SANS Stormcast Friday April 24th, 2026: Apple Update; Bitwarden Compromise; ASP.NET Core Patch

SANS Internet StormCast

Apr 24, 2026

Why It Matters

These vulnerabilities affect millions of users and developers, exposing sensitive communications, password manager credentials, and web application secrets. Prompt remediation is critical to prevent data theft and maintain trust in widely used platforms, making the episode highly relevant for security professionals and anyone relying on these services.

Key Takeaways

  • Apple patched iOS notification deletion bug exploited by FBI
  • Bitwarden CLI compromised via GitHub worker malware chain
  • Same malware infrastructure ties Bitwarden breach to Checkmarx attack
  • Microsoft issued urgent ASP.NET Core data protection patch
  • Developers must re-release apps and rotate credentials after patch

Pulse Analysis

Apple issued a single‑patch update for iOS and iPadOS that fixes a notification‑center flaw where deleted notifications persisted. The vulnerability was referenced in a recent FBI case that recovered partial Signal messages, confirming active exploitation. Because many end‑to‑end encrypted apps rely on the operating system’s notification subsystem, remnants can leak sensitive metadata even when the app attempts to erase them. The patch removes the residual data, raising the bar for attackers targeting secure messengers and reminding vendors to consider OS‑level artifact handling in their threat models.

Bitwarden’s command‑line interface was compromised after attackers hijacked a GitHub Actions worker, a technique first seen in the earlier Checkmarx‑related supply‑chain breach. The same malicious infrastructure harvested GitHub API keys and other developer credentials, suggesting that any organization using the affected CLI may have had its tokens exfiltrated. While the breach does not appear to target vault‑stored passwords, the exposure of authentication tokens can enable further lateral movement. Users should verify their CLI version, pause updates until details emerge, and rotate all GitHub and related secrets immediately.

Microsoft released an emergency fix for the ASP.NET Core data‑protection library after discovering a padding‑oracle flaw that allowed attackers to spoof user identities and bypass cryptographic checks. The issue mirrors a 2010 vulnerability (MS‑10‑70) and requires developers to rebuild and redeploy any applications that depend on the affected package. In addition to updating the library via NuGet, organizations must rotate any keys or certificates that were used with the vulnerable version to prevent replay attacks. Prompt remediation protects .NET services from credential theft and preserves trust in enterprise applications.

Episode Description

Apple Patches Exploited Notification Flaw

https://isc.sans.edu/diary/Apple%20Patches%20Exploited%20Notification%20Flaw/32922

https://socket.dev/blog/bitwarden-cli-compromised

https://community.bitwarden.com/t/bitwarden-statement-on-checkmarx-supply-chain-incident/96127

https://github.com/dotnet/announcements/issues/395
