AI Cybersecurity Incident Report 2026: Vercel, EchoLeak & 346 AI Cases

A factual analysis of AI security in 2025 and the named 2026 incidents that defined the post-deployment threat surface: the Vercel / Context.ai OAuth supply-chain breach, EchoLeak (CVE-2025-32711), the OWASP LLM Top 10 v2025 update, and MITRE ATLAS agentic-AI expansion. With operational implications for mid-market AI adopters.

Published by BlueRadius Cyber | May 2026 | All figures sourced and footnoted

Executive Summary

The 2026 AI security picture opened with a named breach that crystallized the patterns red teams had been warning about for two years. In April 2026, Vercel disclosed a security incident rooted in a Vercel employee granting an AI productivity tool (Context.ai) "Allow All" OAuth permissions to the employee's corporate Google Workspace. Attackers, who had compromised a Context.ai employee via Lumma Stealer malware in February 2026, used those OAuth tokens to take over the Vercel employee's account and move laterally into Vercel's internal systems. Approximately two months of dwell time produced API keys, source code, and 580 employee records, which ShinyHunters subsequently listed for $2 million on BreachForums.[8][9][10][11]

Vercel is the canonical 2026 case study because it operationalized three risk classes the AI security frameworks have been formalizing: OWASP LLM06 (Excessive Agency, the agency granted to AI tools), OWASP LLM03 (Supply Chain, third-party AI providers as attack vectors), and the workforce-driven AI use pattern that Samsung's 2023 incidents first surfaced.[2][5][8]

Backing up from Vercel, the 2025 data is the foundation. The AI Incident Database logged 346 reported cases in 2025, covering fraud, impersonation, unsafe content, and AI-system failures observed in the real world.[1] Of those, 179 involved synthetic media (deepfake audio, video, or images) and 37 involved violent or unsafe content.[1] The OWASP Top 10 for LLM Applications was updated for 2025, with prompt injection remaining the #1 critical vulnerability for the second consecutive edition.[2] In June 2025, security researchers at Aim Security disclosed EchoLeak (CVE-2025-32711), the first publicly documented zero-click prompt-injection vulnerability weaponized for data exfiltration in a production LLM system (Microsoft 365 Copilot).[3] MITRE ATLAS, the standard adversarial-ML knowledge base, expanded to 16 tactics and 84 techniques with 14 new techniques added in 2025 specifically for AI agents.[4]

This report compiles the publicly verifiable picture of AI security through the first half of 2026, anchored on the 2025 framework year and the 2026 incident year. Every statistic is sourced and footnoted.

Key Findings

• 346 AI incidents logged by the AI Incident Database in 2025, with deepfakes accounting for the largest single category.[1]
• Prompt Injection remained #1 on the OWASP Top 10 for LLM Applications 2025, reflecting both the volume and severity of real-world exploitation.[2]
• EchoLeak (CVE-2025-32711) became the first publicly documented production weaponization of prompt injection for data exfiltration, affecting Microsoft 365 Copilot via a single crafted email.[3]
• MITRE ATLAS v5.1.0 (November 2025) expanded to 16 tactics, 84 techniques, 32 mitigations, and 42 case studies, with 14 new techniques specifically covering AI agent attack surface.[4]
• Workforce-driven data exposure via consumer AI tools remained a primary mid-market risk class, validated by the Samsung Electronics three-incidents-in-twenty-days episode that drove an enterprise-wide ChatGPT ban in 2023 and continues to model the pattern.[5]
• Malicious browser extensions targeting ChatGPT and DeepSeek conversations emerged as an active exfiltration vector in 2024 and 2025, capturing prompts and responses for transmission to attacker-controlled servers.[6]
• Agentic AI opened a new attack surface (autonomous tool use, multi-step task chaining, persistent memory, vector-store grounding) that the 2025 frameworks now explicitly address.[2][4]

Bottom line: AI security in 2025 graduated from theoretical risk to production exploitation. The first weaponized prompt-injection CVE landed mid-year, the OWASP and MITRE frameworks both shifted to recognize agentic-AI attack surface, and incident reporting volume kept growing. For mid-market organizations deploying AI features or AI agents, this report frames the operational baseline that the 2026 buying conversations will assume.

