Critical, High-Severity Vulnerabilities Patched in Apache MINA, HTTP Server.

Google now offers up to $1.5 million for some Android exploits.

The top reward of $1.5 million is reserved for zero-click Pixel Titan M2 security chip full-chain exploits with persistence, the most technically demanding attack scenario in the program, while the same exploits, but without persistence, are also eligible for up to $750,000.

On the Google Chrome side, full-chain browser process exploits on up-to-date operating systems and hardware now come with rewards of up to $250,000, plus an additional $250,128 bonus for successfully exploiting MiraclePtr-protected memory allocations.

CloudZ malware abuses Microsoft Phone Link to steal SMS and OTPs.

Karakurt extortion gang ‘cold case’ negotiator gets 8.5 years in prison.

WhatsApp Discloses File Spoofing, Arbitrary URL Scheme Vulnerabilities.

eaver E-cology RCE Flaw CVE-2026-22679 Actively Exploited via Debug API.

Critical MajorDoMo RCE (CVE-2026-27174): Unauthenticated Remote Code Execution Analysis.

San Diego Community College District fighting major cyberattack.

Chinese-linked Salt Typhoon suspected in Italy's Sistemi Informativi breach.

Phishing Campaign Hits 80+ Orgs Using SimpleHelp and ScreenConnect RMM Tools.

A scan of 2M hosts found 1M exposed services, revealing widespread security gaps in self-hosted AI systems.

31% of 5,200 Ollama servers responded without authentication, and 90+ platforms were publicly accessible. Weak defaults and misconfigurations are driving exposure.

North Korea-linked ScarCruft breached sqgame[.]net in a supply chain attack, deploying BirdCall malware targeting ethnic Koreans in China.

Trojanized Android apps and earlier Windows updates enabled surveillance via cloud-based control systems.

A critical MetInfo CMS flaw (CVE-2026-29014, CVSS 9.8) is under active exploitation, allowing unauthenticated remote code execution.

Attacks began April 25 and surged by May 1, targeting exposed systems globally.

Critical RCE flaw (CVE-2026-22679, CVSS 9.8) in Weaver E-cology 10.0 is under active exploitation.

Attackers use unauthenticated requests to execute commands; activity observed since March 17–31, 2026, with failed payload drops & MSI attempts.

Microsoft says 35,000 users were targeted in an April 2026 phishing campaign across 13,000 organizations in 26 countries.

Attackers used AiTM phishing, CAPTCHA pages, and trusted email services to steal credentials and bypass MFA.

CRITICAL: Palo Alto Networks has disclosed CVE-2026-0300, a buffer overflow in PAN-OS that is already being exploited in the wild.

CVSS 4.0 score: 9.3.

Unauthenticated attackers can hit the User-ID Authentication Portal (the Captive Portal service) with crafted packets and pop a root shell on the firewall.

China plans to nearly double its data center capacity to around 60 GW by 2030, adding 28 GW of new projects to the existing 32 GW installed at the end of 2025, according to Rystad Energy analysis. This AI- and HPC-driven expansion will boost power consumption to 289 TWh annually, accounting for 2.3% of national electricity demand with a 19% CAGR.

CVE-2026-23918 (CVSS 8.8) in HTTP Server 2.4.66.

The HTTP/2 double-free flaw can trigger DoS and potentially enable remote code execution via crafted requests. Fixed in 2.4.67.

US Gov't AI Pre-Release Testing Pact

The US Commerce Department's Center for AI Standards and Innovation (CAISI) has new voluntary agreements with Microsoft, Google, and xAI to evaluate advanced AI models for security risks before public release. Building on prior deals with OpenAI and Anthropic, this covers all major US frontier labs and involves over 40 assessments to date. It expands military-industry AI collaborations amid growing national security concerns.