Hello, stay ahead with CISO Brief 🚀

🔒 Unit 42 demonstrates Zealot, a multi-agent LLM proof of concept that autonomously chained well-known cloud exploits in an isolated GCP sandbox. The system coordinated specialist agents to perform reconnaissance, exploit an SSRF vulnerability, steal metadata service credentials, impersonate service accounts and exfiltrate BigQuery data without step-by-step human prompts. The report emphasizes that AI acts as a force multiplier—accelerating exploitation of misconfigurations rather than inventing novel techniques—and urges defenders to harden metadata access, enforce least privilege and adopt machine-speed detection and response.

🔒 Forcepoint researchers have uncovered 10 distinct indirect prompt injection (IPI) payloads embedded in web content that instruct AI agents to perform malicious real‑world actions such as financial fraud, data destruction and API key exfiltration. The attacks poison pages so that browsing or summarizing agents ingest and execute attacker directives, often overriding prior safeguards. Forcepoint warns risk scales with AI privilege and highlights threats to agentic tools integrated into IDEs, payment flows and automation pipelines.

🔒 Microsoft will integrate Anthropic’s Mythos Preview into its Security Development Lifecycle, using the model alongside other advanced AI to surface vulnerabilities earlier in the software development process. The company says the move aims to strengthen and harden core products including Windows, Azure, and Microsoft 365 by improving automated detection and secure coding. Analysts note the shift signals frontier models moving from experimental tools into standard engineering workflows while raising dual-use concerns.

🛡️ ESET reports a previously undocumented China-aligned APT, tracked as GopherWhisper, has compromised Mongolian governmental systems with a modular suite of backdoors and loaders. The actor primarily uses tools written in Go and abuses legitimate services — including Discord, Slack, Microsoft 365 Outlook, and file[.]io — for command-and-control and data exfiltration. ESET found about 12 infected systems at one institution and telemetry from attacker-controlled Discord and Slack suggests additional victims. Message timestamps and Slack locale align with China Standard Time, supporting a China-aligned assessment.

🔐 The UK’s National Cyber Security Centre (NCSC) now recommends passkeys as the preferred sign-in method for consumers, advising passwords only when passkeys are unavailable. This follows a year of collaboration with the FIDO Alliance, observed improvements across the passkey ecosystem and successful NHS deployments. The NCSC also urges businesses to adopt passkeys as the default and to use single sign-on (SSO) where possible, with additional business guidance expected.

🔒 Vercel said it has identified an additional set of customer accounts compromised as part of an incident after expanding its indicators of compromise and reviewing network requests and environment‑variable read events. The company reported a small number of accounts showing prior compromise that predates this incident and may stem from social engineering, malware, or other methods, and confirmed it notified affected parties. Investigators traced the chain to a compromise of Context.ai that allowed takeover of a Google Workspace account and pivoting into Vercel; further analysis points to Lumma Stealer as a likely initial payload.

🔒 Apple released patches for iOS and iPadOS to fix a Notification Services logging flaw that could retain notifications marked for deletion. Tracked as CVE-2026-28950, the issue was addressed by improving data redaction so deleted alerts are no longer preserved. Affected models were fixed in iOS 26.4.2/iPadOS 26.4.2 and in iOS/iPadOS 18.7.8 for other devices. The update follows reporting that copies of Signal messages were forensically extracted from push notification storage.

⚠ Forescout's BRIDGE:BREAK study finds serial-to-Ethernet adapters widely shipped with outdated kernels and insecure open-source components, exposing industrial, healthcare, and retail equipment to attack. Researchers report firmware images averaged roughly 80 OSS components and nearly 2,500 known vulnerabilities with public exploits present. Manual analysis uncovered 22 new flaws in Lantronix and Silex devices enabling RCE, authentication bypass, firmware tampering, and device takeover. Vendors released patches; operators should patch, remove internet exposure, enforce strong credentials, segment networks, and monitor for misuse.

🔍 Claude Mythos Preview uncovered 271 security flaws in Firefox 148, all addressed in Firefox 150, prompting claims that the model can match human researchers in vulnerability discovery. Mozilla and security experts say Mythos closed significant gaps left by fuzzing and automation, though Anthropic is investigating reported unauthorized access to the model. Teams are urged to adopt continuous AI-assisted testing and treat models as privileged infrastructure.