The Scale: AI Incident Database 2025

The AI Incident Database (AIID), maintained as a public catalog of reported AI-system harms, logged 346 incidents in 2025.[1] Coverage spans fraud, impersonation, unsafe content, and AI-system failures observed in the real world. Two categories dominated the volume:

• Deepfake / synthetic media incidents: 179 of 346 (52%). Includes voice impersonation in business email compromise, video manipulation in disinformation, and image deepfakes used in extortion and fraud.[1]
• Violent or unsafe content incidents: 37 of 346 (11%). Includes outputs that generated harmful guidance, child-safety violations, and content that violated platform safety policies.[1]

The remaining 130 incidents covered model failure modes, training-data exposure, hallucination causing operational harm, agentic AI failures, and other categories. The AIID reached the Incident #1000 cumulative milestone in early 2025.[7]

One methodological caveat that AIID notes explicitly: reported incidents undercount actual incident volume because most AI failures inside enterprise deployments are not publicly disclosed. Treat the 346 figure as a directional floor, not a comprehensive count.

OWASP Top 10 for LLM Applications 2025

The OWASP Top 10 for LLM Applications, the de facto industry framework for AI-specific application security risks, released its v2025 update in late 2024 and is the operational baseline most security teams should be working against.[2] The ranking:

1. Prompt Injection (#1 for the second consecutive edition)
2. Sensitive Information Disclosure
3. Supply Chain
4. Data and Model Poisoning
5. Improper Output Handling
6. Excessive Agency
7. System Prompt Leakage
8. Vector and Embedding Weaknesses
9. Misinformation
10. Unbounded Consumption

The 2025 update reorganized several entries to reflect agentic-AI deployment realities. Excessive Agency (LLM06) addresses the risk of granting AI agents too much capability to act autonomously without sufficient human checkpoints. Vector and Embedding Weaknesses (LLM08) covers retrieval-augmented generation (RAG) compromise patterns, including prompt injection via poisoned vector stores. System Prompt Leakage (LLM07) elevates the previously-underweighted risk of system-prompt exposure to attackers (which the EchoLeak vulnerability operationalized).[2]

For mid-market organizations building or deploying AI applications, the OWASP framework is the answer to "what should our AI security program actually cover." Any vendor security questionnaire that asks about AI security will increasingly map directly to these ten items.

EchoLeak (CVE-2025-32711): The First Production Prompt Injection

EchoLeak is the most significant named AI security incident of 2025. Aim Security researchers disclosed the zero-click vulnerability in Microsoft 365 Copilot in June 2025. Microsoft assigned CVE-2025-32711 and issued emergency patches.[3]

The attack mechanics are straightforward in concept and devastating in implementation: an attacker sends a crafted email to a Microsoft 365 user. The email contains an indirect prompt injection (instructions embedded in the email body that the AI system processes as commands). When the user later asks Copilot a question that retrieves the email (via RAG or context loading), Copilot executes the embedded instructions, which can exfiltrate confidential data from the user's email, files, or other connected sources. The user takes no explicit action. They simply ask Copilot a routine question, and the previously delivered email weaponizes the response.[3]

EchoLeak matters for two reasons. First, it confirmed in production what red teams had demonstrated in research environments: prompt injection is exploitable at scale in real LLM applications, including those built by the most well-resourced vendors. Second, it established the indirect prompt injection pattern (attack content arrives via a routine channel, exploitation happens later via the AI system's normal operation) as a credible enterprise threat model. For our broader treatment of AI risk in enterprise environments, see our analysis of enterprise product security in the age of Claude Code and our AI vendor risk assessment guide.

