Published Apr 27, 2026 · Updated May 18, 2026 · 1 source

Weekly Threat Intelligence Roundup: Vercel Breach, Bitwarden Supply-Chain Attack, and Critical Microsoft Patch

Check Point's weekly threat report details a Vercel breach via compromised OAuth tokens, a Bitwarden supply-chain attack, and critical out-of-band patches from Microsoft for ASP.NET Core.

Check Point Research has released its weekly Threat Intelligence Bulletin for April 27, 2026, covering a wide range of active attacks, breaches, and critical vulnerabilities. The report highlights a security incident at Vercel, a frontend cloud platform, linked to a compromise at Context.ai. Stolen OAuth tokens enabled unauthorized access through a connected app, exposing employee information, internal logs, and a subset of environment variables. Vercel stated that the most sensitive secrets were not included in the breach.

In a separate supply-chain attack, Bitwarden, a popular password manager, disclosed that a malware-tainted CLI release (version 2026.4.0) was published to npm on April 22 after a hijacked GitHub account was abused. The malicious release was downloaded by 334 developers during a brief window, potentially exposing their credentials. Bitwarden confirmed that vault data remained unaffected, but the incident underscores the growing risk of supply-chain compromises targeting developer tools.

Microsoft issued out-of-band fixes for CVE-2026-40372, a critical privilege escalation vulnerability in ASP.NET Core rated 9.1 on the CVSS scale. The bug affects Data Protection versions 10.0.0 to 10.0.6 and could allow attackers to forge cookies and antiforgery tokens, impersonate users, and gain SYSTEM-level access on Linux or macOS deployments. The patch is available immediately, and administrators are urged to apply it as soon as possible.

Apple also released fixes for CVE-2026-28950, a Notification Services vulnerability in iOS and iPadOS that retained deleted alerts and allowed recovery of sensitive message previews. The flaw affected many iPhone and iPad models and could enable forensic access with device possession, potentially allowing law enforcement agencies to access incoming messages from encrypted messaging apps.

Active exploitation was reported for CVE-2026-33626, a high-severity server-side request forgery (SSRF) vulnerability in LMDeploy, an open-source toolkit for deploying large language models. Attackers began exploiting the flaw within 13 hours of disclosure, abusing the image loader to reach cloud metadata, probe internal services, and support lateral movement. Additionally, end-of-life D-Link DIR-823X routers are being targeted by CVE-2025-29635, a remote code execution flaw exploited to deploy a Mirai-based botnet for DDoS attacks. No patches are expected for the affected models.

The report also covers a coordinated malvertising campaign abusing Google Ads to impersonate major cryptocurrency platforms like Uniswap, Morpho, and Ledger. The operation uses Google-hosted redirect pages, cloaking, and cloned sites to deploy wallet drainers, seed phrase theft pages, and fake extensions, resulting in at least $1.27 million stolen. Other incidents include a data breach at France Titres, the French authority for identity documents, and a breach at UK Biobank involving de-identified health data of 500,000 volunteers.

Check Point Research also analyzed The Gentlemen ransomware-as-a-service operation, which emerged in 2025 and offers encryptors for multiple platforms. The report details its underground recruitment, leak site model, and use of SystemBC proxy infrastructure. Additionally, researchers mapped a Mustang Panda espionage campaign targeting India's banking sector and South Korean policy circles, deploying the updated LOTUSLITE backdoor via HDFC-themed help files and fake banking pop-ups.

Synthesized by Vypr AI