
April 2026 continued the surge of cybersecurity news seen in previous months, with cyber attacks by hackers proclaiming allegiance to Iran carrying over from March 2026. However, while nation-state cyberspace activity remained one of the dominant themes of the month, additional major concerns are forming among the IT security community regarding the impact new AI models will have on exploiting vulnerabilities in networked software systems.
SWK Technologies has put together this recap of some of the top cybersecurity news stories from April to help your business stay informed on the latest threats and developments:
Pro-Iran Hackers Targeting U.S. Companies in Infrastructure Sectors
Only weeks after Iran-affiliated hackers successfully breached medtech vendor Stryker and leaked FBI Director Kash Patel’s personal data online, a multi-agency alert went out warning of a new round of cyber attacks targeting companies in critical infrastructure sectors across the United States. The joint advisory was published April 7, 2026, and co-authored by the FBI, CISA, the NSA, the EPA, the Department of Energy and U.S. Cyber Command, warning that threat actors aligned with Iran were conducting active exploitation of Internet-facing OT (operational technology) devices — specifically programmable logic controllers manufactured by Rockwell Automation/Allen-Bradley — across multiple critical infrastructure sectors. The advisory confirmed that in several cases, this activity had already resulted in operational disruption and financial loss for some affected businesses.
These attacks seem to be part of a wider campaign that experts say is designed to sow uncertainty for both government institutions and private businesses in the U.S. and Israel. The hack of Kash Patel’s personal email — claimed by the pro-Iranian Handala Hack Team — reflects an effort to undermine the FBI director’s credibility and public standing rather than a purely intelligence-gathering operation. Photos from Patel’s past were released publicly alongside internal emails and travel documents, helping to reinforce accusations of alcoholism that were already leaking out of the administration and even contributing to suspicions the FBI Director used an easily identifiable personal email address to sign up for pornographic websites.
The FBI at large also experienced a serious breach earlier in March, which was quickly reported to Congress, although the broader details of the attack only started to become public in April. The affected system contained returns from legal process — including pen register and trap-and-trace surveillance data — and personally identifiable information pertaining to subjects of federal investigations, meaning the breach potentially exposed information about current U.S. surveillance targets. Though the FBI has not explicitly revealed the culprit, the Politico newspaper has claimed that they found evidence of Chinese involvement.
All three groups of incidents reflect the evolving nature of cyber warfare, although such attacks have been part of Iran’s playbook for years at least. While the actual impact of these breaches does not always match the dramatic consequences predicted by the perpetrating actors, they can help breed tension and tie up time as well as resources in combating them, as can be seen with the FBI’s renewed efforts to mitigate Russian-affiliated hacking later in April.
Vercel’s Internal Systems Compromised via Employee’s AI Tool
Vercel, a cloud platform for artificial intelligence application developers, released a bulletin on April 19, 2026, warning of a security incident that compromised “non-sensitive” data of “a limited subset of customers” that was stored in the company’s internal systems. They claimed that they were able to trace the attack back to an earlier breach suffered by Context.ai, which was being utilized by one of Vercel’s employees using their company email address. The attacker ostensibly piggybacked across the points of entry between the employee’s Context and Google Workspace accounts into Vercel’s environments marked “non-sensitive” and accessed data within.
Researchers found that the initial breach of Context.ai began when an employee’s computer was infected with Lumma Stealer malware after they attempted to download exploits for the Roblox video game. That infection gave the attacker access to Context’s AWS environment and, from there, to OAuth tokens belonging to users of Context AI Office Suite, including one associated with the previously mentioned Vercel employee’s Google Workspace account. That employee had independently enabled full permissions to their Google Workspace account through the AI Office Suite — permissions intended to let AI agents perform actions such as writing emails or creating documents — providing the attacker with a pathway into Vercel’s internal systems.
Context’s own incident response statement revealed that the company had independently identified and stopped the unauthorized access to its AWS environment the previous month, before the connection to Vercel was established, and had engaged CrowdStrike for forensic investigation at that time. It was only after Vercel’s investigation provided new information that Context learned OAuth tokens belonging to some AI Office Suite users had been compromised during that earlier incident, with one of those tokens used to access Vercel’s Google Workspace. The AI Office Suite was a deprecated legacy consumer product, separate from Context’s current enterprise Bedrock platform, which the company claims runs in customer-owned environments that were not affected by the incident.
An individual who identified themselves as belonging to the ShinyHunters syndicate claimed responsibility for the attack in a post on BreachForums, asserting possession of stolen access keys, source code and databases and offering the data for sale. Austin Larsen, a principal threat analyst at Google Threat Intelligence, publicly characterized the claimant as likely an imposter using an established name to inflate notoriety.
