A sophisticated hacking campaign hit South-East Asian government and military targets by exploiting CVE-2026-41940, a critical CVSS 9.8 authentication bypass in cPanel and WHM. Attackers gained root-level access without valid credentials before cPanel released a patch on April 28, 2026. Beyond cPanel, the attackers also compromised an Indonesian defense training portal by bypassing its CAPTCHA and using SQL injection, then escalated through the PostgreSQL database to full operating-system access. The operation ended with 110 files (~4.37GB) stolen from the China Railway Society, including financial records with national ID numbers and bank details. Shadowserver tracked 44,000 IPs actively scanning for vulnerable servers. Patch cPanel immediately.
Source: Cybersecurity News
A sweeping supply chain attack dubbed "Mini Shai-Hulud," linked to the TeamPCP hacking group, has compromised over 1,800 developer repositories since April 29. Malicious versions of SAP npm packages, Lightning on PyPI (v2.6.2–2.6.3), intercom-client on npm (v7.0.4–7.0.5), and intercom-php (v5.0.2) were injected with credential-stealing malware. The malware harvests AWS keys, API tokens, VPN credentials, crypto wallet data, and more, exfiltrating it to GitHub repos and a dedicated domain. The payload also probes Kubernetes environments and HashiCorp Vault for secrets. With the affected packages totaling nearly 30 million downloads combined, the blast radius could grow significantly.
Source: SecurityWeek
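A practical first step for anyone consuming these packages is to check lockfiles for the exact versions named above. The script below is an added example, not code from the advisory or from SecurityWeek: it scans a requirements.txt, a package-lock.json (lockfile versions 1 to 3) and a composer.lock for the compromised versions, using only the Python standard library. The sample lockfile contents are constructed for the demo. The page does not give a vendor prefix for the Composer package, so Composer names are compared on the part after the vendor slash (an assumption); the SAP npm packages are not named on the page and so are not in the list.

```python
"""Flag the Mini Shai-Hulud package versions named above in lock/requirements files.

Added example (not the advisory's or SecurityWeek's code). Versions come
from the page; sample lockfiles below are constructed for the demo.
"""
import json
import re

# ecosystem -> package -> compromised versions (page-sourced).
# Composer: page gives "intercom-php" with no vendor, so composer.lock
# names are compared on the part after the vendor slash (assumption).
COMPROMISED = {
    "pypi": {"lightning": {"2.6.2", "2.6.3"}},
    "npm": {"intercom-client": {"7.0.4", "7.0.5"}},
    "composer": {"intercom-php": {"5.0.2"}},
}

_REQ_LINE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][^\s;#]*)")


def _norm(name: str) -> str:
    """PEP 503 style name normalisation: case-insensitive, '_' and '.' as '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str):
    """Yield (name, version) for exactly pinned entries in a requirements.txt."""
    for line in text.splitlines():
        m = _REQ_LINE.match(line)
        if m:
            yield _norm(m.group(1)), m.group(2)


def parse_package_lock(text: str):
    """Yield (name, version) from package-lock.json v1, v2 or v3."""
    data = json.loads(text)
    # v2/v3: "packages" keyed by install path, e.g. "node_modules/intercom-client".
    for path, meta in data.get("packages", {}).items():
        if path and "node_modules/" in path and "version" in meta:
            yield path.rsplit("node_modules/", 1)[1], meta["version"]

    # v1 (and the v1-compatible section of v2): nested "dependencies" maps.
    def walk(deps):
        for name, meta in deps.items():
            if "version" in meta:
                yield name, meta["version"]
            yield from walk(meta.get("dependencies", {}))

    yield from walk(data.get("dependencies", {}))


def parse_composer_lock(text: str):
    """Yield (name-without-vendor, version) from composer.lock."""
    data = json.loads(text)
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            yield pkg["name"].split("/")[-1], pkg["version"].lstrip("v")


PARSERS = {"pypi": parse_requirements, "npm": parse_package_lock, "composer": parse_composer_lock}


def scan(ecosystem: str, text: str):
    """Return sorted unique (ecosystem, name, version) hits for one lockfile."""
    bad = COMPROMISED[ecosystem]
    hits = set()
    for name, version in PARSERS[ecosystem](text):
        if version in bad.get(name, ()):
            hits.add((ecosystem, name, version))
    return sorted(hits)


# Constructed sample lockfiles for the demo (not real project files).
SAMPLE_REQUIREMENTS = "# pinned deps\nLightning==2.6.3\nrequests==2.32.3\nnumpy>=1.26\n"
SAMPLE_PACKAGE_LOCK = json.dumps({
    "name": "demo", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo", "version": "1.0.0"},
        "node_modules/intercom-client": {"version": "7.0.4"},
        "node_modules/lodash": {"version": "4.17.21"},
        "node_modules/foo/node_modules/intercom-client": {"version": "7.0.3"},
    },
})
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [{"name": "intercom/intercom-php", "version": "v5.0.2"},
                 {"name": "guzzlehttp/guzzle", "version": "7.8.1"}],
    "packages-dev": [],
})


def demo():
    """Scan all three samples; returns the flat list of findings."""
    return (scan("pypi", SAMPLE_REQUIREMENTS)
            + scan("npm", SAMPLE_PACKAGE_LOCK)
            + scan("composer", SAMPLE_COMPOSER_LOCK))


if __name__ == "__main__":
    for eco, name, ver in demo():
        print(f"COMPROMISED {eco}: {name}=={ver}")
```

Run it against real lockfiles by reading each file into `scan()` with the matching ecosystem key. A hit means the pinned version must be rolled back and every credential the build host could reach (cloud keys, API tokens, VPN and wallet material, Vault tokens) treated as exposed.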
Rockstar Games has been hit by hackers for the second time in three years. A group called ShinyHunters — prolific English-speaking teen cybercriminals — claims to have breached servers managed by a third-party cloud provider and is threatening to publish stolen data after Rockstar refused to pay a ransom. Rockstar is downplaying the damage, telling the BBC the incident had "no impact" on the company or its players and that only "a limited amount of non-material information" was accessed. The breach echoes a 2023 hack by British teen Arion Kurtaj, who leaked GTA 6 footage and received an indefinite hospital order.
Source: BBC News
Researchers at Novee Security uncovered a critical vulnerability in Google's Gemini CLI that allowed attackers to execute arbitrary code on host machines — no prompt injection required. The flaw stemmed from Gemini CLI automatically trusting the current workspace folder, loading any agent configuration found there without sandboxing or human approval. A planted malicious config could expose secrets, credentials, and source code. In CI/CD pipelines, the risk escalated to full supply chain attacks. Google has since patched both Gemini CLI and the run-gemini-cli GitHub Action. The incident highlights a growing concern: AI coding agents now operate with trusted contributor-level access inside developer workflows.
Source: SecurityWeek
Cybersecurity firm Xint has discovered a critical Linux kernel vulnerability, dubbed "Copy Fail" (CVE-2026-31431), hiding in plain sight since 2017. Using AI-assisted scanning, researcher Tim Becker found a logic flaw in the kernel's crypto subsystem that lets any unprivileged local user gain full root access, reliably, with just 10 lines of exploit code.
The bug affects every Linux distribution and leaves no traces on disk; exploitation state is cleared on reboot. Real-world risks include Kubernetes container escapes and CI/CD pipeline compromises. A patch is already available. Kernels that predate the 2017 change are unaffected.
Source: Dark Reading
An AI tool from cybersecurity firm Aisle found 38 previously unknown vulnerabilities in OpenEMR, an open-source electronic health record platform used by over 100,000 healthcare providers globally. Discovered in just three months, the flaws ranged from medium to critical severity and included SQL injection, cross-site scripting, and authorization bypass issues. The worst could have exposed patient health data and handed attackers full server control. All 38 are now patched in versions released in February and March 2025. For comparison, a manual audit in 2018 took far longer and found only 23 flaws. OpenEMR has since built Aisle's tool into its code review process.
Source: Dark Reading
What started as a corporate data breach has snowballed into a serious diplomatic rift. South Korean e-commerce giant Coupang disclosed in November that a former employee stole an internal security key, exposing data from 33.7 million users. Seoul launched a sweeping crackdown (police raids, tax audits, parliamentary hearings), but CEO Bom Kim refused to appear. Washington reportedly pushed back, signalling it would pause high-level defence talks unless Seoul guaranteed that Kim would face no legal consequences. The fallout has stalled nuclear submarine cooperation talks and drawn 54 Republican lawmakers to accuse Seoul of targeting a US company. Analysts warn the alliance is nearing a "critical threshold of strain."
Source: The Guardian
Cybersecurity firm Checkmarx has confirmed that hackers stole data during a supply chain attack that began March 23, 2026. The breach, traced to the Trivy supply chain hack, allowed the TeamPCP group, potentially partnered with the Lapsus$ extortion gang, to hijack GitHub Actions and poison multiple open source packages. A second attack wave on April 22 compromised a Docker Hub image and the Bitwarden CLI npm package. Lapsus$ later dumped a 96GB archive online, claiming it contained source code, employee data, and credentials. Checkmarx has since hired Mandiant, notified law enforcement, and says the breach is now fully contained.
Source: SecurityWeek
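A hijacked GitHub Action only reaches downstream builds that reference it by a mutable ref such as a tag or branch; workflows pinned to a full commit SHA keep running the code they were reviewed with. The script below is an added example, not Checkmarx's, Trivy's or the page's own code: it walks a workflow file line by line (stdlib only, no PyYAML) and reports every `uses:` target that is not pinned to a 40-hex commit SHA, treating local `./` actions as out of scope and `docker://` images as pinned only when they carry an `@sha256:` digest. The sample workflow, including its SHA, is constructed for the demo.

```python
"""Report GitHub Actions `uses:` references that are not pinned to a commit SHA.

Added example (not Checkmarx's, Trivy's or the page's code). Line-regex
parser, so it needs no PyYAML; the sample workflow is constructed.
"""
import re

_USES = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
_SHA1 = re.compile(r"^[0-9a-f]{40}$")  # GitHub pins actions by a full SHA-1


def classify(ref: str):
    """Return (kind, detail) for one `uses:` target.

    kind: 'local', 'docker-pinned', 'docker-mutable', 'sha-pinned',
    'mutable' (tag or branch) or 'unpinned' (no ref at all).
    """
    if ref.startswith("./"):
        return "local", ref
    if ref.startswith("docker://"):
        return ("docker-pinned" if "@sha256:" in ref else "docker-mutable"), ref
    if "@" not in ref:
        return "unpinned", ref
    action, version = ref.rsplit("@", 1)
    if _SHA1.match(version):
        return "sha-pinned", action
    return "mutable", f"{action}@{version}"


def find_mutable_uses(workflow_text: str):
    """Return [(line_no, ref)] for every third-party action not pinned to a SHA."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = _USES.match(line)
        if not m:
            continue
        kind, _ = classify(m.group(1))
        if kind in ("mutable", "unpinned", "docker-mutable"):
            findings.append((n, m.group(1)))
    return findings


# Constructed sample workflow. The 40-hex value is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567 # v5 (placeholder SHA)
      - name: scan
        uses: some-org/scanner-action@main
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.20
"""


if __name__ == "__main__":
    for line_no, ref in find_mutable_uses(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {ref} is not pinned to a commit SHA")
```

Pinning to a SHA is a mitigation for the tag-hijack path, not for a compromise of the commit you pinned; keep the human-readable version in a trailing comment so automated updaters can still bump it, and review the diff when they do.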
A data breach at Booking.com is powering a surge in scams called "reservation hijacks," where criminals impersonate hotels to trick customers into sending money. Stolen data includes names, emails, phone numbers, and booking details — enough for fraudsters to craft convincing, targeted messages. Financial data wasn't accessed, but experts warn the personal details are highly valuable. Booking.com has reset reservation PINs and is emailing affected customers, but won't say how many people were hit. Norton's Luis Corrons warns the breach gives criminals dangerous precision. Customers should avoid sharing card details via email, phone, WhatsApp, or text.
Source: BBC News
Google's Threat Intelligence Group and Mandiant have exposed a new financially motivated hacker group called UNC6692, which blends social engineering, custom malware, and AWS S3 buckets to steal credentials.
The group starts by flooding a target's inbox with spam, then impersonates IT help desk staff over Microsoft Teams, tricking victims into clicking a phishing link that silently installs malware — including a rogue browser extension, a Python backdoor, and a persistent remote access tool.
From there, attackers scan internal networks, hijack admin accounts, and dump Windows credential stores. Using legitimate cloud infrastructure lets them slip past traditional security filters undetected.
Source: Dark Reading