Massive "Mini Shai-Hulud" Supply Chain Attack Hits SAP Ecosystem; CISA Warns of Actively Exploited Linux and cPanel Zero-Days

Publication Date: May 2, 2026

Summary

This period saw a severe escalation in supply chain attacks with the "Mini Shai-Hulud" campaign compromising the SAP developer ecosystem and other popular packages, affecting over 1,800 developers. Concurrently, CISA added two critical, actively exploited vulnerabilities to its KEV catalog: a Linux kernel privilege escalation flaw ("Copy Fail") and a cPanel authentication bypass zero-day, mandating immediate patching. Ransomware activity also remains high, with new campaigns from KRYBIT and NightSpire, while sophisticated social engineering attacks leveraging vishing and SaaS platforms continue to target major US industries.

Today's New Articles

"Living Within SaaS": Cordial & Snarky Spider Groups Use Vishing, SSO Abuse for Rapid Extortion

Two cybercrime groups, Cordial Spider and Snarky Spider, linked to "The Com" ecosystem, are conducting swift data theft and extortion campaigns. They use voice phishing (vishing) and fake Single Sign-On (SSO) pages to steal credentials, gain access to identity...


NightSpire Ransomware Group Matures Into Significant Double-Extortion Threat

The NightSpire ransomware group, first seen in early 2025, has rapidly evolved into a full double-extortion operation. A May 1st report details its use of CVE-2024-55591 for initial access, Go-based payloads, and aggressive tactics, including a dedicated data...


Robinhood Flaw Abused to Send Phishing Emails From Company's Own Address

A vulnerability in Robinhood's account creation process was exploited to send highly convincing phishing emails from the company's own `noreply@robinhood.com` address. Attackers injected malicious HTML into the device metadata field of new account confirmation...


FulcrumSec Ransomware Group Claims Attack on Colombian Healthcare Firm IMEVI

The ransomware group FulcrumSec has claimed responsibility for a cyberattack on IMEVI, a Colombian healthcare and engineering services company. The group announced the breach on its leak site on May 1, 2026, threatening to publish a "full leak" of stolen data...


Microsoft Patches Entra ID Flaw That Allowed Service Principal Takeover

A design flaw in Microsoft's Entra ID "Agent ID Administrator" role allowed for privilege escalation and the takeover of arbitrary service principals, including highly privileged ones. An attacker assigned this role could add themselves as an owner to any serv...


ClickUp API Key Leak Exposes Corporate and Government Emails for 15 Months

A hardcoded API key in a public JavaScript file on ClickUp's website exposed 959 email addresses of employees at major corporations and government agencies for over 15 months. The flaw, first reported via HackerOne in January 2025, allowed unauthenticated acce...


Qilin Ransomware Group Claims Attack on U.S. Contractor Jayeff Construction

The Qilin ransomware group has claimed responsibility for an attack on Jayeff Construction, a U.S.-based general contractor. The breach was announced on the group's data leak site around May 1, 2026. Qilin, a prominent Ransomware-as-a-Service (RaaS) operation,...

Article Updates

cPanel Zero-Day Auth Bypass (CVE-2026-41940) Actively Exploited for Months Before Patch

Update: Active exploitation of CVE-2026-41940 in cPanel & WHM has surged, with tens of thousands of IPs scanning for vulnerable instances. The vulnerability also impacts WP Squared, and updated patch versions are now available, including 120.0.10, 118.0.16, 116.0.21,...


Ransomware Civil War: KryBit RaaS Hacks and Leaks Rival Gang 0APT

Update: The KRYBIT ransomware group has claimed an attack on Bomu Hospital, a healthcare provider in India, threatening to leak sensitive medical data, which significantly increases the incident's severity. New technical analysis reveals KRYBIT employs defense evasion...