Live threat intelligence from multiple sources. Updated every 6 hours.
The UK NCSC now advises all services to adopt passkeys (FIDO2) wherever possible, citing superior resistance to phishing, credential reuse, and session hijacking. This shift has direct implications for third‑party risk management, urging organizations to verify that their vendors support passkey authentication.
Cisco is in talks to buy Astrix Security, a startup that secures AI‑driven, non‑human identities. The deal, valued at $250‑$350 million, expands Cisco’s IAM portfolio and introduces new supply‑chain considerations for enterprises relying on Cisco security products.
Nation-State Hits Now Comprise Majority of Serious Incidents Probed by Government. British intelligence officials said they investigate about four major incidents per week, with the majority involving nation-state actors. Officials said the shape and scope of how cyberattacks are being wielded by the nation's adversaries continue to change as fast as the technology evolves.
A private Discord community leveraged stolen contractor credentials and leaked endpoint information to gain unauthorized access to Anthropic’s Claude Mythos preview AI model. The breach underscores supply‑chain credential risks for high‑impact AI services and prompts immediate third‑party risk reviews.
Merck has signed a multi‑year, up‑to‑$1 billion agreement with Google Cloud to embed the Gemini Enterprise agentic‑AI platform across its drug‑development lifecycle. The collaboration widens the third‑party risk surface, introducing critical cloud‑AI services into core pharmaceutical processes.
TrendAI’s Tom Kellermann warns that nation‑state actors and cybercriminals are now using autonomous, AI‑powered attack chains that operate at machine speed, demanding AI‑augmented telemetry and global threat intelligence for effective third‑party risk management.
Attackers accessed Rockstar Games’ internal network, leaking limited player data and revealing that GTA Online generates roughly $0.5 billion annually while Red Dead Redemption does not. The breach highlights financial‑data exposure risks for entertainment vendors.
SentinelOne Labs uncovered that low‑cost Chinese video doorbells and security cameras ship with hard‑coded root passwords and route video streams to servers in Hong Kong and mainland China. The opaque ownership structure and lack of firmware support create a supply‑chain risk that can compromise corporate networks and violate data‑residency regulations.
Apple released emergency updates to close CVE‑2026‑28950, a flaw that allowed deleted notifications to persist on iOS devices. The issue could expose sensitive message content, making it a priority for organizations with BYOD or iOS‑dependent workflows.
A command‑injection flaw (CVE‑2025‑29635) in end‑of‑life D‑Link DIR‑823X routers is being actively exploited by a Mirai‑derived botnet. The vulnerability enables remote code execution, allowing attackers to enlist routers into a DDoS‑capable network, posing a supply‑chain risk for organisations that still run legacy networking gear.
Google introduced Workspace Intelligence, an AI layer that reads Workspace content to provide context‑aware assistance while promising that data stays within the organization and is not used for external model training. TPRM teams must evaluate new data flows, regional storage options, and DLP integration.
Vonage has teamed up with Girls Who Code to create a responsible‑AI talent pipeline, offering workshops and mentorship that emphasize bias mitigation, transparency, and ethical governance. The program signals to customers and regulators that Vonage is proactively managing AI risk, a factor TPRM teams must now evaluate in vendor assessments.
Rapid7 identified two Kyber ransomware variants that encrypt Windows file servers and VMware ESXi hosts using post‑quantum Kyber1024 and classic RSA‑4096. The campaign, linked to a multi‑billion‑dollar U.S. defense contractor, deletes backups and disables services, raising supply‑chain risk for critical‑infrastructure vendors.
Mozilla released Firefox 150, fixing 271 security bugs identified by Anthropic’s Mythos AI. The rapid AI‑driven discovery underscores the need for vigilant third‑party patch management across all industries that rely on the browser.
Criminals are leasing massive SIM‑farm infrastructures to launch automated phishing, smishing and robocall attacks that appear to come from local numbers. The abuse of legitimate telecom resources creates a hidden, high‑volume threat vector that can compromise personal data and financial assets, making it a critical concern for third‑party risk managers.
Mastodon experienced a major DDoS attack on April 20, 2026, following a similar incident on Bluesky. The outage lasted several hours before mitigation restored service. Third‑party risk managers should reassess DDoS resilience of external SaaS and API providers.
Anthropic reports that a Discord‑based threat group breached a vendor integration and accessed its Claude Mythos AI model, raising concerns over intellectual‑property theft and third‑party access controls for AI SaaS providers.
Threat actors hijacked the official Checkmarx KICS Docker Hub repository and VS Code Marketplace, overwriting legitimate images and publishing malicious extensions. Organizations using KICS risk injecting malware into CI/CD pipelines, making this a critical supply‑chain concern for third‑party risk managers.
Google rolled out three AI capabilities—Auto Browse, Skills, and Gemini Summary—to Chrome Enterprise, enabling autonomous browser actions and reusable prompts while giving IT teams new visibility and controls over AI usage. TPRM teams must assess data‑flow impacts and configure safeguards.
A new phishing campaign pretends to be an Apple purchase confirmation for an $899 iPhone, tricking recipients into clicking malicious links that harvest Apple ID credentials. The attack threatens enterprises that rely on Apple IDs for device management and SSO, making it a high‑priority TPRM concern.
Threat actors are abusing Microsoft Teams to pose as IT support, tricking users into revealing credentials or installing remote‑access tools. The resulting lateral movement can lead to corporate data exfiltration, making it a critical concern for third‑party risk managers.