The CVE Program Near-Miss (April 2025) and What Changed in 2026

The EchoLeak disclosure happened in June 2025, two months after the entire infrastructure that assigned its CVE number (CVE-2025-32711) almost shut down. The CVE ecosystem is operated by MITRE under contract from the U.S. Department of Homeland Security, and in April 2025 the contract was scheduled to expire on April 16 with no renewal in place. MITRE notified the CVE board, panic briefly rippled through the global vulnerability disclosure community, and CISA exercised an 11-month contract option period the night before expiration to keep services running through approximately March 2026.[13][14]

That near-miss has now been resolved. At the January 21, 2026, CVE board meeting, CISA confirmed there would be "no funding cliff in March" and that ongoing operations and planning extend well beyond that timeframe. CISA published a strategic roadmap covering sustained funding, modernization of CVE infrastructure, governance changes that broaden participation beyond U.S.-only stakeholders, and improvements to vulnerability prioritization that explicitly call out the volume challenge AI-related vulnerability disclosures will create.[15][16]

Two structural changes that came out of the 2025 crisis are worth tracking:

• Alternative CVE allocation systems launched. The European Union stood up the European Union Vulnerability Database (EUVD) in 2025, and a second international coalition began work on a parallel allocation system, both intended as a backstop in case the U.S.-funded CVE program is interrupted in a future cycle. Mid-market security teams should expect to see vulnerability identifiers from these alternative systems appearing in vendor advisories during 2026, alongside traditional CVE IDs.[17]
• Vulnerability prioritization is being rebuilt around prevalence and exploitation, not severity alone. CISA's roadmap explicitly addresses the volume problem: with AI-assisted vulnerability research producing more reports than any system can triage, prioritization that asks "is this being exploited" (via the KEV catalog) and "how widely is this deployed" matters more than CVSS score in isolation. Mid-market vulnerability management programs that still treat CVSS as the primary prioritization input are behind the curve.[15]

For mid-market AI adopters specifically, the CVE near-miss is a reminder that the vulnerability disclosure infrastructure is not background plumbing. AI security depends on rapid, public, coordinated disclosure (EchoLeak is the textbook case: research-to-CVE-to-patch in a defined window). If that pipeline is interrupted, the entire model of "vendors disclose, customers patch" breaks down. Tracking the health of CVE, KEV, and the new alternative allocation systems belongs in any AI vendor risk program.

CISA Itself Under Operational Pressure (May 2025 + February 2026)

The CVE registry funding crisis was one of three events that disrupted the U.S.-anchored vulnerability disclosure pipeline across 2025 and 2026:

• May 2025, advisories webpage move (announced, then paused). CISA announced that effective May 12, 2025, standard cybersecurity alerts and advisories would no longer publish to cisa.gov, with distribution moving to email subscriptions and the @CISACyber X account; only the most urgent items (zero-days, active exploitation, major incidents) would remain on the public alerts page. Significant pushback from security professionals led CISA to pause the change while reassessing. The advisories page is still live today, but the underlying intent to narrow public publishing remains visible in the agency's communications roadmap.[18][19]
• February to April 2026, DHS shutdown and CISA furlough. A federal shutdown that began February 14, 2026 furloughed roughly 1,453 of CISA's 2,341 employees, leaving the agency operating at approximately 38% capacity for about eight weeks before workers were recalled. CISA continued publishing KEV (Known Exploited Vulnerabilities) catalog updates during the disruption, but broader advisory output, threat-intelligence dissemination, and stakeholder communication ran at reduced cadence. Compounding factor: the agency had already lost roughly one-third of its workforce through buyouts and deferred resignations across 2025, with programs cut including the counter-ransomware initiative and parts of the secure-software-development effort.[20][21][22]

The combined picture matters for mid-market AI security planning: you can no longer assume CISA's advisory cadence is the steady-state heartbeat it was in 2022 to 2024. KEV remains the authoritative exploited-vulnerability source. For broader threat intelligence, vendor-specific advisories, and the AI-vulnerability disclosure conversation specifically, build multi-source resilience into your program (CISA + vendor PSIRTs + commercial threat intelligence + the EUVD as it matures), and stop treating any single feed as the canonical truth source.

