Coverage: April 26 – 28, 2026 · Sources: NVD, CISA KEV, Exploit-DB, The Hacker News, SecurityWeek, SentinelOne, EndorLabs, DFIR Report, HelpNetSecurity, Veracode, Harvard Berkman Klein
CVE-2026-40372 — ASP.NET Core Data Protection Privilege Escalation
CRITICAL
Microsoft issued an emergency out-of-band patch for a critical cryptographic regression in ASP.NET Core DataProtection (versions 10.0.0–10.0.6). The HMAC validation tag is computed over the wrong bytes and then discarded, allowing a padding oracle attack to forge authentication cookies, antiforgery tokens, and OpenID Connect state. Successful exploitation grants SYSTEM privileges on Linux and macOS ASP.NET Core deployments. Affected applications that ran the vulnerable version may still have attacker-issued tokens in circulation even after patching — key ring rotation is required. CVSS: 9.1.
Update DataProtection NuGet to 10.0.7 and rotate key ring immediately.
CVE-2026-32202 — Windows Shell Zero-Click NTLMv2 Theft — APT28 Actively Exploiting
HIGH
Microsoft confirmed active exploitation of CVE-2026-32202 on April 27, 2026. This Windows Shell protection mechanism failure enables zero-click NTLMv2 credential theft via auto-parsed LNK files. When a malicious shortcut triggers UNC path resolution, Windows automatically initiates an SMB connection to the attacker's server, sending the victim's Net-NTLMv2 hash — enabling NTLM relay attacks and offline hash cracking. Linked to APT28 (Fancy Bear) exploit chain targeting Ukraine and EU nations. This is an incomplete fix for CVE-2026-21510, which APT28 weaponized in December 2025. CVSS: 4.3 (real-world impact significantly higher).
Apply Patch Tuesday. Block outbound port 445. Enable SMB signing. Block LNK attachments.
CVE-2026-25874 — Hugging Face LeRobot Unauthenticated RCE (UNPATCHED)
CRITICAL
Critical unauthenticated RCE in Hugging Face LeRobot robotics platform (24K GitHub stars). The async inference pipeline uses pickle.loads() to deserialize data over unauthenticated gRPC channels without TLS. Any network-reachable attacker can send a crafted pickle payload via SendPolicyInstructions, SendObservations, or GetActions gRPC calls to execute arbitrary OS commands. LeRobot services run with elevated privileges and access internal networks, GPU compute, and sensitive datasets — making this a high-impact lateral movement vector. Currently UNPATCHED. Fix planned in version 0.6.0. CVSS: 9.3.
Block gRPC port externally. Bind to localhost only. Rotate all credentials on host.
Bitwarden CLI Supply Chain Attack — Shai-Hulud Worm via Checkmarx GitHub Actions Compromise
CRITICAL
Attackers compromised Checkmarx's GitHub Actions CI/CD pipeline and pivoted to publish malicious @bitwarden/cli@2026.4.0 to npm on April 22. The package was live for 90 minutes and downloaded by 334+ developers. The malicious payload is a self-propagating npm worm (Shai-Hulud: The Third Coming) that: (1) harvests CI secrets — SSH keys, AWS/Azure/GCP credentials, GitHub tokens, AI provider keys (Anthropic, OpenAI, DeepSeek, Mistral, HuggingFace), and MCP configuration files; (2) exfiltrates via HTTPS with GitHub dead-drop fallback using RSA-signed command delivery; (3) self-propagates by abusing discovered npm tokens to infect packages the victim can publish. The malware specifically targets AI coding assistant configurations including MCP-related files.
Rotate all CI/cloud/AI secrets. Audit GitHub Actions history. Scan shell RC files.
Comment-and-Control — Zero-Click Prompt Injection Against Claude Code, Gemini CLI, Copilot Agent
HIGH
Confirmed zero-click prompt injection attack pattern works against all three major AI coding agents in GitHub Actions. Crafted PR titles and HTML comments hijack agent execution, triggering bash commands that exfiltrate API keys and GITHUB_TOKEN. Anthropic partial fix (blocked 'ps' tool only); Google added guardrail prompts; GitHub classified as architectural limitation. Rated CVSS 9.4 by the security community. The root architectural issue — AI agents having bash, git push, and API call tools in the same runtime as untrusted input — remains unresolved across all three vendors. Any AI agent that ingests untrusted GitHub data (PR titles, issue comments, code diffs) with access to production secrets is vulnerable.
