Delinea | Privileged Access Management Blog

How April’s Attacks Redefined Identity Risk: Threat Report

Written by Gal Diskin | May 21, 2026 12:00:03 PM

Delinea Labs May 2026 Threat Outlook

In this monthly series, Delinea Labs reviews the identity-related activity that had the greatest operational impact over the previous month. We focus on how attacks unfolded, what failed in real environments, and what those failures signal for the month ahead.

April closed with the month’s most significant supply chain attacks, which specifically targeted AI assistant credentials: Claude MCP configs, Kiro settings files, and similar configuration artifacts that nobody has been treating as privileged identities, even though that’s exactly what they are.

That’s where April differs from prior months. The attack surface didn’t expand through new techniques but into territory that organizations haven’t yet started governing.

Here’s Delinea Labs’ outlook for May.

The big theme: The control plane is the target, not the path

The TeamPCP supply chain campaign, which began with a stolen CI/CD token from Trivy in February, reached its most significant escalation in April. TeamPCP used a compromised Checkmarx GitHub Action to publish a trojanized Bitwarden CLI package to npm on April 22. The malicious version was live for approximately 90 minutes. During that window, it harvested GitHub tokens, SSH keys, AWS, GCP, and Azure credentials, and GitHub Actions secrets from developer workstations across thousands of organizations.

Bitwarden is used by over 10 million users and 50,000 businesses, so this campaign’s reach came from trust, not technical sophistication. A single compromised machine identity in a trusted CI/CD pipeline escalated into a credential-harvesting operation at enterprise scale. TeamPCP subsequently partnered with Lapsus$ to convert those identities into ransomware leverage. Lapsus$ added Checkmarx to its leak site. AI startup Mercor confirmed it was among the affected organizations.

What we’re seeing at Delinea Labs: AI credentials enter the attack surface

Several trends from April compound in ways that deserve direct attention:

1. AI assistant configurations are now identity artifacts

The Bitwarden payload specifically targeted Claude MCP configuration files and Kiro settings files, which contain API tokens, server definitions, and authentication endpoints for AI agent integrations. This is the first observed instance of a supply chain campaign explicitly harvesting AI assistant credentials. If an AI agent can reach production systems, its config file is a credential. Attackers have figured that out.

2. Credential stores are high-value targets

The DPRK-linked Omnistealer campaign harvested approximately 300,000 credentials across more than 10 password managers, major browsers, cloud storage platforms, and 60+ crypto wallet extensions. Delivery came through fake job offers on LinkedIn and GitHub. Command-and-control used blockchain transactions, making takedown effectively impossible. Attackers are targeting credential aggregation points because the return per compromise is significantly higher.

3. Non-human identities remain the fastest-growing attack surface

Kubernetes-related threat activity surged 282% in April, with service account tokens used as the primary mechanism for lateral movement across cloud environments. Service accounts authenticate without user interaction, bypass MFA by design, and accumulate access that outlasts the context that created it.
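The service account token path described above can be checked from a plain pod listing. As an added example, not part of the Delinea report, this Python audit (the TTL threshold is an assumption and the sample pods are constructed) flags pods whose spec leaves the token mounted, runs under the namespace default account, or requests a long-lived projected token.

```python
"""Audit Kubernetes pod specs for service account token exposure (added example).

A pod's service account token is mounted unless it opts out, and a compromised
pod can use it against the API server with no user interaction and no MFA.
This flags pods that keep the token mounted, run as the namespace 'default'
account, or request long-lived projected tokens. Input shape follows
`kubectl get pods -o json`; the sample pods below are constructed.
"""
import json

# The automounted projected token lives about one hour by default; anything
# much longer behaves like a static credential (threshold is an assumption).
MAX_TOKEN_TTL_SECONDS = 2 * 3600

def audit_pod(pod: dict) -> list[str]:
    """Return findings for a single pod object."""
    meta, spec = pod.get("metadata", {}), pod.get("spec", {})
    name = f'{meta.get("namespace", "default")}/{meta.get("name", "?")}'
    findings = []
    sa = spec.get("serviceAccountName") or spec.get("serviceAccount") or "default"
    if sa == "default":
        findings.append(f"{name}: runs as the namespace 'default' service account")
    # Mounting is opt-out: only an explicit false at pod level (or on the
    # ServiceAccount object, which is not visible here) disables it.
    if spec.get("automountServiceAccountToken") is not False:
        findings.append(f"{name}: service account token is automounted")
    for vol in spec.get("volumes", []):
        for src in vol.get("projected", {}).get("sources", []):
            tok = src.get("serviceAccountToken") or {}
            ttl = tok.get("expirationSeconds", 3600)
            if tok and ttl > MAX_TOKEN_TTL_SECONDS:
                findings.append(f"{name}: projected token in volume '{vol['name']}' lives {ttl}s")
    return findings

def audit_pod_list(pod_list_json: str) -> list[str]:
    """Audit every item of a PodList document and return all findings."""
    findings = []
    for pod in json.loads(pod_list_json).get("items", []):
        findings.extend(audit_pod(pod))
    return findings

# Constructed sample: one risky pod and one that opts out of the token mount.
SAMPLE_POD_LIST = json.dumps({"items": [
    {"metadata": {"namespace": "payments", "name": "api-7f"},
     "spec": {"containers": [{"name": "api", "image": "example/api"}],
              "volumes": [{"name": "kube-api-access", "projected": {"sources": [
                  {"serviceAccountToken": {"path": "token", "expirationSeconds": 604800}}]}}]}},
    {"metadata": {"namespace": "payments", "name": "worker-3c"},
     "spec": {"serviceAccountName": "worker", "automountServiceAccountToken": False,
              "containers": [{"name": "w", "image": "example/worker"}]}},
]})
```

Run `audit_pod_list` over the output of `kubectl get pods -A -o json` to get a per-pod list of token exposure findings for inventory and scoping.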

4. Social engineering at scale converts identity into infrastructure access

On April 1, Drift disclosed that DPRK-linked group UNC4736 stole $285 million through a six-month campaign that never touched a software vulnerability. Attackers built relationships with contributors through a fake Telegram trading group, compromised developer workstations, and harvested cloud session tokens that gave them direct access to smart contract infrastructure and hot wallets. The entry point was trust, and the credential was the key.

5. Identity is now an operational target in active conflict

During the Iran conflict, cyber operations targeted identity-controlled access pathways into critical infrastructure, including water, energy, and industrial control systems. Coordinated cyber actions disrupted communications and sensor systems ahead of kinetic operations. Control of the identity control plane translated directly into control over real-world infrastructure.

The vulnerability picture

April saw 5,372 CVEs disclosed industry-wide. Of those, 439 were identity-related and 41 directly impacted identity products.

Two CVEs deserve specific attention:

  • CVE-2026-33826 (CVSS 8.0): A Windows Active Directory flaw allowing a low-privileged attacker to send crafted RPC requests and execute code within AD services. Exploitation enables manipulation of authentication flows, privilege escalation, and persistent control over the identity control plane, turning a single flaw into a domain-wide compromise.

  • CVE-2026-4525 (CVSS 8.8): A HashiCorp Vault misconfiguration that allows tokens to be forwarded to backend authentication plugins, enabling token capture and unauthorized access. Vault tokens are trusted identity artifacts. Their exposure bypasses authentication entirely, allowing attackers to operate as valid identities within the environment.

The ratio of identity-related weaknesses to identity product vulnerabilities reinforces a consistent pattern: Attackers rarely need to compromise the identity platform itself. They exploit how identity is enforced—or not enforced—across surrounding systems.

Ransomware activity

The most active groups in April were Qilin (14%), TheGentlemen (13%), and DragonForce (9%). All three continued to follow the same operational model: credential theft as initial access, Active Directory compromise, privileged access abuse, and cloud identity pivoting. Encryption and extortion remain trailing indicators of identity failure that occurred much earlier.

What enterprises should prioritize in May

April’s activity is not a collection of isolated incidents. The organizations most exposed are those still governing identity at the authentication layer rather than at execution.

  1. Treat AI configuration files as privileged credentials. MCP configs, API token stores, and AI agent settings files belong in the same governance framework as service account credentials. If they sit unmanaged on developer workstations, they are an uncontrollable attack surface.

  2. Govern non-human identities actively. The Kubernetes surge and the Vault CVE reflect the same underlying gap: machine identities that accumulate access, rarely get reviewed, and authenticate without human interaction. Inventory, scope, and rotation need to be continuous, not periodic.

  3. Extend privileged access controls to supply chain identities. The TeamPCP cascade demonstrates that trust relationships across vendors, pipelines, and automation tools are part of the identity attack surface. Third-party machine identities need the same visibility and governance as internal ones.

  4. Monitor privileged behavior after authentication. In the Drift incident, the initial access looked like normal developer activity. Detection came only after the theft was complete. Abnormal privilege use, lateral movement, and policy deviations post-authentication are where attacker activity surfaces for organizations equipped to see it.

  5. Patch identity infrastructure with urgency. Both April CVEs carry exploitation windows measured in days. Active Directory and secrets management infrastructure need the same patching cadence as internet-facing systems.
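Section 1 above and priority 1 here turn on the same point: an MCP configuration file holds credentials and should be inventoried like any other credential store. As an added example (not the report's code and not any vendor's tooling; the Kiro file layout and the token patterns are assumptions), this Python scanner walks the mcpServers structure of a constructed config and reports each suspected credential with its JSON path and a redacted preview.

```python
"""Inventory credentials embedded in AI assistant MCP config files (added example).

Scans the `mcpServers` structure used by Claude Desktop's claude_desktop_config.json
and, by assumption here, Kiro's mcp.json, and reports every value that looks like a
credential with its JSON path and a redacted preview, so the file can be handled as
a privileged credential store: inventoried, rotated, and replaced by secret-manager
references. Patterns and the sample config are constructed for the example.
"""
import json
import re

# Key names that conventionally carry secrets, and value shapes of a few token formats.
SECRET_KEY_RE = re.compile(r"token|secret|password|passwd|api[_-]?key|authorization", re.I)
SECRET_VALUE_RE = re.compile(r"^(ghp_[A-Za-z0-9]{20,}|sk-[A-Za-z0-9_-]{20,}|AKIA[A-Z0-9]{16}|Bearer \S{20,})$")

def redact(value: str) -> str:
    """Keep only the first and last four characters so reports do not leak the secret."""
    return value[:4] + "..." + value[-4:] if len(value) > 12 else "***"

def find_credentials(node, path: str = "$") -> list[dict]:
    """Walk a parsed JSON document and return suspected credential leaves."""
    hits = []
    if isinstance(node, dict):
        for key, val in node.items():
            if isinstance(val, str) and (SECRET_KEY_RE.search(key) or SECRET_VALUE_RE.match(val)):
                hits.append({"path": f"{path}.{key}", "key": key, "preview": redact(val)})
            else:
                hits.extend(find_credentials(val, f"{path}.{key}"))
    elif isinstance(node, list):
        for i, val in enumerate(node):
            # Command-line args such as --api-key=... embed secrets too.
            flag, _, rest = val.partition("=") if isinstance(val, str) else ("", "", "")
            if rest and SECRET_KEY_RE.search(flag):
                hits.append({"path": f"{path}[{i}]", "key": flag, "preview": redact(rest)})
            else:
                hits.extend(find_credentials(val, f"{path}[{i}]"))
    return hits

def scan_mcp_config(text: str) -> list[dict]:
    """Parse an MCP config file and report credentials found under mcpServers."""
    return find_credentials(json.loads(text).get("mcpServers", {}), "$.mcpServers")

SAMPLE_CONFIG = json.dumps({"mcpServers": {
    "github": {"command": "npx", "args": ["-y", "@example/github-mcp"],
               "env": {"GITHUB_PERSONAL_ACCESS_TOKEN": "ghp_EXAMPLE00000000000000000000000000"}},
    "deploy": {"command": "deploy-mcp", "args": ["--api-key=sk-EXAMPLEexampleexampleexample"]},
    "docs": {"url": "https://docs.example.internal/mcp",
             "headers": {"Authorization": "Bearer EXAMPLEEXAMPLEEXAMPLEEXAMPLE"}},
    "local": {"command": "python", "args": ["server.py"], "env": {"LOG_LEVEL": "debug"}},
}})
```

Each hit is a credential to register, scope, and rotate; the `local` server, which carries no secret, produces no finding.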

Every month adds a new category to the ungoverned attack surface. April added AI agents. The question for May is whether security teams get ahead of that before attackers fully operationalize it.

Learn how the Delinea Platform powered by Iris AI helps organizations monitor identity activity, reduce standing privilege, and enforce access controls across human and non-human identities.