The Vercel Disclosure (April 2026): OAuth + AI Tool Supply Chain

If EchoLeak was the named 2025 production prompt-injection incident, the Vercel disclosure of April 2026 is the named 2026 incident that crystallized the AI supply-chain and Excessive Agency risk classes. Vercel, the deployment platform used by a substantial share of the React, Next.js, and AI SDK developer ecosystem, confirmed the breach after a threat actor operating as ShinyHunters listed stolen data for $2 million on BreachForums.[8][9]

Attack Chain

The incident reconstruction, drawn from Vercel's official knowledge-base bulletin and corroborating reporting:[8][10][11]

• February 2026, initial compromise. An employee at Context.ai (an AI Office Suite vendor) was infected with Lumma Stealer infostealer malware, reportedly via a malicious Roblox cheat script download. The malware exfiltrated credentials that enabled the attacker to enter Context.ai's AWS environment and extract OAuth tokens belonging to consumer users of Context.ai's Office Suite.
• Lateral movement via OAuth grant. A Vercel employee had previously signed up for Context.ai's AI Office Suite using their corporate Google Workspace account and granted the application "Allow All" OAuth permissions. The attacker used the exfiltrated OAuth token to take over the Vercel employee's Google Workspace account.
• Internal lateral movement. From the compromised Google Workspace account, the attacker moved into Vercel's internal systems with approximately two months of dwell time.
• Exfiltration. Stolen material included API keys, source code, and 580 employee records. Environment variables that were not explicitly marked as "sensitive" were readable within compromised team scopes.
• April 2026, disclosure and response. Vercel engaged Mandiant for incident response, notified law enforcement, contacted a limited subset of affected customers directly, and advised customers to review environment variables and enable the sensitive-variable encryption feature. Separately, Vercel disclosed that some customer data had been stolen prior to the main hack.[12]

Why Vercel Is the Canonical 2026 AI Supply Chain Case

Vercel matters because it operationalized three risk classes that the 2025 AI security frameworks formally describe but had not yet been demonstrated end-to-end in a named breach at this scale:

• OWASP LLM06, Excessive Agency. The "Allow All" OAuth grant to an AI productivity tool is the textbook case. The employee almost certainly did not intend to authorize an attacker chain that would take over their entire mailbox, drive, and downstream identity surface. They simply clicked through the OAuth consent screen the way users have been trained to.[2]
• OWASP LLM03, Supply Chain. Vercel was breached not because Vercel was attacked directly, but because an upstream AI vendor (Context.ai) was attacked, and the trust chain between organization and AI vendor was load-bearing. Every organization granting OAuth scopes to AI tools is now operating a supply-chain attack surface that is largely invisible to traditional vendor risk programs.[2]
• Workforce-driven AI use (the Samsung pattern, evolved). The 2023 Samsung incidents established that workforce AI tool use is a first-class risk class. The Vercel incident extends the pattern: the risk is not only the data the employee puts into the AI tool, but the agency the employee grants the AI tool to act on the employee's behalf across the corporate identity surface.[5]

Operational Implications for Mid-Market AI Adopters

The Vercel chain reframes several mid-market security controls that previously felt optional:

• OAuth grant inventory and review. Most organizations cannot quickly answer "which third-party applications hold OAuth grants to our Google Workspace or Microsoft 365 tenants, and what scopes did each request." A periodic OAuth grant audit (monthly or quarterly) and a policy that AI tool OAuth grants require approval should be baseline.
• Sensitive variable hygiene at the platform layer. Vercel's own remediation advice (mark sensitive environment variables explicitly so they encrypt at rest and become unreadable to compromised team scopes) generalizes: every platform that distinguishes "regular" and "sensitive" secrets defaults to the looser tier unless engineers act. Audit your own platforms.
• AI vendor supply-chain due diligence. Vendor risk programs that ask "is the vendor SOC 2" do not surface "does the vendor's employee endpoint security prevent Lumma Stealer." For AI vendors that hold OAuth tokens to your tenants, the upstream endpoint posture of the vendor's own workforce matters.
• Endpoint detection coverage for infostealers. Lumma Stealer and similar infostealer families are the initial-access vector for an increasing share of named breaches. EDR/MDR coverage that detects infostealer execution (not only post-exploitation lateral movement) is now table stakes. See our managed cybersecurity services for the 24/7 SOC posture mid-market organizations need.

