VYPR
trend · Published Apr 13, 2026 · Updated May 18, 2026 · 1 source

Check Point Weekly Threat Report: LAPD Breach, ChipSoft Ransomware, and Multiple Zero-Days

Check Point's latest threat intelligence bulletin details a major LAPD data breach, a ransomware attack on Dutch healthcare vendor ChipSoft, and active exploitation of critical vulnerabilities in Ivanti, Adobe, and Fortinet.

Check Point Research has released its weekly threat intelligence report for April 13, 2026, covering a wide range of active cyberattacks, vulnerabilities, and threat actor campaigns. The report highlights a significant data breach at the Los Angeles Police Department, a ransomware attack disrupting Dutch hospitals, and multiple zero-day vulnerabilities being exploited in the wild.

The Los Angeles Police Department disclosed a data breach involving a digital storage system used by the L.A. City Attorney's Office. The exposure included 7.7 terabytes and more than 337,000 files, containing personnel records, internal affairs material, and unredacted personal information. The breach underscores the ongoing risk to sensitive government data.

In the healthcare sector, ChipSoft, a Dutch vendor of the HiX platform used by hospitals across the Netherlands, suffered a ransomware attack that forced it to disable patient and provider services. Multiple hospitals disconnected from its systems, disrupting operations. ChipSoft warned that the threat actor may have gained unauthorized access to patient data.

The Qilin ransomware group claimed responsibility for an attack on German political party Die Linke, forcing the party to shut down its IT infrastructure in late March. Qilin threatens to leak stolen sensitive employee and party information.

On the vulnerability front, CISA warns of active exploitation of Ivanti CVE-2026-1340, a critical code injection flaw in Endpoint Manager Mobile that allows unauthenticated remote code execution. The vulnerability carries a CVSS score of 9.8 and affects multiple versions. Adobe Reader is affected by an actively exploited zero-day that uses malicious PDF files to invoke privileged features on fully updated systems, enabling local data theft. Researchers said the activity has run since at least December 2025, using Russian-language oil and gas lures.

Marimo maintainers released a fix for CVE-2026-39987, a critical remote code execution flaw in the Marimo Python notebook that allowed attackers to open a terminal without authentication. Exploitation was observed within hours of disclosure against internet-exposed instances. Fortinet fixed CVE-2026-35616, a critical improper access control flaw in FortiClient EMS that enables unauthenticated code or command execution. The issue has been actively exploited in the wild, prompting an emergency hotfix.

Check Point also reported on AI-related threats, including GrafanaGhost, an attack against Grafana’s AI components that can silently exfiltrate enterprise data via indirect prompt injection and image URL validation bypass. Researchers also outlined AI Agent Traps, a framework describing six web-based attack classes that can manipulate autonomous AI agents through malicious content.

The report further details a coordinated software supply chain campaign that planted 36 malicious npm packages impersonating Strapi plugins. The packages executed on installation to search for secrets, maintain command and control, and in some cases enable Redis remote code execution. Additionally, researchers linked Storm-1175, a financially motivated group associated with Medusa ransomware, to high-velocity exploitation of n-day and zero-day flaws, heavily impacting healthcare, education, finance, and services.
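Because the npm packages described above ran their code at install time, a useful defensive check is to list every locked dependency that declares an install script. The following is an added example, not code from the Check Point report or from npm or Strapi: it audits a parsed `package-lock.json` (lockfileVersion 2 or 3) using the lockfile's `hasInstallScript` field. The sample package names are constructed, and treating "mentions strapi but is outside the `@strapi/` scope" as a look-alike signal is an assumption of this example.

```javascript
// Constructed sample lockfile: all package names and versions are made up.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-cms", version: "1.0.0" },
    "node_modules/@strapi/plugin-users-permissions": { version: "0.0.1" },
    "node_modules/strapi-plugin-example-seo": { version: "0.0.1", hasInstallScript: true },
    "node_modules/example-native-addon": { version: "0.0.1", hasInstallScript: true },
    "node_modules/a/node_modules/strapi-plugin-example-nested": { version: "0.0.1", hasInstallScript: true },
  },
};

// Lockfile keys look like "node_modules/a/node_modules/@scope/b";
// the package name is whatever follows the last "node_modules/".
function packageName(lockPath) {
  const marker = "node_modules/";
  const i = lockPath.lastIndexOf(marker);
  return i === -1 ? lockPath : lockPath.slice(i + marker.length);
}

// Assumption: a name that mentions "strapi" but is not published under the
// @strapi/ scope presents itself as a Strapi plugin and is reviewed first.
function looksLikeStrapiPlugin(name) {
  return /strapi/i.test(name) && !name.startsWith("@strapi/");
}

// Returns every locked package that runs preinstall/install/postinstall code,
// with Strapi look-alikes sorted to the top of the review queue.
function auditLockfile(lock) {
  if (!lock || !lock.packages || typeof lock.packages !== "object") {
    throw new TypeError("expected a lockfileVersion 2 or 3 object with a 'packages' map");
  }
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages)) {
    if (path === "" || !meta || meta.hasInstallScript !== true) continue;
    const name = packageName(path);
    findings.push({
      name,
      path,
      version: meta.version ?? null,
      strapiLookalike: looksLikeStrapiPlugin(name),
    });
  }
  return findings.sort((a, b) =>
    Number(b.strapiLookalike) - Number(a.strapiLookalike) || a.name.localeCompare(b.name));
}
```

To run it against a real project, pass the result of `JSON.parse` on the project's `package-lock.json`. Installing with `npm ci --ignore-scripts` keeps lifecycle scripts from running while the flagged packages are reviewed.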

Synthesized by Vypr AI