Massive "Mini Shai-Hulud" Supply Chain Attack Hits SAP Ecosystem; CISA Warns of Actively Exploited Linux and cPanel Zero-Days

Cybercrime Groups Cordial Spider and Snarky Spider Target U.S. Firms with Advanced Vishing and SaaS-based Attacks

Two cybercrime groups, Cordial Spider and Snarky Spider, linked to "The Com" ecosystem, are conducting swift data theft and extortion campaigns. They use voice phishing (vishing) and fake Single Sign-On (SSO) pages to steal credentials, gain access to identity providers, and then move laterally across victims' SaaS applications like Google Workspace and Salesforce to exfiltrate data for seven-figure ransoms.

vishingphishingSaaSSSOextortion +3 more

6 min read

"Living Within SaaS": Cordial & Snarky Spider Groups Use Vishing, SSO Abuse for Rapid Extortion

NightSpire Ransomware Group Matures Into Significant Double-Extortion Threat

Evolving NightSpire Ransomware Uses Fortinet Flaw and Aggressive Tactics in Double-Extortion Campaigns

The NightSpire ransomware group, first seen in early 2025, has rapidly evolved into a full double-extortion operation. A May 1st report details its use of CVE-2024-55591 for initial access, Go-based payloads, and aggressive tactics, including a dedicated data leak site and extremely short ransom deadlines to pressure victims.

NightSpireransomwaredouble extortionCVE-2024-55591Fortinet +1 more

NightSpire Ransomware Group Matures Into Significant Double-Extortion Threat

Robinhood Flaw Abused to Send Phishing Emails From Company's Own Address

MEDIUM

Attackers Exploit Robinhood Account Creation Flaw to Send Phishing Emails from noreply@robinhood.com

A vulnerability in Robinhood's account creation process was exploited to send highly convincing phishing emails from the company's own `noreply@robinhood.com` address. Attackers injected malicious HTML into the device metadata field of new account confirmation emails. This created a fake security warning with a link to a credential-harvesting site, bypassing standard email security checks like SPF and DKIM.

RobinhoodphishingvulnerabilityHTML injectionemail security +1 more

Robinhood Flaw Abused to Send Phishing Emails From Company's Own Address

FulcrumSec Ransomware Group Claims Attack on Colombian Healthcare Firm IMEVI

FulcrumSec Ransomware Targets Colombian Healthcare and Engineering Firm IMEVI in Data Breach

The ransomware group FulcrumSec has claimed responsibility for a cyberattack on IMEVI, a Colombian healthcare and engineering services company. The group announced the breach on its leak site on May 1, 2026, threatening to publish a "full leak" of stolen data if the company does not enter negotiations, consistent with a double-extortion campaign.

FulcrumSecransomwareIMEVIhealthcaredata breach +1 more

4 min read

FulcrumSec Ransomware Group Claims Attack on Colombian Healthcare Firm IMEVI

Microsoft Patches Entra ID Flaw That Allowed Service Principal Takeover

Design Flaw in Microsoft Entra ID's "Agent ID Administrator" Role Enabled Privilege Escalation and Tenant Takeover

A design flaw in Microsoft's Entra ID "Agent ID Administrator" role allowed for privilege escalation and the takeover of arbitrary service principals, including highly privileged ones. An attacker assigned this role could add themselves as an owner to any service principal, inject credentials, and potentially escalate to Global Administrator. Microsoft patched the vulnerability in April 2026 after a responsible disclosure.

Microsoft Entra IDAzure ADprivilege escalationservice principalidentity management +2 more

Microsoft Patches Entra ID Flaw That Allowed Service Principal Takeover

ClickUp API Key Leak Exposes Corporate and Government Emails for 15 Months

MEDIUM

Hardcoded ClickUp API Key Exposes 959 Email Addresses from Fortune 500 Firms and Government Agencies

A hardcoded API key in a public JavaScript file on ClickUp's website exposed 959 email addresses of employees at major corporations and government agencies for over 15 months. The flaw, first reported via HackerOne in January 2025, allowed unauthenticated access to a 4.5MB file of internal data, including emails from Home Depot, Fortinet, Tenable, and various government workers.

ClickUpAPI keydata leakhardcoded credentialsSplit.io +1 more

ClickUp API Key Leak Exposes Corporate and Government Emails for 15 Months

Qilin Ransomware Group Claims Attack on U.S. Contractor Jayeff Construction

Prolific Qilin Ransomware Gang Adds Jayeff Construction to its List of Victims

The Qilin ransomware group has claimed responsibility for an attack on Jayeff Construction, a U.S.-based general contractor. The breach was announced on the group's data leak site around May 1, 2026. Qilin, a prominent Ransomware-as-a-Service (RaaS) operation, is known for its double-extortion tactics and use of cross-platform malware written in Go and Rust.

QilinAgendaransomwareJayeff ConstructionRaaS +1 more

Qilin Ransomware Group Claims Attack on U.S. Contractor Jayeff Construction

Updated Articles (2)

cPanel Zero-Day Auth Bypass (CVE-2026-41940) Actively Exploited for Months Before Patch

CRITICAL

Critical cPanel & WHM Zero-Day Vulnerability (CVE-2026-41940) Allowed Unauthenticated Admin Access, Exploited Since February

Update:

Active exploitation of CVE-2026-41940 in cPanel & WHM has surged, with tens of thousands of IPs scanning for vulnerable instances. The vulnerability also impacts WP Squared, and updated patch versions are now available, including 120.0.10, 118.0.16, 116.0.21, 110.0.21, and WP Squared 136.1.7. The Australian Cyber Security Centre (ACSC) has issued alerts, confirming widespread attacks. Shadowserver reports approximately 650,000 cPanel/WHM instances remain exposed. The flaw, allowing authentication bypass and potential RCE, is due to a missing authentication check in session handling, enabling session cookie manipulation.

May 1, 2026

Updated: May 2, 2026

CVE-2026-41940cPanelWHMZero-DayAuthentication Bypass +3 more

cPanel Zero-Day Auth Bypass (CVE-2026-41940) Actively Exploited for Months Before Patch

Ransomware Civil War: KryBit RaaS Hacks and Leaks Rival Gang 0APT