
Russian hackers turn Kazuar backdoor into modular P2P botnet
Russian hacker group Secret Blizzard has upgraded the Kazuar backdoor into a modular, peer-to-peer botnet designed for long-term persistence, stealth, and data exfiltration. The malware now uses three modules—Kernel (leader election and task orchestration), Bridge (external C2 proxy), and Worker (keylogging, screenshots, data harvesting, and reconnaissance)—with around 150 configurable options, including AMSI, ETW, and WLDP bypasses. Communications are AES-encrypted and protobuf-serialized via IPC. Microsoft warns this evolution increases evasion, urging defenses to emphasize behavioral detection. The botnet targets government and critical infrastructure across Europe, Asia, and Ukraine.

Critical Funnel Builder WordPress Plugin Bug Exploited to Steal Credit Card Data on WooCommerce Checkouts
Security researchers revealed a critical unauthenticated vulnerability in Funnel Builder for WordPress that injects malicious JavaScript into WooCommerce checkout pages, enabling theft of credit card data. The flaw affects all versions prior to 3.15.0.3 and can be triggered through an exposed checkout endpoint to modify the plugin’s External Scripts setting, loading a skimmer that collects card numbers, CVVs, billing addresses, and other customer data. The malicious payload is disguised as a fake Google Tag Manager/Analytics script and communicates with an attacker-controlled server. FunnelKit released version 3.15.0.3 to fix the issue; admins should update immediately and audit External Scripts for rogue entries. The attack was detected by Sansec and reportedly affects more than 40,000 sites.

Avada Builder WordPress plugin flaws allow site credential theft
Two flaws in the Avada Builder WordPress plugin (CVE-2026-4782 and CVE-2026-4798) could let attackers read arbitrary files (potentially exposing wp-config.php) and perform a time-based SQL injection, affecting roughly one million installations. Exploitation paths include authenticated subscriber access for file reads and unauthenticated access when WooCommerce is present and later deactivated. Patches were released as 3.15.2 (partial) and 3.15.3 (fully patched) with 3.15.3 released on May 12, 2026; site owners should update immediately.

Microsoft to automatically roll back faulty Windows drivers
Microsoft is piloting Cloud-Initiated Driver Recovery to remotely roll back faulty Windows Update drivers to a previous stable version, eliminating the need for partners or users to intervene. The recovery, managed entirely by Microsoft through Windows Update for drivers rejected during shiproom evaluation, will be tested May–August 2026 and roll out starting September 2026 as part of the Driver Quality Initiative and broader resiliency efforts.

Microsoft warns of Exchange zero-day flaw exploited in attacks
Microsoft warns of a high-severity Exchange Server zero-day (CVE-2026-42897) exploited via cross-site scripting to run arbitrary code in Outlook on the Web. The flaw affects Exchange 2016, Exchange 2019, and Exchange SE, with no permanent patch available yet. For immediate protection, Microsoft recommends enabling Exchange Emergency Mitigation Service (EEMS); an on-premises mitigation via EEMS is automatic on eligible servers, and the Exchange On-Premises Mitigation Tool (EOMT) remains an option for air-gapped environments. Patches are planned for Exchange SE RTM, Exchange 2016 CU23, and Exchange 2019 CU14/CU15, though updates for 2016/2019 may be limited to customers in the Period 2 ESU program. CISA and NSA have previously issued guidance to harden Exchange servers against such exploits.

TeamPCP Hackers Advertise Mistral AI Code Repos for Sale
TeamPCP hackers are offering nearly 450 Mistral AI repositories for sale at $25,000, with a one-week deadline before they leak the data. They claim the stolen data covers training, fine-tuning, benchmarking, model delivery, and inference materials from Mistral AI, tied to the TanStack supply-chain attack that also compromised CI/CD credentials and multiple npm/PyPI packages. Mistral AI says the breach touched some SDK packages but did not affect core repositories or hosted services, while OpenAI confirms related impacts and has rotated certificates and pushed updates for affected users.

Hackers Exploit Auth Bypass Flaw in Burst Statistics WordPress Plugin
Hackers are exploiting a critical authentication bypass in the Burst Statistics WordPress plugin (CVE-2026-8181), allowing unauthenticated attackers to impersonate admins via REST API and potentially create rogue admin accounts. The flaw was introduced in version 3.4.0 (April 23) and persisted in 3.4.1. Wordfence began tracking on May 8, with thousands of attacks blocked in 24 hours. A patched release, version 3.4.2, arrived on May 12, 2026; users should upgrade or disable the plugin. With about 200,000 sites using Burst Statistics, an estimated 115,000 could still be at risk if they remain on older versions.

Cisco warns of new critical SD-WAN flaw exploited in zero-day attacks (CVE-2026-20182)
Cisco warns of a critical authentication-bypass flaw in Catalyst SD-WAN Controller and Manager (CVE-2026-20182) being exploited in zero-day attacks to gain admin privileges and manipulate SD-WAN configurations. The vulnerability stems from a faulty peering authentication mechanism, allowing attackers to log in as a high-privileged internal user and access NETCONF. Threat actors were observed exploiting it in May 2026; indicators include rogue peering events and unexpected "Accepted publickey for vmanage-admin" entries. Cisco urges upgrading to fixed software, restricting SD-WAN management access, and reviewing logs; CISA has added the vulnerability to the Known Exploited Vulnerabilities catalog with a patch deadline of May 17, 2026.

OpenAI Confirms Security Breach in TanStack Supply Chain Attack
OpenAI confirms a security breach tied to the Mini Shai-Hulud TanStack supply-chain attack, with two employees’ devices compromised and limited access to a subset of internal repositories. There is no evidence of customer data, production systems, or deployed software being affected; however, code-signing certificates were exposed and rotated as a precaution. macOS OpenAI desktop apps must be updated by June 12, 2026, while Windows and iOS versions are unaffected. The incident underscores the broader risk of software supply-chain attacks across npm and PyPI ecosystems.

Windows 11 and Microsoft Edge hacked at Pwn2Own Berlin 2026
Security researchers at Pwn2Own Berlin 2026 racked up more than $523,000 on day one after 24 zero‑days were chained, with Orange Tsai earning $175,000 for a four‑bug sandbox escape on Microsoft Edge. Windows 11 was hacked three times, earning $30,000 per researcher (Angelboy, TwinkleStar03 with the DEVCORE Internship Program, Marcin Wiązowski, and Kentaro Kawane of GMO Cybersecurity). IBM X‑Force XOR’s Valentina Palmiotti collected $20,000 for rooting Red Hat Linux for Workstations and $50,000 for a zero‑day in the NVIDIA Container Toolkit. Other notable wins included k3vg3n’s $40,000 for LiteLLM, NVIDIA Megatron Bridge exploits for $20,000, and OpenAI Codex exploits by Compass Security and maitai of Doyensec for $40,000 each, plus Chroma and LM Studio zero‑days. DEVCORE leads the competition with $205,000, followed by Palmiotti with $70,000. The three‑day event runs May 14–16 at OffensiveCon and will see researchers targeting browsers, servers, and AI/LLM platforms for prizes that could exceed $1,000,000; vendors will have 90 days to patch disclosed flaws.

KongTuke hackers now use Microsoft Teams for corporate breaches
The KongTuke group has shifted to using Microsoft Teams for social engineering to breach corporate networks, delivering ModeloRAT after victims paste a PowerShell command in a Teams chat. Active since April 2026, the operation rotates through multiple Microsoft 365 tenants to evade blocks and uses Unicode tricks to spoof IT staff. ModeloRAT now features a resilient five-server C2, multiple access paths, and enhanced persistence (Run keys, Startup shortcuts, VBScript launchers, scheduled tasks). Recommendations include restricting external Teams federation and using ReliaQuest IOC indicators to hunt for signs of compromise.