Workforce-Driven Data Exposure: The Samsung Pattern

The Samsung Electronics incident from 2023 remains the canonical case study for mid-market AI security risk because the pattern continues to repeat across enterprise deployments. Within 20 days of allowing ChatGPT use, Samsung engineers triggered three separate sensitive-data leaks, prompting a company-wide ban on consumer ChatGPT:[5]

• An engineer pasted proprietary semiconductor source code into ChatGPT to check for errors
• An employee uploaded defect-identification code seeking optimization suggestions
• A third incident involved meeting minutes containing internal strategy

The Samsung pattern is now the default mid-market AI risk model: well-intentioned employees use consumer AI tools to accelerate routine work, sending proprietary or regulated data to providers without contractual data protection. Two compounding patterns emerged in 2024 and 2025:

• Malicious browser extensions targeting ChatGPT and DeepSeek conversations actively exfiltrate prompts and responses to attacker-controlled servers, with the user often unaware their AI session is being intercepted.[6]
• Vendor data exposures in AI provider supply chains continue, including OpenAI's 2025 disclosure of a data exposure tied to third-party analytics provider Mixpanel.[6]

For mid-market organizations, the structural responses are AI governance programs that include approved-tool inventories, contractual data protection for enterprise AI tier use, workforce training that addresses consumer-tool risk, and detection coverage for unauthorized AI tool use through the corporate identity surface.

Agentic AI: The New Attack Surface

The most significant 2025 framework shift in both OWASP and MITRE ATLAS was the explicit recognition of agentic AI as a distinct attack surface. MITRE ATLAS v5.1.0 (November 2025) added 14 new techniques in 2025 specifically covering AI agents, with continued updates through early 2026 expanding agentic coverage further.[4]

Agentic AI attack patterns flagged by the 2025 frameworks include:

• Memory manipulation: attackers inject content into an agent's persistent memory to alter future decisions across sessions
• Tool abuse: agents with access to external tools (email, code execution, web browsing, file systems) can be redirected to use those tools against the host organization
• Multi-step task chaining: attackers split malicious instructions across multiple seemingly innocuous inputs that the agent assembles into harmful action
• Cross-agent contamination: in multi-agent systems, compromise of one agent can propagate through inter-agent communication channels

The MITRE ATLAS framework expanded coverage to 16 tactics, 84 techniques, 32 mitigations, and 42 case studies in 2025, with approximately 70% of mitigations mapping to existing security controls. For mid-market organizations, this matters operationally because it means an agentic-AI security program does not require entirely new tooling. Existing identity providers, SIEM platforms, endpoint detection, and SOC processes can integrate ATLAS-aligned mitigations without rebuilding the security stack.[4]

What This Means for Mid-Market AI Adopters in 2026

Four operational implications drop out of the 2025 incident and framework picture:

1. AI security is now a vendor risk question that enterprise procurement asks

Enterprise security review questionnaires for SaaS vendors increasingly include AI-specific sections covering model risk, training data governance, prompt-injection mitigation, output handling, and AI vendor risk for the components the vendor itself relies on. Mid-market SaaS firms shipping AI features need answers to these questions documented in advance. See our AI vendor risk assessment guide for the specific question patterns enterprise teams now use.

2. Prompt injection mitigation is a real engineering discipline, not a theoretical concern

EchoLeak demonstrated that even the most well-resourced AI vendors can ship prompt-injection-vulnerable systems. For mid-market organizations building AI applications, input validation, output sanitization, system-prompt protection, RAG-source vetting, and red-team testing against the OWASP Top 10 for LLMs are baseline engineering practice, not optional hardening.

3. Agentic AI deployments require executive-level governance, not just engineering controls

The Excessive Agency (LLM06) entry in the OWASP framework is fundamentally a governance question: how much autonomy do we grant the AI agent before a human is required in the loop? Mid-market organizations deploying AI agents need an AI governance program that answers this question explicitly for each agent deployment, with documented decision rationale and audit trail. Our AI governance practice builds these programs against NIST AI RMF, EU AI Act preparation, and ISO 42001 alongside the OWASP technical controls.

