Weekly Cyber Threat Digest: April 27th – Major Breaches, AI Exploits, and Critical Patches
Introduction
This week's cyber threat landscape has been marked by a series of high-profile breaches targeting cloud platforms, identity authorities, health research organizations, and password managers. Simultaneously, new AI-driven attack tools and critical software vulnerabilities have emerged, demanding immediate attention from security teams. Below, we break down the most significant incidents and patches reported as of April 27th.

Top Attacks and Breaches
Vercel and Context.ai – OAuth Token Compromise
Frontend cloud platform Vercel disclosed a security incident linked to a compromise at Context.ai. Stolen OAuth tokens enabled unauthorized access through a connected application, exposing employee information, internal logs, and a subset of environment variables. Vercel stated that the most sensitive secrets were not included in the breach. The incident highlights risks associated with third-party integrations and token management.
France Titres Data Breach
France Titres, the French authority for identity and registration documents, detected a data breach on April 15. The incident may have exposed names, birth dates, email addresses, login IDs, and some physical addresses and phone numbers. A hacker has offered purported agency data for sale on the dark web. Affected individuals should monitor for identity theft and phishing attempts.
UK Biobank Breach – Health Data on Sale
The UK Biobank, a major research organization, confirmed a breach after de-identified health data on 500,000 volunteers was advertised for sale on Chinese marketplaces. Officials said the listings were removed and the data was believed to be unsold, but as a precaution access was suspended, the research platform was shut down, and download limits were imposed. The incident raises concerns about the security of genomic and health datasets.
Bitwarden Supply-Chain Attack via npm
Popular password manager Bitwarden suffered a supply-chain attack after a malware-tainted CLI release was published to npm on April 22. Version 2026.4.0 was installed by 334 developers during a brief window, potentially exposing credentials. A hijacked GitHub account was abused to push the malicious package, but Bitwarden confirmed vault data remained unaffected. Developers who installed the version should rotate credentials immediately.
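As an added defender-side check, not code from the digest or from Bitwarden, the following Python scans an npm package-lock.json for the tainted release named above; it assumes the CLI's npm package name is @bitwarden/cli and runs against a constructed sample lockfile.

```python
"""Flag the malware-tainted Bitwarden CLI release reported in the digest."""
import json

# Tainted release reported in the digest; package name assumed to be @bitwarden/cli.
TAINTED = {"@bitwarden/cli": {"2026.4.0"}}


def tainted_entries(lockfile_text: str) -> list[tuple[str, str]]:
    """Return (install path, version) pairs in a package-lock.json matching TAINTED.

    Handles lockfileVersion 2/3 ("packages" map) and 1 (nested "dependencies").
    """
    lock = json.loads(lockfile_text)
    hits: list[tuple[str, str]] = []

    # lockfileVersion 2/3: "node_modules/@scope/name" -> {"version": ...}
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project itself
            continue
        name = path.split("node_modules/")[-1]
        if meta.get("version") in TAINTED.get(name, set()):
            hits.append((path, meta["version"]))

    # lockfileVersion 1: "dependencies" objects nest further "dependencies"
    def walk(deps: dict, prefix: str) -> None:
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            if meta.get("version") in TAINTED.get(name, set()):
                hits.append((path, meta["version"]))
            walk(meta.get("dependencies", {}), path + "/")

    if "packages" not in lock:
        walk(lock.get("dependencies", {}), "")
    return hits


# Constructed sample lockfile (not from any real project).
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app"},
        "node_modules/@bitwarden/cli": {"version": "2026.4.0"},
        "node_modules/left-pad": {"version": "1.3.0"},
    },
})

if __name__ == "__main__":
    for path, version in tainted_entries(SAMPLE_LOCK):
        print(f"rotate credentials: {path}@{version} is the tainted release")
```

Any hit means the release was resolved into that project during the window and the credentials used on that machine should be rotated.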
AI-Related Threats
Unauthorized Access to Anthropic's Claude Mythos Preview
Researchers flagged unauthorized access to Anthropic’s Claude Mythos Preview, an unreleased AI cyber model, through a third-party vendor environment. A small Discord group reportedly used shared contractor accounts, API keys, and predictable URLs to reach the system. Anthropic stated that it is investigating and has seen no impact on core systems. This incident underscores the risks of shared credentials and predictable URL patterns in cloud environments.
AI-Assisted Exploitation: Bissa Scanner
Researchers observed Bissa Scanner, an AI-assisted exploitation platform using Claude Code and OpenClaw, designed for mass scanning, exploitation, and credential harvesting. The operation focused on exploiting the React2Shell vulnerability (CVE-2025-55182), scanning millions of targets, confirming over 900 compromises, and collecting tens of thousands of exposed environment files. This marks a worrying evolution in automated cyberattacks leveraging AI.

Google Antigravity IDE – Prompt Injection to RCE
Researchers highlighted a prompt-injection exploit chain in Google’s Antigravity agentic IDE that enabled sandbox escape and remote code execution. The flaw abused a file-search tool that ran before security checks, allowing a benign-looking prompt to be turned into full system compromise, even in Secure Mode. Google has patched the vulnerability, and users are advised to update immediately.
Critical Vulnerabilities and Patches
Microsoft Out-of-Band Fix for ASP.NET Core Flaw (CVE-2026-40372)
Microsoft issued out-of-band fixes for CVE-2026-40372, a critical ASP.NET Core privilege escalation flaw rated 9.1. A bug in Data Protection versions 10.0.0 to 10.0.6 could let attackers forge cookies and antiforgery tokens, impersonate users, and gain SYSTEM-level access on Linux or macOS deployments. Patching is strongly recommended for any affected web applications.
Apple Fixes Notification Services Bug (CVE-2026-28950)
Apple released fixes for CVE-2026-28950, a Notification Services bug in iOS and iPadOS that could allow attackers to leak sensitive data. Users should ensure their devices are running the latest operating system versions.
Conclusion
The week of April 27th highlights the evolving threat landscape: from supply-chain attacks on trusted tools like Bitwarden to AI-powered exploitation platforms and critical patch gaps. Organizations should prioritize reviewing third-party access, updating software, and monitoring for unusual activity. For a deeper dive, download our full Threat Intelligence Bulletin.