Inferlume

Understood. From here forward: incidents referenced by name only, sources referenced by publication name only. No cluster labels, no registry codes anywhere in the report text.

FIELD 19 | IOC TYPES PRESENT

Confirmed artifact identifiers from BleepingComputer for the elementary-data PyPI Backdoor (3 indicators):

1. PyPI package version string: elementary-data==0.23.3 (confirmed malicious release published to PyPI)

2. Docker image tag: elementary-data:0.23.3 (confirmed malicious multi-architecture container build pushed to GitHub Container Registry)

3. Docker image tag: elementary-data:latest (confirmed malicious during the exposure window; reverted to clean build after 0.23.4 release)

Partial IOC types referenced in non-registry sources (hunting pivots only, not formally counted):

GlassWorm OpenVSX Sleeper Wave: OpenVSX extension identifiers and publisher names for 73 sleeper clones per Socket Security and The Hacker News. Invisible Unicode character patterns embedded in extension source JavaScript. Solana blockchain command and control communication indicators per Koi Security (non-registry).

Apache ActiveMQ CVE-2026-34197: HTTP POST request patterns to /api/jolokia/exec/ containing addNetworkConnector or addConnector operations with external URI parameters. Spring XML payload patterns fetched by the broker JVM from attacker-controlled hosts. Both documented by Horizon3.ai (non-registry).

Vercel and Context.AI OAuth Supply Chain: OAuth application client identifiers associated with the Context.AI integration in Google Workspace admin logs. Vercel API enumeration request patterns via the project environment variable endpoint. Both from Trend Micro and OX Security (non-registry).

Microsoft SharePoint CVE-2026-32201: Network-based spoofing request patterns exist but Microsoft and CISA have not published specific network indicator sets for this CVE as of report date.

ShinyHunters ADT and Medtronic: No network IOCs published by BleepingComputer or any registered source for the ADT or Medtronic intrusion infrastructure.

CISA KEV Expansion (SimpleHelp, Samsung MagicINFO 9, D-Link DIR-823X): No network IOCs published in registered sources beyond CVE identifiers.

FIELD 20 | IOC ENRICHMENT STATUS

Pending for all incidents.

elementary-data PyPI Backdoor: The three artifact identifiers are immediately actionable as detection pivots in dependency scanning tools, software composition analysis platforms, and container registry audits. No sandbox analysis, reputation scoring, or dynamic behavioral enrichment has been confirmed in any registered source. Enrichment pending full vendor disclosure from the PyPI security team or StepSecurity.

GlassWorm OpenVSX Sleeper Wave: Extension IDs and publisher names published by Socket Security and The Hacker News provide blocking pivots for IDE extension policy enforcement and OpenVSX blocklists. No hash-level or sandbox enrichment confirmed in any registered source. Enrichment pending from Socket Security full indicator release.

Apache ActiveMQ CVE-2026-34197, CISA KEV Expansion, Microsoft KEV Cluster, Vercel and Context.AI, ShinyHunters ADT and Medtronic: No network IOCs confirmed in any registered source. CISA KEV listings provide CVE-level exploitation confirmation but do not include network indicators. Enrichment not applicable at report time for these incidents.

Recommended action: Cross-reference non-registry sources directly. Socket Security for GlassWorm extension IDs. Horizon3.ai for Apache ActiveMQ Jolokia payload patterns. Trend Micro for Vercel OAuth artifacts. Apply source weighting appropriately when operationalizing indicators from non-registry sources. Do not treat non-registry indicator sets as authoritative without independent corroboration from a registered source.

FIELDS 21 TO 30

FIELD 21 | MITRE TECHNIQUES

No registered source explicitly maps any incident in this report to MITRE ATT&CK technique IDs.

The following mappings are behaviorally inferred based on attack mechanics described in source reporting. Each entry states its behavioral basis. None should be treated as source-confirmed ATT&CK mappings. MITRE D3FEND countermeasures are included where applicable.

Apache ActiveMQ CVE-2026-34197:
T1190 Exploit Public-Facing Application. Behavioral basis: authenticated HTTP POST to internet-exposed Jolokia JMX endpoint on port 8161, triggering Spring ResourceXmlApplicationContext instantiation from attacker-controlled URI.
T1059.007 Command and Scripting Interpreter, JavaScript and JVM. Behavioral basis: Spring bean factory method invoking Runtime.exec() over the JMX bridge to achieve OS command execution inside the broker JVM process.
D3FEND countermeasure: D3-NTF Network Traffic Filtering to block external access to the Jolokia endpoint. D3-SCF Service Call Filtering to restrict BrokerService MBean exec operations via Jolokia access policy.

CISA KEV Expansion (SimpleHelp, Samsung MagicINFO 9, D-Link DIR-823X):
T1190 Exploit Public-Facing Application. Behavioral basis: all three product families expose network-accessible management or administration interfaces exploited via unauthenticated or low-privilege requests.
T1505.003 Server Software Component, Web Shell. Behavioral basis: Samsung MagicINFO 9 CVE-2024-7399 permits arbitrary file write as SYSTEM via path traversal, creating conditions directly suitable for web shell deployment on the signage server.
T1059.004 Command and Scripting Interpreter, Unix Shell. Behavioral basis: D-Link DIR-823X CVE-2025-29635 is a command injection via POST to the /goform/ endpoint, executing shell commands on the device.
D3FEND countermeasure: D3-NTF Network Traffic Filtering to block external access to SimpleHelp and MagicINFO admin ports. D3-PA Process Ancestry Analysis to detect unexpected child process spawning from the MagicINFO service process.