4. Workforce AI use policy enforcement is the highest-volume mid-market exposure

The Samsung pattern continues to model the largest single mid-market AI risk: well-intentioned employees using consumer AI tools to accelerate routine work, with sensitive data flowing outside contractual protection. The control set for this includes approved-tool inventory, enterprise AI tier contracts with data protection guarantees, identity-surface monitoring for unsanctioned AI use, and workforce training that explicitly addresses consumer-tool risk patterns.

Frequently Asked Questions

How many AI security incidents were reported in 2025?

The AI Incident Database logged 346 incidents in 2025, of which 179 involved deepfakes and 37 involved violent or unsafe content. The database notes that reported incidents undercount actual incident volume because most enterprise AI failures are not publicly disclosed.[1]

What is the OWASP Top 10 for LLM Applications?

The OWASP Top 10 for LLM Applications is the industry framework for AI-specific application security risks. The 2025 update places Prompt Injection at #1 for the second consecutive edition, with the full list covering Sensitive Information Disclosure, Supply Chain, Data and Model Poisoning, Improper Output Handling, Excessive Agency, System Prompt Leakage, Vector and Embedding Weaknesses, Misinformation, and Unbounded Consumption.[2]

What is EchoLeak (CVE-2025-32711)?

EchoLeak is a zero-click prompt injection vulnerability in Microsoft 365 Copilot disclosed by Aim Security researchers in June 2025. It allowed remote attackers to exfiltrate confidential data by sending a crafted email that contained indirect prompt injection instructions, which Copilot would later execute when the user asked a routine question. Microsoft assigned CVE-2025-32711 and issued emergency patches. EchoLeak is the first publicly documented production weaponization of prompt injection for data exfiltration in a deployed LLM system.[3]

What is MITRE ATLAS and why does it matter?

MITRE ATLAS (Adversarial Threat Landscape for Artificial-Intelligence Systems) is the standard knowledge base for adversarial machine learning tactics, techniques, and procedures. The v5.1.0 release in November 2025 expanded to 16 tactics, 84 techniques, 32 mitigations, and 42 case studies, with 14 new techniques in 2025 specifically covering AI agents. ATLAS is to AI security roughly what MITRE ATT&CK is to general cybersecurity: the operational vocabulary security teams use to describe and defend against AI-specific attacks.[4]

What is the Samsung ChatGPT incident?

In 2023, Samsung Electronics engineers triggered three sensitive data leaks within 20 days of being allowed to use ChatGPT, including pasting proprietary semiconductor source code into the consumer tool. Samsung subsequently banned consumer ChatGPT enterprise-wide. The Samsung pattern remains the canonical case study for mid-market workforce-driven AI data exposure risk, and similar patterns continue to surface across enterprise AI deployments.[5]

What should mid-market organizations do about AI security?

Four structural actions: build an AI governance program aligned to NIST AI RMF and OWASP Top 10 for LLMs, deploy approved-tool inventory and enterprise AI tier contracts for workforce use, implement prompt-injection mitigation as standard engineering practice for any AI feature you ship, and treat AI agents with elevated governance scrutiny proportional to the agency you grant them. The fastest way to scope these against your environment is a structured assessment: request a free cybersecurity assessment.

How does AI governance fit with broader cybersecurity?

AI governance is a parallel discipline that overlaps with traditional cybersecurity in identity protection, data protection, vendor risk, and incident response. Most mid-market organizations layer AI governance on top of an existing cybersecurity program rather than treating it as a separate function. Our healthcare cybersecurity, financial services cybersecurity, and biotech cybersecurity hubs cover the vertical-specific dimensions where AI governance intersects with existing regulatory frameworks (HIPAA, NYDFS Part 500, FDA, EU AI Act).

