- Cybersecurity With Sandra
Cyber News Bytes: Bitwarden, Samsung Devices, and ADT Hacked This Week
Another week of new cyber attacks, here's what you missed.
It’s been a BUSY week for cybersecurity news once again. But before that, one thing I wanted to ask: what content from me would help you the most? 👩🏻‍💻👀
Instead of guessing what you’d like to see more of, I’d rather hear it directly from you!
📝 I put together a short survey to better understand:
• Who you are and where you’re at in your career
• The type of content that would actually help you move forward
It takes less than 2 minutes, and your input will directly shape what I create next! 🙏
👉 You can complete the survey here.
Appreciate you taking the time to fill this out! I want to make sure the content you see here is actually worth your time.
And with that, let’s get into this week’s headlines!
1. Bitwarden CLI Hijacked in Supply Chain Attack
Password manager Bitwarden's command-line interface was compromised for 90 minutes on April 22nd in a sophisticated supply chain attack.
Attackers pushed a malicious version, 2026.4.0, to npm, embedding a self-propagating worm called "Shai-Hulud: The Third Coming" that steals SSH keys, cloud credentials, and AI coding tool secrets.
The malware uses GitHub as a remote command server to exfiltrate encrypted data and spreads by infecting victims' own npm packages.
Bitwarden caught and removed the package within hours, but the CLI has 250K monthly downloads, and organizations that installed it during the exposure window are now treating this as a full credential compromise event.
Why it matters: This attack weaponizes your own CI/CD pipeline against you.
If your development team pulled that version, assume every credential on those systems is burned.
More concerning is the worm's self-propagation capability, meaning one infected machine can silently spread through your entire supply chain via packages your developers publish.
The attackers are using asymmetric encryption to hide stolen data in public GitHub repos, making detection nearly impossible until secrets are already used against you.
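The first thing a team has to answer after an incident like this is whether the bad version was ever resolved into one of their projects. The following check is an added example and not code from Bitwarden or from the newsletter: it walks an npm package-lock.json (both the flat "packages" map of lockfile v2/v3 and the nested "dependencies" tree of v1) and reports any package pinned to a version on a blocklist. The package name "@bitwarden/cli" and the lockfile contents are assumptions; the version 2026.4.0 is the one reported above.

```javascript
// Added example: find known-bad package versions in an npm lockfile.
// Blocklist of package -> compromised versions. The package name is an
// assumption; 2026.4.0 is the version named in the report above.
const COMPROMISED = {
  "@bitwarden/cli": new Set(["2026.4.0"]),
};

// Flatten every installed package in a package-lock.json into
// { name, version, path } records, regardless of lockfile version.
function collectInstalled(lock) {
  const found = [];
  const marker = "node_modules/";

  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  if (lock.packages) {
    for (const [path, info] of Object.entries(lock.packages)) {
      if (!path || !info || !info.version) continue; // "" is the root project
      // Aliased packages carry an explicit name; otherwise derive it from the path.
      const name = info.name || path.slice(path.lastIndexOf(marker) + marker.length);
      found.push({ name, version: info.version, path });
    }
    return found;
  }

  // lockfileVersion 1: nested "dependencies" tree.
  const walk = (deps, prefix) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const path = `${prefix}${marker}${name}`;
      if (info.version) found.push({ name, version: info.version, path });
      walk(info.dependencies, path + "/");
    }
  };
  walk(lock.dependencies, "");
  return found;
}

// Return the installed records whose (name, version) is on the blocklist.
function findCompromised(lock, blocklist = COMPROMISED) {
  return collectInstalled(lock).filter(
    (p) => blocklist[p.name] && blocklist[p.name].has(p.version)
  );
}

// Constructed sample lockfile (not a real project's file) with one hit.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/@bitwarden/cli": { version: "2026.4.0", dev: true },
    "node_modules/left-pad": { version: "1.3.0" },
  },
};

// Stand-alone run: list the hits for the sample lockfile.
for (const hit of findCompromised(SAMPLE_LOCK)) {
  console.log(`${hit.name}@${hit.version} at ${hit.path}`);
}
```

A match means the version was resolved into that project and the credentials on every machine that installed from that lockfile should be rotated; no match in any lockfile does not clear you, because a global `npm install -g` never touches a project lockfile, so shell histories and CI logs for the exposure window need the same review.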
2. CISA Warns of Active Exploitation in SimpleHelp, Samsung, D-Link Devices
The US Cybersecurity and Infrastructure Security Agency added four vulnerabilities to its Known Exploited Vulnerabilities catalog on April 25th, all actively exploited in the wild.
The flaws affect SimpleHelp remote support software (CVE-2024-57726 and CVE-2024-57728), Samsung MagicINFO 9 Server, and D-Link DIR-823X series routers.
The SimpleHelp vulnerabilities allow attackers to create API keys with excessive permissions and upload arbitrary files to execute code as admin.
Federal agencies have until the deadline CISA set for each entry to patch or remove affected devices from their networks.
Why it matters: These are not theoretical risks; they are actively being weaponized right now.
The SimpleHelp flaws score 9.9 and 7.2 on the CVSS scale, and attackers are already using them to escalate privileges and execute code on vulnerable systems.
If you are running any of these products, patch immediately or disconnect them, because threat actors are scanning for them as you read this.
CISA does not add things to the KEV catalog for fun; they add them because bad actors are actively breaking into systems using these exact vulnerabilities.
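KEV is published as a JSON feed, so the "are we running any of these?" question can be answered by matching the feed against an asset inventory. The example below is added here and is not CISA's code or the newsletter's: it takes a KEV-shaped document, matches each entry's vendor and product against inventory records, and returns the affected assets ordered by due date, flagging anything already past its deadline. The feed excerpt, inventory, and all dates other than the April 25th addition are constructed; only the two SimpleHelp CVE identifiers come from the item above, and the field names follow the shape of the real feed.

```javascript
// Added example: triage a KEV-style feed against an asset inventory.
// Constructed excerpt in the shape of the KEV JSON feed. The dueDate values
// are made up for the example; the two CVE ids are the ones reported above.
const SAMPLE_KEV = {
  title: "CISA Catalog of Known Exploited Vulnerabilities (constructed excerpt)",
  vulnerabilities: [
    { cveID: "CVE-2024-57726", vendorProject: "SimpleHelp", product: "SimpleHelp",
      dateAdded: "2026-04-25", dueDate: "2026-05-16", knownRansomwareCampaignUse: "Unknown" },
    { cveID: "CVE-2024-57728", vendorProject: "SimpleHelp", product: "SimpleHelp",
      dateAdded: "2026-04-25", dueDate: "2026-05-16", knownRansomwareCampaignUse: "Unknown" },
    { cveID: "CVE-0000-00000", vendorProject: "ExampleVendor", product: "ExampleProduct",
      dateAdded: "2026-03-01", dueDate: "2026-03-22", knownRansomwareCampaignUse: "Known" },
  ],
};

// Constructed inventory: what is deployed, by vendor and product.
const SAMPLE_INVENTORY = [
  { asset: "support-gw-01", vendor: "SimpleHelp", product: "SimpleHelp" },
  { asset: "web-01", vendor: "nginx", product: "nginx" },
  { asset: "legacy-box", vendor: "ExampleVendor", product: "ExampleProduct" },
];

const norm = (s) => String(s || "").trim().toLowerCase();

// Match inventory records to KEV entries on vendor and product (case-insensitive),
// returning one row per (asset, CVE) pair sorted by earliest due date.
function matchKev(kev, inventory) {
  const rows = [];
  for (const v of kev.vulnerabilities) {
    for (const item of inventory) {
      if (norm(item.vendor) === norm(v.vendorProject) && norm(item.product) === norm(v.product)) {
        rows.push({
          asset: item.asset,
          cveID: v.cveID,
          dueDate: v.dueDate,
          ransomware: v.knownRansomwareCampaignUse === "Known",
        });
      }
    }
  }
  return rows.sort((a, b) => a.dueDate.localeCompare(b.dueDate));
}

// Split matches into overdue and still-within-deadline as of a given ISO date.
function triage(rows, today) {
  return {
    overdue: rows.filter((r) => r.dueDate < today),
    pending: rows.filter((r) => r.dueDate >= today),
  };
}

// Stand-alone run against the constructed data.
const report = triage(matchKev(SAMPLE_KEV, SAMPLE_INVENTORY), "2026-04-26");
for (const r of report.overdue) console.log(`OVERDUE ${r.asset} ${r.cveID} (due ${r.dueDate})`);
for (const r of report.pending) console.log(`pending ${r.asset} ${r.cveID} (due ${r.dueDate})`);
```

Vendor and product strings in the feed are free text, so a production version of this needs a mapping table from KEV names to whatever your CMDB calls the same product; the exact-match used here is the starting point, not the finished thing.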
3. ADT Home Security Giant Hit by 10 Million Record Breach
ADT, America's largest home security company, confirmed a data breach on April 20th after the ShinyHunters extortion group threatened to leak over 10 million customer records.
The stolen data includes names, phone numbers, addresses, and in some cases dates of birth and the last four digits of Social Security numbers or Tax IDs.
ShinyHunters claims they breached ADT through a voice phishing attack that compromised an employee's Okta SSO account, then accessed the company's Salesforce instance to steal customer data.
The group has given ADT until April 27th to pay an undisclosed ransom or they will leak the data along with "several annoying digital problems."
Why it matters: When the company protecting your home gets breached, that is a wake-up call.
Over 10 million people now have their personal information in the hands of cybercriminals who are actively threatening to weaponize it.
The vishing attack shows how a single phone call to the wrong employee can unlock access to millions of customer records, and no amount of physical security cameras will protect you from that.
ADT has suffered three breaches in the past year, which raises serious questions about whether the people securing your house can even secure their own network.
4. Vercel Breach Exposes Customer Credentials Via Context.ai Hack
Web infrastructure provider Vercel disclosed a security breach on April 19th after attackers compromised Context.ai, a third-party AI tool used by one Vercel employee.
The attacker took over the employee's Google Workspace account through a compromised OAuth token, pivoted into Vercel's internal systems, and accessed environment variables for a limited subset of customers.
The breach originated from a Context.ai employee's machine infected with Lumma Stealer malware in February 2026, which harvested Google Workspace credentials and API keys.
Vercel is working with Google Mandiant and has rolled out new security features, including better management of sensitive environment variables.
Why it matters: This is the new attack surface.
Your vendors' security posture is now your security posture, and OAuth tokens are the new lateral movement vector.
The attacker never touched Vercel directly; they just walked through a door that a single employee's consumer AI app signup left wide open.
Context.ai had "Allow All" permissions granted to Vercel's enterprise Google Workspace, which means one rogue browser extension can hand over your entire cloud infrastructure.
Look, this was another hectic week for cybersecurity headlines.
A password manager got hijacked, a developer platform got breached through a side-door AI app, federal agencies are scrambling to patch actively exploited flaws, and the biggest home security company in America just confirmed 10 million records stolen.
The common thread here isn’t zero-days or nation-state hackers, it’s social engineering, supply chain weaknesses, and one employee clicking the wrong thing at the wrong time.
Your security is only as strong as your least-trained employee, your most careless vendor, and your oldest unpatched device.
As always, stay secure out there!
- Sandra