From foundational infrastructure changes that will quietly affect every security team's workflow, to a breach that threaded through an AI tool into one of the web's most widely used deployment platforms, this week's news demanded attention on multiple fronts at once. Here's what you need to know.
Explore this content with AI:
ChatGPT | Perplexity | Claude | Google AI Mode | Grok
Vercel breached through a compromised employee AI tool
Cloud development platform Vercel disclosed a security incident involving unauthorized access to certain internal systems. The incident originated with a compromise of Context.ai, a third-party AI tool used by a Vercel employee. The attacker used that access to take over the employee's Google Workspace account, enabling them to access some Vercel environments and environment variables that were not marked as sensitive. Hudson Rock later uncovered that a Context.ai employee was compromised with Lumma Stealer infostealer malware in February 2026, raising the possibility that the infection may have triggered the broader supply chain escalation. A limited subset of customers had their non-sensitive environment variables compromised, and Vercel assessed the attacker as highly sophisticated based on their operational velocity and detailed understanding of its systems.
Why it matters: Vercel hosts deployment infrastructure for hundreds of thousands of organizations, including Web3 teams whose wallet interfaces and dashboards run on the platform. An attacker who moves from a small AI productivity tool to a developer's Google Workspace account, and from there into platform-level environment variables, demonstrates exactly the kind of lateral movement that perimeter defenses don't catch. Shadow AI tools — and even officially sanctioned third-party AI integrations — now represent a meaningful initial access vector. Organizations should inventory every AI tool with access to employee accounts and treat OAuth integrations as third-party vendors subject to the same vetting as any other supplier.
Read more at The Hacker News
NIST stops enriching most CVEs as vulnerability volume surges 263%
CVE submission volumes have increased by more than 260% in recent years and continue to accelerate into 2026. While NIST enriched roughly 42,000 vulnerabilities in 2025, it can no longer keep pace with the increasing volume. Under a new risk-based model effective April 15, NIST will focus its enrichment resources on three categories: CVEs listed in CISA's Known Exploited Vulnerabilities catalog, CVEs affecting software used within the U.S. federal government, and CVEs tied to critical software as defined by Executive Order 14028. Everything else will still be published in the NVD, but flagged as lowest priority and not scheduled for immediate enrichment.
Why it matters: For two decades, security teams have relied on the NVD as the baseline for vulnerability prioritization — severity scores, affected product details, and remediation context. That model is now structurally changing. Vulnerability scanners, risk platforms, and patch management tools that depend on NVD enrichment data may start returning incomplete or unscored results for a large portion of what they surface. Organizations need to develop their own enrichment workflows using CISA's KEV catalog, exploit prediction scoring, and threat intelligence feeds rather than waiting for NIST analysis that may no longer arrive.
Read more at The Hacker News
North Korea's UNC1069 is luring crypto professionals into fake meetings
North Korea-linked threat actor UNC1069 is running a highly targeted campaign that abuses fake Zoom, Google Meet, and Microsoft Teams meetings to compromise cryptocurrency and Web3 professionals across Windows, macOS, and Linux systems. Attackers often hijack legitimate accounts, continue existing conversations, and then schedule due diligence or partnership calls using services such as Calendly to appear trustworthy. Payloads are built specifically for the victim's operating system and appear to be updated variants of Cabbage RAT. Researchers also linked UNC1069 to the recent Axios NPM package compromise, noting overlaps with the Bluenoroff threat cluster previously reported by Mandiant.
Why it matters: Two weeks after North Korea was attributed to the $285 million Drift heist, new research confirms the same threat ecosystem is running parallel operations against crypto and Web3 professionals using fake video calls. The common thread across every North Korean crypto campaign this year — Drift, the Axios supply chain attack, and now this — is patient, human-first social engineering. No technical exploit is required when the target genuinely believes they are joining a legitimate investor meeting. Organizations in the crypto and fintech space should treat unsolicited meeting invitations, even from known contacts, with heightened scrutiny.
Read more at GBHackers
Researcher publicly drops second Windows Defender privilege escalation exploit
A vindictive security researcher publicly dropped a second Windows Defender privilege escalation exploit less than two weeks after Microsoft scrambled to patch the first one, and is threatening to release even more dangerous remote code execution exploits in response to how Microsoft handled the original disclosure. The researcher's stated frustration centers on the adequacy of Microsoft's response to their initial report — a dispute that has now escalated into public exploit releases with potentially significant consequences for unpatched systems.
Why it matters: Public exploit releases driven by researcher frustration with vendor response are a known pressure tactic, but they carry real risk regardless of intent. The window between a public proof-of-concept drop and active exploitation by threat actors is measured in hours, not days. Any organization running Windows Defender on unpatched systems should treat these releases as urgent, and the broader pattern of researchers releasing exploits publicly to force vendor action is worth monitoring as a structural dynamic in vulnerability disclosure.
Read more at HelpNet Security
Final thoughts
This week's stories reflect a threat landscape that continues to expand in unexpected directions. The Vercel breach is a case study in how AI tool adoption has created new supply chain risk that most organizations have not fully mapped. NIST's NVD changes will quietly reshape how every security team prioritizes remediation. And North Korea's continued focus on the crypto sector — through social engineering, supply chain attacks, and fake meeting lures — shows no signs of slowing. The organizations best positioned right now are the ones that don't rely on any single source of truth, whether that's a vulnerability database, a trusted software vendor, or a meeting invitation from a known contact.
Ready to see how OpenVPN can help protect your organization from attacks?
Try the self-hosted Access Server solution or managed CloudConnexa service for free — no credit card required.
See Which One is Right for You .png)