What Business Owners Need to Know This Week

Week 18 is a fallout week — no new SA ransomware victims were listed (count holds at 105) — but the W15–W17 incident cascade continued to escalate in severity. Standard Bank confirmed scope expansion on 22 April: credit card numbers, passport and driver’s licence data are now confirmed in the breach, with attacker movement confirmed across SharePoint, OneDrive, Power Apps, and Oracle SQL databases. Both XP95 deadlines (Stats SA and GCRA) lapsed on 20 April — data publication is assessed as near-certain. Polmed/ShinyHunters broke publicly on 20 April, exposing 100,000+ SAPS officers’ data including residential addresses and command structure roles — a national security incident. The Microsoft Defender zero-day trilogy (BlueHammer now patched; RedSun and UnDefend still UNPATCHED with no available fix) demands immediate hunting. The Bitwarden CLI Shai-Hulud supply chain attack (22 April, 93-minute window) demands credential rotation for any SA DevSecOps team using @bitwarden/cli@2026.4.0.

The Bottom Line: The absence of new ransomware listings is not a sign of reduced threat — it reflects that W15–W17 incidents are still unfolding. Standard Bank now encompasses payment cards, government identity documents, and cloud collaboration platforms. Two Defender zero-days remain unpatched with no vendor fix available. The Bitwarden supply chain attack is a direct threat to every DevSecOps team that auto-updated npm packages on 22 April. Manual hunting is the only mitigation for RedSun and UnDefend until patches are released.

The Week in Numbers

  • 0 new SA ransomware victims listed in Week 18 — cumulative count holds at 105.
  • 5 active SA breach investigations ongoing: Standard Bank, Polmed, ETFSA, Stats SA/GCRA fallout, and Adumo.
  • 13 new CISA KEV entries across three batches in Week 18 — up from 7 in Week 17.
  • 93 minutes — the window during which the malicious @bitwarden/cli@2026.4.0 package was available on npm before removal on 22 April.
  • 2 Defender zero-days UNPATCHED (RedSun, UnDefend) with no available vendor fix as of 26 April.
  • 481 patches in Oracle’s April CPU, several of which affect database deployments common in SA.
  • EUR 68.18 million in GDPR fines issued in Q1 2026 — a benchmark for POPIA enforcement trajectory.
  • 788 POPIA notifications in Q1 2026 (IR confirmed 14 April) — equivalent to the entire previous year.

Major Incidents: Who Was Hit and How

Standard Bank — Scope Expanded to Cards, Passports & Cloud Systems

On 22 April, Standard Bank confirmed that the scope of the ROOTBOY breach extends beyond the initially disclosed personal data: credit card numbers, passport numbers, and driver’s licence details are now confirmed as exposed. Forensic investigation confirmed attacker lateral movement across SharePoint, OneDrive, Power Apps, and Oracle SQL databases. The expanding scope transforms this from a CRM data breach into a full cross-platform intrusion affecting payment credentials, biometric identity documents, and collaboration infrastructure. The Information Regulator formal enforcement timeline is expected to accelerate following this disclosure.

XP95 — Deadline Lapsed, Publication Expected

The XP95 20 April publication deadlines for Statistics South Africa and the Gauteng City Region Academy have now lapsed without payment. Publication of 453,362 Stats SA records (HR applicant data) and 429,473 GCRA records (bursary and student data) is assessed as near-certain. Organisations with employees who applied for Stats SA positions or students who applied for GCRA bursaries should treat this as a confirmed secondary PII exposure and initiate breach notification processes.

Polmed / ShinyHunters — SAPS Data Goes Public

The Polmed/ShinyHunters breach broke publicly on 20 April, exposing data on over 100,000 SAPS officers including residential addresses, command structure roles, medical history, and dependent information. This is a national security incident: criminal networks now have potential access to the home addresses and unit assignments of law enforcement personnel. No official SAPS statement was issued in Week 18. The forensic probe is ongoing.

Microsoft Defender Zero-Day Trilogy — Two Still Unpatched

The Microsoft Defender zero-day trilogy status as of 26 April: BlueHammer (CVE-2026-33825) — patched. RedSun (privilege escalation to SYSTEM) and UnDefend (disables AV protection) — still UNPATCHED with no available fix. Huntress confirmed live intrusions using the RedSun/UnDefend chain in combination with FortiGate VPN initial access. Manual threat hunting is the only available mitigation until Microsoft releases patches. Any FortiGate VPN-using organisation is in the highest-risk cohort.

Bitwarden CLI — Shai-Hulud Supply Chain Attack

On 22 April, a malicious version of the Bitwarden CLI package (@bitwarden/cli@2026.4.0) was briefly available on npm for a 93-minute window before removal. The package, internally named “Shai-Hulud,” exfiltrates credentials from the Bitwarden vault to an attacker-controlled endpoint. Any SA DevSecOps team or developer who ran npm install or had auto-update pipelines during this window should assume vault credential compromise and rotate all secrets stored in Bitwarden immediately.
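The action item is to find out whether anything in your estate pinned the withdrawn version. The script below is an added example (not code from this bulletin, from Bitwarden or from npm): it walks a source tree, parses every package-lock.json and npm-shrinkwrap.json it finds in the v1, v2 and v3 lockfile layouts, and reports each lockfile that pins @bitwarden/cli@2026.4.0, including transitive pins pulled in by another package. The lockfiles written by build_demo_tree() are constructed samples, and the "safe" version string in them is made up.

```python
"""Find npm lockfiles that pin the withdrawn @bitwarden/cli@2026.4.0 release.

Added example, not code from the bulletin or from Bitwarden. It walks a source
tree, parses every package-lock.json / npm-shrinkwrap.json (lockfile v1, v2
and v3 layouts) and reports each lockfile that pins the affected version,
including transitive pins. The lockfiles written by build_demo_tree() are
constructed samples; the unaffected version string in them is made up.
"""
import json
import os
import tempfile
from pathlib import Path

AFFECTED_PACKAGE = "@bitwarden/cli"
AFFECTED_VERSIONS = {"2026.4.0"}          # version named in the bulletin
LOCKFILE_NAMES = ("package-lock.json", "npm-shrinkwrap.json")


def _hits_v1(deps, hits):
    """Lockfile v1: nested 'dependencies' maps keyed by bare package name."""
    for name, meta in (deps or {}).items():
        if name == AFFECTED_PACKAGE and meta.get("version") in AFFECTED_VERSIONS:
            hits.append(meta["version"])
        _hits_v1(meta.get("dependencies"), hits)


def _hits_v2(packages, hits):
    """Lockfile v2/v3: flat 'packages' map keyed by node_modules path, so a
    transitive pin appears as '.../node_modules/@bitwarden/cli'."""
    for key, meta in (packages or {}).items():
        if key.endswith("node_modules/" + AFFECTED_PACKAGE) and meta.get("version") in AFFECTED_VERSIONS:
            hits.append(meta["version"])


def scan_lockfile(path):
    """Return the list of affected versions pinned in one lockfile."""
    with open(path, encoding="utf-8") as fh:
        data = json.load(fh)
    hits = []
    if "packages" in data:                # v2 also carries a legacy 'dependencies'
        _hits_v2(data["packages"], hits)  # block; read only one to avoid double counts
    else:
        _hits_v1(data.get("dependencies"), hits)
    return hits


def scan_tree(root):
    """Walk root, skip node_modules, and return [(relative lockfile path, version)]."""
    root = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != "node_modules"]  # lockfiles sit at project roots
        for name in filenames:
            if name in LOCKFILE_NAMES:
                path = Path(dirpath) / name
                for version in scan_lockfile(path):
                    findings.append((path.relative_to(root).as_posix(), version))
    return sorted(findings)


def build_demo_tree(root):
    """Write three constructed lockfiles: a direct v3 pin of the affected
    version, a v1 pin of an unaffected (made-up) version, and a v2 transitive pin."""
    samples = {
        "svc-a/package-lock.json": {
            "lockfileVersion": 3,
            "packages": {
                "": {"dependencies": {AFFECTED_PACKAGE: "2026.4.0"}},
                "node_modules/@bitwarden/cli": {"version": "2026.4.0"},
            },
        },
        "svc-b/package-lock.json": {
            "lockfileVersion": 1,
            "dependencies": {AFFECTED_PACKAGE: {"version": "0.0.0-constructed-safe"}},
        },
        "svc-c/npm-shrinkwrap.json": {
            "lockfileVersion": 2,
            "packages": {
                "node_modules/deploy-helper": {"version": "1.0.0"},
                "node_modules/deploy-helper/node_modules/@bitwarden/cli": {"version": "2026.4.0"},
            },
            "dependencies": {
                "deploy-helper": {"version": "1.0.0",
                                  "dependencies": {AFFECTED_PACKAGE: {"version": "2026.4.0"}}},
            },
        },
    }
    for rel, content in samples.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(json.dumps(content, indent=2), encoding="utf-8")


def run_demo():
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for lockfile, version in run_demo():
        print(f"ROTATE: {lockfile} pins {AFFECTED_PACKAGE}@{version}")
```

Point scan_tree() at the checkout root of each repository and at CI build workspaces; a lockfile that pins the version is the trigger to rotate every secret held in the vault that machine or pipeline could reach, as the bulletin advises. Lockfiles only show what was resolved, so a developer who ran a bare npm install without committing the lock should also be covered by the rotation.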

POPIA and Regulatory

The XP95 deadline lapse creates cascading Section 22 obligations: any organisation that submitted data to Stats SA HR portals or the GCRA bursary system must now assess whether they are a secondary data processor and whether notification to the Information Regulator and affected data subjects is required. The IR’s Q1 2026 figure of 788 breach notifications indicates that enforcement capacity is being built at pace. Oracle’s April CPU (481 patches) triggers Joint Standard 2/2024 patch-assessment documentation requirements for financial-sector entities running Oracle databases. GDPR Q1 fines of EUR 68.18 million set a clear benchmark for the trajectory of POPIA enforcement as the IR’s capacity grows.

Full Intelligence Report

The complete Week 18 technical report covers Standard Bank scope expansion analysis, XP95 post-deadline assessment, Polmed/ShinyHunters public-break details, Defender RedSun/UnDefend hunt playbook, Bitwarden Shai-Hulud IOCs and remediation steps, Oracle CPU patch prioritisation, and structured hunt missions (TH-2026-W18-01 to -04) with full IOC tables.

What Your Business Should Do Right Now

  • Hunt for RedSun and UnDefend immediately: With no vendor patch available, run manual detection queries for FortiGate VPN initial access followed by Defender engine tampering. Check for new SYSTEM-level processes spawned from Defender components and unexpected AV disablement events in your SIEM.
  • Rotate all Bitwarden secrets if you updated npm packages on 22 April: Check npm install logs for @bitwarden/cli@2026.4.0. If any developer or CI/CD pipeline may have installed this version, rotate every credential stored in affected Bitwarden vaults immediately.
  • Activate XP95 secondary breach notifications: If your organisation submitted data to Stats SA HR portals or GCRA bursary programmes, initiate Section 22 notifications to the Information Regulator and prepare communications for affected data subjects. The deadline has lapsed; publication is imminent.
  • Expand Standard Bank breach monitoring: The scope now includes payment cards and government identity documents. Brief your fraud teams to monitor for card-not-present fraud increases and identity document misuse. Review any Standard Bank-linked payment credential stores.
  • Apply the 13 CISA KEV entries: Prioritise the three batches from Week 18 against your asset inventory. Financial-sector entities must document patch assessment timelines under Joint Standard 2/2024.
  • Apply Oracle April CPU patches: Prioritise Oracle database patches relevant to your environment from the 481-patch CPU release. Document remediation for Joint Standard 2/2024 compliance.
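The first action item names two things to hunt for in the SIEM: SYSTEM-level processes spawned from Defender components, and unexpected AV disablement events. The code below is an added example of that hunt logic, not from this bulletin, from Huntress or from Microsoft. It runs the two checks over constructed JSON event records in a Sysmon/Defender-like shape; the Defender operational-log event IDs, the Defender binary directories and the child-process allow-list are this example's assumptions and should be checked against your own telemetry before use. The FortiGate VPN initial-access correlation the bulletin also mentions is left out.

```python
"""Hunt logic for the two Defender indicators the bulletin's action item names:
unexpected AV disablement events, and SYSTEM-level processes spawned from
Defender components. Added example, not from the bulletin, Huntress or
Microsoft. Event records are constructed JSON lines in a Sysmon/Defender-like
shape; the Defender operational-log event IDs, the Defender directories and the
child-process allow-list are this example's assumptions.
"""
import json

DEFENDER_CHANNEL = "Microsoft-Windows-Windows Defender/Operational"

# Defender operational-log events recording protection being switched off (assumed mapping)
PROTECTION_DISABLED_EVENTS = {
    5001: "Real-time protection disabled",
    5010: "Antimalware scanning disabled",
    5012: "Virus scanning disabled",
}

# Directories that hold Defender engine binaries (assumed; lower-case, forward slashes)
DEFENDER_DIRS = (
    "c:/programdata/microsoft/windows defender/platform/",
    "c:/program files/windows defender/",
)

# Children a Defender service legitimately spawns (assumed allow-list)
EXPECTED_CHILDREN = {"msmpeng.exe", "mpcmdrun.exe", "nissrv.exe", "mpdefendercoreservice.exe"}


def _norm(path):
    """Lower-case and use forward slashes so Windows paths compare reliably."""
    return path.replace("\\", "/").lower()


def check_process_create(ev):
    """Sysmon-style process-create record: flag a SYSTEM child of a Defender
    component that is not itself a Defender binary."""
    parent = _norm(ev.get("ParentImage", ""))
    image = _norm(ev.get("Image", ""))
    user = ev.get("User", "").lower()
    if not parent.startswith(DEFENDER_DIRS):
        return None
    if image.rsplit("/", 1)[-1] in EXPECTED_CHILDREN:
        return None
    if user != "nt authority\\system":
        return None
    return {"rule": "defender_child_process", "host": ev.get("Computer"),
            "detail": f"{parent} spawned {image} as SYSTEM"}


def check_defender_log(ev):
    """Defender operational-log record: flag protection-disabled event IDs."""
    if ev.get("Channel") != DEFENDER_CHANNEL:
        return None
    label = PROTECTION_DISABLED_EVENTS.get(ev.get("EventID"))
    if label is None:
        return None
    return {"rule": "defender_protection_disabled", "host": ev.get("Computer"),
            "detail": f"EventID {ev['EventID']}: {label}"}


def hunt(events):
    """Run both checks over an iterable of event dicts; return the findings."""
    findings = []
    for ev in events:
        for check in (check_process_create, check_defender_log):
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample telemetry, one JSON record per line (not real logs).
SAMPLE_EVENTS = r"""
{"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1, "Computer": "WS01", "ParentImage": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.0-0\\MsMpEng.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "User": "NT AUTHORITY\\SYSTEM"}
{"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1, "Computer": "WS01", "ParentImage": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.0-0\\MsMpEng.exe", "Image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.0-0\\MpCmdRun.exe", "User": "NT AUTHORITY\\SYSTEM"}
{"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1, "Computer": "WS02", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "User": "CORP\\alice"}
{"Channel": "Microsoft-Windows-Windows Defender/Operational", "EventID": 5001, "Computer": "WS01"}
{"Channel": "Microsoft-Windows-Windows Defender/Operational", "EventID": 1001, "Computer": "WS02"}
"""


def hunt_sample():
    """Parse the constructed records and run the hunt over them."""
    events = [json.loads(line) for line in SAMPLE_EVENTS.strip().splitlines() if line.strip()]
    return hunt(events)


if __name__ == "__main__":
    for finding in hunt_sample():
        print(f"{finding['host']}: {finding['rule']} :: {finding['detail']}")
```

Of the five constructed records, only the cmd.exe child of MsMpEng.exe and the 5001 protection-disabled event are flagged; the expected MpCmdRun.exe child, the explorer.exe-spawned shell and the routine 1001 scan event pass. In production the same two checks translate directly into SIEM queries; a protection-disabled event on the same host and within a few minutes of a flagged Defender child process is the pairing to escalate first, since that is the sequence the bulletin attributes to the RedSun/UnDefend chain.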