Executive summary
This week’s developments for partners and clients: breaches, vulnerabilities, research, threat actor activity, and mitigation guidance.
Key takeaways
- Threat actors deploy malicious document sharing and meeting invites as phishing lures to distribute ScreenConnect remote access tool
- A Vercel security incident claimed by fake ShinyHunters group resulted in possible supply-chain compromise
- CISA issued urgent warnings about critical SD-WAN vulnerabilities actively exploited to compromise network infrastructure
- Updated guidance released regarding Defender vulnerabilities (Nightmare-Eclipse) with known wild exploitation
- Bitwarden npm package distribution compromised in supply chain attack, potentially exposing users to malware or credential theft
- Critical serial-to-IP converter flaws bypass security controls and enable unauthorized operational technology access
1. Phishing Lures Use Meeting Invites to Drop ScreenConnect RAT
Summary
Phishing domains mimicking Teams, Zoom, Adobe, and Docusign serve ScreenConnect RAT payloads through fake invites and shared links.
Category
Threat Actor Activities
Industry
Multiple (primarily North America and Europe)
Sources
https://sublime.security/blog/advanced-fake-zoom-installer-used-for-delivering-malware/
https://www.netcraft.com/blog/remote-access-delivery-via-fake-meetings
https://www.huntress.com/blog/uptick-bomgar-exploitation
Analyst comments
OSec observed threat actors using phishing sites mimicking popular meeting applications and services to serve RMM software for command-and-control activities. This likely relates to known exploitation active since February. Analyzed sites impersonate Zoom, Teams, Google Meet, Docusign, and Adobe Reader.
Research indicates initial access primarily through phishing emails containing fake meeting invites or document-sharing links. These lures redirect users to download malicious files disguised as installers claiming software is outdated. Upon execution, a preconfigured ScreenConnect version installs with attacker-controlled callback locations establishing C2 connectivity.
The cluster consistently uses Shock Hosting (ASN395092) for network infrastructure. Phishing landing pages utilize various PHP endpoints, predominantly invite.php and download.php, the latter serving malicious RMM payloads.
Callback domains typically used screenconnect[.]com with custom company names. Public sources and malware data show increased ScreenConnect submissions with notable spikes April 18-21. Broader RMM tool exploitation is increasing, with recent reports noting compromised Bomgar instances in active attacks.
Actionable guidance
- Detect differing RMM software versions or installations not attributable to administrator activity; treat with elevated urgency
- Restrict software installation for non-IT users by blocking .exe and .msi downloads unless explicitly required
- Restrict local administrator privileges to prevent RMM-based privilege escalation and credential access
- Block Shock Hosting ASN to reduce attack success likelihood with minimal operational disruption
2. Vercel Breach Claimed by Fake ShinyHunters Group
Summary
Vercel experienced a security breach after third-party AI tool Context.ai was compromised, allowing attackers to access an employee’s Google Workspace and some internal systems and non-sensitive data.
Category
Supply Chain Risk
Industry
Technology
Sources
https://vercel.com/kb/bulletin/vercel-april-2026-security-incident
https://vercel.com/docs/environment-variables/sensitive-environment-variables
https://www.reddit.com/r/webdev/comments/1sqy1k4/holy_crap_vercel_got_hacked_rotate_your_keys_if/
Analyst comments
Vercel experienced a breach through compromised third-party AI tool Context.ai, leading to attacker access of an employee’s Google Workspace and limited internal systems and non-sensitive data. The attacker demonstrated significant technical skill with rapid, effective infrastructure movement. Sensitive environment variables remained uncompromised due to secure storage methods.
Vercel collaborated with cybersecurity firms and law enforcement. The company rotated credentials and keys, finding no evidence of package repository tampering. However, exposed repository credentials may now be stale. This likely affects customers using Vercel who haven’t rotated environment keys, particularly those storing secrets in unmarked environment variables.
Actionable guidance
- Organizations using Vercel must immediately rotate keys, especially if secrets are in unmarked environment variables
- Create inventory or SBOM (Secure Bill of Materials) and implement enhanced monitoring of Vercel and Next.js packages
- Investigate OAuth applications matching identified IoCs; may warrant incident response activation
3. CISA Flags SD-WAN Flaws as Actively Exploited in Attacks
Summary
Cisco Catalyst SD-WAN vulnerabilities CVE-2026-20133, CVE-2026-20122, and CVE-2026-20128 were added to CISA’s Known Exploited Vulnerabilities catalog.
