Australian Cyber Threat Briefing: Exploited Repositories, AI Risks, and Zero-Day Ransomware

As a senior penetration tester monitoring the evolving tactics of threat actors, it is clear that the attack surface for Australian organisations is expanding at an unprecedented rate. Over the last 24 hours up to 09 April 2026, the Australian threat landscape has seen aggressive moves by ransomware operators, the active exploitation of artificial intelligence workflows, and critical high-priority alerts from the Australian Cyber Security Centre (ACSC).

Here is our daily deep dive into the most pressing threats affecting Australian organisations across key sectors, including actionable intelligence on exploited web applications, APIs, cloud environments, and AI systems.

1. SaaS Providers, eCommerce, and FinTech: Supply Chain and API Threats

The Threat: The ACSC has re-issued a "High Alert" to Australian leaders regarding the active targeting of online developer code repositories. Threat actors are compromising authentication tokens and abusing valid tooling to scan for cryptographic secrets, alter public packages, and covertly migrate private repositories to public access. This poses a massive supply-chain risk for SaaS platforms and FinTechs processing critical eCommerce transactions. Exploited Vulnerabilities:

  • ActiveMQ Jolokia API (CVE-2026-34197): We are tracking an unauthenticated Remote Code Execution (RCE) vulnerability in Apache ActiveMQ, a middleware widely used in FinTech and eCommerce for message brokering. Attackers are abusing the Jolokia REST API to fetch remote configurations and run arbitrary OS commands.
  • Cloud Privilege Escalation: A recently addressed flaw in the Google Cloud Vertex AI Agent Engine allowed attackers to extract service agent credentials, enabling them to pivot across customer cloud projects and access sensitive storage and Artifact Registries.

2. Healthcare and Legal Services: High-Tempo Ransomware Operators

The Threat: The healthcare sector, alongside third-party service providers like legal firms handling highly sensitive data, remains in the crosshairs of rapid-deployment ransomware groups. Threat actor Storm-1175 has accelerated its operations, aggressively targeting internet-facing assets in Australia, the UK, and the US to deploy Medusa ransomware. Exploited Vulnerabilities: Storm-1175 operates high-velocity campaigns using a slew of zero-day vulnerabilities, including recent flaws in SmarterMail (CVE-2026-23760) and GoAnywhere MFT (CVE-2025-10035). Their time from initial access to ransomware deployment has shrunk to under 24 hours, highlighting the urgent need for robust external attack surface management.

3. Government and IoT: Regulatory Enforcement and Targeted Campaigns

The Threat: As of last month, Australia’s new mandatory smart device security rules are actively enforced under the Cyber Security Act 2024. This means IoT manufacturers are now legally accountable for baseline security, including banning default passwords and mandating vulnerability disclosure. Meanwhile, government networks continue to face highly sophisticated, targeted espionage. Exploited Vulnerabilities: The "TrueChaos" campaign has been observed exploiting a zero-day vulnerability (CVE-2026-3502) in on-premises communication update processes to push Havoc payloads into government networks across the Asia-Pacific region.

4. Education & EdTech: The Skills Gap and Sector Vulnerabilities

The Threat: The education sector continues to be heavily targeted by ransomware syndicates like Qilin, who only yesterday claimed a breach of Australian tech firm Seeing Machines. EdTech platforms must remain incredibly vigilant, particularly regarding student data privacy. However, there is positive news: the Cyber Battle Australia 2026 programme officially kicks off this month. This nationwide initiative aims to combat severe skills shortages by bringing practical, mission-based learning—covering web vulnerabilities, Linux fundamentals, and cryptography—to students across the country.

5. AI Systems: Weaponised Prompt Injection and Malicious Workflows

The Threat: Artificial Intelligence is no longer just a defensive tool; it is a direct attack vector. The ACSC has just released guidance on the cyber security impacts of Frontier AI models, warning organisations to aggressively review their security baselines. Exploited Vulnerabilities:

  • Flowise AI (CVE-2025-59528): Over the past 48 hours, we have seen the first in-the-wild exploitation of this critical flaw in Flowise (a UI for LangChain). Attackers are injecting arbitrary JavaScript code, compromising thousands of exposed AI workflows globally.
  • AI Code Editors ("NomShub"): We are tracking novel prompt injection vulnerabilities in autonomous developer tools where attackers use malicious repositories to execute shell commands within the developer's environment—effectively turning a prompt injection attack into an RCE.

Penetration Tester’s Recommendations

The attack surface is expanding rapidly across APIs, cloud architectures, and AI pipelines. Traditional vulnerability scanning is no longer sufficient to stop identity-based cloud pivoting or AI prompt injections. Australian organisations must adopt a proactive, "assume breach" mentality, enforce strict credential hygiene in code repositories, and continuously test internet-facing infrastructure against real-world adversary behaviour.

Contact us for a quote for penetration testing service or adversary simulation.

Contact us for a quote