Cyber Intelligence Daily — Apr 24, 2026
Friday, April 24, 2026
The Big Picture
The tools you trust the most are the ones turning on you this week. A password manager's CLI got backdoored inside its own pipeline. The browser people use specifically to not be tracked had a stable identifier hiding in plain sight for years. France's identity agency — the literal issuer of who-you-are — confirmed a breach that may reach 19 million records. And somewhere beneath all of it, surveillance operators are still using the phone network itself as the implant.
What Just Dropped
- CVE-2026-33825 — Microsoft Defender: actively exploited, added to CISA KEV this week, federal patch deadline May 6. The antivirus has become the privilege escalation vector.
- CVE-2026-6770 — Firefox / Gecko IndexedDB: patched in Firefox 150 and ESR 140.10.0. Allowed websites to derive a stable, process-lifetime fingerprint that survived Tor Browser's "New Identity" reset.
- CVE-2026-33626 — LMDeploy (open-source LLM inference toolkit): exploited within 13 hours of disclosure per The Hacker News; no patch available at time of reporting. Remote code execution on model-serving endpoints.
- CVE-2023-27351 — PaperCut NG/MF: added to KEV (ransomware-linked, maturity escalated to commoditized), federal deadline May 4. A three-year-old auth bypass still delivering Cl0p and LockBit.
- CVE-2024-27199 — JetBrains TeamCity: added to KEV (ransomware-linked, commoditized), federal deadline May 4. Path traversal on the build server that sits at the center of many CI/CD pipelines.
- @bitwarden/[email protected] — Bitwarden CLI: malicious npm package distributed for 93 minutes on April 22 (5:57–7:30 PM ET). Contains the self-propagating Shai-Hulud credential worm; downgrade to 2026.3.0 immediately.
Today's Stories
The Password Manager That Poisoned Itself
For 93 minutes on Wednesday evening, the npm registry handed out a version of Bitwarden's command-line tool that wasn't really Bitwarden's. Between 5:57 PM and 7:30 PM Eastern, @bitwarden/[email protected] installed cleanly under the legitimate name — signed, trusted, in the right place — and quietly began hunting for credentials. According to The Hacker News, the attacker didn't breach Bitwarden's servers; they compromised the CI/CD pipeline itself, riding in on a checkmarx/ast-github-action token and publishing as Bitwarden.
The payload is a worm that names itself. Aikido's analysis identifies it as "Shai-Hulud: The Third Coming" — a multi-stage credential thief going after SSH keys, cloud secrets, .env files, shell history, GitHub Actions tokens, and MCP configurations. If it finds a GitHub token, it weaponizes it: injecting malicious Actions workflows, harvesting secrets, spreading outward. One infected developer becomes an entry point into every pipeline their credentials can reach.
If this succeeds as an attack model, the npm ecosystem's entire trust story collapses from "is this package legitimate" to "was this specific minute's build legitimate." Defenders win only by pinning to hashes and assuming every fresh install is a roll of the dice. If it fails — meaning the industry treats it as an isolated incident and moves on — watch for the next victim in the Checkmarx chain. Socket has already documented poisoned checkmarx/kics Docker images alongside earlier hits on Trivy and LiteLLM. Attribution is contested: TeamPCP claims the Checkmarx side, but the Shai-Hulud worm may be a different crew entirely riding the same access.
Anyone who ran npm install @bitwarden/cli during that 93-minute window: rotate every secret on that machine. Bitwarden confirmed no vault data was touched. The pipelines are the problem.
The Browser That Never Forgot You
The "New Identity" button in Tor Browser is the feature. It's the whole promise — click it, burn the session, start over, be unlinkable. Fingerprint.com discovered this week that for an unknown length of time, the button was a lie.
The bug, now tracked as CVE-2026-6770, lives in Firefox's IndexedDB — a browser storage API that websites use as a local database. IndexedDB returned entries in an order that turned out to be deterministic and stable within a running browser process. Any website could read that ordering, derive a unique identifier, and recognize the same user across "New Identity" resets. No permissions needed. Just JavaScript.
Since the flaw is in Gecko, the Firefox rendering engine, every Firefox-derived browser inherited it: LibreWolf, Mullvad Browser, Thunderbird, and Tor itself. Mozilla shipped the fix in Firefox 150 and ESR 140.10.0 on April 21. The advisory also credits researchers using Anthropic's Claude on at least one adjacent high-severity finding — an operational signal worth its own paragraph: vendors are starting to name AI-assisted discoveries in release notes.
The question nobody has answered: how long was this exploitable, and did surveillance vendors find it first? Fingerprint.com is, by trade, a commercial fingerprinting company. They found a tracking vector and reported it. Someone else, somewhere, may have found it years ago and chosen differently. Tor Browser users remain exposed until the Tor Project ships its ESR-based rebuild — watch for that release as the real all-clear.
France's Identity Agency, 19 Million Records, and a Permanent Problem
● Paris, France
On April 15, France's Agence Nationale des Titres Sécurisés — the national body that issues passports, ID cards, residence permits, and driver's licenses — detected an intrusion at its ants.gouv.fr portal. On Wednesday, ANTS confirmed the breach publicly. A threat actor is offering what they claim is 18 to 19 million records: names, emails, phone numbers, birth details, addresses, account metadata. Per BleepingComputer, ANTS has notified CNIL, the Paris Public Prosecutor, and brought in ANSSI for the technical response.