Dell Confirms Its SupportAssist Software Causes Windows BSOD Crashes
Dell has confirmed that its SupportAssist Remediation service is causing blue-screen crashes on some Windows 10/11 systems, producing the 0xEF_DellSupportAss_BUGCHECK_CRITICAL_PROCESS error after a wave of reports of random reboots. The company recommends disabling or uninstalling the Remediation service (Alienware variants included) as a workaround, warning that Dell OS Recovery points may be unavailable after removal. Dell Engineering says a fix is in progress, highlighting a pattern of past Dell software issues linked to updates.

West Pharmaceutical says hackers stole data, encrypted systems
West Pharmaceutical Services says it was the target of a material cybersecurity attack in which data was exfiltrated and some systems were encrypted. The compromise was detected May 4, 2026, with incident response actions including taking systems offline, notifying law enforcement, and engaging external forensics; core shipping and manufacturing systems have been restored and manufacturing partially restarted, but full restoration and the incident's financial impact are still undetermined. The company is working with Palo Alto Networks’ Unit 42, and no ransomware group has claimed responsibility at this time.

New critical Exim mailer flaw allows remote code execution
Exim’s open‑source mail transfer agent has a critical vulnerability (CVE-2026-45185) that allows unauthenticated remote code execution on affected builds (Exim 4.97–4.99.2) compiled with GnuTLS. The bug is a use-after-free during TLS shutdown in BDAT chunked SMTP traffic and can give attackers control over the server; OpenSSL builds are not affected. A patch is available in Exim 4.99.3. The flaw was discovered by Federico Kirschbaum of XBOW, who demonstrated an AI‑assisted PoC exploit, though researchers note humans still play a crucial role. Ubuntu and Debian users should update via their package managers.

Windows BitLocker zero-day gives access to protected drives, PoC released
Security researcher Chaotic Eclipse has released PoCs for two unpatched Windows flaws, YellowKey and GreenPlasma, collectively known as Chaotic Eclipse. YellowKey is a BitLocker bypass that exploits the Windows Recovery Environment to gain shell access on TPM-protected drives for Windows 11 and Windows Server 2022/2025, while GreenPlasma is a privilege-escalation flaw that could yield a SYSTEM shell. The disclosures follow earlier leaks (BlueHammer, RedSun), with the researcher promising more PoCs; Microsoft says it is investigating and urging mitigations like BitLocker PINs and BIOS passwords, though some configurations (such as TPM-only) may remain vulnerable.

Microsoft fixes Windows Autopatch bug installing restricted drivers
Microsoft fixed a Windows Autopatch bug in the EU that caused restricted driver updates to install on some Windows 11 devices (versions 23H2, 24H2, 25H2) despite IT policies, potentially causing reboots or failures. The fix is service-side and requires no action from customers. The article also notes a recent Windows Server 2019/2022 upgrade-to-2025 issue and new Office installation problems on Windows 365 after a service update.

Microsoft says some users can't install Office on Windows 365 devices
Microsoft says a recent service update introduced a configuration change that blocks some Windows 365 users from downloading or installing Office. A fix is being developed and will be deployed with the next update, scheduled for Friday; in the meantime, affected users can manually download Office from the Microsoft 365 download page. The issue is tracked as WP1309017 and is classified as an advisory with no fixed remediation timeline yet.

US govt seeks Instructure testimony on massive Canvas cyberattack
The US House Homeland Security Committee has asked Instructure to testify by May 21 about two ShinyHunters cyberattacks on the Canvas platform that exposed millions of student and staff records and disrupted final exams across multiple states. Instructure disclosed the breach on May 3 (the intrusion was detected April 29), with exposed data including names, emails, and student IDs. A second attack defaced login portals, and ShinyHunters later claimed extensive data theft and, after pressure, said the data was destroyed.

UK fines water supplier $1.3M for exposing data of 664k customers
The UK ICO has fined South Staffordshire Water Plc £963,900 ($1.3M) for a 2020–2022 data breach that exposed the personal data of around 664,000 customers and staff. The breach resulted from multiple security failures and a phishing-driven malware intrusion that went undetected for 20 months.

Instructure reaches 'agreement' with ShinyHunters to stop data leak
Instructure has announced an agreement with the ShinyHunters extortion group to stop the leakage of data stolen in a breach of the Canvas LMS, with the stolen data returned and destruction logs provided. The incident affected more than 30 million educators and students across 8,000 schools and universities, and ShinyHunters claimed about 3.6TB of data was stolen after exploiting Free-for-Teacher XSS flaws and even defaced Canvas login pages on May 7. Canvas has been restored, Free-for-Teacher accounts were temporarily shut, and Instructure will share further updates in a May 13 webinar; the FBI cautions that paying a ransom does not guarantee safety from further extortion.

Instructure confirms hackers used Canvas flaw to deface portals
Instructure confirmed that hackers exploited a Canvas vulnerability to deface login portals and leave an extortion message, using multiple XSS flaws to gain authenticated admin sessions. A second attack on May 7 leveraged the same flaw to pressure a ransom after an initial breach disclosed on April 29. The Free-for-Teacher environment was affected, Canvas was offline briefly and restored by May 9, and ShinyHunters claim to have stolen data from 8,809 institutions—up to 275 million records—though the defacement itself did not compromise data.

Webinar this week: Prevention alone is not enough against modern attacks
Bleeding-edge webinar (May 14, 2026 at 2:00 PM ET) from BleepingComputer explains why prevention alone isn’t enough against modern cyberattacks. Featuring Austin O’Saben of Kaseya, the session covers AI-driven phishing, SaaS abuse, and how trusted platforms are exploited, arguing that robust backups and a rapid recovery plan are essential to cyber resilience. Attendees will learn how to integrate prevention, detection, and quick recovery to minimize downtime and data loss.

Ivanti warns of new EPMM flaw exploited in zero-day attacks
Ivanti has issued a warning about a new high-severity remote code execution flaw in Endpoint Manager Mobile (EPMM), CVE-2026-6973, being exploited in zero-day attacks. The vulnerability affects EPMM versions up to 12.8.0.0 and requires admin authentication; users are urged to upgrade to 12.6.1.1, 12.7.0.1, or 12.8.0.1 and to rotate admin credentials. Ivanti says cloud products are unaffected and exploitation appears limited, though hundreds of EPMM IPs are exposed online per Shadowserver. The company also patched four additional high-severity EPMM flaws (CVE-2026-5786/7/8 and 7821) with no confirmed in-the-wild exploitation, while earlier CVEs (1281/1340) had been exploited in the wild.

The Browser Is Breaking Your DLP: How Data Slips Past Modern Controls
New analysis reveals traditional DLP misses browser-based data flows, with 46% of sensitive file uploads to web apps ending up in unsanctioned accounts. As work shifts to browser apps and AI tools, data is copied, pasted, typed into forms, or uploaded from personal or shadow accounts, often evading endpoint and network DLP. A real-world example shows proprietary code moving from a private repository into a personal ChatGPT session, leaving the organization unprotected. Browser-native DLP, like Keep Aware, runs inside the browser to inspect data in real time, understand context, and enforce inline controls—complementing existing DLP. The piece invites readers to book a demo to see browser-native DLP in action.

Americans sentenced for running 'laptop farms' for North Korea
Two U.S. nationals were sentenced to 18 months in prison for running “laptop farms” that helped North Korean IT workers fraudulently obtain remote jobs at nearly 70 American companies. Matthew Knoot operated the scheme from Nashville (July 2022–August 2023) using stolen identities, while Erick Prince aided North Korean workers through Taggcar Inc (2020–2024). The case, part of a broader effort to disrupt North Korea’s illicit IT revenue, involved substantial victim payments and remediation costs, with restitution and forfeiture orders issued.