🛡️ Security researchers at Socket and StepSecurity have identified malicious versions of pgserve and automagik published to the npm registry that execute a credential-harvesting payload during installation. The trojans collect tokens, SSH keys, cloud credentials (AWS, Azure, GCP), browser passwords and crypto wallet funds, and attempt to propagate by using any npm publish tokens found on infected machines. Stolen data is encrypted and exfiltrated to a decentralized ICP canister, chosen specifically to resist takedown. Developers are urged to rotate all credentials immediately, disable automatic postinstall scripts (npm config set ignore-scripts true), harden CI/CD egress and tighten token scopes.

🚀 At Google Cloud Next ’26, Google presented a unified stack to move AI into enterprise production, anchored by Gemini Enterprise as the connective tissue between data, people, and goals. Key launches include the Gemini Enterprise Agent Platform for building, scaling, governing, and optimizing agents, and the AI Hypercomputer with next-generation TPU 8 chips. Google also outlined the Agentic Data Cloud to ground agents in enterprise context, expanded security agents in Agentic Defense, Workspace Intelligence enhancements, and cross-cloud data capabilities to accelerate real-world deployment.

🔐 A tip‑line operator that handled anonymous reports for 35,000 U.S. schools suffered a major breach after an attacker exploited an XSS flaw in a LeverTip chat box and stole a staff session cookie via social engineering. The intruder exfiltrated 91 GB (≈8.3M tip records), some dating back decades, and offered the dataset for sale. Separately, Rockstar Games experienced a third‑party compromise that exposed partial data, including internal financial figures. Both incidents underscore failures in basic web hygiene, third‑party controls, and incident transparency.

🔒 Apple released out-of-band updates for iPhone and iPad to address a Notification Services flaw that could leave deleted notifications stored on the device. The bug, tracked as CVE-2026-28950, was patched on April 22, 2026 in iOS 26.4.2, iPadOS 26.4.2, iOS 18.7.8 and iPadOS 18.7.8. Apple says the issue was resolved through improved data redaction but provided no further technical details or confirmation of exploitation. Users are advised to install the updates promptly.

🧑‍💻 Amazon SageMaker Unified Studio now lets data workers create and manage multiple code spaces within a single project for IAM domains. Each space maintains its own persistent Amazon EBS volume and independent compute and storage settings, and can be paused, resumed, or connected to a local IDE while preserving files and session state. This enables parallel workstreams and isolated experiments with tailored runtimes and is available in all Regions where SageMaker Unified Studio is offered.

🔒 A new Mirai-based campaign is actively exploiting CVE-2025-29635, a command-injection RCE that affects D-Link DIR-823X routers, to enlist devices into a botnet. Akamai's SIRT observed the activity in March 2026 and found attackers downloading and executing a shell script that installs a multi-architecture Mirai variant called tuxnokill. The affected DIR-823X line reached end of life in November 2024 and is unlikely to receive a vendor patch. Users are advised to replace EoL devices, disable remote administration, change default passwords, and monitor for configuration changes.

🚀 Amazon has launched EC2 C8i-flex instances in Europe (Ireland, London) and Asia Pacific (New Zealand). Powered by custom Intel Xeon 6 processors exclusive to AWS, C8i-flex deliver up to 15% better price-performance and 2.5x the memory bandwidth versus prior Intel-based instances, and up to 20% higher throughput than C7i-flex. AWS reports workload-specific gains — up to 60% faster NGINX, 40% for deep learning recommendation models, and 35% for Memcached — and offers sizes from large to 16xlarge purchasable via Savings Plans, On-Demand, and Spot.

⚡ Starting today, Amazon EC2 C8i instances are available in Europe (Ireland) and Asia Pacific (New Zealand). Powered by AWS-exclusive custom Intel Xeon 6 processors, C8i delivers up to 15% better price-performance and 2.5x the memory bandwidth versus previous Intel-based instances, and up to 20% higher performance than C7i. AWS reports workload-specific gains — up to 60% faster for NGINX, 40% for deep learning recommendation models, and 35% for Memcached. The family includes 13 sizes (two bare metal and a new 96xlarge) and can be purchased via Savings Plans, On-Demand, or Spot.

🔒 Rapid7 analyzed two Kyber ransomware variants discovered in March 2026 that were deployed on the same network: one targeting VMware ESXi and one targeting Windows file servers. The ESXi build advertises post‑quantum Kyber1024 but instead uses ChaCha8 for file encryption and RSA‑4096 for key wrapping. The Windows variant, written in Rust, implements Kyber1024 and X25519 to protect symmetric keys while using AES‑CTR for bulk file encryption, and includes destructive routines such as service termination, backup deletion and an experimental Hyper‑V shutdown.