ANTS says the exposed data does not grant portal access. True, but beside the point. This is government-verified identity data on roughly a third of France's population — data that doesn't rotate, doesn't expire, and can't be reset. What changes if the claim holds: French-language phishing and impersonation fraud get a decade-long tailwind, and every downstream service that trusts "data from the passport office" as a verification anchor has to reconsider. The signal to watch: ANSSI's technical findings. If the root cause is an API flaw in a stack shared across French government portals — and many of them run on shared infrastructure — this stops being an ANTS-only story.
The sale hasn't been independently verified. The breach has.
The Phone Network Is the Implant
Citizen Lab published research this week on two surveillance campaigns that don't bother with the phone at all. They abuse SS7 (the signaling protocol underpinning 2G and 3G) and Diameter (its 4G/5G successor) — the systems carriers use behind the scenes to route calls, hand off roaming, and deliver texts. The operators masqueraded as legitimate telecom providers or piggybacked on carrier access to pull location data and metadata on targets. Citizen Lab names three telecoms implicated in providing access, including 019Mobile and Tango Networks U.K. In one case, operators used SIMjacker-style silent SMS commands that speak directly to the SIM card without ever surfacing to the user.
If this is a small slice of a larger pattern — which the researchers say it is — then a meaningful fraction of state and quasi-state location collection lives in legacy signaling seams that were never fixed, only papered over with filtering rules carriers apply unevenly. The observable signal for the next six months: whether any national regulator responds publicly. Quiet remediation is the tell that the exposure is large. Public action is the tell that it's larger.
Your phone can be tracked without your phone being compromised. That is the takeaway, and it is not new — but the evidence keeps getting more specific.
⚡ What Most People Missed
- UNC6692 is running Teams as the delivery channel. Mandiant disclosed a cluster that first email-bombs a target, then follows up via Microsoft Teams from an external account impersonating internal IT. If the target accepts a remote-management tool, the SNOW malware suite lands. Mandiant's telemetry indicates 77% of targets are senior employees. Email gateways never see the second stage.
From the Foreign Press
The Lovable Bug That Exposed Everyone Else's AI Coding Chats
Russian security outlet Xakep reported Wednesday on a severe authorization flaw in Lovable, a drag-and-drop AI coding platform. The bug allowed authenticated users to read the chat histories of unrelated accounts — meaning anyone's prompts to the AI, including whatever they pasted in to get their code fixed. Developers routinely paste API keys, database credentials, internal business logic, and proprietary source into these prompts. An exposed chat history is a map of a company's sensitive intellectual property, handed to a stranger. This matters in the context of this week's supply-chain theme: the tools developers trust — password managers, IaC scanners, AI coding assistants — keep turning out to be the shortest path in. Source: Xakep.ru — Russian. No English-language coverage confirmed at time of publication.
Someone Got Into Claude Mythos
Xakep also reports that unknown actors obtained access to Claude Mythos Preview — the restricted Anthropic model made available only to Project Glasswing partners. Details are thin; attribution is absent; Anthropic has not commented publicly. But if accurate, it's an early data point on a growing concern: partner-only and preview-tier frontier models have different access controls than production APIs, and those controls are starting to matter as adversaries map the AI supply chain the same way they've mapped the software one. Source: Xakep.ru — Russian. No English-language coverage confirmed at time of publication.
CERT-UA: Attackers Are Now Impersonating CERT-UA
● Ukraine
Ukraine's national cyber agency published advisory #21075 detailing a campaign by UAC-0255 that phishes government bodies, hospitals, and security firms with a ZIP file labeled "CERT_UA_protection_tool." Victims are directed to an AI-generated lookalike site (cert-ua[.]tech) cloned wholesale from the real portal. The payload is AGEWHEEZE, a remote access trojan. The escalation worth noting: during wartime, a fake warning from your own incident responders is a near-perfect lure. Expect the playbook to travel. Source: CERT-UA — Ukrainian. No English-language coverage confirmed at time of publication.
📅 What to Watch
- If ANSSI publishes a technical root cause on the ANTS breach that names a shared API stack, every French government portal built on that stack becomes a same-day priority — not a French problem, an infrastructure problem.
- If a fifth developer tool gets hit in the Checkmarx chain, the campaign stops looking opportunistic and starts looking like systematic mapping of the CI/CD toolchain — which changes how every security team should think about build-time trust.
- If CISA adds LMDeploy (CVE-2026-33626) to KEV before Monday, exploitation has moved past researchers into broad scanning, and any org hosting inference endpoints should assume they're already being probed.
- If Mozilla and Google start routinely crediting AI-assisted bug discoveries in advisories, the economics of vulnerability research just shifted — and so has the speed at which previously-undiscovered classes of bugs will surface.
- If no national telecom regulator responds to the Citizen Lab signaling findings within two weeks, read the silence as evidence the exposure is too large to address publicly, not too small to matter.
- If Tor Project's Firefox 150-based rebuild slips past next week, every Tor user's "New Identity" resets remain linkable — and the journalists, activists, and researchers who rely on that button have been operating on a false assumption longer than anyone wants to admit.
The Closer
A password manager that ratted out its own users for 93 minutes, a privacy browser that remembered you through the amnesia button, and a surveillance racket that doesn't need to touch your phone because it owns the wires between them. The supply chain isn't a metaphor anymore — it's a layer cake, and every layer is on fire, and the scanner we bought to find the fire is also on fire.
Stay paranoid. Rotate your tokens.
Forward this to the developer on your team who still runs npm install without pinning — they'll thank you tomorrow, or apologize Monday.