Vercel and Context.AI OAuth Supply Chain:
T1195.002 Supply Chain Compromise, Compromise Software Supply Chain. Behavioral basis: OAuth trust relationship between Context.AI and a Vercel employee's Google Workspace exploited as a lateral movement path without requiring exploitation of a vulnerability in Vercel's own infrastructure.
T1528 Steal Application Access Token. Behavioral basis: Lumma Stealer exfiltrated OAuth tokens from the Context.AI employee machine, which were then used to impersonate the service and access downstream systems.
T1199 Trusted Relationship. Behavioral basis: the attacker leveraged a legitimate third-party OAuth integration granted broad Google Drive read scope to pivot from Context.AI into Vercel's internal environment.
D3FEND countermeasure: D3-UA User Account Analysis to monitor OAuth app authorization scope changes. D3-OAA OAuth Authorization Analysis to detect unusual third-party app permissions.

GlassWorm OpenVSX Sleeper Wave:
T1195.002 Supply Chain Compromise, Compromise Software Supply Chain. Behavioral basis: GlassWorm plants malicious code in extensions distributed through trusted IDE marketplaces, targeting developer workstations and downstream CI/CD pipelines.
T1552.001 Unsecured Credentials, Credentials in Files. Behavioral basis: GlassWorm payloads target developer credential stores, SSH keys, and cryptocurrency wallet files accessible on developer workstations.
T1564.001 Hide Artifacts, Hidden Files and Directories. Behavioral basis: GlassWorm uses invisible Unicode characters to conceal malicious code within otherwise visible extension source files, evading visual code review.
T1071.001 Application Layer Protocol, Web Protocols. Behavioral basis: GlassWorm uses Solana blockchain-backed command and control communication, routing attacker instructions through legitimate blockchain infrastructure to evade domain-based detection.
D3FEND countermeasure: D3-SBV Software Binary Attestation to verify extension integrity against publisher signatures. D3-PA Process Ancestry Analysis to detect abnormal child process chains spawned from IDE processes.

elementary-data PyPI Backdoor:
T1195.002 Supply Chain Compromise, Compromise Software Supply Chain. Behavioral basis: attacker injected malicious code into the elementary-data release pipeline via GitHub Actions script injection triggered by a pull request comment.
T1552.004 Unsecured Credentials, Private Keys. Behavioral basis: the infostealer payload targets cloud credentials, SSH keys, database passwords, and API tokens accessible to the elementary-data process during pipeline execution.
T1059.004 Command and Scripting Interpreter, Unix Shell. Behavioral basis: the GitHub Actions workflow executed attacker-controlled shell code after script injection via a malicious pull request comment.
T1553.002 Subvert Trust Controls, Code Signing. Behavioral basis: the attacker forged a signed GitHub commit and tag for version 0.23.3 using an exfiltrated GITHUB_TOKEN, making the malicious release appear as a legitimate signed build.
D3FEND countermeasure: D3-SBV Software Binary Attestation to validate PyPI package signatures against trusted build provenance. D3-SCF Service Call Filtering to restrict GitHub Actions token scopes and permitted operations.

Microsoft KEV Cluster (SharePoint, Excel, Defender, TCP/IP, Active Directory):
T1565.002 Data Manipulation, Transmitted Data. Behavioral basis: CVE-2026-32201 SharePoint spoofing enables an attacker to view and modify sensitive SharePoint content via improper input validation without requiring privilege escalation.
T1566.001 Phishing, Spearphishing Attachment. Behavioral basis: CVE-2009-0238 Excel legacy RCE exploits maliciously crafted document attachments to execute code on the recipient's system.
T1068 Exploitation for Privilege Escalation. Behavioral basis: CVE-2026-33825 Microsoft Defender EoP abuses the signature update process to escalate a local user to SYSTEM integrity level.
T1210 Exploitation of Remote Services. Behavioral basis: CVE-2026-33827 Windows TCP/IP unauthenticated RCE and CVE-2026-33826 Windows Active Directory authenticated RCE both present network-reachable exploitation surfaces. No confirmed active exploitation at report date.
D3FEND countermeasure: D3-SBV Software Binary Attestation for Defender update package verification. D3-PA Process Ancestry Analysis to detect SYSTEM shells spawned from MsMpEng.exe. D3-NTF Network Traffic Filtering to restrict inbound TCP/IP and LDAP attack surface.

ShinyHunters ADT and Medtronic:
T1566.004 Phishing, Spearphishing Voice. Behavioral basis: ShinyHunters compromised an ADT employee's Okta SSO account via voice phishing (vishing), social engineering the employee or helpdesk to provide or reset credentials.
T1078 Valid Accounts. Behavioral basis: after vishing, ShinyHunters used legitimately obtained Okta SSO credentials to access ADT's Salesforce instance without exploiting a technical vulnerability.
T1530 Data from Cloud Storage. Behavioral basis: ShinyHunters accessed and exfiltrated PII from ADT's Salesforce CRM instance using the compromised identity, targeting customer records at scale.
D3FEND countermeasure: D3-MFA Multi-Factor Authentication hardening to require phishing-resistant MFA for SSO access. D3-UA User Account Analysis to detect unusual Salesforce export or bulk data access patterns.

FIELD 22 | MITRE TACTICS

All inferred from behavioral basis. No registered source confirmed MITRE tactic mappings explicitly.

Initial Access: T1190, T1195.002, T1566.001, T1566.004, T1199
Execution: T1059.007, T1059.004
Persistence: T1505.003
Privilege Escalation: T1068
Defense Evasion: T1564.001, T1553.002
Credential Access: T1528, T1552.001, T1552.004
Discovery: [NOT CONFIRMED in registered sources for any incident]
Collection: T1530, T1565.002
Command and Control: T1071.001
Impact: [NOT CONFIRMED in registered sources for any incident]

FIELD 23 | CONFIDENCE SCORE

Overall report confidence score: 78 (weighted across all incidents)

Scoring applied per the registered source confidence framework: authoritative sources (CISA, NVD) base 90; elevated sources (CrowdStrike) base 75; standard sources (BleepingComputer, The Hacker News, SecurityWeek) base 55; supplemental non-registry sources add contextual depth but reduce confidence where they serve as the primary or sole basis for a finding. Single source claims below 40.

