the threat gazette
Morning Edition
Cloud

Scattered Spider Pivoted Through Context AI to Reach Vercel Customer Credentials

Scattered Spider

Scattered Spider breached the AI platform Context AI and used that access as a pivot into Vercel's infrastructure, exposing what is being reported as a "limited" set of customer credentials. The vector, compromising a smaller SaaS vendor whose integrations reach a higher-value platform, is consistent with the group's documented MO of targeting identity and authentication links in the supply chain. Because Vercel is a dominant CI/CD and frontend deployment platform, even a "limited" credential disclosure carries meaningful blast radius for any organization whose Vercel pipelines connect to production infrastructure. The sibling story (6095) records ShinyHunters publicly claiming the breach, reflecting the established operational overlap between that group and Scattered Spider personas.

The Context AI to Vercel pivot is the key intelligence here: developer-toolchain vendors are increasingly targeted as soft-underbelly access paths into higher-value platforms, and this is a clean example of the pattern. Verify whether your organization uses Vercel and whether any service tokens, deployment secrets, or OAuth connections require rotation, including tokens that third-party vendors hold on your behalf. A "limited" customer credential exposure is always defined by the vendor, not the victim.

This fills in the missing piece from the 04-19 Vercel coverage: the initial access was a developer-toolchain SaaS with Vercel integrations, not Vercel itself. Expect more of this shape. Smaller AI and dev-tools vendors are now the lateral hop of choice into higher-value CI/CD surfaces, and "limited customer credential exposure" is vendor-side framing. ShinyHunters' public claim on the same breach (separate wire entry) is consistent with the group's documented persona overlap with Scattered Spider and adds nothing operational.

2026-04-19
1 source

Editorial

The Vercel breach now has a named entry point. Scattered Spider popped Context AI first and pivoted through the integration, which advances the SDLC-as-target-class thread tracked all week into something more specific: trust-graph traversal across SaaS integrations. The operational implication is that the exposure is not limited to your own Vercel tokens; it is every third-party vendor in your estate that holds Vercel tokens on your behalf, and the blast radius of a single popped AI or dev-tooling vendor extends across every integration it brokers. Buchanan's guilty plea landing the same day is the second Scattered Spider plea in a week and, consistent with the arrests-as-lagging-indicator read from the 19th, has produced no observable change in the cohort's tempo.
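The trust-graph point above, and the rotation advice in the Context AI story, come down to one walk over an inventory of who holds what on your behalf. The following is an added example written for this page, not code from the gazette, Vercel or Context AI: a breadth-first walk that computes the blast radius of one compromised vendor across the integrations it brokers and derives the rotation set from the graph rather than from the vendor's statement. The inventory, node names and relation types are constructed for illustration and assume nothing about any real platform's data model.

```python
"""Blast radius of a compromised SaaS vendor across brokered integrations.

Added example, not code from the gazette or from any vendor named in it.
The inventory below is constructed; node names and relation types are
assumptions, not a real platform's data model.
"""
from collections import deque

# Constructed inventory of trust edges as (source, relation, target).
# A vendor "holds" a platform token on our behalf, a token "grants" access to
# a project, a project "deploys_to" one or more environments, and a vendor may
# "integrate" with another vendor (which is what makes the second hop possible).
INVENTORY = [
    ("ai-notes-saas",    "integrates", "log-shipper-saas"),
    ("ai-notes-saas",    "holds",      "tok-deploy-a"),
    ("log-shipper-saas", "holds",      "tok-deploy-b"),
    ("log-shipper-saas", "holds",      "tok-cloud-ro"),
    ("internal-ci",      "holds",      "tok-deploy-c"),   # held by us, not by a vendor
    ("tok-deploy-a",     "grants",     "proj-marketing-site"),
    ("tok-deploy-b",     "grants",     "proj-customer-portal"),
    ("tok-deploy-c",     "grants",     "proj-customer-portal"),
    ("tok-cloud-ro",     "grants",     "cloud-account-readonly"),
    ("proj-marketing-site",  "deploys_to", "env-prod-marketing"),
    ("proj-customer-portal", "deploys_to", "env-prod-portal"),
    ("proj-customer-portal", "deploys_to", "env-staging-portal"),
]

# Relations along which compromise of the source implies compromise of the target.
PROPAGATES = {"integrates", "holds", "grants", "deploys_to"}


def build_graph(inventory):
    """Adjacency list restricted to relations that propagate compromise."""
    graph = {}
    for src, rel, dst in inventory:
        if rel in PROPAGATES:
            graph.setdefault(src, []).append(dst)
    return graph


def blast_radius(inventory, compromised):
    """Breadth-first walk from the compromised node.

    Returns {reachable_node: path}, where path is the chain of trust that
    carries the compromise there; the compromised node maps to itself.
    """
    graph = build_graph(inventory)
    paths = {compromised: [compromised]}
    queue = deque([compromised])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in paths:
                paths[nxt] = paths[node] + [nxt]
                queue.append(nxt)
    return paths


def nodes_with_incoming(inventory, relation):
    """All targets of a given relation (e.g. every token anyone holds)."""
    return {dst for _, rel, dst in inventory if rel == relation}


def rotation_set(inventory, compromised):
    """Tokens reachable from the compromised vendor, directly or via another
    vendor it integrates with. This is the set the vendor's own 'limited'
    statement cannot bound for us."""
    reach = blast_radius(inventory, compromised)
    return sorted(t for t in nodes_with_incoming(inventory, "holds") if t in reach)


def exposed_environments(inventory, compromised):
    """Deployment targets a compromised vendor could have pushed to."""
    reach = blast_radius(inventory, compromised)
    return sorted(e for e in nodes_with_incoming(inventory, "deploys_to") if e in reach)


if __name__ == "__main__":
    victim = "ai-notes-saas"
    reach = blast_radius(INVENTORY, victim)
    print(f"compromise of {victim} reaches {len(reach) - 1} other nodes")
    for tok in rotation_set(INVENTORY, victim):
        print("rotate", tok, "via", " -> ".join(reach[tok]))
    for env in exposed_environments(INVENTORY, victim):
        print("review deploys to", env, "via", " -> ".join(reach[env]))
```

With the constructed inventory, compromising `ai-notes-saas` pulls in `tok-deploy-b` and `tok-cloud-ro` through the second vendor it integrates with, while `tok-deploy-c`, held by our own CI, stays out of the rotation set; that second hop is the part a vendor-side "limited" statement never covers. The inverse question, which vendors can reach a given production environment, is the same walk over reversed edges. The hard part in practice is populating the edges from real token lists and OAuth grant inventories, which is the collection step the advice above asks for.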

FakeWallet sitting in the App Store for six months harvesting seed phrases is the mobile-supply-chain tail of the same crypto-theft economy Buchanan was monetizing at $8M; read these as convergent rather than coincidental, and scope the exposure wherever the firm touches custody, treasury rails, or material employee holdings. ZionSiphon is the opposite kind of signal: a buggy OT implant that failed against Israeli water and desalination targets, already carrying attributions that span four mutually exclusive nation-state nexuses. Treat the actor list as noise, not intelligence, and note that confident attribution inside 48 hours of a failed OT attack is itself the tell.

Notable

Ransomware

Scattered Spider's Tyler Buchanan Pleads Guilty to $8M Wire Fraud / Identity Theft

Scattered Spider

Tyler Robert Buchanan, 24, of Dundee, Scotland, previously identified as a suspected senior Scattered Spider figure, pleaded guilty Friday in U.S. federal court to conspiracy to commit wire fraud and aggravated identity theft, admitting his role in a campaign that stole at least $8 million in cryptocurrency. The charged conduct is cryptocurrency theft through SIM swapping and social engineering, the group's original tradecraft, rather than the ransomware-affiliate operations it later became known for. Scattered Spider remains operationally active: the concurrent Vercel/Context AI breach in sibling story 6090 was apparently ongoing while Buchanan's case was pending, indicating the group's resilience to member prosecution.

A guilty plea rather than a trial raises the probability of a cooperation agreement, which would be the higher-value intelligence outcome: cooperating witnesses expose group infrastructure, communication channels, and co-conspirators at a depth no technical collection achieves. Track whether Buchanan surfaces as a cooperating witness in subsequent Scattered Spider-related indictments; that is the signal worth waiting for here.

A plea rather than a trial is consistent with, though not proof of, a cooperation agreement, which is where the real collection opportunity lives (infrastructure, comms channels, unnamed co-conspirators). Notably, the Vercel/Context AI operation was running concurrently with Buchanan's proceedings: member-level prosecution has not meaningfully degraded the group's operational tempo, which should recalibrate expectations of law-enforcement pressure as a mitigation.

Geopolitical

ZionSiphon OT Malware Targets Israeli Water Sector, Fails Due to Its Own Bugs

CVE-2026-40872 CVE-2026-4440 APT28 Lazarus Group MuddyWater Scattered Spider Silk Typhoon TeamPCP UNC1069 Conficker Milan PLEAD UPPERCUT Uroburos

ZionSiphon malware was identified targeting Israeli water and desalination OT systems, ultimately failing because of implementation bugs in the malware itself. Risky Biz coverage attributes the campaign to an implausibly broad coalition of APT28, Lazarus Group, MuddyWater, Silk Typhoon, Scattered Spider, TeamPCP, and UNC1069, while the associated software fingerprints span Uroburos (Turla's Snake rootkit, an FSB-nexus tool distinct from the GRU's APT28), PLEAD (BlackTech) and UPPERCUT (APT10), both China-nexus, and Conficker, a 2008 worm with no actor significance. Attribution spanning four mutually exclusive nation-state nexuses at once is a strong indicator of either deliberate false-flagging via borrowed tooling or a methodology that conflates shared code provenance with actor identity. CVE-2026-40872 (no NVD data available) and CVE-2026-4440 (EPSS 0.00074) appear in coverage but cannot be assessed for exploitability with available intelligence; detection IOCs are available via the companion THN coverage in story 6128.

The failure due to bugs is the analytically critical detail. Russia's state OT operators have demonstrated mature ICS payload capability (Sandworm's Industroyer and Industroyer2; PIPEDREAM, which Dragos attributes to CHERNOVITE and which is widely assessed as Russia-linked), so buggy ICS logic would be anomalous for a Russian state effort and cuts against the APT28 attribution; Lazarus has no comparable public OT track record, so the same argument neither confirms nor refutes that one. The failure profile is more consistent with a less-seasoned actor borrowing nation-state tooling for plausible deniability, which, if accurate, makes the geopolitical read considerably more ambiguous than the headline actor list implies. The PLEAD tag that also appears on the sibling Scattered Spider guilty plea story (6170) is almost certainly a tagger false positive on the word "Pleads" in that headline, not a cross-story link.

The buggy-implementation detail is the analytical hinge: Russia's state OT operators have mature, battle-tested ICS capability (the Industroyer lineage is Sandworm's work), so amateur-hour ICS logic does not fit a Russian state effort, and nothing in Lazarus's public record makes it a natural OT candidate either. An "attribution" to seven named actors spanning four mutually incompatible nation-state nexuses plus criminal crews, with a 2008 worm thrown in, is either aggressive false-flagging via borrowed code or a methodology conflating shared tooling with actor identity. Either way, do not carry the headline actor list into internal threat models. Financial-sector relevance is thin absent direct OT exposure; the companion IOC publication (story 6128) is the operational output worth ingesting for teams with OT-adjacent visibility.

Malware

FakeWallet Crypto Stealer Sat in Apple App Store for Six Months

Kaspersky's Securelist disclosed FakeWallet, a campaign that placed 20+ trojanized cryptocurrency wallet applications in the Apple App Store since at least fall 2025, undetected until March 2026. The apps redirect victims to fake App Store lookalike pages distributing malware engineered to exfiltrate seed phrases and private keys, a form of credential theft that, unlike password compromise, cannot be reversed. Six months of undetected operation inside Apple's walled garden is the headline finding; it undermines the assumption that App Store review alone is a sufficient control for enterprise mobile deployments. Kaspersky has published IOCs.

Seed-phrase exfiltration means permanent asset loss: there is no rotation path for a compromised private key, which distinguishes this from conventional credential theft. For financial services organizations with crypto custody operations, institutional trading, or employee crypto exposure, this is a direct asset-risk vector, not a privacy issue. Apple's review process demonstrably has blind spots for trojanized apps that mimic legitimate wallet UX rather than shipping obviously malicious functionality, and that gap will be exploited again.

The differentiator for financial services is that seed-phrase theft is permanent. There is no equivalent of a password reset for an exfiltrated private key, so the normal "rotate and move on" playbook does not apply; the only response is to sweep funds to a fresh wallet before the attacker does. Six months of undetected residency inside the walled garden also punctures the implicit threat model a lot of enterprise MDM policies still ride on (App-Store-only installs as a sufficient control). Worth surfacing to anyone owning mobile device policy for employees with crypto custody, trading, or treasury responsibilities.

Briefs