Checkmarx confirmed Friday that data from its private GitHub repository was posted on the dark web following the March 23 TeamPCP supply-chain attack. The LAPSUS$ group published the dump, which includes Checkmarx source code, an employee database, API keys, and MongoDB and MySQL credentials. Checkmarx says the affected GitHub repository was separate from the customer Checkmarx One SaaS production environment, with no customer data stored in it. The bigger picture: an attack that started by poisoning a single GitHub Action 35 days ago has now produced a full source code, credentials, and employee data leak - under five weeks end to end.
ADT, the largest US home security company, filed an SEC 8-K on April 24 confirming a breach detected April 20. ShinyHunters listed ADT on its 'pay or leak' portal claiming over 10 million records with an April 27 deadline. ADT says the dataset was limited to names, phone numbers, addresses, plus DOBs and last-four SSN/Tax IDs for a small subset; no payment data was accessed and alarm systems were unaffected. Initial access was a vishing attack against an employee that compromised an Okta SSO session, which attackers used to reach ADT's Salesforce - the same playbook ShinyHunters ran against Carnival.
Itron, the Washington-based utility technology company that manages 112 million energy and water meter endpoints across 7,700 customers in 100 countries, disclosed a cyberattack in an SEC 8-K filing April 24. An unauthorized third party reached parts of Itron's corporate IT network on April 13. Itron says it has expelled the attackers and seen no follow-up activity, and that customer-hosted environments (the actual utility infrastructure) were untouched. No ransomware group has claimed the attack. The incident is significant because Itron sits in the middle of US critical infrastructure - meter data, billing, and grid telemetry pass through its software at thousands of utilities.
Medtronic, the world's largest medical device maker, confirmed a breach of its corporate IT systems in an SEC filing April 24. ShinyHunters had listed Medtronic on its leak site April 18 claiming theft of more than 9 million records of personal data plus terabytes of internal corporate documents, with an April 21 deadline. The Medtronic listing has since been removed - a strong signal the company either paid the ransom or is still negotiating. Medtronic says product safety, manufacturing, distribution, and patient care are unaffected; the breach was confined to corporate IT, which is segregated from device infrastructure. Investigation into what personal data was exposed is ongoing.
Carnival Corporation has been confirmed as a ShinyHunters breach victim, and the data is now public. Have I Been Pwned added the breach on April 23 with 7,531,359 unique email addresses drawn from 8.7 million records. The data comes from the Mariner Society loyalty program operated by Holland America Line, one of Carnival's cruise brands, and contains full names, dates of birth, genders, email addresses, and loyalty program status fields. ShinyHunters initially listed Carnival on its 'pay or leak' portal on April 18 with an April 21 deadline alongside Zara, 7-Eleven, and roughly 40 other organizations. When Carnival did not pay, the group published the dataset on its leak site this week. Carnival confirmed to reporters that the initial access came from a phishing compromise of a single employee account - a reminder that ShinyHunters continues to rely on human-layer intrusion rather than novel exploits. For anyone whose email, date of birth, or customer record appears in the dataset, the immediate risk is highly targeted phishing and account-takeover attempts that reference genuine Holland America booking details.
Security researcher @weezerOSINT disclosed on April 20 that Lovable, the Swedish AI code-generation platform that just raised a $330M Series B at a $6.6B valuation, had a Broken Object Level Authorization flaw letting any free account read another user's project source code, hardcoded database credentials, AI chat transcripts, and customer data - using only five API calls. The /projects/{id}/* endpoints verified Firebase authentication but skipped any ownership check. On April 23 Lovable published a formal incident report admitting the exposure window ran February 3 to April 20, a full 76 days, caused by a backend regression that silently undid a fix shipped in 2025. Every Lovable project created before November 2025 was readable. The researcher demonstrated the impact by pulling source code from Connected Women in AI, a Danish nonprofit with over 3,700 edits in 2026 alone, extracting hardcoded Supabase credentials from that code, then querying the live database to retrieve real names, LinkedIn profiles, and Stripe customer IDs belonging to Accenture Denmark and Copenhagen Business School staff. Lovable's initial public response was to deny a breach occurred and blame its documentation and HackerOne triage partner before eventually apologizing.
