CyberWatch

A threat actor gained access to DigiCert's backend and stole 27 code signing certificates they later used to sign malware.

The incident took place last month and was traced back to a social engineering attack that successfully compromised two employees of DigiCert's tech support team.

According to

A coordinated international operation involving U.S. and Chinese authorities has arrested at least 276 suspects and shut down nine scam centers used for cryptocurrency investment fraud schemes targeting Americans, resulting in millions of dollars in losses. The crackdown was led by the Dubai Police, under the United Arab Emirates (UAE) Ministry of Interior, in partnership with the U.S. Federal Bureau of Investigation (FBI) and the Chinese Ministry of Public Security. Among those arrested are individuals from Burma and Indonesia, who were apprehended by authorities from Dubai and Thailand. Thet Min Nyi, 27, Wiliang Awang, 23, Andreas Chandra, 29, Lisa Mariam, 29, and two fugitive co-conspirators have been charged with federal fraud and money laundering charges in the U.S. "Fraudsters who target Americans from overseas cannot operate with impunity, no matter where in the world they reside," Assistant Attorney General A. Tysen Duva of the Justice Department's (DoJ) Crimi...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added a recently disclosed security flaw impacting various Linux distributions to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. The vulnerability, tracked as CVE-2026-31431 (CVSS score: 7.8), is a local privilege escalation (LPE) flaw that could allow an unprivileged local user to obtain root. The nine-year-old flaw is also tracked as Copy Fail by Theori and Xint. Fixes have been made available in Linux kernel versions 6.18.22, 6.19.12, and 7.0. "Linux Kernel contains an incorrect resource transfer between spheres vulnerability that could allow for privilege escalation," CISA said in an advisory. In a write-up published earlier this week, the researchers said Copy Fail is the result of a logic bug in the Linux kernel's authentication cryptographic template that allows an attacker to reliably trigger privilege escalation tri...

Cybersecurity researchers have uncovered a large-scale fraud operation that uses Telegram's Mini App feature to run crypto scams, impersonate well-known brands, and distribute Android malware.

Microsoft Defender is detecting legitimate DigiCert root certificates as Trojan:Win32/Cerdigent.A!dha, resulting in widespread false-positive alerts, and in some cases, removing certificates from Windows.

Educational tech giant Instructure has confirmed that data was stolen in a cyberattack, with the ShinyHunters extortion gang claiming responsibility.

Cybersecurity company Trellix has announced that it suffered a breach that enabled unauthorized access to a "portion" of its source code. It said it "recently identified" the compromise of its source code repository and that it began working with "leading forensic experts" to resolve the matter immediately. It also said it has notified law enforcement of the matter. Trellix did not disclose the exact nature of the data that may have been accessed by the attackers. However, it pointed out that there are no indications that its source code has been affected or exploited. "Based on our investigation to date, we have found no evidence that our source code release or distribution process was affected, or that our source code has been exploited," the company added. The company did not share any details about who may be behind the incident, and for how long the attackers had access to its systems. Trellix noted that additional information will b...

A new attack type, dubbed ConsentFix v3, has been circulating on hacker forums, building on the previous technique by adding automation and scaling potential.

A newly disclosed cPanel flaw tracked as CVE-2026-41940 is being mass-exploited to breach websites and encrypt data in "Sorry" ransomware attacks.

A mysterious hacking group has stolen the personal and financial information of Moldovan citizens from the country's national healthcare database.

Moldova's national health insurance agency, CNAM,

Ion Vintilă, an adjunct director for Moldova's Cybersecurity Agency, had told reporters in a taped interview that almost 30% of the agency's data was impacted in the incident, but didn't specify in what manner.

Two former employees of cybersecurity incident response companies Sygnia and DigitalMint were sentenced to four years in prison each for targeting U.S. companies in BlackCat (ALPHV) ransomware attacks.

