Canadian Cyber Security Journal

Cybersecurity Daily Brief — Monday, April 20, 2026

Here are today’s top cybersecurity stories for Monday, April 20, 2026.

Vercel Confirms Breach Stemming From Context.ai OAuth Compromise
Web infrastructure provider Vercel confirmed a security incident after attackers compromised Context.ai, a third-party AI productivity tool used by a Vercel employee. The attacker abused a hijacked Google Workspace OAuth token to access Vercel’s internal environment variables. A threat actor — claiming to represent ShinyHunters, a claim the group denied — listed customer API keys, source code, and internal credentials for $2 million on a criminal forum. Vercel says hundreds of users across many organisations are affected and is urging customers to rotate secrets immediately. BleepingComputer | The Hacker News

ZionSiphon OT Malware Targets Israeli Water Treatment and Desalination ICS Systems
Researchers at Darktrace published an analysis of ZionSiphon, a politically motivated OT malware sample designed to tamper with chlorine dosing and pressure controls at Israeli water treatment and desalination plants, including Mekorot and four major seawater facilities. The malware uses Modbus, DNP3, and S7comm protocols, and attempts USB propagation and persistence. A logic flaw in the country-validation routine currently prevents the payload from executing, but Darktrace warns the code demonstrates growing threat-actor investment in ICS-targeted attack tooling. BleepingComputer | SecurityWeek

Microsoft Releases Emergency OOB Patches KB5091157 and KB5091575 for Domain Controller Reboot Loops
Microsoft released out-of-band updates KB5091157 (Windows Server 2025) and KB5091575 (Windows Server 2022) on April 19 to resolve LSASS crashes and continuous domain controller reboot loops triggered by the April 2026 Patch Tuesday update KB5082063. Affected environments are multi-domain forests using Privileged Access Management, where domain controllers enter restart cycles that block authentication and directory services. The emergency patches are available through Windows Update and the Microsoft Update Catalog and do not require a system restart. BleepingComputer | The Register

NKAbuse Blockchain Backdoor Deployed Through Marimo CVE-2026-39987 via Typosquatted Hugging Face Space
Sysdig Threat Research published new findings showing attackers have escalated exploitation of Marimo CVE-2026-39987, deploying a previously undocumented NKAbuse variant — a Go-based backdoor using the NKN blockchain for command-and-control — staged through a typosquatted Hugging Face Space. Between April 11 and April 14, researchers logged 662 exploit events from 11 unique IP addresses across 10 countries. The campaign disguises the malware binary as “kagent,” mimicking a legitimate Kubernetes AI agent framework. BleepingComputer | Sysdig

766 Next.js Hosts Compromised as Attackers Exploit CVE-2025-55182 for Large-Scale Credential Theft
A threat cluster that Cisco Talos tracks as UAT-10608 exploited CVE-2025-55182 — a CVSS 10.0 remote code execution flaw in Next.js React Server Components — to compromise at least 766 hosts across cloud environments and steal AWS credentials, SSH private keys, GitHub tokens, Stripe API keys, and database connection strings. Attackers deployed the NEXUS Listener framework in an automated campaign driven by Shodan and Censys scanning. Organisations running self-hosted Next.js applications should apply patches and audit secrets immediately. The Hacker News

RedSun and UnDefend Windows Defender Zero-Days Remain Unpatched as Exploitation Continues
Researcher Chaotic Eclipse dropped a second fully functional Windows local privilege escalation exploit — RedSun — on April 16, two days after releasing UnDefend, a denial-of-service flaw blocking Defender definition updates. Microsoft patched the first of the trio (BlueHammer, CVE-2026-33825) in April Patch Tuesday, but RedSun and UnDefend remain unaddressed with no patch timeline announced. Huntress confirmed all three are actively exploited in the wild on fully patched Windows 10, Windows 11, and Windows Server systems. The Hacker News | Help Net Security

ZionSiphon Analysis Highlights Growing OT Malware Development Trend Among Threat Actors
Beyond ZionSiphon’s targeting of Israeli water infrastructure, Darktrace’s full report notes the malware represents part of a wider trend of threat actors investing in purpose-built OT attack tooling, including custom protocol parsers for Modbus and DNP3, USB propagation mechanisms for air-gapped environments, and sabotage logic targeting physical process parameters. The finding follows earlier 2026 disclosures of Iranian-affiliated actors exploiting internet-exposed Rockwell Allen-Bradley PLCs in US critical infrastructure sectors, documented in CISA Alert AA26-097A. Darktrace

Fortinet April Advisory Round-Up: FortiSandbox OS Command Injection Among 11 New Patches
Fortinet’s April advisory release addresses 11 vulnerabilities across FortiSandbox, FortiOS, FortiProxy, FortiAnalyzer, FortiManager, FortiPAM, and FortiSwitchManager. The most critical is CVE-2026-39808 (CVSS 9.1), an OS command injection in FortiSandbox allowing unauthenticated remote code execution, alongside CVE-2026-39813 (CVSS 9.1), a path traversal authentication bypass. Organisations using Fortinet products should prioritise the April advisory updates. The Hacker News

Stay tuned for today’s in-depth analysis posts.
