Security Highlights Of The Week [04/26-4]

Critical cPanel and WHM Auth Bypass Requires Emergency Manual Update
A critical cPanel and WHM flaw tracked as CVE-2026-41940 can allow attackers to access the control panel without authentication. The fix requires administrators to manually retrieve the patched build, which makes exposed hosting environments an immediate priority.
Source: BleepingComputer

Microsoft Confirms Active Exploitation of Windows Shell CVE-2026-32202
Microsoft revised its advisory to mark CVE-2026-32202 as actively exploited in the wild after originally shipping a patch for it earlier this month. The issue stems from an incomplete fix in a previous exploit chain and can coerce authentication and expose sensitive information through malicious LNK handling.
Source: The Hacker News

Official SAP CAP and Cloud MTA npm Packages Compromised in Supply Chain Attack
Multiple official SAP npm packages tied to CAP and Cloud MTA were compromised with a malicious preinstall routine that downloaded and executed Bun and an obfuscated payload. Because these packages sit in real developer and CI/CD workflows, the incident creates direct risk to tokens, credentials, and enterprise build pipelines.
Source: Socket
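The SAP package compromise above hinges on npm lifecycle scripts: a `preinstall`, `install` or `postinstall` entry in a dependency's package.json runs on every developer machine and CI runner that installs it. The following Python script is an added example (not SAP's, Socket's, or npm's own code) that walks a `node_modules` tree and lists every package declaring an install-time hook, so a team can review them before trusting a fresh lockfile. The sample tree it builds in a temporary directory is constructed for the demo; the package names in it are placeholders.

```python
import json
import shutil
import tempfile
from pathlib import Path

# Lifecycle hooks npm runs during `npm install` for a dependency.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def find_install_scripts(root):
    """Return one record per package under `root` that declares an install-time hook."""
    findings = []
    for manifest in Path(root).rglob("package.json"):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (ValueError, OSError):
            continue  # unreadable or non-JSON manifest: nothing to evaluate
        scripts = data.get("scripts") or {}
        if not isinstance(scripts, dict):
            continue
        hooks = {h: scripts[h] for h in INSTALL_HOOKS if h in scripts}
        if hooks:
            findings.append({
                "name": data.get("name", "?"),
                "version": data.get("version", "?"),
                "path": str(manifest.parent),
                "hooks": hooks,
            })
    return sorted(findings, key=lambda f: f["name"])


def _write_manifest(base, rel_dir, manifest):
    d = Path(base) / "node_modules" / rel_dir
    d.mkdir(parents=True, exist_ok=True)
    (d / "package.json").write_text(json.dumps(manifest), encoding="utf-8")


def build_sample_tree(base):
    """Constructed node_modules tree: one clean package, one legitimate native
    build step, and one package with a preinstall hook that deserves review."""
    _write_manifest(base, "plain-util", {"name": "plain-util", "version": "1.0.0",
                                         "scripts": {"test": "node test.js"}})
    _write_manifest(base, "good-native-lib", {"name": "good-native-lib", "version": "2.3.1",
                                              "scripts": {"install": "node-gyp rebuild"}})
    _write_manifest(base, "@example/suspicious", {"name": "@example/suspicious", "version": "0.0.9",
                                                  "scripts": {"preinstall": "node setup.js"}})


def demo():
    """Build the constructed tree, scan it, clean up, and return the findings."""
    base = tempfile.mkdtemp(prefix="npm-hook-scan-")
    try:
        build_sample_tree(base)
        return find_install_scripts(base)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['name']}@{f['version']}: {f['hooks']}")
```

A hit is not proof of compromise (native modules legitimately use `install` for `node-gyp`), but every listed hook should be readable and explainable; an obfuscated `preinstall` that fetches and runs a binary is exactly what the SAP packages carried. Setting `ignore-scripts=true` in `.npmrc` on CI runners, then running only the vetted hooks explicitly, removes the automatic execution path entirely.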

Quick Page Post Redirect WordPress Plugin Hid a Dormant Backdoor for Five Years
Researchers found that the Quick Page Post Redirect plugin had contained a hidden backdoor since 2021, affecting more than 70,000 WordPress sites. The code let the operator inject arbitrary content or code while staying invisible to logged-in administrators, turning a trusted plugin into a long-term supply chain compromise.
Source: BleepingComputer

Qinglong Task Scheduler RCE Flaws Are Being Exploited for Cryptomining
Attackers have been abusing authentication bypass flaws in Qinglong to obtain unauthenticated remote code execution and drop the .fullgc cryptominer on exposed servers. The case is notable because a popular developer tool with broad deployment moved from openly accessible bug to real-world abuse with limited visibility outside Chinese-language communities.
Source: Snyk

Hugging Face LeRobot PolicyServer Exposed to Unauthenticated RCE
CVE-2026-25874 affects the LeRobot PolicyServer because it deserializes untrusted pickle data over gRPC. An unauthenticated attacker who reaches the service can execute arbitrary operating system commands on systems that may have GPU access, robotics connectivity, and privileged internal network reach.
Source: Resecurity
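The LeRobot issue above is the general Python problem of calling `pickle.loads` on bytes a remote party controls: the pickle stream can name any importable callable and have it run during deserialization. The safest fix for a gRPC service is to drop pickle for a schema-defined message type; where pickle cannot be removed immediately, the standard mitigation is an `Unpickler` subclass whose `find_class` only resolves an explicit allowlist. The code below is an added example, not LeRobot's or Hugging Face's code; the allowlist is an assumption for the demo and a real service would enumerate exactly the types its protocol needs.

```python
import collections
import io
import pickle

# Globals the service is willing to reconstruct. Anything else is refused
# before any constructor or __reduce__ callable can run. (Assumed set for
# this example; tailor it to the real message schema.)
ALLOWED_GLOBALS = {
    ("builtins", "dict"), ("builtins", "list"), ("builtins", "tuple"),
    ("builtins", "set"), ("builtins", "frozenset"), ("builtins", "bytes"),
    ("builtins", "str"), ("builtins", "int"), ("builtins", "float"),
    ("builtins", "bool"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global reference outside ALLOWED_GLOBALS."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused global {module}.{name}")


def safe_loads(data: bytes):
    """Deserialize `data` with the restricted unpickler."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_loads(data: bytes):
    """Return ("ok", obj) for accepted input or ("refused", reason) otherwise."""
    try:
        return ("ok", safe_loads(data))
    except pickle.UnpicklingError as exc:
        return ("refused", str(exc))


# Constructed sample inputs: a plain command dict built only from builtins,
# and a message referencing a class outside the allowlist (OrderedDict here
# stands in for any non-allowlisted global a remote caller might name).
BENIGN_MESSAGE = pickle.dumps({"action": "move", "joints": [0.1, 0.2]})
UNLISTED_MESSAGE = pickle.dumps(collections.OrderedDict(action="move"))

if __name__ == "__main__":
    print(try_loads(BENIGN_MESSAGE))    # ('ok', {'action': 'move', 'joints': [0.1, 0.2]})
    print(try_loads(UNLISTED_MESSAGE))  # ('refused', 'refused global collections.OrderedDict')
```

The allowlist only constrains which globals the stream may name; it does not make pickle a safe wire format, which is why the durable fix for an unauthenticated network service is a typed message (for gRPC, the protobuf definition) plus authentication in front of the endpoint.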

UAT-4356 Continues Targeting Cisco Firepower Devices With FIRESTARTER
Cisco Talos says UAT-4356 is still exploiting previously known flaws in Firepower FXOS devices and deploying the FIRESTARTER backdoor. The implant can run arbitrary shellcode inside the LINA process, showing again how perimeter appliances remain high value espionage footholds.
Source: Cisco Talos

China-Nexus Actors Rely on Covert Networks of Compromised Edge Devices
CISA and partner agencies warned that China-nexus actors are strategically using large covert networks made up of compromised routers and other edge devices. These networks support the full attack chain from reconnaissance to exfiltration and are designed to be low cost, deniable, and difficult to block with static indicators alone.
Source: CISA

GopherWhisper Uses Slack, Discord, and Outlook in China-Aligned Espionage
ESET revealed a previously undocumented China-aligned group called GopherWhisper that targeted a Mongolian government entity with a mostly Go-based toolset. The group abused Slack, Discord, Outlook, and file sharing services for command and control and exfiltration, helping malicious traffic blend into legitimate cloud activity.
Source: ESET

Vercel Finds More Compromised Accounts in Context.ai Linked Breach
Vercel said its expanded review identified additional compromised customer accounts connected to the April incident. The company says the intrusion began with a compromise at Context.ai that let the attacker pivot through a Vercel employee account and access non-sensitive environment variables.
Source: Vercel

Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain Campaign
The malicious @bitwarden/cli 2026.4.0 package carried credential theft and propagation behavior tied to the broader Checkmarx campaign. Even though the issue was limited to the npm CLI package, it put developer secrets, CI artifacts, and cloud credentials at risk during normal package installation.
Source: Socket

Device Code Phishing Surges With More Than 7 Million Attacks in Four Weeks
Barracuda says device code phishing has surged past 7 million attacks in four weeks, largely driven by the EvilTokens kit. The technique abuses legitimate OAuth device login flows, giving attackers persistent authorized access without relying on classic fake login pages alone.
Source: Barracuda

BlackFile Linked to Retail and Hospitality Vishing Extortion
BlackFile has been tied to data theft and extortion attacks that begin with phone calls from attackers posing as internal IT staff. The campaigns target retail and hospitality organizations, steal credentials and one-time passcodes, and then escalate into seven-figure extortion demands.
Source: BleepingComputer

Coinbase Cartel Builds a 100 Plus Company Extortion Campaign on Stolen Infostealer Credentials
Hudson Rock says the Coinbase Cartel has claimed more than 100 victims while relying on old infostealer credentials rather than novel exploits or custom ransomware. The group focuses on cloud environments, FTP systems, and file transfer services, using pure data theft and extortion instead of encryption.
Source: InfoStealers

GlassWorm Activates 73 Open VSX Sleeper Extensions
Socket says the GlassWorm campaign expanded with 73 impersonation extensions on Open VSX, several of which were later activated into malware delivery vehicles. The pattern matters because the extensions can look benign at first, gain trust, and then weaponize the normal update path or transitive extension relationships.
Source: Socket