April 2026 Cyber Recap: The npm Bloodbath and other topics.

Monthly Cyber Recap — April 2026

If March 2026 cracked the door open on the npm registry, April kicked it off the hinges.

The Lead: A Month That Belonged to the Supply Chain

Every month has a theme. April’s was unmistakable: the software supply chain is now the primary battleground of enterprise security, and the perimeter we thought we were defending (endpoints, identities, networks) has quietly migrated upstream into package registries, GitHub Actions, and CI/CD pipelines that almost no one is monitoring with the same rigor.

Three forces collided this month to make that obvious.

First, the Shai-Hulud worm came back for a third time, this time riding inside the Bitwarden CLI, of all things. A password manager. The tool you install specifically to reduce credential risk became, for 93 minutes on April 22, the credential-harvesting payload itself.

Second, the fallout from the late-March Axios compromise kept widening. CISA issued formal guidance on April 20. Google’s Threat Intelligence Group attributed the attack to UNC1069, a North Korea-nexus actor. Microsoft separately tied the C2 infrastructure to Sapphire Sleet. What looked like a 39-minute typosquat on March 31 turned out to be a state-aligned operation with 100 million weekly downloads as its blast radius.

Third, the threat actor known as TeamPCP went on a tear. Having already compromised Aqua Security’s Trivy scanner in March, the group hit Checkmarx on April 22, used that foothold to compromise Bitwarden’s GitHub Actions, and reportedly shares tooling with the Shai-Hulud operators. A separate “Mini Shai-Hulud” campaign targeting SAP-related npm packages spilled into PyPI on April 30, dragging PyTorch Lightning down with it.

Underneath all of this, geopolitics kept the temperature high: Iran restored partial internet access on April 17 after a 47-day near-total outage tied to Operation Epic Fury, while Iran-aligned hacktivist groups continued to probe Western OT infrastructure. And Anthropic’s announcement of Project Glasswing — a coalition spinning up defensive AI capabilities ahead of its Claude Mythos preview — signaled that AI labs themselves now see offensive-AI proliferation as the next-12-months problem.

April was, in short, the month the industry stopped treating supply chain attacks as a category and started treating them as the category.

Major Industry News

1. The Bitwarden CLI Compromise (April 22)

For roughly 93 minutes on the evening of April 22, a malicious version of @bitwarden/[email protected] was live on the npm registry. A third-party GitHub Action used in the package's pipeline, checkmarx/ast-github-action, had been compromised in a separate attack on Checkmarx, and the attackers used it to inject a worm into Bitwarden's CI/CD pipeline.

The payload, signed with the string “Shai-Hulud: The Third Coming,” harvested AWS, Azure, GCP, GitHub, npm, and SSH credentials, then exfiltrated them to public GitHub repositories under each victim’s own account. Bitwarden estimates 334 downloads of the malicious version. Vault data was not touched. CI tokens, on the other hand, were a free-for-all.

A CVE has been issued for @bitwarden/[email protected], and Bitwarden re-released 2026.3.0 as 2026.4.1.

2. Microsoft April Patch Tuesday: 168 CVEs and a Defender Zero-Day

Microsoft’s April 14 Patch Tuesday was the second-largest in the company’s history, addressing 168 vulnerabilities, eight rated Critical, and two zero-days. The headliners:

  • CVE-2026-32201: A SharePoint spoofing vulnerability exploited in the wild before patch availability.
  • CVE-2026-33825: A Microsoft Defender local privilege escalation flaw matching the publicly released “BlueHammer” exploit. Belgium’s CCB confirmed by April 21 that BlueHammer was being chained in the wild to deploy a tunneling agent dubbed BeigeBurrow.
  • CVE-2026-33824: A CVSS 9.8 unauthenticated RCE in Windows IKE Service Extensions.
  • CVE-2026-33827: A Critical RCE in the Windows TCP/IP stack, no user interaction required.

Oracle’s April Critical Patch Update added another 241 unique CVEs across 481 patches.

3. Iran’s 47-Day Internet Blackout Ends, but OT Targeting Doesn’t

Iran began restoring limited internet access on April 17, ending a 47-day near-complete blackout that began with the U.S./Israeli Operation Epic Fury. During the outage, Unit 42 identified a new threat cluster, CL-STA-1128 (Cyber Av3ngers / Storm-0784), that had pivoted from internet-exposed Unitronics PLCs to Rockwell Automation FactoryTalk infrastructure, suggesting Iran-aligned actors had pre-deployed VSAT/Starlink redundancy and never actually went dark operationally. Pro-Russian and Iran-aligned hacktivist groups (Cardinal, Handala, Tarnished Scorpius) continued to claim Israeli and U.S. targets throughout the month.

4. Project Glasswing and the AI Defense Coalition

Early in April, Anthropic launched a preview of Claude Mythos, simultaneously announcing Project Glasswing, a coalition with AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks aimed at directing Mythos’s exploit-discovery capabilities toward defensive work. Anthropic committed up to $100M in usage credits plus $4M to open-source security organizations. The UK’s NCSC published a parallel warning on April 22 that AI is now materially widening the gap between threat capability and national resilience.

5. The Adobe and Vercel Breaches

Adobe disclosed an incident in which a threat actor calling themselves “Mr. Racoon” claimed exfiltration of 13 million customer support tickets, 15,000 employee records, and submissions to Adobe’s bug bounty program. Vercel confirmed on April 19 that a compromised internal system exposed “non-sensitive” data for a limited subset of customers, notable because Vercel sits underneath a substantial portion of the AI-application development stack. Drift Protocol lost over $280M to attackers who’d been positioned for at least six months before activating on April 1.

Two of the month’s defining incidents were the focus of long-form analysis I published in April. Together, they trace a single arc: the rapid evolution from maintainer-account compromise (the Axios pattern) to CI/CD-pipeline compromise (the Bitwarden pattern), and how the same threat ecosystem is iterating on both vectors in real time.

The Axios npm Supply Chain Attack: A Complete Breakdown

Published in the immediate aftermath of the March 31 compromise, this piece walks through the full attack chain: how UNC1069 social-engineered Axios maintainer Jason Saayman through a fake company impersonation, a branded Slack workspace, and a Microsoft Teams call that ended with him installing a “fix” that exfiltrated his long-lived npm token. From there, the attackers bypassed GitHub Actions entirely and direct-published [email protected] and [email protected] with a malicious [email protected] dependency that dropped a cross-platform RAT to macOS, Windows, and Linux through a postinstall hook.

Why it matters for April: The Axios post-mortem set the template every other April incident referenced. The “absence of OIDC provenance / SLSA attestation” red flag that researchers used to spot the Axios compromise in 39 minutes is the same signal that Endor Labs and Socket leaned on three weeks later for Bitwarden. And the social-engineering playbook described here is now confirmed to have hit at least four other maintainers across npm and PyPI through April.
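The provenance red flag described above, turned into a check a defender can run against registry metadata. This is an added example, not code from the post or from the projects it names; it assumes the npm registry's dist.attestations field layout, and the packument it checks is constructed.

```python
"""Flag npm versions published without the provenance their predecessors had
(added example, not code from the post or the projects it names). The check
is the signal the post describes: an attested release followed, in publish
order, by one with no SLSA provenance attestation in its registry metadata.
The packument below is constructed; version numbers and times are made up."""
from typing import Dict, List, Tuple

SLSA_PREDICATE = "https://slsa.dev/provenance/v1"


def has_provenance(version_meta: dict) -> bool:
    """True if the registry recorded a SLSA provenance attestation for this version."""
    att = version_meta.get("dist", {}).get("attestations", {})
    return att.get("provenance", {}).get("predicateType") == SLSA_PREDICATE


def provenance_downgrades(packument: dict) -> List[Tuple[str, str]]:
    """(previous_version, suspect_version) pairs where an attested release was
    followed, in publish-time order, by an unattested one."""
    times: Dict[str, str] = packument.get("time", {})  # also holds created/modified
    versions = packument.get("versions", {})
    ordered = sorted((v for v in versions if v in times), key=lambda v: times[v])
    findings = []
    for prev, cur in zip(ordered, ordered[1:]):
        if has_provenance(versions[prev]) and not has_provenance(versions[cur]):
            findings.append((prev, cur))
    return findings


def attested(url: str = "<attestation-url>") -> dict:
    """Constructed dist block shaped like a provenance-published version."""
    return {"dist": {"attestations": {"url": url,
                                      "provenance": {"predicateType": SLSA_PREDICATE}}}}


# Constructed packument: two attested releases, then one that appears with no
# attestation at all, the pattern the post describes as the tell-tale signal.
SAMPLE_PACKUMENT = {
    "name": "example-pkg",
    "time": {"created": "2026-03-01T10:00:00.000Z",
             "1.0.0": "2026-03-01T10:00:00.000Z",
             "1.0.1": "2026-03-15T10:00:00.000Z",
             "1.0.2": "2026-03-31T12:00:00.000Z"},
    "versions": {"1.0.0": attested(), "1.0.1": attested(), "1.0.2": {"dist": {}}},
}

if __name__ == "__main__":
    for prev, cur in provenance_downgrades(SAMPLE_PACKUMENT):
        print(f"{prev} carried provenance, {cur} does not: hold until verified")
```

Against a live registry the packument is what `https://registry.npmjs.org/<name>` returns; a finding means the new version should be held until its publish path is explained, not that it is necessarily malicious.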


93 Minutes on npm: Inside the Bitwarden CLI Supply Chain Attack

This is the technical companion piece for April 22. It maps the Shai-Hulud worm’s behavior to the NHI (Non-Human Identity) Kill Chain I’ve been documenting all month, walks through the GitHub Actions compromise that delivered the malicious tarball via OIDC trusted publishing, and gives readers a 10-minute checklist to determine whether their pipelines were affected during the 5:57 PM — 7:30 PM ET window.

Why it matters for April: Where Axios was a compromised human, Bitwarden was a compromised machine identity — specifically, a third-party GitHub Action with id-token: write permission. This is the more dangerous evolution, because no amount of phishing-resistant MFA on maintainer accounts protects you from an OIDC token issued to a workflow you didn't even know was running in your pipeline. Read together, the two pieces show how the same actors are attacking from both ends of the trust graph at once.
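A defender-side check for the condition just described, a third-party action running in a job that holds id-token: write. Added example, not code from the post, Bitwarden or Checkmarx; it takes a workflow already parsed into a dict, and the action names and both workflows are constructed.

```python
"""Report steps that can reach a workflow's OIDC token (added example, not
code from the post, Bitwarden or Checkmarx). Input is a workflow already
parsed with yaml.safe_load (loading omitted). A finding is a non-local action
not pinned to a full commit SHA, in a job whose effective permissions include
id-token: write. Action names below are constructed placeholders."""
import re

SHA_PIN = re.compile(r"@[0-9a-f]{40}$")


def effective_permissions(workflow: dict, job: dict) -> dict:
    """A job-level permissions block replaces the workflow-level one."""
    perms = job.get("permissions", workflow.get("permissions", {}))
    return perms if isinstance(perms, dict) else {}


def risky_oidc_steps(workflow: dict) -> list[str]:
    """'job/stepN -> action' for unpinned external actions in id-token: write jobs."""
    findings = []
    for job_name, job in workflow.get("jobs", {}).items():
        if effective_permissions(workflow, job).get("id-token") != "write":
            continue
        for i, step in enumerate(job.get("steps", [])):
            uses = step.get("uses", "")
            if uses and not uses.startswith("./") and not SHA_PIN.search(uses):
                findings.append(f"{job_name}/step{i} -> {uses}")
    return findings


# Constructed: token granted workflow-wide, so the scanner job can mint it too.
WEAK = {
    "permissions": {"contents": "read", "id-token": "write"},
    "jobs": {
        "scan": {"steps": [{"uses": "example-vendor/scan-action@v2"}]},
        "publish": {"steps": [{"uses": "actions/checkout@v4"},
                              {"run": "npm publish --provenance"}]},
    },
}
# Constructed: token only in the publish job, which runs no external action.
HARDENED = {
    "permissions": {"contents": "read"},
    "jobs": {
        "scan": {"steps": [{"uses": "example-vendor/scan-action@" + "a" * 40}]},
        "publish": {"permissions": {"contents": "read", "id-token": "write"},
                    "steps": [{"run": "npm publish --provenance"}]},
    },
}

if __name__ == "__main__":
    for label, wf in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, risky_oidc_steps(wf) or "no findings")
```

SHA pinning narrows what a moved tag can deliver, but the control that matters here is the scoping shown in HARDENED: a job that can mint the OIDC token should contain nothing but the publish step.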


Reach out if you have questions or comments, or if you want to collaborate.

Session Messenger: 059db238ab37c3d92615c5cc24b694da29c598cc13e27886053722404118e14271

Sigmund Brandstaetter
I love writing about all things Cybersecurity and I also do maintain a Youtube Channel.

https://www.linkedin.com/in/sigmundbrandstaetter/