APT campaigns, nation-state threats, and security advisories analyzed through a third-party risk management lens.
The U.S. Coast Guard has issued a rule requiring cybersecurity officers, assessments, and plans for all U.S.-flagged commercial vessels and port facilities by July 2027. The mandate will reshape vendor risk assessments and inject over $1 B in compliance spend, making it a critical TPRM focus for maritime operators and OT service providers.
A KPMG survey of 2,110 C‑suite leaders shows that while 95% have AI strategies, only 8% report measurable returns. The report highlights the need for robust AI governance, data protection, and operational integration—critical considerations for third‑party risk managers evaluating AI‑enabled vendors.
University of Central Florida researchers introduced SecureRouter, an encrypted routing layer that dynamically selects AI models during MPC‑based inference. The approach halves latency compared with fixed‑model private inference, making secure AI more practical for healthcare, finance, and other data‑sensitive sectors.
Help Net Security released a comprehensive snapshot of current cybersecurity vacancies, covering roles from DevSecOps engineers to AI security testers. The list highlights emerging skill demands that third‑party risk managers should monitor when evaluating vendor capabilities.
The SANS ISC released its April 21 2026 Stormcast podcast, outlining the latest malware, phishing, and vulnerability activity observed worldwide. TPRM teams should ingest these indicators to keep vendor risk assessments current.
A set of 26 counterfeit cryptocurrency wallet apps slipped into Apple’s App Store for China, using typosquatting and fake branding to lure users. Once installed, the apps redirected victims to phishing sites and abused iOS provisioning profiles to exfiltrate seed phrases, enabling full wallet takeover. The campaign highlights a supply‑chain risk for any organization that permits mobile wallet usage.
Surfshark unveiled Dausos, a proprietary VPN protocol using AEGIS‑256X2 encryption and dedicated per‑user tunnels. Independent testing shows promising security enhancements but performance still trails WireGuard. TPRM teams should assess audit findings and pilot the protocol before enterprise rollout.
A sophisticated Android banking‑malware campaign is abusing screen‑overlay and Accessibility permissions to harvest PINs from over 800 mobile applications. The threat poses a high risk to financial‑service vendors and their downstream partners, demanding immediate review of mobile SDKs and device controls.
Italy’s data‑protection authority fined Poste Italiane and its Postepay subsidiary €12.5 million for illegally harvesting device‑level data from millions of users through overly invasive mobile‑app monitoring, highlighting a major privacy‑compliance risk for third‑party payment providers.
Qualys’ 2026 benchmark shows enterprises deployed millions of patches but still average 5 months 10 days to remediate complex third‑party software, underscoring a persistent exposure risk for third‑party risk managers.
Microsoft reports that threat actors are abusing external Teams chats to pose as IT staff, tricking users into granting Quick Assist remote control. The attackers then use native tools for lateral movement and exfiltrate data to cloud storage, posing a high‑risk scenario for any organization that enables external collaboration.
A security incident on France's ANTS portal may have exposed login credentials, names, emails, birth dates and other personal identifiers of citizens. The breach's origin and the number of affected users are unclear, raising concerns for any third‑party services that rely on ANTS‑verified identity data.
A recent BleepingComputer piece warns that many firms treat backups as full protection, ignoring the need for rapid recovery and business continuity. The gap leads to costly downtime, making it a critical consideration for third‑party risk managers.
Bluesky suffered a coordinated DDoS assault on April 15 2024 that knocked out feeds, notifications, threads and search for its 43 M user base. The outage underscores the need for robust third‑party DDoS mitigation clauses and heightened monitoring of state‑aligned threat actors.
ZDNet’s 2026 guide ranks the best robot vacuums for pet hair, a category of consumer IoT devices now entering corporate office spaces. The advisory flags potential security gaps and urges third‑party risk teams to vet these devices before procurement.
Microsoft is testing optional pre‑loading and reliability fixes for File Explorer in Windows 11 Insider builds, aiming to reduce launch times and eliminate visual glitches. Organizations should evaluate the impact on endpoint policies and third‑party integrations.
TechRepublic published a curated list of the five best Chrome VPN extensions for 2026, outlining their security features, privacy policies, and pricing. Organizations should vet these third‑party tools before allowing them on corporate devices to avoid data‑exposure risks.
Two compromised Axios npm releases (1.14.1 and 0.30.4) bundled a malicious plain‑crypto‑js dependency that downloads a remote‑access trojan. The threat targets developers, CI/CD pipelines, and any environment that installs the tainted packages, exposing credentials and internal networks. Third‑party risk programs must treat open‑source components as critical attack surfaces.
CISA has placed eight CVEs into its Known Exploited Vulnerabilities catalog after observing active attacks. The vulnerabilities affect a diverse set of software products, creating supply‑chain risk for any organization that relies on these vendors. TPRM teams should accelerate patching and verify third‑party remediation.
A British hacker tied to the Scattered Spider collective admitted to an $8 million cryptocurrency theft campaign that leveraged SMS‑phishing to steal credentials and launch ransomware attacks on firms such as MGM Resorts. The case highlights the need for robust credential controls and employee awareness in third‑party risk programs.
The UK NCSC warns that sophisticated threat actors are increasingly targeting critical national infrastructure, urging leaders to embed cyber‑resilience in supplier contracts and governance. Immediate TPRM actions are recommended to mitigate operational downtime, financial loss, and reputational damage.