The managed security services market is projected to grow from $38.31 billion in 2025 to $69.16 billion by 2030 [1], with cybersecurity being the fastest-growing sector [2]. Despite this opportunity, many MSPs leave revenue on the table because their go-to-market strategy fails to connect technical expertise with business needs. This execution gap is where most deals stall. MSPs often focus on frameworks and vulnerabilities, but their clients make decisions based on business outcomes: risk reduction, successful compliance audits, and business continuity. When sales messaging fails to bridge this divide, prospects tend to view cybersecurity as a cost center instead of a strategic investment. To win, MSPs must align security value with business priorities and translate complex offerings into compelling reasons for clients and prospects to act. Cynomi developed the GTM Academy Sales Kit to address this challenge and provide a structured, outcome-driven approach to help MSP sale...

The U.S. Department of Justice (DoJ) on Thursday announced the sentencing of two cybersecurity professionals to four years each in prison for their role in facilitating BlackCat ransomware attacks in 2023. Ryan Goldberg, 40, of Georgia, and Kevin Martin, 36, of Texas, were accused of deploying the ransomware against multiple victims located throughout the U.S. between April and December 2023. The two defendants, who pleaded guilty to their crimes in December 2025, conspired with Angelo Martino, 41, of Florida, to conduct the attacks. "The three men agreed to pay the ALPHV BlackCat administrators a 20% share of any ransoms received in exchange for access to the ransomware and ALPHV/BlackCat's extortion platform," the DoJ said. "All three men worked in the cybersecurity industry – meaning that they had special skills and experience in securing computer systems against harm, including the type of harm they themselves were committing against the victims in this ca...

A new software supply chain attack campaign has been observed using sleeper packages as a conduit to subsequently push malicious payloads that enabled credential theft, GitHub Actions tampering, and SSH persistence. The activity has been attributed to the GitHub account "BufferZoneCorp," which has published a set of repositories that are associated with malicious Ruby gems and Go modules. As of writing, the packages have been yanked from RubyGems, and the Go modules have been blocked. The names of the libraries are listed below. Ruby: knot-activesupport-logger, knot-devise-jwt-helper, knot-rack-session-store, knot-rails-assets-pipeline, knot-rspec-formatter-json, knot-date-utils-rb (Sleeper gem), knot-simple-formatter (Sleeper gem). Go: github[.]com/BufferZoneCorp/go-metrics-sdk, github[.]com/BufferZoneCorp/go-weather-sdk, github[.]com/BufferZoneCorp/go-retryablehttp, github[.]com/BufferZoneCorp/go-stdlib-ext, github[.]com/BufferZoneCorp/grpc-client, github[.]com...

Microsoft has released the KB5083631 optional cumulative update for Windows 11, which includes 34 changes, such as a new Xbox mode for Windows PCs, enhanced security and performance for batch files, and performance improvements for launching startup apps.

Microsoft has updated a Windows 11 in-box app removal policy introduced in October to include a dynamic list that lets IT admins choose which preinstalled Store apps to uninstall.

Microsoft has fixed a known issue causing newly introduced Windows security warnings to display incorrectly when opening Remote Desktop (.rdp) files.

Cybersecurity researchers are warning of two cybercrime groups that are carrying out "rapid, high-impact attacks" operating almost within the confines of SaaS environments, while leaving minimal traces of their actions. The clusters, Cordial Spider (aka BlackFile, CL-CRI-1116, O-UNC-045, and UNC6671) and Snarky Spider (aka O-UNC-025 and UNC6661), have been attributed to high-speed data theft and extortion campaigns that share a remarkable degree of operational similarities. Both hacking groups are assessed to be active since at least October 2025, with the latter a native English-speaking crew sharing ties to the e-crime ecosystem known as The Com. "In most cases, these adversaries use voice phishing (vishing) to direct targeted users to malicious, SSO-themed adversary-in-the-middle (AiTM) pages, where they capture authentication data and pivot directly into SSO-integrated SaaS applications," CrowdStrike's Counter Adversary Operations said in a report. ...

