Just a couple of days ago, I wrote <mention-page url="https://www.notion.so/3360023f0e8380e28985e0e07b74bf51"/> and <mention-page url="https://www.notion.so/34c0023f0e83809a8355fb469b60ecdd"/>. I thought I had captured the full picture. I was wrong. Today GitHub had a critical merge PR bug (status incident, Elliott Williams on X). Yesterday it was something else. Last week it was something else. The list keeps growing faster than I can write about it. So this post is the receipt. Every hack, breach, outage, and bug I can remember from this year, in one place. If you've been feeling like the entire stack is falling apart at once, this is why.

The cloud keeps catching fire

The foundations everyone builds on have been wobbling for months. AWS US-EAST-1, October 20, 2025. Over 15 hours of degraded service, cascading into Snapchat, Roblox, Fortnite, Vercel, and thousands of apps that don't even know they live in us-east-1. AWS December 2025 outage. The one Amazon partly blamed on its own AI coding tool, Kiro, making changes to production systems. "User error," sure. AWS Bahrain (ME-SOUTH-1), March 2026. Multi-service disruption that rippled into LATAM workloads thousands of kilometers away. AWS US-EAST-1 wobble, February 10, 2026. Another reminder that one region still runs half the internet. Cloudflare, November 18, 2025. Up to 6 hours, hit roughly 28% of global HTTP traffic. Cloudflare, December 2025. Another ~28% traffic hit weeks later. Cloudflare, February 20, 2026. A subset of customers using Bring Your Own IP (BYOIP) had their routes withdrawn via BGP. The internet quite literally forgot how to find them. GitHub, all year. 37 incidents in February 2026 alone. Sub-90% uptime windows in late 2025. December 2025 alone had five separate incidents from Kafka misconfigs to Copilot model latency to runner timeouts. And now today, a critical merge PR bug. Vercel, October 20, 2025. Cascaded directly off the AWS outage. When us-east-1 sneezes, Vercel catches a cold.

The npm ecosystem is on fire

If 2025 was the year supply chain attacks went mainstream, 2026 is the year they industrialized. Shai-Hulud, September 2025. The original self-replicating npm worm. Compromised over 200 packages and 500 versions, including @ctrl/tinycolor (2.2M weekly downloads), ngx-bootstrap (300K), and ng2-file-upload (100K). Shai-Hulud 2.0, November to December 2025. Hit Zapier, PostHog, and Postman maintainer accounts. Exposed 33,185 secrets across 20,649 repositories. Shai-Hulud 3.0. A variant in @vietmoney/react-big-calendar with better obfuscation but the same bones. SANDWORM_MODE, February 20, 2026. Compromised at least 19 typosquatted npm packages, and notably included a module that injected prompt-injection logic into AI coding assistants. The worm goes after both your CI pipeline and your IDE at the same time. GlassWorm, March 2026. Over 400 compromised components across GitHub, npm, VS Code, and OpenVSX. Used invisible Unicode characters (the Trojan Source technique from CVE-2021-42574) to hide payloads in plain sight. Notably backdoored react-native-international-phone-number and react-native-country-select, with combined monthly downloads around 130,000. Axios, March 31, 2026. This was the big one. Versions 1.14.1 and 0.30.4 hijacked, the lead maintainer's npm account taken over via a fake Google Meet driver-update social engineering call. The malicious versions added a phantom dependency, [email protected], that deployed a cross-platform RAT in roughly 1.1 seconds and erased itself afterward. Microsoft attributed it to Sapphire Sleet, Google to UNC1069, both pointing at North Korea. The exposure window was about three hours across 100M+ weekly downloads. Bitwarden CLI, April 22, 2026. Malicious @bitwarden/[email protected] published through a poisoned checkmarx/ast-github-action for exactly 93 minutes (5:57 PM to 7:30 PM ET). The payload was a file called bw1.js. Bitwarden contained it fast, but it was the first time a password manager's CLI shipped malware to users. Namastex Labs / @automagik worm, April 2026. Self-spreading npm worm using TeamPCP-style techniques to steal developer tokens and auto-republish poisoned versions. Chalk and Debug. Both hit in the post-Shai-Hulud cluster of compromises. NodeCordRAT, November 2025. Three packages: bitcoin-main-lib, bitcoin-lib-js, bip40, all typosquatting bitcoinjs. pino-sdk-v2. Typosquat impersonating pino, one of the most-installed Node loggers. js-logger-pack. Multi-platform WebSocket stealer that grew from 601KB to 893KB over 12 days of active development. Solana-linked GlassWorm hijacks. Tracked by Sonatype as part of the broader campaign.