Palo Alto Networks firewall zero-day exploited for nearly a month
Security researchers warn of a critical PAN-OS zero-day (CVE-2026-0300) in the User-ID Authentication Portal that has been exploited by suspected state-sponsored actors to achieve unauthenticated remote code execution on internet-facing PA-Series and VM-Series firewalls for nearly a month. Exploitation began around April 9, 2026; attackers succeeded about a week later and deployed EarthWorm and ReverseSocks5 to establish covert tunnels. Shadowserver reports thousands of exposed PAN-OS VM-series devices, with most in Asia and North America; Cloud NGFW and Panorama are unaffected. Patches are expected to begin rolling out on May 13; CISA has added CVE-2026-0300 to the KEV catalog and ordered Federal agencies to secure vulnerable devices by May 9. In the meantime, admins should restrict access to the Captive Portal or disable it and verify settings under Device > User Identification > Authentication Portal Settings.

Fake Claude AI website delivers new 'Beagle' Windows malware
Security researchers warn of a fake Claude AI website that distributes a trojanized Claude-Pro Relay installer, delivering a Windows backdoor named Beagle. The campaign uses a bogus Claude-Pro-windows-x64.zip that drops NOVupdate.exe, NOVupdate.exe.dat, and avk.dll, loading DonutLoader and Beagle in memory to grant attackers remote access, with C2 traffic to license.claude-pro.com on ports 443/8080. Mitigation advises downloading Claude only from the official portal and watching for NOVupdate artifacts; attribution remains unclear, though Sophos links Beagle to operators associated with PlugX.

DAEMON Tools Devs Confirm Breach, Release Malware-Free Version
Disc Soft confirms a supply-chain attack that trojanized DAEMON Tools Lite installers, releasing a malware-free 12.6 version on May 5 while other DAEMON Tools products appear unaffected. Users who installed 12.5.1 since April 8 should uninstall, run a full scan, and upgrade to 12.6; prior activity linked by Kaspersky involved backdoors and info-stealers, but the latest 12.6.0.2445 is reported to no longer exhibit malicious behavior.

Why ransomware attacks succeed even when backups exist
Ransomware now often defeats backups by exposing, compromising, or destroying backup systems during an attack, not because backups are absent. This post outlines the typical attack chain and why traditional backup strategies fail—shared credentials, weak access controls, lack of immutable backups, untested recovery, and siloed tools. It argues that immutability is critical but not sufficient on its own; it must be combined with strong access control, monitoring, and recovery validation. Five practical protections are recommended: enforce identity separation with MFA, isolate backup environments, use immutable backups, monitor backup activity, and regularly test restores. It also covers steps if backups are compromised, such as locating older clean copies, leveraging off-site immutable storage, and rebuilding from clean baselines. The piece advocates a resilience-first approach and an integrated cyber-protection platform that unifies backup, security, and recovery to achieve end-to-end visibility and reliable recovery in today’s threat landscape.

Palo Alto Networks Warns of Firewall RCE Zero-Day Exploited in Attacks
Palo Alto Networks warns of a critical unpatched zero-day in the PAN-OS User-ID Authentication Portal (Captive Portal), tracked as CVE-2026-0300. The flaw, a buffer overflow, could allow unauthenticated attackers to execute code with root privileges on internet-facing PA-Series and VM-Series firewalls via crafted packets. Limited exploitation has been observed, and admins are urged to restrict portal access or disable it until a patch is released. Shadowserver data show thousands of PAN-OS VM-series devices online, underscoring the widespread risk.

New stealthy Quasar Linux malware targets software developers
Trend Micro researchers have uncovered Quasar Linux (QLNX), a stealthy new Linux malware implant targeting software developers' environments (npm, PyPI, GitHub, AWS, Docker, Kubernetes) and signaling a potential supply-chain attack vector. QLNX combines rootkit, backdoor, and credential-stealing capabilities to achieve long-term, fileless persistence, including in-memory execution, log deletion, process-name spoofing, and forensic data clearing. It uses seven persistence mechanisms (LD_PRELOAD, systemd, crontab, init.d, XDG autostart, and .bashrc injection) to ensure it loads across dynamically linked processes. The malware comprises modular blocks: a 58-command RAT core, a dual-layer rootkit (userland LD_PRELOAD and kernel eBPF), credential harvesting (SSH keys, cloud/config files, PAM backdoors), surveillance (keylogging, screenshots), networking and lateral movement, in-memory execution/injection, and real-time filesystem monitoring. By targeting developer workstations, QLNX aims to bypass enterprise defenses and access credentials underpinning software delivery pipelines; while IoCs are provided, attribution and deployment scope remain unclear.

Instructure Breach: Hacker Claims Data Theft From 8,800 Schools and Universities
The extortion group ShinyHunters claims to have stolen 280 million records from 8,809 schools and education platforms via Instructure's Canvas, exposing students' and staff's names, emails, and private messages. While some institutions confirm investigations, Instructure has not publicly commented, and the scope of impacted organizations remains unverified.

DAEMON Tools trojanized in supply-chain attack to deploy backdoor
Kaspersky reports a supply-chain attack that trojanized DAEMON Tools installers, delivering a backdoor to thousands of systems worldwide since April 8, 2026. The first-stage malware acts as an information stealer, while some victims received a second-stage payload—a lightweight backdoor capable of executing commands and downloading files, sometimes in memory. In at least one case, a more advanced QUIC RAT was deployed against a Russian educational institution. The campaign affected users in over 100 countries, but second-stage payloads targeted about a dozen high-value targets in sectors such as retail, science, government, and manufacturing in Russia, Belarus, and Thailand. Affected DAEMON Tools versions span 12.5.0.2421–12.5.0.2434, including DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe, and the attack is ongoing as of May 5, 2026. Organizations should audit systems with DAEMON Tools installed since April 8 and bolster supply-chain defenses.

Student hacked Taiwan high-speed rail to trigger emergency brakes
A Taiwanese university student has been arrested for hacking the Taiwan High-Speed Rail's TETRA system, using software-defined radios and handheld radios to transmit a high-priority alarm that caused four THSR trains to halt for 48 minutes on April 5. An accomplice aided the plot. The 23-year-old faces up to 10 years' imprisonment and was released on NT$100,000 bail.

Vimeo data breach exposes personal information of 119,000 people
Vimeo confirms a breach linked to Anodot that exposed personal data for about 119,000 people—email addresses and, in some cases, names—along with technical data, video titles, and metadata. The company says no video content, valid user credentials, or payment card information were compromised, and there were no service disruptions; Anodot credentials were disabled and the integration removed, with law enforcement notified. After Vimeo's disclosure, the ShinyHunters extortion group leaked a 106GB cache of stolen data on the dark web, claiming access via Anodot tokens and signaling a broader campaign against SaaS platforms.

Google now offers up to $1.5 million for some Android exploits
Google is overhauling its Android and Chrome vulnerability rewards, offering up to $1.5 million for the hardest Android exploits (zero-click Pixel Titan M2 full-chain with persistence) and up to $750,000 without persistence, while Chrome rewards reach $250,000 plus a $250,128 bonus for MiraclePtr-protected memory. The program shifts toward concise, AI-friendly reports and focuses Android research on Linux-kernel vulnerabilities in Google-maintained components. Google notes a record $17.1 million paid in 2025 to 747 researchers, bringing total payouts since 2010 to $81.6 million, with 2026 payouts expected to rise. The Autonomous Validation Summit is scheduled for May 12–14, 2026.