Cybersecurity researchers have disclosed details of a new China-aligned espionage campaign targeting government and defense sectors across South, East, and Southeast Asia, along with one European government belonging to NATO. Trend Micro has attributed the activity to a threat activity cluster it tracks under the temporary designation SHADOW-EARTH-053. The adversarial collective is assessed to be active since at least December 2024, while sharing some level of network overlap with CL-STA-0049, Earth Alux, and REF7707. "The group exploits N-day vulnerabilities in internet-facing Microsoft Exchange and Internet Information Services (IIS) servers (e.g., ProxyLogon chain), then deploys web shells (Godzilla) for persistent access and stages ShadowPad implants via DLL sideloading of legitimate signed executables," security researchers Daniel Lunghi and Lucas Silva said in an analysis. Targets of the campaigns include Pakistan, Thailand, Malaysia, India, Myanmar, Sri Lank...

Raw threat intel isn't enough without real-world context. Criminal IP has partnered with Securonix to integrate exposure-based intelligence into ThreatQ, automating analysis and speeding up investigations.

BleepingComputer initially published a story about a new data breach at Instructure. Shortly after publication, we determined that the information was incorrect and primarily based on outdated details from a prior incident. The article has been retracted, and we regret the error.

A newly discovered Vietnamese-linked operation has been observed using a Google AppSheet as a "phishing relay" to distribute phishing emails with an aim to compromise Facebook accounts. The activity has been codenamed AccountDumpling by Guardio, with the scheme selling the stolen accounts back through an illicit storefront run by the threat actors. In all, roughly 30,000 Facebook accounts are estimated to have been hacked as part of the campaign. "What we found wasn't a single phishing kit," security researcher Shaked Chen wrote in a report shared with The Hacker News. "It was a living operation with real-time operator panels, advanced evasion, continuous evolution and a criminal-commercial loop that quietly feeds on the same accounts it helps steal back." The findings are just the latest example of how Vietnamese threat actors continue to embrace various tactics to gain unauthorized access to victims' Facebook accounts, which are then sold...

French authorities have detained a 15-year-old suspected of selling data stolen in a cyberattack on France Titres (ANTS), the country's agency for issuing and managing administrative documents.

Microsoft has confirmed that Windows 11 is getting a new modern Run dialog with dark mode support and faster performance in a new preview build.

Instructure, the company behind the widely used Canvas learning platform, has disclosed that it recently suffered a cybersecurity incident and is now investigating its impact.

The US government has committed to countering Chinese 'distillation attacks' which are being used to steal the proprietary capabilities of American frontier AI models. We love a little governmental fist-shaking, but we don't think its plan will have China's AI labs shaking in their boots.

Distillation attacks, also known as model extraction attacks, upskill less capable models on the cheap by training them on the outputs of more advanced models.

Back in February,

In yet another software supply chain attack, threat actors have managed to compromise the popular Python package Lightning to push two malicious versions to conduct credential theft. According to Aikido Security, OX Security, Socket, and StepSecurity, the two malicious versions are versions 2.6.2 and 2.6.3, both of which were published on April 30, 2026. The campaign is assessed to be an extension of the Mini Shai-Hulud supply chain incident that targeted SAP-related npm packages on Wednesday. As of writing, the project has been quarantined by the administrators of the Python Package Index (PyPI) repository. PyTorch Lightning is an open-source Python framework that provides a high-level interface for PyTorch. The open-source project has more than 31,100 stars on GitHub. "The malicious package includes a hidden _runtime directory containing a downloader and an obfuscated JavaScript payload," Socket said. "The execution chain runs automatically when the lightn...

The internet is noisy this week. We are seeing some wild new tactics, like people using fake cell towers to send scam texts, while some developers are accidentally downloading tools that peek into their private files during a simple install. It is definitely a busy time to be online. Security is always a moving target. Millions of servers are currently sitting online without any passwords, and old software bugs are showing up in the most unexpected places. Even with the right fixes available, staying one step ahead is a full-time job for all of us. Data is shifting in strange ways, too. Some browser tools are now legally selling user history for profit, and new kits are making it simpler for almost anyone to launch a campaign. You have to see these latest updates to believe them. Let’s look at the full list...

SMS blaster phishing crackdown

Canadian Authorities Arrest 3 Men for Alleged Use of SMS Blaster

Canadian authorities have ar...