FIELD 24 | RECORD STATUS

Active. Monitoring required across multiple deadline tracks.

Apache ActiveMQ CVE-2026-34197: Active. Federal patch deadline 30 April 2026, 48 hours from report publication. Over 6,400 internet exposed instances confirmed unpatched. Status will move to Resolved when CISA confirms agency compliance or when deadline passes.

CISA KEV Expansion (SimpleHelp, Samsung MagicINFO 9, D-Link DIR-823X): Active. Federal deadline 8 May 2026. D-Link DIR-823X is EOL with no patch forthcoming; decommission actions ongoing for affected organizations.

Microsoft SharePoint CVE-2026-32201 and CVE-2009-0238: Active. Federal deadline elapsed at report publication (28 April 2026). Over 1,300 internet exposed SharePoint servers confirmed still unpatched as of 21 April 2026. Continued active exploitation confirmed.

Microsoft Defender CVE-2026-33825: Active but mitigating. Patch auto-deployed via Defender platform update 4.18.26030.3011. Air-gapped environments require manual action.

GlassWorm OpenVSX Sleeper Wave: Active. Wave 2 ongoing. Six of 73 sleeper extensions confirmed activated and delivering malware. OpenVSX moderation response status not confirmed in registered sources.

elementary-data PyPI Backdoor: Partially resolved. Clean version 0.23.4 published. Malicious 0.23.3 remains in environments that have not yet updated or rotated credentials. Incident response actions ongoing for affected organizations.

ShinyHunters ADT and Medtronic: Active. ADT breach confirmed and disclosed. Medtronic investigation ongoing. BreachForums listing for ADT data remains active. Regulatory and legal proceedings anticipated.

Vercel and Context.AI OAuth Supply Chain: Active. BreachForums listing at $2 million active as of report date. Vercel customer environment variable exposure scope confirmed. OAuth trust chain risk unmitigated for organizations that have not audited third-party app authorizations.

FIELD 25 | CH1 EXECUTIVE OVERVIEW

Chapter 1: Executive Overview

Today's threat picture is dominated by compounding software supply chain risk across the developer ecosystem, concurrent critical vulnerability exploitation with imminent federal deadlines, and a confirmed data extortion campaign against two major US organizations. No single threat actor is responsible for the full picture; the risk this brief communicates is systemic across tooling, infrastructure, and identity layers simultaneously.

Intelligence Quality
Core findings for the Apache ActiveMQ, SharePoint, and CISA KEV expansion incidents are supported by authoritative government sources and carry confidence scores above 90. The GlassWorm, elementary-data, and Vercel incidents rely primarily on standard and non-registry sources and carry moderate confidence. ShinyHunters attribution is well corroborated by victim statements and independent breach notification services. MITRE mappings across all incidents are behaviorally inferred, not source-confirmed.

Incident 1: GlassWorm OpenVSX Sleeper Extensions (Severity: High)
The GlassWorm campaign has returned with a second wave of 73 cloned sleeper extensions on the OpenVSX marketplace. The extensions appear legitimate at installation and are later updated to deliver malware targeting developer credentials and cryptocurrency wallet data. At least six of the 73 have already been activated in live environments. Prior GlassWorm activity has compromised more than 433 components across GitHub, npm, VS Code, and OpenVSX since October 2025, using invisible Unicode character obfuscation and Solana blockchain-backed command and control to evade standard detection.
Risk decision: Escalate. Developer environments are active attack surfaces and infected extensions can propagate malicious code into production artifacts and downstream customer environments.

Incident 2: elementary-data PyPI Backdoor (Severity: High)
An attacker exploited a GitHub Actions script injection weakness to forge a signed release of the elementary-data data observability package, version 0.23.3, pushing an infostealer to both PyPI and GitHub Container Registry. The package has over 1.1 million monthly downloads and is deeply embedded in dbt-based analytics pipelines. Any environment that installed version 0.23.3 or deployed containers from that tag must be treated as potentially compromised, with cloud credentials, SSH keys, and database passwords considered exposed. A clean version 0.23.4 is now available.
Risk decision: Escalate. Immediate dependency audit and credential rotation required for any organization running dbt-native data stacks.

Incident 3: Apache ActiveMQ CVE-2026-34197 (Severity: Critical, 48-Hour Federal Deadline)
Apache ActiveMQ's Jolokia JMX management interface contains a code injection vulnerability allowing authenticated attackers to execute arbitrary operating system commands on the broker by supplying an attacker-controlled Spring XML configuration URI. CISA has added it to the Known Exploited Vulnerabilities catalog with a federal remediation deadline of 30 April 2026, two days from this report. Over 6,400 internet exposed instances remain unpatched. The flaw existed in the codebase for 13 years before its discovery.
Risk decision: Escalate immediately. Patch or remove Jolokia endpoint access before the April 30 deadline. Treat as Priority 1 for any organization running Apache ActiveMQ Classic.

