This week, the pace of cyber threats has become alarmingly rapid, outpacing many security teams scrambling to address previous alerts.
While some were still grappling with issues from last month, hackers swiftly transformed control panels into functional kill switches, exploited kernels as entry points, and weaponized open-source pipelines for stealthy operations.
The landscape has transitioned from simple breaches to long-term occupation, with attackers embedding themselves in Software as a Service (SaaS) environments, making trusted commits, and escalating their operations like legitimate businesses — but with chaos as their end product. The underground hacking scene is evolving into a more sophisticated, professional environment.
Here’s your comprehensive cybersecurity recap for the week:
⚡ Threat of the Week
Critical Vulnerability in cPanel Under Active Exploitation — An urgent flaw has emerged in cPanel and WebHost Manager (WHM), identified as CVE-2026-41940, and is currently being exploited in the wild. This vulnerability could enable authentication bypass, granting remote attackers increased control over the panel. In some instances, these attacks have resulted in full erasure of websites and backups. Others have deployed versions of the Mirai botnet and a ransomware variant known as Sorry.
🔔 Top News
- Cybercrime Groups Use Vishing for Data Breaches — The Cordial Spider and Snarky Spider groups are executing rapid, high-impact attacks that operate predominantly within SaaS environments and leave minimal footprints. They use voice calls, texts, and emails to direct targets to phishing pages that replicate legitimate single sign-on (SSO) portals, capturing credentials that provide an initial foothold for deeper exploitation. According to CrowdStrike, these attackers use voice phishing to bypass multi-factor authentication (MFA), allowing them to traverse entire SaaS ecosystems while obscuring their activity behind residential proxy networks.
- Exploitation of Copy Fail Linux Vulnerability — The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has included CVE-2026-31431, a vulnerability affecting various Linux distributions, in its Known Exploited Vulnerabilities (KEV) catalog due to evidence of active exploitation. This logic flaw in the Linux kernel’s authentication system allows for trivial privilege escalation through a small Python exploit. Importantly, it operates without leaving traces, complicating recovery efforts, especially in Kubernetes environments.
- Supply Chain Attacks by TeamPCP Continue — TeamPCP’s ongoing supply chain campaign has compromised several packages in the npm, PyPI, and Packagist ecosystems through a technique termed “Mini Shai Hulud.” The group has previously targeted notable open-source tools, abusing legitimate CI/CD pipelines to distribute poisoned software versions while blending into standard development workflows. Security teams are urged to check for affected versions and rotate any credentials those versions could have exposed.
- Introducing DEEP#DOOR: A New Python Backdoor — A recently identified Python-based backdoor framework, known as DEEP#DOOR, offers extensive capabilities for persistent remote command execution and surveillance on Windows devices, enabling malicious activities like credential harvesting and even system crashes.
- Critical GitHub Vulnerability Disclosed — Researchers from Wiz uncovered a severe security flaw on GitHub.com and GitHub Enterprise Server (CVE-2026-3854), which allows authenticated users to achieve remote code execution. Prompt action from Microsoft led to a patch just six days after responsible disclosure. This vulnerability threatens the security of many enterprise codebases.
- VECT 2.0 Ransomware’s Severe Flaw — The VECT 2.0 ransomware has been found to irreversibly destroy files rather than just encrypt them, complicating recovery efforts. This ransomware-as-a-service program has already partnered with various criminal organizations to facilitate its operations.
🔥 Trending CVEs
The rate of bug disclosures is increasing weekly, and the interval between patching and potential exploitation is narrowing swiftly. Here are the urgent vulnerabilities to address:
Ensure you prioritize patches for the following critical issues: CVE-2026-41940 (cPanel and WHM), CVE-2026-31431 (Linux Kernel), CVE-2026-42208 (LiteLLM), CVE-2026-3854 (GitHub.com), and others within various systems and services across the cybersecurity landscape.
🎥 Cybersecurity Webinars
- Identifying Overlooked Attack Paths in Your Apps → Join a free session with Wiz and The Hacker News to learn how to uncover and address vulnerabilities across your software. Practical insights are provided to help prioritize genuine risks.
- Keeping Pace with AI Attacks through Autonomous Validation → Discover effective methods to rapidly identify risks and mitigate them in real time in this webinar from Picus Security.
- Combating AI Threats and Initial Access Tactics → Stay updated on the latest strategies to thwart AI-driven attacks during this free webinar hosted by Zscaler and The Hacker News.
📰 Around the Cyber World
- OpenAI Implements Enhanced Account Security — OpenAI has initiated an Advanced Account Security program to provide robust protections for high-risk users, including tighter sign-in safeguards and improved visibility into account activities.
