Live threat intelligence from multiple sources. Updated every 6 hours.
The U.S. Coast Guard has issued a rule requiring cybersecurity officers, assessments, and plans for all U.S.-flagged commercial vessels and port facilities by July 2027. The mandate will reshape vendor risk assessments and inject over $1 billion in compliance spend, making it a critical TPRM focus for maritime operators and OT service providers.
Tempus AI is being sued for training AI on, and selling, genetic data acquired from Ambry Genetics without patient consent, exposing pharma partners and downstream users to regulatory risk and potential re‑identification of supposedly de‑identified DNA.
A KPMG survey of 2,110 C‑suite leaders shows that while 95% have AI strategies, only 8% report measurable returns. The report highlights the need for robust AI governance, data protection, and operational integration—critical considerations for third‑party risk managers evaluating AI‑enabled vendors.
University of Central Florida researchers introduced SecureRouter, an encrypted routing layer that dynamically selects AI models during MPC‑based inference. The approach halves latency compared with fixed‑model private inference, making secure AI more practical for healthcare, finance, and other data‑sensitive sectors.
Help Net Security released a comprehensive snapshot of current cybersecurity vacancies, covering roles from DevSecOps engineers to AI security testers. The list highlights emerging skill demands that third‑party risk managers should monitor when evaluating vendor capabilities.
The SANS ISC released its April 21, 2026 Stormcast podcast, outlining the latest malware, phishing, and vulnerability activity observed worldwide. TPRM teams should ingest these indicators to keep vendor risk assessments current.
State‑sponsored Lazarus hackers hijacked LayerZero’s verification layer, stealing $290 M of rsETH from KelpDAO and forcing major DeFi lenders to freeze collateral. The breach highlights supply‑chain risk in cross‑chain infrastructure for crypto‑finance platforms.
A set of 26 counterfeit cryptocurrency wallet apps slipped into Apple’s App Store for China, using typosquatting and fake branding to lure users. Once installed, the apps redirected victims to phishing sites and abused iOS provisioning profiles to exfiltrate seed phrases, enabling full wallet takeover. The campaign highlights a supply‑chain risk for any organization that permits mobile wallet usage.
Vercel disclosed a breach tied to its Context.ai integration that resulted in the theft of customer data now listed for $2 million. The incident highlights supply‑chain risk for organizations relying on cloud‑hosted platforms and third‑party services.
An internal AI development assistant used by a Vercel employee inadvertently accessed and leaked OAuth tokens, allowing attackers to retrieve source code and configuration data from Vercel‑hosted projects. The breach underscores the third‑party risk of credential exposure in SaaS platforms.
Researchers have uncovered thousands of known and new vulnerabilities in serial‑to‑IP converters that bridge legacy machine protocols to Ethernet. The flaws enable remote code execution, credential theft, and denial‑of‑service, putting manufacturing, energy, and other OT‑heavy sectors at risk. TPRM teams must inventory, patch, or isolate these devices to close a critical supply‑chain gap.
A cyber‑attack on the French ANTS portal on 15 April 2026 may have leaked personal details of up to 19 million individuals, including names, emails, birth dates and addresses. The breach poses significant identity‑theft risk for third‑party services that rely on ANTS‑verified data, making it a high‑priority TPRM concern.
Surfshark unveiled Dausos, a proprietary VPN protocol using AEGIS‑256X2 encryption and dedicated per‑user tunnels. Independent testing shows promising security enhancements but performance still trails WireGuard. TPRM teams should assess audit findings and pilot the protocol before enterprise rollout.
The Gentlemen ransomware‑as‑a‑service group has incorporated the SystemBC proxy botnet (≈1,570 compromised hosts) into its delivery chain, enabling covert, high‑volume attacks on corporate environments worldwide. This evolution raises supply‑chain risk for vendors hosting or relying on virtual servers.
Attackers accessed Amtrak’s customer‑relationship‑management system and extracted personal data for over 2.1 million travelers. The breach highlights third‑party SaaS risk for transportation firms and the need for stricter credential controls.
A newly disclosed open‑redirect flaw in the Model Control Plane (MCP) used by many AI SaaS platforms enables attackers to hijack model‑inference traffic, threatening data confidentiality and downstream services. Third‑party risk managers should reassess AI vendor controls and demand remediation to protect the AI supply chain.
Active exploitation of three Microsoft Defender vulnerabilities on Windows 10/11 has been confirmed. While Microsoft patched the BlueHammer issue, two additional flaws remain unpatched, exposing enterprises and managed service providers to elevated risk.
Tyler Buchanan, a key operative of the Scattered Spider group, admitted to hacking dozens of companies, stealing roughly $8 million in cryptocurrency, and exfiltrating sensitive corporate data through SMS‑based phishing and SIM‑swap attacks. The case underscores the risk of SMS MFA and the need for stronger credential protection in third‑party relationships.
A sophisticated Android banking‑malware campaign is abusing screen‑overlay and Accessibility permissions to harvest PINs from over 800 mobile applications. The threat poses a high risk to financial‑service vendors and their downstream partners, demanding immediate review of mobile SDKs and device controls.
A newly disclosed vulnerability, CVE‑2026‑5760, in the open‑source SGLang library allows remote code execution when malicious GGUF model files are processed. The flaw, scored CVSS 9.8, impacts any organization using SGLang for AI inference, creating a high‑risk supply‑chain exposure for third‑party risk managers.
Italy’s data‑protection authority fined Poste Italiane and its Postepay subsidiary €12.5 million for illegally harvesting device‑level data from millions of users through overly invasive mobile‑app monitoring, highlighting a major privacy‑compliance risk for third‑party payment providers.