Amazon SES increasingly abused in phishing to evade detection
Kaspersky reports a surge in phishing using Amazon SES to bypass security filters, fueled by widespread exposure of AWS credentials in public repos, Docker images, and backups. Attackers automate secret discovery (e.g., with TruffleHog) to validate keys and blast realistic phishing campaigns—including DocuSign-like notices and fake invoices—without triggering SPF/DKIM/DMARC blocks. Blocking SES IPs is ineffective since SES is a trusted service. Recommended mitigations: enforce least-privilege IAM, enable MFA, rotate keys regularly, apply IP-based access controls, and use encryption.

Backdoored PyTorch Lightning package drops credential stealer
Security researchers disclosed a supply-chain attack in PyTorch Lightning: a compromised PyPI release (version 2.6.3) secretly downloads Bun and executes an obfuscated 11.4 MB JavaScript payload on import, delivering ShaiWorm, a credential-stealer that targets environment files, API keys, browser data, and cloud credentials (AWS/Azure/GCP) and can run arbitrary commands. Microsoft Defender blocked the payload on affected machines; maintainers have rolled back to version 2.6.1 and are auditing recent releases, with immediate secret rotation advised as the investigation continues.

Trellix discloses data breach after source code repository hack
Trellix disclosed a data breach after unauthorized access to a portion of its source code repository and is investigating with external forensics, reporting no evidence yet that the source code or its distribution process was compromised and that law enforcement has been notified; further details will be shared after the investigation. The incident comes amid other recent breaches at Checkmarx, Cisco, and HackerOne.

They don’t hack, they borrow: How fraudsters target credit unions
Flare researchers reveal a structured loan-fraud technique that targets small to mid-sized credit unions by borrowing identities rather than hacking systems. Attackers assemble stolen personal data, KBA answers, and credit histories to pass identity verification and loan checks, then move funds out quickly through intermediaries. The fraud workflow unfolds in eight steps—from identity acquisition to cash-out—designed to exploit weaknesses in onboarding and lending processes rather than software vulnerabilities. The report highlights higher risk for smaller lenders and urges proactive monitoring of exposed data sources to thwart such schemes.

Instructure Confirms Data Breach as ShinyHunters Claims Attack
Instructure confirms a cybersecurity incident affecting Canvas, with the ShinyHunters group claiming responsibility. The attackers say personal data from users at affected institutions—names, emails, student IDs, and messages—has been exposed. Instructure reports no current evidence of passwords, birth dates, government IDs, or financial information being compromised and has deployed patches, enhanced monitoring, and API key rotation requiring re-authorization for new keys. ShinyHunters’ data-leak listing cites roughly 240 million records across about 15,000 institutions and up to 275 million individuals, but independent verification of these figures is still pending.

Microsoft Defender wrongly flags DigiCert certs as Trojan:Win32/Cerdigent.A!dha
Microsoft Defender flagged legitimate DigiCert root certificates as malware after a threat signature update on April 30, causing false positives and removals from the Windows trust store. Two root certificates were reportedly affected, and Microsoft rolled out fixes in Security Intelligence updates (from 1.449.430.0 to 1.449.431.0) with automatic or manual update options. The incident occurs in the context of a DigiCert breach and is discussed as a potential link, though the flagged root certs are different from the revoked code-signing certificates.

Telegram Mini Apps Abused for Crypto Scams and Android Malware Delivery
Cybersecurity researchers have uncovered FEMITBOT, a Telegram-based fraud operation that uses Mini Apps and bots to run fake crypto platforms, impersonate brands (Apple, NVIDIA, Disney, eBay, IBM, Moon Pay, YouKu, and more), and deliver Android malware. The campaigns share a common backend, allow rapid branding/language changes, and use tracking pixels to optimize performance. Victims encounter fake dashboards and urgency tactics, then are urged to deposit funds or complete referrals; some Mini Apps push Android APKs masquerading as legitimate apps via the in-app browser. Users are advised to avoid crypto-promoting Telegram bots and sideloading APKs.

Critical cPanel flaw mass-exploited in "Sorry" ransomware attacks
A critical vulnerability in cPanel/WHM (CVE-2026-41940) is being mass-exploited in the Sorry ransomware campaign. An emergency update for WHM and cPanel has been released, but attackers have already compromised tens of thousands of servers—at least 44,000 IPs according to Shadowserver—and deployed a Go-based Linux encryptor that appends the .sorry extension to files. Victims receive a ransom note with a Tox ID, and decryption requires the RSA-2048 private key; without it, decryption is effectively impossible. All cPanel/WHM users are urged to apply the security update immediately as exploitation continues to spread.

ConsentFix v3 Attacks Target Azure with Automated OAuth Abuse
Researchers warn of ConsentFix v3, a new automated OAuth abuse campaign targeting Microsoft Azure. The refinement verifies Azure tenants, gathers employee details for impersonation, and coordinates phishing and exfiltration across services (Outlook, Tutanota, Cloudflare, DocSend, Hunter.io, and Pipedream) to capture OAuth codes and tokens. A Cloudflare Pages phishing page prompts a real Microsoft OAuth flow, with a Pipedream webhook receiving the code, exchanging it for tokens, and feeding them to Specter Portal to access compromised resources. Mitigations include token binding, behavioral detection, and app-auth restrictions, but the campaign’s reach and impact remain unclear.

Microsoft tests modern Windows Run, says it's faster than legacy dialog
Microsoft previews a modern Run dialog for Windows 11 in build 26300.8346, featuring Fluent Design, built-in dark mode, and a faster median time-to-show of 94ms compared with 103ms for the legacy Run. The Browse button is removed after usage analysis; the new dialog supports quick access to the home directory (~) and shows icons for easier entry identification. Activation is optional via Settings > Advanced Settings, and Microsoft is collecting feedback before broader rollout. The preview also includes changes to Windows Share UI for AAD users and expanded Magnifier zoom presets, with broader release planned in the coming months through the Experimental Channel.

Edu tech firm Instructure discloses cyber incident, probes impact
Instructure, the maker of Canvas, has disclosed a cybersecurity incident and says it is actively investigating with outside forensics experts. Some services, including Canvas Data 2 and Canvas Beta, have been under maintenance since May 1 as the company assesses impact, though it has not said whether the maintenance is related to the breach. The incident underscores a trend of education-technology breaches, following PowerSchool’s 2025 breach and a September 2025 Instructure Salesforce attack attributed to ShinyHunters.

15-year-old detained over French govt agency data breach
France detains a 15-year-old suspected of selling data from the ANTS breach that affected about 11.7 million accounts; investigators say 12–18 million records were offered for sale on a cybercrime forum. The minor faces charges for unauthorized access, persistence and data exfiltration, plus possession of hacking tools, with penalties up to seven years in prison and €300,000. A judge is reviewing the case, and formal charges have not yet been filed.

BleepingComputer retracts Instructure data breach story
BleepingComputer retracts its May 1, 2026 article about a purported Instructure data breach after confirming the information was incorrect and based on outdated details; the editors apologize for the error.

Criminal IP and Securonix ThreatQ Collaborate to Enhance Threat Intelligence Operations
Criminal IP is partnering with Securonix to embed Criminal IP’s exposure-based threat intelligence into ThreatQ, enabling real-time enrichment of IP indicators within ThreatQ and automated workflows that keep context current. The integration adds contextual data such as maliciousness scores, VPN/proxy detection, remote access exposure, open ports, and known vulnerabilities, helping security teams triage faster and prioritize more accurately. Analysts can perform on-demand lookups and access enriched indicators directly in the ThreatQ dashboard, while integration with the ThreatQ Orchestrator automates ingestion and filtering of exposure intelligence, enhancing investigation graphs and overall incident response workflows.

Microsoft fixes Remote Desktop warnings displaying incorrectly
Microsoft has fixed a bug that caused Remote Desktop (.rdp) security warnings to render incorrectly on multi-monitor systems with different scaling after the April 2026 updates. The fix, in the Windows 11 preview cumulative update KB5083631 (and related KBs for Windows 10/Server), introduces an educational prompt and renders the warning correctly, with publisher verification shown before connections; unsigned RDP files trigger a caution warning. The article also notes prior issues from KB5083769 (backup app failures due to VSS timeouts) and highlights ongoing phishing risks using RDP files, including campaigns attributed to APT29.