Vercel updated its security bulletin on April 23 to disclose that ongoing forensics has uncovered additional customer accounts compromised in the Context.ai-linked breach that went public on April 19, and - more worryingly - a separate cluster of customer accounts with evidence of compromise that predates and appears unconnected to the Context.ai incident. CEO Guillermo Rauch confirmed on X that the threat actor has been active beyond Context.ai's compromise. Hudson Rock's forensic report traced patient-zero to a Context.ai employee whose laptop was infected by Lumma Stealer in February 2026 after downloading Roblox auto-farm scripts - a roughly four-week dwell time before the operator pivoted into Context.ai's AWS environment and then through OAuth tokens into Vercel's Google Workspace. The stolen credential set from that single laptop included Google Workspace logins, Supabase keys, Datadog tokens, Authkit credentials, and the support@context.ai account. Vercel has now confirmed non-sensitive environment variables in affected team scopes were readable to the attacker, and says customer notifications are going out individually rather than via a public list.
Rituals, the Amsterdam-headquartered cosmetics and home fragrance retailer with roughly 1,000 stores across Europe, the Middle East, and North America, disclosed on April 23 that attackers stole personal information from its 'My Rituals' membership database. The company has not yet said how many members were affected, only that 'personal information' was exfiltrated. No payment card data is reported to have been compromised. Rituals' membership program collects name, email, postal address, and purchase history to drive a loyalty and personalization program, so the exposed fields are ideal material for branded-lookalike phishing and physical-mail fraud referencing real past purchases. The company says it has informed Dutch data protection regulator Autoriteit Persoonsgegevens and is working with an external incident response firm. Rituals did not attribute the breach to a named group and has not described the initial access vector; the disclosure follows a wider April 2026 pattern in which loyalty and membership databases are repeatedly showing up as soft targets for extortion actors looking for PII-heavy datasets.
The Everest ransomware group listed Citizens Financial Group and Frost Bank on its leak site on April 20 with a six-day deadline that expires today. Everest claims 3.4 million Citizens records (names, addresses, account numbers) and 250,000 Frost records with the more sensitive set: SSNs, tax IDs, mortgage rates, and income data. Both banks confirmed the breach traces to a third-party vendor - a statement-printing provider for Citizens, a tax-document fulfillment firm for Frost - rather than direct compromise. Citizens disclosed publicly April 21; class-action lawsuits were filed April 23.
Follow-up: this is the origin-story update to the Vercel breach disclosed April 19 (which our publication did not cover at the time). Hudson Rock traced the initial compromise to a Context.ai employee whose laptop was infected by Lumma Stealer malware in February 2026 after the user downloaded Roblox 'auto-farm' scripts and game-exploit executors - a notorious delivery vector for infostealers. The malware harvested that employee's Google Workspace credentials plus access keys and logins for Supabase, Datadog, and Authkit. The haul also included the support@context.ai account, letting the attacker escalate inside Context.ai, reach its AWS environment, and then pivot through compromised Google Workspace OAuth tokens into a Vercel employee's enterprise workspace that had granted the 'AI Office Suite' app 'Allow All' permissions. The attacker (ShinyHunters, now selling the data for $2M on BreachForums) read Vercel environment variables not flagged as 'sensitive.' Google pulled the Context.ai Chrome extension (ID omddlmnhcofjbnbflmjginpjjblphbgk) on March 27 - it embedded an OAuth grant for read access to users' entire Google Drive. The lesson is brutal: one employee's personal risky behavior on a work device cascaded through four SaaS platforms into a supply-chain breach that a threat actor is now auctioning.
TrustStrike Labs