This Week's Cyber Pulse — April 28, 2026
Your weekly intelligence brief for small and mid-size businesses. Sourced, rated, and written in plain English.
Threat Roundup
🔴 HIGH SEVERITY: Third-Party Software Updates as Attack Vector
Two separate incidents this week highlighted the continuing danger of supply chain attacks. In both cases, legitimate software update mechanisms were compromised to deliver malicious payloads to downstream customers — in one case a widely-used accounting software plugin, in the other a network monitoring tool used by SMBs.
Supply chain attacks are particularly dangerous because your own perimeter can be well defended and you are still compromised: the malicious code arrives through a trusted vendor's update channel, often signed with the vendor's own key, so it looks exactly like a routine update.
Why SMBs are disproportionately affected: Enterprise customers have security operations centers (SOCs) that detect anomalous behavior after the compromise. SMBs typically don't, so dwell time (the gap between compromise and detection) is much longer; the sources cited below report a median of 197 days for SMBs versus 12 days for enterprises.
What to do:
- Inventory all third-party software that auto-updates (particularly accounting, HR, and IT management tools)
- Enable change management logging — know what software changed and when
- Evaluate vendors on their security posture before onboarding (see our Vendor Risk Tool)
- Consider application allowlisting (application control) on critical systems, so only approved, signed software can run
Severity: High | Affected: All SMBs | Source: CISA Supply Chain Security Guidance, Mandiant M-Trends 2026
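The "change management logging" and inventory steps above are easiest to act on with a file-integrity baseline over the directories where auto-updating software lives. The script below is an added example for this brief, not code from the newsletter, CISA or any vendor: it snapshots file hashes, reports what changed between snapshots, and compares what is on disk with the checksums the vendor published for the release. The directory layout, file contents and the "vendor manifest" format are constructed for the demo.

```python
# Added example (not code from the Cyber Pulse brief or any vendor): a small
# file-integrity baseline for directories where auto-updating third-party
# software is installed. All paths, file contents and the "vendor manifest"
# below are constructed for the demo.
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record relative path -> sha256/size for every regular file under root."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            baseline[rel] = {"sha256": sha256_of(p), "size": p.stat().st_size}
    return baseline


def diff_baselines(old: dict, new: dict) -> dict:
    """What changed between two snapshots: the 'what changed and when' record."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(k for k in set(old) & set(new)
                      if old[k]["sha256"] != new[k]["sha256"])
    return {"added": added, "removed": removed, "modified": modified}


def check_manifest(baseline: dict, manifest: dict) -> dict:
    """Compare on-disk hashes with the hashes the vendor published for the release.

    mismatched: file present but its hash differs from the published one
    unexpected: file on disk that the vendor never listed (a dropped loader, an extra DLL)
    missing:    file the vendor listed that is not on disk
    """
    mismatched = sorted(k for k in manifest
                        if k in baseline and baseline[k]["sha256"] != manifest[k])
    unexpected = sorted(set(baseline) - set(manifest))
    missing = sorted(set(manifest) - set(baseline))
    return {"mismatched": mismatched, "unexpected": unexpected, "missing": missing}


def save_baseline(baseline: dict, path: Path) -> None:
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Constructed scenario: an accounting plugin directory before and after a
    tampered update. Returns the drift report and the manifest check."""
    genuine_143 = b"plugin build 1.4.3 (genuine vendor bytes)"   # constructed
    config = b"[plugin]\nname=ledger-sync\n"                       # constructed
    # What the vendor published for release 1.4.3 (hypothetical manifest format:
    # relative path -> SHA-256 hex digest).
    manifest = {
        "bin/plugin.dll": hashlib.sha256(genuine_143).hexdigest(),
        "config.ini": hashlib.sha256(config).hexdigest(),
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "app"
        (root / "bin").mkdir(parents=True)
        (root / "bin" / "plugin.dll").write_bytes(b"plugin build 1.4.2 (previous release)")
        (root / "config.ini").write_bytes(config)
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), baseline_file)

        # The update channel was compromised: the binary carries injected code and
        # an extra loader was dropped; config.ini is untouched.
        (root / "bin" / "plugin.dll").write_bytes(genuine_143 + b"\x00injected-stage")
        (root / "bin" / "loader.dll").write_bytes(b"unlisted dropped file")

        after = build_baseline(root)
        return {
            "drift": diff_baselines(load_baseline(baseline_file), after),
            "manifest": check_manifest(after, manifest),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the snapshot before and after each vendor update and keep the JSON files; that gives you the "what changed and when" record even without a SOC. One caveat: a clean manifest check only proves you received what the vendor published. If the vendor's own build pipeline was compromised, as in the SolarWinds case described in the FAQ, the published hash matches the malicious build, which is why the drift log and allowlisting on critical systems still matter.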
🟡 MEDIUM SEVERITY: Managed Service Provider (MSP) Credential Compromise Campaign
A targeted campaign against managed service providers (MSPs) is using compromised MSP credentials to gain access to their SMB client environments. If your IT is managed by an MSP, your security posture is directly dependent on your MSP's security hygiene.
What to ask your MSP:
- Do you require MFA for all technician access to client environments?
- Do you use a privileged access management (PAM) solution?
- What is your incident response plan if your RMM (remote monitoring and management) tool is compromised, and how quickly can you revoke its access to client networks?
- Have you had a security assessment in the past 12 months?
If your MSP can't answer these questions confidently, that's a risk you own.
Severity: Medium | Affected: SMBs using MSPs | Source: CISA Advisory AA26-101A
🟡 MEDIUM SEVERITY: AI-Generated Spear Phishing at Scale
Large language models are being used by threat actors to generate highly personalized spear phishing emails at scale — eliminating the grammatical errors and generic phrasing that most phishing training teaches employees to spot.
Next-generation phishing training needs to focus on process verification (why would payroll ask me to change direct deposit via email?) rather than spotting poorly-written emails.
What to do:
- Update security awareness training to include AI-generated phishing examples
- Implement out-of-band verbal confirmation for any financial transaction or banking-detail change requested via email, using a phone number already on file, never one supplied in the email itself
- CyberStackHub's Security Training Builder includes AI phishing scenario modules
Severity: Medium | Affected: All businesses | Source: Google Threat Analysis Group, IBM X-Force 2026
Compliance Deadline Watch
EU AI Act — August 2, 2026 GPAI Model Obligations
The EU AI Act's obligations for General-Purpose AI (GPAI) model providers become enforceable on August 2, 2026. If your company deploys AI models to EU users or uses GPAI models in products sold to EU customers, technical documentation and transparency obligations apply.
What this means for SMBs:
- Companies that merely use GPAI models (like ChatGPT or Claude via API) as internal tools are not regulated as providers, though deployer duties such as staff AI literacy still apply, and your vendors may carry provider obligations
- If you build AI features into your product on top of a third-party foundation model, you are normally a provider of an AI system rather than a GPAI model provider: your obligations depend on how that system is classified (high-risk or not), and you take on GPAI provider obligations only if you substantially modify the underlying model yourself
- The EU AI Act high-risk classification applies to AI systems in specific sectors (HR hiring, credit scoring, biometrics, critical infrastructure)
Action: If you're building AI features, conduct an EU AI Act classification assessment before August 2026. Our AI Act Compliance Checker covers this.
CMMC Level 2 Third-Party Assessment Window Open
C3PAOs (CMMC Third-Party Assessment Organizations) are now scheduling assessments for Q3/Q4 2026 and booking up quickly. If you need CMMC Level 2 certification by a specific contract deadline, book your C3PAO assessment now — wait times are 6–10 weeks.
Insurance Market Update
Supply chain incidents are now the second-most-common trigger for cyber insurance claims (after ransomware). Insurers are beginning to require vendor security attestations as part of underwriting — specifically, that you can document basic security requirements for your top 5–10 vendors.
Travelers and Zurich now include "supply chain failure" exclusions in standard SMB cyber policies unless the insured can demonstrate a vendor risk management program. A simple vendor questionnaire process (even a lightweight one) may be the difference between covered and uncovered in a supply chain incident.
Use CyberStackHub's Vendor Risk Questionnaire Generator to create and track vendor security attestations.
Tool Spotlight: Vendor Risk Questionnaire Generator
This week's spotlight: our Vendor Risk Tool — generate security questionnaires for your vendors, track their responses, and maintain documentation your cyber insurer can verify.
Given this week's supply chain threat focus, understanding your vendor security posture is the single highest-leverage action you can take right now.
→ Generate vendor risk questionnaires free
Run The Cyber Pulse Stack — Free
Your business has a unique risk profile — specific vendors, specific compliance obligations, specific industry threats. The Cyber Pulse Stack personalizes your weekly security brief to match.
Get it emailed, texted, or downloaded as a PDF.
→ Run The Cyber Pulse Stack free
Frequently Asked Questions
What is a supply chain attack?
A supply chain attack compromises a target by attacking a trusted third-party supplier rather than attacking the target directly. The attacker inserts malicious code into a legitimate software update, hardware component, or service, which is then distributed to all customers of that supplier. The SolarWinds attack (2020) was a high-profile example.
How do I assess my vendor security risk as a small business?
Start with a simple questionnaire covering MFA, patching practices, incident response, and data handling for any vendor with access to your systems or sensitive data. CyberStackHub's Vendor Risk Tool provides a free questionnaire template. For vendors with elevated access, require annual security attestations or SOC 2 Type II reports, and check that the report's scope and date actually cover the service you use.
Does the EU AI Act apply to US small businesses?
The EU AI Act applies to any company whose AI systems are used in the EU, regardless of where the company is headquartered. If your product or service is available to EU users and uses AI (especially in high-risk categories), you may have obligations. The extraterritorial scope is similar to GDPR's approach.
What should I look for when evaluating my MSP's security?
Key indicators of a security-conscious MSP: they require MFA for all admin access, they use a tiered privilege model (not all techs have full access), they have cyber insurance themselves, they've done a third-party security assessment, and they have a documented incident response plan. Ask for their security documentation before renewing your contract.
More editions: This Week's Cyber Pulse Archive
⚡ Run The Cyber Pulse Stack
Get a personalized security brief covering your specific threats, compliance gaps, and insurance readiness — emailed, texted, or as a PDF.