Category
Known Exploited Vulnerabilities
Industry
Public Sector, Government Administration, Multiple
Sources
https://www.reddit.com/r/sysadmin/comments/1rm660l/cisco_catalyst_sd_wan_just_got_hit_with_active/
https://www.vulncheck.com/blog/cisco-sd-wan-manager-vulns
https://www.darkreading.com/vulnerabilities-threats/fake-pocs-risks-cisco-sd-wan
Analyst comments
CISA mandated that government agencies secure systems against actively exploited Catalyst SD-WAN Manager vulnerabilities. Exploited vulnerabilities include:
| CVE | Description | CVSS |
|---|---|---|
| CVE-2026-20122 | Cisco Catalyst SD-WAN Manager API File Overwrite | 5.4 (Medium) |
| CVE-2026-20128 | Cisco Catalyst SD-WAN Manager DCA User Takeover | 7.5 (High) |
| CVE-2026-20133 | Cisco Catalyst SD-WAN Manager API Information Disclosure | 7.5 (High) |
Public honeypot data shows exploitation spikes two months ago, primarily March 3-20. CVE-2026-20128 and CVE-2026-20122 exploitation began March 5, 2026. Cisco PSIRT advisories updated this week reflecting current exploitation and CVE-2026-20133 addition, likely exploited in earlier attacks.
Actionable guidance
- Apply vendor patches immediately
- Implement geoblocking, as exploitation IPs traced to Russia-based sources
- Examine web logs for .dca file navigation attempts and suspicious “viptela-reserved-dca” user logins if compromise suspected
- Immediately isolate confirmed compromise hosts and trigger incident response investigation
- Review activity within March 1 to April 1 timeframe based on honeypot data
- Expect multiple threat actors actively exploiting across regions
4. UPDATE: Trio of Local Windows Defender Bugs Exploited in the Wild
Summary
Threat actors exploited recently disclosed bugs from security researcher Nightmare-Eclipse, including two local privilege escalation (LPE) and one Denial of Service (DoS) proof-of-concept targeting Defender.
Updated April 27th, 2026 with new in-the-wild exploitation data.
Category
Critical Vulnerabilities
Industry
Multiple
Sources
https://www.huntress.com/blog/nightmare-eclipse-intrusion
Internal OSec Research
Analyst comments
Security researcher NightMare-Eclipse disclosed three Windows bugs affecting Microsoft Defender. Two vulnerabilities (BlueHammer and RedSun) result in local privilege escalation; the third (UnDefend) causes Defender denial of service. All three have been exploited in the wild according to security researcher reports.
BlueHammer is the only vulnerability with available patches (released April Patch Tuesday as CVE-2026-33825). RedSun and UnDefend currently lack patches. Public PoC code exists and in-the-wild exploitation is confirmed. No specific threat actor attribution available, though multiple groups likely exploited disclosed vulnerabilities.
Both LPE vulnerabilities generate EICAR-related detections before full execution, serving as exploitation indicators. Known post-exploitation activity includes typical reconnaissance consistent with common threat actor behavior. All Windows versions likely affected, with greater risk to Windows 10 and 11 workstations.
New in-the-wild exploitation data
Threat actors targeting Fortinet devices also use these vulnerabilities in attack chains, observed following Fortigate SSL VPN compromise. Recorded indicators:
212.232.23[.]69 - Singapore - AS215381 ROCKHOSTER PRIVATE LIMITED
179.43.140[.]214 - Switzerland - AS51852 Private Layer INC
78.29.48[.]29 - Russia - AS8369 Intersvyaz-2 JSC
staybud.dpdns[.]org - Used for proxy tunneling traffic over 443
Attackers also exploit ActiveMQ vulnerabilities (CVE-2026-34197) recently added to CISA KEV catalog. While threat actors attempted all three vulnerabilities (RedSun, BlueHammer, and UnDefend), reported attempts were unsuccessful.
Actionable guidance
- Keep Microsoft Defender and Windows systems updated with latest protections and hotfixes
- Look for disabled Defender instances or EICAR detections in protection history if compromise suspected
- Focus investigation on events involving TieringServiceEngine.exe binary
- Check for other indicators like credential reuse, phishing activity, or exploitation methods
- Isolate confirmed compromised hosts through formal incident response procedures
- Block newly identified malicious network locations
5. Checkmarx Supply Chain Attack Impacts Bitwarden npm Distribution Path
Summary
Bitwarden CLI version 2026.4.0 was compromised in the Checkmarx supply chain attack, incorporating malicious code harvesting sensitive data. Only users installing during a brief window were affected; no vault or production data was compromised.