Sources

1. TechRound (summarizing AI Incident Database data analyzed by Cybernews), "AI Incidents Reached 346 Reported Cases In 2025, AI Incident Database Says," 2026. techround.co.uk. Primary source: incidentdatabase.ai.
2. OWASP Foundation, "OWASP Top 10 for Large Language Model Applications 2025," PDF v4.2.0a. owasp.org.
3. Aim Security / arXiv preprint, "EchoLeak: The First Real-World Zero-Click Prompt Injection Exploit in a Production LLM System," 2025. arxiv.org. CVE-2025-32711 disclosed June 2025.
4. MITRE ATLAS (Adversarial Threat Landscape for Artificial-Intelligence Systems), v5.1.0 release notes (November 2025) and ongoing framework documentation. atlas.mitre.org.
5. Cybersecurity Dive and Dark Reading reporting on the Samsung Electronics ChatGPT data-leak incidents, 2023. cybersecuritydive.com, darkreading.com.
6. Industry reporting on malicious Chrome extensions targeting ChatGPT and DeepSeek conversations and on the OpenAI / Mixpanel data exposure disclosed in 2025. Aggregated coverage at wald.ai.
7. AI Incident Database 2025 incident roundup posts documenting the Incident #1000 milestone in early 2025. incidentdatabase.ai/blog.
8. Vercel, "April 2026 security incident" (official knowledge-base bulletin). vercel.com/kb/bulletin/vercel-april-2026-security-incident.
9. Bleeping Computer, "Vercel confirms breach as hackers claim to be selling stolen data," April 2026. bleepingcomputer.com.
10. Tom's Hardware, "AI cloud company Vercel breached after employee grants AI tool unrestricted access to Google Workspace, hacker seeking $2 million for stolen data," April 2026. tomshardware.com.
11. CyberScoop, "Vercel's security breach started with malware disguised as Roblox cheats," April 2026. cyberscoop.com. Trend Micro analysis of the OAuth supply-chain pattern: trendmicro.com.
12. TechCrunch, "Vercel says some of its customers' data was stolen prior to its recent hack," April 2026. techcrunch.com.
13. CSO Online, "CVE program faces swift end after DHS fails to renew contract, leaving security flaw tracking in limbo," April 2025, and subsequent coverage of the 11-month contract extension. csoonline.com.
14. Cyber Defense Magazine, "CISA Steps In to Keep CVE Services Alive," April 2025. cyberdefensemagazine.com. Infosecurity Magazine, "CISA Throws Lifeline to CVE Program with Contract Extension." infosecurity-magazine.com.
15. CSO Online, "CVE program funding secured, easing fears of repeat crisis," 2026, reporting on the January 21, 2026 CVE board meeting. csoonline.com.
16. CPO Magazine, "CISA Outlines Future Vision for CVE Program With Plans for Funding and Improved Vulnerability Prioritization," 2026. cpomagazine.com. Strategic roadmap reflects sustained funding and KEV-prioritized vulnerability triage.
17. Cybersecurity Dive, "The CVE Program, a bedrock of global cyber defense, is teetering on the brink," 2025, on the European Union Vulnerability Database (EUVD) and parallel international allocation systems. cybersecuritydive.com. Cybernews, "CVE database funding extended through 2026 - was the panic all for nothing?" cybernews.com.
18. GBHackers, "CISA to Stop Publishing Cybersecurity Alerts and Advisories on Webpages," May 2025. gbhackers.com. Cyberpress coverage: cyberpress.org.
19. Infosecurity Magazine, "CISA Reverses Decision on Cybersecurity Advisory Changes," 2025, on the community pushback that led CISA to pause the May 2025 advisories-page change. infosecurity-magazine.com.
20. Nextgov/FCW, "CISA to furlough most of its workforce under impending DHS shutdown," February 2026. nextgov.com. Defense One reporting: defenseone.com.
21. State of Surveillance, "CISA Running at 38% Capacity as DHS Shutdown Guts America's Cyber Defense," February 2026. stateofsurveillance.org. TechCrunch context on Trump-administration workforce reductions: techcrunch.com.
22. Federal News Network, "DHS calling furloughed staff back to work despite shutdown," April 2026, and GovInfoSecurity, "CISA Workers Recalled Despite Shutdown," documenting the approximately eight-week furlough period and partial workforce restoration. federalnewsnetwork.com, govinfosecurity.com.

All figures and named incidents in this report are drawn from publicly available primary sources or established secondary reporting. Where industry reports or vendor analyses are cited, the publisher is identified explicitly. This report does not reproduce raw incident submissions or proprietary threat intelligence; readers seeking individual incident-level disclosures should consult the AI Incident Database directly at incidentdatabase.ai.