🛑 Gemini and Cursor vulnerabilities exposed direct code execution in dev workflows.

#Gemini CLI (CVSS 10.0) auto-trusted folders in CI, letting malicious .gemini/ configs from PRs run on hosts. #Cursor bugs triggered hidden Git hooks and exposed local API keys via extensions.

🔗 Details → https://thehackernews.com/2026/04/google-fixes-cvss-10-gemini-cli-ci-rce.html

⚠️ UPDATE: #cPanel flaw now tracked as CVE-2026-41940 (CVSS 9.8)—an auth bypass granting unauthenticated admin access.

Actively exploited as a 0-day for weeks. Root cause: CRLF injection lets attackers forge sessions and escalate to root.

🔗 Exploit mechanics and real-world impact → https://thehackernews.com/2026/04/critical-cpanel-authentication.html

⚠️ A new #Linux flaw mirrors Dirty Pipe—but adds cross-container impact.

“Copy Fail” (CVE-2026-31431) lets any local user overwrite cached system files and run them as root. No race condition.

Works across major Linux distros since 2017.

🔗 Read → https://thehackernews.com/2026/04/new-linux-copy-fail-vulnerability.html

🚨 Attackers are targeting enterprise admins with fake tools and running control through #Ethereum smart contracts.

Malware spreads via SEO-poisoned #GitHub repos, then pulls live C2 from blockchain. No domains to block. Access lands on high-privilege systems.

🔗 Learn how this campaign turns search results into enterprise breaches → https://thehackernews.com/2026/04/etherrat-distribution-spoofing.html

⚠️ Malware now ships its payload inside the installer.

DEEP#DOOR embeds a Python backdoor in a script, extracts it at runtime, and avoids external downloads.

Using tunneling, it keeps access and steals credentials with minimal trace.

🔗 Read → https://thehackernews.com/2026/04/new-python-backdoor-uses-tunneling.html

AI-enabled cyber attacks are on the rise. Are you prepared? Most orgs aren’t as prepared as they think for AI-enabled attacks, but it’s never too late to start.

The cyber risk playbook for the AI threat era draws on research from over 200 GRC, IT, and cybersecurity professionals to gain new insights into AI-enabled attacks and the need for proactive cyber resilience.

Get the playbook today → https://thn.news/nyc-cyber-training

🔥 Cyber chaos exploding this week...

• Fake cell towers
• npm .env theft
• Extensions sell data
• 3.4M servers exposed
• Vidar tops stealers
• 38 OpenEMR flaws
• Komari backdoor used
• Saiga 2FA kits
• Black Axe arrests
• PhantomRPC unpatched
• Robinhood phishing trick
• arXiv leaks keys
• Qinglong crypto mining
• PyPI supply attack

🛡️ Full list here → https://thehackernews.com/2026/04/threatsday-bulletin-sms-blaster-busts.html

🚨 Supply chain attacks are escalating...

A widely used AI dev tool, PyTorch Lightning, was compromised on PyPI and turned into a credential stealer.

→ Malicious code runs on import
→ No user action needed
→ Credentials silently stolen

Read: https://thehackernews.com/2026/04/pytorch-lightning-compromised-in-pypi.html

🤦‍♂️ Another supply chain hit.

intercom-client npm package compromised
→ Malicious preinstall hook executes on install
→ Credentials targeted across dev & CI/CD

Linked to ongoing Mini Shai-Hulud campaign.

Read this update here: https://thehackernews.com/2026/04/pytorch-lightning-compromised-in-pypi.html#intercom-npm-package-compromised-as-part-of-mini-shai-hulud

⚠️ Update: Mini Shai-Hulud is spreading across ecosystems.

→ intercom-client (npm) and intercom-php (Packagist) compromised
→ Install-time hooks deploy credential stealer

Attack targets GitHub tokens, cloud creds, SSH keys, Kubernetes, Vault, Docker, and .env files.

Read: https://thehackernews.com/2026/04/pytorch-lightning-compromised-in-pypi.html#intercom-npm-and-packagist-package-compromised-as-part-of-mini-shai-hulud

Campaign linked to TeamPCP and earlier Lightning compromise.

😬 Poisoned Ruby gems + Go modules used in a supply chain attack.

• Steal AWS creds, SSH keys, configs
• Tamper GitHub Actions via fake binaries
• Add SSH access for persistence

Read → https://thehackernews.com/2026/05/poisoned-ruby-gems-and-go-modules.html

🛑 Two cybersecurity professionals were sentenced to four years each for helping deploy BlackCat ransomware across the U.S. in 2023.

They took a share of ransom payments, including about $1.2 million in Bitcoin from one victim.

Read → https://thehackernews.com/2026/05/two-cybersecurity-professionals-get-4.html

Cybersecurity market: $38 B → $69 B by 2030

Yet MSPs still lose deals:
• 77% can’t create urgency
• 66% face cost pushback
• 8+ decision-makers per deal

Fix: sell outcomes, not tech

Read more → https://thehackernews.com/2026/05/top-five-sales-challenges-costing-msps.html

⚠️ China-linked hackers targeted governments across Asia + a NATO state (Poland), exploiting Exchange/IIS flaws to deploy ShadowPad.

At the same time: journalists & activists hit with phishing campaigns.

Two ops. Same priorities.

Details here → https://thehackernews.com/2026/05/china-linked-hackers-target-asian.html

⚠️ Two cybercrime groups are executing rapid SaaS attacks with minimal trace.

Cordial Spider and Snarky Spider use vishing and AiTM phishing to steal credentials, bypass MFA, and access multiple platforms through SSO.

Read: https://thehackernews.com/2026/05/cybercrime-groups-using-vishing-and-sso.html

🛑 30,000 Facebook accounts compromised in a phishing campaign using Google AppSheet emails.

A Vietnamese-linked operation called AccountDumpling targeted Facebook Business users, stole credentials, sent data to Telegram, and resold accounts.

Read: https://thehackernews.com/2026/05/30000-facebook-accounts-hacked-via.html

🚨 Cybersecurity firm Trellix confirms a breach.

Attackers accessed part of its source code repository; no exploitation or release impact found. Investigation ongoing with forensic experts and law enforcement.

Details ➜ https://thehackernews.com/2026/05/trellix-confirms-source-code-breach.html

🚨 New analysis reveals browser extensions legally selling user data.

80 extensions affect 6.5M+ users—ad blockers and streaming tools included—collecting and reselling browsing, viewing, and demographic data.

All disclosed in privacy policies.

Read: https://thehackernews.com/2026/04/threatsday-bulletin-sms-blaster-busts.html#extensions-legally-sell-user-data

⚠️ A new #Linux flaw is now under active exploitation.

CISA added CVE-2026-31431 to its KEV list. The bug lets low-privilege users gain full root access. Patches released.

Fix deadline: May 15, 2026.

Read: https://thehackernews.com/2026/05/cisa-adds-actively-exploited-linux-root.html

276 suspects arrested in a global crackdown on crypto investment scams.

Dubai Police, FBI, and Chinese authorities shut down 9 scam centers targeting Americans. $701 M in crypto seized. FBI alerts helped save $562 M for nearly 9,000 victims.

Read: https://thehackernews.com/2026/05/global-crackdown-arrests-276-shuts-9.html

CVE-2026-41940 (cPanel) exploited within 24h

• 44,000 IPs linked to scanning/brute-force activity
• Targets: Southeast Asia gov/military + MSPs
• Enables auth bypass → full system control
• Mirai variants and Sorry ransomware observed

Read: https://thehackernews.com/2026/05/critical-cpanel-vulnerability.html