
Single Cloud Fleet Drives CVE‑2026‑4020 Attacks

Hacker News

HoneyLabs found that the bulk of CVE‑2026‑4020 attacks come from a single operator running a fleet of transient Google Cloud instances. The attacker hides behind 3,299 rotating user‑agents, yet every request carries the same JA4H hash, revealing one highly coordinated operation that scanned over 36,000 ports for exposed secrets across developers' infrastructure deployments daily.

The exploit surfaced through the Gravity SMTP plugin's vulnerable REST endpoint, which returned a 365 KB report containing SMTP credentials, SendGrid and Mailgun keys, and DKIM tokens. HoneyLabs logged 566 distinct IPs, 99.1% of them sharing the same JA4H fingerprint, proving that what looked like hundreds of actors was in fact one orchestrated sweep across 92 networks in 43 countries.

Defenders should block exposed .env, .git, and actuator endpoints, and rotate any leaked keys. Updating to Gravity SMTP 2.1.5 closes the immediate disclosure vector, but the broader wordlist attack remains. A single JA4H hash turned 566 anonymous addresses into one traceable operation, underscoring that client fingerprinting can expose hidden cloud‑rented harvesting campaigns to the security teams who monitor their infrastructure.
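The correlation HoneyLabs describes, rotating IPs and user-agents collapsing into one JA4H cluster, is straightforward to reproduce over your own honeypot or web-server logs. The script below is an added example, not HoneyLabs' tooling or code from the article: it assumes a tab-separated log of timestamp, source IP, JA4H hash, user-agent and request path (the JA4H values and IPs are constructed placeholders, not real fingerprints), groups requests by fingerprint, reports the fingerprint that covers the largest share of distinct source IPs, and lists hits on the sensitive paths the article names (.env, .git, actuator).

```python
"""Cluster HTTP requests by JA4H fingerprint to spot one operator behind many IPs.

Added example; assumes a tab-separated log format (timestamp, ip, ja4h,
user_agent, path). JA4H values below are constructed placeholders.
"""
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample log: three source IPs rotate four user-agents but share
# one JA4H hash and probe secret-bearing paths; a fourth IP is unrelated.
SAMPLE_LOG = """\
2026-05-01T10:00:01Z\t203.0.113.10\tJA4H_PLACEHOLDER_A\tMozilla/5.0 (Windows NT 10.0) Chrome/124\t/.env
2026-05-01T10:00:02Z\t203.0.113.11\tJA4H_PLACEHOLDER_A\tcurl/8.5.0\t/.git/config
2026-05-01T10:00:03Z\t203.0.113.12\tJA4H_PLACEHOLDER_A\tpython-requests/2.31\t/actuator/env
2026-05-01T10:00:04Z\t203.0.113.10\tJA4H_PLACEHOLDER_A\tMozilla/5.0 (X11; Linux) Firefox/125\t/.env
2026-05-01T10:00:05Z\t198.51.100.7\tJA4H_PLACEHOLDER_B\tMozilla/5.0 (Macintosh) Safari/17\t/index.html
"""


@dataclass(frozen=True)
class Request:
    timestamp: str
    ip: str
    ja4h: str
    user_agent: str
    path: str


@dataclass
class Cluster:
    """Everything seen under one JA4H fingerprint."""
    ja4h: str
    ips: set = field(default_factory=set)
    user_agents: set = field(default_factory=set)
    paths: Counter = field(default_factory=Counter)

    @property
    def request_count(self) -> int:
        return sum(self.paths.values())


def parse_log(text: str) -> list[Request]:
    """Parse the assumed tab-separated format; reject malformed lines loudly."""
    requests = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != 5:
            raise ValueError(f"malformed log line: {line!r}")
        requests.append(Request(*parts))
    return requests


def cluster_by_ja4h(requests: list[Request]) -> dict[str, Cluster]:
    """Group requests by fingerprint, collecting IPs, UAs and paths per cluster."""
    clusters: dict[str, Cluster] = {}
    for r in requests:
        c = clusters.setdefault(r.ja4h, Cluster(r.ja4h))
        c.ips.add(r.ip)
        c.user_agents.add(r.user_agent)
        c.paths[r.path] += 1
    return clusters


def dominant_cluster(requests: list[Request], min_ip_share: float = 0.5):
    """Return (ja4h, share_of_distinct_ips) for the fingerprint that covers the
    most source IPs, or None if no fingerprint reaches min_ip_share."""
    clusters = cluster_by_ja4h(requests)
    total_ips = len({r.ip for r in requests})
    if total_ips == 0:
        return None
    best = max(clusters.values(), key=lambda c: len(c.ips))
    share = len(best.ips) / total_ips
    return (best.ja4h, share) if share >= min_ip_share else None


# Paths the article says defenders should keep off the public internet.
SENSITIVE_PREFIXES = ("/.env", "/.git", "/actuator")


def sensitive_path_hits(requests: list[Request], prefixes=SENSITIVE_PREFIXES) -> list[Request]:
    """Requests touching secret-bearing paths, for alerting and key rotation."""
    return [r for r in requests if r.path.startswith(prefixes)]


if __name__ == "__main__":
    reqs = parse_log(SAMPLE_LOG)
    for c in cluster_by_ja4h(reqs).values():
        print(f"{c.ja4h}: {len(c.ips)} IPs, {len(c.user_agents)} user-agents, {c.request_count} requests")
    print("dominant:", dominant_cluster(reqs))
    for r in sensitive_path_hits(reqs):
        print("sensitive hit:", r.ip, r.path)
```

On the sample, one fingerprint accounts for three of four distinct IPs (a 0.75 share) across four different user-agents, which is the shape of the signal HoneyLabs reported at 99.1% over 566 IPs. The threshold in `dominant_cluster` is deliberately a parameter: on a busy public site one common browser fingerprint will legitimately dominate, so pair the share with the sensitive-path hits before treating a cluster as a single scanning operation.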