Alabama Becomes 21st State to Adopt Data Privacy Law
After being passed by the Alabama legislature on April 7, 2026, and signed by Governor Kay Ivey on April 16, the APDPA (Alabama Personal Data Protection Act) will make the state the twenty-first to launch a consumer data privacy law once it goes into effect on May 1, 2027. The new bill establishes privacy rights for consumers who are residents of the state, sets duties for businesses that collect and process their personal data and creates enforcement mechanisms for violations. The law applies to businesses operating in Alabama, or those producing products or services targeting Alabama residents, that either control or process the personal data of more than 25,000 consumers or derive more than 25% of their gross revenue from the sale of personal data.
The APDPA follows what has been described as the Virginia model of consumer privacy legislation, often characterized as the more “business-friendly” approach in comparison to stricter regulations like GDPR, NYCRR 500 or the California Consumer Privacy Act (CCPA). It includes core consumer rights familiar from other state laws — access, correction, deletion and the ability to opt out of the sale of personal data — while providing broad exemptions for small businesses, HIPAA-covered entities, federally regulated financial institutions and certain other regulated industries. The law’s definition of a “sale of personal data” extends beyond pure monetary exchange to include disclosures made for other things of real value, though Alabama carves out analytics services and marketing services provided solely to the controller from what counts as a covered sale.
The Alabama legislation arrives as state privacy laws continue to multiply, each with its own thresholds, exemptions and enforcement mechanisms, creating a growing patchwork of compliance obligations for businesses operating across state lines. Virginia itself also moved further on the privacy front in April 2026, when Governor Abigail Spanberger signed a bill banning the sale of geolocation data — a stricter measure than what the APDPA covers. Other states have focused specifically on data privacy protections for minors, reflecting both a broader legislative trend and growing regulatory attention to how personal information is collected from younger users. AI is accelerating these concerns, as automated data collection and processing make it easier to build detailed individual profiles at scale, placing both legislators and businesses under pressure to adapt faster than the typical policy cycle allows.
Cybersecurity Concerns Raised About Claude Mythos Model
Anthropic announced the launch of a Preview version of their new Claude Mythos model in early April 2026 – and quickly also warned about the cybersecurity implications of their own tool, simultaneously announcing “Project Glasswing,” aiming to combat the rapidly evolving capabilities of AI to identify software exploits. The Project brings together Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA and Palo Alto Networks in an effort to direct Mythos Preview’s capabilities toward defensive security work before they can be more widely exploited offensively. Anthropic committed up to $100 million in usage credits for Mythos Preview across the initiative’s participants, as well as $4 million in direct donations to open-source security organizations, framing the release as an urgent attempt to get ahead of capabilities that will proliferate regardless of whether one company exercises restraint.
Testing showed that Mythos Preview is capable of identifying and then exploiting zero-day vulnerabilities in every major operating system and every major web browser when directed by a user to do so, including a 27-year-old vulnerability in OpenBSD. Anthropic’s security team found that engineers with no formal security background were able to ask Mythos Preview to find remote code execution vulnerabilities and have a working exploit ready by the following morning. The same capabilities that make the model effective at identifying and patching vulnerabilities also make it effective at constructing attacks — and those capabilities, according to Anthropic, were not explicitly trained for but emerged as a downstream consequence of general improvements in reasoning, code generation and autonomy.
The announcement drew varied reactions from the public, with some welcoming Anthropic’s transparency and the coordinated defensive framework while others questioned whether Glasswing amounts to a meaningful security measure or primarily serves to frame a powerful and potentially dangerous model release more favorably. Both South Korean and Indian regulators engaged with cybersecurity authorities about the model’s implications, and the U.S. Treasury Department and Federal Reserve Chair separately met with the CEOs of several banks to discuss potential risks to financial infrastructure. However, hostility between the Trump administration and Anthropic does further complicate the implications, as the company was already deemed a “national security risk” almost immediately after previously announcing they would seek to limit their AI solutions being leveraged for the war in Iran extending into surveillance of or even attacks against Americans.
This story took another sharp turn in later April, though, when several claims emerged that unauthorized parties had gained access to Mythos and penetrated beyond the available partner network. Anthropic had released the Preview model to a limited group of critical industry partners specifically to prevent uncontrolled access, yet it was reported by Bloomberg that a small forum user group claimed they were able to log into the Mythos environment, potentially with credentials from within the partner network. It also emerged that personnel from some American government agencies were skirting the Pentagon designation of Anthropic as a risk to try to access the model, although the language of the Department of War’s proclamation does still allow usage for a limited time.
Stay Prepared for the Latest Cybersecurity Developments with SWK
The stories covered here are still only a fraction of the cybersecurity news developments that occurred throughout April 2026, with several of even these incidents still evolving at the time of this writing. The cyber threat landscape is changing, but SWK Technologies is here to help your business prepare for these risks to your valuable systems and data with award-winning solutions scaled for SMB needs.
Contact SWK here to learn how we can help you defend against the biggest cyber threats today, and the ones taking shape for tomorrow.
