ADT confirmed Friday that ShinyHunters compromised an employee's Okta SSO account through vishing, pivoted into Salesforce, and is demanding a ransom payment by today. The crew is running the same playbook against 100+ enterprises (Atlassian, HubSpot, Moderna, Panera Bread), and the McGraw Hill leak two weeks ago came from the same campaign. Your help desk is now the primary attack surface: any phone request to reset MFA or re-establish an SSO session needs out-of-band callback verification to a number already on file, or you are one social-engineered employee away from SaaS-wide exfiltration. Audit today who can reset MFA factors in your IdP, and force step-up authentication on any pivot from Okta into Salesforce.
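As an added example (not part of this brief, and not an Okta or Salesforce product feature), the correlation below flags the chain just described: a help-desk-initiated MFA factor reset followed within a short window by an SSO into Salesforce, with a note on whether the sign-in came from an IP never seen for that user. Event type names and field layout mirror Okta's System Log as assumed here; map them to your own IdP's schema. All events and the IP baseline are constructed.

```python
"""Flag an MFA factor reset followed shortly by an SSO into a sensitive app.

Added example: event type names and field layout are assumptions modelled on
Okta's System Log, not verified product behaviour. Sample data is constructed.
"""
from datetime import datetime, timedelta

# Assumed Okta System Log event types emitted when an admin resets a user's factors.
RESET_EVENTS = {"user.mfa.factor.reset_all", "user.mfa.factor.deactivate"}
SSO_EVENT = "user.authentication.sso"  # assumed: user signed into an app via SSO

# Constructed sample log (not real telemetry). Timestamps are UTC.
SAMPLE_LOG = [
    {"eventType": "user.mfa.factor.reset_all", "published": "2026-04-24T10:00:00.000Z",
     "outcome": {"result": "SUCCESS"},
     "actor": {"alternateId": "helpdesk.tier1@example.com", "type": "User"},
     "client": {"ipAddress": "203.0.113.10"},
     "target": [{"type": "User", "alternateId": "alice@example.com"}]},
    {"eventType": "user.session.start", "published": "2026-04-24T10:03:00.000Z",
     "outcome": {"result": "SUCCESS"},
     "actor": {"alternateId": "alice@example.com", "type": "User"},
     "client": {"ipAddress": "198.51.100.7"}, "target": []},
    {"eventType": "user.authentication.sso", "published": "2026-04-24T10:05:00.000Z",
     "outcome": {"result": "SUCCESS"},
     "actor": {"alternateId": "alice@example.com", "type": "User"},
     "client": {"ipAddress": "198.51.100.7"},
     "target": [{"type": "AppInstance", "displayName": "Salesforce"}]},
    # bob: reset, but the SSO comes hours later, outside the window -> not flagged
    {"eventType": "user.mfa.factor.reset_all", "published": "2026-04-24T08:00:00.000Z",
     "outcome": {"result": "SUCCESS"},
     "actor": {"alternateId": "helpdesk.tier1@example.com", "type": "User"},
     "client": {"ipAddress": "203.0.113.10"},
     "target": [{"type": "User", "alternateId": "bob@example.com"}]},
    {"eventType": "user.authentication.sso", "published": "2026-04-24T11:30:00.000Z",
     "outcome": {"result": "SUCCESS"},
     "actor": {"alternateId": "bob@example.com", "type": "User"},
     "client": {"ipAddress": "203.0.113.77"},
     "target": [{"type": "AppInstance", "displayName": "Salesforce"}]},
    # carol: SSO with no preceding reset -> normal, not flagged
    {"eventType": "user.authentication.sso", "published": "2026-04-24T10:10:00.000Z",
     "outcome": {"result": "SUCCESS"},
     "actor": {"alternateId": "carol@example.com", "type": "User"},
     "client": {"ipAddress": "203.0.113.80"},
     "target": [{"type": "AppInstance", "displayName": "Salesforce"}]},
]

# Constructed baseline: IPs each user has previously signed in from.
KNOWN_IPS = {
    "alice@example.com": {"203.0.113.50"},
    "bob@example.com": {"203.0.113.77"},
    "carol@example.com": {"203.0.113.80"},
}


def _ts(event):
    return datetime.fromisoformat(event["published"].replace("Z", "+00:00"))


def _app_name(event):
    for t in event.get("target", []):
        if t.get("type") == "AppInstance":
            return t.get("displayName", "")
    return ""


def find_reset_then_sso(events, app="Salesforce", window_minutes=30, known_ips=None):
    """Return one alert per (reset, SSO) pair where a user's factors were reset and
    the same user then SSO'd into `app` within `window_minutes`. Each alert names
    the help-desk actor who performed the reset and whether the SSO source IP is
    new for that user."""
    window = timedelta(minutes=window_minutes)
    known_ips = known_ips or {}
    resets = {}  # user -> [(time of reset, actor who performed it)]
    for e in events:
        if e["eventType"] in RESET_EVENTS and e.get("outcome", {}).get("result") == "SUCCESS":
            for t in e.get("target", []):
                if t.get("type") == "User":
                    resets.setdefault(t["alternateId"], []).append((_ts(e), e["actor"]["alternateId"]))
    alerts = []
    for e in sorted(events, key=_ts):
        if e["eventType"] != SSO_EVENT or app.lower() not in _app_name(e).lower():
            continue
        user = e["actor"]["alternateId"]
        ip = e.get("client", {}).get("ipAddress")
        for reset_at, reset_by in resets.get(user, []):
            gap = _ts(e) - reset_at
            if timedelta(0) <= gap <= window:
                alerts.append({
                    "user": user, "reset_by": reset_by, "app": _app_name(e),
                    "minutes_after_reset": gap.total_seconds() / 60,
                    "sso_ip": ip, "ip_new_for_user": ip not in known_ips.get(user, set()),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_reset_then_sso(SAMPLE_LOG, known_ips=KNOWN_IPS):
        print(alert)
```

Run against a real export, the `reset_by` field is the list of help-desk identities you want to reconcile against the callback-verification tickets for the same window; a reset with no matching ticket is the finding.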

Bitwarden CLI was malicious for 90 minutes

For roughly 90 minutes on April 22, the official @bitwarden/[email protected] npm package shipped a Shai-Hulud worm payload that harvested CI/CD secrets and GitHub tokens. About 334 developers pulled it before it was yanked, and the same campaign already hit Checkmarx earlier this month. End-user vaults are not affected, but every CI pipeline that installed the package unpinned (or as "latest") in that window needs its secrets rotated and its GitHub Actions workflows audited for tokens the payload could have read. Treat an npm package update from a security vendor with the same skepticism you would give an unsigned binary: pin exact versions, and do not let a fresh release reach CI on the day it ships.
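The audit the brief calls for starts with knowing where a package is installed unpinned. The script below is an added example, not code from the brief or from Bitwarden: it walks a repository for package.json, package-lock.json (lockfileVersion 2 or 3) and GitHub Actions workflow files, and reports every reference to a watched package whose version is a range, a tag such as "latest", or absent. The sample tree it builds is constructed with placeholder versions; the affected release is not reproduced here, so compare the lockfile's resolved version against the advisory yourself. The workflow regex is a heuristic over npm/npx/pnpm/yarn command lines and will not catch installs hidden in scripts the workflow calls.

```python
"""Audit a repo for unpinned installs of a watched npm package.

Added example (not from the brief or the vendor). Scans package.json,
package-lock.json and .github/workflows/*.yml for the watched package and
flags floating version specs. Sample tree and versions are constructed.
"""
import json
import re
import tempfile
from pathlib import Path

WATCHED = "@bitwarden/cli"
# An exact semver, optionally with a prerelease/build suffix. Anything else floats.
EXACT = re.compile(r"^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$")


def is_exact(spec):
    return bool(EXACT.match(spec.strip()))


def audit_package_json(path, package=WATCHED):
    data = json.loads(Path(path).read_text())
    out = []
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        spec = data.get(section, {}).get(package)
        if spec is not None:
            out.append({"file": str(path), "kind": section, "spec": spec, "pinned": is_exact(spec)})
    return out


def audit_lockfile(path, package=WATCHED):
    """Report the resolved version so it can be compared against a known-bad release."""
    data = json.loads(Path(path).read_text())
    out = []
    for key, meta in data.get("packages", {}).items():  # lockfileVersion 2/3 layout
        if key.endswith("node_modules/" + package):
            version = meta.get("version", "")
            out.append({"file": str(path), "kind": "lockfile", "spec": version,
                        "pinned": is_exact(version)})
    return out


def audit_workflow(path, package=WATCHED):
    """Flag npm/npx/pnpm/yarn invocations of the package with no exact version."""
    pat = re.compile(r"\b(?:npm|npx|pnpm|yarn)\b[^\n]*?" + re.escape(package) + r"(?:@([^\s'\"]+))?")
    out = []
    for lineno, line in enumerate(Path(path).read_text().splitlines(), 1):
        m = pat.search(line)
        if m:
            spec = m.group(1) or "latest"  # no suffix means the registry's latest tag
            out.append({"file": f"{path}:{lineno}", "kind": "workflow", "spec": spec,
                        "pinned": is_exact(spec)})
    return out


def audit_tree(root, package=WATCHED):
    root = Path(root)
    out = []
    for p in root.rglob("*"):
        if "node_modules" in p.parts or not p.is_file():
            continue
        if p.name == "package.json":
            out += audit_package_json(p, package)
        elif p.name == "package-lock.json":
            out += audit_lockfile(p, package)
        elif p.suffix in (".yml", ".yaml") and ".github" in p.parts:
            out += audit_workflow(p, package)
    return out


def build_sample_tree(root):
    """Write a constructed repo layout with placeholder versions (not a real project)."""
    root = Path(root)
    (root / "package.json").write_text(json.dumps({"dependencies": {WATCHED: "^1.2.0"}}))
    (root / "package-lock.json").write_text(json.dumps(
        {"lockfileVersion": 3, "packages": {"node_modules/" + WATCHED: {"version": "1.2.3"}}}))
    wf = root / ".github" / "workflows"
    wf.mkdir(parents=True)
    (wf / "secrets-sync.yml").write_text(
        "jobs:\n  sync:\n    steps:\n"
        "      - run: npm install -g @bitwarden/cli\n"
        "      - run: npx @bitwarden/cli@1.2.3 --version\n")


def run_sample_audit():
    """Build the constructed tree in a temp dir and return its findings."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_tree(d)
        return audit_tree(d)


if __name__ == "__main__":
    for f in run_sample_audit():
        print("PINNED  " if f["pinned"] else "FLOATING", f)
```

Point `audit_tree` at each repository that feeds a pipeline; any "FLOATING" hit in a workflow is a pipeline that would have pulled whatever the registry served during the 90-minute window, and is where secret rotation starts.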

Powered by the DoGood network

The data in this issue came from priority submissions by 5,000+ enterprise IT leaders. If you run IT or security at a $100M+ company and want to see what your peers are funding — and earn rewards for participating in vetted meetings with the vendors worth your time — apply to join DoGood.

CISA gives SimpleHelp users 11 days

CISA added two SimpleHelp remote-support flaws (CVE-2024-57726, CVE-2024-57728) to its KEV catalog on Thursday with a federal patch deadline of May 8. Both have been used as ransomware precursors since last year, including in DragonForce campaigns, and SimpleHelp is embedded across MSP and IT toolchains as a low-friction remote-control option. If your help desk or any contracted MSP runs SimpleHelp, do not wait for the federal deadline: inventory internet-exposed instances this week, patch to the vendor's latest release, and review API keys created from technician accounts for privileges beyond the technician role, since that is how the privilege-escalation flaw breaks the role model.

Watch This

Identity at the SaaS perimeter is where next quarter's enterprise breach reports will come from. Verizon's DBIR shows third-party involvement in breaches doubled to 30% year over year, and exploitation of edge devices jumped 8x in a single year. The IdP is no longer just an authentication layer; it is the trust anchor for every connected SaaS application, and SLSH-style attacks are built to exploit exactly that.

This week, DoGood network members are pulling forward help-desk reauthentication audits and SSO-to-SaaS step-up controls. If you run IT or security at a $100M+ company, that is the conversation your peers are already having.

The CXO Brief is powered by the DoGood network, 5,000+ IT leaders sharing what they are actually working on.