Incident 4: CISA KEV Expansion: SimpleHelp, Samsung MagicINFO 9, D-Link DIR-823X (Severity: Critical, May 8 Deadline)
CISA added four CVEs to the KEV catalog on 24 April 2026 covering SimpleHelp remote support software (CVE-2024-57726, CVSS 9.9, and CVE-2024-57728), Samsung MagicINFO 9 Server (CVE-2024-7399, CVSS 8.8), and the end-of-life D-Link DIR-823X router (CVE-2025-29635, CVSS 7.5). All carry confirmed active exploitation. The D-Link device will not receive a patch; CISA requires organizations to discontinue use immediately.
Risk decision: Escalate. Patch SimpleHelp and Samsung MagicINFO 9 before May 8. Replace D-Link DIR-823X immediately with a supported device.

Incident 5: Microsoft SharePoint CVE-2026-32201 and Excel CVE-2009-0238 KEV (Severity: Critical, Federal Deadline Elapsed)
CISA confirmed active exploitation of SharePoint spoofing vulnerability CVE-2026-32201 and added it to the KEV catalog with an April 28 federal deadline that has elapsed at this report's publication. Over 1,300 internet exposed SharePoint servers remain unpatched. CVE-2009-0238, a legacy Microsoft Excel RCE carrying a CVSS of 9.3, was added to the same KEV batch. Successful SharePoint exploitation enables unauthorized viewing and modification of sensitive collaboration content without requiring privilege escalation.
Risk decision: Escalate. Any unpatched internet-facing SharePoint instance is actively targeted. Patch or take offline immediately.

Incident 6: ShinyHunters ADT and Medtronic Extortion (Severity: High for Affected Organizations and Peer Sectors)
ShinyHunters compromised ADT via voice phishing against an Okta SSO account, then used the resulting access to exfiltrate personal data on 5.5 million individuals from Salesforce. The group claims a separate theft of 9 million records from Medtronic; Medtronic has confirmed system access while the scope of personal data exposure remains under investigation. These incidents demonstrate that SSO platforms and CRM applications are now primary targets for large-scale PII extortion, requiring no exploit of a technical vulnerability.
Risk decision: Monitor and escalate for organizations with similar identity and SaaS footprints. Review Okta and Salesforce access controls. Conduct vishing awareness and helpdesk social engineering training immediately.

Incident 7: Vercel and Context.AI OAuth Supply Chain (Severity: High, Lower Confidence)
A Lumma Stealer infection at Context.AI led to OAuth token exfiltration, which the attacker used to access a Vercel employee's Google Workspace and enumerate customer environment variables. Stolen data is listed on BreachForums at $2 million. Confidence on this incident is lower than others in this brief due to reliance on non-registry primary sources.
Risk decision: Escalate for Vercel customers. Audit Google Workspace OAuth authorizations and rotate all non-sensitive environment variable secrets immediately.

Priority Order for Defenders Today:

1. Apache ActiveMQ CVE-2026-34197: patch or restrict Jolokia access before 30 April 2026.

2. Microsoft SharePoint CVE-2026-32201: patch or isolate internet-facing instances immediately, federal deadline has elapsed.

3. CISA KEV Expansion: patch SimpleHelp and Samsung MagicINFO 9 before May 8; replace D-Link DIR-823X now.

4. GlassWorm: freeze new extension installs; audit extension inventories in developer and CI environments.

5. elementary-data: identify all 0.23.3 deployments and rotate all exposed credentials now.

6. ShinyHunters: review Okta and Salesforce access controls; harden vishing defenses.

7. Vercel and Context.AI: audit OAuth third-party app authorizations; rotate environment variable secrets.

FIELD 26 | CH2 THREAT EXPOSURE ANALYSIS

Chapter 2: Threat Exposure Analysis

GlassWorm: Multi-Ecosystem Supply Chain Compromise via Sleeper Extensions

What is happening: GlassWorm is an evolving malware campaign that has systematically targeted developer extension ecosystems since October 2025, beginning with VS Code Marketplace and expanding to OpenVSX, GitHub, and npm. The campaign's latest wave introduces 73 cloned sleeper extensions that install as apparently benign tools and receive later updates activating malicious payloads. At least six of these extensions have already been activated to deliver credential-stealing and cryptocurrency-wallet-targeting malware. Prior waves compromised over 433 components across multiple ecosystems by hijacking legitimate extensions and repository infrastructure, using invisible Unicode characters to hide malicious logic inside visible source code, and using Solana blockchain infrastructure as command and control to route attacker instructions through a channel that evades domain-based network detection.

Strategic risk context: Developer workstations and CI/CD infrastructure function as the upstream entry point into downstream customer environments and signed production artifacts. A single infected extension installed in a build agent can inject malicious code into multiple software products, propagating the compromise to downstream users without any of those users taking a direct action. Organizations without strict extension allow-listing and provenance verification face elevated risk that their own codebases, signing keys, and distribution channels could be co-opted into further supply chain attacks.

Severity and business impact: If GlassWorm gains persistent access to developer credentials and repositories, attackers can silently introduce backdoors into software that ships to customers, leading to large-scale incident response obligations, regulatory scrutiny, and remediation costs that extend well beyond the initial workstation compromise. Because this campaign targets developers rather than a specific industry vertical, the blast radius spans software vendors, SaaS providers, financial technology teams, and internal enterprise engineering organizations simultaneously.

Confidence: 65. BleepingComputer and The Hacker News reporting is consistent across multiple waves. Non-registry sources (Socket Security, VicOne, Koi Security, Aikido, OpenSourceMalware) provide corroborating technical detail on infrastructure traits, payload behaviors, and extension lists. No CISA advisory or T1 vendor research organization has published a formal analysis of GlassWorm within the reporting window.

elementary-data: PyPI and Docker Supply Chain Backdoor in a Data Observability Tool

What is happening: An attacker exploited a GitHub Actions script injection weakness to forge a signed release of the elementary-data package. The attack was triggered by posting a malicious comment on an open pull request, causing the CI workflow to execute attacker-controlled shell code, exfiltrate the GITHUB_TOKEN, and forge a signed commit and release tag for version 0.23.3. The release pipeline then built and pushed a malicious PyPI package and a corresponding multi-architecture Docker image with tags 0.23.3 and latest, embedding an infostealer targeting developer credentials, cloud API keys, SSH keys, and database passwords. A clean version 0.23.4 replaced the malicious build after discovery.

