 10 years: 28–49% — highest ever recorded. 2026 designated "Year of Quantum Security" by FBI/NIST/CISA. Google sets 2029 internal PQC migration deadline; Pentagon 2030; UK NCSC three-phase: 2028/2031/2035; EU 18-nation statement targets CNI by 2030. >50% of web traffic through Cloudflare now uses PQ key agreement. NSA CNSA 2.0 mandates quantum-safe national security systems by Jan 2027. Canada mandates PQC plans from Apr 2026 (Quantum Insider/NCSC/NIST, Apr 2026).
08
Zero-Day Edge & IoT Exploitation
ELEVATED
Ivanti EPMM zero-days CVE-2026-1281/1340 (CVSS 9.8) exploited since July 2025 — state-linked exploitation confirmed 6 months before disclosure; widespread exploitation began immediately post-patch. Fortinet FortiClient EMS CVE-2026-35616 (CVSS 9.1) actively exploited from 31 Mar 2026 — watchTowr detected exploitation 4 days before Fortinet advisory; CISA KEV catalog added 6 Apr; 2,000+ exposed instances (Shadowserver). Enterprise edge and endpoint software confirmed as highest-risk zero-day battleground (CyberNewsCentre, 9 Apr 2026). Window between disclosure and mass exploitation collapsed to hours. Edge devices from Barracuda, Citrix, Fortinet, Ivanti, Palo Alto, SonicWall under sustained nation-state and eCrime campaigns (Unit42/watchTowr/Tenable, Apr 2026).
09
Geopolitical CNI Sabotage
ELEVATED
FBI confirms Salt Typhoon hacked 200+ companies across 80 countries (Aug 2025); Dec 2025: intrusions detected in US House committees. Volt Typhoon maintains 5+ year persistence in US energy, water, and transport CNI — rapidly rebuilt botnet after 2024 disruption. Feb 2026: Senator Cantwell demands AT&T/Verizon CEO testimony; Mandiant assessment reports still withheld. US House Oversight hearing concludes federal agencies need "proactive cybersecurity strategy" against state-sponsored threats. FBI IC3 2025 report: US cybercrime losses hit $21B — CNI threats intensifying. CISA counter-advisory AA25-239A targets Chinese actors worldwide. Finland flags Russian/Chinese cyber espionage targeting government and CNI. BRICKSTORM malware actively deployed against VMware vSphere (Congress.gov/CISA/FBI, Apr 2026).
10
Insider Risk — AI-Amplified
ELEVATED
Insider risk costs hit $19.5M per organisation annually — up 123% since 2018 (Proofpoint 2026). Only 10% report zero incidents (down from 17%); the proportion reporting 20+ incidents per year has doubled. 60% of organisations express high concern over AI-amplified insider risk; 73% of IT staff say AI creates invisible exfiltration paths. The fastest data exfiltration cases in 2026 occur 4× faster than in the prior year — one intrusion achieved exfiltration within 4 minutes of access. 39.7% of all AI interactions involve sensitive data, often unintentionally (Cyberhaven Labs). Only 20% are confident they can detect an AI-related insider incident before significant damage occurs. Gurucul 2026: "AI became an insider" — shadow AI added $670K to avg breach cost (IBM/Proofpoint/Cyberhaven, Apr 2026).