This pack covers two converging threat clusters active in Q1 2026: a supply-chain credential theft campaign targeting Vercel’s cloud development infrastructure via infostealer-harvested OAuth tokens (attributed with medium confidence to ShinyHunters), and a publicly exploited Kerberos relay vulnerability in Microsoft AD CS that bypasses NTLM-blocking controls. The Vercel breach cluster demands immediate credential rotation and a pipeline audit at every organization using Vercel-hosted environment variables. CVE-2026-20929 requires urgent patching of AD CS web enrollment endpoints before the available proof-of-concept drives broader exploitation.