Massive Canvas Breach Hits 275M Users; Critical Zero-Days in Linux, cPanel, and PAN-OS Under Active Attack

Official JDownloader Site Compromised to Serve RAT Malware to Windows and Linux Users

The official website for JDownloader, a popular open-source download manager, was compromised in a supply chain attack between May 6 and May 7, 2026. Attackers exploited a vulnerability in the site's Content Management System (CMS) to alter download links, tricking users into installing malware. Windows users received a heavily obfuscated Python-based Remote Access Trojan (RAT), while Linux users were served malicious ELF binaries that established persistence. Users who downloaded the 'Alternative Installer' during this period are urged to reinstall their operating systems.

JDownloaderSupply Chain AttackMalwareRATPython +1 more

JDownloader Website Hacked to Distribute Python RAT in Supply Chain Attack

Braintrust AI Platform Breach Exposes Customer API Keys in AWS Account

Braintrust AWS Breach Prompts Urgent API Key Rotation After Unauthorized Access

Braintrust, a platform for evaluating AI models, suffered a security breach on May 4, 2026, after detecting unauthorized access to an Amazon Web Services (AWS) account. The compromised account stored sensitive customer API keys, creating a significant supply chain risk. Braintrust immediately notified customers, advising them to rotate all keys stored on the platform. While only one customer has been confirmed as directly affected, three others are investigating suspicious activity, highlighting the critical risk of third-party platforms holding secrets for the burgeoning AI ecosystem.

BraintrustCloud SecurityAWSAPI KeysData Breach +2 more

Braintrust AI Platform Breach Exposes Customer API Keys in AWS Account

Malicious Hugging Face Repo Impersonating OpenAI Distributes Infostealer Malware

Fake OpenAI Repository on Hugging Face Tricks Developers into Downloading Infostealer

A malicious repository on the Hugging Face AI platform successfully impersonated an OpenAI project to distribute infostealing malware. The fake repository, named 'Open-OSS/privacy-filter', used typosquatting and a copied description to appear legitimate, briefly reaching the #1 trending spot on the platform. It amassed over 244,000 downloads before being removed. The malware was designed to steal credentials, browser tokens, and crypto wallets from infected Windows systems, highlighting a significant supply chain threat targeting the AI and machine learning community.

Hugging FaceOpenAISupply Chain AttackMalwareInfostealer +2 more

Malicious Hugging Face Repo Impersonating OpenAI Distributes Infostealer Malware

Report Details "Operation HookedWing," a Four-Year Phishing Campaign Targeting 500+ Organizations

"Operation HookedWing": Persistent Phishing Campaign Steals Over 2,000 Credentials from Critical Sectors

A newly detailed report from SOCRadar has exposed "Operation HookedWing," a persistent and sophisticated phishing campaign that has been active for over four years. The campaign has successfully stolen more than 2,000 user credentials from over 500 organizations, with a focus on critical infrastructure, aviation, government, and financial sectors. The threat actors have continuously evolved their tactics, using a mix of GitHub domains, compromised servers, and lures in both English and French to trick victims into surrendering their Microsoft Outlook credentials on convincing, personalized landing pages.

PhishingOperation HookedWingCredential TheftSOCRadarGitHub +1 more

Report Details "Operation HookedWing," a Four-Year Phishing Campaign Targeting 500+ Organizations

KillSec Ransomware Group Targets Nigerian Oil and Gas Firm MRS Holdings

KillSec Ransomware Strikes Nigerian Oil & Gas Company MRS Holdings, Threatens Data Leak

The ransomware group KillSec has claimed a cyberattack on MRS Holdings, a major Nigerian oil and gas company, on May 9, 2026. The group has listed the company on its data leak site and is threatening to release confidential data if its ransom demands are not met. Initial threat intelligence suggests the attack may have been enabled by prior infostealer malware infections that compromised employee and user credentials, highlighting a common attack chain where stolen credentials serve as the entry point for ransomware gangs.

KillSecRansomwareMRS HoldingsNigeriaOil and Gas +2 more

KillSec Ransomware Group Targets Nigerian Oil and Gas Firm MRS Holdings

"Road Trap" Smishing Campaign Targets Switzerland with Fake Toll Notices

MEDIUM

"Road Trap" SMS Phishing Scam Hits Switzerland with Fake Toll and Traffic Fine Notices

A sophisticated global SMS phishing (smishing) campaign known as "Road Trap" is increasingly targeting mobile users in Switzerland. The attacks use realistic-looking text messages and high-quality phishing websites that impersonate transportation authorities. Victims are tricked into paying fake road tolls, traffic fines, and parking invoices, with the ultimate goal of stealing their banking details and credit card information. The campaign's success is amplified by its professional design, use of HTTPS, and mobile-optimized pages, posing a significant financial threat to the Swiss public.