Strategic risk context: elementary-data is a dbt-native data observability tool with over 1.1 million monthly downloads used by data and analytics engineers running modern cloud-based data stacks. Compromising this package gives attackers direct access to CI/CD pipelines and data processing environments that handle sensitive cloud credentials and configuration files underpinning data integrity across analytics platforms. The use of a forged signed release means standard provenance checks would not have flagged the malicious version.

Severity and business impact: Any organization that installed elementary-data 0.23.3 or deployed containers built from the compromised image tags must treat those environments as potentially compromised. Cloud account takeover, data exfiltration, and pipeline integrity loss are all plausible downstream consequences. Even where immediate exploitation did not occur, incident response and credential rotation will impose significant operational disruption on affected data engineering teams.

Confidence: 65. BleepingComputer and StepSecurity (non-registry) describe consistent attack mechanics. The artifact IOCs (version strings and Docker tags) are directly actionable. No T1 registered source has independently confirmed this incident within the reporting window.

Apache ActiveMQ CVE-2026-34197: Pre-Auth-Adjacent RCE via Jolokia JMX Bridge

What is happening: Apache ActiveMQ Classic exposes a JMX-over-HTTP management interface via the Jolokia endpoint at /api/jolokia/ on the web console (default port 8161). The default Jolokia access policy permits unrestricted exec operations on all ActiveMQ MBeans, including BrokerService.addNetworkConnector. An attacker who can reach this endpoint and authenticate (default credentials admin:admin are widespread in unmanaged deployments) can supply a discovery URI containing a brokerConfig parameter pointing to an attacker-controlled URL. The ActiveMQ VM transport layer fetches that URL and instantiates it as a Spring ResourceXmlApplicationContext, processing all singleton bean definitions before any BrokerService validation occurs. This allows arbitrary OS command execution via Runtime.exec() embedded in Spring bean factory methods. The flaw existed in the ActiveMQ codebase for 13 years and was identified by a researcher using AI-assisted static analysis. Fixed in Apache ActiveMQ Classic 5.19.4 and 6.2.3.

Strategic risk context: Apache ActiveMQ is one of the most widely deployed open source message brokers globally, used in enterprise integration, microservices, and financial services transaction processing. Internet exposure of the management interface is a common misconfiguration. Over 6,400 instances remain unpatched and internet-accessible as of BleepingComputer reporting within the window. The CISA KEV listing with a 48-hour federal deadline signals active exploitation is confirmed and adversaries are actively scanning for and attempting to exploit vulnerable instances.

Severity and business impact: Full operating system command execution in the context of the ActiveMQ service account. In environments where the broker runs with elevated or administrative privileges, this translates directly to full system compromise. Downstream risk includes ransomware pre-staging, lateral movement to message queue consumers, and integrity compromise of business-critical transaction processing pipelines.

Confidence: 92. CISA KEV authoritative confirmation, NVD record confirmed, BleepingComputer and The Hacker News corroboration. No conflicts across sources.

CISA KEV Expansion: SimpleHelp, Samsung MagicINFO 9, D-Link DIR-823X

What is happening: CISA added four CVEs to the KEV catalog on 24 April 2026 covering three products. CVE-2024-57726 (CVSS 9.9) and CVE-2024-57728 in SimpleHelp remote support software represent a missing authorization flaw enabling unauthenticated server actions and a companion path traversal flaw. CVE-2024-7399 (CVSS 8.8) in Samsung MagicINFO 9 Server allows an unauthenticated attacker to write arbitrary files as SYSTEM via path traversal, enabling web shell deployment. CVE-2025-29635 (CVSS 7.5) in the D-Link DIR-823X is a command injection via POST to /goform/ on an end-of-life device that will receive no patch. CISA's language for the D-Link is unambiguous: discontinue use immediately.

Strategic risk context: SimpleHelp is widely deployed as a remote support and helpdesk access platform; exploitation enables persistent attacker access to every endpoint managed through that platform, making it an effective ransomware pre-staging vector. Samsung MagicINFO 9 is present in healthcare, retail, and critical infrastructure facilities where digital signage hardware is connected to internal networks. D-Link DIR-823X EOL devices are common in home office and SMB environments, particularly in regions where device refresh cycles are slow.

Confidence: 90. CISA KEV authoritative confirmation for all four CVEs. SecurityWeek and The Hacker News provide consistent corroborating reporting.

Microsoft April 2026 KEV Cluster: SharePoint Spoofing, Legacy Excel RCE, Defender EoP, TCP/IP and AD RCE

What is happening: Microsoft's April 14, 2026 Patch Tuesday addressed 167 vulnerabilities. CVE-2026-32201 (SharePoint Server spoofing, CVSS 6.5) was exploited as a zero day before the patch was released and has been added to the CISA KEV with an April 28 federal deadline. Over 1,300 internet exposed SharePoint servers remain unpatched as of reporting within the window. CVE-2009-0238 (Excel legacy RCE, CVSS 9.3) was added to the same KEV batch, reflecting continued active use of document-based attack chains. CVE-2026-33825 (Microsoft Defender EoP, CVSS 7.8) allows a local user to reach SYSTEM by abusing the Defender signature update process; the fix is auto-deployed in platform version 4.18.26030.3011 but requires manual action in air-gapped environments. CVE-2026-33827 (Windows TCP/IP RCE, CVSS 8.1) exploits a race condition for unauthenticated remote code execution at high attack complexity with no user interaction. CVE-2026-33826 (Windows Active Directory RCE, CVSS 8.0) requires authentication but carries low complexity with no user interaction. Neither TCP/IP nor AD RCE CVEs have confirmed active exploitation at report date.

