Executive Summary
- Critical RCE vulnerabilities in GitHub (CVE-2026-3854, CVSS 8.7) and Hugging Face LeRobot (CVE-2026-25874, CVSS 9.3) are actively exploitable and require emergency patching.
- VECT 2.0 ransomware functions as a destructive data wiper for files over 131KB across Windows, Linux, and ESXi environments, rendering recovery impossible.
- Russian state-sponsored actors are harvesting Microsoft Office authentication tokens via router exploits; North Korea's BlueNoroff is using AI-deepfake Zoom calls to scale cryptocurrency attacks.
- Supply chain threats are escalating, with GlassWorm VS Code extensions and LiteLLM pre-auth SQLi exploitation targeting LLM infrastructure.
- Law enforcement actions against Scattered Spider members are ongoing; ransomware gang leadership has been identified in Germany.
Top Threats Today
1. Critical GitHub RCE – CVE-2026-3854
Severity: CRITICAL | Affected: Technology
A critical remote code execution vulnerability in GitHub.com and GitHub Enterprise Server (CVSS 8.7) allows authenticated users to execute arbitrary code via a single “git push” command. This vulnerability poses immediate risk to all organizations using GitHub for source code management and CI/CD pipelines.
Recommended Action
- Immediately update GitHub Enterprise Server to patched version
- Review git push logs for suspicious activity in the past 30 days
- Implement IP-based access controls and MFA enforcement for all GitHub accounts
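Added example (not part of this briefing, nor GitHub's own tooling): a review script for the second action above. It assumes a JSON Lines export of the GitHub Enterprise Server audit log carrying the fields action, actor, repo, @timestamp and actor_ip, which is an assumed schema to be mapped onto your export; the sample events, the 10.0.0.0/8 corporate range and the 07:00 to 19:00 UTC working window are constructed.

```python
"""Review git push audit events for anomalous pushes.

Assumed input: a JSON Lines export of the GitHub Enterprise Server audit log.
The field names used here (action, actor, repo, @timestamp, actor_ip) are an
assumption made for this example; map them to your export's actual schema.
"""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample export; none of these actors, repos or addresses are real.
SAMPLE_AUDIT_LOG = """\
{"action":"git.push","actor":"alice","repo":"acme/payments","@timestamp":"2026-04-13T09:20:00Z","actor_ip":"10.20.30.40"}
{"action":"git.push","actor":"bob","repo":"acme/payments","@timestamp":"2026-04-13T10:20:00Z","actor_ip":"10.20.30.41"}
{"action":"repo.create","actor":"alice","repo":"acme/tools","@timestamp":"2026-04-13T11:00:00Z","actor_ip":"10.20.30.40"}
{"action":"git.push","actor":"svc-deploy","repo":"acme/infra","@timestamp":"2026-04-13T22:10:00Z","actor_ip":"203.0.113.77"}
{"action":"git.push","actor":"alice","repo":"acme/payments","@timestamp":"2026-04-13T23:05:00Z","actor_ip":"198.51.100.9"}
"""

# Assumed corporate egress range and working window (UTC); tune both to your estate.
ALLOWED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
BUSINESS_HOURS_UTC = (7, 19)  # start inclusive, end exclusive


def parse_events(text):
    """Parse JSON Lines into event dicts with a timezone-aware 'ts' field, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["@timestamp"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def review_pushes(text):
    """Return (actor, repo, iso_timestamp, reasons) for each git.push that trips a rule."""
    findings = []
    seen_ips = defaultdict(set)  # actor -> source IPs already observed in this window
    for ev in parse_events(text):
        if ev["action"] != "git.push":
            continue
        reasons = []
        ip = ipaddress.ip_address(ev["actor_ip"])
        if not any(ip in net for net in ALLOWED_NETWORKS):
            reasons.append("ip_outside_allowlist")
        start, end = BUSINESS_HOURS_UTC
        if not start <= ev["ts"].hour < end:
            reasons.append("outside_business_hours")
        known = seen_ips[ev["actor"]]
        if known and ev["actor_ip"] not in known:
            reasons.append("new_ip_for_actor")  # actor seen earlier, but never from this IP
        known.add(ev["actor_ip"])
        if reasons:
            findings.append((ev["actor"], ev["repo"], ev["ts"].isoformat(), reasons))
    return findings


if __name__ == "__main__":
    for actor, repo, when, reasons in review_pushes(SAMPLE_AUDIT_LOG):
        print(f"{when} {actor} -> {repo}: {', '.join(reasons)}")
```

Run it over a 30-day export and triage the pushes that trip more than one rule first; a service account pushing from outside the allowlist after hours, or a user whose source address changes mid-window, is the pattern worth a closer look at the pushed refs.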
2. Hugging Face LeRobot Unauthenticated RCE – CVE-2026-25874
Severity: CRITICAL | Affected: Technology
A critical pre-authentication RCE vulnerability (CVSS 9.3) in Hugging Face’s LeRobot, an open-source robotics platform with 24,000+ GitHub stars, is exploitable without any authentication, making it immediately actionable for threat actors targeting AI/ML infrastructure.
Recommended Action
- Audit all deployments of LeRobot across infrastructure
- Apply security patches immediately or isolate affected instances from network
- Monitor network traffic for exploitation attempts targeting default ports
3. VECT 2.0 Ransomware Data Wiper Campaign
Severity: CRITICAL | Affected: Technology, Finance
VECT 2.0 contains a critical flaw in its encryption implementation that irreversibly destroys files larger than 131KB across Windows, Linux, and ESXi platforms. Because of the broken nonce handling, the encrypted files cannot be recovered even by the threat actors themselves, so the malware functions as a destructive wiper rather than traditional ransomware.
Recommended Action
- Enable immutable backups across all critical systems, especially ESXi hypervisors
- Implement detection signatures for VECT 2.0 across endpoints and network perimeter
- Isolate any systems showing encryption activity; do not pay ransom (recovery impossible)
4. Russian State-Sponsored Token Harvesting via Router Exploitation
Severity: CRITICAL | Affected: Government, Finance, Technology
Russian military intelligence operators are mass-harvesting Microsoft Office authentication tokens by exploiting known vulnerabilities in legacy Internet routers. This campaign enables persistent access to enterprise email and collaboration systems without requiring user passwords.
Recommended Action
- Inventory and patch all Internet-facing routers; remove unsupported legacy models
- Enforce conditional access policies requiring MFA for all Office 365 sessions from unusual locations
- Monitor Azure AD for impossible travel, token replay, and anomalous sign-in patterns
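Added example (not part of this briefing, nor a Microsoft-provided detection): the impossible-travel and token-replay checks from the third action above, implemented over a simplified sign-in record (user, time, ip, lat, lon, session) that is an assumed, already-geolocated shape rather than the real Azure AD sign-in log schema. The records, the documentation-range addresses and the 900 km/h plausibility threshold are constructed.

```python
"""Impossible-travel and session-reuse checks over sign-in records.

Assumed input: a simplified, already-geolocated sign-in record
(user, time, ip, lat, lon, session). Real Azure AD sign-in exports carry
different field names; mapping them onto this shape is left to the reader.
"""
import math
from collections import defaultdict
from datetime import datetime

MAX_PLAUSIBLE_KMH = 900.0  # assumed threshold, roughly airliner cruising speed

# Constructed sample records; addresses are documentation ranges, users are fictional.
SAMPLE_SIGNINS = [
    {"user": "carol@example.com", "time": "2026-04-13T08:00:00+00:00", "ip": "203.0.113.10",
     "lat": 52.5200, "lon": 13.4050, "session": "s-111"},   # Berlin
    {"user": "carol@example.com", "time": "2026-04-13T08:45:00+00:00", "ip": "198.51.100.23",
     "lat": 40.7128, "lon": -74.0060, "session": "s-111"},  # New York, 45 minutes later
    {"user": "dave@example.com", "time": "2026-04-13T09:00:00+00:00", "ip": "203.0.113.55",
     "lat": 51.5074, "lon": -0.1278, "session": "s-222"},   # London
    {"user": "dave@example.com", "time": "2026-04-13T17:30:00+00:00", "ip": "203.0.113.56",
     "lat": 48.8566, "lon": 2.3522, "session": "s-223"},    # Paris, 8.5 hours later
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two WGS84 points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def detect_impossible_travel(records, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive sign-ins per user whose implied speed exceeds max_kmh."""
    by_user = defaultdict(list)
    for rec in records:
        by_user[rec["user"]].append(rec)
    alerts = []
    for user, recs in by_user.items():
        recs.sort(key=lambda r: datetime.fromisoformat(r["time"]))
        for prev, cur in zip(recs, recs[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (datetime.fromisoformat(cur["time"])
                     - datetime.fromisoformat(prev["time"])).total_seconds() / 3600
            # Simultaneous sign-ins from distinct places are impossible whatever the distance
            speed = km / hours if hours > 0 else (math.inf if km > 0 else 0.0)
            if speed > max_kmh:
                alerts.append({"user": user, "from_ip": prev["ip"], "to_ip": cur["ip"],
                               "km": round(km), "hours": round(hours, 2),
                               "kmh": None if math.isinf(speed) else round(speed)})
    return alerts


def detect_session_reuse(records):
    """Return session ids observed from more than one source IP (a token-replay indicator)."""
    ips_by_session = defaultdict(set)
    for rec in records:
        ips_by_session[rec["session"]].add(rec["ip"])
    return {sid: sorted(ips) for sid, ips in ips_by_session.items() if len(ips) > 1}


if __name__ == "__main__":
    for alert in detect_impossible_travel(SAMPLE_SIGNINS):
        print("impossible travel:", alert)
    print("sessions seen from multiple IPs:", detect_session_reuse(SAMPLE_SIGNINS))
```

The session-reuse check is the one that matters for this campaign: a harvested token replayed from the attacker's infrastructure shows up as the same session identifier arriving from a second address, often with no password event at all, so it should be correlated with the impossible-travel alert rather than treated as a lower-priority duplicate. Expect VPN egress changes to produce benign hits on both checks; allowlist known corporate VPN ranges before alerting.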
5. LiteLLM Pre-Auth SQLi Exploitation – CVE-2026-42208
Severity: HIGH | Affected: Technology
Hackers are actively exploiting a critical pre-authentication SQL injection vulnerability in LiteLLM, an open-source LLM gateway. Exploitation allows extraction of sensitive information from LLM deployments without authentication, affecting organizations relying on LiteLLM for AI model access control.
Recommended Action
- Immediately patch or isolate LiteLLM instances from network access
- Audit database access logs for SQLi patterns and unauthorized queries
- Migrate to patched version and rotate all LLM API credentials
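Added example (not part of this briefing, nor LiteLLM's own code): the database log audit from the second action above, run over constructed PostgreSQL-style statement log lines. The line shape assumed is what log_statement = 'all' produces with a log_line_prefix such as '%m [%p] %u@%d '; the table names, statements and the indicator regexes are an assumed starter heuristic, not a signature set tied to CVE-2026-42208.

```python
"""Scan PostgreSQL-style statement logs for SQL-injection indicators.

Assumed input: lines of the form
  'YYYY-MM-DD HH:MM:SS.mmm UTC [pid] user@db LOG:  statement: <sql>'
as produced by log_statement = 'all' with log_line_prefix = '%m [%p] %u@%d '.
The indicator set is a starter heuristic, not a complete signature list.
"""
import re
from collections import Counter

# Constructed sample log; table names, tokens and statements are invented for this example.
SAMPLE_DB_LOG = """\
2026-04-13 10:15:02.101 UTC [4012] litellm@litellm LOG:  statement: SELECT id, key_name FROM api_keys WHERE token = 'sk-example'
2026-04-13 10:15:07.442 UTC [4013] litellm@litellm LOG:  statement: SELECT * FROM api_keys WHERE token = '' UNION SELECT username, api_key, NULL FROM admins --'
2026-04-13 10:15:09.003 UTC [4013] litellm@litellm LOG:  statement: SELECT * FROM api_keys WHERE token = '' OR '1'='1'
2026-04-13 10:16:11.870 UTC [4012] litellm@litellm LOG:  statement: UPDATE api_keys SET spend = spend + 0.02 WHERE id = 17
2026-04-13 10:16:40.219 UTC [4013] litellm@litellm LOG:  statement: SELECT * FROM api_keys WHERE token = '' AND pg_sleep(5) IS NULL --'
2026-04-13 10:17:02.555 UTC [4014] litellm@litellm LOG:  statement: SELECT table_name FROM information_schema.tables; SELECT 1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d(?:\.\d+)?) \S+ \[(?P<pid>\d+)\] "
    r"(?P<user>[^@\s]+)@(?P<db>\S+) LOG:\s+statement: (?P<sql>.*)$"
)

# Indicator name -> regex; dict order determines the order of reported hits.
SQLI_INDICATORS = {
    "union_select": re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I),
    "tautology": re.compile(r"\bor\b\s+('?\w+'?)\s*=\s*\1", re.I),  # OR 1=1, OR 'a'='a'
    "trailing_comment": re.compile(r"(?:--|/\*).{0,40}$"),         # comment swallowing the tail
    "time_based": re.compile(r"\b(?:pg_sleep|sleep|benchmark|waitfor\s+delay)\b", re.I),
    "schema_enum": re.compile(r"\binformation_schema\b", re.I),
    "stacked_query": re.compile(r";\s*(?:select|insert|update|delete|drop|alter|create)\b", re.I),
}


def parse_line(line):
    """Split one log line into its fields, or return None for lines that are not statements."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def audit_db_log(text):
    """Return one finding per logged statement that matches at least one indicator."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        rec = parse_line(line)
        if rec is None:
            continue
        hits = [name for name, rx in SQLI_INDICATORS.items() if rx.search(rec["sql"])]
        if hits:
            findings.append({"line": line_no, "pid": rec["pid"], "user": rec["user"],
                             "indicators": hits, "sql": rec["sql"]})
    return findings


def suspicious_sessions(findings):
    """Count findings per backend pid so one noisy session stands out from isolated false positives."""
    return Counter(f["pid"] for f in findings)


if __name__ == "__main__":
    results = audit_db_log(SAMPLE_DB_LOG)
    for f in results:
        print(f"line {f['line']} pid {f['pid']} {f['user']}: {', '.join(f['indicators'])}")
    print("findings per backend:", dict(suspicious_sessions(results)))
```

Statement logging must already be on for this to work, so enable it on the LiteLLM database before you need it, not after. The trailing_comment and schema_enum rules will fire on some legitimate ORM and migration traffic; the per-backend count is there so that a single session producing several distinct indicators in a short window is what gets escalated, followed by rotating any API credentials that session could have read.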
Today’s Action Checklist
- ☐ URGENT: Patch GitHub Enterprise and audit git push logs for CVE-2026-3854 exploitation
- ☐ URGENT: Inventory and isolate Hugging Face LeRobot deployments; apply CVE-2026-25874 patches
- ☐ URGENT: Review firewall logs for router exploitation patterns; begin legacy router replacement program
- ☐ HIGH: Audit and patch all Internet-exposed router infrastructure; enable router update automation
- ☐ HIGH: Implement immutable backup strategy for ESXi and critical Windows/Linux systems
- ☐ HIGH: Deploy VECT 2.0 detection signatures and monitor for encryption activity
- ☐ HIGH: Enforce conditional access and MFA for all Microsoft Office 365 sessions
- ☐ HIGH: Patch or isolate LiteLLM instances; audit LLM database access
- ☐ MEDIUM: Review and apply April 2026 Patch Tuesday updates (167 vulnerabilities including SharePoint zero-day)
- ☐ MEDIUM: Deploy detection for GlassWorm VS Code extensions in developer environments