Your AI tools are now the supply chain
Shai-Hulud Full Anatomy: Bun Runtime Drop, GitHub Dead-Drop C2, New Unit 42 IOCs
- Unit 42 published the full Shai-Hulud breakdown revealing @bitwarden/cli@2026.4.0's three-stage architecture: Stage 1 (bw_setup.js) downloads the Bun JavaScript runtime at install time to execute the main payload outside Node's standard module resolution; Stage 2 (bw1.js) obfuscates via string-table rotation with a seeded ASCII shuffle cipher plus embedded gzip/Base64 payloads. (Previously: Issue #16 confirmed Dependabot as the root-cause vector and the audit.checkarks.cx C2 typosquat — the Bun runtime drop and dead-drop C2 mechanism are new technical detail.)
- The worm discovers C2 by querying GitHub's public search API for commits matching LongLiveTheResistanceAgainstMachines:* in repo helloworm00/hello-world (helloworm00@proton.me); secondary C2 repos follow the naming pattern <dune-word>-<dune-word>-<3digits> with description "Checkmarx Configuration Storage." Exfil is AES-256-GCM encrypted and pushed as commits to a repo created under the victim's own stolen token — indistinguishable from normal developer activity in monitoring tools.
- New Unit 42 IOCs: attacker IPs 94.154.172.43 and 91.195.240.123; commit SHA bc544f455d7c06c8a1f3446160a6d9a4a8236b11. Hunt for format-results in GitHub Actions workflow artifact logs and unexpected bun process execution on developer endpoints; anti-detection controls include Russian locale killswitch and PID-based lock files.
- Lapsus$ posted Checkmarx as a BreachForums victim on April 24, claiming source code, employee databases, API keys, and MongoDB/MySQL credentials — the second confirmed Checkmarx data exposure in two months. (Previously: Issue #15 covered the April 22 KICS Docker Hub and VS Code extension attack, live ~84 minutes.)
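A hunt sketch for the Shai-Hulud repository and dead-drop indicators listed above, added here as an example and not taken from Unit 42 or this briefing. The record fields, log format and sample data are constructed assumptions; the Dune word list is not on the page, so the name pattern accepts any two lowercase words.

```python
import re

# Indicators quoted in the briefing above.
C2_MARKER = "longlivetheresistanceagainstmachines"
C2_SEED_REPO = "helloworm00/hello-world"
EXFIL_DESCRIPTION = "checkmarx configuration storage"
# <word>-<word>-<3digits>. The Dune word list is not on the page, so any two
# lowercase words match (assumption); a name hit alone is only a weak signal.
NAME_PATTERN = re.compile(r"^[a-z]+-[a-z]+-\d{3}$")

def score_repo(repo):
    """Return the reasons a repository record resembles a secondary C2/exfil repo."""
    reasons = []
    desc = (repo.get("description") or "").strip().rstrip(".").lower()
    if desc == EXFIL_DESCRIPTION:
        reasons.append("description")
    if NAME_PATTERN.match(repo.get("name", "").lower()):
        reasons.append("name-pattern")
    return reasons

def score_log_line(line):
    """Return the dead-drop indicators present in one proxy or audit log line."""
    low = line.lower()
    needles = (("c2-marker", C2_MARKER), ("seed-repo", C2_SEED_REPO))
    return [tag for tag, needle in needles if needle in low]

def hunt(repos, log_lines):
    """Return (confidence, kind, subject, reasons); name-only repo hits are 'review'."""
    findings = []
    for repo in repos:
        reasons = score_repo(repo)
        if reasons:
            level = "high" if "description" in reasons else "review"
            findings.append((level, "repo", repo["name"], reasons))
    for number, line in enumerate(log_lines, start=1):
        reasons = score_log_line(line)
        if reasons:
            findings.append(("high", "log", number, reasons))
    return findings

# Constructed sample data (not real telemetry).
SAMPLE_REPOS = [
    {"name": "atreides-sandworm-417", "description": "Checkmarx Configuration Storage."},
    {"name": "api-client-101", "description": "Internal REST client"},
    {"name": "dotfiles", "description": None},
]
SAMPLE_LOG = [
    "10:02:11 build-07 GET api.github.com/search/commits?q=LongLiveTheResistanceAgainstMachines",
    "10:02:15 build-07 GET api.github.com/repos/example-org/example-repo",
]
```

Feed it repository listings for accounts whose tokens may have been exposed, plus egress or proxy logs from developer endpoints and CI runners; treat name-only hits as review candidates, not detections.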
AI Inference and Coding Tool RCEs: LMDeploy Exploited in 13 Hours, Gemini CLI, Cohere No-Patch
- CVE-2026-33626 (CVSS 7.5) in LMDeploy ≤0.12.0 — unauthenticated SSRF in load_image() — was first exploited 12h31m after the advisory with no public PoC; the attacker probed AWS IMDS, Redis, MySQL, and internal admin interfaces in a single 8-minute session while rotating between vision-language models to evade per-model anomaly scoring. Upgrade past v0.12.0; block outbound from inference containers; enforce IMDSv2; rotate cloud credentials on any internet-exposed deployment since April 22.
- GHSA-wpqr-6v78-jr5g — a critical RCE in @google/gemini-cli and its companion GitHub Action — was published to the GitHub Advisory Database in the past 24 hours, achieved via workspace trust and tool allowlisting bypasses in automated CI/CD workflows. Full technical detail is not yet public; patch to the latest @google/gemini-cli and pin the GitHub Action by commit SHA immediately.
- CVE-2026-5752 (CVSS 9.3) in Cohere's Terrarium is a JavaScript prototype chain traversal in Pyodide/WebAssembly achieving root code execution on the host Node.js process, escaping the Docker sandbox with no user interaction beyond local access. CERT/CC VU#414811 confirms; the project is unmaintained and no patch will ship. Disable user code submission, network-segment, and block public access if your stack uses Terrarium to run AI-generated code.
Active Exploitation and CISA KEV: Breeze Cache Webshells, Pack2TheRoot, May 8 Deadline
- CVE-2026-3844 (CVSS 9.8) in Breeze Cache ≤2.4.4 — unauthenticated PHP webshell upload via missing file type validation in fetch_gravatar_from_remote — is under active exploitation across 400,000+ WordPress sites; Wordfence blocked 170+ attempts within 24 hours of disclosure. Update to Breeze Cache 2.4.5+ immediately; audit for .php files in gravatar cache directories.
- CVE-2026-41651 (Pack2TheRoot) in PackageKit is a 12-year-old TOCTOU race condition — present since v1.0.2, November 2014 — enabling unprivileged users to reach root on default Ubuntu 22.04+, Debian Trixie 13.4, Fedora 43, and Rocky Linux 10.1. Directly relevant to CI/CD runners and containerized build environments; patch via distribution update.
- CISA added four CVEs with a May 8 federal deadline: CVE-2024-57726/57728 in SimpleHelp (CVSS 9.9, auth bypass + privilege escalation — MSP remote access platform with blast radius across all managed customer environments); CVE-2024-7399 in Samsung MagicINFO 9 Server (CVSS 8.8, path traversal to unauthenticated RCE); CVE-2025-29635 in D-Link DIR-823X (Mirai targeting, EOL — no patch available, replace hardware).
- CVE-2026-32201 (SharePoint spoofing) FCEB deadline is tomorrow, April 28: over 1,100 internet-facing servers remain unpatched with patches available for nearly two weeks; unauthenticated impersonation confirmed active in the wild. Apply April 2026 Patch Tuesday updates for SharePoint SE/2019/2016.
Breach Reports: BePrime MSSP Camera Feeds, ADT Leak Deadline Today, Itron 8-K
- Threat actors compromised BePrime (MSSP, Mexico) through privileged admin accounts with no MFA; stolen Cisco Meraki API keys gave control over 1,858 network devices and 2,600+ endpoints, with live surveillance feeds from Iberdrola, ArcelorMittal, Whirlpool, and Alsea published. A 12.6 GB dump includes plaintext credentials and security audit reports; BePrime issued legal threats against journalists in lieu of a transparent disclosure.
- ADT filed a SEC 8-K on April 24 confirming unauthorized cloud access detected April 20; ShinyHunters claimed 10 million customer records plus data on 1,500 employees with a leak deadline of today. Initial access chain: phishing → Okta SSO → lateral movement to Salesforce — the same playbook used against Aman Resorts and McGraw-Hill this month by the same cluster.
- Itron (utility metering vendor, NYSE: ITRI) filed a SEC 8-K disclosing unauthorized access to corporate IT systems, notified April 13; remediation confirmed complete with no customer-hosted environment compromise. Itron sits in the metering and grid-edge supply chain for hundreds of US and global utilities — treat as a third-party risk review trigger and pull integration access logs.
AI Code at Scale: Google at 75%, IPI +32%, ZDI +490%, New Patches and Tooling
- Alphabet CEO Sundar Pichai confirmed 75% of all new Google code is now AI-generated and reviewed by engineers — the largest-scale public confirmation of AI coding penetration at a major tech organization.
- Google threat intelligence detected a 32% increase in malicious indirect prompt injection detections between November 2025 and February 2026, with payloads embedded in websites, documents, and API responses targeting agents that browse or summarize content.
- ZDI submissions are up 490% year-over-year; HackerOne shut down the Internet Bug Bounty program on March 27, citing AI-driven submission volume; cURL paused its bounty in January after 2025 alone exceeded the prior two years combined. ZDI is now purchasing AI-generated reports to train filtering models.
- OpenClaw patched three new vulnerabilities in v2026.4.20: Gateway Configuration Security Bypass (prompt-injected models could alter sandbox policies and MCP server configs), Bundled Tools Policy Evasion, and a Workspace Credential Leak in v2026.4.5–v2026.4.20 (malicious workspace.env redirected API key traffic to attacker servers). Upgrade immediately. (Previously: Issue #16 covered separate RCE CVEs in 40K+ exposed instances — these are distinct, newly patched flaws.)
- BeyondTrust launched PathfinderAI and a Pathfinder MCP Server enabling natural-language identity risk queries across hybrid/cloud environments; the MCP Server allows external AI agents (Copilot, OpenAI, Claude) to query BeyondTrust privilege intelligence for attack path analysis. Available in Early Access for US customers.