Cybersecurity researchers have disclosed details of a stealthy Python-based backdoor framework called DEEP#DOOR that comes with capabilities to establish persistent access and harvest a wide range of sensitive information from compromised hosts. "The intrusion chain begins with execution of a batch script ('install_obf.bat') that disables Windows security controls, dynamically extracts an embedded Python payload ('svc.py'), and establishes persistence through multiple mechanisms including Startup folder scripts, registry Run keys, scheduled tasks, and optional WMI subscriptions," Securonix researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee said in a report shared with The Hacker News. It's assessed that the batch script is distributed via traditional approaches like phishing. It's currently not known how widespread attacks distributing the malware are, and if any of those infections have been successful. "Based on our current a...

Intro

A sophisticated, high-resilience malicious campaign was identified by Atos Threat Research Center (TRC) in March 2026. This operation specifically targets the high-privilege professional accounts of enterprise administrators, DevOps engineers, and security analysts by impersonating administrative utilities they rely on for daily operations. By integrating search engine optimization (SEO) poisoning, a dual-stage GitHub distribution architecture, and decentralized blockchain-based command-and-control (C2) resolution, the threat actors have established a highly resilient delivery and persistence mechanism.

Creative Distribution via GitHub Facades

The campaign utilizes a multi-layered delivery chain designed to evade platform-level takedowns and maintain a high search engine ranking. The attack begins with SEO poisoning on various search engines, including Bing, Yahoo, DuckDuckGo, and Yandex. That ensures that malicious results for niche IT terms rank at the top of...

Cybersecurity researchers have disclosed details of a Linux local privilege escalation (LPE) flaw that could allow an unprivileged local user to obtain root. The high-severity vulnerability tracked as CVE-2026-31431 (CVSS score: 7.8) has been codenamed Copy Fail by Xint.io and Theori. "An unprivileged local user can write four controlled bytes into the page cache of any readable file on a Linux system, and use that to gain root," the vulnerability research team at Xint.io and Theori said. At its core, the vulnerability stems from a logic flaw in the Linux kernel's cryptographic subsystem, specifically within the algif_aead module. The issue was introduced in a source code commit made in August 2017. Successful exploitation of the shortcoming could allow a simple 732-byte Python script to edit a setuid binary and obtain root on essentially all Linux distributions shipped since 2017, including Amazon Linux, RHEL, SUSE, and Ubuntu. The Python exploit involves four ...

Google has addressed a maximum severity security flaw in Gemini CLI -- the "@google/gemini-cli" npm package and the "google-github-actions/run-gemini-cli" GitHub Actions workflow -- that could have allowed attackers to execute arbitrary commands on host systems. "The vulnerability allowed an unprivileged external attacker to force their own malicious content to load as Gemini configuration," Novee Security said in a Wednesday report. "This triggered command execution directly on the host system, bypassing security before the agent’s sandbox even initialized." The shortcoming, which does not have a CVE identifier, carries a CVSS score of 10.0. It affects the following versions - @google/gemini-cli

A new phishing kit named Bluekit offers more than 40 templates targeting popular services and includes basic AI features for generating campaign drafts.

A Romanian national who led an online swatting ring that targeted more than 75 public officials, multiple journalists, and four religious institutions was sentenced to 4 years in federal prison.

The U.S. Federal Bureau of Investigation (FBI) warned the transportation and logistics industry of a sharp rise in cyber-enabled cargo theft, with estimated losses in the United States and Canada reaching nearly $725 million in 2025.

The April 2026 KB5083769 security update breaks third-party backup applications from multiple vendors on systems running Windows 11 24H2 and 25H2.

When a new asset goes live, attackers start scanning within minutes. Sprocket Security shows how automated attacks move from discovery to compromise in under 24 hours.

An exploit has been published for a local privilege escalation vulnerability dubbed "Copy Fail" that impacts Linux kernels released since 2017, allowing an unprivileged local attacker to gain root permissions.

The critical CVE-2026-41940 authentication bypass vulnerability in cPanel, WHM, and WP Squared is being actively exploited in the wild and has been leveraged in attempts since late February.

A joint international operation involving U.S. and Chinese authorities arrested at least 276 suspects and shut down nine cryptocurrency investment fraud centers.

The UK's cybersecurity agency has advised public and private organizations against relying too much on bad metrics to evaluate the efficiency of their security operations centers (SOCs).

