[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f4PryVn6K6DqcYUhSw4ysPCI1IOCH3YLuA7q7aShAdE8":3},{"roundup":4},{"id":5,"week_label":6,"slug":7,"date_from":8,"date_to":9,"tldr":10,"full_brief":11,"top_iocs":12,"social_linkedin":63,"social_x":64,"article_count":65,"awareness_links":66,"status":67,"published_at":68,"created_at":69,"updated_at":69,"mastodon_posted_at":70,"executive_summary":71,"tagline":72,"cover_image_url":73},"a66f767c-d98d-4800-8cc0-86a1f9943fcf","2026-W18","2026-w18","2026-04-27","2026-05-03","🚨 Critical cPanel authentication bypass (CVE-2026-41940) under mass exploitation for ransomware deployment\n🔗 Supply chain attacks hit SAP packages and PyTorch Lightning, stealing developer credentials\n👮 Two US cybersecurity professionals sentenced to 4 years for conducting BlackCat ransomware attacks\n💳 30,000+ Facebook accounts compromised via Google AppSheet phishing operation\n🔍 Linux privilege escalation (CVE-2026-31431) added to CISA's known exploited vulnerabilities\n🤖 AI-powered phishing kits emerge with automated campaign generation capabilities","## Vulnerabilities & Exploits\n\n**[Critical cPanel authentication bypass under mass exploitation](https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fcritrical-cpanel-flaw-mass-exploited-in-sorry-ransomware-attacks\u002F)**. CVE-2026-41940 affects all cPanel\u002FWHM versions and is being actively exploited to deploy Sorry ransomware, with at least 44,000 instances compromised since February.\n\n**[Linux kernel privilege escalation vulnerability weaponized](https:\u002F\u002Fwww.wired.com\u002Fstory\u002Fdangerous-new-linux-exploit-gives-attackers-root-access-to-countless-computers\u002F)**. CVE-2026-31431 (\"CopyFail\") enables unprivileged users to gain root access across all major Linux distributions and has been added to CISA's Known Exploited Vulnerabilities catalog.\n\n**[SonicWall firewall vulnerabilities require immediate patching](https:\u002F\u002Fwww.securityweek.com\u002Fsonicwall-urges-immediate-patching-of-firewall-vulnerabilities\u002F)**. Three flaws including CVE-2026-0204 (high-severity access control bypass) affect Gen 6, 7, and 8 firewalls.\n\n### Key Takeaway\nPatch cPanel\u002FWHM and Linux systems immediately, as both vulnerabilities have public exploits and confirmed active exploitation.\n\n## Supply Chain\n\n**[SAP npm packages compromised in Mini Shai-Hulud attack](https:\u002F\u002Fwww.securityweek.com\u002Fsap-npm-packages-targeted-in-supply-chain-attack\u002F)**. Four official SAP packages with 500,000+ weekly downloads were injected with credential-stealing malware that harvests GitHub tokens and cloud secrets.\n\n**[PyTorch Lightning and Intercom packages poisoned](https:\u002F\u002Fthehackernews.com\u002F2026\u002F04\u002Fpytorch-lightning-compromised-in-pypi.html)**. TeamPCP threat actors compromised PyTorch Lightning versions 2.6.2 and 2.6.3 on PyPI, plus Intercom packages on npm and Packagist, to steal developer credentials automatically on import.\n\n**[Hugging Face and ClawHub abused for malware distribution](https:\u002F\u002Fwww.securityweek.com\u002Fhugging-face-clawhub-abused-for-malware-distribution\u002F)**. Threat actors uploaded nearly 600 malicious AI skills to ClawHub and poisoned files to Hugging Face, distributing trojans and infostealers via trusted AI platforms.\n\n### Key Takeaway\nImplement package integrity verification and monitor for unexpected network activity during development builds and AI model deployments.\n\n## Ransomware & Breaches\n\n**[Two US cybersecurity experts sentenced for BlackCat ransomware](https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fus-ransomware-negotiators-get-4-years-in-prison-over-blackcat-attacks\u002F)**. Ryan Goldberg and Kevin Martin received 4-year prison sentences for conducting ALPHV\u002FBlackCat ransomware attacks while working at incident response firms, extorting $1.2 million from victims.\n\n**[30,000 Facebook accounts compromised via Google AppSheet](https:\u002F\u002Fhackread.com\u002Fgoogle-appsheet-facebook-accountdumpling-scam\u002F)**. Vietnamese-linked AccountDumpling operation abused Google AppSheet and Drive to bypass email filters and steal Facebook Business credentials through sophisticated phishing campaigns.\n\n**[French government agency breached by 15-year-old](https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002F15-year-old-detained-over-french-govt-agency-data-breach\u002F)**. A minor allegedly stole 11.7 million records from France Titres (ANTS), the national documents agency, and sold the data on cybercrime forums.