The Grafana GitHub Token Breach: The Front Door Was Identity

Grafana recently disclosed that an unauthorized party obtained a token granting access to the company’s GitHub environment and used it to download portions of its codebase. Grafana confirmed that no customer data or personal information was accessed, invalidated the compromised credentials, and applied additional controls. The response was fast, and the containment was effective.

Kevin Surace
2 minute read

Nitrogen Ransomware, Foxconn, and the Identity Architecture Problem Reshaping Enterprise Security

The Foxconn incident tied to the Nitrogen ransomware group is instructive — not because it reveals new attack techniques, but because it confirms a structural shift in how enterprise environments are compromised. Attackers are no longer primarily exploiting unpatched software. They are compromising identity systems, inheriting trusted sessions, and moving laterally through legitimate administrative pathways. This is not an emerging trend. It is the established model.

Kevin Surace
3 minute read

Insurance Is Now the Primary Target for Identity Attacks

Insurance carriers are not being targeted because their security teams have failed. They are being targeted because their operating model exposes identity at scale, and attackers know exactly where that exposure sits.

Kevin Surace
2 minute read

An Analysis of the Canvas Breach

Canvas was not compromised one school at a time. The breach appears to have originated at a single, high-trust layer—the privileged access tier that spans the entire platform. The evidence now supports a clear conclusion: this was almost certainly an identity compromise at the privileged access layer. Not a student credential incident. Not 9,000 separate school intrusions. Not a novel zero-day exploit that somehow reached every campus simultaneously.

Kevin Surace
3 minute read

Salesforce Is the New Identity Goldmine — and Auth Apps Aren't the Answer

A repeatable, industrialized attack pattern is compromising Salesforce environments across regulated industries. The vulnerability is not in Salesforce. It is in the authentication model that controls access to it.

Kevin Surace
6 minute read

Identity Is Under Attack. The Architecture Must Change.

CrowdStrike is now tracking two financially motivated threat groups—Cordial Spider and Snarky Spider—that are systematically targeting identity platforms and SaaS environments across aviation, retail, financial services, healthcare, legal, and technology sectors. Their methods: voice phishing, social engineering, and spoofed SSO pages. Their objective: valid access, obtained without defeating a single firewall.

Kevin Surace
3 minute read

Snowflake: Valid Credentials. Invalid Identity.

When a cloud platform makes headlines for a breach, attention falls on the platform. Was there a vulnerability? Was encryption broken? Was access control misconfigured? In the Snowflake-related incidents, those questions are the wrong ones. Snowflake was not breached. The platform performed exactly as designed. What failed was identity.

Kevin Surace
2 minute read

OAuth Phishing Has Made MFA Irrelevant

OAuth phishing has fundamentally changed the identity attack surface. It does not defeat MFA — it renders MFA irrelevant. Classic phishing targets credentials. OAuth phishing targets authorization. Attackers trick users into granting access to a malicious application. The user never enters a password. No MFA prompt appears. The attacker receives a valid OAuth token and gains persistent access — entirely within the normal login flow.

Kevin Surace
1 minute read

Hospitality and Retail Breaches Prove MGM Was Not a One-Off

The MGM Resorts and Caesars breaches were not anomalies. They were demonstrations of a structural fact: identity that can be reset remotely will eventually be reset by someone who should not have access. What made those incidents significant was not the sophistication of the attack. It was its simplicity. Attackers did not exploit code vulnerabilities. They impersonated employees, contacted help desks, and had authentication reset. Legitimate access followed. Everything else — ransomware, data theft, operational disruption — was a consequence of that first failure.

Kevin Surace
2 minute read

The Vercel Incident Shows the New Shape of Identity Attacks

The most important lesson in Vercel’s April 2026 security bulletin is not simply that internal systems were accessed. It is the likely path the attacker took to get there. According to Vercel, the incident originated with a compromise of Context.ai, a third-party AI tool used by a Vercel employee. The attacker then used that access to take over the employee’s Vercel Google Workspace account, which in turn enabled access to some Vercel environments and non-sensitive environment variables.

Kevin Surace
2 minute read

Outsourced Support Desks Cannot Override Cryptographic Identity

Zero trust has a clear mandate: never trust, always verify. Most enterprises apply this principle to their networks, devices, and applications. They rarely apply it to the moment identity leaves their direct control. Outsourced support desks and business process outsourcing providers now handle identity verification for millions of employees and customers. These teams operate under SLAs built around speed and resolution. They rely on scripted questions, knowledge-based verification, and procedural checks. None of these methods produce cryptographic proof.

Kevin Surace
2 minute read

Real-Time Phishing Relay: Why Speed Is No Longer the Attacker’s Edge

For years, MFA was treated as a timing problem. Add enough friction, the thinking went, and attackers would be exposed before they could act. Real-time phishing relay attacks dismantle that assumption. They do not wait for friction. They route around it.

Kevin Surace
2 minute read