Officials say bad metrics incentivize SOC teams to be careless about their jobs and rush through tickets and detections rather than be dedicated to protecting their networks.

While metrics can be used for other IT departments to evaluate their effectiveness, the true value of a SOC team comes from insight and not speed or quantity, hence SOC teams should not be treated as any other department that needs to be optimized.

Cybersecurity researchers are sounding the alarm about a new supply chain attack campaign targeting SAP-related npm packages with credential-stealing malware. According to reports from Aikido Security, Onapsis, OX Security, SafeDep, Socket, StepSecurity, and Google-owned Wiz, the campaign – calling itself the Mini Shai-Hulud – has affected the following packages associated with SAP's JavaScript and cloud application development ecosystem: mbt@1.2.48, @cap-js/db-service@2.10.1, @cap-js/postgres@2.2.2, and @cap-js/sqlite@2.2.2. "The affected versions introduced new installation-time behavior that was not previously part of these packages' expected functionality," Socket said. "The compromised releases added a preinstall script that acts as a runtime bootstrapper, downloading a platform-specific Bun ZIP from GitHub Releases, extracting it, and immediately executing the extracted Bun binary." "The implementation also follows HTTP redirects wi...

Cybersecurity researchers have discovered malicious code in an npm package after a malicious package was added as a dependency to the project by Anthropic's Claude Opus large language model (LLM). The package in question is "@validate-sdk/v2," which is listed on npm as a utility software development kit (SDK) for hashing, validation, encoding/decoding, and secure random generation. However, its real functionality is to plunder sensitive secrets from the compromised environment. The package, which shows signs of being vibe-coded using generative artificial intelligence (AI), was first uploaded to the repository in October 2025. The malware campaign has been codenamed PromptMink by ReversingLabs, which linked the activity to a broader campaign mounted by the North Korean threat actor known as Famous Chollima (aka Shifty Corsair), which is behind the long-running Contagious Interview campaign and the fraudulent IT Worker scam. "The new malware campaign [...] inv...

In February 2026, researchers uncovered a shift that completely changed the game: threat actors are now using custom AI setups to automate attacks directly into the kill chain. We aren't just talking about AI writing better phishing emails anymore. We’re talking about autonomous agents mapping Active Directory and seizing Domain Admin credentials in minutes. The problem? Most defensive workflows still look like this: your CTI team finds a threat, they pass it to the Red Team to test, and eventually, the results reach the Blue Team for patching. This process is full of friction, silos, and delays. The reality is simple: You cannot fight an AI adversary moving at machine speed when your defense moves at the speed of a calendar invite. To bridge this gap, we’re hosting a technical deep dive with the team at Picus Security to unveil a new defensive paradigm: Autonomous Exposure Validation. Leading this session are Kevin Cole (VP of Produc...

Every security team has a version of the same story. The quarter ends with hundreds of vulnerabilities closed. The dashboards are bursting with green. Then someone in a leadership meeting asks: "So, are we actually safer now?" Crickets. The room goes quiet because an honest answer requires context – which is something that patch counts and CVSS scores were never designed to provide. Exposure management was created to provide this context – to bridge the gap between remediation efforts and actual risk reduction. The market has responded with a flood of platforms claiming to deliver it. Yet the question security leaders are asking is: which exposure management platform actually does provide it? In this article, I’ll break down the four dominant approaches to exposure management, explain what each one can and can't deliver, and lay out five evaluation criteria that help you separate platforms built to reduce risk to your unique business and environment from platforms ...

cPanel has released security updates to address a security issue impacting various authentication paths that could allow an attacker to obtain access to the control panel software. The problem affects all currently supported versions of cPanel and WebHost Manager (WHM), according to an alert published by WebPros on Tuesday. It does not have an official identifier. The issue has been addressed in the following versions: 11.86.0.41, 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.130.0.19, 11.132.0.29, 11.136.0.5, and 11.134.0.20. "If your server is not running a supported version of cPanel that is eligible for this update, it is highly recommended that you work toward updating your server as soon as possible, as it may also be affected," cPanel noted. While cPanel did not share any details about the vulnerability, web hosting and domain registration company Namecheap disclosed that it "relates to an authentication login exploit that could allow unauthorized access to the ...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added two security flaws impacting ConnectWise ScreenConnect and Microsoft Windows to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerabilities are listed below -

