NewsDigest

Vercel breached via compromised third-party AI tool

Cybersecurity | United States | Trending | 20 sources | Digest Score: 63

Vercel, the company behind the Next.js framework and a major cloud app hosting platform, disclosed a security incident on April 19–20, 2026 after attackers used a compromised third‑party AI tool (identified as Context.ai) to abuse Google Workspace OAuth access. An attacker leveraged an employee’s “Allow All” OAuth grant to take over the employee’s account, pivot into Vercel internal systems and enumerate environment variables that were not marked as “sensitive.” Vercel says sensitive variables (encrypted at rest) show no evidence of access; a limited subset of customers had credentials exposed and were notified. A threat actor posted claims of stolen data for sale and a $2 million demand, invoking the ShinyHunters name; that group has denied involvement. Vercel engaged Mandiant and law enforcement, published an OAuth client ID as an IOC, and advised customers to rotate keys, review activity logs and enable sensitive variable protections. Vercel said Next.js, Turbopack and its open‑source projects remain unaffected and that investigation is ongoing.

NIST narrows NVD focus amid CVE surge

Cybersecurity | United States | 3 sources | Digest Score: 32

The U.S. National Institute of Standards and Technology said on April 15, 2026 it is narrowing how it enriches entries in the National Vulnerability Database (NVD) to manage a sustained surge in reported software flaws. NIST will prioritize analysis and automatic enrichment for CVEs that appear in the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities (KEV) catalog, for software used by the federal government, and for critical software as defined under Executive Order 14028. The agency said submissions rose 263% from 2020 to 2025 and that it enriched nearly 42,000 vulnerabilities last year; CVE submissions in Q1 2026 were about one-third higher than a year earlier. CVEs outside the priority criteria will still be listed but receive a “Lowest Priority” label and will not automatically get CVSS scores or other metadata unless requested by users (nvd@nist.gov). NIST also said it will avoid duplicate scoring where CNAs provide severity and will reanalyse modified CVEs only when changes materially affect core enrichment data. The move follows a backlog that began after a 2024 funding lapse and aims to stabilise long-term NVD operations while NIST develops automation.

OpenAI launches GPT-5.4-Cyber, expands TAC access

Cybersecurity | United States | 4 sources | Digest Score: 26

OpenAI on April 20, 2026 unveiled GPT-5.4-Cyber, a variant of its GPT-5.4 model fine-tuned for defensive cybersecurity tasks, and said it is scaling its Trusted Access for Cyber (TAC) programme to thousands of verified individuals and hundreds of teams. The model is described as more "cyber-permissive," lowering refusal thresholds for legitimate defensive prompts such as vulnerability discovery, binary reverse engineering and incident response, while remaining subject to usage policies and deployment constraints (including limits around zero-data-retention environments). OpenAI said it is committing support — including API credit commitments tied to its Cybersecurity Grant Program — and has onboarded large enterprises and security vendors and is working with standards bodies including the U.S. Center for AI Standards and Innovation and the UK AI Security Institute. The company framed the rollout as iterative and identity‑verified, with strong KYC and verification controls to reduce misuse. The move follows previews of rival frontier models such as Anthropic’s Mythos and sits within a wider industry push to embed frontier AI into defensive workflows while guarding against dual-use risks.

Nexcorium Mirai Variant Hijacks TBK DVRs

Cybersecurity | 3 sources | Digest Score: 4

Security vendors on April 18, 2026, warned of a new Mirai-family botnet called Nexcorium that exploits a command-injection flaw (CVE-2024-3721) in TBK DVR models — primarily DVR-4104 and DVR-4216 — to build large-scale DDoS botnets. Fortinet FortiGuard Labs and other researchers found attackers delivering a downloader script that fetches multi-architecture payloads (ARM, MIPS, x86-64), then establishes persistence via modifications to /etc/inittab, /etc/rc.local, systemd services and cron jobs. Nexcorium embeds XOR-encoded configuration data, supports multiple flood types (UDP, TCP SYN/ACK, SMTP and others), includes brute-force Telnet credentials and reuses older exploits such as CVE-2017-17215 to broaden its reach. Unit 42 and others also observed scans targeting end-of-life TP‑Link routers; CISA had previously listed related flaws in its Known Exploited Vulnerabilities catalogue. Researchers note the campaign bears markers referencing a so‑called “Nexus Team.” Organisations are advised to patch or decommission vulnerable devices, remove default credentials, apply network segmentation and monitor for abnormal outbound connections to known C2 domains.

Scottish man pleads guilty in $8m crypto hack

Cybersecurity | United States | Trending | 3 sources | Digest Score: 2

Tyler Robert Buchanan, 24, of Dundee, Scotland, pleaded guilty in the U.S. Central District of California to conspiracy to commit wire fraud and aggravated identity theft for his role in a phishing campaign that stole at least $8 million in virtual currency. Prosecutors say Buchanan and co‑conspirators ran the scheme from September 2021 to April 2023, sending hundreds of spoofed text messages that directed employees to fraudulent websites and captured login credentials. Stolen credentials and cryptocurrency seed phrases were reportedly shared on a Telegram channel administered by Buchanan. Court documents say the group targeted telecoms, IT suppliers, cloud communications firms, virtual asset companies and individuals — impacting at least a dozen companies and, in some filings, as many as 45 victims across the United States, Canada, India and the United Kingdom. Police Scotland assisted the FBI. Buchanan has been in U.S. custody since April 2025 and faces a maximum sentence of 22 years at a sentencing hearing set for Aug. 21. Several alleged co‑conspirators remain charged in U.S. courts; one has already pleaded guilty and been sentenced.