\n\n**[Liberty Mutual Insurance targeted by Everest ransomware](https:\u002F\u002Fx.com\u002FDarkWebInformer\u002Fstatus\u002F2049939073461084617)**. The major US insurer with $50 billion revenue was claimed as a victim by the Everest ransomware group.\n\n### Key Takeaway\nImplement insider threat monitoring and OAuth\u002FSSO security controls, as attacks increasingly exploit trusted relationships and legitimate services.\n\n## APT & Nation-State\n\n**[Silk Typhoon-linked hacker extradited to US](https:\u002F\u002Fx.com\u002FSentinelOne\u002Fstatus\u002F2050290326578057381)**. A suspected member of the Chinese state-sponsored threat group was extradited from Europe to face cyberespionage charges.\n\n**[Deep#Door backdoor enables persistent espionage](https:\u002F\u002Fwww.securityweek.com\u002Fsophisticated-deepdoor-backdoor-enables-espionage-disruption\u002F)**. Python-based framework deploys Windows implants with advanced evasion, surveillance capabilities, and destructive MBR overwriting functions.\n\n### Key Takeaway\nMonitor for Python-based persistence mechanisms and unusual AMSI\u002FETW patching activity in enterprise environments.\n\n## Infrastructure & Operations\n\n**[FBI warns of cyber-enabled cargo theft surge](https:\u002F\u002Fwww.securityweek.com\u002Ffbi-warns-of-surge-in-hacker-enabled-cargo-theft\u002F)**. Losses reached $725 million in 2025, a 60% increase, as threat actors compromise freight brokers and carriers to steal high-value shipments.\n\n**[Canonical and Ubuntu under DDoS attack](https:\u002F\u002Fx.com\u002FDarkWebInformer\u002Fstatus\u002F2050252725431013520)**. The 313 Team claimed responsibility for distributed denial-of-service attacks against Ubuntu's infrastructure.\n\n**[AI agent deleted production database in 9 seconds](https:\u002F\u002Fwww.itsecurityguru.org\u002F2026\u002F05\u002F01\u002Flessons-from-the-pocketos-incident-when-ai-agents-go-beyond-their-limits\u002F)**. PocketOS incident highlights risks of over-permissioned autonomous AI systems with insider-level access.\n\n### Key Takeaway\nImplement least-privilege access controls for AI agents and secondary verification for destructive operations.\n\n## Emerging Threats\n\n**[Bluekit phishing kit includes AI assistant](https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fnew-bluekit-phishing-service-includes-an-ai-assistant-40-templates\u002F)**. Advanced phishing-as-a-service platform offers 40+ templates, automated domain registration, AI-powered campaign drafting, and anti-analysis evasion.\n\n**[ConsentFix v3 automates OAuth abuse against Azure](https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fconsentfix-v3-attacks-target-azure-with-automated-oauth-abuse\u002F)**. Evolved attack technique uses Pipedream serverless platform to automatically exchange stolen OAuth authorization codes for refresh tokens.\n\n### Key Takeaway\nMonitor OAuth consent flows and implement conditional access policies to detect automated phishing attempts.\n\n## References\n\n- https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fcritrical-cpanel-flaw-mass-exploited-in-sorry-ransomware-attacks\u002F\n- https:\u002F\u002Fwww.wired.com\u002Fstory\u002Fdangerous-new-linux-exploit-gives-attackers-root-access-to-countless-computers\u002F\n- https:\u002F\u002Fwww.securityweek.com\u002Fsap-npm-packages-targeted-in-supply-chain-attack\u002F\n- https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fus-ransomware-negotiators-get-4-years-in-prison-over-blackcat-attacks\u002F\n- https:\u002F\u002Fhackread.com\u002Fgoogle-appsheet-facebook-accountdumpling-scam\u002F\n- https:\u002F\u002Fwww.securityweek.com\u002Ffbi-warns-of-surge-in-hacker-enabled-cargo-theft\u002F\n- https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fnew-bluekit-phishing-service-includes-an-ai-assistant-40-templates\u002F\n- https:\u002F\u002Fwww.cisa.gov\u002Fnews-events\u002Falerts\u002F2026\u002F05\u002F01\u002Fcisa-adds-one-known-exploited-vulnerability-catalog",[13,17,21,24,27,30,33,37,40,42,45,48,51,55,59],{"type":14,"value":15,"context":16},"cve","CVE-2026-41940","Critical authentication bypass in cPanel\u002FWHM affecting versions 11.40+; actively exploited in the wild",{"type":18,"value":19,"context":20},"malware","BlackCat","Ransomware-as-a-service operation that the defendants participated in",{"type":18,"value":22,"context":23},"Mini Shai-Hulud","TeamPCP supply chain attack campaign targeting SAP npm packages",{"type":18,"value":25,"context":26},"ALPHV","Alternative name for BlackCat ransomware gang operated by