Threat Intelligence

White line art on bronze: a cracked brick wall with one patched and one open crack, a stack of patch tiles descending, a remediation-cycle dial, three server racks with one tilted.

Vulnerabilities

cPanel Just Issued Its Second Emergency Patch in 10 Days. The Pattern Is the Story.

cPanel released its second emergency Technical Security Release in 10 days on May 8, patching three new vulnerabilities (CVE-2026-29201, CVE-2026-29202, CVE-2026-29203) just after CVE-2026-41940 compromised an estimated 44,000 servers. The pattern is the story.

10 May 2026

White line art on plum: two cloned AI model card tiles with a Trojan horse silhouette emerging from one, a data pipe to a crypto wallet, a browser with a key icon.

Application Security

A Fake OpenAI Repository on Hugging Face Hit 244,000 Downloads. It Was Stealing Crypto Wallets and Browser Sessions.

HiddenLayer disclosed on May 7 that a malicious Hugging Face repository, Open-OSS/privacy-filter, typosquatted OpenAI's legitimate Privacy Filter release and shipped a Rust-based infostealer called Boxter. The repo briefly hit #1 on Hugging Face and reached 244,000 downloads before takedown.

09 May 2026

White line art on sage green: a laptop with three floating keys descending toward its terminal screen, three credential file icons on a shelf below, a Linux penguin silhouette, and a red dot.

Application Security

A New Linux RAT Was Built to Steal npm and PyPI Tokens, and It's the Tool the Next LiteLLM Was Waiting For

Trend Micro researchers disclosed Quasar Linux RAT (QLNX) on May 4 — a Linux implant purpose-built to harvest npm tokens, PyPI keys, AWS credentials, Kubernetes configs, and the rest of the developer credential file universe. Capabilities map to the LiteLLM compromise of March 2026.

09 May 2026

White line art on slate blue-grey: a stack of database cylinders with a diagonal slash, a video-call window with a red-orange end-call dot, and a chat bubble with code brackets.

Cyber Crime

A Federal Jury Just Convicted One of the Brothers Who Wiped 96 Government Databases After Being Fired by Video Call

A federal jury in Alexandria, Virginia convicted Sohaib Akhter on May 7, 2026 for his role in deleting roughly 96 U.S. government databases at federal contractor Opexus on the day he and his twin brother were fired in February 2025. The case is also notable for an unprecedented detail:

08 May 2026

White line art on rust brown: an open filing cabinet drawer with three dashboard outlines (chart, gauge, line graph) fanned behind, an open padlock, and a red-orange accent dot.

Application Security

RansomHouse Claims the Trellix Breach, and the Screenshots Show More Than Source Code

RansomHouse claimed responsibility on May 7 for the Trellix breach the cybersecurity firm disclosed last week — and Cybernews researchers say screenshots posted by the group show internal VMware, Rubrik, and Dell EMC dashboards. That's a much wider compromise than Trellix's "portion of our source code

08 May 2026

White line art on olive green: two server racks linked by a shared cable through a central hexagonal node, with a bracket-handshake symbol above and a red-orange accent dot.

Threat Intelligence

Two Pro-Ukraine Hacktivist Groups Are Now Sharing Infrastructure — and It Looks Quasi-State-Sponsored

Kaspersky researchers reported on May 7-8 that pro-Ukraine hacktivist groups BO Team (also known as Black Owl) and Head Mare appear to be coordinating their cyber operations against Russian organizations — sharing infrastructure including command-and-control systems on the same compromised host. BO Team had previously operated more autonomously than other hacktivist

08 May 2026

Minimalist white line art on maroon: an open vault door with files spilling out onto a curved globe-grid, with an unlocked padlock above.

Application Security

WIRED Found 380,000 Vibe-Coded Apps on the Open Web — and 5,000 of Them Were Leaking Corporate Data

WIRED's Andy Greenberg published an investigation on May 7, 2026 reporting that the Israeli cybersecurity firm RedAccess found roughly 380,000 publicly accessible web assets built with AI "vibe-coding" platforms — Lovable, Base44, Replit, and Netlify — of which around 5,000 exposed sensitive corporate data and another

07 May 2026

Minimalist white line art on coral: a theatrical face mask hovering above a webcam and a video-call window, with strings connecting the mask to both like a puppet.

Fraud

A 404 Media Reporter Watched Someone Else Become Him, Live, on Microsoft Teams

404 Media's Joseph Cox published an investigation on May 7, 2026 in which he obtained, installed, and personally tested Haotian AI — a Chinese realtime deepfake software marketed to scammers — and watched a Cambodia-based operator's face shapeshift into his own during a live Microsoft Teams call. Haotian

07 May 2026

Minimalist white line art on beige: a hand emerges from a 'VERIFY' box holding a pill capsule toward a clipboard.

phishing

Australia Warns That Fake Cloudflare CAPTCHAs on Real Australian Websites Are Pushing Vidar Stealer

The Australian Signals Directorate's Australian Cyber Security Centre published an advisory on May 7, 2026 warning that pro-criminal threat actors are using compromised legitimate Australian WordPress websites as launch pads for ClickFix social-engineering attacks delivering the Vidar Stealer information-stealing malware. Visitors to compromised Australian business websites are shown

07 May 2026

Minimalist white line art on bright cyan-teal: a wax-sealed envelope with a small backdoor cut into one side, beside three stacked file icons on a shelf.

Malware

Daemon Tools Was Trojanized for a Month — and the Installer Was Properly Signed

Kaspersky disclosed on May 5, 2026 that Daemon Tools — disk-imaging software with millions of users worldwide — has been distributing trojanized installers from its official website since April 8, 2026. The compromised binaries were signed with valid AVB Disc Soft developer certificates. Thousands of machines across approximately 100 countries received a

07 May 2026

Minimalist white line art on hot magenta: an hourglass with sand draining beside two padlocks linked by a chain, with '72 HOURS' floating above.

Vulnerabilities

Ivanti EPMM Has a Third Zero-Day This Year — and CISA Just Gave Federal Agencies Three Days to Patch

Ivanti disclosed CVE-2026-6973 on May 7 — a CVSS 7.2 EPMM flaw under active exploitation. CISA gave federal agencies just three days to patch (May 10 deadline). It's the third EPMM zero-day of 2026, and Ivanti hints attackers are using credentials stolen during January's campaign. On

07 May 2026

Minimalist white line art on gold-amber: a telephone handset with its cord stretching across the frame to loop around a hardware wallet, with a house silhouette and coin pile mid-frame.

Cyber Crime

$250M Crypto Gang's Burglar Just Got 6.5 Years — Hardware Wallets Aren't Safe

Marlon Ferro, a 20-year-old Santa Ana, California man also known online as "GothFerrari" and "Marlo," was sentenced to 78 months in federal prison on May 7, 2026 for serving as the home-invader and money-launderer for a 14-person "Social Engineering Enterprise" that stole more than

07 May 2026

See all