Unusual Activity and Vulnerabilities Reported by SANS and Wiz

🎬 On April 29, 2026, the SANS Internet Storm Center reported unusual activity in honeypots involving the X-Vercel-Set-Bypass HTTP header, which is used to bypass Vercel’s protection mechanisms like rate limiting. Attackers sent requests with this header, including an undocumented SameSite=None; Secure cookie attribute, potentially aiming to exploit cookie leakage or misconfigurations. The requests originated from open proxy servers, though the exact attacker intent remains unclear. Separately, security research firm Wiz disclosed a GitHub vulnerability affecting on-premises deployments, where improper sanitization of git pull commands in GitHub’s bobbled proxy led to OS command injection. GitHub patched the flaw within hours, confirming no exploitation occurred. Microsoft’s April Patch Tuesday included enhanced warnings for RDP files to combat phishing, though a subsequent issue caused garbled text in security prompts due to display scaling mismatches. The episode highlighted rapid vendor responses to critical vulnerabilities.