CISO Daily Briefing – April 27, 2026

Cloud Security Alliance Intelligence Report

Report Date: April 27, 2026
Intelligence Window: April 25 – 27, 2026 (48h)
Topics Identified: 5 Priority Items
Papers Published: 5 Overnight

Executive Summary

The April 25-27 cycle is dominated by AI-developer supply-chain attacks and a converging identity crisis at the agent layer. GlassWorm v2 has seeded 73 cloned VS Code, Cursor, and Windsurf extensions on Open VSX, while Cisco Talos disclosed six months of n8n webhook abuse delivering malware through enterprise allow-listed infrastructure. Hacktivist group PhantomCore is chaining three TrueConf CVEs without any public PoC – proof the exploit window collapses with or without AI. Behind the noise, 68% of organizations cannot distinguish AI agent actions from human actions in audit logs, while ENISA’s NCAF 2.0 gives multinationals a fresh EU governance anchor.

Overnight Research Output

1. GlassWorm v2 – 73 Sleeper Extensions on Open VSX Targeting AI Developer Toolchains

HIGH URGENCY

Summary: Socket flagged 73 cloned VS Code, Cursor, and Windsurf extensions on Open VSX tied to GlassWorm v2 – six confirmed malicious, the rest sleeper packages awaiting activation. All 320+ artifacts since December 2025 trace to the same campaign, using GitHub-hosted VSIX payloads, native binaries, and obfuscated JavaScript to evade detection. Because Cursor and Windsurf inherit VS Code’s extension model, the AI-tooling blast radius is larger than a generic IDE supply-chain story – and AI developer tooling has no corporate gatekeeping equivalent to enterprise npm vetting.

Why This Matters: AI developer toolchains (Cursor, Windsurf) are the operational delivery vehicle for most enterprise AI engineering and have no corporate gatekeeping equivalent to npm package vetting. CISOs need editor-extension allow-listing on par with software dependency review.

2. n8n Webhook Abuse – Weaponizing AI Workflow Automation for Malware Delivery

HIGH URGENCY

Summary: Cisco Talos disclosed that since October 2025 threat actors have abused n8n – a popular AI workflow automation platform – to host webhook URLs delivering malicious payloads. Attackers repurpose RMM tools like Datto and ITarian for command-and-control and embed tracking pixels that fingerprint victim devices through trusted infrastructure. The volume of email containing n8n webhook URLs jumped 686% from January 2025 to March 2026. This inverts most AI-security stories: rather than attacking AI systems, attackers use AI infrastructure as an allow-listed delivery channel that bypasses email gateways and DLP.

Why This Matters: AI-orchestration platforms (n8n, Zapier, Make, hosted LangChain) now sit on enterprise allow-lists by default. CISOs need to revisit URL-based allow-listing – allow-listing the domain is no longer sufficient when adversaries can host payloads on tenant-owned subpaths.

3. PhantomCore Reproduces Three-CVE TrueConf Exploit Chain Without Public PoC

HIGH URGENCY

Summary: Positive Technologies reported that pro-Ukrainian hacktivist group PhantomCore (also tracked as Fairy Trickster, Head Mare, Rainbow Hyena, UNG0901) has been chaining three TrueConf vulnerabilities for RCE on Russian video-conferencing servers since September 2025 – despite no public exploit code existing for the chain. The notable angle is the rate at which non-state hacktivist groups now reproduce complex multi-CVE chains from advisory text alone. This is consistent with the collapsing-exploit-window pattern from last week’s CSA whitepaper, but here the velocity is human-driven, not AI-assisted.

Why This Matters: CISOs who assume that restricting AI tooling solves the velocity problem need this counterexample: motivated humans are reproducing complex chains from advisory text at the same compressed timescale. Patch SLAs must shorten regardless of the AI threat model.

4. The AI Agent Authority Gap – Why Identity Inheritance, Not Behavior, Is the Systemic Risk

HIGH URGENCY

Summary: Multiple independent signals converge on the same systemic finding: AI agents are not failing because of jailbreaks or prompt injection but because they inherit authority from human or service identities without being first-class identities themselves. The CSA-Aembit survey shows 68% of organizations cannot distinguish agent actions from human actions in audit logs, and ~75% admit agents receive more access than necessary. This is a board-level systemic risk – a single compromised delegator cascades to every agent it has invoked, at machine speed.

