Today's picture
Ten allied nations including the US, UK, Australia, Canada, and Germany published a formal joint advisory today confirming that most China-nexus threat actors have moved to routing their operations through compromised home routers, SOHO devices, and IoT equipment. The goal is to make attacks look like they originate from legitimate residential and small business networks. Separately, Vercel disclosed a second wave of customer compromises uncovered during their breach investigation, with this set predating the Context.ai OAuth incident and linked to separate attack methods entirely.
Threat snapshot
2 new · 1 developing · 3 monitoring
New
Joint Advisory
Ten nations warn that China-nexus hackers are using your home routers and IoT devices as attack infrastructure.
CISA, NCSC, and eight other allied agencies confirm most China-linked threat groups now route operations through 260,000-plus compromised consumer devices. IP blocklists are becoming ineffective.
Developing
Breach Expanded
Vercel breach expands. Second independent set of customer compromises discovered, predating the OAuth incident.
Separate from the Context.ai OAuth attack. Additional accounts compromised via social engineering, malware, and other methods. Vercel notified affected customers.
New
KEV Listed
Marimo Python notebook RCE added to CISA KEV. Unauthenticated shell access in AI and data science environments.
CVE-2026-39987. Cohere AI open-source tool used in LLM development pipelines. Unauthenticated RCE with root privileges. Confirm whether Marimo runs in your data science or AI infrastructure.
Detailed intelligence
Full analysis
01 New Joint Advisory
Ten allied nations confirm China-nexus hackers are routing attacks through home routers and IoT devices at scale.
Joint Advisory · Apr 23
What happened
CISA, the UK National Cyber Security Centre, and agencies from Australia, Canada, Germany, Japan, the Netherlands, New Zealand, Spain, and Sweden published a joint advisory on April 23 titled "Defending Against China-Nexus Covert Networks of Compromised Devices." The advisory confirms that most China-nexus threat actors have shifted from using individually controlled servers to operating large botnets built from compromised SOHO routers, IoT devices, and network-attached storage equipment. The shift is deliberate. By routing operations through devices sitting in homes and small businesses worldwide, these actors make their attack traffic appear to originate from legitimate residential networks, effectively defeating traditional IP-based detection and blocklists.
The advisory specifically names Volt Typhoon and Flax Typhoon as groups using this technique. One example cited involved a Chinese-linked company that infected over 260,000 devices globally to build a single proxy network. The advisory notes that multiple Chinese threat actor groups may share a single botnet simultaneously, and that these networks are continuously updated with new compromised devices to replace ones that are detected and cleaned.
The attack chain typically begins with credential theft or exploitation of unpatched vulnerabilities in edge devices including routers, firewalls, and VPN gateways from Cisco, Fortinet, and Juniper. Once inside, the attacker deploys a persistent implant that establishes an encrypted tunnel blending into normal traffic. The device then serves as a relay point, obscuring the true origin of subsequent operations against enterprise and critical infrastructure targets.
CyberSip Take
This advisory ties together a thread running through this entire brief. Issue 1 covered the GRU router hijacking campaign targeting home networks of remote workers. Issue 10 covered the BRIDGE:BREAK serial-to-IP converter research. Today's advisory formalizes at an allied-nation level what those items illustrated in isolation: the network perimeter has expanded to include every connected device near your employees, their homes, and their small office networks.
The practical implication for defenders shifts when you accept this framing. Traditional IP reputation blocklists are not effective against traffic originating from residential broadband ranges, because that traffic looks identical to a legitimate employee working from home. The advisory makes this explicit, stating that static IP blocking is becoming less useful as these botnets cycle through new compromised nodes continuously.
What the advisory recommends instead is behavioral baseline detection. Know what your corporate VPN connections normally look like, what operating systems they come from, what time zones, what device certificates. An anomalous connection from a residential IP in an unusual geography or from a device that does not match your managed endpoint profile is worth investigation even if the IP is not on any blocklist. Organizations that have never baselined their VPN connection patterns do not have the data they need to spot this. Building that baseline is not a complex project, but it requires starting.
Recommended actions
- Map and inventory all network edge devices including routers, firewalls, and VPN gateways. Identify firmware versions and confirm which are current. Unpatched edge devices are the primary entry point for building these covert networks.
- Baseline your corporate VPN connection patterns. Establish what normal looks like in terms of source geography, device type, operating system, and connection time. Anomalies against that baseline are more actionable than IP reputation alone.
- Implement dynamic threat intelligence feeds that include known covert network infrastructure indicators rather than relying solely on static IP blocklists.
- Enforce machine certificates for SSL VPN connections where possible. This raises the bar significantly compared to credential-only authentication from unmanaged devices.
- Review the CISA and NCSC joint advisory and its companion Hunt and Hardening guidance for specific indicators of compromise and detection queries relevant to this activity.
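The baseline check described above, as an added example that is not taken from the advisory or any vendor tooling. The record fields (user, country, os, hour, managed_cert), the two-hour slack, and the sample log entries are constructed assumptions; map them to whatever your VPN gateway actually logs.

```python
from collections import defaultdict

# Constructed sample VPN log records (not real data): user, source country,
# client OS, connection hour (UTC), and whether a managed device cert was presented.
HISTORY = [
    {"user": "alice", "country": "US", "os": "Windows 11", "hour": 14, "managed_cert": True},
    {"user": "alice", "country": "US", "os": "Windows 11", "hour": 15, "managed_cert": True},
    {"user": "alice", "country": "US", "os": "Windows 11", "hour": 20, "managed_cert": True},
    {"user": "bob", "country": "DE", "os": "macOS 14", "hour": 8, "managed_cert": True},
    {"user": "bob", "country": "DE", "os": "macOS 14", "hour": 9, "managed_cert": True},
]

def build_baseline(history):
    """Per-user sets of countries, OSes and hours seen in known-good history."""
    base = defaultdict(lambda: {"country": set(), "os": set(), "hour": set()})
    for rec in history:
        for field in ("country", "os", "hour"):
            base[rec["user"]][field].add(rec[field])
    return base

def hour_is_usual(hour, seen_hours, slack=2):
    """True if hour is within `slack` hours of a baseline hour, wrapping at midnight."""
    return any(min((hour - h) % 24, (h - hour) % 24) <= slack for h in seen_hours)

def deviations(conn, baseline):
    """Return the list of ways a connection departs from its user's baseline."""
    if conn["user"] not in baseline:
        return ["no baseline for user"]
    prof = baseline[conn["user"]]
    reasons = []
    if conn["country"] not in prof["country"]:
        reasons.append("new source country")
    if conn["os"] not in prof["os"]:
        reasons.append("new client OS")
    if not hour_is_usual(conn["hour"], prof["hour"]):
        reasons.append("unusual connection hour")
    if not conn["managed_cert"]:
        reasons.append("no managed device certificate")
    return reasons

if __name__ == "__main__":
    base = build_baseline(HISTORY)
    # Same country as usual and no blocklist hit, yet the profile does not match.
    suspect = {"user": "alice", "country": "US", "os": "Linux", "hour": 3, "managed_cert": False}
    print(deviations(suspect, base))
```

The suspect connection comes from the user's usual country with valid credentials, so IP reputation and geography alone would pass it; the OS, hour, and missing certificate are what surface it.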
Derived from CISA and NCSC-UK joint advisory published April 23, 2026, with co-signatories from nine additional allied nations
02 Developing Breach Expanded
Vercel breach expands. A second independent set of customer compromises discovered, predating the OAuth incident.
Vercel Breach Update
What changed since Issue 8
Vercel published an updated statement on April 23 disclosing that its investigation, which expanded to include additional compromise indicators and a review of environment variable read events, identified a second and separate set of customer account compromises. This set is independent of and predates the Context.ai OAuth incident covered in Issue 8. Vercel attributes these earlier compromises to social engineering, malware, or other methods unconnected to the OAuth chain. Vercel says it notified affected customers in both groups and did not disclose the total number of accounts impacted across either incident.
CyberSip Take
When an incident investigation uncovers a second, independent set of compromises predating the original one, it typically means one of two things. Either the organization is a valuable enough target that multiple actors were independently working to breach it, or its security posture had systematic gaps that different attacker methods were able to exploit independently. Vercel hosts Next.js deployments for a significant share of enterprise web infrastructure, and its environment variables contain API keys, database credentials, and deployment secrets for all of those organizations. That concentration of sensitive material makes it a worthwhile target from multiple angles. Any organization using Vercel that has not yet rotated its environment variable secrets should treat today's update as the prompt to do so, regardless of whether it received a direct notification from Vercel.
Recommended actions
- Rotate all Vercel environment variable secrets, API keys, and deployment tokens if not already done following the Issue 8 disclosure. Today's update confirms the breach scope is larger than initially known.
- Check whether your Vercel account received a notification from either disclosure. If not, check the Security and Activity logs in the Vercel dashboard directly for unusual environment variable read events.
- Review which production secrets are stored in Vercel environment variables and consider whether any can be moved to a dedicated secrets management system with additional access controls and rotation policies.
Derived from Vercel public breach notification updates
03 New KEV Listed
Marimo Python notebook RCE added to CISA KEV. Unauthenticated shell access in AI and data science toolchains.
CVE-2026-39987
What happened
CISA added CVE-2026-39987 to the Known Exploited Vulnerabilities catalog, confirming active exploitation of a pre-authentication remote code execution vulnerability in Marimo, an open-source reactive Python notebook developed by Cohere AI. Marimo is deployed as a Docker container and used extensively in data science, AI research, and LLM development environments for running user-submitted or AI-generated code. The flaw allows an unauthenticated attacker to escape the Python sandbox, access the host process, and execute arbitrary system commands with root privileges via JavaScript prototype chain traversal. The CVSS score is 9.3.
CyberSip Take
Marimo is not a household name outside data science and AI development circles, which is exactly why this KEV entry warrants explicit mention. Tools like Marimo often live in AI research environments and LLM development pipelines that sit adjacent to production systems, model weights, training data, API keys, and cloud credentials. They tend to be deployed quickly by data science teams operating with significant autonomy and limited security review. A CVSS 9.3 unauthenticated RCE in a container tool that runs arbitrary code by design creates a straightforward path to the host system and everything the container has access to. The immediate question for any organization running AI or data science infrastructure is whether Marimo is present, whether it is internet-accessible, and whether it is running a patched version. Most IT teams will not know the answer without asking the data science team directly.
Recommended actions
- Ask your data science and AI teams whether Marimo is running in any environment. It may not appear in standard software inventories if it was deployed by researchers rather than IT.
- Update Marimo to the patched version addressing CVE-2026-39987. Check the Marimo security advisory on GitHub for the specific version that resolves the sandbox escape.
- If Marimo is internet-accessible, restrict access immediately to internal networks or authenticated users only while the patch is applied.
- Audit what credentials, secrets, and cloud access the Marimo container has been granted. A host-level compromise through this flaw gives an attacker everything the container can reach.
Derived from the CISA known-exploited vulnerabilities catalog and national vulnerability database
Still watching
Aging items · days 2–7
Items here remain operationally relevant but have no significant new developments. They drop off after 7 days.
Lotus Wiper targeting energy sector (Issue 11). No attribution confirmed. Relevant for critical infrastructure teams. Review offline backup integrity and NETLOGON share monitoring.
Day 2
Azure SRE Agent CVE-2026-32173 (Issue 11). Patched server-side by Microsoft. No customer action required to receive the fix. Audit agent permissions and review what secrets it has access to.
Day 2
Apache ActiveMQ CVE-2026-34197 (Issue 6). Federal deadline April 30. Active exploitation continues. Patch to version 5.19.4 or 6.2.3. This is the last time this item appears before expiring.
Day 8 · Final
Cross-source standouts
What connects this week
01
The perimeter is not where you think it is anymore
The China-nexus advisory published today, the GRU router campaign from Issue 1, the Teams external chat attack vector from Issue 10, and the Vercel OAuth chain from Issue 8 all describe attacks that entered through spaces most organizations do not treat as part of their security perimeter. Home routers. Third-party productivity apps. External collaboration features on enterprise platforms. The pattern that runs through April's coverage is consistent: the most effective attacks started somewhere outside the traditional defended boundary and walked in through a trusted path. The defensive investment that matches this pattern is not bigger perimeter walls. It is better visibility into what your trusted paths look like when they are operating normally, so anomalies are detectable.
02
AI development toolchains are becoming an attack surface that most security teams do not own
The Marimo KEV entry joins the Azure SRE Agent flaw, the nginx-ui MCP bypass, the Atlassian MCP chain, and the ATHR vishing platform as AI-adjacent security items from this month alone. What they share is that they all involve tools or platforms being deployed with privileged access or sensitive data exposure by teams other than IT, typically data science teams, AI researchers, or product developers moving fast. Security teams that do not have visibility into what AI and ML tooling is running in their environment are carrying an unknown amount of exposure. A conversation with the data science team is a reasonable first step.