Two Former Ransomware Negotiators Sentenced to Four Years in Prison Over BlackCat (ALPHV) Attacks
Two former cybersecurity incident responders were sentenced to four years in prison each for conspiring to extort U.S. companies through the BlackCat/ALPHV ransomware operation, working as affiliates from May to November 2023 with accomplice Angelo Martino. They shared about 20% of ransoms and targeted multiple U.S. victims, including a Tampa medical device maker that paid $1.27 million on a $10 million demand. The FBI links BlackCat to more than 60 breaches and estimates at least $300 million in ransom payments from over 1,000 victims through September 2023.

New BlueKit phishing service includes an AI assistant, 40 templates
BlueKit debuts as a phishing toolkit with over 40 templates for services like Outlook, Gmail, iCloud, GitHub, and Ledger, plus an AI Assistant panel that supports models such as Llama, GPT-4.1, Claude, Gemini, and DeepSeek to draft campaigns. It offers end-to-end functionality—from domain purchase and phishing-page setup to campaign management and real-time monitoring, with data exfiltration possible via Telegram. Early reviews from Varonis say the AI drafts are skeletal and contain placeholders, indicating the feature set is still evolving, but the kit exemplifies the growing AI-enabled, all-in-one phishing platforms.

Romanian leader of online swatting ring gets 4 years in prison
Thomasz Szabo, a Romanian national who led an online swatting ring targeting more than 75 officials, journalists, and four religious institutions, was sentenced to four years in federal prison plus three years of supervised release after pleading guilty to conspiracy and explosives-threat charges. Extradited from Romania in 2024, Szabo operated since 2020 under multiple aliases, orchestrating false reports that drew armed police responses and wasted taxpayer resources; his followers targeted members of Congress, federal officials, judges, and churches, with one member boasting of 25 swatting calls in a single day.

New Linux Copy Fail flaw gives hackers root on major distros
A new Linux local privilege escalation called Copy Fail (CVE-2026-31431) lets an unprivileged user gain root by performing a 4-byte write into the page cache via the AF_ALG crypto interface and splice(), affecting kernels back to 2017. The exploit has been demonstrated on Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, and SUSE 16; upstream fixes were released on April 1, 2026, with distributions racing to push patches. Interim mitigations include disabling the AF_ALG interface or the algif_aead module, and promptly patching multi-tenant environments.

Hackers Exploit Authentication Bypass Flaws in Qinglong Task Scheduler to Deploy Cryptominers
Hackers exploited two authentication-bypass flaws in Qinglong’s open-source task scheduler (CVE-2026-3965 and CVE-2026-4047) to deploy cryptomining on exposed servers, beginning in February before public disclosure. The issues stemmed from a mismatch between middleware authorization and Express.js routing, allowing access to protected admin endpoints via unauthenticated paths. Infections were observed across multiple setups, with a rogue process named “.fullgc” consuming heavy CPU and attackers modifying config.sh to download miners from an external host; a fix was finally merged in PR #2941 after earlier mitigations in PR #2924 proved insufficient.

Hackers arrested for hijacking and selling 610,000 Roblox accounts
Ukrainian police in Lviv arrested three hackers who hijacked over 610,000 Roblox accounts and sold them for about $225,000. The operation, led by a 19-year-old, used credential-stealing malware disguised as a game-enhancer to target high-value accounts, with ten searches yielding cash and electronic evidence. The suspects, aged 19, 21, and 22, face up to 15 years in prison on theft and unauthorized IT interference charges, as investigations continue.

cPanel, WHM emergency update fixes critical auth bypass bug
cPanel and WHM issued an emergency update to fix a critical authentication bypass vulnerability that could grant unauthorized access to the hosting control panel. Admins must run the manual patch command (/scripts/upcp --force) to upgrade to patched builds (11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, 11.136.0.5). Namecheap temporarily blocked WHM/cPanel ports 2083 and 2087 to protect users until patches were available, and users on unsupported versions should upgrade immediately. If exploited, the flaw could let attackers fully control hosting accounts, plant backdoors, and conduct other malicious activities.

European police dismantle €50 million crypto investment fraud ring
European authorities, led by Austria and Albania with Europol and Eurojust, dismantled a €50 million cryptocurrency investment fraud ring operating through call centers in Tirana. The scheme lured victims with fake platforms, diverted funds to an international money-laundering network, and included a secondary scam asking for fees to recover losses; 10 suspects were arrested and assets seized across multiple countries.

Learning from the Vercel breach: Shadow AI & OAuth sprawl
The article examines how shadow AI and OAuth sprawl threaten enterprise security, using the Vercel breach as a cautionary tale. It shows how a simple OAuth connection to Context.ai allowed attackers to pivot into Vercel’s data when Context.ai was compromised. Shadow IT is framed as broader than shadow apps, including shadow tenants, extensions, and especially shadow integrations that connect dangerous third-party tools to core systems. Recommended defenses include a default-deny policy for new OAuth grants, routine auditing of all active integrations, and visibility across all SaaS apps—not just the primary cloud platforms. The piece also notes a rising, widespread abuse of OAuth in attacks, including device code phishing, and highlights a new browser-based attacks report. It closes by promoting Push Security’s platform as a way to monitor, block, and remediate OAuth requests and related threats across the organization.

GitHub fixes RCE flaw that gave access to millions of private repos
GitHub fixed a critical remote code execution flaw (CVE-2026-3854) that could have allowed attackers to read or write millions of private repositories with a single malicious git push. Reported by Wiz on March 4, 2026, GitHub reproduced and patched the issue on GitHub.com within hours, and patches were released for GitHub Enterprise Server across multiple supported releases with a strong upgrade directive. The vulnerability could have given full server access on GHES, but no exploitation was found before disclosure and no customer data was accessed. Nonetheless, about 88% of reachable GHES instances remained vulnerable at the time, prompting an urgent upgrade for administrators.

CISA orders feds to patch Windows flaw exploited as zero-day
CISA has ordered federal agencies to patch Windows endpoints against CVE-2026-32202, a zero-day that enables NTLM hash leakage in low-complexity, remote code-execution scenarios. The flaw stems from an incomplete patch for CVE-2026-21510 and has been linked to APT28 activity targeting Ukraine and EU networks. Agencies must patch by May 12 under Binding Operational Directive 22-01, with guidance to apply vendor mitigations and monitor ongoing exploit activity including BlueHammer, RedSun, and UnDefend.

Microsoft Says Backend Change Broke Teams Free Chat and Calls
Microsoft confirms a backend change for Teams Free is causing chat and call failures for new users by skipping onboarding and privacy screens, leaving profiles as “Unknown” and unsearchable. Labeled a service degradation, the issue first appeared April 8 with regions and scope still unclear, and Microsoft says it will share more details later today as they work on a fix. This follows other recent Teams troubles, including Edge-update–related meeting join failures and a prior service update launch problem.

Video service Vimeo confirms Anodot breach exposed user data
Vimeo has disclosed that data from some customers and users was accessed in the wake of the Anodot breach. The exposed information reportedly includes email addresses for some users, plus technical details, video titles, and metadata, with no video content, credentials, or payment card data affected. The incident is linked to the ShinyHunters extortion group, which had threatened to publish stolen data by April 30; Vimeo has disabled Anodot credentials, severed the integration, and is collaborating with third-party security experts and law enforcement while it investigates and promises updates.

