← Back to Blog
Security Briefing4 min read2026-04-24

Security Briefing, April 24 2026: Breeze Cache Exploitation, Bitwarden npm Supply-Chain Risk, and GopherWhisper Cloud C2

The common thread today is simple: attackers keep winning wherever defenders quietly outsource trust, whether that trust sits in a WordPress plugin, an npm package, or a collaboration platform everyone assumes is normal.


Top line: Three stories matter this morning: a real WordPress website takeover path is being exploited in the wild, a trusted developer tool distribution path got poisoned, and a China-linked espionage cluster keeps showing how legitimate cloud services make excellent cover for attacker communications.


1. Breeze Cache gives attackers a live WordPress takeover route

Attackers are actively exploiting CVE-2026-3844 in the Breeze Cache WordPress plugin. The bug stems from missing file-type validation in the fetch_gravatar_from_remote function and can let an unauthenticated attacker upload arbitrary files. If the “Host Files Locally - Gravatars” add-on is enabled, that can become remote code execution and full site compromise. The plugin has more than 400,000 active installs, and Wordfence has already seen exploitation activity.


2. The Bitwarden CLI npm compromise is a bigger developer trust warning than it first looks

The malicious @bitwarden/cli npm package version 2026.4.0 was available for a short window on April 22 and contained malware designed to steal developer secrets. Researchers say it harvested npm and GitHub tokens, SSH keys, and cloud credentials, then exfiltrated data through attacker-controlled GitHub repositories. Bitwarden says vault data and production systems were not impacted, but any environment that installed the poisoned package during the exposed window should be treated as compromised.


3. Checkmarx fallout and GopherWhisper both prove the same point: trusted services are now part of attacker tradecraft

The Checkmarx KICS supply-chain breach hit Docker images and developer extensions, while ESET’s GopherWhisper report shows a China-linked threat cluster using Outlook, Slack, Discord, and Microsoft Graph API for command-and-control against government targets. These are different campaigns, but the lesson is identical: attackers are hiding inside normal developer and collaboration workflows because defenders still give them too much implicit trust.


What security teams should do today

  1. Patch Breeze Cache or disable the risky feature now, then check for signs of compromise.
  2. If any team installed the malicious Bitwarden CLI npm package, rotate secrets and re-establish trust from clean systems.
  3. Audit Checkmarx and adjacent developer tooling exposure, especially Docker pulls, extensions, and CI runners.
  4. Expand monitoring for cloud-service abuse across Outlook, Microsoft Graph, Slack, and Discord instead of relying only on classic malware indicators.

Sources


Bottom line: Bottom line: the attackers are not just exploiting software bugs, they are exploiting default trust. That is why today’s fixes need to include patching, secret rotation, and much harder scrutiny of the services your teams already rely on every hour.

Find the trust breaks before they turn into incidents

KENSAI helps teams surface exposed attack paths across web apps, developer tooling, identity, and cloud systems before small trust failures become expensive breaches.

Free Scan →

Stay sharp.

🗡️ KENSAI Security Team