ADVISORIES & THREAT INTEL

Verizon’s 2026 DBIR reports that exploit techniques now drive 31 % of initial‑access breaches, exposing a dangerous vulnerability glut across enterprises. The finding underscores the need for rigorous third‑party patch management in TPRM programs.

HackRead warns that generative‑AI agents with high privileges are vulnerable to prompt‑injection attacks that can leak data or trigger malicious actions. Organizations must inventory AI agents, enforce prompt validation, and embed security clauses in vendor contracts to mitigate this emerging threat.

The SHub Reaper stealer disguises itself as popular apps, leveraging AppleScript to gain persistence on macOS and steal credentials. Its distribution through counterfeit WeChat and Miro installers expands the threat surface for organizations with macOS endpoints, demanding immediate TPRM attention.

Dell unveiled a suite of AI‑infrastructure solutions that keep compute and data on‑premise or at the edge, challenging the cloud‑first narrative. The move adds new hardware and software supply‑chain dependencies, raising third‑party risk for enterprises that handle regulated data.

As low‑Earth‑orbit mega‑constellations expand, nation‑state actors and criminal groups are developing cyber capabilities to attack on‑orbit assets. Conventional security tools fail in space, prompting a rapid R&D effort to build orbit‑specific defenses. This creates a new, high‑impact risk for any organization that depends on satellite services.

Verizon’s 2026 breach report reveals that a third of all confirmed data breaches began with the exploitation of known vulnerabilities, while organizations patched only a quarter of critical bugs and took 43 days on average to remediate. The trend heightens third‑party risk for any vendor relying on timely patch management.

Microsoft’s Digital Crimes Unit disrupted Fox Tempest, a malware‑signing‑as‑a‑service platform that issued trusted certificates to ransomware groups. Over 1,000 fraudulent certificates were revoked, curbing a supply‑chain threat that impacted healthcare, education, government, and financial services worldwide.

OpenAI now embeds cryptographic watermarks and C2PA metadata directly into every AI‑generated image, enabling easy verification of provenance. The move strengthens defenses against AI‑driven disinformation and raises the bar for third‑party risk assessments of visual AI services.

Google unveiled a cheaper AI Ultra Lite tier at $100 / month and reduced the full Ultra tier to $200 / month, adding higher usage limits, 20 TB of cloud storage, and new AI agents. The shift reshapes cost structures and expands the functional footprint of Google’s Gemini AI, prompting a review of vendor risk and data‑privacy controls.

Google’s Gemini Omni lets users generate videos from text, images, audio and video, including avatars that clone a person’s voice and likeness. The capability raises brand‑spoofing, fraud, and data‑privacy concerns for enterprises that rely on third‑party video production services.

Google rolled out an AI‑driven Search box powered by Gemini 3.5 Flash, adding background information agents, agentic coding, and deeper personalization. Enterprises must reassess data‑privacy, supply‑chain, and endpoint‑security controls around these capabilities.

At Google I/O 2026 the company rolled out AI‑powered Android updates, embedding Gemini across the OS, unveiling new XR capabilities, and introducing a hardware line called Googlebook. These changes broaden data collection and permission models, creating fresh third‑party risk considerations for enterprises.

Ofcom will require online platforms to adopt hash‑matching detection and enforce a two‑day takedown rule for deepfakes and non‑consensual intimate images, with heavy fines and possible service blocking for non‑compliance. TPRM teams must reassess vendor contracts and verify compliance capabilities.

A Microsoft Windows 11 update (KB5089549) fails with error 0x800f0922 on systems with insufficient EFI partition space, preventing critical security fixes from being applied. Organizations must remediate ESP size to restore patch flow and reduce third‑party risk.

Microsoft seized the Fox Tempest infrastructure, a malware‑signing‑as‑a‑service operation that issued thousands of fraudulent code‑signing certificates to ransomware affiliates. The disruption removes a critical supply‑chain weapon and forces organizations to reassess reliance on third‑party signing services.

ZDNet (CNET Group) released official rules for its 2026 Big Guessing Game, a three‑round, no‑purchase‑necessary contest open to U.S. adults. The event creates marketing‑related third‑party risk that TPRM teams should evaluate.

Fox Tempest provides a malware‑signing‑as‑a‑service that supplies valid code‑signing certificates to threat actors such as Vanilla Tempest and Storm. This service lets ransomware and other malware bypass signature‑based defenses, creating a hidden supply‑chain risk for organizations that trust signed binaries.

ZDNet identified six Android Auto‑compatible apps that improve driver safety, fuel cost management, parking, and media consumption. Organizations should evaluate the data‑privacy and security posture of these third‑party apps before allowing employee use.

7‑Eleven confirmed that attackers accessed its Salesforce tenant in April 2026, stealing over 600,000 records of franchisee and consumer data. The ShinyHunters gang publicly claimed responsibility and leaked a 9.4 GB archive, highlighting third‑party SaaS risk for retailers.

Criminal IP returned to Infosecurity Europe 2026 to unveil AI‑powered threat‑intelligence and attack‑surface‑management solutions. The vendor emphasized automated workflows while addressing prompt‑injection and data‑leak risks, a development that impacts third‑party risk programs.

Dark Reading reflects on two decades of cyber‑security change, noting that AI, cloud, and COVID‑19 have reshaped threats while many organizations still ignore basic security hygiene, creating heightened risk for third‑party relationships.