US reportedly charges Scattered Spider hacker arrested in Finland
A 19-year-old dual U.S.-Estonian citizen, online alias Bouquet, was arrested in Helsinki on April 10 while trying to fly to Japan and now faces U.S. charges as a member of the Scattered Spider hacking group. Prosecutors allege he helped breach multiple high-profile targets and extort millions in ransoms, with incidents dating to 2023 and 2025. The case comes as another Scattered Spider leader pleaded guilty earlier this month.

Checkmarx confirms LAPSUS$ hackers leaked its stolen GitHub data
Checkmarx confirms LAPSUS$ leaked data from its private GitHub repository after a March 23 supply-chain attack tied to the Trivy incident; attackers used stolen credentials to publish malicious artifacts, including Docker images and VSCode/Open VSX extensions for Checkmarx’s KICS scanner. A 96 GB data pack was posted on the LAPSUS$ portal and accessible on clearnet, with Checkmarx saying the exposed data originated from its GitHub and does not appear to contain customer information. Access to the affected repository has been blocked and a forensic investigation is ongoing, with more details expected within 24 hours.

Microsoft to Deprecate Legacy TLS in Exchange Online Starting July 2026
Microsoft will begin blocking legacy TLS for POP and IMAP in Exchange Online starting July 2026. After deprecation, POP3/IMAP4 connections must use TLS 1.2 or newer, and any connections using TLS 1.0 or 1.1 will fail. Most users are unaffected since TLS 1.2+ is already standard, but those using legacy endpoints or custom/embedded applications may face disruption and will need updates. Admins are advised to verify their clients support TLS 1.2+ and update devices or applications accordingly as part of this broader move to secure, modern TLS.

Inside an OPSEC Playbook: How Threat Actors Evade Detection
Flare researchers examine a cybercrime forum post in which a threat actor outlines a three-tier OPSEC framework for high-volume carding aimed at staying undetected over time. The Public Layer uses clean devices and rotated residential IPs; the Operational Layer is strictly isolated with encrypted containers and hardware-backed keys; the Extraction Layer keeps cashout systems isolated to break the forensic chain. The post highlights recurring mistakes—identity reuse, weak fingerprinting evasion, poor separation of stages, and metadata exposure—and introduces advanced resilience techniques such as time-delayed triggers, behavioral randomization, distributed verification, and dead man’s switches. Defenders are offered actionable takeaways: improve cross-platform identity correlation, evolve behavioral analytics, monitor the full attack chain, leverage metadata, and prepare for resilient adversaries. The material argues that OPSEC is becoming a competitive advantage in cybercrime, prioritizing longevity and stealth over short-term access.

Microsoft: New Remote Desktop warnings may display incorrectly
Microsoft confirms a new issue where security warnings for Remote Desktop (.rdp) files display incorrectly after the April 2026 updates, affecting Windows 11, Windows 10, and Windows Server. The problem is especially prevalent on systems with multiple monitors using different display scaling, causing unreadable text and misaligned buttons in the warning dialogs. The April 2026 safeguards introduce a one-time educational prompt, followed by a pre-connection security dialog that shows publisher status, remote address, and local resource redirections (all disabled by default). Unsigned RDP files trigger a "Caution: Unknown remote connection" warning. The article notes that threat actors have abused RDP files in phishing campaigns, including past use by the APT29 group.

Microsoft asks iPhone users to reauthenticate after Outlook outage
Microsoft has resolved a global Outlook.com outage that affected users worldwide and now requires iPhone users to re-authenticate their accounts in the iOS Mail app to regain access. The company cited a recently introduced change as the cause but did not disclose specifics or the scope, with service returning to normal around 7 PM UTC on April 27, 2026. The report notes related past outages—such as March’s Exchange Online issues and Copilot sign-in problems—and ongoing Microsoft 365 reliability efforts.

Robinhood Account Creation Flaw Abused to Send Phishing Emails
Robinhood’s account-creation process was abused to inject HTML into onboarding emails, allowing phishers to embed a convincing “Unrecognized Device” message and direct users to a phishing site. Attackers used known customer email lists from prior breaches and Gmail dot aliasing to send emails from a legitimate noreply@robinhood.com address with SPF/DKIM, prompting users to review activity. Robinhood says the incident did not involve a system or account breach and has removed the Device: field from onboarding emails; recipients are advised to delete the message and avoid clicking links.

GlassWorm malware attacks return via 73 OpenVSX "sleeper" extensions
GlassWorm malware returns to OpenVSX with 73 “sleeper” extensions that look benign until they update, delivering a malicious payload. Six extensions are active so far; the rest appear dormant or suspicious. The extensions clone legitimate listings and function as loaders, fetching the payload from GitHub, loading platform-specific modules, or using obfuscated JavaScript at runtime. This wave signals a shift from embedding malware to delivering it on update. Researchers note the campaign previously targeted wallets and credentials and mid-March 2026 saw hundreds of repos affected; a full list of the 73 extensions has been published, and developers are urged to rotate secrets and clean their environments.

Canada arrests three for operating “SMS blaster” device in Toronto
Canadian authorities have arrested three men in Toronto for operating an "SMS blaster" that mimics a cellular tower to send phishing texts. The rogue base stations, which can move across the Greater Toronto Area, allegedly entrapped about 13 million mobile users and could disconnect devices from legitimate networks, potentially hindering emergency services. The investigation, dubbed Project Lighthouse, began in November 2025; two suspects were arrested March 31 in Markham and Hamilton, with a third turning himself in on April 21. This is the first known sighting of such a device in Canada. Officials advise treating SMS as insecure, avoiding links in texts, and using end-to-end encrypted channels for sensitive communications, while noting that disabling 2G downgrades is recommended as an additional precaution.

Alleged Silk Typhoon Hacker Extradited to the U.S. for Cyberespionage
Xu Zewei, a Chinese national alleged to have carried out cyberespionage for China's Ministry of State Security and linked to the Silk Typhoon/Hafnium group, has been extradited from Italy to the United States to face criminal charges. U.S. prosecutors say he conducted intrusions from February 2020 to June 2021, including targeting COVID-19 research and exploiting Microsoft Exchange Server zero-days, while working as a contracted hacker for Shanghai Powerock Network under MSS direction; he was previously arrested in Milan in 2025 at the request of the U.S. for ties to Silk Typhoon.

PyPI package with 1.1M monthly downloads hacked to push infostealer
Attackers pushed a poisoned PyPI release of the elementary-data package (0.23.3) and a related Docker image to steal sensitive data and cryptocurrency wallets. The compromise exploited a GitHub Actions script-injection flaw in a pull request, exposing the workflow’s GITHUB_TOKEN and allowing a forged commit and tag to trigger the legitimate release pipeline. A clean replacement, elementary-data 0.23.4, was released, but users who installed 0.23.3 remain compromised, as the payload (elementary.pth) could exfiltrate SSH keys, credentials, cloud and Kubernetes secrets, environment tokens, and wallet files. With 1.1 million+ monthly downloads, affected users should rotate all secrets and restore from a safe point.

Microsoft rolls out revamped Windows Insider Program
Microsoft is revamping the Windows Insider Program to two channels—Experimental (replacing Dev/Canary) and Beta—to simplify testing and address Windows 11 reliability concerns. Beta will deliver features immediately while Experimental uses feature flags you can toggle in Settings; the rollout will happen in phases with specific builds for each channel.

UNC6692 Uses Microsoft Teams to Deploy Snow Malware
UNC6692 has deployed a new malware suite called Snow via Microsoft Teams, using social engineering and email bombing to entice victims. The Snow family consists of SnowBelt (a Chrome extension for persistence), SnowBasin (a backdoor), and SnowGlaze (a tunneler/C2 conduit). After compromising a network, the group performs internal reconnaissance, dumps LSASS memory, uses pass-the-hash, and exfiltrates Active Directory data (via LimeWire), enabling lateral movement and domain takeover. Mandiant provides IoCs and YARA rules to help detect Snow.

