In April 2026 we saw a collision between critical infrastructure risk, software supply chains, and the rapid expansion of AI-enabled systems. Malware targeting Israeli water networks showed how geopolitical cyber activity is continuing to move beyond IT disruption toward potential physical harm, while the Axios supply-chain compromise, unauthorised access to Claude Mythos, fake Zendesk and Okta login campaigns and the sale of internal company communications for AI training all reinforced the need to treat vendors, identity systems, support channels, and sensitive data as part of a much broader attack surface.
Happenings
[Israel] ZionSiphon Malware Targets Israeli Water Supply
Security firm Darktrace has identified new malware targeting Israeli water infrastructure networks. Dubbed ZionSiphon, the malware executes inside networks that it identifies as hosted on Israeli IP address ranges and looks for common Israeli water management company names. When ZionSiphon identifies Israeli water infrastructure, it searches for relevant directories before attempting to sabotage operations – including modifying pump pressure and chlorine levels to cause major harm to anyone consuming the water. The attack uses privilege escalation, persistence, USB propagation, and industrial control systems (ICS) scanning to execute. It has been attributed to Iranian hackers who have been attacking the water infrastructure of Israel since 2020.
Researchers believe that ZionSiphon is incomplete, flawed, and unlikely to function in a real industrial environment. Both Dragos and Nozomi Networks reached a similar conclusion, describing ZionSiphon as demonstrative code rather than a deployable threat. Major flaws were identified in the malware’s geofencing and IP-checking logic, which could prevent it from correctly identifying Israeli targets. Additional issues were found in its OT logic, including unrealistic assumptions about ICS configurations, fictional configuration paths, and ineffective methods to manipulate ICS controls. These issues suggest the sample may have been experimental, unfinished, or intended as a proof of concept rather than a functional attack tool.
ZionSiphon is the latest example of cyberattacks not just designed to disrupt IT systems, but to cause significant damage and harm to the general population. It may also be used as part of a wider geopolitical strategy to cause disruption. There is growing use of malware and tools designed specifically to target OT networks which often have technical security limitations such as hardcoded credentials, standardised naming conventions and directories, and software that cannot be updated or patched. As the conflict in the Middle East continues, cyber-attacks on critical infrastructure are likely to continue with the intent to disrupt access to infrastructure and cause harm to civilians.
[Global] OpenAI macOS Apps Impacted by Axios Supply-Chain Compromise
OpenAI has rotated the signing certificates for its macOS applications after a compromised version of Axios was pulled into one of its GitHub Actions workflows. Axios is a widely used JavaScript library for making HTTP requests to APIs. Malicious versions were published to Node Package Manager (npm) in March 2026 as part of a broader software supply-chain attack, and the malicious package attempted to install a remote-access trojan across Windows, macOS, and Linux systems.
The affected OpenAI workflow was used as part of the macOS app-signing process for ChatGPT Desktop, Codex App, Codex CLI, and Atlas. OpenAI said it found no evidence that user data, source code, systems, or published software were compromised. However, because the workflow had access to signing and notarisation material, OpenAI is treating the certificate as potentially exposed and replacing it as a precaution.
The primary risk is not that OpenAI shipped malicious software, but that the code-signing material could have been stolen by attackers. If misused, it could help make fake macOS applications appear more trustworthy. OpenAI has released updated builds, is working with Apple to block new signing using the old certificate and has advised macOS users to update before 8 May 2026.
[Global] Anthropic investigates unauthorised access to Claude Mythos
Anthropic is investigating reports that a small group gained unauthorised access to Claude Mythos Preview on the same day the restricted model was announced. The access reportedly came through a third-party vendor environment, with the group using contractor access and knowledge of Anthropic’s URL patterns to locate the model. Anthropic said it had no evidence that the activity affected its own systems or went beyond the vendor environment.
Claude Mythos is Anthropic’s most capable model yet for coding and agentic tasks and was released only as a gated research preview through Project Glasswing. Anthropic said the model had already identified thousands of zero-day vulnerabilities across critical infrastructure, while the UK AI Security Institute found that it completed a 32-step cyber-attack simulation in 3 out of 10 attempts. The same capability that helps defenders find and fix software flaws could also help attackers identify weaknesses and develop exploits if access is not tightly controlled. Because of these findings, Anthropic did not release Mythos publicly. Instead, it provided access only through Project Glasswing, giving selected technology, security, infrastructure, and financial organisations early access so they could test and secure their own systems while Anthropic develops safeguards for future Mythos-class models.
This incident shows that third-party environments should be held to the same standard as internal systems. Vendor portals, contractor accounts, and predictable access paths can all become weak points around an otherwise controlled release. Organisations using external partners for testing, development, or evaluation should treat those environments as part of their own attack surface. Strong authentication, scoped access, usage monitoring, and regular vendor assurance checks are essential when sensitive tools are being shared outside the organisation. Mythos also offers a glimpse into the future of vulnerability management at an enterprise scale, where defenders and attackers may enter an AI-enabled arms race, with defenders using advanced models to identify and patch weaknesses more quickly, and attackers using similar capabilities to find and exploit them first.
[Global] Fake Zendesk and Okta Pages to Bypass MFA and Steal Data
Fortinet Google Threat Intelligence Group has reported on a campaign in which a financially motivated threat actor (UNC6783) is using fake Zendesk and Okta login pages to bypass MFA and gain access to corporate environments. The adversary uses social engineering techniques to gain access to environments via helpdesks and business process outsourcing (BPO), before extracting information and extorting the organisation.
The activity in this attack campaign relies on social engineering rather than exploitation of a technical vulnerability in Zendesk or Okta. Attackers engage support staff via the helpdesk or live chat processes, then steer them toward convincing fake login portals that are designed to look like legitimate Zendesk or Okta authentication screens, often using domains that appear plausible during a busy support interaction. Once a victim interacts with the fake page, the attackers can capture authentication material and other sensitive information, including clipboard contents. This can allow them to get around MFA protections and access internal systems. In some cases, the attackers also enrol their own devices after gaining access, creating persistence that may not be removed by a simple password reset. Stolen information may include support tickets, internal documents, employee details, customer data, and security-related submissions. The campaign appears focused on data theft and extortion, with victims being contacted to pay a ransom following the breach.
While phishing-resistant MFA remains important, this campaign shows that MFA alone is not enough when attackers can capture authenticated session material. Organisations should combine strong authentication with controls that bind access to trusted devices, detect suspicious session reuse and limit session length, and closely monitor new device enrolments or unusual activity in support platforms.
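The monitoring described above can be sketched as a small correlation rule. This is an added example, not code from the original report or from Zendesk or Okta; the event schema, field names, thresholds and sample events are all constructed assumptions.

```python
"""Correlate session reuse, over-long sessions and MFA enrolment (added example)."""
from datetime import datetime, timedelta

MAX_SESSION_AGE = timedelta(hours=8)   # assumed session-length policy
ENROL_WINDOW = timedelta(minutes=30)   # assumed correlation window

# Constructed sample events in a hypothetical schema (not a real vendor log format).
EVENTS = [
    {"ts": "2026-04-14T08:00:00", "user": "agent2", "type": "login", "session": "s-202", "ip": "198.51.100.22", "ua": "Chrome/Mac"},
    {"ts": "2026-04-14T09:00:05", "user": "agent7", "type": "login", "session": "s-101", "ip": "198.51.100.10", "ua": "Chrome/Win"},
    {"ts": "2026-04-14T09:05:00", "user": "agent7", "type": "session_use", "session": "s-101", "ip": "198.51.100.10", "ua": "Chrome/Win"},
    {"ts": "2026-04-14T09:12:40", "user": "agent7", "type": "session_use", "session": "s-101", "ip": "203.0.113.77", "ua": "Firefox/Linux"},
    {"ts": "2026-04-14T09:20:00", "user": "agent7", "type": "mfa_enrol", "device": "phone-new"},
    {"ts": "2026-04-14T12:00:00", "user": "agent2", "type": "mfa_enrol", "device": "key-2"},
    {"ts": "2026-04-14T17:30:00", "user": "agent2", "type": "session_use", "session": "s-202", "ip": "198.51.100.22", "ua": "Chrome/Mac"},
]

def detect(events):
    """Return (rule, user, subject) findings in chronological order."""
    origin = {}    # session id -> (login time, ip, user agent)
    suspect = {}   # user -> time of most recent suspicious session use
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "login":
            origin[ev["session"]] = (ts, ev["ip"], ev["ua"])
        elif ev["type"] == "session_use" and ev["session"] in origin:
            t0, ip, ua = origin[ev["session"]]
            # A session cookie replayed elsewhere shows a different client context.
            if (ev["ip"], ev["ua"]) != (ip, ua):
                findings.append(("session_reuse", ev["user"], ev["session"]))
                suspect[ev["user"]] = ts
            if ts - t0 > MAX_SESSION_AGE:
                findings.append(("session_too_old", ev["user"], ev["session"]))
        elif ev["type"] == "mfa_enrol":
            seen = suspect.get(ev["user"])
            # Enrolment soon after suspicious reuse suggests attacker persistence.
            if seen is not None and ts - seen <= ENROL_WINDOW:
                findings.append(("enrol_after_reuse", ev["user"], ev["device"]))
    return findings

if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

An exact IP match will also flag legitimate network changes, so in practice the comparison would use a device-bound signal where the identity provider exposes one.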
Techniques and Updates
Businesses Selling Internal Chat Data to Train AI Models
Failed startups and companies shutting down have found a new way to cash out by selling internal communications data to AI companies. Businesses such as SimpleClosure work on behalf of AI companies and researchers to purchase data from companies, including internal communications from platforms such as Slack, Zoom or Teams, internal emails, and service desk tickets, for AI models to be trained on. Companies have indicated they are receiving up to $100,000 for this data, which would provide entirely new and bespoke datasets to those training AI.
Internal communications provide valuable data to train AI on – while most AI is trained on publicly available data like websites and books, the way people talk to each other within an organisation is often messy and unstructured, containing shorthand, jargon, and slang. The data also contains specific knowledge and fixes, which researchers hope to use to develop better reasoning and problem-solving capabilities for AI by observing how people operate in the real world. An example of this is using an AI to tone-shift or write internal emails – it is likely to be much more effective if trained on massive internal email and communications datasets, rather than on polished and edited texts such as books.
As expected, this comes with privacy- and confidentiality-related risks that are unsettling those who have been employed by companies selling the data. Internal communications may include personally identifiable or private information such as financial, performance, or health concerns, or may contain information related to customers and customer support requests that has the potential to be leaked if an AI is jailbroken, or if the data is not properly sanitised. For the companies themselves this poses a security risk, with sensitive operational knowledge, legal information, and trade secrets being scraped and used to train AI. Information and data continue to become an increasingly valuable commodity as AI researchers and developers race to get more complex and unique datasets to train with.
Microsoft Updates
The month of April was particularly notable for the size of Microsoft’s Patch Tuesday release, with security vendors tracking more than 160 Microsoft CVEs, including two zero-day vulnerabilities and eight critical issues. One of the most important patched vulnerabilities was an actively exploited SharePoint Server spoofing vulnerability, while Microsoft Defender also received a patch due to a publicly disclosed elevation-of-privilege issue.
Microsoft Entra Agent ID reached general availability, providing an identity and authorisation framework for enterprise AI agents using standards such as OAuth 2.0, MCP, and A2A. This reflects a significant shift in identity management where organisations now need to govern not only human and workload identities, but also autonomous or semi-autonomous agents that can access applications, data, and workflows. Microsoft highlighted new controls intended to extend Conditional Access, governance, and lifecycle concepts into these agent-based scenarios, helping reduce the risk of unmanaged AI access and agent sprawl.
Microsoft continues to strengthen identity governance and hybrid identity foundations with Account Discovery for connected applications entering public preview, giving administrators better visibility into accounts that exist in SaaS or connected applications – including orphaned accounts that may not be assigned through Entra. This supports improvement in the joiner-mover-leaver process by helping organisations find unmanaged or stale accounts outside the core directory. In parallel, Microsoft announced a planned transition from Entra Connect Sync toward the cloud-native Entra Cloud Sync model, with customer notifications beginning from July 2026. This can be seen as a continuation of Microsoft’s efforts to reduce long-term dependency on complex on-premises sync infrastructure and move toward simpler, cloud-managed identity operations.
April’s updates also included practical defensive hardening in Windows; Remote Desktop received additional protections around potentially malicious .rdp files, with users now receiving stronger warning prompts before interacting with RDP files. This is an important protection as attackers continue to abuse trusted file types and familiar administrative tools to create convincing phishing or credential-theft scenarios. April updates also covered operational considerations, including reported issues affecting some third-party backup tools due to vulnerable driver blocking, showing the need for staged rollout, backup validation, and post-patch monitoring, particularly where endpoint protection, backup software, or domain services are business critical.