April 2026 set a new record for ransomware activity, with 801 publicly disclosed incidents - the highest single-month total ever recorded, up 69% from April 2025. The month also delivered a CVSS 10.0 zero-day in Cisco SD-WAN infrastructure, a coordinated Iranian APT campaign against operational technology systems, and a growing body of evidence that AI is no longer just an attacker's tool - it is becoming an attack surface in its own right.
Major Incidents
Canvas LMS Breach - 275 Million Records: ShinyHunters claimed responsibility for a breach of Instructure, the company behind Canvas LMS, which serves roughly 41% of North American higher education institutions. Approximately 275 million records and 3.65 terabytes of data were reported stolen. The incident underscores the exposure universities and research institutions - many of which hold defense-related contracts - carry through third-party platforms.
Vercel Supply-Chain Breach via OAuth: Cloud deployment platform Vercel confirmed a security incident traced to a compromised employee at Context.ai, who was infected by Lumma Stealer infostealer malware in February 2026. The attacker used stolen OAuth tokens to access Vercel's internal systems, exfiltrating unencrypted API keys, database credentials, signing keys, and environment variables. The stolen data was listed for sale on BreachForums for $2 million. The breach is notable as a textbook OAuth supply-chain attack - a single compromised vendor credential cascading into a platform used by hundreds of thousands of development teams.
McGraw Hill - 45 Million Records via Salesforce: ShinyHunters exploited a Salesforce database misconfiguration at the publishing giant to steal approximately 45 million records. The attack required no exploitation of a software vulnerability - just a misconfigured cloud instance, a reminder that configuration drift remains one of the most underestimated risks in enterprise environments.
Axios npm Package Supply-Chain Compromise: On March 31, malicious versions of the widely used Axios JavaScript library were published carrying multi-stage payloads, including a remote access trojan. The compromise was discovered in April, and CISA issued a dedicated alert on April 20. Any development team using Node.js should audit its dependency trees, including transitive dependencies, for the affected Axios versions.
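As an added illustration of that audit (example code written for this newsletter, not code from the article, from CISA, or from the Axios project), the script below enumerates every installed copy of a package in an npm lockfile, lockfileVersion 1, 2 or 3, and flags copies whose version sits in an "affected" set. The lockfile fragment, the hypothetical "some-sdk" package and the affected-version list are all constructed placeholders; substitute the versions named in the CISA alert before using it.

```javascript
// Added example, not code from the article or from the Axios project: enumerate
// every installed copy of a package in an npm lockfile (lockfileVersion 1, 2 or 3)
// and flag copies whose version is in an "affected" set. The version list below
// is a PLACEHOLDER; replace it with the versions named in the CISA alert.

// Constructed lockfileVersion 3 fragment: one direct axios dependency and one
// nested copy pulled in transitively by a hypothetical package "some-sdk".
const sampleLock = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { axios: "^1.0.0", "some-sdk": "^2.0.0" } },
    "node_modules/axios": { version: "1.6.0" },
    "node_modules/some-sdk": { version: "2.3.1", dependencies: { axios: "1.99.9" } },
    "node_modules/some-sdk/node_modules/axios": { version: "1.99.9" },
  },
};

// PLACEHOLDER affected versions (constructed for the example, not the real ones).
const AFFECTED_AXIOS_VERSIONS = new Set(["1.99.9"]);

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageNameFromPath(path) {
  const idx = path.lastIndexOf("node_modules/");
  return idx === -1 ? null : path.slice(idx + "node_modules/".length);
}

// lockfileVersion 2/3: installed packages are a flat map keyed by install path.
function findInstalledV2(lock, name) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path !== "" && packageNameFromPath(path) === name && entry.version) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// lockfileVersion 1: installed packages form a nested "dependencies" tree.
function findInstalledV1(deps, name, prefix = "", hits = []) {
  for (const [dep, entry] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${dep}`;
    if (dep === name && entry.version) hits.push({ path, version: entry.version });
    findInstalledV1(entry.dependencies, name, `${path}/`, hits);
  }
  return hits;
}

// Every copy of `name` in the lockfile, each marked affected or not. A nested
// copy under another package is just as exposed as the top-level one.
function auditLockfile(lock, name, affected) {
  const hits = lock.lockfileVersion >= 2
    ? findInstalledV2(lock, name)
    : findInstalledV1(lock.dependencies, name);
  return hits.map((h) => ({ ...h, affected: affected.has(h.version) }));
}

// Run against the constructed sample.
for (const r of auditLockfile(sampleLock, "axios", AFFECTED_AXIOS_VERSIONS)) {
  console.log(`${r.affected ? "AFFECTED" : "ok"}\t${r.version}\t${r.path}`);
}
```

For a single checkout, `npm ls axios --all` gives the same view interactively; a script like this is for running across many repositories in CI, where the nested copy pulled in by a third-party SDK is the one that tends to be missed.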
Critical Vulnerabilities
CVE-2026-20182 (Cisco Catalyst SD-WAN Controller - CVSS 10.0): Cisco issued a warning in mid-April about a maximum-severity authentication bypass affecting Catalyst SD-WAN Manager controllers. Successful exploitation grants unauthenticated attackers full administrative access to the controller and any connected WAN infrastructure. CISA added it to the Known Exploited Vulnerabilities catalog with a tight remediation deadline of April 23. Defense contractors running SD-WAN environments should treat this as an emergency patch.
CVE-2026-35616 (Fortinet FortiClient EMS - CVSS 9.8): A critical zero-day in FortiClient Enterprise Management Server was actively exploited before Fortinet issued a hotfix on April 4. A full patch remained pending at month-end. CISA added the vulnerability to the KEV catalog. Organizations using FortiClient EMS for endpoint management should apply the hotfix immediately and monitor for signs of prior compromise.
Microsoft April Patch Tuesday - 168 CVEs: Microsoft's April security update addressed 168 vulnerabilities, including CVE-2026-32201, a SharePoint spoofing/XSS flaw confirmed to be actively exploited in the wild at the time of patching. The volume of this month's release reflects ongoing pressure across the Microsoft ecosystem; prioritization should focus on the confirmed in-the-wild exploits.
Google Chrome Zero-Days: Google patched two actively exploited Chrome vulnerabilities - CVE-2026-5281 (use-after-free in the Dawn component) and CVE-2026-2441 (RCE potential via Chromium) - as part of a 21-CVE release. Chrome's auto-update mechanism means most users are protected quickly, but organizations managing browser deployments through policy should verify update propagation.
CISA KEV Additions - April 20 and April 24: Beyond the Cisco and Fortinet flaws, CISA's April 20 batch added vulnerabilities in PaperCut, JetBrains TeamCity, Quest KACE, Kentico, and Zimbra. The April 24 batch added a Samsung MagicINFO Server path traversal (CVE-2024-7399), two SimpleHelp flaws (CVE-2024-57726, CVE-2024-57728), and a D-Link DIR-823X command injection (CVE-2025-29635). Organizations running any of these products should prioritize patching immediately.
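The Cisco, Fortinet and batch KEV entries above all come with CISA remediation deadlines, and the practical question is which of them touch assets you actually run. The following is an added example, not code from the article or from CISA, that matches a small asset inventory against KEV-shaped records and orders the findings by due date. The KEV records are constructed for the example: the CVE IDs are the ones named above, and the Cisco due date is the April 23 deadline from the text, but the product strings, the other due dates and the ransomware flags are placeholders; pull the live known_exploited_vulnerabilities.json for real values. The inventory and asset names are hypothetical.

```javascript
// Added example, not from the article or from CISA: match an asset inventory
// against KEV catalog records and order findings by remediation due date.
// CONSTRUCTED KEV records: CVE IDs are the ones the text names; product strings,
// due dates (other than the April 23 Cisco deadline) and ransomware flags are
// placeholders. Field names follow the KEV JSON schema.
const sampleKev = {
  vulnerabilities: [
    { cveID: "CVE-2026-20182", vendorProject: "Cisco", product: "Catalyst SD-WAN Manager", dueDate: "2026-04-23", knownRansomwareCampaignUse: "Unknown" },
    { cveID: "CVE-2024-7399", vendorProject: "Samsung", product: "MagicINFO 9 Server", dueDate: "2026-05-15", knownRansomwareCampaignUse: "Unknown" },
    { cveID: "CVE-2024-57726", vendorProject: "SimpleHelp", product: "SimpleHelp", dueDate: "2026-05-15", knownRansomwareCampaignUse: "Unknown" },
    { cveID: "CVE-2024-57728", vendorProject: "SimpleHelp", product: "SimpleHelp", dueDate: "2026-05-15", knownRansomwareCampaignUse: "Unknown" },
    { cveID: "CVE-2025-29635", vendorProject: "D-Link", product: "DIR-823X", dueDate: "2026-05-15", knownRansomwareCampaignUse: "Unknown" },
  ],
};

// Constructed inventory with hypothetical asset names.
const sampleInventory = [
  { asset: "sdwan-mgr-01", vendor: "Cisco", product: "Catalyst SD-WAN Manager", internetExposed: false },
  { asset: "kiosk-signage", vendor: "Samsung", product: "MagicINFO Server", internetExposed: true },
  { asset: "helpdesk-remote", vendor: "SimpleHelp", product: "SimpleHelp", internetExposed: true },
  { asset: "branch-router", vendor: "Netgear", product: "R7000", internetExposed: true },
];

const tokens = (s) => new Set(s.toLowerCase().match(/[a-z0-9]+/g) || []);
const cmp = (a, b) => (a < b ? -1 : a > b ? 1 : 0);

// Vendor names must agree; product names match when every token of the shorter
// name appears in the longer one ("MagicINFO Server" vs "MagicINFO 9 Server").
function kevMatches(asset, entry) {
  if (asset.vendor.toLowerCase() !== entry.vendorProject.toLowerCase()) return false;
  const a = tokens(asset.product), k = tokens(entry.product);
  const [small, big] = a.size <= k.size ? [a, k] : [k, a];
  return small.size > 0 && [...small].every((t) => big.has(t));
}

// Findings sorted by due date, then internet-exposed assets first, then KEV
// entries with known ransomware use, then CVE ID for a stable order.
function prioritize(inventory, kev, today) {
  const findings = [];
  for (const asset of inventory) {
    for (const v of kev.vulnerabilities) {
      if (!kevMatches(asset, v)) continue;
      findings.push({
        asset: asset.asset,
        cveID: v.cveID,
        dueDate: v.dueDate,
        overdue: v.dueDate < today,            // ISO dates compare lexicographically
        internetExposed: asset.internetExposed,
        ransomware: v.knownRansomwareCampaignUse === "Known",
      });
    }
  }
  return findings.sort((x, y) =>
    cmp(x.dueDate, y.dueDate) ||
    Number(y.internetExposed) - Number(x.internetExposed) ||
    Number(y.ransomware) - Number(x.ransomware) ||
    cmp(x.cveID, y.cveID));
}

for (const f of prioritize(sampleInventory, sampleKev, "2026-04-30")) {
  const when = f.overdue ? "OVERDUE" : `due ${f.dueDate}`;
  console.log(`${when}\t${f.cveID}\t${f.asset}${f.internetExposed ? " (internet-exposed)" : ""}`);
}
```

One caveat a practitioner will want: the KEV catalog carries no affected-version data, so a match here means "check this asset's installed version against the vendor advisory", not "confirmed vulnerable".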
Ransomware Trends
Record Month - 801 Incidents: April 2026 recorded 801 publicly disclosed ransomware incidents globally, up from 474 in April 2025 and 379 in April 2024. The trend continues the 30% year-over-year growth seen throughout Q1 2026, driven by more prolific operators and increasingly automated attack tooling.
Most Active Groups: Qilin led April's activity with 111 confirmed incidents, followed by TheGentlemen (83), Dragonforce (65), Akira (49), CoinbaseCartel (45), and LockBit 5 (37 - the reconstituted operation following law enforcement disruption). ShinyHunters, historically a data-theft actor, sharply increased its ransomware activity from 6 incidents in March to 20 in April.
Manufacturing Remains the Top Target: Manufacturing was among the two most-targeted industries for the fifth consecutive year, with 95 ransomware incidents in April alone and roughly 1,585 attacks per week globally. Ransomware accounts for more than 90% of total cyber insurance losses in the sector despite representing only 12% of claims by volume - reflecting the severity of each incident when it does occur.
"EDR Killer" Tools Become Standard: Security researchers documented the widespread adoption of EDR killer tools - utilities designed to disable endpoint detection and response software before ransomware payload delivery - as standard components in attack playbooks. Defenders relying solely on endpoint agents should evaluate additional detection layers including network-level anomaly detection.
Government Advisories and Nation-State Threats
Joint Advisory AA26-097A - Iranian APT Targeting OT/PLCs: On April 7, six agencies - FBI, CISA, NSA, EPA, DOE, and U.S. Cyber Command's CNMF - jointly warned that Iranian-affiliated threat actors linked to the IRGC Cyber Electronic Command are actively targeting internet-exposed programmable logic controllers and HMI/SCADA systems across water, energy, and government facilities. The campaign involves manipulating PLC project files and falsifying HMI dashboard displays to cause operational disruptions. Defense industrial base facilities with internet-exposed OT systems should audit external connectivity and implement network segmentation immediately.
China-Nexus Covert Device Networks (AA26-113A): CISA published an advisory on Chinese state-sponsored actors operating covert networks of compromised edge devices - routers, VPN appliances, and IoT endpoints - as relay infrastructure for espionage operations against defense, technology, and critical infrastructure targets. The advisory reinforces prior Volt Typhoon reporting and highlights the need to treat any internet-exposed network device as a potential pivot point.
AI as an Attack Surface
Microsoft's Security Blog published a widely cited April 2 analysis documenting a shift in the threat landscape: AI is no longer primarily a tool attackers use - it is increasingly the target. Open-source AI frameworks including LiteLLM, LangChain, and integrations with Hugging Face are being systematically probed and compromised as supply-chain attack vectors. The Mercor breach - in which attackers stole four terabytes of data via a LiteLLM compromise - is the clearest April example. Any defense contractor deploying AI-assisted tools in their development or operations environment should include those tools in their vulnerability management and supply-chain risk assessment programs.
Separately, the Tycoon2FA phishing-as-a-service platform - which operates as an adversary-in-the-middle to intercept credentials and session tokens in real time - reached a scale where it accounted for approximately 62% of all phishing attempts blocked by Microsoft monthly at its peak. MFA alone does not defeat Tycoon2FA; organizations should implement phishing-resistant MFA (FIDO2/hardware keys) where possible and monitor for session hijacking indicators.
CMMC and Compliance Updates
NIST SP 800-171 Rev. 3 - Start Planning Now: A widely circulated April 2026 commentary in Federal News Network advised DIB companies to begin mapping their environments against NIST SP 800-171 Revision 3, even though DoD assessments still formally reference Rev. 2. Rev. 3 adds three new control families - supply chain security, incident response, and countering advanced threats - plus 14 additional controls. Contractors who wait for formal DoD adoption before beginning Rev. 3 gap analysis will face compressed timelines when the requirement is enforced.
NDAA Section 1513 - AI/CMMC Framework: The FY2026 NDAA directed DoD to develop a cybersecurity framework specifically for AI and machine learning technologies and incorporate it into DFARS and CMMC. DoD's status report to Congress is due June 16, 2026. Defense contractors deploying AI tools - including AI coding assistants, automated testing platforms, or LLM-based workflow tools - should begin assessing exposure now rather than waiting for the framework to be formalized.
CMMC Phase 2 Countdown: The November 10, 2026 implementation date for CMMC Phase 2 is now less than seven months away. Contractors requiring Level 2 certification must complete a third-party C3PAO assessment before that date. Given current C3PAO scheduling backlogs, organizations that have not initiated the process should do so immediately. The CGA CMMC Gap Assessment Grant provides a $5,000 in-kind professional gap assessment against all 110 NIST SP 800-171 controls at no cost to the contractor.