ADT confirms data breach after ShinyHunters leak threat
ADT confirms a data breach after a ShinyHunters extortion threat, detecting unauthorized access on April 20, 2026 and concluding personal data was stolen. The exposed information includes names, phone numbers, and addresses, with a small percentage containing dates of birth and the last four digits of Social Security numbers or Tax IDs; payment data was not accessed and customer security systems were not affected. ShinyHunters claimed as many as 10 million records were stolen and threatened to leak the data unless a ransom is paid. The attackers allegedly used a vishing campaign to compromise an employee’s Okta SSO and accessed Salesforce data. ADT says it has contacted all affected individuals.

New ‘Pack2TheRoot’ flaw gives hackers root Linux access
Researchers have disclosed Pack2TheRoot, a local privilege escalation vulnerability (CVE-2026-41651) in the PackageKit daemon that could let an unprivileged Linux user install or remove system packages and gain root. The flaw has persisted since 2014 in PackageKit 1.0.2 through 1.3.4 and is fixed in PackageKit 1.3.5. Affected distributions include Ubuntu (18.04–26.x), Debian, Rocky Linux, and Fedora; other systems that use PackageKit may also be vulnerable. Users should upgrade to PackageKit 1.3.5, verify the installed PackageKit version with dpkg -l | grep packagekit (or rpm -qa), and check the PackageKit daemon status with systemctl status packagekit or pkmon. The Deutsche Telekom Red Team found that certain commands could bypass authentication on Fedora, enabling privilege escalation; details and the PoC are redacted to allow patches to propagate.

DORA and operational resilience: Credential management as a financial risk control
The EU’s Digital Operational Resilience Act (DORA) Article 9 makes credential security a binding financial risk control for banks and financial institutions, emphasizing that stolen credentials are the top initial access vector and can enable months of unseen operational disruption. The post breaks down Article 9 requirements—phishing-resistant MFA (FIDO2/WebAuthn), least-privilege access with just-in-time provisioning, and cryptographic key protection with encrypted credential vaults—and maps them to practical controls like PAM, session recording, and comprehensive audit trails. It uses breaches (France’s national bank registry and Santander’s vendor-based Snowflake breach) to illustrate regulatory exposure and the risk of vendor credentials. A four-part program is proposed: deploy phishing-resistant MFA, enforce least privilege, vault all credentials, and monitor continuously. Passwork is highlighted as a self-hosted, ISO 27001-certified solution that supports these controls and provides audit-ready logs, with an emphasis on audit preparation to satisfy regulators.

Over 10,000 Zimbra servers vulnerable to ongoing XSS attacks
More than 10,000 Zimbra Collaboration Suite installations exposed online remain vulnerable to an ongoing XSS flaw (CVE-2025-48700), risking unauthenticated data exposure via JavaScript in user sessions. Affected versions include ZCS 8.8.15, 9.0, 10.0, and 10.1; patches were released by Synacor in June 2025. CISA has flagged the vulnerability as exploited in the wild and added it to the Known Exploited Vulnerabilities catalog, with federal agencies ordered to patch by April 23, 2026. Shadowserver reports about 10,500 unpatched servers, concentrated in Asia and Europe. The situation echoes past Zimbra abuses by state-backed groups (e.g., APT28, Cozy Bear) in phishing and credential-stealing campaigns, underscoring ongoing risk to governments and enterprises.

Microsoft now lets admins uninstall Copilot on enterprise devices
Microsoft has introduced a new policy, Remove Microsoft Copilot App, that lets IT admins uninstall the Copilot assistant from managed Windows devices. The policy, available as a Policy CSP and via Group Policy after the April 2026 Patch Tuesday, targets Windows 11 25H2 devices where the Microsoft 365 Copilot and Copilot are installed, the user did not install the Copilot app themselves, and Copilot hasn’t been launched in the prior 28 days; it is deployable through Intune or SCCM and uninstalls Copilot non-disruptively, though users can reinstall if they choose.

Trigona Ransomware Attacks Use Custom Exfiltration Tool to Steal Data
Trigona ransomware operators are now using a custom command-line exfiltration tool, uploader_client.exe, to steal data more quickly from compromised networks. The tool connects to a hardcoded server, supports up to five parallel uploads per file, rotates TCP connections after 2GB of traffic, and can selectively exfiltrate certain file types while requiring an authentication key to access stolen data. The March attacks attributed to a gang affiliate signal a shift from publicly available tools to proprietary malware to stay under security monitoring. In these campaigns, Trigona also deploys the Huorong Network Security Suite’s HRSword kernel driver, tools to disable security products, PowerRun for elevated execution, AnyDesk for remote access, and credential tools like Mimikatz and Nirsoft. Symantec provides IoCs to aid detection and blocking of these activities.

New Checkmarx supply-chain breach affects KICS analysis tool
Security researchers have disclosed a supply-chain breach affecting Checkmarx KICS, compromising official Docker images and VS Code/Open VSX extensions to harvest secrets from developer environments. The attack uses a hidden MCP addon to steal GitHub tokens, cloud credentials, npm tokens, SSH keys, and environment variables, encrypting and exfiltrating them to a spoofed audit.checkmarx.cx domain, with automatically created GitHub repos for data leakage. The malicious activity was active on 2026-04-22 from 14:17:59 to 15:41:31 UTC; affected tags have been restored and the fake v2.1.21 tag removed. Checkmarx has rotated exposed credentials and removed artifacts; users should rotate secrets, rebuild from known safe baselines, block exfiltration endpoints, and use pinned SHAs. Safe versions include DockerHub KICS v2.1.20 and updated extensions.

Kyber ransomware gang toys with post-quantum encryption on Windows
Rapid7 reveals a new Kyber ransomware operation targeting Windows and VMware ESXi, with one variant claiming post-quantum Kyber1024 encryption. Two variants were observed in March 2026 using the same campaign ID and Tor-based infrastructure: a Windows Rust-based encryptor that uses Kyber1024 (and X25519) to protect AES-CTR bulk encryption, and an ESXi-focused variant that encrypts datastore files, can terminate VMs, and deface management interfaces. The Windows payload appends the .#~~~ extension, shuts down services, deletes backups, wipes event logs, and can terminate Hyper-V VMs; the ESXi variant enumerates VMs, encrypts datastores, and defaces interfaces. A Linux ESXi variant reportedly uses ChaCha8 with RSA-4096 for key wrapping. Despite Kyber1024 branding, Rapid7 notes Kyber is not used for direct file encryption; files are effectively unrecoverable without the attacker key. So far, at least one victim is publicly listed—a large U.S. defense contractor and IT services provider.

Inside Caller-as-a-Service Fraud: The Scam Economy Has a Hiring Process
This post exposes Caller-as-a-Service, a structured, scalable fraud operation that treats phone scams like a professional business. It maps a full attack lifecycle with distinct roles—from data sourcing and infrastructure to live-call agents—supervision, and varied compensation models. It explains underground recruitment tactics (including “proof-of-profit” visuals and English-language targeting), how stolen data fuels campaigns, and the shift toward industrialized social engineering. The piece also outlines defender and individual implications, recommending stronger identity verification, behavioral analytics, and MFA, and it highlights Flare’s ability to detect leaked data and recruitment activity to preempt attacks.