Strategic risk context: SharePoint is the collaboration backbone for thousands of enterprises globally. Active exploitation of a spoofing vulnerability against over 1,300 exposed servers means attackers can exfiltrate and manipulate sensitive internal documents and workflows without triggering availability-based alerts. The re-addition of a 2009 Excel RCE to the KEV catalog is a persistent reminder that legacy document-based phishing chains remain operationally active and that attachment-based delivery of malicious Excel files continues to achieve exploitation in current environments.

Confidence: 90 for SharePoint CVE-2026-32201 and CVE-2009-0238 (CISA KEV authoritative). 78 for Defender CVE-2026-33825 (CrowdStrike elevated, BleepingComputer corroboration). 75 for TCP/IP and AD RCE CVEs (CrowdStrike elevated, no exploitation confirmed).

ShinyHunters: Extortion Campaign Against ADT and Medtronic

What is happening: ShinyHunters used voice phishing to compromise an ADT employee's Okta SSO account. Using those credentials, the group accessed ADT's Salesforce CRM instance and exfiltrated personal data on 5.5 million individuals including names, phone numbers, addresses, dates of birth, and the last four digits of SSNs or Tax IDs for a subset. Have I Been Pwned independently confirmed the dataset. Separately, ShinyHunters claimed theft of 9 million records from Medtronic. Medtronic confirmed that hackers accessed certain corporate IT systems but the scope of personal data exposure remains under investigation.

Strategic risk context: These incidents confirm that SSO platforms and SaaS CRM applications are now primary attack targets for mass PII extortion. The attack required no zero-day vulnerability and no novel exploit. A single successful vishing call against a helpdesk or employee sufficed to unlock access to millions of customer records. For organizations running Okta and Salesforce with large PII datasets, the attack pattern from the ADT breach is directly replicable against their environments today.

Severity and business impact: For ADT and Medtronic, the incidents carry immediate regulatory notification obligations, litigation exposure, and reputational damage. ADT's confirmed exposure of partial SSN and Tax ID data for a subset of 5.5 million individuals creates significant risk of downstream identity fraud for affected individuals. For peer organizations, the primary takeaway is not a new exploit to patch but a process failure to remediate: weak vishing defenses and insufficient MFA enforcement on SSO access to high-value SaaS platforms.

Confidence: 70. BleepingComputer reporting, corroborated by direct victim statements from ADT and Medtronic and independent Have I Been Pwned dataset confirmation. Medtronic data scope remains under investigation, contributing minor uncertainty.

Vercel and Context.AI OAuth Supply Chain

What is happening: A Lumma Stealer infection at Context.AI, a third-party AI productivity tool, led to OAuth token exfiltration from an employee machine. The attacker used the stolen OAuth token to access a Vercel employee's Google Workspace, to which Context.AI had been granted broad Google Drive read scope. From there, the attacker accessed Vercel internal systems and enumerated environment variables for a subset of customer projects. Vercel's non-sensitive environment variables were not encrypted at rest, enabling the attacker to retrieve secrets in plaintext. The dataset was listed for sale on BreachForums at $2 million.

Strategic risk context: This incident demonstrates how OAuth trust relationships between AI productivity tools and enterprise platforms create invisible lateral movement paths that bypass perimeter defenses entirely. The attack required no exploitation of a Vercel vulnerability; it exploited the delegated trust that Vercel's employee had granted to a third-party tool. As AI-adjacent productivity tools proliferate in enterprise environments, each OAuth integration represents a potential pivot point into corporate infrastructure.

Confidence: 52. Primary sources are non-registry (Trend Micro, OX Security, Vercel self-disclosure). Attribution is unconfirmed. Lumma Stealer identification is from Trend Micro only. BreachForums listing corroborates exfiltration but does not confirm actor identity.

FIELD 27 | CH3 OPERATIONAL RESPONSE

Chapter 3: Operational Response

GlassWorm: Immediate Response and Containment

Containment priorities:

1. Freeze new extension installs: halt all new OpenVSX and VS Code extension installations in production-adjacent developer and CI/CD environments until extension inventories are audited against known GlassWorm-associated publishers and the 73 sleeper extension list published by Socket Security and The Hacker News.

2. Audit existing extensions: export extension lists from all developer IDEs and CI build agents. Cross-reference against GlassWorm-associated publisher names and suspicious clone identifiers from non-registry research reports. Flag any extension from an unverified publisher installed in the last six months.

3. Isolate compromised hosts: any developer workstation found running confirmed or suspected GlassWorm extensions should be isolated from the network, imaged for forensic preservation, and rebuilt from known-good baselines. Rotate all credentials, tokens, and SSH keys that were accessible on the host.

Security hardening actions:
Implement extension allow-listing for critical developer environments permitting only approved, internally vetted extensions. Enforce EDR policies on developer machines tuned to detect abnormal browser-based credential file access, wallet database reads, SOCKS proxy creation, and hidden remote access tool activity consistent with GlassWorm payload behavior as described in VicOne analysis.

Internal security coordination:
Notify application security, DevOps, and CI/CD platform owners. Require confirmation that extension inventories have been audited across all build tooling domains. Brief legal and compliance teams if internal artifact signing keys or distribution pipelines are found to have been accessed.

elementary-data PyPI Backdoor: Immediate Response and Containment

Containment priorities:

1. Identify impacted workloads: search all dependency manifests, lock files, Dockerfiles, and CI job definitions for elementary-data==0.23.3 or image tags 0.23.3 and latest pulled during the exposure window. Any workload or pipeline that pulled from these identifiers must be treated as potentially compromised.