Implement OIDC for API keys. Set read-only GITHUB_TOKEN. Allowlist agent tools.
CVE-2026-35603 — Claude Code Windows Privilege Escalation via Untrusted Config Path
HIGH
Privilege escalation (CWE-426) in Claude Code on Windows prior to version 2.1.75. The application loads system-wide configuration from C:\ProgramData\ClaudeCode\managed-settings.json without validating directory ownership or permissions. Because ProgramData is writable by non-admin users by default and the ClaudeCode subdirectory was not pre-created, any low-privileged local user on a shared Windows system can plant a malicious config file that is auto-loaded for all users launching Claude Code. Enables arbitrary code execution on shared developer workstations, CI runners, and enterprise Windows environments. Patched in Claude Code 2.1.75.
Update Claude Code to 2.1.75. Lock down C:\ProgramData\ClaudeCode permissions on shared systems.
Forcepoint — 10 Indirect Prompt Injection Payloads Confirmed Active in the Wild
HIGH
Forcepoint X-Labs confirmed 10 verified indirect prompt injection (IPI) payloads actively operating on publicly accessible web infrastructure. Payloads include: financial fraud instructions embedded for AI payment agents (PayPal, Stripe), data destruction commands (rm -rf /), API key theft, and attribution hijacking. Google CommonCrawl data shows a 32% increase in malicious injection content between Nov 2025 and Feb 2026. Evidence of shared injection templates across multiple domains indicates organized tooling. Any AI agent that browses web content without enforcing a strict data-instruction boundary is exposed — including RAG pipelines, coding assistants with web access, and deployment automation agents.
Enforce tool separation: web-reading agents must not have shell or payment access.
APT28 — Active Three-CVE Exploit Chain Against Ukraine and EU (Windows Shell + MSHTML + NTLMv2)
CRITICAL
Russia's APT28 (Fancy Bear / Forest Blizzard) is actively exploiting a three-stage attack chain via malicious LNK files against targets in Ukraine and EU nations. Chain: CVE-2026-21510 (Windows Shell RCE, patched Feb 2026) + CVE-2026-21513 (MSHTML SmartScreen bypass) + CVE-2026-32202 (residual zero-click NTLMv2 hash theft, confirmed exploited April 27). APT28 uses the Windows Shell namespace parsing mechanism to load a DLL from a remote UNC path, triggering an automatic SMB authentication handshake that exfiltrates the victim's Net-NTLMv2 hash. Campaign began December 2025 targeting national security, defense, and government entities across the EU.
Apply Patch Tuesday. Block SMB outbound. Enable SMB signing. Block LNK attachments.
Bissa Scanner — AI-Assisted Mass Exploitation Platform with 900+ Confirmed Compromises
HIGH
DFIR Report exposed a large-scale credential harvesting operation using "Bissa Scanner," an AI-assisted platform that embedded Claude Code and OpenClaw autonomous agents in the attack workflow for orchestration and troubleshooting. Primary exploit: CVE-2025-55182 (React2Shell, CVSS 10.0). Over 900 confirmed compromises with 13,000+ files exfiltrated to a public S3 bucket. Stolen credentials span every major AI provider (Anthropic, OpenAI, Google, Mistral, DeepSeek, HuggingFace), cloud platforms (AWS, Azure, GCP), payment services, and databases. Linked to Telegram operator @BonJoviGoesHard. This is the first documented use of Claude Code as part of a mass exploitation operation — functioning as an engineering harness, not a direct attack tool.
Patch CVE-2025-55182. Rotate AI API keys. Block .env web access. Audit S3 uploads.
Bitwarden CLI / Checkmarx Supply Chain — 334+ Developer CI Secrets and AI API Keys Exposed
HIGH
The Bitwarden CLI supply chain attack (Shai-Hulud worm via compromised Checkmarx GitHub Actions) exposed CI/CD secrets from 334+ developers during the 90-minute window on April 22. The malware specifically targeted AI provider API keys (Anthropic, OpenAI, DeepSeek, Mistral, HuggingFace), MCP configuration files, GitHub PATs, cloud credentials, and SSH keys. The self-propagating worm component means secondary infections may have spread through packages published by affected developers — extending the blast radius beyond the initial 334 victims. Bitwarden confirmed vault data was not compromised, but the targeted AI API keys are high-value for threat actors operating AI-powered attack pipelines.
