The CyberWire Daily Podcast 4.14.26
Ep 2530 | 4.14.26

France builds its own digital future.

Transcript

France pushes digital sovereignty. Adobe rushes an Acrobat Reader patch. Booking.com confirms a targeted breach. SAP fixes a critical SQL injection bug. A sanctions-dodging fraud network resurfaces. ViperTunnel infiltrates U.S. and U.K. firms. GlassWorm spreads across developer tools. Researchers dissect Predator spyware’s kernel engine. A lawsuit challenges AI transcription in hospitals. Ted Shorter from Keyfactor unpacks quantum computing at scale. On our Threat Vector segment, David Moulton and Elad Koren pull back the curtain on agentic-first security. Preparing for post-quantum perils.

Today is Tuesday April 14th 2026. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

France leads the EU toward digital sovereignty. 

France is accelerating efforts to reduce reliance on U.S. technology across its public sector, with all government ministries required to submit plans by this fall outlining how they will shift toward European or open-source alternatives. The Interministerial Directorate for Digital Affairs (DINUM) has already begun migrating from Microsoft Windows to Linux and replacing foreign videoconferencing tools with the domestic Visio platform. Officials describe the initiative as part of a broader strategy to strengthen “digital sovereignty” and regain control over data, infrastructure, pricing, and vendor risk.

Although DINUM itself is small, the directive signals a government-wide shift affecting areas such as workstations, antivirus, artificial intelligence, databases, virtualization, and collaboration tools. France has also moved tens of thousands of health insurance staff onto domestic platforms including Tchap and France Transfert. The effort reflects a wider European trend, with Denmark, Germany, and Austria pursuing similar transitions amid concerns about dependence on U.S. providers.

Adobe issues an emergency patch for Acrobat Reader. 

Adobe has issued an emergency security update for Acrobat Reader to address CVE-2026-34621, a zero-day vulnerability exploited in attacks since at least December. The flaw allows malicious PDF files to bypass sandbox protections and access privileged JavaScript APIs, enabling arbitrary code execution and theft of local files simply by opening a document. The issue was identified by EXPMON founder Haifei Li after analysis of a suspicious sample, with additional attacks reported using Russian-language oil and gas lures. Adobe initially rated the flaw critical before lowering its severity score and released patches for affected Windows and macOS versions. With no mitigations available, users are advised to update immediately.

Booking.com warns customers of a targeted data breach. 

Booking.com has notified customers of a targeted data breach involving unauthorized access to portions of its reservation records. Exposed information may include names, email addresses, phone numbers, postal addresses, and booking details, though the company says payment data was not affected. Booking.com reported it detected and contained the activity, reset booking-related PIN codes, and warned users to watch for suspicious communications impersonating hotels or support staff. Security experts caution that access to real reservation details could enable highly convincing phishing, smishing, or vishing attacks. The company has not disclosed how the breach occurred or how many users were impacted. Given its large global user base, analysts say the lack of detail increases risk, and customers should treat unexpected booking-related messages with caution.

SAP patches a critical SQL injection flaw. 

SAP released 20 security notes in its April 2026 Patch Day update, including fixes for a critical SQL injection flaw, CVE-2026-27681, affecting Business Planning and Consolidation and Business Warehouse. The bug could allow low-privileged users to execute arbitrary SQL and access or alter sensitive financial data. SAP also patched a high-severity authorization issue in ERP and S/4HANA, alongside multiple medium- and low-severity vulnerabilities across several products. No active exploitation has been reported. Users are advised to apply updates promptly.

An Asian fraud network dodges global sanctions. 

Triad Nexus, a large cybercrime operation linked to Asian organized crime, has continued global fraud activity despite sanctions, according to Silent Push. Active since at least 2020, the group has caused more than $200 million in losses through cryptocurrency investment scams known as “pig butchering,” along with brand impersonation and phishing campaigns. After U.S. sanctions targeted its infrastructure partner Funnull, Triad Nexus shifted tactics using front companies, cloud services, account mules, and infrastructure laundering to maintain operations. The group now geo-fences U.S. users and is expanding into Spanish, Vietnamese, and Indonesian markets. It also continues relying on bulletproof hosting and hundreds of rotating domains to evade detection while targeting major financial institutions and global brands with convincing cloned websites.

The ViperTunnel backdoor targets U.S. and U.K. businesses. 

ViperTunnel, a newly identified backdoor discovered by InfoGuard, has been found inside networks of U.S. and U.K. businesses and is being used to maintain persistent access later sold to ransomware groups such as RansomHub. Often deployed after FAKEUPDATES (SocGholish) infections, the tool hides inside a standard Python module that automatically executes malicious code. Disguised as a system file and protected with multiple encryption layers, it establishes a covert SOCKS5 proxy over port 443 to blend into normal traffic. Researchers link the malware to UNC2165, associated with EvilCorp. Its evolving modular design and early Linux indicators suggest possible future cross-platform targeting.

GlassWorm expands its operations. 

GlassWorm has expanded from malicious npm packages into a broader software supply chain operation targeting GitHub, npm, Visual Studio Code ecosystems, and developer browser extensions, according to Aikido Security. In its latest activity, attackers distributed a fake OpenVSX extension impersonating WakaTime that deployed a Zig-compiled binary dropper with full system access outside the JavaScript sandbox. The malware scans for IDEs such as VS Code, Cursor, and VSCodium, then installs additional malicious extensions across them and removes installation traces. The second-stage payload communicates with a Solana-based command-and-control infrastructure, steals data, and installs a persistent remote access trojan, including a malicious Chrome extension. Researchers advise treating affected systems as compromised and rotating exposed credentials immediately.
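One practical way to act on that advice, as an added example that is not Aikido's tooling or anything from the GlassWorm analysis: a Python audit that walks the conventional per-user extension directories of VS Code, Cursor and VSCodium and flags any extension that is outside an allowlist, any folder whose manifest does not match its own name, and any bundled native executable, which is the shape of dropper the report describes. The directory names, the allowlist, and the two lookalike extensions in the fixture are assumptions constructed for the example; check the paths against your own platform before relying on them.

```python
"""Audit VS Code-family extension folders for extensions an operator did not expect.

Added example (not Aikido's or GlassWorm's code). Extension roots are the
conventional per-user paths; treat them as an assumption and adjust per platform.
"""
from __future__ import annotations

import json
import tempfile
from pathlib import Path

# Per-user extension roots for the IDEs named in the report (assumption).
IDE_EXTENSION_DIRS = {
    "vscode": ".vscode/extensions",
    "vscode-insiders": ".vscode-insiders/extensions",
    "cursor": ".cursor/extensions",
    "vscodium": ".vscode-oss/extensions",
}

# Executable file magics: PE, ELF, Mach-O (thin, both endiannesses) and fat binaries.
NATIVE_MAGIC = (b"MZ", b"\x7fELF", b"\xcf\xfa\xed\xfe", b"\xce\xfa\xed\xfe",
                b"\xfe\xed\xfa\xcf", b"\xfe\xed\xfa\xce", b"\xca\xfe\xba\xbe")

# Extensions this (hypothetical) organisation expects to see: "publisher.name".
ALLOWLIST = {"ms-python.python", "wakatime.vscode-wakatime"}


def read_manifest(ext_dir: Path) -> dict | None:
    """Return publisher/name/version from package.json, or None if unreadable."""
    manifest = ext_dir / "package.json"
    try:
        data = json.loads(manifest.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return None
    pub = str(data.get("publisher", "")).lower()
    name = str(data.get("name", "")).lower()
    return {"id": f"{pub}.{name}", "publisher": pub, "name": name,
            "version": str(data.get("version", ""))}


def is_native(path: Path) -> bool:
    """Magic-byte check, so a dropper without a telltale suffix is still caught."""
    try:
        with path.open("rb") as fh:
            head = fh.read(4)
    except OSError:
        return False
    return any(head.startswith(m) for m in NATIVE_MAGIC)


def native_binaries(ext_dir: Path) -> list[str]:
    return sorted(p.relative_to(ext_dir).as_posix()
                  for p in ext_dir.rglob("*") if p.is_file() and is_native(p))


def audit(home: Path, allowlist: set[str]) -> list[dict]:
    """Walk every known extension root under `home` and return suspicious entries."""
    findings = []
    for ide, rel in IDE_EXTENSION_DIRS.items():
        root = home / rel
        if not root.is_dir():
            continue
        for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
            reasons = []
            meta = read_manifest(ext_dir)
            if meta is None:
                meta = {"id": ext_dir.name.lower(), "publisher": "", "name": "", "version": ""}
                reasons.append("unreadable-or-missing-manifest")
            elif meta["id"] not in allowlist:
                reasons.append("not-in-allowlist")
            # The folder is normally "<publisher>.<name>-<version>"; a manifest that
            # claims a different identity than its folder is a classic overwrite trick.
            if meta["publisher"] and not ext_dir.name.lower().startswith(meta["id"]):
                reasons.append("folder-manifest-mismatch")
            bins = native_binaries(ext_dir)
            if bins:
                reasons.append("bundles-native-binary")
            if reasons:
                findings.append({"ide": ide, "path": str(ext_dir), "id": meta["id"],
                                 "version": meta["version"], "reasons": reasons,
                                 "binaries": bins})
    return findings


def build_fixture(home: Path) -> None:
    """Constructed sample data: one legitimate extension and two lookalikes."""
    def put(ide_rel: str, folder: str, manifest: dict, binary: str | None = None) -> None:
        d = home / ide_rel / folder
        d.mkdir(parents=True)
        (d / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
        if binary:
            (d / binary).parent.mkdir(parents=True, exist_ok=True)
            (d / binary).write_bytes(b"\x7fELF" + b"\x00" * 60)  # fake ELF header
    put(".vscode/extensions", "ms-python.python-2024.1.0",
        {"publisher": "ms-python", "name": "python", "version": "2024.1.0"})
    put(".cursor/extensions", "wakatlme.vscode-wakatime-1.0.0",   # typo-squat (constructed)
        {"publisher": "wakatlme", "name": "vscode-wakatime", "version": "1.0.0"}, "bin/helper")
    put(".vscode-oss/extensions", "ms-python.python-2024.1.0",     # folder lies about contents
        {"publisher": "evil", "name": "dropper", "version": "0.1"})


def demo() -> list[dict]:
    """Build the fixture in a scratch home directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        build_fixture(home)
        return audit(home, ALLOWLIST)


if __name__ == "__main__":
    for f in demo():
        print(f["ide"], f["id"], f["version"], ", ".join(f["reasons"]), f["binaries"])
```

Run it against a real account by calling `audit(Path.home(), ALLOWLIST)` with your own allowlist; because the extension roots are shared across IDEs only by convention, an extension that appears in a directory it was never installed into from that IDE is itself a finding worth chasing, and anything that bundles a native binary should be pulled off the box for analysis rather than merely uninstalled.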

Researchers unpack Predator spyware’s kernel exploitation engine. 

Predator spyware uses a previously unreported kernel exploitation engine to achieve deep system access on iPhones running iOS versions prior to 17, according to new reverse-engineering research from Jamf. The framework relies on a kernel read and write primitive called FDGuardNeonRW, which repurposes ARM NEON vector registers as a covert channel to access kernel memory. This enables Predator to bypass protections such as Pointer Authentication Codes by locating signing gadgets inside Apple’s JavaScriptCore framework and using a precomputed cache of signed pointers for fast hook execution. Additional components support remote function execution across processes, transfer kernel privileges between helper modules, and resolve Objective-C methods despite address randomization. The toolkit supports 21 iPhone models through the A16 generation. Researchers say the architecture highlights the growing sophistication of commercial spyware post-exploitation techniques and their ability to undermine hardware-level defenses.

A class action targets hospital use of AI transcription. 

A proposed federal class action lawsuit alleges Sutter Health and MemorialCare Medical Foundation violated privacy laws by using an AI documentation tool from Abridge AI to record patient-clinician conversations without informed consent. Plaintiffs claim the system captured sensitive medical details, including symptoms, diagnoses, medications, and mental health disclosures, then transmitted transcripts outside clinical environments for processing. The lawsuit alleges violations of California privacy statutes, medical confidentiality rules, unfair business practices laws, and a federal wiretapping law. Abridge’s “ambient clinical documentation” platform automates note-taking during appointments, addressing physician workload tied to electronic records. Legal experts say organizations adopting such tools must ensure clear notice, opt-out options, and appropriate data governance, and may require HIPAA business associate agreements if vendors retain recordings or transcripts.


Preparing for post-quantum perils. 

It’s World Quantum Day, and while it’s unlikely you’ll find the perfect greeting card for your favorite Quantum engineer at the local Hallmark Store, the folks at QuSecure gently suggested that organizations stop staring at the quantum horizon like amateur astronomers waiting for a comet and start migrating to post-quantum cryptography now. The company argues the real risk is not guessing when quantum computers will break today’s encryption, but how long it takes to replace that encryption once everyone agrees they will. Recent signals from Google, Cloudflare, and India, all pointing toward 2029 migration timelines, reinforce the message that the clock is already ticking, even if no one agrees exactly when midnight arrives.

QuSecure says large enterprises often need up to a decade to complete migration, which makes “wait and see” less strategy and more procrastination with paperwork. It also warns that inventory exercises without pilot deployments waste time, and that crypto-agility is becoming essential as threats evolve faster. In short, the future may be uncertain, but the migration backlog is very real.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.


N2K’s lead producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I’m Dave Bittner. Thanks for listening.