It’s Paper Trail for the week ending April 26, 2026, and we’ll cover what happened last week in the information security space.
The Bottom Line
The perimeter that organizations think they’re defending is no longer where the attacks are coming in. Three converging themes defined the week: a coordinated wave of supply chain attacks targeting tools companies trust by default; AI compressing the window between a vulnerability appearing and an adversary weaponizing it; and early signs that AI is shifting the asymmetry toward defenders – giving security teams an optimistic outlook. Taken together, these are not IT problems but rather business continuity and governance problems.
Last Week, in Review
- A high-severity flaw in LMDeploy – an open-source toolkit used by AI developers to compress, deploy, and serve large language models – was under active exploitation in the wild fewer than 13 hours after its existence was publicly disclosed. [The Hacker News]
- Mozilla published a blog post announcing the release of Firefox 150 that included patches for 271 security vulnerabilities – every one of them identified by an early version of Anthropic’s Claude Mythos AI model during internal testing. While the Firefox team remediated the findings, the Firefox CTO came to an optimistic conclusion that defenders finally have a chance to win, decisively. [Mozilla, SecurityWeek, TechRepublic]
- Cisco Talos published its Q1 2026 incident response trends report, which noted that 18% of engagements in the quarter involved organizations with insufficient logging capabilities, which affected the ability to investigate. [Cisco Talos]
Pulse
Vercel – the cloud platform behind the Next.js framework used by tens of thousands of startups and engineering teams – disclosed a breach on April 20 after adversaries accessed its internal Google Workspace environment. The entry point was a third-party AI productivity tool called Context.ai, which a Vercel employee had signed up for using their corporate account and granted “Allow All” OAuth permissions. Context.ai had separately suffered a breach of its own AWS environment, and the compromised OAuth tokens from that incident gave adversaries a bridge straight into Vercel’s Google Workspace. Adversaries claimed to have stolen source code, API keys, environment variable credentials, and internal deployment data. Vercel confirmed the incident and, after working with Microsoft, GitHub, npm, and Socket, stated that its npm packages were not compromised. [Vercel, ContextAI, The Hacker News, SecurityWeek]
Forcepoint X-Labs found 10 distinct indirect prompt injection (IPI) payloads active in the wild – malicious instructions hidden inside publicly accessible web content that silently execute when an AI agent reads or processes that page. Unlike traditional attacks that require a human to interact with malicious content, IPI payloads are invisible to the human user: they sit in HTML comments, metadata fields, or body text and automatically coerce AI agents into carrying out adversary instructions as a direct consequence of agents doing their jobs. Such attacks may affect agents that browse web pages, index content for RAG pipelines, process HTML metadata, and take autonomous actions – making them a high-impact target. [Forcepoint, InfoSecurity]
Fix-it Frank
A supply chain attack compromised @bitwarden/cli v2026.4.0 via a hijacked GitHub Action, allowing exfiltration of cloud credentials, CI/CD secrets, SSH keys, and AI API tokens to adversary-controlled infrastructure wherever the Bitwarden CLI was in use. While Bitwarden’s vault and browser extensions were unaffected, the ~1.5-hour exposure window carried a significant blast radius given ~250,000 monthly downloads and the package’s prevalent use in secrets-injection pipelines – a single compromised developer machine can propagate access laterally across every pipeline those credentials can reach. Any environment in which the Bitwarden npm package was updated to the affected version should treat credentials on impacted machines as compromised; all exposed credentials should be rotated, GitHub workflows audited for unauthorized changes, and affected systems upgraded to @bitwarden/cli@2026.4.1 or later with the version explicitly pinned. [BitWarden, The Hacker News, SecurityWeek, Socket, Endor Labs]
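One way to run the check described above is sketched here as an added example, not code from Bitwarden or any of the cited sources. It finds every resolved copy of the package in an npm lockfile and flags manifest entries that are unpinned or pinned to the affected release. The project name ci-secrets-job, the dependency deploy-helper, and both sample inputs are constructed for illustration.

```javascript
// Added example. Package name and affected version are the ones named in the briefing.
const PKG = "@bitwarden/cli";
const AFFECTED = "2026.4.0";

// Report every resolved copy of PKG in an npm lockfile (v2/v3 "packages" map),
// including copies nested under other dependencies.
function findResolved(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === `node_modules/${PKG}` || path.endsWith(`/node_modules/${PKG}`)) {
      hits.push({ path, version: meta.version, affected: meta.version === AFFECTED });
    }
  }
  return hits;
}

// An exact pin is a bare version: no ^ or ~ range, no wildcard, no dist-tag.
function isExactPin(spec) {
  return /^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$/.test(spec);
}

// Flag manifest entries that float (and so can resolve to a new release on the
// next install) or that are pinned to the affected release.
function auditManifest(manifest) {
  const findings = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    const spec = (manifest[field] || {})[PKG];
    if (spec === undefined) continue;
    if (!isExactPin(spec)) findings.push({ field, spec, issue: "not pinned" });
    else if (spec === AFFECTED) findings.push({ field, spec, issue: "affected version" });
  }
  return findings;
}

// Constructed sample inputs (hypothetical project); in practice pass the
// JSON.parse() result of package-lock.json and package.json.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "ci-secrets-job" },
    "node_modules/@bitwarden/cli": { version: "2026.4.1" },
    "node_modules/deploy-helper/node_modules/@bitwarden/cli": { version: "2026.4.0" },
  },
};
const sampleManifest = { devDependencies: { "@bitwarden/cli": "^2026.4.1" } };

console.log(findResolved(sampleLock));
console.log(auditManifest(sampleManifest));
```

The nested copy in the sample shows why checking only the top-level dependency is not enough: a transitive dependency can still resolve to the affected release after the direct dependency has been upgraded.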
Three coordinated supply chain attacks across npm, PyPI, and Docker Hub coincided with the Bitwarden incident, with AI API keys, MCP configuration files, and LLM provider tokens explicitly targeted alongside conventional cloud credentials. A self-propagating credential worm in pgserve (npm) autonomously re-injected and republished its payload across both npm and PyPI ecosystems; xinference on PyPI and Checkmarx’s KICS Docker images and VS Code extensions carried identical credential-stealing payloads the following day — the latter serving as a direct vector into the Bitwarden CLI compromise. Any environment that installed these packages during that window should treat all credentials as compromised and rotate immediately; the known C2 endpoint should be blocked at the proxy or DNS layer, and version pinning should be enforced across all CI/CD dependency installs. [GitGuardian, The Hacker News, The Register]
Oracle’s Q2 2026 Critical Patch Update delivers 481 patches across 241 CVEs and 28 product families, with the most acute exposure being CVE-2025-15467 – an unauthenticated remote code execution flaw in MySQL Enterprise Backup affecting versions 8.0.0-8.0.45, 8.4.0-8.4.8, and 9.0.0-9.6.0. Oracle Communications received 139 patches including 93 for remotely unauthenticated vulnerabilities, and 8 of 12 Java SE patches are remotely exploitable. [Oracle, Qualys, SecurityWeek, Tenable]
The Fine Print
CISA had announced a series of virtual town halls organized by sector to gather additional input before finalizing CIRCIA – the law that will require an estimated 316,000 entities across 16 critical infrastructure sectors to report significant cyber incidents to CISA within 72 hours, and ransomware payments within 24 hours. Those town halls, originally scheduled March 9 through April 2, were postponed. [CISA]
—
Paper Trail is a weekly briefing, not professional advice. Consult qualified professionals before acting on anything we report.
—
Thanks for tuning in to this edition of Paper Trail. You can read it, hear it, or bookmark it – find every format at hackwithheart.com.