Check install timestamp. Rotate all CI/cloud/AI secrets. Audit GitHub repos and Actions history.
Checkmarx GitHub Actions Compromise — CI/CD Pipeline Attack Vector Confirmed
MEDIUM
Checkmarx confirmed on April 22, 2026 that their public GitHub Actions (ast-github-action, DockerHub KICS image, VS Code extension, Developer Assist extension) were compromised. The malware exfiltrated data to checkmarx[.]cx and to repositories created in victims' GitHub accounts. Organizations using Checkmarx SAST tools in CI/CD pipelines may have had GitHub tokens, cloud credentials, and code artifacts exposed. The same malware infrastructure, embedded payload structure, and credential harvesting method were identified in both the Checkmarx and Bitwarden attacks, suggesting the same threat actor (TeamPCP / Shai-Hulud campaign).
Rotate Checkmarx pipeline secrets. Pin Actions to commit SHAs. Block checkmarx[.]cx IOC.
[CRITICAL] CVE-2026-25874 · CVSS 9.3
Hugging Face LeRobot (versions up to 0.4.3) · Published: Apr 28, 2026
Unauthenticated RCE via unsafe pickle deserialization over gRPC in LeRobot's async inference pipeline. No patch available — fix planned in v0.6.0. Bind gRPC port to localhost immediately.
[CRITICAL] Comment-and-Control · CVSS 9.4 (community)
Claude Code Security Review, Gemini CLI Action, GitHub Copilot Agent · Published: Apr 16, 2026
Cross-vendor zero-click prompt injection via GitHub PR titles and comments. Exfiltrates API keys and GITHUB_TOKEN from CI/CD pipelines. Architectural issue unresolved across all three vendors — implement OIDC and tool allowlisting.
[HIGH] CVE-2026-35603
Anthropic Claude Code (versions prior to 2.1.75 on Windows) · Published: Apr 17, 2026
Privilege escalation via untrusted config path in C:\ProgramData\ClaudeCode. Low-privileged attacker can backdoor all users on shared Windows system. Patch: update to Claude Code 2.1.75.
[HIGH] CVE-2026-33626 · CVSS 7.5
LMDeploy (versions up to 0.12.0) · Published: Apr 20, 2026
Server-Side Request Forgery in LMDeploy's vision-language module exploited in the wild within 13 hours of disclosure. Attackers used it to reach AWS IMDS, Redis, MySQL, and DNS exfiltration endpoints. Patch: upgrade to LMDeploy 0.12.3.
[HIGH] Forcepoint IPI-in-Wild
All AI agents consuming untrusted web content · Published: Apr 23, 2026
10 confirmed indirect prompt injection payloads live on the web targeting AI agents with shell/payment access. Financial fraud, data destruction (rm -rf /), and API key theft payloads confirmed active. Enforce tool separation and data-instruction boundaries.
[MEDIUM] CVE-2026-39417 · CVSS 4.6
MaxKB AI Assistant (versions 2.7.1 and below) · Published: Apr 13, 2026
Incomplete patch bypass allows MCP-based RCE via workflow creation API. Attacker can omit the optional mcp_source field to bypass the prior fix and inject arbitrary commands. Patch: upgrade MaxKB to 2.8.0.
Threat Intelligence
Bissa Scanner: First Documented Use of Claude Code as Attacker Engineering Harness
The DFIR Report's Bissa Scanner exposure marks a documented first: an attacker embedded Claude Code in a mass exploitation operation (900+ confirmed compromises) as an operator-side engineering tool for codebase understanding, troubleshooting, and workflow orchestration. Claude Code transcripts showed the operator using it to read scanner code, understand lease flows, and troubleshoot misses in the credential harvesting pipeline. This confirms a new threat model: AI coding assistants as force multipliers for attackers, lowering the technical bar for large-scale exploitation while accelerating the attacker's development cycle. Anthropic's trust and safety teams have been notified.