Category
Supply Chain Risk
Industry
Technology, Financial and Fintech, Public Sector and Government Administration
Sources
https://www.aikido.dev/blog/shai-hulud-npm-bitwarden-cli-compromise
https://thehackernews.com/2026/04/bitwarden-cli-compromised-in-ongoing.html
https://community.bitwarden.com/t/bitwarden-statement-on-checkmarx-supply-chain-incident/96127
Analyst comments
Bitwarden CLI was compromised in a Checkmarx supply chain attack, with malicious code in bw1.js introduced through a compromised GitHub Action. Affected version @bitwarden/cli 2026.4.0 contained a malicious preinstall hook triggering automatically during npm installation.
Malicious files bw_setup.js and bw1.js employ credential harvesting with worm-like propagation behavior. The malware steals sensitive data including SSH keys, cloud credentials, and npm tokens, exfiltrating to a fake Checkmarx domain. Bitwarden removed the malicious package and initiated remediation, confirming no compromised vault or production data evidence.
The supply chain incident likely causes further downstream disruption. Stolen credentials from recent campaigns will identify and access additional GitHub or package repositories for continued exploitation. These attacks typically pre-position for major organization compromise.
Attribution points to Team PCP and Checkmarx compromise; however, code found includes “Shai-Hulud: The Third Coming” string pointing to earlier supply-chain compromise campaigns. Malware behavior aligns more closely with Shai Hulud tactics while Team PCP associated domains suggest collaboration or overlap. The objective steals credentials and secrets:
- SSH
- Git
- Npm
- Env
- Bash and shell history
- AWS, GCP
- Claude, MCP
Malicious commits included strings “LongLiveTheResistanceAgainstMachines” or “beautifulcastle” along with “gh auth token” shell commands checking for active Github CLI tokens.
Actionable guidance
The compromise occurred April 22nd (approximately 5:57 PM – 7:30 PM ET) with an exploitation window of 90-93 minutes. While potentially limited exposure, substantial time existed to infect multiple users, packages, and repositories.
- Check primary exfiltration points for suspicious traffic if compromise suspected
- Confirmed exposure victims must immediately rotate all credentials and secrets
- Monitor repositories, packages, and accounts for unauthorized changes
- Target individual developers primarily, but typically pre-positions for larger organization compromise
- Implement SBOM inventory and management to audit changes and updates
- Maintain safelist of approved packages and libraries for developer projects
- Ensure MFA controls for sensitive accounts, passwords, or secrets if not already in place
6. Serial-to-IP Converter Flaws Expose OT and Healthcare Systems to Hacking
Summary
Serial-to-IP converters bridging legacy serial equipment to modern networks contain serious security flaws identified by Forescout Technologies enabling remote attacks, including device takeover, data tampering, and Denial of Service.
Category
Critical Vulnerabilities
Industry
Manufacturing, Healthcare, Energy, Logistics and Shipping, and environments with heavy IoT/OT use
Sources
https://www.cisa.gov/news-events/ics-advisories/icsa-26-069-02
https://www.silex.jp/support/security-advisories/2026-001
https://www.forescout.com/resources/bridgebreak-report/
https://www.dragos.com/blog/poland-power-grid-attack-electrum-targets-distributed-energy-2025
Internal OSec Research
Analyst comments
Serial-to-IP converters bridging legacy serial equipment to modern Ethernet/IP networks suffer numerous vulnerabilities collectively known as BRIDGE:BREAK, exploitable for OS command injection, remote code execution, and firmware tampering. These devices, used across industrial, healthcare, and energy sectors, expose critical infrastructure to threats from internet-exposed systems and local network vulnerabilities.
Researchers found 20 new vulnerabilities impacting vendors like Silex and Lantronix, potentially severely disrupting operations through data tampering and denial-of-service conditions.
