W1RETAP CYBER BRIEF

DATE: 2MAY2026

MAJOR BREACHES HITTING THE WIRES

Trellix just confirmed unauthorized access to a portion of its source code repository. The cybersecurity vendor spotted the breach, looped in forensic experts, and notified law enforcement. No signs of code tampering or customer impact yet, but source leaks like this often fuel future exploits.

Edu-tech giant Instructure, the crew behind the Canvas learning platform, disclosed a fresh cyber incident. They are still digging into the scope and any data exposure. Schools and universities using Canvas should watch for follow-up alerts.

CRITICAL VULNS GETTING EXPLOITED RIGHT NOW

CISA is warning that a critical authentication bypass bug in cPanel and WHM (CVE-2026-41940) is already under active attack in the wild. Hosting providers and sysadmins running these panels need to apply the emergency patch immediately. This one lets attackers slip past login checks with minimal effort.

Microsoft pushed fixes for several issues, including incorrect Remote Desktop warnings and a batch of Windows 11 updates. Nothing zero-day level today, but the steady drumbeat of patches shows the patch treadmill never slows down.

THREAT GROUPS AND CAMPAIGNS TO WATCH

China-linked operators under the SHADOW-EARTH-053 tag are hammering governments in South and East Asia plus one NATO member. They chain N-day bugs in Microsoft Exchange and IIS servers to drop web shells and ShadowPad implants. Targets include Pakistan, Thailand, Malaysia, India, Myanmar, Sri Lanka, journalists, and activists.

Vietnamese phishing crews codenamed AccountDumpling used Google AppSheet as a relay to snag roughly 30,000 Facebook accounts. The stolen creds are already for sale on underground shops.

Two fast-moving crews, Cordial Spider and Snarky Spider, are running vishing attacks paired with SSO abuse to raid SaaS environments. They trick users into fake login pages, grab tokens, and pivot for quick extortion. These ops have been live since late 2025 and show no signs of slowing.

Supply-chain poisoners dropped malicious Ruby gems, Go modules, and even versions of PyTorch Lightning on public repos. The payloads steal credentials, tamper with CI pipelines, and set up persistence. Most packages have been yanked, but scan your dependencies.

ARRESTS AND COURTROOM WINS

A 15-year-old in France is in custody for allegedly selling data stolen from France Titres (the national agency handling IDs and permits). The breach exposed sensitive administrative records.

Two former incident-response pros, Ryan Goldberg and Kevin Martin, each received four-year prison sentences for helping the BlackCat (ALPHV) ransomware gang hit U.S. companies. After flipping to the dark side, they used their day-job knowledge to facilitate attacks and handle negotiations.

GOVERNMENT AND INDUSTRY MOVES

CISA added one new entry to its Known Exploited Vulnerabilities catalog and teamed with Five Eyes allies to release fresh guidance on safely deploying AI agents. The message is clear: treat agentic AI like any other high-risk system and lock it down early.

QUICK OSINT HITS FOR THE CREW

A new Python backdoor called DEEP#DOOR is spreading via phishing. It uses tunneling services to pull browser and cloud credentials while maintaining persistence through batch scripts and registry tweaks.

North Korean actors continue to dominate crypto thefts, pulling in 76 percent of all stolen funds tracked so far in 2026. AI tools are reportedly helping them scale the heists.

Linux kernels dating back to 2017 carry a local privilege-escalation flaw (CVE-2026-31431) that a 732-byte script can trigger for root access on major distros. Container setups are especially exposed.

Stay frosty out there. Patch fast, monitor your repos, and keep an eye on those SaaS logins.

HackNoGood OUT
