This month in Cybersecurity - April 2026 edition
This month highlighted severe vulnerabilities across the tech stack, featuring major supply-chain compromises, AI-driven exploits, and data breaches. Here is a roundup of the key cybersecurity developments you need to know:
Vercel confirms breach as hackers claim to be selling stolen data
Cloud development platform Vercel has disclosed a security breach affecting a limited number of customers, which originated from a compromised employee Google Workspace account tied to a breached third-party AI tool, Context.ai. The attacker escalated access by enumerating unencrypted “non-sensitive” environment variables, prompting Vercel to upgrade its dashboard and strongly advise users to secure their data using the platform’s encrypted variable feature. While Vercel assures that its core infrastructure and open-source projects like Next.js remain unharmed, a threat actor claiming to be part of the “ShinyHunters” group says they are actively attempting to sell allegedly stolen company data, including source code, API keys, and employee records, while reportedly demanding a $2 million ransom.
| Date: | April 11, 2026 |
|---|---|
| Source: | Bleeping Computer |
| Author: | Lawrence Abrams |
Hacker Uses Claude and ChatGPT to Breach Multiple Government Agencies
A single threat actor utilized commercial AI platforms, including Anthropic’s Claude Code and OpenAI’s GPT-4.1, to orchestrate a highly sophisticated cyberattack against nine Mexican government agencies, resulting in the theft of hundreds of millions of citizen records. Operating between December 2025 and February 2026, the attacker deeply integrated these AI tools to automate reconnaissance, execute remote commands, and rapidly develop custom exploits, compressing the attack timeline and allowing a single operator to process intelligence at the scale of an entire team. Despite the advanced AI-driven methodology, the campaign successfully exploited basic, conventional security gaps, underscoring the urgent need for organizations to address technical debt through foundational defensive practices like prompt patching, strict credential rotation, and robust network segmentation.
| Date: | April 11, 2026 |
|---|---|
| Source: | Cyber Security News |
| Author: | Dhivya |
European gym giant Basic-Fit data breach affects 1 million members
European gym giant Basic-Fit suffered a cyberattack exposing the personal and financial data of approximately one million members across six countries, including names, addresses, contact details, birth dates, and bank account information. Although the company claims the breach was stopped within minutes, attackers successfully exfiltrated data from corporate-owned clubs, while franchise systems remained secure. Basic-Fit has notified affected users and relevant data protection authorities, and while no passwords or identification documents were compromised, external security experts are actively monitoring the situation to ensure the stolen data is not leaked online.
| Date: | April 13, 2026 |
|---|---|
| Source: | Bleeping Computer |
| Author: | Bill Toulas |
New Booking.com data breach forces reservation PIN resets
Booking.com has confirmed a security breach in which hackers accessed the personal data and private property communications of an undisclosed number of customers. The compromised information includes full names, physical and email addresses, phone numbers, and reservation details, prompting the travel platform to immediately contain the issue, force PIN resets for affected bookings, and notify impacted users directly. While the company has urged customers to remain vigilant against phishing attempts and fraudulent payment requests, some users have already reported being targeted by scammers utilizing their private reservation information.
| Date: | April 13, 2026 |
|---|---|
| Source: | Bleeping Computer |
| Author: | Bill Toulas |
Brussels says EU age verification check ready amid child safety push
European Commission President Ursula von der Leyen has announced a “technically ready,” open-source EU age verification app designed to protect children from online harms and addictive social media features. Utilizing privacy-preserving “zero-knowledge proof” technology integrated with national digital identity wallets, the system allows users to verify their age without sharing personal data with tech giants like Meta and TikTok. This initiative aims to create a standardized, bloc-wide safety framework—preventing a fragmented patchwork of individual national bans like those emerging in France and Greece—while eliminating any remaining “excuses” for major platforms currently facing child safety investigations under the Digital Services Act.
| Date: | April 15, 2026 |
|---|---|
| Source: | Euronews |
| Author: | Tamsin Paternoster |
Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain Campaign
Bitwarden has confirmed a software supply chain breach where a malicious version of its command-line interface (@bitwarden/cli@2026.4.0) was briefly distributed via npm, stemming from a compromised GitHub Action tied to the broader Checkmarx campaign. The trojanized package, allegedly deployed by the threat actor TeamPCP, functions as a highly capable credential stealer that targets developer secrets, CI/CD pipelines, cloud credentials, and AI coding tool configurations before exfiltrating the data to a spoofed Checkmarx domain and public GitHub repositories. While Bitwarden quickly deprecated the malicious release and confirmed that no end-user vault data or production systems were accessed, developers who downloaded the affected package are strongly advised to immediately uninstall it, clear their caches, and rotate all exposed secrets and tokens to prevent further supply chain propagation.
| Date: | April 23, 2026 |
|---|---|
| Source: | The Hacker News |
| Author: | Ravie Lakshmanan |
Open source package with 1 million monthly downloads stole user credentials
The developers of element-data, a popular open-source tool for monitoring machine-learning systems, suffered a supply chain attack after hackers exploited a vulnerable GitHub Action via a malicious pull request to steal signing keys and account tokens. This allowed the attackers to publish a compromised version of the package (0.23.3) to PyPI and Docker, which systematically scoured victim environments for sensitive data like cloud provider keys, API tokens, and SSH keys. Although the malicious package was removed within 12 hours and the underlying workflow vulnerability patched, developers who installed the compromised version are urgently advised to assume their environments were breached, remove the package, check for specific indicators of compromise (such as the .trinny-security-update file), and immediately rotate all exposed credentials.
| Date: | April 27, 2026 |
|---|---|
| Source: | Ars Technica |
| Author: | Dan Goodin |
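
The following Python check is an added example, not code from Bitwarden, the element-data maintainers, or the articles cited above. It looks for the two compromised releases named in this roundup in a package-lock.json and in `pip freeze` output, and for the reported IoC file name under a directory. The function names and the directory to search are assumptions; the roundup does not say where the IoC file is written.

```python
import json
import os
import re

# Affected releases and IoC file name as reported in this roundup.
BAD_NPM = {"@bitwarden/cli": {"2026.4.0"}}
BAD_PYPI = {"element-data": {"0.23.3"}}
IOC_FILENAME = ".trinny-security-update"

def scan_package_lock(text):
    """Return (name, version) hits from package-lock.json text (v1-v3)."""
    lock, hits = json.loads(text), set()
    # v2/v3: flat "packages" map keyed by install path (nested copies too).
    for path, meta in lock.get("packages", {}).items():
        name = path.rpartition("node_modules/")[2]
        if meta.get("version") in BAD_NPM.get(name, ()):
            hits.add((name, meta["version"]))
    # v1: recursive "dependencies" tree keyed by package name.
    stack = [lock.get("dependencies", {})]
    while stack:
        for name, meta in stack.pop().items():
            if meta.get("version") in BAD_NPM.get(name, ()):
                hits.add((name, meta["version"]))
            stack.append(meta.get("dependencies", {}))
    return sorted(hits)

def scan_pip_pins(text):
    """Return hits from `pip freeze` / requirements lines pinned with ==."""
    pin = re.compile(r"\s*([A-Za-z0-9][\w.-]*)\s*(?:\[[^\]]*\])?\s*==\s*([^\s;#]+)")
    hits = []
    for line in text.splitlines():
        m = pin.match(line)
        if m:
            # PEP 503 normalisation: element_data, Element.Data -> element-data
            name = re.sub(r"[-_.]+", "-", m.group(1)).lower()
            if m.group(2) in BAD_PYPI.get(name, ()):
                hits.append((name, m.group(2)))
    return hits

def find_ioc_files(root):
    """Walk root and return paths of files with the reported IoC name."""
    return sorted(os.path.join(d, IOC_FILENAME)
                  for d, _, files in os.walk(root) if IOC_FILENAME in files)

if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real project.
    lock = '{"packages": {"node_modules/@bitwarden/cli": {"version": "2026.4.0"}}}'
    print(scan_package_lock(lock))
    print(scan_pip_pins("Element_Data==0.23.3\nrequests==2.32.0\n"))
```

A hit from any of the three functions means the host or pipeline should be treated as exposed and its secrets rotated, as the advisories above recommend.
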
That’s a wrap!
We’d love to hear your thoughts. Don’t hesitate to share any comments or additional news we might have missed in the Passbolt community forum.