Silex vulnerabilities:
- CVE-2026-32955 – SD-330AC Ver.1.42: Stack overrun in authenticated login redirect URL; memory corruption/unintended actions possible; CVSS 8.8 HIGH
- CVE-2026-32956 – SD-330AC Ver.1.42: Heap overrun in unauthenticated login redirect URL; memory corruption/unintended actions possible; CVSS 9.8 CRITICAL
- CVE-2026-32957 – SD-330AC Ver.1.42: File upload restriction bypass; unauthenticated arbitrary file upload to temporary memory; CVSS 5.3 MEDIUM
- CVE-2026-32963 – SD-330AC Ver.1.42: Reflected XSS on system status page; malicious JavaScript injection via web page links; CVSS 6.1 MEDIUM
- CVE-2026-32958 – SD-330AC Ver.1.42: Hardcoded firmware signing key; tampered firmware accepted as legitimate; CVSS 6.5 MEDIUM
- CVE-2015-5621 – SD-330AC Ver.1.42: DoS via net-snmp vulnerability; SNMP agent can be prematurely terminated; CVSS 7.5 HIGH
- CVE-2026-32959 – SD-330AC / AMC Manager Ver.5.0.2: Encryption using constant keystream; man-in-the-middle interception of config data; CVSS 5.9 MEDIUM
- CVE-2026-32960 – SD-330AC / AMC Manager Ver.5.0.2: Authentication bypass via credential reuse; unauthenticated admin privilege escalation; CVSS 6.5 MEDIUM
- CVE-2026-32961 – SD-330AC / AMC Manager Ver.5.0.2: Heap overrun via unvalidated data length; potential DoS or remote code execution; CVSS 5.3 MEDIUM
- CVE-2026-32965 – SD-330AC / AMC Manager Ver.5.0.2: No admin password enforcement; attacker can set password and gain admin privileges; CVSS 7.5 HIGH
- CVE-2026-32962 – SD-330AC Ver.1.42: Unauthenticated product settings tampering via Serial Device Server Setup; CVSS 5.3 MEDIUM
- CVE-2024-24487 – SD-330AC Ver.1.42: Unauthenticated product restart via Serial Device Server Setup; DoS possible; CVSS 5.3 MEDIUM
- CVE-2026-32964 – SD-330AC Ver.1.42: Config injection via Serial Device Server Setup; arbitrary entries insertable into system config files; CVSS 6.5 MEDIUM
Lantronix vulnerabilities:
- CVE-2025-67034 – EDS5000 2.1.0.0R3: OS command injection via SSL credential deletion “name” parameter; root execution; CVSS 7.2 HIGH
- CVE-2025-67035 – EDS5000 2.1.0.0R3: OS command injection on SSH Client/Server pages via delete actions; root execution; CVSS 7.2 HIGH
- CVE-2025-67036 – EDS5000 2.1.0.0R3: OS command injection via Log Info page filename parameter; root execution; CVSS 7.2 HIGH
- CVE-2025-67037 – EDS5000 2.1.0.0R3: OS command injection via tunnel kill “tunnel” parameter; root execution; CVSS 7.2 HIGH
- CVE-2025-67038 – EDS5000 2.1.0.0R3: OS command injection via unsanitized username in failed auth logging; root execution; CVSS 9.8 CRITICAL
- CVE-2025-67039 – EDS3000PS 3.1.0.0R2: Authentication bypass on management pages via URL suffix + “admin” header; CVSS 9.8 CRITICAL
- CVE-2025-70082 – EDS3000PS 3.1.0.0R2: Admin password changeable without current password knowledge; chainable with auth bypass; CVSS 2.7 LOW
- CVE-2025-67041 – EDS3000PS 3.1.0.0R2: OS command injection via unsanitized TFTP client host parameter; root execution; CVSS 7.2 HIGH
Current wild exploitation status is unknown. Report data confirms over 8000 Lantronix devices publicly exposed via Shodan, while only four Silex Technology devices confirmed through exposed FTP ports and banner information. Threat actors may prioritize Lantronix devices due to significantly higher exposure. Publicly available vendor research provides sufficient detail for threat actors to develop or execute exploits short-term.
Historically, threat actors leveraged these devices targeting critical infrastructure, notably Poland’s power grid. Over the past year, hacktivist groups increasingly focused on disrupting OT technology, evidenced by Telegram channel and social media discussions. Groups including noname057(16) and DDoSia volunteers, Z-Pentest-Alliance, Nullsechackers, and vulture_001 exploited OT systems and IP cameras since March. Many mentioned groups likely have direct or indirect Russia state-aligned agency links.
Actionable guidance
Both Lantronix and Silex released patches for affected devices. Given high-risk threat profile and targeted attack nature:
- Deny public internet access; restrict to internal networks or physical connections where feasible
- Minimize compromise risk, especially for manufacturing sectors with inconsistent or impossible patch management cycles
- Monitor all OT network-connected technology for suspicious activity, particularly across TFTP, web, and HMI interfaces
- Retain access logs and timestamps for auditable activity records supporting investigation confirmation
- Prioritize Lantronix device patching given exploitation simplicity and larger online attack surface
- Address most vulnerabilities involving OS command injection through TFTP ports and HTTP services
- Restrict unnecessary ports on these devices
Get the Complete Report
The full Intelligence Desk brief includes exhaustive IOC lists, YARA detection rules, detailed remediation playbooks, and OSec’s original threat research. Delivered weekly to partners and clients. REQUEST ACCESS