SmishingPhishingScamSwitzerlandRoad Trap +1 more

4 min read

"Road Trap" Smishing Campaign Targets Switzerland with Fake Toll Notices

Fake TronLink Chrome Extension Deploys Double-Layer Phishing to Steal Crypto Keys

Malicious TronLink Chrome Extension Uses Double-Layer Phishing to Steal Cryptocurrency Wallets

Security firm SlowMist has uncovered a malicious Google Chrome extension that impersonates the official TronLink crypto wallet to steal users' funds. The fake extension uses Unicode obfuscation to spoof the real extension's name and executes a two-layer phishing attack. It tricks TRON users into entering their sensitive mnemonic phrases, private keys, and passwords on a convincing fake interface. The stolen credentials are then immediately exfiltrated to a Telegram bot controlled by the attackers, giving them full access to drain the victim's wallet.

CryptocurrencyPhishingMalwareChrome ExtensionTronLink +2 more

Fake TronLink Chrome Extension Deploys Double-Layer Phishing to Steal Crypto Keys

Updated Articles (4)

Critical cPanel Zero-Day (CVE-2026-41940) Actively Exploited, Over 40,000 Servers Compromised

Widespread Exploitation of Critical cPanel Zero-Day Flaw (CVE-2026-41940) Leads to Mass Server Compromise and Ransomware Attacks

New analysis reveals that the active exploitation of CVE-2026-41940 in cPanel now includes the widespread deployment of Mirai botnet malware, specifically the 'Nuclear.x86' variant, in addition to the previously reported '.sorry' ransomware. Threat actors are conducting automated, mass exploitation campaigns, leveraging the flaw to gain root access and absorb compromised servers into DDoS botnets. This significantly broadens the scope and impact of the attacks. Updated patched versions include 11.136.0.9, 11.134.0.25, and 11.132.0.31. Administrators must patch immediately to prevent server compromise and participation in botnet activities.

May 4, 2026

cPanelWHMCVE-2026-41940Zero-DayRansomware +3 more

CISA KEV Alert: Actively Exploited Ivanti EPMM Flaw (CVE-2026-1340) Allows Full Server Takeover

CISA Adds Critical Ivanti Endpoint Manager Mobile RCE Vulnerability to Known Exploited List

Ivanti has disclosed CVE-2026-6973, a new high-severity RCE in EPMM requiring authenticated admin access, now actively exploited and added to CISA KEV. This is the third EPMM zero-day this year. Security researchers warn that attackers are likely chaining this flaw with previously reported unauthenticated vulnerabilities, such as CVE-2026-1340 (the subject of this article), to achieve full system compromise. Patches are available for versions 12.6.1.1, 12.7.0.1, and 12.8.0.1. Organizations must update immediately and rotate admin credentials, assuming compromise if running vulnerable versions.

April 14, 2026

CVE-2026-1340IvantiMobileIronCISAKEV +3 more

6 min read

CISA KEV Alert: Actively Exploited Ivanti EPMM Flaw (CVE-2026-1340) Allows Full Server Takeover

PAN-OS Zero-Day CVE-2026-0300 Actively Exploited for Unauthenticated RCE

State-Sponsored Actors Exploit Critical PAN-OS Zero-Day (CVE-2026-0300) for Remote Code Execution

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-0300 to its Known Exploited Vulnerabilities (KEV) catalog and issued an emergency directive due to active exploitation. Contrary to earlier reports, patches are not yet available and are anticipated on or after May 13, 2026. This heightens the urgency for organizations to apply vendor-recommended mitigations, such as restricting access to the User-ID Authentication Portal, as the critical zero-day continues to be exploited by a state-sponsored actor.

May 7, 2026

PAN-OSZero-DayRCEBuffer OverflowCaptive Portal +5 more

PAN-OS Zero-Day CVE-2026-0300 Actively Exploited for Unauthenticated RCE

Critical Unpatched 'Dirty Frag' Linux Zero-Day Allows Instant Root Access

Unpatched 'Dirty Frag' Zero-Day (CVE-2026-43284) in Linux Kernel Allows Immediate Root Privilege Escalation

A functional proof-of-concept (PoC) exploit for the 'Dirty Frag' Linux zero-day (CVE-2026-43284) has been publicly released, dramatically lowering the barrier for attackers to achieve root privilege escalation. While not yet observed in the wild, the availability of the PoC necessitates immediate action. New hunting hints include monitoring for low-privilege accounts spawning root processes and command-line auditing for PoC compilation. Administrators are urged to implement the `blacklist algif_aead` mitigation and prepare for rapid patching once available. This development significantly escalates the urgency and potential impact of the vulnerability.

May 8, 2026