CVE-2024-1708 (CVSS score: 8.4) - A path traversal vulnerability in ConnectWise ScreenConnect that could allow an attacker to execute remote code or directly impact confidential data and critical systems. (Fixed in February 2024)

CVE-2026-32202 (CVSS score: 4.3) - A protection mechanism failure vulnerability in Microsoft Windows Shell that could allow an unauthorized attacker to perform spoofing over a network. (Fixed in April 2026)

The addition of CVE-2026-32202 to the KEV catalog comes a day after Microsoft updated its advisory for the flaw to acknowledge it had come under active exploitation. Although Microsoft has not disclosed the nature of the attacks weaponizi...

Multiple official SAP npm packages were compromised in what is believed to be a TeamPCP supply-chain attack to steal credentials and authentication tokens from developers' systems.

The Quick Page/Post Redirect plugin, installed on more than 70,000 WordPress sites, had a backdoor added five years ago that allows injecting arbitrary code into users' sites.

Hackers are exploiting two authentication bypass vulnerabilities in the Qinglong open-source task scheduling tool to deploy cryptominers on developers' servers.

The Ukrainian police have arrested three individuals who hacked more than 610,000 Roblox gaming accounts and sold them for a profit of $225,000.

A critical vulnerability affecting all but the latest versions of cPanel and the WebHost Manager (WHM) dashboard could be exploited to obtain access to the control panel without authentication.

Austrian and Albanian authorities dismantled a criminal ring accused of running a large-scale cryptocurrency investment fraud operation that caused estimated losses of over €50 million ($58.5 million) to victims worldwide.

A single third-party OAuth integration can become a direct path into your environment. Push explains how the Vercel breach shows a compromised OAuth app can lead to widespread impact across downstream customers.

In early March, GitHub patched a critical remote code execution vulnerability (CVE-2026-3854) that could have allowed attackers to access millions of private repositories.

Firefox and Tor Browser users are advised to install the latest security patches to address a bug that can allow threat actors to track them across the internet.

The bug works in normal browsing mode, in private browsing windows, and, in the case of Tor, across different Tor sessions.

The issue, found by the team at

An ugly-looking web panel has been linked to 94 SIM farms located across 17 countries around the globe.

ProxySmart

According to security firm

Elon Musk has refused to appear at a voluntary interview relating to a French criminal investigation into illegal content on X and sexual abuse material created by the Grok chatbot.

The strategy of applying pressure directly on technology company executives is one that French authorities have used before. This incident reminds us of

Both Telegram and X are being investigated by the same

A former FBI cyber official has urged Congress to investigate if ransomware groups that target hospitals and critical infrastructure can be designated as terrorist organizations.

Former FBI Cyber Deputy Director

Kaiser, who served in the FBI for 20 years, including as the agency's Cyber Deputy Director, has also urged lawmakers to examine if ransomware operators can be charged with murder or manslaughter if any attacks lead to a human death.

Security researchers at British security firm Darktrace have found a new and interesting piece of malware that was specifically designed to infect and sabotage the operations of Israel's national water management network.

Named

The malware is a very targeted operation that only works inside networks hosted on

The US National Institute of Standards and Technology announced on Wednesday a new policy regarding the US National Vulnerability Database, which the agency has been struggling to keep updated with details for every new vulnerability added to the system.

Going forward,

This will include three types of security flaws, which the agency says are critical to the safe operation of US government networks and its private sector.

A recent deep dive into the American adtech surveillance system, Webloc, highlights the national security and privacy risks of pervasive and easily obtainable geolocation data. It brings home, once again, that the US needs to clamp down on the collection and sale of geolocation data.

The report

Webloc was developed by Cobweb Technologies, but is now sold by the US firm Penlink after the two companies merged in 2023. A leaked technical proposal document, obtained by Citizen Lab, says that Webloc provides access to records from "up to 500 million mobile devices across the globe". These records contain device identifiers, location coordinates and profile data from mobile apps and digital advertising.
