Today — May 13, 2026 Cybersecurity News

Instructure settles with hackers following massive student data theft

May 13, 2026, 07:16

Educational tech firm Instructure reached a deal with hackers after a major Canvas breach exposed data stolen from schools and universities.

Educational tech firm Instructure says it reached an agreement with the cybercrime group behind a major Canvas data theft, after attackers broke into its systems and threatened to publish stolen information from schools and universities.

Instructure is a U.S.-based educational technology company best known for developing Canvas, one of the world’s most widely used learning management systems (LMS). 

The U.S. firm confirmed a cybersecurity incident that exposed users’ personal information. Canvas is widely used by schools and universities to manage courses, assignments, and online learning, raising concerns about student and staff data security.

Instructure revoked privileged credentials and access tokens, deployed security patches, rotated some keys as a precaution, and increased monitoring across systems.

“Out of an abundance of caution, we rotated certain keys, even though there is no evidence they were misused – Implemented increased monitoring across all platforms.” reads the initial Incident Report. “While we continue actively investigating, thus far, indications are that the information involved consists of certain identifying information of users at affected institutions, such as names, email addresses, and student ID numbers, as well as messages among users. At this time, we have found no evidence that passwords, dates of birth, government identifiers, or financial information were involved.”

So far, the exposed data likely includes user identifiers such as names, email addresses, student ID numbers, and some user messages.

Instructure did not share details about the attack; however, the ShinyHunters extortion group claimed responsibility for it and added the company to its Tor data leak site.

In a new update, the company said it reached an agreement with the cybercrime group due to the risk of a public leak and the possible impact on customers. It added that the stolen data was returned and that it received confirmation it had been destroyed. Instructure also said it was told customers would not be separately extorted.

“We know that concerns about the potential publication of data related to this incident remain top of mind for many customers. We understand how unsettling situations like this can be, and protecting our community remains our top priority.” reads the company’s update. “With that responsibility in mind, Instructure reached an agreement with the unauthorized actor involved in this incident. As part of that agreement:

  • The data was returned to us.
  • We received digital confirmation of data destruction (shred logs).
  • We have been informed that no Instructure customers will be extorted as a result of this incident, publicly or otherwise.
  • This agreement covers all impacted Instructure customers, and there is no need for individual customers to attempt to engage with the unauthorized actor.”

The company is still working with cybersecurity experts to complete the forensic investigation, strengthen its systems, and review the impacted data. It also plans to share details about the root cause and lessons learned to help the education technology sector defend against similar attacks.

Instructure leadership is organizing a webinar, expected on May 13, across multiple time zones, to discuss the incident and security improvements.

ShinyHunters allegedly stole around 3.65TB of data from Canvas and affected nearly 9,000 organizations. A second wave of activity was later seen, including extortion messages on login pages at hundreds of institutions.

Attackers are said to have used a flaw in the Free-for-Teacher environment to get in and pull out large amounts of user data, including names, emails, course details, enrollment information, and messages. Instructure says core course content, submissions, and passwords were not exposed.

To limit further risk, the company temporarily shut down Free-For-Teacher accounts and tightened access controls. It also said it is working with security experts to review the incident and improve defenses.

The stolen data could still be useful for phishing and impersonation campaigns, especially against students, staff, parents, and support teams. For schools, the main concern now is that even without passwords or course files, this kind of data can still fuel convincing follow-up attacks.

The U.S. House Committee on Homeland Security has asked Instructure executives to testify about two cyberattacks linked to the ShinyHunters extortion group that compromised the Canvas platform, stole student data, and disrupted schools during final exams.

Chairman Andrew R. Garbarino said the committee is investigating the breach, which affects tens of millions of students, educators, and administrators who use Canvas.

The U.S. House Committee on Homeland Security is calling on Instructure executives to testify about two cyberattacks by the ShinyHunters extortion group that targeted the company’s Canvas platform, allowing threat actors to steal student data and disrupt schools during final exams.

In a letter sent Monday afternoon to Instructure CEO Steve Daly, Homeland Security Committee Chairman Andrew R. Garbarino said the committee is investigating the massive breach at Instructure that impacts millions of students.

“The Committee on Homeland Security (Committee) is investigating the concerning reports related to recent cybersecurity incidents affecting Instructure Holdings, Inc. and the tens of millions of students, educators, and administrators who rely on its Canvas learning management platform. Within the span of one week, the cybercriminal group known as ShinyHunters breached Instructure twice. The group reportedly first struck on May 1, accessing personal data belonging to students and faculty across thousands of institutions, and struck again on May 7, defacing Canvas login pages nationwide and posting ransom demands directly on students’ screens.” reads the letter. “With students at more than 8,000 institutions navigating final examinations and end of semester deadlines, the disruption of a platform that Instructure itself describes as serving more than 30 million active users globally is a matter of national concern.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)

Critical Fortinet vulnerabilities fixed in FortiSandbox and FortiAuthenticator

May 13, 2026, 03:22

Fortinet patched critical flaws in FortiSandbox and FortiAuthenticator that could let attackers remotely execute code on unpatched systems.

Fortinet addressed two critical vulnerabilities affecting FortiSandbox and FortiAuthenticator. The flaws could allow attackers to execute arbitrary commands or code on unpatched systems.

The first vulnerability, tracked as CVE-2026-44277, is an improper access control issue in FortiAuthenticator.

“An Improper Access Control vulnerability [CWE-284] in FortiAuthenticator may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.” reads the advisory.

Below are the impacted versions:

Version                   Affected               Solution
FortiAuthenticator 8.0    8.0.2                  Upgrade to 8.0.3 or above
FortiAuthenticator 8.0    8.0.0                  Upgrade to 8.0.3 or above
FortiAuthenticator 6.6    6.6.0 through 6.6.8    Upgrade to 6.6.9 or above
FortiAuthenticator 6.5    6.5.0 through 6.5.6    Upgrade to 6.5.7 or above

The vulnerability doesn’t affect FortiAuthenticator Cloud.
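As an added example (not code from Fortinet or from the article), the following sketch triages an inventory against the CVE-2026-44277 table above. The host names, version string formats and status labels are constructed assumptions; 8.0.1 is not listed in the table, so it is flagged for manual review rather than guessed at.

```python
import re

# (branch, first affected, last affected, first fixed), transcribed from the
# article's table for CVE-2026-44277. The 8.0 rows list 8.0.0 and 8.0.2 as
# individual versions, so they are kept as two single-version ranges.
AFFECTED = [
    ("8.0", (8, 0, 2), (8, 0, 2), "8.0.3"),
    ("8.0", (8, 0, 0), (8, 0, 0), "8.0.3"),
    ("6.6", (6, 6, 0), (6, 6, 8), "6.6.9"),
    ("6.5", (6, 5, 0), (6, 5, 6), "6.5.7"),
]

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")

# Hypothetical status labels, ordered by how urgently they need attention.
ORDER = ["affected", "review", "unknown", "not_listed", "fixed", "not_affected"]


def parse_version(text):
    """Extract the first major.minor.patch triple, tolerating a 'v' prefix
    or a build suffix (assumed inventory formats)."""
    match = _VERSION_RE.search(text or "")
    return tuple(int(part) for part in match.groups()) if match else None


def classify(version_text, cloud=False):
    """Return (status, fix_version) for one FortiAuthenticator instance."""
    if cloud:
        # The article states FortiAuthenticator Cloud is not affected.
        return ("not_affected", None)
    version = parse_version(version_text)
    if version is None:
        return ("unknown", None)
    branch = "%d.%d" % version[:2]
    rows = [row for row in AFFECTED if row[0] == branch]
    if not rows:
        # The table says nothing about this branch; do not assume it is safe.
        return ("not_listed", None)
    fix = rows[0][3]
    for _, low, high, _ in rows:
        if low <= version <= high:
            return ("affected", fix)
    if version < parse_version(fix):
        # Below the fixed release but not listed as affected (e.g. 8.0.1).
        return ("review", fix)
    return ("fixed", None)


def triage(inventory):
    """Classify (host, version, cloud) records, most urgent first."""
    results = []
    for host, version_text, cloud in inventory:
        status, fix = classify(version_text, cloud)
        results.append((host, version_text, status, fix))
    return sorted(results, key=lambda row: ORDER.index(row[2]))


# Constructed sample inventory, for illustration only.
INVENTORY = [
    ("fac-hq-01", "6.6.4", False),
    ("fac-dr-01", "6.6.9", False),
    ("fac-lab-01", "8.0.1", False),
    ("fac-branch-02", "v6.5.0-build0123", False),
    ("fac-legacy-01", "6.4.9", False),
    ("fac-cloud-01", "8.0.2", True),
]

if __name__ == "__main__":
    for host, version_text, status, fix in triage(INVENTORY):
        action = "upgrade to %s or above" % fix if fix else "no action from this advisory"
        print("%-14s %-18s %-13s %s" % (host, version_text, status, action))
```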

Fortinet experts discovered the flaw as part of an internal audit.

The second flaw addressed by the cybersecurity vendor is a missing authorization issue, tracked as CVE-2026-26083, in FortiSandbox. An attacker can trigger the flaw to achieve remote code execution on vulnerable systems.

“A missing authorization vulnerability [CWE-862] in FortiSandbox, FortiSandbox Cloud and FortiSandbox PaaS WEB UI may allow an unauthenticated attacker to execute unauthorized code or commands via HTTP requests.” reads the advisory.

Neither flaw has been exploited in in-the-wild attacks.

Adham El Karn from the Fortinet Product Security team discovered and reported the issue internally.

Pierluigi Paganini

(SecurityAffairs – hacking, FortiAuthenticator)

Hackers accessed BWH Hotels reservation system for months

May 12, 2026, 16:47

BWH Hotels says hackers accessed guest reservation data, including names and contacts, for over six months across multiple hotel brands.

BWH Hotels disclosed a data breach, with threat actors having had access to guest reservation data for more than six months. The incident exposed names and contact details of an undisclosed number of guests.

BWH Hotels is one of the world’s largest hotel networks, operating more than 4,000 hotels in over 100 countries. The group was created from the evolution of Best Western and today manages a multi-brand portfolio ranging from budget to luxury hospitality.

The hospitality group included brands such as Best Western Hotels & Resorts, WorldHotels, and Sure Hotels.

BWH Hotels disclosed that hackers accessed a reservation system between October 2025 and April 2026, exposing guest contact details and stay information.

“We are writing to let you know that on April 22, 2026, we identified unauthorized activity in one of our web applications that houses certain guest reservation data.” reads the data breach notification sent to the affected customers. “We have learned that certain guests’ names, email addresses, telephone numbers, and/or home addresses, along with other reservation details (e.g., reservation numbers, dates of stay, and any special requests) for reservations in our system were accessed by an unauthorized third‑party between October 14, 2025 and April 22, 2026, including yours.”

The company pointed out that payment data was not stored in the affected system and therefore was not compromised.

“Importantly, payment and other financial information was not stored in the affected system and therefore was not accessed.” continues the notification.

After discovering the intrusion, BWH took the application offline, revoked access, and hired external cybersecurity experts to support the investigation and strengthen protections.

Guests were also warned to watch for phishing emails, texts, calls, or fake booking messages exploiting the stolen reservation data.

BWH Hotels urged guests to stay alert for phishing emails, fake booking pages, and suspicious payment requests following the breach.

The company recommends that customers verify website addresses before entering payment details and contact their bank immediately if financial data was shared with scammers.

BWH also apologized for the incident and provided support through its data protection office.

At this time, no known cybercriminal group has claimed responsibility for the attack targeting BWH Hotels.

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)

The world’s most “Dangerous” AI, Anthropic’s Mythos, found only one flaw in curl

May 12, 2026, 11:47

Anthropic’s AI found five vulnerabilities in curl, but only one low-severity issue proved to be a real vulnerability.

In April, Anthropic made considerable noise announcing Mythos, a new artificial intelligence model described as so effective at identifying vulnerabilities in code as to be, in the company’s own words, “dangerously good.” So good, in fact, that Anthropic decided against releasing it to the general public, instead distributing access to a small group of major organizations to give them time to patch their most critical flaws before the model reached everyone else.

The industry reacted with a degree of alarm. Thousands of zero-days identified in a matter of weeks, software security as we knew it thrown into question: the script had all the ingredients of a viral tech story. And so it became one.

Then Daniel Stenberg weighed in. Stenberg is the creator and lead developer of curl, the data transfer library present on over twenty billion devices: every smartphone, every connected car, and every server on the planet uses curl in one way or another. Through the Linux Foundation’s Alpha Omega project, he too was granted access, indirectly via a third party, to a Mythos analysis of curl’s codebase. The result? The model analyzed 176,000 lines of C code and returned five vulnerabilities it described, with notable self-assurance, as “confirmed.”

“curl is currently 176,000 lines of C code when we exclude blank lines. The source code consists of 660,000 words, which is 12% more words than the entire English edition of the novel War and Peace.” wrote Stenberg. “The report concluded it found five “Confirmed security vulnerabilities”. I think using the term confirmed is a little amusing when the AI says it confidently by itself. Yes, the AI thinks they are confirmed, but the curl security team has a slightly different take.

Five issues felt like nothing as we had expected an extensive list. Once my curl security team fellows and I had poked on this short list for a number of hours and dug into the details, we had trimmed the list down and were left with one confirmed vulnerability. The other four were three false positives (they highlighted shortcomings that are documented in API documentation) and the fourth we deemed “just a bug”.”

Three of them turned out to be false positives, behaviors already documented in the API documentation, and one was simply a bug, not a security issue. A single real vulnerability remained, rated low severity, scheduled to be included in the curl 8.21.0 release in late June.

Daniel Stenberg concluded that the hype around Anthropic’s Mythos AI looked more like marketing, as he saw no major advantage over existing security tools.

“My personal conclusion can however not end up with anything else than that the big hype around this model so far was primarily marketing. I see no evidence that this setup finds issues to any particular higher or more advanced degree than the other tools have done before Mythos.” he added.

curl is not an ordinary codebase. As Stenberg himself notes, and as the Mythos report openly acknowledges at the very top of its analysis: “curl is one of the most fuzzed and audited C codebases in existence (OSS-Fuzz, Coverity, CodeQL, multiple paid audits). Finding anything in the hot paths (HTTP/1, TLS, URL parsing core) is unlikely.” In the months prior, other AI-powered tools, Zeropath, AISLE, OpenAI’s Codex Security, had already produced somewhere between two and three hundred bugfixes in the codebase, including a dozen or more confirmed CVEs. Mythos arrived late, on ground that had already been extensively turned over.

There is also the Mozilla comparison. Mythos found over 270 vulnerabilities in Firefox, a result that genuinely impressed the browser’s security team. But Mozilla also made clear that every bug the model identified could have been found by elite human researchers. The value was not in the unreachability of the findings, but in the speed: closing the window between attacker discovery and vendor patch.

Stenberg, for his part, does not dismiss AI tooling in general, quite the opposite.

“AI powered code analyzers are significantly better at finding security flaws and mistakes in source code than any traditional code analyzers did in the past,” he wrote.

The argument is narrower: that Mythos, at least on curl, did not demonstrate meaningful superiority over what already exists.

Daniel Stenberg did not directly interact with Anthropic’s Mythos AI and only reviewed a generated report, limiting a full evaluation of the model’s capabilities. While the AI found just one low-severity flaw in curl’s heavily audited codebase, the results neither confirm the industry hype nor completely dismiss the technology. The test suggests AI vulnerability research may be useful, but current claims about revolutionary capabilities still appear overstated.

“Any project that has not scanned their source code with AI powered tooling will likely find huge number of flaws, bugs and possible vulnerabilities with this new generation of tools.” Stenberg concluded.

Pierluigi Paganini

(SecurityAffairs – hacking, Anthropic)

Yesterday — May 12, 2026 Cybersecurity News

Attackers exploit cPanel CVE-2026-41940 to deploy Filemanager Backdoor

May 12, 2026, 08:41

Attackers are exploiting cPanel flaw CVE-2026-41940 to install the Filemanager backdoor and gain unauthorized admin access.

Cybercriminals are actively exploiting the critical cPanel vulnerability CVE-2026-41940 (CVSS score of 9.3) to deploy a backdoor called Filemanager on compromised servers.

cPanel is a widely used web hosting control panel that lets users manage websites and servers through a graphical interface instead of command-line tools.

Cybersecurity experts at watchTowr first disclosed the flaw earlier this week and released a tool to help defenders identify vulnerable hosts in their estates.

“As we stated above, in-the-wild exploitation has already begun, according to KnownHost.” reads the advisory by watchTowr. “Therefore, we’re releasing our Detection Artifact Generator to enable defenders to identify vulnerable hosts in their estates.”

CVE-2026-41940 is an authentication bypass flaw affecting cPanel and WHM versions after 11.40. A weakness in the login flow allows remote attackers to skip or manipulate authentication checks, granting access to the control panel without valid credentials. This could let attackers manage hosting settings, access sensitive data, or take control of the server.

According to the Shadowserver Foundation, thousands of instances may be exposed.

cPanel and watchTowr released tools to detect compromise and vulnerable hosts. Exploits date back to February. Namecheap warned customers of temporary access limits to mitigate risk.

QiAnXin XLab researchers linked the attacks to a threat actor known as Mr_Rot13.

Since its public disclosure on April 28, researchers have observed widespread exploitation linked to cryptomining, ransomware, botnets, and backdoor deployments. More than 2,000 malicious IPs worldwide have reportedly targeted the flaw, with activity traced mainly to Germany, the U.S., Brazil, and the Netherlands.

The issue has already been tied to attacks against Southeast Asian government and military institutions, where hackers allegedly stole 4.37 GB of sensitive data.

Researchers also uncovered a new Go-based malware called “Payload,” which installs SSH keys, malicious PHP and JavaScript code, steals credentials, and sends stolen data to attackers through Telegram before deploying a remote-control trojan named Filemanager.

“On May 4, while sorting through the malicious payloads delivered via the CVE-2026-41940 vulnerability, we discovered a new and distinctive infector. This infector is written in Go, with a project named “Payload,” and it embeds a large amount of Turkish-language log messages, which appear to be AI-generated.” reads the report published by QiAnXin XLab. “Its main functions are: implanting an SSH public key, malicious PHP, and JS code into the compromised cPanel system, stealing login credentials, sending the stolen information back to a Telegram group controlled by the attackers, and ultimately deploying a remote-control trojan named “filemanager.””

Threat analysts linked the campaign to a suspected long-running group called Mr_Rot13, which appears to have operated covertly since at least 2020 using the same infrastructure and hidden command-and-control systems.

Researchers analyzed a malicious “Payload” infector used in attacks exploiting the critical cPanel flaw CVE-2026-41940. The malware downloads and runs a backdoor called Filemanager from attacker-controlled servers, then deletes traces of the installer.

“The malicious script delivered by Mr_rot13 via CVE-2026-41940 is shown below. Its function is to request a malicious payload named Update from the download server cp.dene.[de.com, and run it continuously in the background using the nohup command (typically used together with &).” continues the report.

Written in Go and likely generated with AI assistance, the malware changes root passwords, installs SSH keys, deploys PHP webshells, injects malicious JavaScript into cPanel login pages, steals credentials, and exfiltrates sensitive data.

The attackers also used Telegram bots as a backup channel to receive stolen information. Analysts linked the infrastructure to a long-running threat actor called Mr_Rot13, active since at least 2020. The malware supports Linux, Windows, and macOS systems and appears designed for persistent remote access and credential theft.

Researchers discovered a PHP backdoor named helper.php linked to the Mr_Rot13 threat group and uploaded to VirusTotal in 2022 with no antivirus detections. The malware hid malicious code inside a legitimate WordPress file using XOR string obfuscation and communicated with the domain wrned.com, extending the group’s activity timeline back several years.

The backdoor collected data such as URLs, IP addresses, parameters, and user-agent details, then sent them to a remote command-and-control server. Although researchers could not fully decrypt the final payload, the analysis confirmed that WordPress sites were likely a major target of the operation.

“Over the six years from 2020 to the present, the detection rate of Mr_Rot13’s related samples and infrastructure across security products has remained extremely low.” concludes the QiAnXin XLab report. “Given that this threat activity is still ongoing and that the cPanel vulnerability involved is highly critical, we have written this threat brief specifically to share our findings with the security community, in order to work together to safeguard cybersecurity.”

Pierluigi Paganini

(SecurityAffairs – hacking, cPanel)

WannaCry, the ransomware attack that changed the history of cybersecurity

May 12, 2026, 06:31

WannaCry showed how unpatched flaws and leaked cyber tools can cripple global systems, reshaping cybersecurity defenses worldwide.

In memory of the day the digital world was shaken, but learned to fight back.

The WannaCry ransomware attack represents one of the most significant events in recent cybersecurity history, not only for its global scale but also for the technical and geopolitical implications it raised. Analyzing its history means understanding how known vulnerabilities, advanced tools, and delays in mitigation can converge into an event capable of disrupting critical infrastructure worldwide.

WannaCry emerged on May 12, 2017 by exploiting a vulnerability in the SMBv1 protocol of Microsoft Windows (CVE-2017-0144 aka EternalBlue). This vulnerability, which was addressed by the Microsoft security patch MS17-010 in March 2017, allowed remote code execution without authentication. The most critical detail is that the exploit used, known as EternalBlue, was not developed by common cybercriminals but derived from offensive tools attributed to the National Security Agency (NSA), later leaked by the hacker group Shadow Brokers.

This combination made WannaCry particularly effective. It was not a traditional ransomware spread via phishing, but a worm capable of autonomously propagating within networks.

On that day in May, WannaCry began spreading rapidly, infecting over 200,000 systems in more than 150 countries within hours. Among the countries most affected were Spain, the United Kingdom, the United States, China, Portugal, Vietnam, Russia, and Ukraine, with particular impact on British hospital IT systems and Spanish telecommunications networks.

Italy was also affected by the attack, and the case was handled by the CNAIPIC, the cybercrime operations center of the Polizia Postale. The speed of propagation was largely due to the widespread presence of unpatched systems, especially outdated Windows versions like Windows XP.

Infection mechanism and behavior

Once inside a system, WannaCry encrypted files using strong cryptographic algorithms and displayed a ransom demand in Bitcoin. The requested payment was relatively low, around $300, but increased over time to pressure victims into paying quickly.

From a technical perspective, the real innovation was its automated lateral movement. Using EternalBlue, the malware scanned networks for other vulnerable systems and replicated itself without human interaction. This behavior made it more similar to a classic worm than to traditional ransomware.

A crucial moment in WannaCry’s history was the accidental discovery of a “kill switch.” Security researcher Marcus Hutchins (aka MalwareTech), while analyzing the code, noticed that the malware attempted to connect to an unregistered domain (hxxp://www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com).

By registering that domain, he effectively slowed and partially stopped the worm’s global spread. This mechanism was likely intended as an anti-analysis technique, but it ended up playing a key role in mitigating the attack.

Attribution and lessons learned

Subsequent investigations attributed the attack to groups linked to North Korea, particularly the Lazarus Group. This attribution, supported by several governments including the United States and the United Kingdom, highlighted how cyber warfare tools can be repurposed in criminal or hybrid operations.

The WannaCry case also sparked intense debate about how governments manage software vulnerabilities. The fact that an intelligence-grade exploit escaped control and was used globally exposed the risks associated with stockpiling cyber weapons.

WannaCry marked a turning point in how cyber risk is perceived. It demonstrated that failing to apply security patches can lead to systemic consequences. Microsoft had released the necessary security update months before the attack, yet many organizations had not implemented it.

Another key lesson concerns network segmentation. The worm’s ability to move laterally exposed weaknesses in internal infrastructures that lacked proper isolation controls.

Finally, WannaCry emphasized the importance of international cooperation in cyber incident response. The timely sharing of technical information helped limit the damage and enabled faster development of countermeasures.

Years later, WannaCry remains a landmark case showing how known vulnerabilities, advanced tools, and organizational shortcomings can combine into a devastating cyberattack. It was neither the most sophisticated nor the most profitable ransomware, but it was undoubtedly one of the most impactful.

Its legacy is still visible today in modern security practices, which place greater emphasis on patch management, network resilience, and preparedness for large-scale attacks.

About the author: Salvatore Lombardo (@Slvlombardo)

Electronics engineer and Clusit member, for some time now, espousing the principle of conscious education, he has been writing for several online magazines on information security. He is also the author of the book “La Gestione della Cyber Security nella Pubblica Amministrazione”. “Education improves awareness” is his slogan.

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

Android banking Trojan TrickMo evolves using TON network for C2

12 May 2026, 03:53

ThreatFabric found a new TrickMo Android trojan focused on stealth and persistence, moving its command-and-control traffic to the TON network.

Security researchers at ThreatFabric have recently identified a new version of TrickMo, a dangerous Android banking trojan that shows how malware operators are focusing less on flashy new features and more on improving stealth, flexibility, and long-term control over infected devices.

“The variant is a direct evolution of the previously documented TrickMo: the on-device feature set is largely unchanged, but the platform underneath has been deliberately re-engineered for stealth, resilience and operator reach.” reads the report published by ThreatFabric. “The most visible change is at the network layer, where the bot’s command-and-control traffic has been moved off the conventional internet entirely and onto The Open Network (TON).”

Instead of creating completely new malware families, attackers are redesigning existing platforms to survive longer, avoid detection, and give operators more control.

The latest TrickMo variant was discovered between January and February 2026 during campaigns targeting banking and cryptocurrency wallet users in France, Italy, and Austria. Researchers believe this updated version is gradually replacing older TrickMo variants already active in the wild. While many of its visible features remain similar, the malware’s internal structure has changed significantly.

An interesting aspect of TrickMo is its modular design. The main application acts mostly as a launcher and persistence layer, while additional malicious functionality is downloaded later as separate modules. This architecture gives attackers flexibility because new features can be added without reinstalling the malware.

One of the most important updates involves how TrickMo communicates with its operators. Traditionally, malware relies on standard internet infrastructure such as domains and public servers for command-and-control communication. This new version has abandoned that approach almost entirely.

The Open Network (TON) is a legitimate blockchain platform. Researchers said TrickMo C operators abused its infrastructure, without involvement or responsibility from the TON project.

“The most significant change is the migration of command-and-control traffic onto The Open Network (TON).” continues the report. “The single largest architectural change in TrickMo is that the bot no longer reaches its operator over the conventional internet. The primary command-and-control transport has been moved onto The Open Network (TON) — a decentralised peer-to-peer overlay network originally built for Telegram, with its own routing and naming layer (ADNL). Hosts inside TON are not addressed by DNS or by IPs in the public routing table; they are addressed by opaque base32 strings under a .adnl pseudo-TLD which the TON network resolves through its own decentralised infrastructure.”

This makes detection and takedown efforts far more difficult because the infrastructure does not rely on the traditional DNS system.

The malware even includes an embedded TON proxy running locally on the infected phone. All communications pass through this proxy, helping traffic blend in with legitimate TON activity. From a defender’s perspective, malicious traffic becomes much harder to distinguish from normal encrypted network usage.

Beyond communication upgrades, TrickMo still performs the classic banking trojan functions that make it so dangerous. Once accessibility permissions are granted, attackers can remotely interact with the device in real time. The malware can display fake banking login pages, capture keystrokes, intercept SMS verification codes, monitor notifications, record screens, and remotely control the phone.

However, the newest variant expands far beyond simple banking fraud. Researchers discovered advanced networking capabilities built directly into the malware. Operators can now perform DNS lookups, ping systems, trace routes, and run HTTP requests directly from the infected device. This effectively turns compromised phones into reconnaissance tools inside corporate or home networks.

What makes this threat especially worrying is its professional evolution. TrickMo is no longer just a banking trojan stealing credentials. It is becoming a flexible cybercrime platform capable of remote surveillance, network pivoting, fraud support, and future feature expansion.

“The largest functional addition in this variant, and the change that justifies framing the family as a managed foothold rather than a banking trojan, is a network-operative subsystem.” states the report. “Five operator commands run network primitives from the device’s vantage point and return the results upstream:

| Command | Description |
| --- | --- |
| curl | Full curl-CLI HTTP probe (any method, headers, body) |
| dnslookup | Platform-resolver DNS lookup for any hostname |
| ping | ICMP echo via the platform’s /system/bin/ping |
| telnet | TCP-connect probe with timeout, multi-port supported |
| traceroute | Route trace via the platform’s /system/bin/traceroute |

Even more concerning is the addition of SSH tunneling and SOCKS5 proxy features. These tools allow attackers to route traffic through the victim’s own internet connection. In practice, this means cybercriminals can make fraudulent activity appear as if it originates directly from the victim’s device and IP address.

“This latest variant also expands the operational role of infected devices through SSH tunnelling and authenticated SOCKS5 proxying, effectively turning compromised phones into programmable network pivots and traffic-exit nodes whose connections originate from the victim’s own network environment.” states ThreatFabric.

This capability significantly increases the value of infected devices for cybercriminal operations.

Researchers also found signs that TrickMo operators are preparing for future capabilities. The malware contains inactive components linked to NFC permissions and a hooking framework called Pine. Although these features are not currently active, they suggest the developers are building a platform ready for future updates, possibly targeting contactless payment systems or deeper application manipulation.

As Android security continues to improve, malware developers are responding with smarter architectures, decentralized communications, and modular attack frameworks. TrickMo’s evolution demonstrates that the future of mobile malware is not necessarily louder or more visible — it is quieter, more persistent, and far more adaptable.

“Overall, Trickmo can be seen as a ‘reborn’ threat: not entirely new, but refined and adapted to remain effective in a more secure and scrutinized mobile environment.” concludes the report.


Pierluigi Paganini

(SecurityAffairs – hacking, malware)

  • ✇Security Affairs
  • Identity security firm SailPoint discloses GitHub repository breach Pierluigi Paganini

Identity security firm SailPoint discloses GitHub repository breach

11 May 2026, 15:05

SailPoint disclosed a GitHub repository breach on April 20. The company contained the incident and said no customer data was affected.

SailPoint is a cybersecurity company that provides identity security and identity governance solutions for enterprises. Its products help organizations manage and control user access to systems, applications, and sensitive data.

SailPoint revealed a cybersecurity incident involving its GitHub repositories that occurred on April 20. The identity management firm said it quickly contained the breach with the help of a third-party cybersecurity firm. The company confirmed the attack did not impact customer data or its production and staging environments.

“On April 20, 2026, we detected unauthorized access to a subset of our GitHub repositories. Our incident response team quickly terminated the unauthorized activity and resolved the issue. The root cause was a vulnerability in a third-party application, which has been remediated.” reads the FORM 8-K filed with the U.S. Securities and Exchange Commission (SEC).

“Based on our investigation, supported by a third-party cybersecurity response firm, we found no evidence that customer data in our production or staging environments were accessed or that our services were interrupted.”

SailPoint did not disclose further details about the security breach or the type of data that may have been compromised.

SailPoint said it directly notified affected customers and currently sees no need for further customer action.


Pierluigi Paganini

(SecurityAffairs – hacking, SailPoint)

  • ✇Security Affairs
  • Google warns artificial intelligence is accelerating cyberattacks and zero-day exploits Pierluigi Paganini

Google warns artificial intelligence is accelerating cyberattacks and zero-day exploits

11 May 2026, 11:06

Google says hackers now use AI to create exploits, automate attacks, evade defenses, and target AI supply chains at scale.

Artificial intelligence is rapidly changing the cyber threat landscape, and a new report from the Google Cloud Threat Intelligence team highlights how attackers already use AI to improve vulnerability exploitation and gain initial access to cloud environments.

The report shows a clear shift in attacker behavior. Attackers now target software flaws and cloud services more than stolen credentials or phishing, making vulnerability exploitation a top entry method.

One of the most important findings concerns the growing role of AI in offensive operations. Attackers no longer use AI only to write phishing emails or automate repetitive tasks. They now experiment with AI systems capable of identifying vulnerabilities, generating exploit code, and accelerating attack chains.

Google researchers warn that the industry is entering a new phase of AI-enabled cybercrime. The report notes that threat actors increasingly integrate AI throughout the attack lifecycle, from reconnaissance to exploitation and malware development.

“AI-enabled malware, such as PROMPTSPY, signal a shift toward autonomous attack orchestration, where models interpret system states to dynamically generate commands and manipulate victim environments.” reads the report published by Google. “Our analysis of this malware reveals previously unreported capabilities and use cases for its integration with AI. This approach allows threat actors to offload operational tasks to AI for scaled and adaptive activity.”

Researchers warn that threat actors no longer use AI only to improve productivity. Cybercriminals and state-backed groups now test AI systems that can adapt during attacks, automate decisions, accelerate operations, and support tasks once handled only by human operators, marking a major shift in modern cyber operations.

The report also describes how attackers exploit newly disclosed vulnerabilities much faster than before. In some cases, criminals start scanning the internet for exposed systems within hours or days after security researchers publish technical details. That acceleration leaves defenders with very little time to patch systems before attackers strike.

Google identified the first known AI-developed zero-day exploit tied to a planned mass attack. Chinese and North Korean actors also show strong interest in using AI to discover vulnerabilities.

“For the first time, GTIG has identified a threat actor using a zero-day exploit that we believe was developed with AI. The criminal threat actor planned to use it in a mass exploitation event but our proactive counter discovery may have prevented its use.” continues the report. “Threat actors associated with the People’s Republic of China (PRC) and the Democratic People’s Republic of Korea (DPRK) have also demonstrated significant interest in capitalizing on AI for vulnerability discovery.”


Google found that attackers increasingly use software flaws to breach cloud environments, targeting APIs, SaaS apps, developer platforms, and AI services.

AI plays an important role in this acceleration. Large language models (LLMs) help attackers analyze technical documentation, understand proof-of-concept exploits, and generate malicious scripts faster than traditional methods allowed. Researchers increasingly fear that AI could reduce the technical barrier required to launch sophisticated attacks.

The report highlighted another critical issue: attackers increasingly target the broader AI ecosystem rather than AI models alone. Exposed API keys, insecure integrations, excessive permissions, and vulnerable third-party tools create new attack surfaces.

Recent investigations revealed cases where exposed Google Cloud API keys unintentionally granted access to Gemini AI services after configuration changes. Security researchers found thousands of publicly exposed keys that attackers could abuse to access sensitive AI endpoints or generate massive cloud costs.

Google also expanded its detection capabilities to monitor AI-related threats inside cloud environments. The company now tracks suspicious activity involving AI services, including abnormal service account usage, unusual AI API calls, malicious binaries, reverse shells, and data exfiltration attempts targeting AI workloads.

“Adversaries like “TeamPCP” (aka UNC6780) have begun targeting AI environments and software dependencies as an initial access vector. These supply chain attacks result in multiple types of machine learning (ML)-focused risks outlined in the Secure AI Framework (SAIF) taxonomy, namely Insecure Integrated Component (IIC) and Rogue Actions (RA).” continues the report. “Our analysis of forensic data associated with these attacks reveals threat actors attempting to pivot from compromised AI software to broader network environments for initial access and to engage in disruptive activities, such as ransomware deployment and extortion.”

The report states that software-based entry has become one of the dominant intrusion methods in cloud attacks. This trend reflects the increasing difficulty of stealing credentials from organizations that adopted MFA and stronger identity protections. Attackers instead focus on unpatched software, insecure APIs, and third-party integrations.

Another major concern involves autonomous AI-assisted attacks. Researchers and security companies already documented early cases where AI systems conducted reconnaissance, vulnerability scanning, and exploitation with limited human supervision. Anthropic recently disclosed an incident involving an AI-orchestrated cyberattack allegedly linked to a state-sponsored Chinese group. According to the company, the attackers used AI tools for reconnaissance, credential theft, and data exfiltration.

Although fully autonomous cyberattacks remain limited, Google researchers believe the trend will continue. AI systems increasingly support attackers by shortening operational timelines and improving scalability.

The report also examined how threat actors interact with generative AI systems. Google found that many attackers attempt to bypass AI safety protections using jailbreak prompts and prompt engineering techniques. However, most attempts remain unsophisticated and rely on publicly available methods rather than advanced AI manipulation.

Importantly, the report stressed that AI does not replace traditional attack techniques. Many successful breaches still originate from common security failures such as misconfigurations, exposed services, weak access controls, and poor patch management. A separate report from Wiz found that basic security mistakes still contribute to most cloud breaches.

The researchers also emphasized that defenders can use AI to strengthen security operations. AI tools already help analysts process telemetry, prioritize alerts, identify suspicious patterns, and accelerate incident response. However, the same technologies remain available to attackers.

One of the clearest warnings from the report appears in the statement that the cloud threat landscape is rapidly shifting. That shift no longer concerns only malware or phishing. It involves the convergence of AI, cloud infrastructure, automation, and software exploitation into a faster and more scalable attack model.

The overall message from Google’s analysis is clear: organizations can no longer treat AI security as a future problem. Attackers already use AI to improve operations, accelerate exploitation, and target cloud ecosystems. Companies must strengthen vulnerability management, secure APIs and AI integrations, monitor third-party relationships, and reduce exposure windows before attackers exploit them.


Pierluigi Paganini

(SecurityAffairs – hacking, Artificial intelligence)

Before yesterday — Cybersecurity News
  • ✇Security Affairs
  • Crimenetwork returns after takedown, dismantled again by German authorities Pierluigi Paganini

Crimenetwork returns after takedown, dismantled again by German authorities

11 May 2026, 08:25

German police shut down a revived Crimenetwork marketplace with 22,000 users and 100+ sellers months after the original takedown.

German police dismantled a resurrected version of the German-language cybercrime marketplace Crimenetwork, just months after the original platform was taken down. The second iteration of the site had already attracted more than 22,000 users and over 100 sellers, showing how quickly underground markets can recover when operators are able to rebuild their infrastructure.

“Before being shut down by law enforcement at the end of 2024, “Crimenetwork” was for many years one of the central marketplaces of the German-speaking underground economy. The relaunch of the platform offered a similarly wide range of illegal goods and services, including stolen data, drugs, and forged documents. The relaunch most recently boasted over 22,000 users and more than 100 vendors.” reads the announcement by BKA. “Users of the new platform used cryptocurrencies such as Bitcoin, Litecoin, and Monero to conduct their transactions. During the operation, law enforcement secured extensive evidence suggesting the platform generated revenue exceeding €3.6 million.”

According to German authorities, the marketplace was being used to trade a broad range of illegal goods and services, including stolen personal data, drugs, forged documents, and other criminal offerings. Payments were made through cryptocurrencies such as Bitcoin, Litecoin, and Monero, making it easier for users to hide financial trails and move funds across borders. Investigators believe the platform generated more than €3.6 million in revenue before it was shut down.

Crimenetwork had originally been dismantled in December 2024. Since 2012, Crimenetwork facilitated the sale of illegal goods and services, including drugs, forged documents, hacking tools, and stolen data. The platform served as a hub for cybercriminals to trade and coordinate illegal operations.

At the time, police described it as the largest German-speaking criminal marketplace. Investigators estimated that more than $100 million in cryptocurrency had passed through the platform between 2018 and 2024, underlining the scale of the business and the level of trust it had built within the criminal underground.

In late 2024, police arrested a 29-year-old alleged admin of the marketplace, seized €1M in assets, and charged him with enabling sales of drugs, stolen data, and illegal services. He is not in custody.

The Public Prosecutor’s Office in Frankfurt am Main, the Central Office for Combating Cybercrime (ZIT), and the Federal Criminal Police Office (BKA) carried out the operation.

What makes the latest takedown important is not only the shutdown itself, but also the arrest linked to the operation. Police said a 35-year-old German citizen suspected of being the administrator was detained in Mallorca by Spanish authorities. That arrest is significant because it suggests investigators were able to move beyond the platform’s technical infrastructure and identify a person directly involved in running it.

In addition to the arrest, law enforcement seized around €194,000 in assets connected to the marketplace. Authorities also obtained extensive user and transaction records, which are now being analyzed to better understand the criminal network behind the site and possibly identify vendors, buyers, and support actors who remained active on the platform.

The Crimenetwork case is a good reminder that online crime markets are often resilient. When one site is taken down, a successor may appear soon after on new servers, with a new interface and the same criminal audience. That happened here: the original platform was removed, but a new version emerged days later and quickly regained users and sellers.

Still, the case also shows that repeated law-enforcement pressure can make these markets harder to sustain. A marketplace is not just software. It depends on administrators, payment handling, trust systems, and a stable community of vendors and buyers. Once police start seizing data, freezing assets, and arresting people behind the scenes, rebuilding becomes much harder.

German police have been increasingly active against this type of infrastructure. The Crimenetwork operation fits into a broader pattern of investigations targeting cybercrime forums, darknet shops, and other illicit marketplaces that serve as distribution hubs for stolen data and fraud tools. These actions matter because marketplaces like this do not just sell illegal products; they help professionalize cybercrime by giving offenders a place to meet, trade, and scale their operations.

Other successful German police actions against online crime marketplaces show the same approach: follow the money, collect transaction data, identify the administrators, and work with foreign partners when suspects or servers are abroad. That combination has repeatedly led to arrests and seizures that weaken the ecosystem behind the platforms.

In April 2022, German authorities shut down Hydra, one of the world’s largest dark web marketplaces. The seizure of the Hydra Market was the result of an international investigation conducted by the Central Office for Combating Cybercrime (ZIT) in partnership with U.S. law enforcement authorities since August 2021.

Hydra was a top Russian darknet market, popular among Russian-speaking users, that had been active since 2015.

According to the authorities, its sales amounted to at least 1.23 billion euros in 2020 alone. The German police seized approximately EUR 23 million worth of Bitcoin. The German authorities reported that around 17 million customers and over 19,000 seller accounts were registered on the Hydra Market.

The key lesson from Crimenetwork is clear. Shutting down a site is important, but the real disruption comes when investigators also remove the people, funds, and data that keep it alive. Without that pressure, a marketplace can return almost immediately. With it, the cost of rebuilding rises sharply.

For law enforcement, that makes marketplace disruption less of a one-time operation and more of a long campaign. For the criminal underground, it is a warning that even a revived platform may not stay online for long.


Pierluigi Paganini

(SecurityAffairs – hacking, cybercrime)

  • ✇Security Affairs
  • U.S. CISA adds a flaw in BerriAI LiteLLM to its Known Exploited Vulnerabilities catalog Pierluigi Paganini

U.S. CISA adds a flaw in BerriAI LiteLLM to its Known Exploited Vulnerabilities catalog

11 May 2026, 06:14

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a flaw in BerriAI LiteLLM to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a flaw in BerriAI LiteLLM, tracked as CVE-2026-42208 (CVSS score of 9.3), to its Known Exploited Vulnerabilities (KEV) catalog.

At the end of April, attackers rapidly exploited the critical vulnerability in the LiteLLM Python package just days after it became public. The vulnerability, an SQL injection in the proxy API key verification process, lets attackers access and potentially modify database data.

Instead of safely passing the key as a separate parameter, the key check inserts the user-supplied value directly into the text of a database query. This unsafe practice opens the door to SQL injection.

An attacker doesn’t need valid credentials. By sending a specially crafted Authorization header to an API endpoint (such as /chat/completions), they can manipulate the query executed by the database. Because the request flows through an error-handling path, the malicious input still reaches the vulnerable query.

“A database query used during proxy API key checks mixed the caller-supplied key value into the query text instead of passing it as a separate parameter. An unauthenticated attacker could send a specially crafted Authorization header to any LLM API route (for example POST /chat/completions) and reach this query through the proxy’s error-handling path.” reads BerriAI’s advisory. “An attacker could read data from the proxy’s database and may be able to modify it, leading to unauthorised access to the proxy and the credentials it manages.”
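The flaw class described above, shown as an added example that is not LiteLLM's code: a key lookup that builds its query text from the Authorization header value, next to the parameterized form. The table, key values and function names are constructed for illustration, and SQLite stands in for the proxy's database.

```python
import sqlite3


def make_db():
    """Constructed stand-in for a proxy's key table (not LiteLLM's real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE api_keys (token TEXT PRIMARY KEY, owner TEXT)")
    conn.executemany(
        "INSERT INTO api_keys (token, owner) VALUES (?, ?)",
        [("sk-constructed-alice", "alice"), ("sk-constructed-bob", "bob")],
    )
    return conn


def bearer_value(authorization_header):
    """Return the caller-supplied part of 'Bearer <value>', or None."""
    scheme, _, value = authorization_header.partition(" ")
    if scheme.lower() != "bearer" or not value:
        return None
    return value


def lookup_unsafe(conn, token):
    """Flawed pattern: the header value is pasted into the SQL text itself."""
    query = f"SELECT owner FROM api_keys WHERE token = '{token}' ORDER BY owner"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn, token):
    """Hardened pattern: the value is bound as a parameter, never parsed as SQL."""
    query = "SELECT owner FROM api_keys WHERE token = ? ORDER BY owner"
    return [row[0] for row in conn.execute(query, (token,))]


def check(authorization_header):
    """Run both lookups on a fresh database and report what each one matched."""
    token = bearer_value(authorization_header)
    if token is None:
        return {"unsafe": "rejected", "safe": "rejected"}
    result = {}
    for name, lookup in (("unsafe", lookup_unsafe), ("safe", lookup_safe)):
        conn = make_db()
        try:
            result[name] = lookup(conn, token)
        except sqlite3.Error:
            # A SQL syntax error caused by an auth header is worth alerting on.
            result[name] = "sql-error"
        finally:
            conn.close()
    return result


# Constructed header values for the demonstration.
SAMPLES = [
    "Bearer sk-constructed-alice",  # a valid key
    "Bearer sk-unknown",            # an unknown key
    "Bearer x' OR '1'='1",          # value that contains SQL syntax
    "Bearer o'brien",               # stray quote with no attack intent
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", check(header))
```

With the concatenated query, the third sample matches every row without presenting a valid key and the fourth breaks the statement; the parameterized query treats both as ordinary non-matching strings.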

Researchers observed real-world attacks targeting sensitive information stored in database tables, highlighting how quickly disclosed flaws can turn into active threats.

The flaw affects LiteLLM versions 1.81.16 to 1.83.6 and was fixed in 1.83.7 on April 19, 2026. The Sysdig Threat Research Team reported that attackers began exploiting it about 36 hours after disclosure.

“The Sysdig Threat Research Team (TRT) observed the first exploitation attempt 36 hours and seven minutes after the advisory was published to the global database.” reads the report published by Sysdig. “The traffic the Sysdig TRT captured was not a generic SQLmap spray, which is very common in SQL injection attacks, but a deliberate, and likely customized, enumeration of the production LiteLLM schema, targeting the three tables that hold the highest-value secrets: virtual API keys, stored provider credentials, and the proxy’s environment-variable configuration.”

The attacker showed strong knowledge of LiteLLM’s database structure and quickly mapped table schemas, but researchers saw no signs of data theft or further compromise.

“We did not see follow-through, however. There were no authenticated calls using exfiltrated keys, no virtual-key minting via /key/generate, and no chained reuse of provider credentials.” continues the report. “The novelty of this finding is the speed and precision of the schema-enumeration attempt, not a confirmed compromise.”

Sysdig published indicators of compromise for attacks exploiting this vulnerability.

Users who cannot upgrade their installations are advised to set disable_error_logs: true in general settings to block the attack path and reduce exposure.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix the vulnerability by May 11, 2026.

Pierluigi Paganini


(SecurityAffairs – hacking, US CISA Known Exploited Vulnerabilities catalog)

  • ✇Security Affairs
  • Instagram removed end-to-end encryption for DMs. What should users do? Pierluigi Paganini

Instagram removed end-to-end encryption for DMs. What should users do?

11 May 2026, 04:04

Instagram removes end-to-end encryption for direct messages (DMs) on May 8, 2026, letting Meta access chats. Users should download backups amid privacy concerns and pressure from U.S. law.

Starting May 8, 2026, Instagram users who previously enabled end-to-end encryption in direct messages will lose that protection, marking a significant shift in how private conversations are handled on the platform.

“End-to-end encrypted messaging on Instagram is no longer supported as of 8 May 2026.” reads the announcement.

  • If you have chats that are affected by this change, you will see instructions on how you can download any media or messages that you may want to keep.
  • If you’re on an older version of Instagram, you may also need to update the app before you can download your affected chats.

For Meta’s other end-to-end encrypted chat options, take a look at WhatsApp

The change gives Meta the technical ability to access message content that was previously readable only by senders and recipients.

Users who previously used encrypted chats are being prompted to download their message history before the feature disappears, with in-app guidance provided.

However, once downloaded, those backups lose protection if uploaded to cloud services such as Google Drive or iCloud, since they would then exist in unencrypted form.

End-to-end encryption (E2EE) ensures only the sender and recipient can read messages or data. Even the service provider hosting the communication cannot access the content because it is encrypted on the sender’s device and only decrypted on the recipient’s device.

Instagram introduced optional encrypted messaging in 2023.

Meta has justified the decision by pointing to low usage and the complexity of maintaining separate messaging systems.

“In a statement to The Verge, Meta spokesperson Dina El-Kassaby Luce says the platform is discontinuing the feature because “very few people” were using E2EE in their DMs.” reported The Verge.

Experts are unsure what will happen to old encrypted Instagram chats after the change. They may become regular chats or become inaccessible, so users are advised to export and store backups locally instead of in the cloud.

The timing of the change has drawn attention because it comes just days before the final compliance phase of the U.S. Take It Down Act, a law signed in 2025 requiring platforms to remove non-consensual intimate images, including AI-generated deepfakes, within 48 hours of notification.

“Platforms cannot remove harmful content they cannot see. The Take It Down Act, signed by President Donald Trump in May 2025, requires companies to remove non-consensual deepfake images within 48 hours of a victim’s report. Enforcing that law requires platforms to have access to content. End-to-end encryption makes that access impossible.” reported Fox32 Chicago. “By removing the feature, Instagram positions itself to comply ahead of the May 19 deadline.”

The law requires companies to build enforcement systems by May 19, 2026. While Meta has not explicitly linked the two developments, analysts note that removing encryption makes it easier for platforms to detect and moderate harmful content at scale.

For Instagram users affected by the change, the immediate recommendation is simple: download any encrypted chat history before May 8. After that date, the option may disappear entirely.

Security experts also emphasize avoiding cloud backups for exported messages if privacy is the goal. Local storage is considered safer, though still dependent on device security.

More broadly, the shift highlights a recurring tension in large social platforms: balancing regulatory compliance, safety moderation, and user privacy. As governments push for faster removal of harmful content online, encryption continues to be a central point of conflict.

Pierluigi Paganini

(SecurityAffairs – hacking, Instagram)

  • ✇Security Affairs

New cPanel vulnerabilities could allow file access and remote code execution

May 10, 2026, 12:59

cPanel fixed three flaws that could allow file reads, code execution, and privilege escalation. No active exploitation has been reported yet.

cPanel has released security updates to fix three vulnerabilities affecting cPanel & WHM that could allow attackers to read files, execute code, or escalate privileges on vulnerable systems.

Below are the descriptions for these flaws:

  • CVE-2026-29201 (CVSS score of 4.3): an input validation issue in the feature::LOADFEATUREFILE adminbin call that could let attackers read arbitrary files on the server.
  • CVE-2026-29202 (CVSS score of 8.8): a critical flaw in the create_user API caused by improper validation of the plugin parameter. An authenticated attacker could exploit it to execute arbitrary Perl code with the privileges of the affected account.
  • CVE-2026-29203 (CVSS score of 8.8): an unsafe symlink handling vulnerability that could allow a user to change permissions on arbitrary files using chmod, potentially leading to denial-of-service conditions or privilege escalation.

The issues have been patched across multiple supported cPanel & WHM releases, including versions 11.136.0.9, 11.134.0.25, 11.132.0.31, and newer builds. Updates were also released for WP Squared and legacy CentOS 6 / CloudLinux 6 systems.

Although there is currently no evidence of active exploitation, the disclosure comes shortly after threat actors weaponized another critical cPanel flaw, tracked as CVE-2026-41940, as a zero-day to deploy Mirai botnet variants.

Users should install the latest available versions as soon as possible.

Recently the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a flaw in Microsoft Defender, tracked as CVE-2026-41940 (CVSS score of 9.3), to its Known Exploited Vulnerabilities (KEV) catalog.

Cybersecurity experts at watchTowr first disclosed the flaw earlier this week and released a tool to help defenders identify vulnerable hosts in their estates.

“As we stated above, in-the-wild exploitation has already begun, according to KnownHost.” reads the advisory by watchTowr. “Therefore, we’re releasing our Detection Artifact Generator to enable defenders to identify vulnerable hosts in their estates.”

CVE-2026-41940 is an authentication bypass flaw affecting cPanel and WHM versions after 11.40. A weakness in the login flow allows remote attackers to skip or manipulate authentication checks, granting access to the control panel without valid credentials. This could let attackers manage hosting settings, access sensitive data, or take control of the server.

According to the Shadowserver Foundation, thousands of instances may be exposed.

cPanel and watchTowr released tools to detect compromise and vulnerable hosts. Exploits date back to February. Namecheap warned customers of temporary access limits to mitigate risk.

Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2026-29201, CVE-2026-29202, CVE-2026-29203)

  • ✇Security Affairs

Official JDownloader site served malware to Windows and Linux users between May 6 and May 7

May 10, 2026, 09:33

The JDownloader website was hacked to distribute malicious Windows and Linux installers carrying a Python RAT between May 6–7, 2026.

The official JDownloader website was compromised in a supply chain attack that replaced legitimate Windows and Linux installers with malicious files between May 6 and May 7, 2026. JDownloader is a free, open-source download management application designed to simplify and automate file downloads from websites, file-hosting services, and video platforms.

Attackers modified download links on the site to serve users malware instead of the real software. Researchers found the Windows installer deployed a Python-based remote access trojan (RAT), giving attackers remote control over infected systems.

The attack targeted users downloading the Windows “Alternative Installer” and the Linux shell installer. JDownloader is a popular download manager used by millions on Windows, Linux, and macOS, making the incident particularly concerning.

The Reddit user PrinceOfNightSky first spotted the JDownloader compromise after Microsoft Defender flagged the downloaded installers as malicious. The user noticed suspicious developer names like “Zipline LLC” and “The Water Team” instead of the legitimate publisher, AppWork GmbH.

“I been using Jdownloader and switched to a new PC a few weeks ago. Luckily I had the installer in a usb drive but decided to download the latest version. The website is official but all the Exes for windows are being reported as malicious software by windows and the developer is being listed as “Zipline LLC.”” wrote PrinceOfNightSky. “And other times it’s saying “The Water Team” The software is obviously by Appwork and I have to manually unblock it from windows to run it which I will not do. I ended up plugging in my flash drive and the setup file on that flash drive has the Jdownloader logo along with AppWork being listed as the developer…”

JDownloader developers quickly confirmed the breach and temporarily shut down the website to investigate.

“I can confirm that the site has been compromised, have taken it down for further investigation.” JDownloader developers replied to PrinceOfNightSky. “The attack has modified alternative download page and exchanged links&details. The bad ones are missing digital signature and as such smartscreen will block/warn the execution of it. The correct ones are okay and having proper digital signature in place.”

Attackers exploited an unpatched vulnerability in the site’s content management system, letting them modify download pages and replace legitimate installer links with malicious files. However, the attackers never gained full server or operating system access.

The incident only affected the Windows “Alternative Installer” links and the Linux shell installer. In-app updates, macOS downloads, Flatpak, Winget, Snap packages, and the main JAR package remained safe.

The developers advised users to verify installers through the “Digital Signatures” tab in file properties. Legitimate installers carry the signature “AppWork GmbH,” while unsigned files or files signed by different publishers should not be trusted.

“In early May 2026, attackers succeeded in altering the official JDownloader website so that certain installer links published here were repointed from the genuine JDownloader installer downloads to unrelated malicious third-party files: on Windows, only the installer download links for “Download Alternative Installer” — not the other installers offered on jdownloader.org — and the Linux shell installer link from the site.” reads the notice on the incident. “Our genuine installer packages were not modified — only the targets of the download links published here pointed to the wrong files. Installer binaries continue to be hosted externally as usual. Once confirmed, those malicious link targets were removed, links were corrected back to the legitimate external hosts, and the security issue was fixed. The website stayed fully offline while analysis, remediation, and further verification were completed. In the night of 8th–9th May 2026 (UTC), after those checks, it was brought back online and normal public service resumed with verified clean installer links.”

According to the notice, attackers only modified content and download links through JDownloader’s CMS and never gained access to the underlying servers or operating system. The developers confirmed that jdownloader.org has now been secured and restored.

ANY.RUN analysis shows the malware execution chain, including an 8-minute delay before the malicious payload activates.

Below are the indicators of compromise (IOCs) for the attack:

  • Initial delivered installer -> 5a6636ce490789d7f26aaa86e50bd65c7330f8e6a7c32418740c1d009fb12ef3
  • Stage 2 payload -> 77a60b5c443f011dc67ace877f5b2ad7773501f3d82481db7f4a5238cf895f80
  • PyArmor encrypted blob: 5fdbee7aa7ba6a5026855a35a9fe075967341017d3cb932e736a12dd00ed590a
  • hxxps://parkspringshotel[.]com/m/Lu6aeloo.php (most likely another compromised URL)
  • hxxpx://auraguest[.]lk/m/douV2quu.php (most likely another compromised URL)

Pierluigi Paganini

(SecurityAffairs – hacking, supply chain attack)

  • ✇Security Affairs

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 96

May 10, 2026, 08:49

The Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape.

Malware Newsletter

CloudZ RAT potentially steals OTP messages using Pheno plugin  

Backdoored PyTorch Lightning package drops credential stealer

A rigged game: ScarCruft compromises gaming platform in a supply-chain attack

Muddying the Tracks: The State-Sponsored Shadow Behind Chaos Ransomware  

Attackers adopt JavaScript runtime Bun to spread NWHStealer 

xlabs_v1 DDoS-for-Hire IoT Botnet Exposed:  One Operator Error. An Entire Operation Revealed   

Darktrace Malware Analysis: Jenkins Honeypot Reveals Emerging Botnet Targeting Online Games  

Quasar Linux (QLNX) – A Silent Foothold in the Supply Chain: Inside a Full-Featured Linux RAT With Rootkit, PAM Backdoor, Credential Harvesting Capabilities  

PCPJack | Cloud Worm Evicts TeamPCP and Steals Credentials at Scale 

TCLBANKER: Brazilian Banking Trojan Spreading via WhatsApp and Outlook  

Fake call logs, real payments: How CallPhantom tricks Android users

PamDOORa: Analyzing a New Linux PAM-Based Backdoor for Sale on the Dark Web

LCC-LLM: Leveraging Code-Centric Large Language Models for Malware Attribution

Trident: Improving Malware Detection with LLMs and Behavioral Features

Evolving IoT Botnet Threats and Practical Honeypot Observation: A Summary Review and Experimental Study

Beyond Pattern Matching: A Cognitive-Driven Framework for DGA Detection via Dual-Perspective Anomaly Perception

Pierluigi Paganini

(SecurityAffairs – hacking, newsletter)

  • ✇Security Affairs

Security Affairs newsletter Round 576 by Pierluigi Paganini – INTERNATIONAL EDITION

May 10, 2026, 05:20

A new round of the weekly Security Affairs newsletter has arrived! Every week, the best security articles from Security Affairs are free in your email box.

Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press.

Quasar Linux RAT (QLNX): A Fileless Linux Implant Built for Stealth and Persistence
Braintrust security incident raises concerns over AI supply chain risks
RansomHouse says it breached Trellix and exposes internal systems
Cyberattacks on Poland’s Water Plants: A Blueprint for Hybrid Warfare
Zara Data Breach: 197,000 Customers Exposed in Third-Party Security Incident
Dirty Frag: A new Linux privilege escalation vulnerability is already in the wild
AI, Cyberwarfare, and Autonomous Weapons: Inside America’s New Military Strategy
Nation-state actors exploit Palo Alto PAN-OS zero-day for weeks
U.S. CISA adds a flaw in Ivanti Endpoint Manager Mobile (EPMM) to its Known Exploited Vulnerabilities catalog
Cisco patches high-severity flaws enabling SSRF, code execution attacks
From Android TVs to routers: the xlabs_v1 Mirai-based botnet built for DDoS attacks
U.S. CISA adds a flaw in Palo Alto Networks PAN-OS to its Known Exploited Vulnerabilities catalog
Taiwan High-Speed Rail Emergency Braking Hack: How a Student Stopped the Trains and Exposed a Major Security Gap
After 17 years, Gavril Sandu extradited to U.S. for hacking scheme
Iranian cyber espionage disguised as a Chaos Ransomware attack
Apache fixes critical HTTP/2 double-free flaw CVE-2026-23918 enabling RCE
Palo Alto Networks PAN-OS flaw exploited for remote code execution
Malicious PyTorch Lightning update hits AI supply chain security
U.S. court sentences Karakurt ransomware negotiator to 8.5 years
Vimeo confirms breach via third-party vendor impacts 119K users
Critical Android vulnerability CVE-2026-0073 fixed by Google
Microsoft warns of global campaign stealing auth tokens from 35K users
Educational tech firm Instructure data breach may have impacted 9,000 schools
MOVEit automation flaws could enable full system compromise
Hackers target governments and MSPs via critical cPanel flaw CVE-2026-41940
U.S. CISA adds a flaw in Linux Kernel to its Known Exploited Vulnerabilities catalog
AI speeds flaw discovery, forcing rapid updates, UK NCSC warns
Bluekit phishing kit enables automated phishing with 40+ templates and AI tools
Salt Typhoon breach IBM subsidiary in Italy: a warning for Europe’s digital defenses
U.S. CISA adds a flaw in WebPros cPanel to its Known Exploited Vulnerabilities catalog
Google Revamps Bug Bounty Programs: Android Rewards Rise, Chrome Payouts Drop in the Age of AI

International Press – Newsletter

Cybercrime

Coordinated Takedown of Scam Centers Leads to at Least 276 Arrests; Alleged Managers and Recruiters Charged in San Diego  

Vimeo data breach exposes personal information of 119,000 people

Member of Prolific Russian Ransomware Group Sentenced to Prison  

Romanian National Appears in Federal Court Following Extradition from Romania on Bank Fraud Charges Stemming From “Vishing” Scheme  

AI Firm Braintrust Prompts API Key Rotation After Data Breach

Malware

CloudZ RAT potentially steals OTP messages using Pheno plugin  

xlabs_v1 DDoS-for-Hire IoT Botnet Exposed:  One Operator Error. An Entire Operation Revealed   

Darktrace Malware Analysis: Jenkins Honeypot Reveals Emerging Botnet Targeting Online Games  

TCLBANKER: Brazilian Banking Trojan Spreading via WhatsApp and Outlook  

Fake call logs, real payments: How CallPhantom tricks Android users

Hacking

The Internet Is Falling Down, Falling Down, Falling Down (cPanel & WHM Authentication Bypass CVE-2026-41940)  

Meet Bluekit: The AI-Powered All-in-One Phishing Kit  

South-East Asian Military Entities Targeted via cPanel (CVE-2026-41940)

Information about the Copy Fail vulnerability, which allows attackers to gain root access on virtually any modern Linux distribution    

The TSIG That Wasn’t: Finding an Authentication Bypass Across CoreDNS Transports  

Student Arrested in Taiwan for using SDR and Handheld Radios to Halt Four High Speed Trains with TETRA Hack  

TrustFall: coding agent security flaw enables one-click RCE in Claude, Cursor, Gemini CLI and GitHub Copilot  

Ivanti EPMM CVE-2026-6973 RCE Under Active Exploitation Grants Admin-Level Access

Dirty Frag: Universal Linux LPE 

ClaudeBleed: A Flaw In Claude’s Browser Extension Allows Any Extension to Hijack It 

Load-Bearing Assumptions — the rxrpc case (CVE-2026-43500) and the constraint that was never there  

Intelligence and Information Warfare

Army turns to ‘hackathons’ to better connect dozens of weapons, systems 

A rigged game: ScarCruft compromises gaming platform in a supply-chain attack  

Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution  

Polish Security Agency Reports ICS Breaches at Five Water Treatment Plants  

Welcome to the GRU University, Where Moscow Turns Students into Spies and Hackers  

Cybersecurity

Preparing for a ‘vulnerability patch wave’      

Email threat landscape: Q1 2026 trends and insights  

Breaking the code: Multi-stage ‘code of conduct’ phishing campaign leads to AiTM token compromise  

India orders infosec red alert in case Mythos sparks crime spree

Critical Apache HTTP/2 Flaw (CVE-2026-23918) Enables DoS and Potential RCE

Muddying the Tracks: The State-Sponsored Shadow Behind Chaos Ransomware

Google Chrome ‘silently’ downloads 4GB AI model to your device without permission, report claims — researcher says practice may violate EU law, waste thousands of kilowatts of energy  

Pierluigi Paganini

(SecurityAffairs – hacking, newsletter)

  • ✇Security Affairs

Quasar Linux RAT (QLNX): A Fileless Linux Implant Built for Stealth and Persistence

May 9, 2026, 10:11

Researchers uncovered QLNX, a Linux RAT targeting developers to steal credentials, log keystrokes, monitor systems, and enable remote access.

Security researchers discovered a previously undocumented Linux malware called Quasar Linux RAT (QLNX) that targets developers and DevOps environments. The malicious code can steal credentials, log keystrokes, manipulate files, monitor clipboard activity, and create network tunnels for remote access. Experts warn it poses a serious supply chain risk by targeting systems used in software development workflows.

“Quasar Linux RAT (QLNX) is a comprehensive Linux implant that combines remote access capabilities with advanced evasion, persistence, keylogging, and credential harvesting features. The malware carries embedded C source code for both its PAM backdoor and LD_PRELOAD rootkit as string literals within the binary.” reads the report published by Trend Micro. “It dynamically compiles rootkit shared objects and PAM backdoor modules on the target host using gcc, then deploys them via /etc/ld.so.preload for system-wide interception.”

QLNX is a powerful Linux remote access trojan that runs directly from memory to avoid detection, hides its activity using eBPF, wipes logs, and checks whether it is running inside containerized environments. It collects extensive information, including system details, clipboard data, shell history, SSH keys, Firefox profiles, and credentials through a malicious PAM module.

QLNX communicates with attackers through encrypted channels and supports a wide range of commands, including remote shell access, file management, code injection, screenshot capture, keylogging, SOCKS proxies, and network tunneling. The malware also includes several persistence methods, allowing it to survive reboots and maintain long-term access to infected Linux systems.

QLNX is a sophisticated Linux malware designed to operate entirely from memory and avoid leaving traces on disk. After execution, it copies itself into a RAM-backed file using memfd_create, deletes the original binary, and re-launches directly from memory using execveat or /proc/self/fd/<memfd> as a fallback. It uses the _MFD_RE environment variable to prevent infinite re-execution loops.

The malware then profiles the infected system, checking privileges, kernel version, SELinux status, containerization, GCC availability, X11 access, and support for process injection or keylogging. Based on these results, it selectively enables capabilities.

To evade detection, QLNX disguises itself as legitimate kernel threads such as [kworker/0:0] and rewrites process metadata visible in ps, top, and /proc. It also removes forensic environment variables and prevents multiple instances by creating a fake X11 lock file in /tmp.

Once established, QLNX initializes 58 command handlers and connects to its C2 server over a custom TLS-based protocol, HTTPS, or HTTP. It sends a beacon containing system details, privilege level, geolocation, machine fingerprint, hostname, and network data. The malware supports extensive post-compromise functions including shell access, file management, persistence, credential theft, SSH lateral movement, screenshots, keylogging, rootkits, SOCKS proxies, port forwarding, log wiping, PAM credential hooks, eBPF hiding, and in-memory BOF execution.

QLNX supports three communication channels, raw TCP, HTTPS, and HTTP, all carrying the same binary command protocol. TCP and HTTPS are protected with TLS, while HTTP is used in plaintext during analysis or fallback scenarios.

Every session begins with the 4-byte magic value “QLNX” (0x51 4C 4E 58), which identifies and initializes the protocol. In TCP/TLS mode, it is embedded in the initial check-in packet; in HTTPS/HTTP, it is sent as a standalone payload or encoded in requests. After this, the server responds with session state data (e.g., cookies or IDs).

In the default raw TLS mode, QLNX uses a custom length-prefixed binary protocol after disabling certificate validation. A four-step handshake precedes full bidirectional communication, after which a persistent command loop is established.

For HTTP/HTTPS, the malware uses POST requests to send Base64-encoded data and GET requests to poll for commands every five seconds. Session tracking relies on a server-generated hex ID passed via URL and cookies. Before contacting the C2, it queries ip-api.com to obtain geolocation data, which is included in the initial registration packet alongside a machine fingerprint derived from system identifiers.

After registration, the server issues ACK and confirmation packets before enabling command execution. If no commands are available, responses remain empty; otherwise, Base64-encoded payloads are decoded, dispatched via a handler table, executed locally, and results are returned to the C2.

The persistence subsystem includes seven mechanisms such as systemd services, cron jobs, init scripts, XDG autostart entries, and LD_PRELOAD-based injection. Artifacts are tagged with “QLNX_MANAGED” for tracking.

LD_PRELOAD persistence is particularly aggressive: a compiled shared library is injected into all dynamically linked processes, ensuring reinfection on any program execution. Even basic commands like ls or ps can respawn the malware if the preload entry remains.

QLNX also implements two PAM backdoors that compile on the target system, enabling credential harvesting and authentication interception. Logs are stored in hidden files and optionally exfiltrated.

“QLNX incorporates a PAM backdoor with inline hooking, enabling plaintext credential interception during authentication. It uses the hardcoded master password O$$f$QtYJK and XOR-encrypted credential harvesting to /var/log/.ICE-unix.” continues the report.

A userland rootkit hides files, processes, and binaries by hooking libc functions via LD_PRELOAD, while an optional eBPF controller manipulates kernel maps to hide processes, files, and ports at kernel level.

Finally, a credential-stealing module extracts SSH keys, browser data, cloud tokens, developer credentials, system secrets, and clipboard content, enabling full compromise of development and cloud environments.

QLNX includes a peer-to-peer (P2P) mesh feature that links infected hosts together, turning individual implants into a distributed network. This design increases resilience because the malware can maintain communication and coordination even if parts of its command infrastructure are disrupted, making full removal from an environment significantly more difficult.

“The QLNX implant was built for long-term stealth and credential theft. What makes it particularly dangerous is not any single feature, but how its capabilities chain together into a coherent attack workflow: arrive, erase from disk, persist through six redundant mechanisms, hide at both userspace and kernel level, and then harvest the credentials that matter most.” concludes the report. “The combination of the rootkit, the PAM backdoor capable of silently intercepting plaintext passwords, and the P2P mesh network allowing implants to relay through each other all compound the difficulty of detection and eradication.”
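A host triage sketch for the artifacts described above: memfd-backed execution, kernel-thread masquerading, the _MFD_RE variable, entries in /etc/ld.so.preload, and the QLNX_MANAGED tag. This is an added example, not code from the Trend Micro report; the function names, the list of persistence directories and the fixture tree are assumptions, and the sample data is constructed.

```python
import os
import re
import tempfile

MARKER = b"QLNX_MANAGED"      # tag the report says QLNX puts on its persistence artifacts
REEXEC_ENV = b"_MFD_RE="      # re-execution guard variable named in the report
KTHREAD_ARGV0 = re.compile(rb"^\[[^\]]+\]$")   # kernel-thread look-alike, e.g. [kworker/0:0]
# Assumption: standard locations for the persistence types the report lists.
PERSISTENCE_DIRS = ["/etc/systemd/system", "/etc/cron.d", "/etc/init.d", "/etc/xdg/autostart"]


def _read(path, limit=1 << 20):
    """Read up to `limit` bytes; unreadable or missing files count as empty."""
    try:
        with open(path, "rb") as fh:
            return fh.read(limit)
    except OSError:
        return b""


def scan_processes(proc_root="/proc"):
    """Flag processes showing the in-memory execution and masquerading traits."""
    findings = []
    for pid in sorted(int(e) for e in os.listdir(proc_root) if e.isdigit()):
        base = os.path.join(proc_root, str(pid))
        try:
            exe = os.readlink(os.path.join(base, "exe"))
        except OSError:
            exe = None   # genuine kernel threads have no exe link
        argv0 = _read(os.path.join(base, "cmdline")).split(b"\0", 1)[0]
        env = _read(os.path.join(base, "environ")).split(b"\0")
        if exe and exe.startswith("/memfd:"):
            findings.append((pid, "memfd-exe", exe))
        # Real kernel threads have an empty cmdline; a bracketed argv[0] on a
        # process that does have an executable is a userland impostor.
        if exe and KTHREAD_ARGV0.match(argv0):
            findings.append((pid, "fake-kthread", argv0.decode(errors="replace")))
        if any(v.startswith(REEXEC_ENV) for v in env):
            findings.append((pid, "reexec-env", "_MFD_RE"))
    return findings


def scan_preload(path="/etc/ld.so.preload"):
    """Return every library listed in ld.so.preload; most hosts list none."""
    libs = []
    for line in _read(path).decode(errors="replace").splitlines():
        libs.extend(t for t in re.split(r"[\s:]+", line.split("#", 1)[0]) if t)
    return libs


def scan_persistence(dirs=PERSISTENCE_DIRS):
    """Return files under `dirs` that carry the QLNX_MANAGED tag."""
    hits = []
    for top in dirs:
        for root, _subdirs, files in os.walk(top):
            for name in files:
                path = os.path.join(root, name)
                if os.path.isfile(path) and MARKER in _read(path):
                    hits.append(path)
    return sorted(hits)


def build_constructed_fixture(root):
    """Write a small constructed tree (not real telemetry) to exercise the checks."""
    def put(rel, data):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    put("proc/2/cmdline", b"")                     # real kernel thread: no exe, empty cmdline
    put("proc/740/cmdline", b"sshd\0-D\0")         # ordinary daemon
    os.symlink("/usr/sbin/sshd", os.path.join(root, "proc/740/exe"))
    put("proc/4242/cmdline", b"[kworker/0:0]\0")   # impostor running from a memfd
    put("proc/4242/environ", b"PATH=/usr/bin\0_MFD_RE=1\0")
    os.symlink("/memfd:x (deleted)", os.path.join(root, "proc/4242/exe"))
    put("etc/ld.so.preload", b"# constructed entry\n/usr/lib/libconstructed.so\n")
    put("etc/systemd/system/demo.service", b"# QLNX_MANAGED\n[Service]\nExecStart=/bin/true\n")
    put("etc/systemd/system/clean.service", b"[Service]\nExecStart=/bin/true\n")


def run_demo():
    """Run all three checks against the constructed fixture and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_constructed_fixture(root)
        etc = os.path.join(root, "etc")
        return {
            "processes": scan_processes(os.path.join(root, "proc")),
            "preload": scan_preload(os.path.join(etc, "ld.so.preload")),
            "persistence": [os.path.relpath(p, root) for p in scan_persistence([etc])],
        }


if __name__ == "__main__":
    # On a live host, run as root so other users' exe links and environ are readable.
    for pid, kind, detail in scan_processes():
        print(pid, kind, detail)
    for lib in scan_preload():
        print("-", "preload", lib)
    for path in scan_persistence():
        print("-", "persistence-tag", path)
```

Because the report describes a userland rootkit that hides files and processes through LD_PRELOAD hooks, clean output from a live host is not conclusive; the same checks are more reliable against a mounted disk image or from a statically linked interpreter.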

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

  • ✇Security Affairs

Braintrust security incident raises concerns over AI supply chain risks

May 9, 2026, 06:38

Braintrust warned customers to rotate API keys after hackers breached an AWS account, exposing secrets tied to cloud-based AI models.

AI observability startup Braintrust warned customers to rotate API keys after attackers gained unauthorized access to one of the company’s AWS accounts, potentially exposing secrets used to connect to cloud-based AI models.

The company said it discovered suspicious activity on May 4 and immediately locked down the affected account, restricted access to related systems, and rotated internal credentials. The firm launched an investigation into the security incident.

“We’ve identified a security incident that involved unauthorized access to one of our AWS accounts. We are actively investigating, and we have engaged incident response experts.” reads the security breach notice published by the company. “We have contained the incident by locking down the compromised account, auditing and restricting access across related systems, rotating internal secrets, and engaging incident response experts to support our investigation. As a precaution, we recommend that all customers rotate any org-level AI provider keys used with Braintrust.”

Braintrust notified customers the following day and shared indicators of compromise and remediation guidance.

Although Braintrust says the impact appears limited, experts warn the breach highlights growing AI supply chain risks, as AI platforms increasingly store valuable API credentials targeted by attackers.

The potential exposure could affect organizations relying on Braintrust to manage AI provider keys across services and applications.

Researchers note that once threat actors obtain valid API keys, they can abuse AI services while appearing as legitimate users, often bypassing traditional security controls.

“To date, we’ve confirmed the issue affected one customer. Three additional customers reported suspicious spikes in AI provider usage, and we’re investigating those alongside them.” continues the notice. “We have not identified broader customer exposure based on our investigation to date, but as a precaution we informed all org admins with stored AI provider secrets in Braintrust. The investigation is ongoing.”

The incident also reflects a broader trend of attackers targeting cloud accounts and SaaS providers to gain indirect access to downstream customers and interconnected AI infrastructure.

The company plans to add new safeguards, including timestamps and user attribution for API key changes, while the investigation into the incident remains ongoing.


Pierluigi Paganini

(SecurityAffairs – hacking, AI)


RansomHouse says it breached Trellix and exposes internal systems

May 8, 2026, 17:34

RansomHouse claimed responsibility for the Trellix breach, adding the security firm to its Tor data leak site and sharing screenshots of internal systems.

The RansomHouse ransomware group has claimed responsibility for the recent cyberattack on cybersecurity firm Trellix. To support its claims, the gang published screenshots allegedly showing access to internal Trellix services.

In early May, the company revealed a breach that allowed unauthorized access to part of its source code repository. The cybersecurity firm said it quickly launched an investigation with forensic experts and notified law enforcement. While the exact data accessed remains unclear, Trellix stated there is no evidence that its source code has been altered or exploited.

“Trellix recently identified unauthorized access to a portion of our source code repository. Upon learning of this matter, we immediately began working with leading forensic experts to resolve it. We have also notified law enforcement.” reads the update published by the security firm. “Based on our investigation to date, we have found no evidence that our source code release or distribution process was affected, or that our source code has been exploited. As part of our commitment to our broader security community, we intend to share further details as appropriate once our investigation is complete.”

The company did not disclose who carried out the attack or how. It is unclear how long the attackers had access to the repository.

Unauthorized access to part of a source code repository can expose sensitive logic, APIs, or credentials. Attackers may study the code to find vulnerabilities, create exploits, or plan targeted attacks. It can also lead to intellectual property theft, reputational damage, and supply chain risks if tampered code is later distributed to customers or partners.

The cybersecurity firm confirmed that part of its source code repository was breached, but said there is currently no evidence that its code release process or products were compromised.

RansomHouse is a cyber extortion group that emerged in late 2021 and quickly gained attention for targeting large organizations worldwide. Unlike traditional ransomware gangs, it initially focused on stealing data and extorting victims rather than encrypting systems.

The group presents itself as a “professional mediator” exposing poor cybersecurity practices, although researchers classify it as a financially motivated criminal operation. RansomHouse has been linked to attacks on healthcare providers, retailers, government agencies, technology firms, and critical infrastructure operators, claiming breaches involving AMD, Shoprite, and European institutions. The gang typically exploits exposed services, weak credentials, phishing, and vulnerable remote access systems.


Pierluigi Paganini

(SecurityAffairs – hacking, data breach)


Cyberattacks on Poland’s Water Plants: A Blueprint for Hybrid Warfare

May 8, 2026, 15:16

Poland’s ABW confirmed that hackers breached ICS at five water plants, gaining the ability to alter equipment settings. Russia-linked APT groups are suspected.

Poland’s Internal Security Agency (ABW) has published a detailed account of a sustained campaign targeting the country’s water plants, documenting security breaches at five water treatment facilities in 2025. The incidents mark one of the clearest documented cases in Europe of state-linked hackers gaining direct access to industrial control systems managing public water supplies.

The affected facilities were located in Jabłonna Lacka, Szczytno, Małdyty, Tolkmicko, and Sierakowo. In several cases, attackers didn’t just observe; they obtained the ability to modify operational parameters of equipment in real time, creating a direct and concrete risk to the continuity of public water services. A breach of this kind isn’t a data theft. It is the digital equivalent of sabotage.

“In some cases, the attackers gained access to industrial control systems and obtained the capability to modify device operating parameters.” reads the report published by ABW. “This created a direct threat to the continuity of water supply processes and the proper functioning of municipal infrastructure.”

The attack vectors ABW identified are as unglamorous as they are alarming: weak password policies and systems left directly exposed to the internet. These are not sophisticated zero-day exploits. They are basic security failures that the OT and ICS security community has been warning about for years.

“The incidents were made possible by inadequate security measures, including weak password policies and the exposure of management interfaces directly to the public internet.” continues the report. “In several cases, systems responsible for operational technology were accessible without sufficient protection mechanisms.”

The attribution points firmly eastward. ABW identified Russian APT groups APT28 and APT29, the same actors linked to election interference across Europe and the SolarWinds supply chain attack, as well as UNC1151, a Belarusian-aligned group previously connected to the Ghostwriter operation targeting NATO countries.

“APT28, APT29 and UNC1151 are among the most active state-linked cyber espionage groups operating against European targets.” concludes the report. “Their activities combine intelligence collection, disruptive cyber operations and coordinated information warfare campaigns.”


Pierluigi Paganini

(SecurityAffairs – hacking, Water Plants)