AI Regulation
Harvard Berkman Klein: Agentic AI Capabilities Are Outpacing Regulatory Frameworks
A Harvard Berkman Klein cybersecurity panel found that agentic AI systems simultaneously function as defenders and high-value attack surfaces, with IBM data showing a 44% year-over-year increase in cyberattacks targeting AI-exposed applications. The panel referenced the November 2025 Anthropic breach (attackers used AI to scan Claude Code source code for vulnerabilities) as a bellwether event. Experts called for mandatory 72-hour incident reporting for AI-driven cyber incidents and enterprise AI security audits — with particular urgency given that phishing and social engineering attacks are now indistinguishable from legitimate communications due to LLM-generated content.
Supply Chain
Shai-Hulud Campaign: npm Worm Evolves to Specifically Target AI Coding Assistant Credentials
The third iteration of the Shai-Hulud npm worm — identified in the Bitwarden CLI compromise — has evolved to specifically target AI coding assistant configurations and MCP-related files alongside traditional CI/CD secrets. This marks a strategic shift in supply chain malware: threat actors now treat AI provider API keys (Anthropic, OpenAI, DeepSeek, HuggingFace, Mistral, Groq) as primary high-value targets, likely to fuel AI-powered attack pipelines like Bissa Scanner. The worm's self-propagating capability (abusing npm publish tokens) and GitHub dead-drop C2 architecture make attribution and containment significantly harder than traditional supply chain attacks.
01
DO NOW
Rotate all CI/cloud/AI API keys if you use Bitwarden CLI via npm
Check install date. If between April 22 5:57–7:30 PM ET: rotate npm tokens, GitHub PATs, AWS/Azure/GCP keys, and all AI provider API keys (Anthropic, OpenAI, DeepSeek, HuggingFace). Audit ~/.bashrc and ~/.zshrc for persistence. Run: npm uninstall -g @bitwarden/cli && npm install -g @bitwarden/cli@latest
02
DO NOW
Update ASP.NET Core DataProtection and rotate key ring
dotnet add package Microsoft.AspNetCore.DataProtection --version 10.0.7 — then rotate Data Protection key ring and revoke sessions issued April 14–21. Critical for any Linux/macOS ASP.NET Core app using DataProtection NuGet 10.0.0–10.0.6. CVSS 9.1.
03
DO NOW
Block LeRobot gRPC port and isolate from public network
CVE-2026-25874 (CVSS 9.3) is unpatched. Add firewall rule blocking external access to LeRobot PolicyServer gRPC port. Bind service to 127.0.0.1 only. Rotate all credentials on host. No patch available — network isolation is the only mitigation.
04
TODAY
Apply April 2026 Patch Tuesday updates — block outbound SMB port 445
Patches CVE-2026-32202 (APT28 active exploitation) and CVE-2026-40372. Block outbound port 445 at perimeter. Enable SMB signing via Group Policy. Block LNK file attachments in email gateway. Deploy Defender for Identity alerts on NTLMv2 hash theft.
05
THIS WEEK
Harden all AI coding agent CI/CD pipelines against Comment-and-Control
Move API keys to OIDC role assumption (no static secrets in GitHub). Set GITHUB_TOKEN to read-only. Pin all GitHub Actions to commit SHAs. Restrict claude-code-action to allowlist tools only. Add include_comments_by_actor filter. Deploy harden-runner in block mode. Update Claude Code to 2.1.75 on all Windows shared systems.
Primary Threat
Bitwarden CLI / Shai-Hulud Worm — AI API Keys Now Primary Supply Chain Target
The Bitwarden CLI supply chain attack represents a strategic evolution in npm supply chain malware: for the first time, AI provider API keys (Anthropic, OpenAI, DeepSeek, HuggingFace, Mistral, Groq) are explicitly the primary target — not just a side effect of credential theft. This is a direct feedback loop with the Bissa Scanner operation, where stolen AI API keys fuel autonomous exploitation pipelines capable of scanning millions of targets and converting them to high-value compromises. The self-propagating worm component means secondary victims extend well beyond the 334 confirmed initial downloads. Combined with the Comment-and-Control cross-vendor prompt injection (which also targets the same AI API keys from CI/CD pipelines), AI credentials have become the highest-value attack target in the developer ecosystem — and the most widely unprotected.