TeamPCP weaponized the security tools

This one deserves its own section because it's the connective tissue behind half of 2026. TeamPCP (also known as PCPcat, ShellForce, DeadCatx3) is the same group behind the React2Shell (CVE-2025-55182) campaign in late 2025. They didn't bypass defenses, they weaponized them. Trivy, March 19, 2026. The first domino. Aqua Security's vulnerability scanner, used by 10,000+ dev teams. Attackers compromised the CI/CD pipeline, force-pushed malicious binaries starting at v0.69.4, and poisoned the trivy-action and setup-trivy GitHub Actions. They also pushed bad images to aquasec/trivy on Docker Hub. CVE-2026-33634. LiteLLM, March 24, 2026. Versions 1.82.7 and 1.82.8 on PyPI, with 95M monthly downloads behind them. The malware hid in a .pth file (litellm_init.pth) that ran on every Python startup, no import required. It exfiltrated env vars, SSH keys, AWS/GCP/Azure/Kubernetes credentials, Docker configs, DB passwords, crypto wallets, CI/CD secrets to models.litellm.cloud. Tracked as PYSEC-2026-2. Telnyx SDK on PyPI, March 27, 2026. Versions 4.87.1 and 4.87.2, infected with a ContainerWorm variant. Checkmarx KICS Docker Hub + GitHub Action + VS Code/Open VSX extensions, April 22, 2026. Malicious tags 2.63 and 2.66 on the AST results extension, 1.17.0 and 1.19.0 on the Developer Assist extension, plus poisoned Docker images. Bitwarden CLI, April 22, 2026. Downstream of Checkmarx. Bitwarden's repo used checkmarx/ast-github-action. OpenAI Axios certificate exposure, April 11, 2026. OpenAI's macOS code-signing GitHub Action used a floating tag that pulled the bad axios. They had to revoke their old codesign certificate (full revocation by May 8, 2026). Vect ransomware extortion, April 17, 2026. Started publishing downstream Trivy victims publicly.

Critical CVEs and bugs of 2026

Axios

Apple

Microsoft

Other notable CVEs

Platforms got popped

Vercel, April 19, 2026. ShinyHunters via Context.ai. A Context.ai employee downloaded a Roblox cheat that installed Lumma Stealer. The credentials sat dormant in a criminal marketplace for two months. Then someone realized a Vercel employee had a Context.ai browser extension installed, pivoted into Google Workspace, and pulled out non-"sensitive" environment variables that could still be decrypted to plaintext. Listed for $2M on a dark forum. Lovable, April 20, 2026. A Broken Object Level Authorization flaw, OWASP API Security Top 10 #1, that let any free-tier user pull source code, database credentials, AI chat histories, and customer data through five API calls. Reported on March 3 via HackerOne, marked as duplicate, sat exposed for 48 days. Real Supabase strings, real Stripe keys, real LinkedIn profiles in the data. Salesforce ShinyHunters wave, March to April 2026. Targeting Experience Cloud guest user misconfigurations. Confirmed or alleged victims include Cisco (3M+ records), McGraw Hill (13.5M records, 100GB+), 7-Eleven, Pitney Bowes, Medtronic, Canada Life, Zara, Carnival Corp, and Aman Resorts. Snowflake via Anodot, April 7, 2026. ShinyHunters again. Stolen SaaS-integration tokens used to pivot into a dozen-plus Snowflake customer environments. Snowflake itself wasn't breached, the trust path was. DocketWise. Roughly 116,000 victims, SSNs and passport data, with a six-month gap between discovery and notification. Stryker, March 2026. Operationally disruptive though no data was ultimately exposed. Cloud Imperium Games (Star Citizen), March 4, 2026. Backup access leaked usernames, names, DOBs, and contact info. Marquis Software Solutions. Ransomware attack hit ~672,000 people's bank and credit union data. England Hockey, March 12, 2026. AiLock ransomware, 129GB stolen. Nike. 1.4TB of internal data exfiltrated. Sri Lanka Finance Ministry. $2.5M diverted in payment fraud. Jaguar Land Rover. Production halt described as the most costly cyber-incident-driven outage in a decade. Collins Aerospace. Ransomware that caused weeks of flight cancellations and delays. Arup, January 2026. $25M stolen via an AI-generated deepfake video impersonating the CFO on a video call.

