TECHZONE™

Silver Fox Deploys ABCDoor Malware via Tax-Themed Phishing in India and Russia https://thehackernews.com/2026/05/silver-fox-deploys-abcdoor-malware-via.html The China-based cybercrime group known as Silver Fox has been linked to a new campaign targeting organizations in Russia and India with a new malware called ABCDoor. The activity involved using phishing emails that mimic correspondence from the Income Tax Department of India in December 2025, followed by a similar campaign aimed at Russian entities. "Both waves followed a nearly identical

Critical cPanel Vulnerability Weaponized to Target Government and MSP Networks https://thehackernews.com/2026/05/critical-cpanel-vulnerability.html A previously unknown threat actor has been observed targeting government and military entities in Southeast Asia, alongside a smaller cluster of managed service providers (MSPs) and hosting providers in the Philippines, Laos, Canada, South Africa, and the U.S., by exploiting the recently disclosed vulnerability in cPanel. The activity, detected by Ctrl-Alt-Intel on May 2, 2026, involves the

Global Crackdown Arrests 276, Shuts 9 Crypto Scam Centers, Seizes $701M https://thehackernews.com/2026/05/global-crackdown-arrests-276-shuts-9.html A coordinated international operation involving U.S. and Chinese authorities has arrested at least 276 suspects and shut down nine scam centers used for cryptocurrency investment fraud schemes targeting Americans, resulting in millions of dollars in losses. The crackdown was led by the Dubai Police, under the United Arab Emirates (UAE) Ministry of Interior, in partnership with the U.S. Federal

CISA Adds Actively Exploited Linux Root Access Bug CVE-2026-31431 to KEV https://thehackernews.com/2026/05/cisa-adds-actively-exploited-linux-root.html The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added a recently disclosed security flaw impacting various Linux distributions to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. The vulnerability, tracked as CVE-2026-31431 (CVSS score: 7.8), is a case of local privilege escalation (LPE) flaw that could allow an

Trellix Confirms Source Code Breach With Unauthorized Repository Access https://thehackernews.com/2026/05/trellix-confirms-source-code-breach.html Cybersecurity company Trellix has announced that it suffered a breach that enabled unauthorized access to a "portion" of its source code. It said it "recently identified" the compromise of its source code repository and that it began working with "leading forensic experts" to resolve the matter immediately. It also said it has notified law enforcement of the matter. Trellix did not disclose the

30,000 Facebook Accounts Hacked via Google AppSheet Phishing Campaign https://thehackernews.com/2026/05/30000-facebook-accounts-hacked-via.html A newly discovered Vietnamese-linked operation has been observed using a Google AppSheet as a "phishing relay" to distribute phishing emails with an aim to compromise Facebook accounts. The activity has been codenamed AccountDumpling by Guardio, with the scheme selling the stolen accounts back through an illicit storefront run by the threat actors. In all, roughly 30,000 Facebook accounts are

Cybercrime Groups Using Vishing and SSO Abuse in Rapid SaaS Extortion Attacks https://thehackernews.com/2026/05/cybercrime-groups-using-vishing-and-sso.html Cybersecurity researchers are warning of two cybercrime groups that are carrying out "rapid, high-impact attacks" operating almost within the confines of SaaS environments, while leaving minimal traces of their actions. The clusters, Cordial Spider (aka BlackFile, CL-CRI-1116, O-UNC-045, and UNC6671) and Snarky Spider (aka O-UNC-025 and UNC6661), have been attributed to high-speed data theft and

China-Linked Hackers Target Asian Governments, NATO State, Journalists, and Activists https://thehackernews.com/2026/05/china-linked-hackers-target-asian.html Cybersecurity researchers have disclosed details of a new China-aligned espionage campaign targeting government and defense sectors across South, East, and Southeast Asia, along with one European government belonging to NATO. Trend Micro has attributed the activity to a threat activity cluster it tracks under the temporary designation SHADOW-EARTH-053. The adversarial collective is assessed to

Top Five Sales Challenges Costing MSPs Cybersecurity Revenue https://thehackernews.com/2026/05/top-five-sales-challenges-costing-msps.html The managed security services market is projected to grow from $38.31 billion in 2025 to $69.16 billion by 2030[1], with cybersecurity being the fastest-growing sector[2]. Despite this opportunity, many MSPs leave revenue on the table because their go-to-market strategy fails to connect technical expertise with business needs. This execution gap is where most deals stall. MSPs often focus on

Two Cybersecurity Professionals Get 4-Year Sentences in BlackCat Ransomware Attacks https://thehackernews.com/2026/05/two-cybersecurity-professionals-get-4.html The U.S. Department of Justice (DoJ) on Thursday announced the sentencing of two cybersecurity professionals to four years each in prison for their role in facilitating BlackCat ransomware attacks in 2023. Ryan Goldberg, 40, of Georgia, and Kevin Martin, 36, of Texas, were accused of deploying the ransomware against multiple victims located throughout the U.S. between April and December 2023.