Microsoft Releases Emergency Patches for Critical ASP.NET Core Privilege Escalation Flaw
Microsoft issued out-of-band security updates to patch a critical ASP.NET Core Data Protection vulnerability (CVE-2026-40372) that could allow attackers to forge authentication cookies and escalate to SYSTEM privileges. The flaw stems from a regression in DataProtection packages 10.0.0–10.0.6, where the HMAC validation used the wrong bytes, enabling forged payloads to bypass authenticity checks and decrypt prior payloads in auth cookies, antiforgery tokens, TempData, and OIDC state. If exploited, attackers could impersonate a privileged user and cause the app to issue legitimately signed tokens to themselves; those tokens remain valid after upgrading unless the DataProtection key ring is rotated. Microsoft urges updating Microsoft.AspNetCore.DataProtection to 10.0.7 and redeploying to reject forged payloads, and to rotate the key ring to invalidate any minted tokens. The advisory notes the vulnerability can also enable file disclosure and data modification, without impacting system availability. Related context includes earlier CVE-2025-55315 and other Windows Server updates released in April 2026.

Over 1,300 Microsoft SharePoint servers vulnerable to spoofing attacks
More than 1,300 Microsoft SharePoint servers remain online and unpatched against CVE-2026-32201, a spoofing vulnerability affecting SharePoint Server 2016, 2019, and Subscription Edition. Exploitation could allow attackers to view or modify sensitive data with a low-complexity, no-interaction attack, though it cannot disable access to the resource. Microsoft released patches in April 2026, but Shadowserver reports only a small number of systems have been updated. CISA added CVE-2026-32201 to its Known Exploited Vulnerabilities catalog and ordered Federal Civilian Executive Branch agencies to patch by April 28 under BOD 22-01. The April Patch Tuesday also fixed 167 vulnerabilities, including two zero-days.

French govt agency confirms breach as hacker offers to sell data
France’s ANTS agency confirms a data breach after a threat actor claimed access to the ants.gouv.fr portal, potentially exposing up to 19 million records. Exposed data include login IDs, full names, emails, dates of birth, unique account IDs, and some postal addresses, places of birth, and phone numbers, with the breach not granting portal access but enabling phishing risks. Authorities CNIL, the Paris Public Prosecutor, and ANSSI are involved, and the attacker has offered the data for sale; users are advised to stay vigilant for suspicious messages, with no action required at this time.

KelpDAO Hit by $290 Million Heist Linked to Lazarus Hackers
North Korea’s Lazarus Group is suspected to have stolen about $290 million from KelpDAO by exploiting a compromised cross-chain verification layer to drain roughly 116,500 rsETH (around $293 million) and move funds through Tornado Cash. The attack also affected Compound and Euler, with Aave freezing rsETH deposits/borrowing. LayerZero and partners are investigating, with attribution pointing to Lazarus TraderTraitor. The breach appears isolated to rsETH with no broader contagion.

China's Apple App Store infiltrated by crypto-stealing wallet apps
Security researchers have uncovered 26 fake crypto-wallet apps on Apple's App Store in China that impersonate wallets like MetaMask, Coinbase, Trust Wallet, and OneKey to steal seed phrases. The FakeWallet campaign, linked to SparkKitty, used typosquatting and spoofed branding and was disguised as games or calculator apps to evade bans. These trojanized apps harvest mnemonic phrases during setup, encrypt them, and transmit them to attackers, enabling funds to be drained from wallets—even via phishing prompts on cold-storage devices. Although China-focused, the malware has no geographic limit. Apple removed all 26 apps after the disclosure; users should verify publishers and use official sources only.

The Gentlemen ransomware now uses SystemBC for bot-powered attacks
Check Point reveals that The Gentlemen ransomware affiliate network has begun using SystemBC proxy malware, forming a botnet of over 1,570 hosts to covertly deliver payloads and support post-exploitation operations, signaling a shift toward a broader, more mature toolchain targeting corporate environments across the US, UK, Germany, Australia, and Romania.

NIST to stop rating non-priority flaws due to volume increase
NIST’s National Vulnerability Database will stop assigning severity scores to lower-priority vulnerabilities due to a surge in submissions. Beginning April 15, 2026, CVEs will be enriched only if they meet risk-based criteria: they appear in CISA’s Known Exploited Vulnerabilities catalog, affect U.S. federal software, or involve software deemed critical under Executive Order 14028. All submitted CVEs will still appear in the NVD, but those not meeting the criteria will be labeled Not Scheduled; enrichment requests for the lowest-priority CVEs can still be sent to nvd@nist.gov. The change aims to focus on vulnerabilities with the greatest potential for widespread impact amid a 263% rise in submissions and 42,000 CVEs enriched in 2025.

Vercel confirms breach as hackers claim to be selling stolen data
Vercel confirms a security incident after a third-party AI tool’s Google Workspace OAuth app was compromised, with attackers claiming to sell stolen data. The breach allegedly allowed access to non-sensitive environment variables and, later, broader access; Vercel says core services remain unaffected and is working with investigators and law enforcement. Customers are advised to review environment variables, rotate secrets, and enable the sensitive-variable encryption feature; attribution to ShinyHunters remains unverified.

Microsoft releases emergency updates to fix Windows Server issues
Microsoft issued emergency out-of-band updates to fix issues caused by April 2026 security updates for Windows Server, including installation failures on Windows Server 2025, LSASS-related domain controller restart loops, and BitLocker recovery prompts after KB5082063, with fixes covering Windows Server 2025, 23H2, 2022, 2019, 2016, and Azure Datacenter editions.

Microsoft tests Windows Explorer speed, performance improvements
Microsoft is testing Windows 11 File Explorer speed and performance improvements for Insider users, including an optional background preloading feature to speed launches. The rollout also includes reliability fixes (stopping explorer.exe) and dark-mode white-flash fixes, building on the May 2025 Startup Boost for Office apps, plus a new Xbox mode for a full-screen gaming interface. The changes are rolling out to Release Preview Insiders on Windows 11 24H2/25H2 with builds 26100.8313 and 26200.8313 (KB5083631).

Microsoft Pulls Service Update Causing Teams Launch Failures
Microsoft has reverted a service update that caused Teams desktop launch failures due to a regression in the client build caching system; users experiencing the issue should fully quit and restart Teams for the fix to propagate, while Microsoft continues to monitor telemetry and seek confirmation that the incident is resolved.

Seiko USA website defaced as hacker claims customer data theft
Seiko USA’s website was defaced with a ransom note claiming the Shopify-backed customer database was breached and exfiltrated, threatening to publish sensitive data unless negotiations take place within a 72-hour window. The attackers allege they obtained names, emails, phone numbers, order histories, shipping details, and account notes, and point to a specific Shopify account ID (8069776801871) for negotiations. The claim’s legitimacy is unconfirmed, Seiko has not publicly commented, and the defacement has since been removed.

Recently leaked Windows zero-days now exploited in attacks
Threat actors are actively exploiting three newly disclosed Windows zero-days—BlueHammer, RedSun, and UnDefend—to gain SYSTEM or elevated privileges and to block Defender updates. BlueHammer has been patched in the April 2026 updates (CVE-2026-33825), but RedSun and UnDefend remain unpatched, enabling attacks on Windows 10/11 and Windows Server 2019+ even with Defender enabled. Security researchers have observed all three exploits in the wild since early April, including an instance via a compromised SSLVPN session, indicating hands-on-keyboard activity and foreshadowing a wave of further exploits.

CISA flags Apache ActiveMQ flaw as actively exploited in attacks
CISA warns that the high-severity CVE-2026-34197 flaw in Apache ActiveMQ is now actively exploited in attacks. The vulnerability enables remote code execution through improper input validation and was patched on March 30 for ActiveMQ Classic 6.2.3 and 5.19.4; Shadowserver reports over 7,500 exposed servers. CISA added CVE-2026-34197 to the Known Exploited Vulnerabilities catalog and ordered federal agencies to patch by April 30 under BOD 22-01, while private sector defenders are urged to apply mitigations for CVE-2026-35616 and monitor logs for suspicious broker activity; this follows prior ActiveMQ exploits CVE-2023-46604 and CVE-2016-3088.