- Significant Rise in Ransomware Incidents — Fortinet reported a staggering increase in confirmed ransomware victims, from around 1,600 in 2024 to over 7,800 in 2025, attributing this surge to the availability of crime service kits.
- KidsProtect: A New Android Surveillance Tool — A dangerous Android app called KidsProtect is being marketed online, allowing operators to control victims’ devices covertly for activities like recording calls and accessing personal data remotely.
- New KYCShadow Malware Detected — Disguised as a reputable bank verification app, this Android malware targets primarily Indian users and harvests sensitive data through a multi-stage installation process.
- Targeted Phishing Campaigns in Pakistan — Specific government organizations in Punjab have been targeted by sophisticated phishing attempts using fake government infrastructure to deliver malware.
- Increased Usage of Calendly-themed Phishing — Phishing attacks impersonating Calendly have seen a rise, utilizing diversified kits for data theft.
- Exposing GovTrap and FEMITBOT Fraud Campaigns — Various tactics, including SMS phishing and fake domains, are being employed in sophisticated efforts to execute financial fraud.
- Detection of New PowerShell Desktop Stealer — A malicious PowerShell script discovered on Pastebin is capable of extracting sensitive Telegram session data.
- Surge in Phishing via Microsoft Teams — An increase in phishing attempts impersonating IT support personnel has been identified, aiming to deceive users into granting remote access.
- KarstoRAT Malware Emerges — Newly identified KarstoRAT enables extensive data theft and remote monitoring capabilities, utilizing popular gaming platforms as lures.
- Data Exposure from ClickUp — ClickUp disclosed an incident where 893 customer emails were exposed due to improper client-side configuration.
- Arrest of Alleged Scattered Spider Member — A 19-year-old was taken into custody for his association with the notorious Scattered Spider hacking group.
- New Attacks Linked to Versatile Werewolf — This threat actor has targeted Russian organizations through phishing tactics aimed at confidential data collection.
- Cisco Launches Model Provenance Kit — In response to concerns surrounding third-party AI models, Cisco has introduced an open-source tool designed to trace the origin and integrity of machine learning models.
- Malware Delivery via Hugging Face and ClawHub — Instances of threat actors using credible AI platforms for malware distribution have been reported, highlighting vulnerabilities within these ecosystems.
- Cracking a Cryptocurrency Fraud Ring — European authorities dismantled a fraud operation that resulted in significant financial losses worldwide.
- Flaws in EnOcean’s SmartServer — Two security vulnerabilities found in the SmartServer IoT platform allow potential arbitrary command execution and data leaks.
- Android Credential Manager Update by Google — The latest update streamlines email verification processes for users, enhancing overall security measures.
- Massive Secrets Leak Amid Development Environments — Truffle Security reported almost 8,800 sensitive secrets leaked online across various cloud development platforms.
- Connection Between Xygeni Compromise and Proxy Botnet — Investigations reveal ties between a supply chain compromise and a botnet of hacked routers linked to malicious activities.
- Brazilian Company Under Scrutiny for DDoS Activity — A Brazilian firm specializing in DDoS protection has come under fire for allegedly enabling significant attacks on local ISPs.
- Canonical Faces Sustained DDoS Attacks — After a pro-Iranian group claimed responsibility for attacks against Canonical, the company’s web services were temporarily disrupted.
- Introduction of Bluekit Phishing Kit — A new phishing toolkit, Bluekit, features various templates and AI tools to facilitate launching targeted fraud campaigns.
- North Korea Denies U.S. Cyber Threat Claims — The North Korean government has rejected allegations of cyber threats, labeling them as unfounded and politically motivated.
🔧 Cybersecurity Tools
- Model Provenance Kit → This open-source Python tool from Cisco AI Defense aids in identifying the origins of machine learning models, allowing for comparative analysis.
- AutoFyn → An innovative open-source tool designed to optimize coding processes by running Claude AI in self-improving loops for various measurable goals, such as security enhancements.
Disclaimer: This information is intended for research and educational purposes only. It has not undergone a formal security assessment. Always test in a controlled environment before deployment.
Conclusion
It’s crucial to remain vigilant.
The frequency and sophistication of attacks are rapidly increasing, leaving little room for complacency. Act decisively by patching known vulnerabilities, verifying your supply chains, and tightening access controls for SaaS applications. Treat every login attempt and pipeline operation as potentially suspicious. Implementing proactive measures now can prevent significant issues down the line.
Until next Monday, stay alert and keep your defenses robust. The threats are real and persistent, and your response must be too. See you in the next recap.
