Weekly Cyber Threat Digest: April 27th – Major Breaches, AI Exploits, and Critical Patches

Introduction

This week's cyber threat landscape has been marked by a series of high-profile breaches targeting cloud platforms, identity authorities, health research organizations, and password managers. Simultaneously, new AI-driven attack tools and critical software vulnerabilities have emerged, demanding immediate attention from security teams. Below, we break down the most significant incidents and patches reported as of April 27th.

Source: research.checkpoint.com

Top Attacks and Breaches

Vercel and Context.ai – OAuth Token Compromise

Frontend cloud platform Vercel disclosed a security incident linked to a compromise at Context.ai. Stolen OAuth tokens enabled unauthorized access through a connected application, exposing employee information, internal logs, and a subset of environment variables. Vercel stated that the most sensitive secrets were not included in the breach. The incident highlights risks associated with third-party integrations and token management.

France Titres Data Breach

France Titres, the French authority for identity and registration documents, detected a data breach on April 15. The incident may have exposed names, birth dates, email addresses, login IDs, and some physical addresses and phone numbers. A hacker has offered purported agency data for sale on the dark web. Affected individuals should monitor for identity theft and phishing attempts.

UK Biobank Breach – Health Data on Sale

The UK Biobank, a major research organization, confirmed a breach after de-identified health data on 500,000 volunteers was advertised for sale on Chinese marketplaces. Officials said the listings were removed and believed unsold, but as a precaution, access was suspended, the research platform was shut down, and download limits were imposed. The incident raises concerns about the security of genomic and health datasets.

Bitwarden Supply-Chain Attack via npm

Popular password manager Bitwarden suffered a supply-chain attack after a malware-tainted CLI release was published to npm on April 22. Version 2026.4.0 was installed by 334 developers during a brief window, potentially exposing credentials. A hijacked GitHub account was abused to push the malicious package, but Bitwarden confirmed vault data remained unaffected. Developers who installed the version should rotate credentials immediately.
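A quick way for a team to confirm whether the tainted release reached any of its projects is to scan npm lockfiles for that exact version. The script below is an added example, not Bitwarden's own tooling; it assumes the CLI is published under the npm name `@bitwarden/cli` and handles both the v1 (`dependencies`) and v2/v3 (`packages`) lockfile layouts. The sample lockfile is constructed for the demonstration.

```python
"""Scan npm lockfiles for the malware-tainted Bitwarden CLI release (2026.4.0).

Added example, not Bitwarden's code. Assumes the package name '@bitwarden/cli';
the version number comes from the incident report. SAMPLE_LOCKFILE is constructed.
"""
import json
import sys
from typing import Dict, List

TAINTED_PACKAGE = "@bitwarden/cli"   # assumed npm package name
TAINTED_VERSION = "2026.4.0"          # version named in the report


def find_tainted(lockfile: Dict) -> List[str]:
    """Return lockfile entries (paths or dependency chains) pinning the tainted version."""
    hits: List[str] = []
    if "packages" in lockfile:
        # npm lockfile v2/v3: keys are 'node_modules/<name>' install paths
        for path, meta in lockfile["packages"].items():
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            if name == TAINTED_PACKAGE and meta.get("version") == TAINTED_VERSION:
                hits.append(path)
        return hits

    # npm lockfile v1: nested 'dependencies' tree, walked recursively
    def walk(deps: Dict, chain: str) -> None:
        for name, meta in deps.items():
            here = f"{chain}{name}"
            if name == TAINTED_PACKAGE and meta.get("version") == TAINTED_VERSION:
                hits.append(here)
            walk(meta.get("dependencies", {}), here + " > ")

    walk(lockfile.get("dependencies", {}), "")
    return hits


def scan_file(path: str) -> List[str]:
    """Load a package-lock.json from disk and report tainted entries."""
    with open(path, encoding="utf-8") as fh:
        return find_tainted(json.load(fh))


# Constructed sample: a v3 lockfile that pulled in the tainted CLI version.
SAMPLE_LOCKFILE = {
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/@bitwarden/cli": {"version": "2026.4.0"},
        "node_modules/left-pad": {"version": "1.3.0"},
    },
}

if __name__ == "__main__":
    for lock in sys.argv[1:] or []:
        print(lock, scan_file(lock) or "clean")
    print("sample:", find_tainted(SAMPLE_LOCKFILE))
```

Any hit means the credentials available to that build or developer machine should be rotated, as the report advises.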

AI-Related Threats

Unauthorized Access to Anthropic's Claude Mythos Preview

Researchers flagged unauthorized access to Anthropic’s Claude Mythos Preview, an unreleased AI cyber model, through a third-party vendor environment. A small Discord group reportedly used shared contractor accounts, API keys, and predictable URLs to reach the system. Anthropic stated it is investigating and has not seen any impact on core systems. This incident underscores the risks of sharing credentials and of predictable URL patterns in cloud environments.

AI-Assisted Exploitation: Bissa Scanner

Researchers observed Bissa Scanner, an AI-assisted exploitation platform using Claude Code and OpenClaw, designed for mass scanning, exploitation, and credential harvesting. The operation focused on exploiting the React2Shell vulnerability (CVE-2025-55182), scanning millions of targets, confirming over 900 compromises, and collecting tens of thousands of exposed environment files. This marks a worrying evolution in automated cyberattacks leveraging AI.

Google Antigravity IDE – Prompt Injection to RCE

Researchers highlighted a prompt-injection exploit chain in Google’s Antigravity agentic IDE that enabled sandbox escape and remote code execution. The flaw abused a file search tool that ran before security checks, letting attackers convert a benign prompt into system compromise, even in Secure Mode. Google has patched the vulnerability. Users are advised to update immediately.

Critical Vulnerabilities and Patches

Microsoft Out-of-Band Fix for ASP.NET Core Flaw (CVE-2026-40372)

Microsoft issued out-of-band fixes for CVE-2026-40372, a critical ASP.NET Core privilege escalation flaw rated 9.1. A bug in Data Protection versions 10.0.0 to 10.0.6 could let attackers forge cookies and antiforgery tokens, impersonate users, and gain SYSTEM-level access on Linux or macOS deployments. Patching is strongly recommended for any affected web applications.

Apple Fixes Notification Services Bug (CVE-2026-28950)

Apple released fixes for CVE-2026-28950 in iOS and iPadOS, a Notification Services bug that could allow attackers to leak sensitive data. The vulnerability was patched in recent updates. Users should ensure their devices are running the latest operating system versions.

Conclusion

The week of April 27th highlights the evolving threat landscape: from supply-chain attacks on trusted tools like Bitwarden to AI-powered exploitation platforms and critical patch gaps. Organizations should prioritize reviewing third-party access, updating software, and monitoring for unusual activity. For a deeper dive, download our full Threat Intelligence Bulletin.