2. Rotate all exposed secrets: immediately rotate cloud credentials, SSH keys, database passwords, and API tokens that were accessible to any elementary-data process or pipeline running version 0.23.3. Do not wait for forensic confirmation of exfiltration before rotating. Assume exposure.

3. Rebuild from clean images: rebuild all affected containers and virtual machines from known-good images using elementary-data 0.23.4 or later. Verify package signatures and checksums from PyPI against the official project release provenance.

Security hardening actions:
Review all GitHub Actions workflows for script injection exposure via user-controlled input fields, including pull request titles, body text, and comments, and ensure those inputs are never interpolated directly into shell commands. Enforce least-privilege scoping and short-lived expiry for all CI tokens to minimize blast radius from any future GITHUB_TOKEN exfiltration.

Internal security coordination:
Engage data engineering and platform teams directly. Ensure they understand that a credential rotation and environment rebuild is required regardless of whether active exploitation has been confirmed in their specific environment. Coordinate with SecOps to monitor cloud API activity for anomalous access patterns from accounts whose credentials may have been in scope.

Apache ActiveMQ CVE-2026-34197: Isolation and Patch Prioritization (April 30 Deadline)

Containment priorities:

1. Inventory all ActiveMQ instances: identify every Apache ActiveMQ Classic deployment running versions before 5.19.4 or between 6.0.0 and 6.2.3. Check activemq.xml for web console and Jolokia enablement.

2. Block Jolokia externally: immediately apply firewall or ACL rules denying inbound connections to the Jolokia endpoint (/api/jolokia/) from all untrusted networks. If the Jolokia endpoint is not required for production operations, disable it entirely in activemq.xml.

3. Restrict Jolokia MBean exec operations: in jolokia-access.xml, deny exec operations on org.apache.activemq type=Broker brokerName=* for all non-administrative principals. This is a compensating control only; patching remains mandatory.

4. Patch before April 30: apply Apache ActiveMQ Classic 5.19.4 or 6.2.3 before the CISA KEV federal deadline. For private sector organizations: treat this as a Priority 1 patch with no exceptions.

Tactical actions (post-containment, within 72 hours):
Review broker logs for POST requests to /api/jolokia/exec/ containing addNetworkConnector or addConnector with external URI parameters. Check for outbound HTTP or HTTPS GET requests from the ActiveMQ JVM process (java.exe or activemq service PID) to external hosts, particularly fetching XML or configuration files. Rotate all ActiveMQ administrative credentials regardless of whether exploitation activity is confirmed in logs.

CISA KEV Expansion: SimpleHelp, Samsung MagicINFO 9, D-Link DIR-823X (May 8 Deadline)

Containment priorities:

1. SimpleHelp: apply the latest vendor patch immediately. Restrict access to the SimpleHelp server administration interface by IP allowlist. Audit all session logs for unauthorized or anomalous administrative actions.

2. Samsung MagicINFO 9: patch to the fixed version immediately. Audit all web-accessible file directories on the server for unexpected files with executable extensions (.jsp, .php, .aspx) indicative of web shell upload via CVE-2024-7399. Isolate from the corporate LAN until patching is complete where immediate remediation is not possible.

3. D-Link DIR-823X: no patch will be released. Decommission and replace immediately. There is no compensating control that makes continued use of this device acceptable. CISA mandates discontinue use.

Microsoft KEV Cluster: SharePoint Patching, Defender Update Enforcement, Excel Policy

Containment priorities:

1. SharePoint CVE-2026-32201: apply Microsoft's April 2026 Patch Tuesday update for SharePoint Server 2016, 2019, and Subscription Edition immediately. Federal deadline has elapsed. For instances that cannot be patched immediately, remove internet exposure via firewall rules or reverse proxy restriction until remediation is complete.

2. Excel CVE-2009-0238: enforce email attachment policies blocking .xls and .xlsb file types from external senders. Ensure Protected View is enabled for all externally sourced Office documents. Confirm the April 2026 Patch Tuesday update has been applied on all Windows endpoints.

3. Defender CVE-2026-33825: verify Defender Antimalware Platform version using Get-MpComputerStatus and confirming AMProductVersion is 4.18.26030.3011 or higher. Manually distribute to air-gapped or update-restricted environments that have not received automatic deployment.

4. Windows TCP/IP CVE-2026-33827 and Active Directory CVE-2026-33826: apply April 2026 Patch Tuesday updates. No active exploitation confirmed at report date but the attack surface (unauthenticated network-reachable RCE for TCP/IP, low-complexity authenticated AD RCE) warrants prompt patching given adversary interest in these primitives.

ShinyHunters ADT and Medtronic: Identity Hardening Actions for Peer Organizations

Containment priorities (pattern-focused, for organizations with similar identity and SaaS profiles):

1. Harden Okta SSO: enforce phishing-resistant MFA (FIDO2 or hardware token) for all users with access to CRM or data-intensive SaaS platforms. Remove SMS and voice call as MFA fallback options for high-privilege accounts.

2. Restrict Salesforce and CRM access: review data export and bulk access permissions in Salesforce. Apply IP-based access restrictions and session policies requiring continuous identity verification for high-volume data operations.

3. Enhance vishing defenses: update security awareness training and internal helpdesk verification protocols to include voice phishing and impersonation scenarios consistent with the ADT attack chain. Implement a callback verification process for any request to change SSO credentials, reset MFA, or grant new access.