The AI labs broke too

The companies building the AI you depend on had their own brutal year. OpenAI Axios certificate compromise, April 11, 2026. Same Axios attack as everyone else, but OpenAI's exposure was their macOS code-signing pipeline. They're rotating certificates, presumably onto an HSM this time. OpenAI ChatGPT DNS exfiltration and Codex GitHub-token vuln, March 2026. A side channel through the Linux runtime let attackers smuggle data out via DNS requests, bypassing every visible guardrail. Anthropic "Mythos" leak, March 26 to 27, 2026. Around 3,000 unpublished assets sitting on an unsecured data store, including details on an unreleased model that Anthropic itself flagged as cyberattack-capable. Anthropic Claude Code source leak, March 31, 2026. A 60MB cli.js.map shipped inside the npm package exposed roughly 500,000 lines of TypeScript across ~1,900 files. CLI implementation, agent architecture, unreleased features, internal tooling. No model weights, but the entire scaffolding around them. Claude is shipping vulnerable code, April 22, 2026. Cyber experts publicly warned that the latest Claude models are introducing serious security issues into generated code at higher rates than previous versions. Anthropic disrupted Chinese state-sponsored AI-orchestrated espionage (mid-September 2025, reported in November). The first documented large-scale cyberattack executed largely by an AI agent, hitting roughly 30 global targets across tech, finance, chemicals, and government.

The browser is now an attack surface

108 malicious Chrome extensions, April 14, 2026. All talking to the same C2 infrastructure, stealing Google and Telegram data from 20,000+ users. AI Frame fake AI-assistant Chrome extensions, February 2026. 30 extensions, 260,000 users, full-screen iframe overlay phishing. MaliciousCorgi VS Code AI extensions, January 2026. 1.5M installs siphoning developer source code to China-based servers. Open VSX pre-publish bypass, March 2026. A bug that let malicious extensions pass scanning entirely. 72 malicious Open VSX extensions, since January 31, 2026. GlassWorm transitive loaders hidden behind seemingly clean parents. North-Korea-linked VS Code project-file backdoors, January 2026. Crafted .vscode files that ran backdoors the moment you opened the folder. Phantom Shuttle Chrome extensions. Hardcoded proxy credentials hidden inside what looked like a legitimate jQuery library. Browser Syncjacking. Multi-stage Chrome-extension device takeover. prettier-vscode-plus, November 2025. A four-hour live impersonation of the Prettier formatter.

The carryover from late 2025 still bleeding in

Most of 2026's worst incidents are downstream of things that started in 2025. tj-actions/changed-files, March 14 to 15, 2025. CVE-2025-30066. Over 23,000 GitHub repos compromised. reviewdog/action-setup. The upstream that enabled the tj-actions compromise. Coinbase-targeted GitHub Actions attack, March 2025. The original target before the campaign expanded. Oracle Cloud breach, March to April 2025. Threat actor "rose87168", 6 million records across 140,000 tenants on legacy Gen-1 servers. Oracle denied it for weeks. Oracle Health breach. Roughly 80 hospitals affected. React2Shell, CVE-2025-55182. The RCE that originally vaulted TeamPCP into the spotlight. Snowflake 2024 breach. Up to 165 customers, the foundational ShinyHunters playbook that's still being rerun in 2026.

