CISO Daily Briefing – April 19, 2026

Cloud Security Alliance Intelligence Report

Report Date: April 19, 2026
Intelligence Window: 48 hours
Topics Identified: 5 Priority Items
Papers Published: 5 Overnight

Executive Summary

The April 18–19 threat landscape is defined by three concurrent AI-enabled attack surface expansions colliding with a contracting US public-sector defense infrastructure. Microsoft Defender is simultaneously carrying three zero-days — two still unpatched and under active exploitation. A new commercial vishing platform, ATHR, has industrialized AI voice phishing into a $4,000 turnkey product targeting Microsoft, Google, and crypto exchange credentials. Slopsquatting — AI coding assistants hallucinating package names that attackers pre-register — has moved from theoretical to confirmed active exploitation on npm and PyPI. Simultaneously, NIST’s shift away from enriching the majority of CVEs and a proposed $707 million CISA budget cut are reshaping the defensive baseline enterprises have long assumed.

Overnight Research Output

1. ATHR AI Vishing Platform — Industrializing Credential Theft via Automated Voice Agents

High Urgency

Summary: ATHR is the first publicly documented cybercrime-as-a-service platform to fully automate the TOAD (Telephone-Oriented Attack Delivery) kill chain using AI voice agents, eliminating the skilled-operator bottleneck that previously constrained voice phishing at scale. Sold on underground forums at $4,000 plus a 10% commission on harvested credentials, the platform scripts AI-driven call flows that impersonate bank fraud teams, IT support, or account verification agents. It specifically targets Microsoft, Google, Coinbase, and Binance accounts — credential classes with immediate enterprise and financial sector impact. The AICM identity and trust components are directly implicated.

Key Sources:

Why This Matters: This commoditizes enterprise-grade social engineering. Any workforce is now in scope for scalable voice-based credential theft, and traditional awareness training does not prepare users for the naturalness of LLM-driven calls. Expect account takeovers on SSO-adjacent tenants as a near-term leading indicator.

2. Microsoft Defender Triple Zero-Day — BlueHammer, RedSun, and UnDefend Under Active Exploitation

Critical Urgency

Summary: Three Microsoft Defender zero-days — CVE-2026-33825 (BlueHammer, patched April 14), RedSun, and UnDefend — were publicly disclosed in a 13-day window by a researcher frustrated with Microsoft’s handling of the disclosure process. All three are being exploited in the wild. UnDefend is particularly insidious: it allows a standard user to block Defender from receiving signature updates, silently degrading endpoint protection without triggering alerts. Paired with the BlueHammer/RedSun privilege-escalation chain, it gives attackers both initial footholds and defense-suppression persistence on a primary endpoint control.

Key Sources:

Why This Matters: For the first time, a primary enterprise endpoint control is simultaneously carrying active privilege-escalation AND defense-suppression vulnerabilities. Treat compensating controls — secondary EDR telemetry, application allow-listing, out-of-band signature verification — as load-bearing until Microsoft patches RedSun and UnDefend.

3. Slopsquatting — AI Code Assistants Hallucinate Package Names, Attackers Register Them

High Urgency

Summary: Researchers have confirmed active exploitation of slopsquatting — a supply chain vector where LLMs hallucinate non-existent package names at an 18–21% rate, and adversaries pre-register those names on npm and PyPI with malicious payloads. Critically, 43% of hallucinated names reproduce consistently across generation sessions, making them predictable and pre-registerable. Unlike typosquatting (which relies on human typos), slopsquatting is embedded in AI-assisted development workflows including Claude Code, GitHub Copilot, and Cursor — tooling that enterprises have widely adopted. At least one confirmed incident has reached real agent execution infrastructure.

Key Sources:

Why This Matters: Any enterprise using AI coding assistants in production workflows now carries an AI-specific supply chain attack surface. Dependency manifest validation must be added to SDLC gates; defensive pre-registration of commonly-hallucinated package names is a practical mitigation worth funding.
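A minimal form of the dependency manifest gate described above, as an added example rather than code from CSA or the cited research: it fails a build when a manifest names a package the organisation has not vetted. The allow-list, the manifests and the `example-hallucinated-*` names are constructed assumptions.

```python
import json
import re

# Constructed allow-list (assumption): packages the organisation has vetted.
VETTED = {
    "pypi": {"requests", "flask", "PyYAML"},
    "npm": {"express", "lodash"},
}

def normalize_pypi(name):
    """PEP 503: names compare case-insensitively; runs of - _ . are equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_requirements(text):
    """Yield normalised project names from requirements.txt-style text."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # blanks, comments, pip options
            continue
        # The name ends at the first extras/version/marker/URL delimiter.
        yield normalize_pypi(re.split(r"[\[<>=!~;@\s]", line, maxsplit=1)[0])

def parse_package_json(text):
    """Yield dependency names from every dependency section of package.json."""
    doc = json.loads(text)
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        yield from doc.get(section, {})

def unvetted(ecosystem, names):
    """Return the sorted names that are absent from the vetted list."""
    norm = normalize_pypi if ecosystem == "pypi" else str
    return sorted(set(names) - {norm(n) for n in VETTED[ecosystem]})

# Constructed manifests, as an assistant-edited change might leave them.
REQUIREMENTS = """\
Requests>=2.31        # vetted, written with different case
pyyaml==6.0.1
example_hallucinated_pkg==0.1.0
"""
PACKAGE_JSON = """{"dependencies": {"express": "^4.19.0"},
 "devDependencies": {"example-hallucinated-pkg-js": "1.0.0"}}"""

def gate():
    """Findings per ecosystem; a CI job fails when any list is non-empty."""
    return {
        "pypi": unvetted("pypi", parse_requirements(REQUIREMENTS)),
        "npm": unvetted("npm", parse_package_json(PACKAGE_JSON)),
    }
```

A name that fails the gate is reviewed by a person before it is added to the vetted list, which is the step that stops an assistant-suggested name from reaching an install command unexamined.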

4. NIST NVD Enrichment Triage — The 263% CVE Surge and Its Enterprise Consequences

High Urgency

Summary: Effective April 15, 2026, NIST formalized a triage policy under which the National Vulnerability Database will only enrich CVEs that appear in CISA’s KEV catalog, affect federal software, or cover critical software under Executive Order 14028. The majority of CVEs will be listed but not enriched — no CVSS score, CWE classification, or CPE data. The change is driven by a 263% increase in CVE submissions between 2020 and 2025, with Q1 2026 running 33% ahead of last year’s pace. Enterprises whose vulnerability management programs consume NVD metadata as a baseline now face a structural data gap.

Key Sources:

Why This Matters: VM programs built assuming NVD enrichment do not scale linearly with the long tail of CVEs. Organizations need vendor-sourced enrichment, AI-assisted triage, or threat-intelligence-driven prioritization as immediate replacements — waiting for NIST to catch up is no longer a strategy. CSA’s AICM risk management controls provide the structural framing for this pivot.
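An added example (not NIST or CSA code) of the data gap described above: a score-threshold filter silently drops unenriched CVEs, while the second function falls back to KEV membership and vendor scores and routes anything still unscored to manual review. The record shape, CVE identifiers, vendor scores and the 7.0 threshold are constructed assumptions.

```python
# Constructed records in a simplified shape (assumption, not the NVD schema).
# cvss is None where NVD lists the CVE without enriching it.
CVES = [
    {"id": "CVE-0000-0001", "cvss": 9.8},
    {"id": "CVE-0000-0002", "cvss": None},
    {"id": "CVE-0000-0003", "cvss": 6.5},
    {"id": "CVE-0000-0004", "cvss": None},
    {"id": "CVE-0000-0005", "cvss": 4.3},
]
KEV = {"CVE-0000-0003"}                 # constructed KEV membership
VENDOR_SCORES = {"CVE-0000-0002": 8.1}  # constructed vendor advisory score

def naive_queue(records, threshold=7.0):
    """Score-only filter: a missing score counts as 0 and is dropped."""
    return [r["id"] for r in records if (r["cvss"] or 0.0) >= threshold]

def triage(records, kev, vendor_scores, threshold=7.0):
    """Return {cve_id: (decision, basis)} without assuming NVD enrichment."""
    out = {}
    for r in records:
        cid = r["id"]
        if cid in kev:
            # Known exploitation outranks any score, present or absent.
            out[cid] = ("patch-now", "kev")
            continue
        score, basis = r["cvss"], "nvd"
        if score is None:
            score, basis = vendor_scores.get(cid), "vendor"
        if score is None:
            # No score anywhere: surface it instead of treating it as low.
            out[cid] = ("manual-review", "unenriched")
        else:
            decision = "patch-now" if score >= threshold else "scheduled"
            out[cid] = (decision, basis)
    return out

if __name__ == "__main__":
    print(naive_queue(CVES))
    print(triage(CVES, KEV, VENDOR_SCORES))
```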

5. The Defender Deficit — CISA Defunding and the Widening Public-Private Cybersecurity Gap

High Urgency

Summary: The White House FY27 budget proposal cuts $707 million (approximately 24%) from CISA’s funding, reducing staff from 3,700 to roughly 2,600 and eliminating divisions responsible for stakeholder engagement, public-private partnership coordination, and state/local support. CISA’s own website currently displays a “lapse in federal funding” notice. This arrives precisely as AI-accelerated offensive capabilities (Mythos, GPT-5.4-Cyber, nation-state LLM integration documented in Mandiant M-Trends 2026) are scaling fastest. KEV updates, sector-specific alerts, joint advisories, and no-cost cyber services are all at risk.

Key Sources:

Why This Matters: Security programs with dependencies on CISA KEV, joint advisories, or sector engagement must prepare continuity plans. Incident response, threat intelligence, and regulatory compliance workflows that assume CISA availability need restructuring now, before the gap materializes. CSA’s AICM risk management and SSRM frameworks provide the structural framing.

Notable News & Signals

Schneier Essay Raises Governance Concerns on Claude Mythos

Bruce Schneier’s April 17 essay examines the societal and governance dimensions of agentic AI vulnerability discovery at scale. Technical content is covered by CSA’s AI-Powered Vulnerability Discovery whitepaper; the governance framing is worth monitoring.

Source: Schneier on Security (April 17, 2026)

MCP Dev Summit: Gateway-Only Security Stance Reaffirmed

The April 16 MCP Dev Summit reinforced that production MCP deployments require gateway-enforced authentication and policy controls. Findings refine but do not fundamentally alter the threat model in CSA’s MCP Protocol Security research note.

Source: MCP Dev Summit (April 16, 2026)

Wiz Confirms Ongoing TeamPCP / LiteLLM / Trivy Supply Chain Campaign

Wiz Research published authoritative incident reporting on the active TeamPCP campaign compromising LiteLLM, Trivy, and Axios packages. Campaign fits the pattern already addressed in CSA’s MCP and supply chain research; monitor for fresh IOCs.

Source: Wiz Research Blog

Apache ActiveMQ CVE-2026-34197 Added to CISA KEV

CISA added CVE-2026-34197 (Jolokia API code injection in ActiveMQ) to the Known Exploited Vulnerabilities catalog. Significant for enterprise patching programs, though it represents a well-understood exploitation pattern with no distinct AI angle.

Source: CISA Known Exploited Vulnerabilities Catalog

Updated AI-Generated Code Vulnerability Studies Confirm 87% Defect Rate

DryRun Security and Georgia Tech published reinforcing studies on vulnerability rates in AI-generated code. Findings track existing CSA guidance — no new threat model, but useful citation material for board-level risk conversations.

Source: DryRun Security; Georgia Tech Research

Topics Already Covered (No New Action Required)

  • Claude Mythos / Project Glasswing: Addressed by CSA’s AI-Powered Vulnerability Discovery whitepaper and the Anthropic Claude Opus 4.6 zero-day discovery research note. Schneier’s April 17 essay raises governance dimensions worth monitoring.
  • MCP Protocol Security Vulnerabilities: Addressed by CSA’s existing MCP Protocol Security research note. April 16 MCP Dev Summit findings refine but do not fundamentally alter the documented threat model.
  • TeamPCP / LiteLLM / Trivy / Axios Supply Chain Campaign: Covered as part of CSA’s MCP and supply chain security research. Wiz Research holds the authoritative incident reporting on this ongoing campaign.
  • Apache ActiveMQ CVE-2026-34197: CISA KEV addition and active exploitation are significant for enterprise patching but represent a well-understood Jolokia API code injection pattern with no distinct AI security angle.
  • AI-Generated Code Security (87% defect statistic): Multiple research cycles have addressed this. DryRun Security and Georgia Tech studies reinforce existing CSA guidance rather than surfacing a new threat model.