Published Apr 20, 2026 · Updated May 18, 2026 · 1 source

Check Point Weekly Threat Report Highlights Booking.com, McGraw-Hill, and EssentialPlugin Breaches

Check Point's weekly threat intelligence report details multiple high-profile breaches, including Booking.com, McGraw-Hill, and EssentialPlugin, alongside active exploits for Apache ActiveMQ and Splunk.

Check Point Research has released its weekly threat intelligence report for the week of April 20, 2026, detailing a series of significant breaches and active exploits. The report covers incidents at Booking.com, McGraw-Hill, EssentialPlugin, and Basic-Fit, as well as active exploitation of vulnerabilities in Apache ActiveMQ, Splunk, and Microsoft Defender.

Booking.com confirmed unauthorized access to customer reservation data, exposing names, email addresses, phone numbers, physical addresses, and booking details. The company reset reservation PINs and notified affected users, but the breach creates a heightened risk of phishing attacks targeting travelers.

McGraw-Hill disclosed a data breach affecting approximately 13.5 million accounts after attackers accessed its Salesforce environment. Exposed data includes names, email addresses, phone numbers, and physical addresses, though no payment card information was reportedly compromised. The breach followed an extortion attempt.

EssentialPlugin, a WordPress plugin development firm, suffered a supply chain compromise that pushed malicious updates to more than 30 plugins installed on thousands of websites. The backdoored code enabled unauthorized access and spam page creation. WordPress.org has closed the affected plugins, but infections may persist on sites that have not yet cleaned their installations.

Basic-Fit, Europe's largest gym chain, reported a breach that exposed bank account details and personal data for approximately one million members across six countries. The attackers accessed a franchise-wide system used to track club visits, though passwords and identity documents were not affected.

On the vulnerability front, CISA warns of active exploitation of CVE-2026-34197, a high-severity code injection flaw in Apache ActiveMQ with a CVSS score of 8.8. Apache has addressed the issue in versions 5.19.4 and 6.2.3. Splunk released fixes for CVE-2026-20204, a high-severity vulnerability allowing low-privileged users to achieve remote code execution. Microsoft patched three actively exploited Defender zero-days—dubbed BlueHammer, RedSun, and UnDefend—that allow local privilege escalation and denial of service.

The report also highlights AI-driven threats, including a lone hacker who weaponized Claude Code and GPT-4.1 to breach nine Mexican government agencies, accessing 195 million taxpayer records and 220 million civil records. Additionally, a phishing campaign impersonating Anthropic's Claude AI uses a fake installer to sideload PlugX malware.

Check Point's report underscores the breadth of current threats, from supply chain attacks and credential theft to AI-powered intrusions and critical infrastructure targeting. Organizations are urged to apply patches promptly, monitor for indicators of compromise, and remain vigilant against evolving phishing and malware campaigns.

Synthesized by Vypr AI