Weekly Intelligence Brief — April 12, 2026
The Two Paths Out of Islamabad
The first face-to-face talks between the United States and Iran since the 2015 nuclear negotiations lasted 21 hours and collapsed. VP Vance left Pakistan without scheduling a follow-up. Iran's parliamentary speaker said Tehran has "no trust in the opposing side." Hours later, Trump floated the idea of a full naval blockade on Iran.
There is no framework. No timeline. No agreement on what peace looks like. Iran wants sovereignty over the Strait of Hormuz, a full sanctions lift, and enrichment rights. The US wants denuclearization. Those positions aren't close, and the people who were supposed to close the gap just left the table.
Here is what makes this moment different from every crisis before it. The Strait of Hormuz has never been fully closed. During the Iran-Iraq Tanker War from 1984 to 1988, both sides attacked more than 450 commercial vessels and sank 55. Even then, oil flow never dropped below 98% of normal. Ships kept sailing because the economics justified the risk. In 2019, Iran attacked two tankers in the Gulf of Oman. Just two. Shipping rates jumped nearly 40% in 48 hours and insurance premiums spiked tenfold overnight. Markets calmed within two weeks because nothing followed. Every historical disruption at Hormuz has been partial or brief, and every one of them moved markets violently.
This is the first full closure. It's been six weeks. And it now has no diplomatic process behind it.
The Strait has been mined since February. The US Navy sent two destroyers through for the first time this week. Underwater drones are preparing to clear mines, but the Navy decommissioned its dedicated mine clearance ships last year and analysts say the strait can't be cleared by the April 22 ceasefire deadline. Two tankers that attempted transit on Saturday reversed course when news of the collapse broke. They're now sailing in circles near the entrance. A giant billboard went up in Tehran's Revolution Square: "The Strait of Hormuz remains closed."
The United States is a net energy exporter. We don't need Hormuz oil. But oil is a global commodity, and 90% of Japan's supply, roughly two-thirds of South Korea's, and half of India's flows through that strait. Their shortage is your price. More than 800 ships are still trapped. Thirty percent of the world's fertilizer trade is blocked. Freight rates are up 30%. Jet fuel has doubled. JP Morgan warned oil could hit $120 if the stalemate reaches July. Economists estimate that a closure lasting one to three months pushes oil above $150 and takes up to 1.5% off global GDP. Past three months and you're in 1973 territory.
The Houthis are already running a parallel tollbooth at Bab al-Mandeb, the chokepoint at the other end of the Arabian Peninsula. If both close, a quarter of global energy supply is blocked.
Every week Hormuz stays closed, the damage compounds. Shipping contracts get renegotiated. Insurance premiums reset permanently. Manufacturers find alternative suppliers and don't switch back. Six weeks is a disruption. Six months reshapes global trade routes. A year, and the companies that adapted early have a structural advantage over the ones that waited for normal to return.
The Takeaway: Six weeks of closure is already the longest full shutdown of the world's most important shipping lane in history. There is no precedent and no diplomatic process to end it. The effects aren't limited to oil companies and shipping lines. They cascade through petroleum derivatives, fertilizer, fuel surcharges, manufacturing inputs, and the price of everything your customers buy. The longer it lasts, the more global commerce rewrites itself around the closure. Some of those changes will favor your business. Some won't. But the companies mapping their exposure now get to choose how they adapt. The ones that aren't will find out what changed after the fact.
Sources: NPR — US-Iran Peace Talks in Islamabad Collapse - Bloomberg — Supertankers U-Turn in Hormuz as Talks Break Down - CRS — Strait of Hormuz Non-Oil Shipments (R48903) - FreightWaves — Asia-US Rates Up 29% - Lloyd's War Risk Registry — Iran-Iraq Tanker War Data - Al Jazeera — Bab al-Mandeb Threat
The Island That Makes Your Chips Had a Bad Week
Over 90% of the world's most advanced semiconductors are made in Taiwan. The chips in your servers, your laptops, your phones. One island.
China claims Taiwan belongs to it. Taiwan disagrees. That standoff has held for 75 years, and the reason your supply chain works is that both sides have kept it stable enough to keep the factories running. This week, that stability took hits from three directions.
First, China's president hosted the leader of Taiwan's opposition party in Beijing for the first time in a decade. She pledged to slow Taiwan's military buildup if her party wins power in 2028. China isn't just pressuring Taiwan militarily. It's backing a political candidate who would make the pressure unnecessary.
Second, China's military locked down airspace off its coast for 40 straight days, the longest airspace restriction on record. Normal drills last a few days. This one runs six weeks. Defense analysts say it's aimed at Japan, America's closest military ally in the Pacific. At the same time, American weapons that Taiwan has already paid for are stuck in a legislative backlog and haven't shipped.
Third, China still controls 98% of the world's supply of heavy rare earths, the materials inside every piece of electronics your company buys. Export restrictions on seven of those materials have been active since last year, and a planned expansion to five more was only paused temporarily as a trade bargaining chip.
All of this happened in a week when the world's attention was on Iran.
The Takeaway: You probably don't buy semiconductors directly. But your laptop vendor does. Your cloud provider does. Your phone carrier, your payment processor, your building access system, your security cameras. A 90-day disruption to Taiwan's chip production wouldn't show up as a line item on your budget. It would show up as lead times doubling on every piece of hardware you try to replace, upgrade, or expand. And the rare earth restrictions work the same way. You don't buy samarium. But the company that makes your servers does. Ask your IT and procurement teams a simple question: if hardware lead times doubled tomorrow, what breaks first?
Sources: CNBC — Xi Meets Taiwan Opposition Leader in Beijing - Taipei Times — China Reserves Offshore Airspace for 40 Days - CNN — US Intelligence: China Preparing Weapons to Iran - CSIS — China's Rare Earth Restrictions
Every Phone in Your Building Is for Sale
A tool called Webloc can track 500 million mobile devices in real time. Not through malware. Not through a warrant. Through the advertising data your phone broadcasts every time an app checks for ads.
Citizen Lab published the findings this week. Penlink, a US surveillance company, built Webloc by buying location data from the same ad exchanges that serve you banner ads. Every time an app on your phone pings an ad network, it shares your GPS coordinates and a unique advertising ID. Data brokers collect those pings, bundle them, and sell them. Penlink's customers include ICE, the US military, Hungarian intelligence, and El Salvador's national police. Seventy-two members of Congress have called for an investigation.
The government surveillance angle got the headlines. The business risk is worse.
Anyone with a credit card can buy this data. No clearance. No warrant. No disclosure requirement. Competitive intelligence firms, hedge funds, private investigators, hostile acquirers, or a disgruntled former employee with a few hundred dollars. The data is commercial, legal to purchase, and precise enough to track an individual device to a specific building, floor, and meeting room.
This isn't theoretical. In 2021, a Catholic news outlet bought broker data and tracked a priest to gay bars via his Grindr advertising ID. He resigned within days. In 2019, the New York Times used broker data to track a senior DOD official from the Pentagon to his home. In 2022, researchers used commercially available data to identify devices inside NSA headquarters, CIA facilities, and military bases. None of these required hacking. All of it was for sale.
Your executives travel. They visit clients, partners, lawyers, investment banks. They sit in board meetings where M&A strategy gets discussed. Their phones are in their pockets, broadcasting location to ad networks the entire time. Anyone who wants to know where your CEO was last Tuesday can find out for the cost of a software subscription.
The Takeaway: This isn't a surveillance problem. It's a corporate espionage problem that nobody is treating as one. On company-managed devices, your MDM can disable advertising identifiers and enforce app tracking restrictions. But most executives carry personal phones too, and those are completely unmanaged. At minimum, brief your leadership team on disabling ad tracking in their phone settings. It takes thirty seconds and it stops the largest source of commercially available location data.
Sources: Citizen Lab — Penlink's Webloc Surveillance Tool - The Pillar — Catholic Priest Tracked via Grindr Ad Data (2021) - New York Times — One Nation, Tracked (2019)
Three Things You Trust That You Shouldn't
Your security perimeter protects your network. The problem is how much of your business runs on infrastructure that isn't your network. Three stories this week exposed three versions of the same blind spot.
Your employees' home routers. The FBI disclosed Operation Masquerade: Russia's GRU compromised thousands of TP-Link routers across at least 23 states. Not sophisticated zero-days. They exploited a known vulnerability in a $35 router that millions of Americans bought at Best Buy and never updated. Once inside the router, they hijacked DNS to redirect employees to pixel-perfect fake Outlook login pages. Credentials harvested. Then they used those credentials to launch adversary-in-the-middle attacks against corporate Outlook Web Access, intercepting emails and MFA tokens in real time.
Your VPN encrypts the tunnel. It doesn't help if the device at the other end is already compromised. And your company doesn't own that device, doesn't manage it, and in most cases doesn't know what model it is. The GRU wasn't hacking corporations. They were hacking the gap between your employee's home and your network, and that gap has existed since March 2020 when everybody started working from their kitchen table.
Your software's dependencies. North Korean hackers stole the credentials of a maintainer of Axios, an open-source HTTP library downloaded more than 100 million times a week. They injected a cross-platform backdoor into version 1.14.1. This wasn't an obscure package. Axios is in the dependency tree of virtually every modern web application. When your developers run npm install, dozens of packages like Axios pull in automatically. Nobody reviews them line by line.
This week, OpenAI disclosed that the compromised Axios package made it into their macOS app-signing workflow. They're rotating security certificates and forcing app updates by May 8. If OpenAI, a company that employs some of the best security talent on the planet, didn't catch it in their build pipeline, ask yourself honestly whether your team would have.
The deeper problem: most popular open-source projects are maintained by one or two people. The entire modern software economy runs on packages maintained by people who have day jobs, no security budget, and no obligation to your company. One stolen password compromised a package that runs inside applications used by millions of organizations. The Axios maintainer didn't work for you. You've probably never heard of them. But their credentials were the keys to your software supply chain.
Your data's physical path. The UK Ministry of Defence confirmed that three Russian submarines spent a month mapping undersea cable routes in British and North Atlantic waters. One Akula-class attack submarine ran decoy patterns while two deep-sea research submarines from Russia's GUGI unit, a secretive directorate that specializes in undersea operations, surveyed cable infrastructure. The UK deployed a frigate, a tanker, and maritime patrol aircraft to track and deter them. Defence Secretary Healey said any attempt to damage the cables "will not be tolerated."
Ninety-seven percent of intercontinental data travels through undersea cables. Not satellites. Physical cables on the ocean floor, many of them no thicker than a garden hose. Your cloud provider's cross-region replication. Your payment processor's transatlantic settlement. Your video calls to the London office. Your disaster recovery site in Ireland. All of it transits infrastructure that a foreign military just spent a month surveying, timed to coincide with the Iran war so nobody would notice.
Three blind spots. Three things outside your perimeter, maintained by someone else, that your business depends on every day.
The Takeaway: Each of these has a specific question for a specific person. Ask your CISO: do we have any visibility into the routers and home networks our remote workforce connects through, and are we monitoring for DNS anomalies on VPN sessions? Ask your VP of Engineering: when was the last time we audited our dependency tree for packages maintained by fewer than three people, and do we pin versions or auto-update? Ask your Cloud Architect: do we know the physical cable paths our data takes between regions, and what happens to our failover if a North Atlantic cable is cut? If the answer to any of them is "I'd have to check," that's the one to start with Monday morning.
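For the dependency question, a starting point your engineering team can run against a project's `package.json` and `package-lock.json` (an added example, not code from this brief's sources or from the Axios project). It lists direct dependencies that float on a range or tag and every resolved copy of a blocklisted release, including copies nested under another package. The only real value is the Axios version named above; the package names `example-sdk`, `example-lint`, and `demo-app` and all other versions are constructed.

```javascript
// Added example: flag floating version specs and known-bad resolved versions.
const EXACT = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Direct dependencies whose spec is a range or tag, so a fresh resolve can move them.
function findFloating(pkg) {
  const out = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!EXACT.test(spec)) out.push({ name, spec, field });
    }
  }
  return out;
}

// Every resolved copy in a lockfile (v2/v3 "packages" map) that matches the
// blocklist, including copies nested under another package.
function findBlocked(lock, blocklist) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue; // the root project entry has the key ""
    const name = path.slice(idx + "node_modules/".length); // keeps @scope/name intact
    if ((blocklist.get(name) || []).includes(entry.version)) {
      hits.push({ name, version: entry.version, path });
    }
  }
  return hits;
}

// Blocklisted version comes from the brief; everything below is constructed.
const BLOCKLIST = new Map([["axios", ["1.14.1"]]]);
const samplePkg = {
  dependencies: { axios: "1.13.2", "example-sdk": "^2.0.0" },
  devDependencies: { "example-lint": "latest" },
};
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.0.1" },
    "node_modules/axios": { version: "1.13.2" },
    "node_modules/example-sdk": { version: "2.3.0" },
    "node_modules/example-sdk/node_modules/axios": { version: "1.14.1" },
    "node_modules/example-lint": { version: "4.1.0" },
  },
};

console.log("floating:", findFloating(samplePkg));
console.log("blocked:", findBlocked(sampleLock, BLOCKLIST));
```

In the sample, the project pins `axios` exactly, yet the blocklisted release still resolves as a nested copy under `example-sdk`, which is why the check reads the lockfile rather than only `package.json`.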
Sources: FBI/CISA/NSA — Joint Advisory AA26-097A: GRU Router Exploitation - CNBC — OpenAI Identifies Security Issue in Axios Package - UK MoD — Russian Submarine Operation Exposed - Sonatype — 454,600 Malicious Packages in 2025
The Safety Net Is Being Dismantled
The White House proposed cutting CISA's budget by $491 million in FY2026 and another $707 million in FY2027. The combined effect eliminates more than a thousand positions and drops the agency from 3,400 people two years ago to under 2,500. Election security is gone entirely. Chemical facility security is gone. The Joint Cyber Defense Collaborative lost $14 million. There is no Senate-confirmed director.
Those are the numbers. Here's what they mean for your business.
CISA runs free vulnerability scanning for 7,791 critical infrastructure organizations. That number more than doubled in two years because companies that couldn't afford commercial scanning tools got it from the government instead. If your organization uses CISA's scanning services, or your vendors do, that capability is shrinking.
CISA publishes the Known Exploited Vulnerabilities catalog that drives patching priorities across every federal agency and most of the private sector. CISA coordinates joint advisories with the FBI, NSA, and Five Eyes partners — the kind that warned about Iranian PLC exploitation and Russian router hijacking this same week. CISA runs the incident coordination that connects a breach at one company to the pattern affecting fifty others. All of that runs on people, and a thousand of them just got cut.
The CIRCIA rule, which would have required critical infrastructure companies to report cyber incidents within 72 hours, has been delayed to May 2026 and may never take effect. FISA Section 702, the surveillance authority the FBI uses to track foreign cyber actors operating inside US networks, sunsets on April 20. Eight days from now.
This is happening while the US is in an active conflict with a nation-state adversary that is conducting cyber operations against American companies. The Stryker attack, the PLC exploitation, the Handala target list. The threat is escalating and the safety net is being cut simultaneously.
The Takeaway: If your security program depends on any CISA service — vulnerability scanning, advisories, incident coordination, sector-specific guidance — assume it will degrade. Inventory your CISA dependencies now. Budget for commercial replacements where they exist. Join your sector ISAC if you haven't already. The free tier of national cyber defense is disappearing.
Sources: White House FY2027 Budget — DHS/CISA - CISA — Known Exploited Vulnerabilities Catalog - CyberScoop — CISA Budget Cuts and Staffing Reductions - Lawfare — FISA Section 702 Sunset