Vercel and Context.AI: OAuth Audit and Secrets Rotation

Containment priorities:

1. Audit Google Workspace OAuth authorizations: review all third-party app authorizations in Google Workspace Admin console. Revoke any authorization granted to Context.AI or to AI productivity tools with Google Drive, Gmail, or broader Workspace access scopes. Apply this review to all tools not on an approved application list.

2. Rotate Vercel environment variables: for any project hosted on Vercel, rotate all secrets, API keys, database credentials, and cloud provider credentials stored as environment variables, particularly those not flagged as Sensitive in the Vercel dashboard, which were not encrypted at rest.

3. Review Vercel deployment logs: examine API access logs for anomalous environment variable enumeration requests between February and April 2026.

Security hardening actions:
Move all production secrets to a dedicated secrets manager (HashiCorp Vault, AWS Secrets Manager, or equivalent) rather than platform-native environment variable storage. Enforce OAuth app allowlisting policies that prevent Workspace users from authorizing third-party applications without IT security review and approval.

FIELD 28 | CH3 INCIDENT TIMELINE

Chapter 3: Incident Timelines

GlassWorm OpenVSX Sleeper Wave:
October 2025: GlassWorm campaign begins targeting OpenVSX and VS Code Marketplace with initial waves of malicious extension activity.
Early 2026 (approximate): Prior GlassWorm waves accumulate compromises across more than 433 components spanning GitHub, npm, VS Code, and OpenVSX.
26 to 27 April 2026: Socket Security identifies 73 new cloned sleeper extensions on OpenVSX. At least six are confirmed activated and delivering malware. BleepingComputer and The Hacker News publish reporting within the 24-hour window.
28 April 2026 (report date): Wave 2 active. OpenVSX moderation response status not confirmed in registered sources.

elementary-data PyPI Backdoor:
Approximately 26 to 27 April 2026: Attacker posts malicious pull request comment triggering GitHub Actions script injection. GITHUB_TOKEN exfiltrated. Malicious version 0.23.3 forged, signed, and pushed to PyPI and GitHub Container Registry with Docker tags 0.23.3 and latest.
Shortly after discovery: Clean version 0.23.4 published to PyPI. Docker latest tag reverted to clean build.
27 to 28 April 2026: BleepingComputer and StepSecurity publish reporting within the window.
28 April 2026 (report date): Incident partially resolved at the package level. Credential rotation and environment rebuilds ongoing for affected organizations.

Apache ActiveMQ CVE-2026-34197:
6 April 2026: Horizon3.ai (non-registry) discloses CVE-2026-34197. NVD record created.
7 April 2026: Canadian Centre for Cyber Security issues advisory AV26-330.
8 April 2026: Researcher publishes account of using AI-assisted static analysis to discover the 13-year-old flaw.
Approximately 16 April 2026: CISA adds CVE-2026-34197 to the KEV catalog. Federal remediation deadline set for 30 April 2026.
28 April 2026 (report date): Over 6,400 internet exposed instances remain unpatched. Deadline T minus 48 hours.
30 April 2026: CISA KEV federal remediation deadline.

CISA KEV Expansion: SimpleHelp, Samsung MagicINFO 9, D-Link DIR-823X:
CVE assignment dates range from 2024 to 2025, reflecting original vulnerability discovery timelines across the three products. Active exploitation confirmed in CISA intelligence prior to KEV listing.
24 April 2026: CISA adds CVE-2024-57726, CVE-2024-57728, CVE-2024-7399, and CVE-2025-29635 to the KEV catalog. Federal remediation or discontinuation deadline set for 8 May 2026.
26 to 27 April 2026: cybersecurity-help.cz and SecurityWeek publish coverage.
28 April 2026 (report date): Deadline T minus 10 days.
8 May 2026: CISA KEV federal remediation deadline.

Microsoft April 2026 Patch Tuesday KEV Cluster:
14 April 2026: Microsoft releases April 2026 Patch Tuesday covering 167 CVEs. CVE-2026-32201 and CVE-2026-33825 included. CVE-2026-32201 was exploited as a zero day before this patch.
Approximately 21 April 2026: BleepingComputer reports over 1,300 unpatched internet exposed SharePoint servers remain under active attack.
Approximately 25 April 2026: CISA adds CVE-2026-32201 and CVE-2009-0238 to the KEV catalog. Federal deadline set for 28 April 2026.
26 April 2026: CrowdStrike publishes April 2026 Patch Tuesday analysis covering CVE-2026-33827 and CVE-2026-33826.
28 April 2026 (report date): SharePoint federal KEV deadline elapsed. Active exploitation ongoing.

Vercel and Context.AI OAuth Supply Chain:
Approximately February 2026: Context.AI employee infected with Lumma Stealer. OAuth tokens exfiltrated from the employee's machine. Source: Trend Micro (non-registry).
Approximately March 2026: Attacker uses stolen OAuth token to access a Vercel employee's Google Workspace. Internal Vercel system enumeration begins. Source: Trend Micro (non-registry).
Approximately 19 April 2026: Vercel publishes security bulletin. Breach attributed to Context.AI OAuth chain.
Approximately 19 April 2026: BreachForums listing of stolen Vercel customer environment variable data published at $2 million. Source: OX Security (non-registry).
28 April 2026 (report date): BreachForums listing active. Customer secret rotation ongoing.

ShinyHunters ADT and Medtronic:
Date not confirmed in registered sources: ShinyHunters conducts vishing attack against ADT employee's Okta SSO account. Salesforce exfiltration of 5.5 million individual records follows.
Approximately 27 to 28 April 2026: ADT publicly confirms breach. Medtronic confirms system access. BleepingComputer and Have I Been Pwned independently confirm the ADT dataset. ShinyHunters' dual extortion claims published.
28 April 2026 (report date): ADT investigation active. Medtronic data scope investigation ongoing. Regulatory notifications anticipated.