Vercel Breached via Context.ai; Apache ActiveMQ Flaw Added to KEV; MS Defender Zero-days Exploited

Vercel, the cloud platform-as-a-service (PaaS) company known for creating and maintaining the Next.js framework, published a security bulletin on April 19 disclosing a security incident. An attacker took over a Vercel employee's Google Workspace account through a compromise in a third-party OAuth application made by Context.ai, a supplier of enterprise AI agents, and then escalated access to internal Vercel systems. Vercel CEO Guillermo Rauch stated on social media that while "Vercel stores all customer environment variables fully encrypted at rest," the attacker's unauthorized access included "non-sensitive" environments and variables. The company has implemented additional security measures and monitoring, and is working with "Mandiant, additional cybersecurity firms, industry peers, and law enforcement," as well as working directly with Context.ai to investigate the scope of compromise. Vercel has contacted individuals whose Vercel credentials were compromised in the attack, and recommends users set Deployment Protection to "Standard" or higher, rotate Deployment Protection Tokens and environment variables and designate secrets as "sensitive," and review recent deployments and the activity log. A concurrent report from Hudson Rock assesses that a February 2026 Lumma infostealer attack on Context.ai may have precipitated this breach. Both Hudson Rock and Vercel recommend all users of Context.ai in Google Workspace search for the malicious app ID in the Google Admin Console's API controls and immediately revoke access before initiating incident response.

The US Cybersecurity and Infrastructure Security Agency (CISA) has added a 13-year-old vulnerability in Apache ActiveMQ Classic to the Known Exploited Vulnerabilities (KEV) catalog. The improper input validation / code injection vulnerability (CVE-2026-34197) affects Apache ActiveMQ Broker, Apache ActiveMQ. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The issue was discovered by researchers at Horizon3, who wrote that the flaw allows "an attacker [to] invoke a management operation through ActiveMQ’s Jolokia API to trick the broker into fetching a remote configuration file and running arbitrary OS commands, ... [and that] the vulnerability requires credentials, but default credentials (admin:admin) are common in many environments." Apache ActiveMQ, an open-source Java message broker, debuted in 2004. Horizon3 researchers were able to use Anthropic's Claude AI assistant to detect the vulnerability, which was "hiding in plain sight for 13 years." US Federal Civilian Executive Branch (FCEB) agencies have until Thursday, April 20 to mitigate the issue.

Three zero-day vulnerabilities in Microsoft Defender are reportedly being actively exploited. An individual has recently posted proof-of-concept exploits for all three. Researchers at Huntress say they are "observing the use of [the individual's] BlueHammer, RedSun, and UnDefend exploitation techniques." BlueHammer and RedSun are local privilege escalation vulnerabilities; UnDefend could be exploited to cause denial-of-service conditions and block definition updates. The PoC exploit for BlueHammer was released on April 3, and Microsoft addressed the vulnerability in its Patch Tuesday release last week, describing it (CVE-2026-33825) as being due to insufficient granularity of access control, and giving it a severity rating of Important. PoC exploits for RedSun and UnDefend were released on April 16.

Social media platform Bluesky reported on April 16, 2026 that "intermittent app outages" starting the night before were the result of a distributed denial-of-service (DDoS) attack, which the company was working to mitigate. Users experienced intermittent interruption of feeds, notifications, threads, and search functions. Additional updates state that the attacks are ongoing, but the application has remained stable since 9pm PDT on April 16, and there has been no evidence of unauthorized access to private user data. The company has not confirmed attribution nor other details of the attack, and promises additional updates.

During the week of April 13, 2026, Europol's Operation PowerOFF carried out four arrests, took down 53 domains, issued 25 search warrants, and sent over 75,000 warnings against users of platforms offering distributed-denial-of-service (DDoS) attacks for hire. Authorities from 21 countries seized booter services infrastructure, which disrupted DDoS-for-hire operations and yielded information on over three million users of the service. Domains taken offline included "Quantum-stress, Stresse, Unknownstresser, Vacstresser, dreams-stresser, Mythicalstress and others," according to documents from the US Department of Justice (DoJ). Operation PowerOFF has been ongoing since 2018.

Financial institutions conducting business within the state of New York faced a deadline last week for attesting to their adoption of multifactor authentication and affirming that they are keeping accurate inventories of their IT assets, including an up-to-date list of devices and plans for end-of-life management for those devices. The April 15, 2026 deadline is the last of several requirements established by 2023 amendments to New York's Cybersecurity Rule. Cybersecurity requirements already implemented include a 72-hour window for reporting cybersecurity incidents, improved vulnerability management practices, and stronger governance.

Later this week, researchers at Forescout will present their findings on vulnerabilities in serial-to-IP converters at Black Hat Asia in Singapore. Forescout notes that "in 2015, an attack against Ukrainian power companies intentionally corrupted the firmware of several vulnerable serial-to-IP servers, rendering electrical substations inoperable and causing power outages." The researchers' findings are based on analysis of "firmware from five major vendors [that turned up] outdated components, n-day vulnerabilities and a lack of binary hardening similar to those in less critical devices, ... [and] an in-depth analysis of several devices from two major vendors often used in healthcare and OT environments," finding 23 new vulnerabilities. Among those are eight vulnerabilities in Lantronix EDS3000PS and EDS5000, which the US Cybersecurity and Infrastructure Security Agency (CISA) described in a March 10, 2026 Industrial Control Systems (ICS) Advisory. Forescout also found 12 vulnerabilities in Silex SD-330AC; Silex has published an associated security advisory.

24-year-old Tyler Robert Buchanan, who was arrested in June 2024 and charged five months later in connection with cybercrime by the Scattered Spider hacking group, has pleaded guilty in California court to one count of conspiracy to commit wire fraud and one count of aggravated identity theft. According to the US Department of Justice (DoJ), Buchanan and co-conspirators conducted cyber intrusions and stole virtual currency, defrauding "at least a dozen companies and their employees as well as individual victims throughout the U.S." The group's tactics included SMS phishing that led to the compromise of company systems and the theft of "confidential work product, intellectual property, and PII such as account access credentials, names, email addresses, and telephone numbers." The group also conducted SIM swapping to take over targeted mobile devices, bypassing two-factor authentication and allowing access to accounts including virtual currency wallets. "Buchanan admitted in his plea agreement that the scheme involved the theft of at least $8 million worth of virtual currency assets from individual victims located throughout the United States." One co-conspirator is already serving a 10-year sentence in US federal prison and will pay $13 million in restitution, and three other defendants have yet to be sentenced. Buchanan's sentencing hearing will take place on August 21, 2026, and the statutory maximum for his charges is 22 years in federal prison.

The location of a Dutch navy vessel was exposed for roughly 24 hours after a postcard containing a Bluetooth tracker was sent to the ship. The Dutch Ministry of Defense had posted instructions for sending mail to sailors and soldiers; journalist Just Vervaart took advantage of that information to send the gadget embedded in the postcard. The tracker reportedly remained active for a day. Dutch Defense officials say the device was detected and disabled during mail sorting. While packages sent to members of the Dutch armed forces are routinely scanned, envelopes were not. The Ministry says it is changing that policy and will now ban cards containing batteries.

France's Interior Ministry has disclosed a that cybersecurity incident affecting the country's National Agency for Secure Documents (ANTS) may have compromised personal information. ANTS processes passport, national identity card, residence permit, and driver's license applications. The Ministry says the incident, which was detected on Wednesday, April 15, may affect both personal and professional accounts on the ANTS portal.