ZeroFox Daily Intelligence Brief - April 20, 2026
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- Threat Actor Claiming to be ShinyHunters Claims Vercel Data Breach
- Four Malware Families Hit Finance Sector
- Geopolitical Focus: Iran says SoH Closed Again, Eight Children Killed in Mass Shooting in Louisiana
Threat Actor Claiming to be ShinyHunters Claims Vercel Data Breach
What we know: Cloud development platform Vercel has confirmed a data breach after a threat actor, claiming to be ShinyHunters, reportedly gained unauthorized access to some of Vercel’s internal systems. Vercel revealed that the threat actor used an employee’s compromised account linked to the third-party AI tool Context[.]ai, leading to the exposure of environment variables marked as non-sensitive.
Context: The threat actor has posted sample data on a dark web forum as proof, claiming to have broader access that includes API keys and internal deployment access. The attacker has reportedly demanded USD 2 million in ransom from Vercel. However, threat actors linked to the recent ShinyHunters-attributed attacks have reportedly denied involvement.
Analyst note: The compromised data is likely to lead to credential abuse and eroded trust among users. Developers using Vercel are likely at risk of supply chain attacks. The threat actor(s) are likely to publish poisoned versions of Next[.]js on GitHub and npm, as Vercel is the maintainer of the open-source web development framework. Mitigation measures and indicators of compromise (IOCs) have been released by Vercel.
Four Malware Families Hit Finance Sector
Source: https://hackread.com/recruitrat-saferrat-astrinox-massiv-android-malware/
What we know: Four new Android malware families—RecruitRat, SaferRat, Astrinox, and Massiv—are being deployed in separate campaigns to steal sensitive data from over 800 banking and cryptocurrency apps. These campaigns use overlays, keylogging, and real-time OTP interception to steal credentials and bypass security.
Context: The malware strains are spread via phishing sites, smishing texts, and fake apps (job portals, streaming services, business tools) and trick users into installing malicious APKs. Among the four malware families, Massiv remains particularly evasive with an unclear infection chain.
Analyst note: Given that attackers can bypass traditional safeguards and operate within trusted user environments, account takeovers and fraudulent transactions are likely to be harder to detect. Additionally, MFA-dependent security protocols are likely insufficient to protect transactions and financial processes, as the actors can bypass security controls by intercepting OTPs in real time.
Geopolitical Focus: Iran says SoH Closed Again, Eight Children Killed in Mass Shooting in Louisiana
- The United States said it has seized an Iran-flagged cargo ship attempting to run its blockade of Iranian ports. The ship was reportedly sailing from China towards Iran's Bandar Abbas port.
- Iran has closed the Strait of Hormuz (SoH) once again and is reportedly firing at vessels passing through the strait. India summoned the Iranian envoy after two of its merchant vessels were fired at while attempting to cross SoH.
- Peace between Iran and the United States hangs in the balance, with the deadline approaching on April 21 and Iran refusing to enter the second round of negotiations.
- Eight children have been killed in a mass shooting incident in Louisiana on April 19, which the authorities described as a domestic violence case. The suspect was killed by police while attempting to flee in a carjacked vehicle.
- Ukraine has launched a terror investigation following a mass shooting and hostage incident in Kyiv on April 18. At least six people were killed and 15 injured.
- A massive fire in a coastal “water village” in Malaysia’s Sabah state destroyed around 1,000 stilt homes and displaced thousands early Sunday. The blaze in Sandakan district affected about 9,007 residents, many from low-income, indigenous, and stateless communities.
- The United States has reportedly given Cuba a two-week deadline to release key political prisoners, like Luis Manuel Otero Alcántara and Maykel Osorbo, following a secret meeting on April 10.
DEEP AND DARK WEB INTELLIGENCE
DarkForums user berz0k: Untested threat actor "berz0k" has advertised an alleged zero-day preauth remote code execution (RCE) exploit targeting Asus AiCloud on DarkForums. The exploit enables execution of arbitrary code with root privileges on vulnerable devices. Threat actors are likely to leverage the exploit for widespread router compromise, enabling network pivoting, botnet recruitment, data exfiltration, distributed denial-of-service (DDoS) attacks, cryptocurrency mining, phishing infrastructure hosting, or account takeover attacks on connected users.
VULNERABILITY AND EXPLOIT INTELLIGENCE
Protobuf[.]js vulnerability: An exploit for a critical RCE flaw in protobuf[.]js, a popular JavaScript implementation of Google's Protocol Buffers, has been published. The flaw allows an attacker to supply a malicious schema that leads to arbitrary code injection into the generated function. Successful exploitation is likely to grant attackers access to environment variables, internal systems, credentials, and databases, and even enable lateral movement within the network.
Affected products: Protobuf[.]js versions 8.0.0/7.5.4 and lower
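As an added defensive check (not from the brief and not protobuf.js project code), the script below scans an npm package-lock.json for every installed copy of protobufjs, including nested copies, and flags those in the listed range, reading "8.0.0/7.5.4 and lower" as version 8.0.0 plus any version at or below 7.5.4 (an assumption about that wording). The sample lockfile is constructed.

```javascript
// Added example: flag protobufjs installs in a package-lock.json that fall in
// the range the brief lists. Assumption: "8.0.0/7.5.4 and lower" means 8.0.0
// itself, plus every version at or below 7.5.4.
const AFFECTED_EXACT = '8.0.0';
const AFFECTED_MAX = '7.5.4';

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { parts: [+m[1], +m[2], +m[3]], pre: m[4] || null };
}

// Comparator (<0, 0, >0); a prerelease sorts before its final release.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.parts[i] !== pb.parts[i]) return pa.parts[i] - pb.parts[i];
  }
  if (pa.pre === pb.pre) return 0;
  if (!pa.pre) return 1;
  if (!pb.pre) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

function isAffected(version) {
  return compareVersions(version, AFFECTED_EXACT) === 0 ||
         compareVersions(version, AFFECTED_MAX) <= 0;
}

// Collect every protobufjs entry from lockfileVersion 1 (nested tree) or 2/3 (flat "packages" map).
function findProtobufjs(lock) {
  const found = [];
  if (lock.packages) {
    for (const [path, info] of Object.entries(lock.packages)) {
      if (path.endsWith('node_modules/protobufjs') && info.version) found.push({ path, version: info.version });
    }
    return found;
  }
  const walk = (deps, prefix) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'protobufjs' && info.version) found.push({ path, version: info.version });
      walk(info.dependencies, path + '/');
    }
  };
  walk(lock.dependencies, '');
  return found;
}

function auditLockfile(lock) {
  return findProtobufjs(lock).filter((e) => isAffected(e.version));
}

// Constructed sample lockfile (not real project data): one copy in range, one nested copy above it.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo', version: '1.0.0' },
    'node_modules/protobufjs': { version: '7.5.4' },
    'node_modules/grpc-tool/node_modules/protobufjs': { version: '7.6.0' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  const lock = process.argv[2] ? JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8')) : SAMPLE_LOCK;
  for (const hit of auditLockfile(lock)) console.log(`AFFECTED ${hit.path} protobufjs@${hit.version}`);
}
```

Run it as `node audit.js path/to/package-lock.json` to scan a real lockfile; with no argument it reports on the constructed sample.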
Tags: DIB, tlp:green