
ThreatNoir Morning Brief — May 1

2026-05-01 | Morning | 4 articles

Morning Review in IT Security — May 1, 2026

The cybersecurity landscape continues to shift rapidly: a critical vulnerability has entered active exploitation, an insider-threat case has reached sentencing, and supply chain attacks are expanding their reach into enterprise development ecosystems. Today's briefing covers urgent threats spanning authentication systems, a ransomware conspiracy, and compromised software packages, all of which demand immediate attention from security teams.

cPanel Authentication Bypass Under Active Exploitation

The Cybersecurity and Infrastructure Security Agency has added CVE-2026-41940, a critical authentication bypass vulnerability in cPanel, to its Known Exploited Vulnerabilities catalog following confirmed active attacks against hosting providers. The flaw entered the KEV list just days after hosting providers disclosed ongoing exploitation in their environments, indicating rapid weaponization by threat actors. Source: cPanel's authentication bypass bug is being exploited in the wild, CISA warns

Organizations operating cPanel infrastructure should prioritize immediate patching and monitoring for signs of unauthorized access. The speed of exploitation underscores the critical nature of this vulnerability and the necessity for swift remediation across affected systems.

Two U.S. Cybersecurity Professionals Sentenced in BlackCat Ransomware Operation

Two cybersecurity professionals based in the United States have received sentences in connection with their involvement in the BlackCat ransomware operation. Source: When the Defenders Become the Attackers: Two U.S. Cybersecurity Pros Sentenced in BlackCat Ransom...

This case represents a significant development in insider threat prosecutions, demonstrating that law enforcement continues to pursue individuals with security expertise who have turned to criminal activity. The sentencing reinforces the legal consequences facing those who leverage their professional knowledge to participate in ransomware campaigns.

TeamPCP Expands Supply Chain Attacks to SAP npm Packages

The threat group TeamPCP has compromised multiple npm packages within SAP's cloud application development ecosystem through an attack variant designated "Mini Shai-Hulud." The compromise represents an expansion of TeamPCP's supply chain attack capabilities targeting enterprise development infrastructure. Source: TeamPCP Hits SAP Packages With 'Mini Shai-Hulud' Attack

Development teams utilizing SAP's cloud application ecosystem should audit their dependencies and verify the integrity of recently installed packages. This attack vector demonstrates the persistent threat to open-source supply chains serving enterprise customers.

Misconfigured Carding Server Exposes 345,000 Stolen Credit Cards

A misconfigured server operated by threat actors associated with the Jerry's Store carding marketplace has leaked approximately 345,000 stolen credit card records. The exposure resulted from an error in AI-generated code that introduced a critical security misconfiguration, allowing unauthorized access to the server's contents. Source: Misconfigured Server Run by Hackers Leaks 345,000 Stolen Credit Cards

The incident illustrates that even criminal infrastructure remains vulnerable to operational security failures, particularly when automated coding tools introduce unforeseen misconfigurations. The exposed card data represents a significant fraud risk for affected cardholders and financial institutions.

Security teams should remain vigilant regarding these emerging threats, with particular attention to patching cPanel systems, auditing SAP development dependencies, and monitoring for fraudulent activity associated with the exposed credit card data.

Sources & IOCs

Source articles and extracted indicators (defanged where appropriate).