Security Bulletin

George Sutton

Ransomware That Can’t Be Reversed: VECT 2.0 Changes the Ransomware Playbook

April 29th, 2026


❓What:

  • VECT 2.0 is a ransomware-as-a-service (RaaS) operation that behaves more like a data wiper due to a flawed encryption implementation.

  • Files larger than ~131KB are irreversibly destroyed, not encrypted, because required decryption data (nonces/keys) are discarded during the process.

  • Affects Windows, Linux, and ESXi environments and supports exfiltration + encryption + extortion (triple-extortion model).


George Sutton

Unauthorized Access, Unlimited Risk: Inside Anthropic's Mythos Access Incident

April 22nd, 2026


❓What:

  • A small group of unauthorized users gained access to Anthropic’s advanced cybersecurity AI model “Mythos”, which is not publicly released.

  • Anthropic created Claude Mythos as part of its initiative "Project Glasswing", intended to be used by MAMAA (the acronym for the major tech firms Meta, Apple, Microsoft, Amazon, and Alphabet, i.e. Google) to find and fix critical security vulnerabilities before they are discovered by malicious actors.

  • The breach originated through a third-party vendor environment, likely leveraging contractor-level access or credentials.

George Sutton

Patch Tuesday Special: April 2026

April 14th, 2026


Overview:

Microsoft’s April 14, 2026 Patch Tuesday addressed ~167 vulnerabilities, including eight critical issues (7 RCE and 1 DoS) and two zero-days: one actively exploited and one publicly disclosed.


Vulnerability Category Breakdown:

  • Elevation of Privilege (EoP): ~93 vulnerabilities (~56%)


George Sutton

Fortinet Vulnerability Sparks Urgent Federal Warning

April 7th, 2026


❓What:

  • The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent directive for all federal agencies to remediate a critical vulnerability affecting Fortinet’s FortiClient Enterprise Management Server (EMS).

  • The vulnerability, tracked by CISA in its KEV catalog as CVE-2026-35616 (CVSS 9.1), is an improper access control / API authentication bypass (CWE-284) that could allow attackers to craft malicious requests, bypass API authentication, and execute code and commands.