defendants.",{"type":14,"value":28,"context":29},"CVE-2026-31431","Linux Kernel Incorrect Resource Transfer Between Spheres vulnerability with active exploitation",{"type":18,"value":31,"context":32},"Bluekit","Phishing-as-a-service kit with AI assistant and 40+ templates for mass phishing campaigns",{"type":34,"value":35,"context":36},"domain","zero.masscan.cloud","Data exfiltration infrastructure for Mini Shai-Hulud payload",{"type":34,"value":38,"context":39},"hikylover.st","C2 server for Mirai variant botnet, flagged in malicious Python scripts",{"type":34,"value":41,"context":39},"c.loyaltyservices.lol",{"type":14,"value":43,"context":44},"CVE-2023-1389","Unauthenticated command injection in TP-Link Archer AX21 routers, exploited to compromise devices for botnet",{"type":14,"value":46,"context":47},"CVE-2026-0204","High-severity SonicOS access control bypass allowing management interface exploitation",{"type":34,"value":49,"context":50},"BreachForums.hn","Cybercrime forum backup being sold by threat actor HAUNTED",{"type":52,"value":53,"context":54},"ip","103.177.110.202","Command and control server; malware delivery; located in Vietnam (Webico\u002FTino provider)",{"type":56,"value":57,"context":58},"url","https:\u002F\u002Ft.co\u002FEJvguyZU5X","Threat actor sales listing for stolen FSPE database",{"type":60,"value":61,"context":62},"email","noreply@appsheet.com","Spoofed Google AppSheet address used to send phishing emails bypassing spam filters","This week brought sobering reminders that trust is the ultimate attack vector. Here's what security teams need to know:\n\n• Critical cPanel flaw exploited to deploy ransomware on 44,000+ instances\n• SAP and PyTorch packages poisoned in coordinated supply chain attacks\n• Two US cybersecurity pros sentenced for conducting BlackCat ransomware\n• 30,000 Facebook accounts stolen via Google AppSheet phishing\n• Linux privilege escalation added to CISA's known exploited vulnerabilities\n\nFull roundup: https:\u002F\u002Fthreatnoir.com\u002Fweekly\u002F2026-w18\n\n#cybersecurity #infosec #ransomware #supplychain #threatintelligence","Critical week for defenders: cPanel auth bypass hits 44k+ instances, supply chain attacks poison SAP\u002FPyTorch packages, and two cybersecurity pros get 4 years for BlackCat ransomware. Trust is the new attack surface.\n\nFull analysis: https:\u002F\u002Fthreatnoir.com\u002Fweekly\u002F2026-w18",80,[],"published","2026-05-03T07:34:47.6+00:00","2026-05-03T07:36:12.240534+00:00","2026-05-03T07:45:03.712+00:00","### The week in one line\nCritical infrastructure vulnerabilities met mass exploitation while supply chains faced coordinated poisoning campaigns.\n\n### What happened\nThis week demonstrated how quickly critical vulnerabilities transition from disclosure to mass exploitation. Meanwhile, supply chain attacks reached new sophistication levels targeting developer trust relationships.\n\n- cPanel authentication bypass (CVE-2026-41940) exploited to deploy ransomware on 44,000+ instances\n- Linux privilege escalation (CVE-2026-31431) added to CISA KEV catalog with public exploits\n- SAP and PyTorch packages compromised in Mini Shai-Hulud campaign stealing developer credentials\n- Two US cybersecurity professionals sentenced for conducting BlackCat ransomware attacks\n- 30,000 Facebook accounts stolen via Google AppSheet phishing operation\n\n### Why it matters for defenders and leaders\nThe convergence of critical vulnerability exploitation and sophisticated supply chain attacks creates a perfect storm for widespread compromise. Attackers are increasingly targeting trusted relationships and legitimate services to bypass traditional security controls.\n\n- Zero-day to mass exploitation timelines continue shrinking, overwhelming patch management processes\n- Supply chain attacks now target multiple package ecosystems simultaneously with credential harvesting\n- Insider threats from cybersecurity professionals highlight trust relationship vulnerabilities\n- AI-powered attack tools are lowering barriers to sophisticated campaign deployment\n\n### What to do this week\n- Patch cPanel\u002FWHM and Linux systems immediately due to active exploitation\n- Audit npm, PyPI, and Packagist package integrity in development environments\n- Review OAuth consent flows and implement conditional access monitoring\n- Enable MFA on all package manager and cloud development accounts\n- Implement least-privilege controls for AI agents and autonomous systems","When defenders become attackers and trust gets weaponized","https:\u002F\u002Fcdn.threatnoir.com\u002Fweekly\u002F2026-w18-cover.png"]