Over the past three weeks, AI tools have moved from productivity booster to attack surface. This week the progression hit a new milestone: Vercel breached through its own AI coding assistant. The breach vector was the tool itself, not the code the tool produced.
Meanwhile the infrastructure that tells you which vulnerabilities to fix is changing. NIST will stop enriching most CVEs. The CVSS score your scanner relies on is disappearing for most new findings. More code, fewer scores, and AI tools that are now themselves the attack surface.
Last week this newsletter covered four developer tool attacks in seven days. Those attacks targeted the code developers build with. The Vercel breach went a layer deeper. Attackers compromised Context.ai, a third-party AI coding assistant, and used its OAuth permissions to reach internal systems and customer credentials. The breach vector was the trust relationship the AI was granted.
Prompt injection turned Google Antigravity's file search into full RCE the same week, bypassing its most restrictive Secure Mode. Capsule Security researchers found prompt injection flaws in Microsoft Copilot Studio and Salesforce Agentforce enabling SharePoint data exfiltration. Anthropic's Model Context Protocol has a critical RCE design flaw affecting millions of AI agent users. Each used a different attack technique. Each hit a different vendor. This is a vulnerability class, not coincidence.
OAuth scoping for AI assistants has no standard framework. Prompt injection testing is not part of third-party security questionnaires. The Axios supply chain compromise three weeks ago was a leading indicator, not an outlier. The Vercel breach confirms the point from the opposite direction: the tools you use to write code are now the entry point.
Run grep -r "OAuth" .github/ and grep -r "permissions" .github/workflows/ on your CI configs. Context.ai had read/write access to Vercel's internal repos, secrets manager, and customer credential store through a single OAuth grant. List every AI tool with OAuth tokens in your org, pull the scope grants, and revoke anything beyond read-only on non-production resources.
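The grep above only finds the word "permissions"; the follow-up question is which workflows actually grant write scope. This is an added example, not the newsletter's own tooling: a POSIX shell audit that classifies each GitHub Actions workflow under a directory (assumed to be .github/workflows/) by its GITHUB_TOKEN grant and lists everything that is not read-only. The scope names are GitHub's real permission keys; the directory argument and function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the newsletter). Flags GitHub Actions workflows whose
# GITHUB_TOKEN grant exceeds read-only so they can be reviewed or revoked.

# Named GitHub Actions permission scopes that can be set to "write".
WRITE_SCOPES='(actions|attestations|checks|contents|deployments|discussions|id-token|issues|packages|pages|pull-requests|repository-projects|security-events|statuses)'

# Classify one workflow file. Prints exactly one verdict:
#   NO_PERMISSIONS_BLOCK  no permissions: key, so the job inherits the repository default
#   WRITE_ALL             permissions: write-all
#   WRITE_SCOPE           at least one named scope set to write (id-token: write for
#                         OIDC is legitimate, but still deserves a look)
#   READ_ONLY             every scope is read, none, or {} / read-all
classify_workflow() {
  f="$1"
  if ! grep -Eq '^[[:space:]]*permissions:' "$f"; then
    echo NO_PERMISSIONS_BLOCK
  elif grep -Eq '^[[:space:]]*permissions:[[:space:]]*write-all' "$f"; then
    echo WRITE_ALL
  elif grep -Eq "^[[:space:]]+${WRITE_SCOPES}:[[:space:]]*write" "$f"; then
    echo WRITE_SCOPE
  else
    echo READ_ONLY
  fi
}

# Print "<verdict> <file>" for every workflow in DIR that is not read-only.
audit_workflows() {
  for f in "$1"/*.yml "$1"/*.yaml; do
    [ -f "$f" ] || continue
    v=$(classify_workflow "$f")
    [ "$v" = READ_ONLY ] || echo "$v $f"
  done
}

# Print the number of workflows in DIR that need review (not read-only).
count_flagged() {
  n=0
  for f in "$1"/*.yml "$1"/*.yaml; do
    [ -f "$f" ] || continue
    v=$(classify_workflow "$f")
    [ "$v" = READ_ONLY ] || n=$((n + 1))
  done
  echo "$n"
}

# Usage: sh audit.sh .github/workflows
if [ -n "${1:-}" ]; then audit_workflows "$1"; fi
```

A workflow with no permissions block is flagged on purpose: it inherits whatever the repository default is, which is exactly the kind of implicit grant the Context.ai incident turned on.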
The CSA assembled 60 CISOs to publish a Mythos response plan two weeks ago. This week the first independent verification arrived. VulnCheck analyzed 75 Anthropic-credited CVEs and found exactly 1 directly attributable to Glasswing. Anthropic claims 12 zero-days in OpenSSL. The third-party audit tells a different story about verified production impact.
Glasswing remains unreleased. The coalition backing it includes AWS, Apple, Cisco, Google, and Microsoft. The White House is preparing civilian agency authorization while the DoD maintains its supply-chain risk designation against Anthropic. One branch of the federal government sees enough promise to grant access. Another considers the vendor too risky.
The VulnCheck finding sets a baseline. Marketing demonstrations are not production evidence. 1 verified CVE out of 75 claimed is not failure, but it is a gap buyers should account for.
Before any Mythos-related procurement decision, request the VulnCheck report and compare it against Anthropic's claims. 1 verified CVE out of 75 is the only independently confirmed number. If your vendor cannot point to third-party validation of their AI vulnerability discovery, you are buying a demo, not a capability.
Readers of this newsletter will recognize the pattern. Last week, 167 Microsoft CVEs. This week:
• Oracle's quarterly CPU: 481 patches across 28 product families, 34 critical, over 300 remotely exploitable without authentication
• Apache ActiveMQ RCE affecting 6,400+ internet-exposed servers, actively exploited
• 8 CISA KEV additions including three Cisco Catalyst SD-WAN Manager flaws, federal deadlines April 27-30
• Microsoft emergency out-of-band patches for critical ASP.NET Core privilege escalation
• Three Microsoft Defender zero-days, all exploited, SYSTEM-level privilege escalation, two still unpatched
• Thymeleaf critical sandbox bypass (CVE-2026-40478, CVSS 9.1) in the most widely used Java template engine, no workarounds
Fifth consecutive week with a concentrated remediation event. The volume is not spiking and returning to baseline. It is staying elevated. Combined with the NVD dropping CVSS enrichment for most vulnerabilities, you are looking at more patches and less prioritization data simultaneously.
If you run Apache ActiveMQ, check exposure now: shodan search "ActiveMQ" --fields ip_str,port or query your asset inventory for port 61616. 6,400 servers are internet-exposed and attackers are already in. Federal agencies: CISA KEV deadlines hit April 27 (Cisco SD-WAN) and April 30 (ActiveMQ). Miss those and you are out of compliance, not just at risk.
16 disclosed | 7 actively exploited | 3 zero-days
• Microsoft ASP.NET Core Privilege Escalation (Critical) Emergency out-of-band patches for critical privilege escalation impacting enterprise .NET web applications.
• Apache ActiveMQ RCE (Critical | CISA KEV | Deadline: April 30) Remote code execution actively exploited in the wild, affecting 6,400+ internet-exposed servers.
• Cisco Catalyst SD-WAN Manager (High | CISA KEV | Deadline: April 27) Three vulnerabilities including CVE-2026-20133 added to CISA KEV catalog. Federal remediation deadline April 27-30.
• Vercel / Context.ai OAuth Breach (High) Vercel breached through compromised AI coding assistant Context.ai. OAuth permissions abused to access internal systems and customer credentials.
• Microsoft Defender Zero-Day #1: Cloud-Tagged File Handling (High | Patched) Privilege escalation to SYSTEM level via cloud-tagged file handling. Actively exploited.
• Microsoft Defender Zero-Day #2: Batch Oplocks (High | Unpatched) Privilege escalation to SYSTEM level via batch oplocks. Actively exploited. Still unpatched.
• Microsoft Defender Zero-Day #3: Undocumented RPC Endpoints (High | Unpatched) Privilege escalation to SYSTEM level via undocumented RPC endpoints. Can disable Defender updates.
• CVE-2026-40478: Thymeleaf Sandbox Bypass (CVSS 9.1) Critical sandbox bypass in the most widely used Java template engine. No workarounds; upgrade to 3.1.4.RELEASE.
• Anthropic MCP RCE Design Flaw (Critical | Unpatched) Critical RCE design flaw in Model Context Protocol affecting millions of AI agent users.
• Oracle April 2026 CPU (34 Critical across 28 product families) 481 security patches, over 300 remotely exploitable without authentication.
• Protobuf-ES Code Execution (Critical) Critical flaw in Protobuf JavaScript/TypeScript library enables code execution.
• CVE-2026-34621 (Critical | PoC Available) PoC weaponized as campaign targeting 62 pre-authenticated Brazilian fintech targets.
• Microsoft SharePoint Spoofing (High) Over 1,300 SharePoint servers vulnerable. Authorities urging immediate updates.
• Google Antigravity Prompt Injection RCE (High) Prompt injection achieved full RCE despite most restrictive Secure Mode.
• Copilot Studio / Agentforce Prompt Injection (High) Prompt injection flaws in Microsoft Copilot Studio and Salesforce Agentforce enabling SharePoint data exfiltration.
• Azure SRE Agent Eavesdropping (High) Flaw allowed outsiders to silently eavesdrop on enterprise cloud operations.
• 200 Bugs/Week/Engineer: How Trail of Bits Rebuilt Around AI Why it's worth your time: Trail of Bits details how they restructured their entire auditing practice around AI, reporting 200 bugs per week per engineer with concrete workflow changes.
• The AIpocalypse: How LLM-Based Exploitation Is the New Normal Why it's worth your time: Academic security researcher maps how LLM-based exploitation moved from theoretical to routine, with original data on attack cost curves and defender response gaps.
• Breaking Opus 4.7 with ChatGPT (Hacking Claude's Memory) Why it's worth your time: Original research showing cross-model prompt injection attacks that manipulate Claude's persistent memory via ChatGPT-generated payloads. Demonstrates agent-to-agent attack chains.
• SmokedMeat: Open-Source Tool Shows What Attackers Do Inside CI/CD Pipelines Why it's worth your time: New open-source tool that simulates attacker behavior inside CI/CD pipelines, giving teams a practical way to test pipeline security controls.
• Vercel April 2026 Incident: Non-Sensitive Environment Variables Need Investigation Too Why it's worth your time: Goes beyond the breach headline to explain why even non-sensitive environment variables exposed in the Vercel incident create meaningful attack surface.
• Azure SRE Agent Flaw Lets Outsiders Eavesdrop on Cloud Operations Why it's worth your time: Another AI agent vulnerability, this time in Azure's SRE automation. Technical details on how agent-to-cloud trust relationships create eavesdropping risk.