Hardware and contests too, just for completeness

Pwn2Own Automotive 2026. 76 zero-days disclosed, $1,047,000 awarded, EV chargers from multiple manufacturers fell to live exploitation. Microsoft Zero Day Quest 2026. $2.3M paid out for fresh research. PyPI second audit, April 16, 2026. OIDC JTI race conditions, badge bypasses, audit-event drops, all remediated, but a reminder that the registries themselves are not above review.

Open source is closing its doors

Cal.com, one of the largest Next.js open-source projects, announced on April 14, 2026 that it was going closed source after five years. The reason: AI makes finding vulnerabilities in publicly available code too easy. Co-founder Bailey Pumfleet put it bluntly: AI coding assistants have fundamentally changed the security calculus for open-source software. The commercial edition's codebase would no longer be publicly available. A stripped-down community edition, Cal.diy, would continue under MIT License for self-hosters. The timing wasn't accidental. Cal.com's decision came days after Anthropic's Mythos leak demonstrated exactly what they feared, an AI capable of systematically discovering exploitable vulnerabilities given enough compute. On Hacker News, the top comment on Cal.com's announcement reframed the entire security landscape: "If Mythos continues to find exploits so long as you keep throwing money at it, security is reduced to a brutally simple equation: to harden a system you need to spend more tokens discovering exploits than attackers will spend exploiting them." This is the logical endpoint of everything else in this post. When attackers can point an AI at your public codebase and find vulnerabilities faster than you can patch them, the calculus of open source changes fundamentally. Cal.com won't be the last.

By the numbers, Jan to Apr 2026 vs 2025

It's tempting to assume this year just feels worse because we're closer to it. The data says otherwise. Here's how Q1 2026 (and the early April window) actually compares to the same window last year.

Ransomware victims, Q1

Active ransomware crews went from 67 to 70 (Ransomware.live) and 76 to 89 (RansomLook), so somewhere between +4% and +17% more groups operating. Q1 2025 was the all-time record at the time of writing it. Q1 2026 just edged past it, and April is accelerating again.

Vulnerabilities and zero-days

npm and supply chain

Data breaches

The headline

Versus Jan to Apr 2025:

The honest one-line read: 2026 isn't dramatically more incidents than 2025, it's dramatically more consequential ones. Q1 2025 broke records on volume. Q1 2026 broke records on blast radius, with Axios (100M+ weekly downloads), LiteLLM (95M monthly), and the entire TeamPCP cascade hitting the tools everyone uses to defend themselves.

What ties all of this together

Look at the list and the pattern is obvious. A browser extension nobody thought about took down Vercel. A GitHub Action nobody pinned took down Bitwarden. A maintainer nobody knew got social-engineered into hijacking 100 million weekly Axios installs. An AI assistant making changes nobody fully reviewed contributed to an AWS outage. A bug report nobody triaged stayed open for 48 days at Lovable. The attackers aren't smarter than us. They've just figured out that we built the entire industry on implicit trust, and the trust is the vulnerability. Every story in this list is the same story in different clothes:

And at every layer, AI is making both sides faster. Attackers use it to find vulnerabilities, write phishing, and automate spread. Defenders ship it into production and accept its output as code review. Both sides are accelerating, but the asymmetry favors the attacker, because they only need one entry point and we need to defend all of them. I keep saying "the internet is breaking down" half-joking, but at some point the joke stops being funny. The web has always been a little fragile. What's new in 2026 is that the fragility is no longer a series of isolated incidents. It's the steady-state. The call really is coming from inside the house. From the npm install you ran this morning. From the GitHub Action you didn't pin. From the browser extension your colleague added last week. From the AI agent you gave write access to. From the cloud region you assumed had a backup somewhere. I'll keep writing these as they come. Unfortunately, I don't think I'm going to run out of material.

References