Why This Matters: CSA’s planned whitepaper consolidates Aembit, Strata, IANS, CyberArk, and NIST AI Agent Standards Initiative direction into a board-ready reference. Today’s takeaway for CISOs: agent identity is now a first-class IAM problem requiring its own controls, not an extension of service-account practice.

5. ENISA NCAF 2.0 – EU National Cybersecurity Maturity Framework Aligned to NIS2 Article 19

MEDIUM URGENCY

Summary: ENISA released NCAF 2.0 on April 22, 2026 – the updated National Capabilities Assessment Framework now formally aligned with NIS2 Article 19 peer reviews and structured around 20 strategic objectives. While framed as a tool for member-state policymakers, NCAF 2.0 is the de facto template EU regulators will use to judge national readiness. Multinational CISOs who sell into EU public-sector or NIS2-essential-entity markets need to map their programs against the same maturity dimensions before peer-review activity ramps. The framework also incorporates AI-relevant capability dimensions for the first time.

Why This Matters: CSA’s recent governance output has been US-centric (CISA leadership vacuum, NIST NVD policy). NCAF 2.0 is a fresh hook to update CISO guidance for EU-operating organizations – and an early signal of how EU governance language is evolving around AI capability dimensions.

Notable News & Signals

Help Net Security: AI is flooding IAM systems with new identities

Coverage of CSA research showing the volume of agent and non-human identities is overwhelming legacy IAM tooling – context for today’s agent authority-gap whitepaper.

IANS: AI Agents Are Creating an Identity Security Crisis in 2026

Earlier industry signal corroborating the CSA-Aembit survey arc, framing agent identity as a board-priority risk for the year.

VPN Central: GlassWorm spreads via OpenVSX into Cursor and Windsurf

Secondary corroboration that the GlassWorm v2 reach extends across all VS Code-derivative editors used by AI engineers, not just core VS Code.

Source: VPN Central

CyberArk 2026 outlook: AI agents and identity risks

Vendor outlook aligning with CSA findings – AI agent identity will dominate enterprise IAM spend and architecture decisions through 2026.

Source: CyberArk

Topics Already Covered (No New Action Required)

  • Mythos remediation gap & vulnerability discovery asymmetry: Covered in after-mythos-cybersecurity-autonomous-systems-v1 (Apr 25), the too-dangerous-to-release pattern note (Apr 26), and the Mythos / White House governance note (Apr 21).
  • LMDeploy CVE-2026-33626 SSRF in LLM serving: Covered in two research notes (Apr 25 and Apr 26) on inference-server SSRF and LLM-serving exploitation.
  • Anthropic MCP design RCE & MCP supply-chain: Covered in mcp-design-rce-supply-chain-v1 (Apr 26) plus prior protocol-attack-surface notes (Apr 23 and Apr 25).
  • Shai-Hulud npm worm and self-propagating worm family: Covered in the Apr 25 worm note and the canistersprawl supply-chain worm note (Apr 23).
  • Microsoft Defender BlueHammer / RedSun / UnDefend triple zero-day: Covered in the triple zero-day note (Apr 19).
  • Kyber post-quantum ransomware: Covered in the post-quantum encryption ransomware note (Apr 23) and the Apr 24 variant.
  • NIST NVD enrichment policy & CVSS gap: Covered in three notes spanning Apr 19-26 on enrichment policy change, CVSS gap, and risk-based enrichment governance.
  • CISA funding lapse & leadership governance vacuum: Covered in the enterprise guidance note (Apr 23), Defender deficit note (Apr 19), and leadership vacuum note (Apr 24).
  • Vercel breach via ContextAI / AI-SaaS supply chain: Covered in the AI-SaaS supply-chain note (Apr 20).
  • Antigravity & agentic IDE prompt-injection sandbox escape: Covered in two notes on prompt-injection sandbox escape (Apr 21 and Apr 22).
  • GPT-5.4-Cyber & cyber-permissive AI governance: Covered in the cyber-permissive AI governance note (Apr 20).
  • sglang RCE / GGUF parsing CVE-2026-5760: Covered in two LLM-serving RCE notes (Apr 21 and Apr 22).
