WEEKLY TOP TEN: April 27, 2026, 16:00 GMT
- Bitwarden CLI Backdoored in Checkmarx Supply Chain Attack
On April 22, 2026, the Bitwarden CLI npm package, version 2026.4.0, was compromised for roughly 93 minutes as part of the ongoing Checkmarx TeamPCP supply chain campaign. Attackers abused a GitHub Actions workflow in Bitwarden’s CI/CD pipeline to publish a malicious release containing credential-harvesting code in a file named bw1.js. The payload targeted GitHub and npm tokens, SSH keys, shell history, and cloud credentials from AWS, Azure, and GCP environments. Bitwarden confirmed no vault data was compromised, revoked access, deprecated the malicious package, and released a clean version 2026.4.1. A CVE is being issued for the incident.
- Vercel Breached via Context AI Third-Party OAuth Supply Chain Attack
Cloud hosting platform Vercel disclosed a breach on April 19–20, 2026, traced to a compromised third-party AI tool, Context.ai, used by a Vercel employee. An attacker exploited OAuth tokens stolen from Context.ai to hijack the employee’s Google Workspace account, gaining access to internal Vercel environments and non-sensitive customer credentials. ShinyHunters claimed to have stolen source code and database keys, listing the data for $2 million on BreachForums. Investigation revealed that a Lumma Stealer infection of a Context.ai employee in February 2026 likely initiated the chain. Vercel has engaged Mandiant, notified law enforcement, and urged customers to rotate credentials.
- Cisco Catalyst SD-WAN Manager Bugs Added to CISA KEV Catalog
Three vulnerabilities in Cisco Catalyst SD-WAN Manager, tracked as CVE-2026-20128, CVE-2026-20133, and CVE-2026-20122, were added to CISA’s Known Exploited Vulnerabilities catalog on April 21, 2026, with federal agencies given four days to patch. Two of the three flaws, an information disclosure bug and an arbitrary file overwrite vulnerability, were already under active exploitation as of March 2026. The platform, formerly known as vManage, centrally manages SD-WAN deployments for large enterprises and can oversee up to 6,000 edge devices in a cluster. Cisco patched all three vulnerabilities in late February 2026 and has urged customers to apply updates immediately given the scope of potential network exposure.
- Critical Breeze Cache WordPress Plugin Flaw Under Active Exploitation
Attackers are actively exploiting CVE-2026-3844, a critical vulnerability with a CVSS score of 9.8, in the Cloudways Breeze Cache plugin for WordPress. The flaw stems from missing file-type validation in the fetch_gravatar_from_remote function, allowing unauthenticated attackers to upload arbitrary files to the server, potentially enabling remote code execution and full site takeover. Over 170 attack attempts were detected by Wordfence researchers across a plugin with more than 400,000 active installations. The vulnerability only affects sites with the “Host Files Locally – Gravatars” feature enabled. Cloudways released a patched version, 2.5.5, and administrators are urged to update immediately.
- Microsoft Defender Zero-Day CVE-2026-33825 Exploited as BlueHammer
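The defect class behind the Breeze Cache item is a remote-fetch routine that writes whatever it downloads to a local, web-served directory without checking what it received. The block below is an added illustration of that class and of the mitigation, written for this digest; it is not the plugin's own code, and the function names (store_gravatar_unsafe, store_gravatar_safe, cache_file_name) and the allow-list of image signatures are this example's assumptions. The hardened path validates the body by its magic bytes rather than by a URL or header, enforces a size cap, and derives the on-disk name from the content hash plus the detected type so the remote side never influences the file name or extension.

```python
import hashlib
from pathlib import Path
from typing import Optional

# Constructed allow-list of image signatures we are willing to cache locally.
_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def detect_image_type(data: bytes) -> Optional[str]:
    """Return the file extension for a recognised image body, else None.

    The decision is made on the bytes themselves; Content-Type headers and
    URL suffixes are attacker-controlled and deliberately ignored.
    """
    for sig, ext in _SIGNATURES.items():
        if data.startswith(sig):
            return ext
    # WebP is a RIFF container: "RIFF" <size> "WEBP".
    if len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "webp"
    return None


def cache_file_name(data: bytes, max_bytes: int = 512 * 1024) -> Optional[str]:
    """Choose the local file name for a fetched avatar, or None if it is rejected.

    The name is <sha256 prefix>.<detected ext>, so two callers fetching the
    same image share one file and nothing from the request reaches the path.
    """
    if len(data) > max_bytes:
        return None
    ext = detect_image_type(data)
    if ext is None:
        return None
    return hashlib.sha256(data).hexdigest()[:32] + "." + ext


def store_gravatar_unsafe(data: bytes, requested_name: str, cache_dir: Path) -> Path:
    """Vulnerable pattern (illustrative, not the plugin's code).

    The caller-influenced name decides the extension and no content check is
    made, so a fetched body that is really a script lands in a served
    directory with whatever extension the request asked for.
    """
    target = cache_dir / requested_name
    target.write_bytes(data)
    return target


def store_gravatar_safe(data: bytes, cache_dir: Path) -> Path:
    """Hardened pattern: validate by content, then write under a name we chose."""
    name = cache_file_name(data)
    if name is None:
        raise ValueError("fetched body is not an acceptable image")
    cache_dir.mkdir(parents=True, exist_ok=True)
    target = cache_dir / name
    target.write_bytes(data)
    return target
```

Pairing the content check with a cache directory that the web server is configured not to execute scripts from (for example via a `.htaccess` or server-block rule) gives a second, independent barrier if the validation is ever bypassed.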
The BlueHammer vulnerability in Microsoft Defender, tracked as CVE-2026-33825, has been exploited as a zero-day since at least April 10, 2026. Publicly disclosed by a disgruntled researcher known as Chaotic Eclipse on April 2, the flaw is a time-of-check to time-of-use race condition in Defender’s signature update mechanism that allows low-privileged users to gain SYSTEM privileges. Huntress researchers observed the exploit deployed alongside two other unpatched Windows zero-days, RedSun and UnDefend, in hands-on-keyboard intrusion activity. Microsoft patched CVE-2026-33825 in its April 2026 Patch Tuesday update. CISA subsequently added the flaw to its Known Exploited Vulnerabilities catalog.
- Bluesky Recovers from Iran-Linked 313 Team DDoS Attack
Bluesky confirmed it was fully restored on April 20, 2026, following a roughly 24-hour distributed denial-of-service attack that began April 15 by flooding the platform’s API with junk traffic, cutting off feeds, notifications, and search for millions of users. The Iran-linked hacktivist group 313 Team claimed responsibility and days later launched a similar but shorter attack against Mastodon. Bluesky confirmed no private user data was accessed, as the DDoS attack was designed to disrupt service rather than breach servers. The 313 Team is known for short-term disruption campaigns rather than data theft and has previously targeted Bahrain government websites and other social platforms.
- CrowdStrike LogScale Critical Path Traversal Vulnerability Disclosed
CrowdStrike disclosed a critical vulnerability, tracked as CVE-2026-40050, affecting self-hosted deployments of its LogScale log management platform on April 24, 2026. The unauthenticated path traversal flaw resides in a specific cluster API endpoint that, if exposed, allows a remote attacker to read arbitrary files from the server filesystem without any credentials. CrowdStrike confirmed that Next-Gen SIEM customers are unaffected and that SaaS-hosted LogScale customers were protected through network-layer mitigations applied on April 7, 2026. The flaw was discovered internally through continuous product testing, and the company reports no evidence of exploitation in the wild. Self-hosted LogScale customers must urgently upgrade to a patched version.
- Itron Discloses Cybersecurity Breach Via SEC 8-K Filing
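Path traversal in a file-serving endpoint, the class the LogScale advisory describes, is prevented by containing the client-supplied name inside the intended directory and detected by watching request logs for traversal markers. The block below is an added example written for this digest; it is not CrowdStrike code and says nothing about the real endpoint. The base directory, the `/api/v1/files/` path and the access-log lines are constructed for the example. `safe_join` decodes percent-encoding (twice, so double-encoded dots are seen), rejects absolute names and any `..` component, then resolves the candidate and confirms the real base directory is still one of its parents, which also catches a symlink inside the directory pointing outside it. `flag_traversal_attempts` applies the same markers to log lines so a self-hosted operator can check for attempts before and after patching.

```python
import re
from pathlib import Path
from typing import List, Optional
from urllib.parse import unquote


def safe_join(base_dir: str, requested: str) -> Optional[str]:
    """Map a client-supplied relative file name onto base_dir.

    Returns the resolved path to serve (POSIX form), or None when the name is
    empty, absolute, contains a NUL byte or a '..' component (after decoding),
    or resolves outside base_dir.
    """
    # Decode twice so that double-encoded sequences such as %252e are seen too.
    name = unquote(unquote(requested))
    if not name or "\x00" in name or name.startswith(("/", "\\")):
        return None
    if ".." in name.replace("\\", "/").split("/"):
        return None
    base = Path(base_dir).resolve()
    candidate = (base / name).resolve()
    # Must be strictly below base: serving base itself is never a file read.
    if base not in candidate.parents:
        return None
    return candidate.as_posix()


# Traversal markers: '..' in plain, single- or double-encoded form followed
# by a separator in plain or encoded form. Case-insensitive for %2F vs %2f.
TRAVERSAL_RE = re.compile(
    r"(?:\.\.|%2e%2e|%252e%252e)(?:/|\\|%2f|%5c)", re.IGNORECASE
)

# Constructed access-log lines for the example (not real LogScale logs).
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Apr/2026:10:01:02 +0000] "GET /api/v1/files/reports/2026.csv HTTP/1.1" 200 512',
    '203.0.113.7 - - [24/Apr/2026:10:01:09 +0000] "GET /api/v1/files/..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1804',
    '198.51.100.9 - - [24/Apr/2026:10:02:30 +0000] "GET /api/v1/files/%252e%252e/%252e%252e/etc/hostname HTTP/1.1" 403 0',
]


def flag_traversal_attempts(log_lines: List[str]) -> List[str]:
    """Return the request paths in access-log lines that carry traversal markers."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST|HEAD) (\S+)', line)
        if m and TRAVERSAL_RE.search(m.group(1)):
            hits.append(m.group(1))
    return hits


if __name__ == "__main__":
    print(safe_join("/opt/example-files", "reports/2026.csv"))
    print(safe_join("/opt/example-files", "..%2F..%2Fetc%2Fpasswd"))
    for hit in flag_traversal_attempts(SAMPLE_LOG):
        print("traversal attempt:", hit)
```

The second sample line has a 200 status, which is the case an operator cares about: a marker plus a successful response on an unpatched instance is worth treating as a confirmed read, not just an attempt.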
U.S. utility technology giant Itron, Inc. disclosed a cybersecurity incident via a Form 8-K filing with the Securities and Exchange Commission on April 22, 2026, reporting that an unauthorized third party gained access to certain internal corporate systems on April 13, 2026. The company activated its incident response plan, engaged external advisors, and notified law enforcement. Itron confirmed that no unauthorized activity was observed in customer-hosted portions of its systems, a critical distinction given the company’s role in smart energy, water, and city infrastructure. Operations continued largely unaffected due to contingency plans and backups. No ransomware group has claimed responsibility, and the scope of the breach remains under investigation.
- CISA Adds Cisco Catalyst, Zimbra, PaperCut, and TeamCity Flaws to KEV
CISA expanded its Known Exploited Vulnerabilities catalog on April 21, 2026, adding six flaws affecting Cisco Catalyst SD-WAN Manager, Kentico Xperience, PaperCut NG/MF, Synacor Zimbra Collaboration Suite, Quest KACE Systems Management Appliance, and JetBrains TeamCity. Federal agencies were given deadlines of April 23 and May 4, 2026, depending on the severity of each flaw. The PaperCut vulnerability was previously weaponized by Clop and LockBit ransomware operators in 2023, while the JetBrains TeamCity flaw was rapidly exploited after disclosure to deploy backdoors on build servers. The Cisco SD-WAN flaws carry high exploitation risk given the platform’s central role in managing enterprise network infrastructure.
- Oracle Patches 450 Vulnerabilities in April 2026 Critical Patch Update
Oracle released its April 2026 Critical Patch Update on April 22, 2026, issuing 481 new security patches across 28 product families and addressing approximately 450 unique CVEs. More than 300 of the fixes target remotely exploitable, unauthenticated flaws, making this one of Oracle’s largest patch releases in recent history. Oracle Communications received the highest number of fixes at 139, followed by Financial Services Applications with 75 patches, 59 of which address remote unauthenticated vulnerabilities. Fusion Middleware also received 59 patches covering 46 remotely exploitable flaws. The update follows Oracle’s emergency patch released in March 2026 for a critical remote code execution vulnerability in Identity Manager.
Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The preceding 10 stories were judged the most significant of the week, ranked from highest risk, and compiled from multiple sources where available.