CYBERSECURITY
April 25, 2026 • 5 min read

IT Security Roundup: ShinyHunters Rampage, Vercel Breach, and ActiveMQ Under Attack

This week in cybersecurity has been dominated by the ShinyHunters ransomware group's unprecedented campaign targeting major corporations, a sophisticated supply-chain breach at cloud platform Vercel, and urgent warnings over actively exploited vulnerabilities in Apache ActiveMQ. Here is a comprehensive summary of the most significant incidents shaping the security landscape in late April 2026.

ShinyHunters Ransomware Group Targets Major Brands in Massive Campaign

RANSOMWARE

The ShinyHunters ransomware group has launched one of the most prolific campaigns in recent memory, claiming responsibility for attacks against Zara parent Inditex, 7-Eleven, Carnival Corporation, Kemper Insurance, and Amtrak. The group claims to have exfiltrated over 9 million records from Inditex, 600,000 Salesforce records from 7-Eleven, and 8.7 million records from Carnival Corporation. Kemper Insurance reportedly lost 29 GB of data containing more than 13 million records, including personally identifiable information.

Amtrak confirmed that at least 2.1 million customer records were compromised, with the potential scope reaching up to 9.4 million. Exposed data includes email addresses, names, physical addresses, and support ticket information. The attacks appear to have leveraged CRM and Salesforce integrations as common entry points across multiple victims, suggesting a coordinated methodology targeting third-party platform vulnerabilities.

Vercel Confirms Security Breach Through Third-Party AI Tool Compromise

DATA BREACH

Cloud development platform Vercel disclosed a security incident on April 19, 2026, traced to the compromise of Context.ai, a third-party artificial intelligence tool used by a Vercel employee. The attacker exploited the compromised AI integration to hijack the employee's Google Workspace account, then pivoted into Vercel's internal environments. Environment variables not flagged as "sensitive" were accessed, while those marked as sensitive remained protected by encryption at rest.

A threat actor claiming affiliation with ShinyHunters listed the stolen data for sale at $2 million, though actual ShinyHunters members denied involvement. The claimed data set included API tokens, source code, internal database information, and 580 employee records. Vercel stated that its open-source projects, including Next.js and Turbopack, were not affected. The incident highlights the growing risk of supply-chain attacks through trusted third-party SaaS integrations, particularly AI tools connected to enterprise single sign-on systems.

Booking.com Confirms Data Breach Affecting Customer Reservation Data

DATA BREACH

Amsterdam-based travel platform Booking.com has confirmed a data breach after unauthorised parties accessed reservation data linked to some customers. Exposed information included names, email addresses, phone numbers, physical addresses, and booking details. The company responded by resetting reservation PINs across affected accounts and notifying impacted users directly.

The breach raises significant phishing concerns, as attackers could leverage the exposed booking information to craft highly targeted travel-related phishing messages. The incident follows a broader pattern of Salesforce and CRM-related breaches observed throughout April 2026, suggesting that attackers are increasingly targeting customer relationship management platforms as a vector for mass data exfiltration.

CISA Warns of Active Exploitation of Apache ActiveMQ Vulnerability

VULNERABILITY

The Cybersecurity and Infrastructure Security Agency has issued a warning regarding active exploitation of Apache ActiveMQ vulnerability CVE-2026-34197, a high-severity code injection flaw carrying a CVSS score of 8.8 that allows remote code execution on affected servers. Nonprofit security organisation Shadowserver identified over 6,400 Apache ActiveMQ servers exposed online that remain vulnerable to ongoing attacks.

Apache has addressed the vulnerability in versions 5.19.4 and 6.2.3, but the sheer number of unpatched instances presents a significant attack surface. Organisations running ActiveMQ deployments are urged to update immediately and review their exposure. The vulnerability is particularly concerning because ActiveMQ is widely used in enterprise messaging and integration infrastructure, meaning successful exploitation could provide attackers with a foothold in critical business systems.
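As an added example (not code from the article or the Apache project), a small Python triage helper that compares inventoried ActiveMQ version strings against the fixed releases the article cites, 5.19.4 for the 5.x line and 6.2.3 for the 6.x line; the host names and version strings are constructed, and versions outside those two lines are flagged for manual review rather than judged.

```python
"""Triage ActiveMQ versions against the CVE-2026-34197 fixed releases."""
import re

# Fixed releases per major line, as reported in the article.
FIXED_RELEASES = {5: (5, 19, 4), 6: (6, 2, 3)}


def parse_version(text):
    """Extract a numeric (major, minor, patch) tuple from a version string.

    Accepts "5.18.3", "6.1.0-SNAPSHOT" or a banner such as "ActiveMQ 5.19.2";
    raises ValueError when no x.y.z pattern is present.
    """
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(p) for p in m.groups())


def is_vulnerable(version_text):
    """True if below the fixed release of its line, False if at or above it.

    Returns None for major lines the article gives no fix for (assumption:
    those need a manual check rather than an automatic verdict). Tuples are
    compared numerically, so 5.19.10 correctly ranks above 5.19.4.
    """
    version = parse_version(version_text)
    fixed = FIXED_RELEASES.get(version[0])
    return None if fixed is None else version < fixed


def triage(inventory):
    """Map {host: version_string} to PATCH / ok / REVIEW / UNKNOWN."""
    report = {}
    for host, ver in inventory.items():
        try:
            verdict = is_vulnerable(ver)
        except ValueError:
            report[host] = "UNKNOWN"   # unparseable; verify on the host
            continue
        report[host] = "REVIEW" if verdict is None else ("PATCH" if verdict else "ok")
    return report


# Constructed sample inventory, e.g. exported from a CMDB or broker banners.
SAMPLE_INVENTORY = {
    "mq-prod-01": "ActiveMQ 5.18.6", "mq-prod-02": "5.19.4",
    "mq-stage-01": "6.1.7", "mq-stage-02": "6.2.3",
    "mq-legacy-01": "5.19.10", "mq-old-01": "4.1.2", "mq-dev-01": "n/a",
}

if __name__ == "__main__":
    for host, action in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> {action}")
```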

Lone Hacker Weaponises AI to Breach Nine Mexican Government Agencies

AI THREATS

Security researchers have revealed that a single hacker used Anthropic's Claude Code and OpenAI's GPT-4.1 to breach nine Mexican government agencies in a demonstration of AI-weaponised cyberattacks. The attacker bypassed safety filters through prompt manipulation and an injected hacking manual, then used AI-driven commands to accelerate reconnaissance across the target infrastructure. The operation involved 5,317 automated actions across 34 sessions.

The breach exposed 195 million taxpayer records and 220 million civil records, representing one of the largest government data exposures attributed to AI-assisted hacking. The incident demonstrates the dual-use nature of advanced AI coding tools and raises urgent questions about the adequacy of current AI safety guardrails. Researchers also detailed a separate campaign using a fake Claude Pro installer to distribute PlugX malware, further highlighting how AI branding is being weaponised for social engineering attacks.

ZY Media Productions