Poisoned Ruby Gems and Go Modules Exploit CI Pipelines for Credential Theft https://thehackernews.com/2026/05/poisoned-ruby-gems-and-go-modules.html A new software supply chain attack campaign has been observed using sleeper packages as a conduit to subsequently push malicious payloads that enabled credential theft, GitHub Actions tampering, and SSH persistence. The activity has been attributed to the GitHub account "BufferZoneCorp," which has published a set of repositories that are associated with malicious Ruby gems and Go modules. As of

PyTorch Lightning and Intercom-client Hit in Supply Chain Attacks to Steal Credentials https://thehackernews.com/2026/04/pytorch-lightning-compromised-in-pypi.html In yet another software supply chain attack, threat actors have managed to compromise the popular Python package Lightning to push two malicious versions to conduct credential theft. According to Aikido Security, OX Security, Socket, and StepSecurity, the two malicious versions are versions 2.6.2 and 2.6.3, both of which were published on April 30, 2026. The campaign is assessed to be an

ThreatsDay Bulletin: SMS Blaster Busts, OpenEMR Flaws, 600K Roblox Hacks and 25 More Stories https://thehackernews.com/2026/04/threatsday-bulletin-sms-blaster-busts.html The internet is noisy this week. We are seeing some wild new tactics, like people using fake cell towers to send scam texts, while some developers are accidentally downloading tools that peek into their private files during a simple install. It is definitely a busy time to be online. Security is always a moving target. Millions of servers are currently sitting online without any passwords, and

New Python Backdoor Uses Tunneling Service to Steal Browser and Cloud Credentials https://thehackernews.com/2026/04/new-python-backdoor-uses-tunneling.html Cybersecurity researchers have disclosed details of a stealthy Python-based backdoor framework called DEEP#DOOR that comes with capabilities to establish persistent access and harvest a wide range of sensitive information from compromised hosts. "The intrusion chain begins with execution of a batch script ('install_obf.bat') that disables Windows security controls, dynamically extracts an

EtherRAT Distribution Spoofing Administrative Tools via GitHub Facades https://thehackernews.com/2026/04/etherrat-distribution-spoofing.html Intro A sophisticated, high-resilience malicious campaign was identified by Atos Threat Research Center (TRC) in March 2026. This operation specifically targets the high-privilege professional accounts of enterprise administrators, DevOps engineers, and security analysts by impersonating administrative utilities they rely on for daily operations. By integrating Search Engine Order (SEO)

This month in security with Tony Anscombe – April 2026 edition https://www.welivesecurity.com/en/videos/month-security-tony-anscombe-april-2026/ Warnings about helpdesk impersonation scams and Iran-linked hackers targeting critical sectors in the US, plus the most damaging scams of 2025 - here's some of what made the headlines this month

New Linux 'Copy Fail' Vulnerability Enables Root Access on Major Distributions https://thehackernews.com/2026/04/new-linux-copy-fail-vulnerability.html Cybersecurity researchers have disclosed details of a Linux local privilege escalation (LPE) flaw that could allow an unprivileged local user to obtain root. The high-severity vulnerability tracked as CVE-2026-31431 (CVSS score: 7.8) has been codenamed Copy Fail by Xint.io and Theori. "An unprivileged local user can write four controlled bytes into the page cache of any readable file on a Linux

Google Fixes CVSS 10 Gemini CLI CI RCE and Cursor Flaws Enable Code Execution https://thehackernews.com/2026/04/google-fixes-cvss-10-gemini-cli-ci-rce.html Google has addressed a maximum severity security flaw in Gemini CLI -- the "@google/gemini-cli" npm package and the "google-github-actions/run-gemini-cli" GitHub Actions workflow -- that could have allowed attackers to execute arbitrary commands on host systems. "The vulnerability allowed an unprivileged external attacker to force their own malicious content to load as Gemini configuration,"

SAP npm Packages Compromised by “Mini Shai-Hulud” Credential-Stealing Malware https://thehackernews.com/2026/04/sap-npm-packages-compromised-by-mini.html Cybersecurity researchers are sounding the alarm about a new supply chain attack campaign targeting SAP-related npm Packages with credential-stealing malware. According to reports from Aikido Security, SafeDep, Socket, StepSecurity, and Google-owned Wiz, the campaign – calling itself the mini Shai-Hulud – has affected the following packages associated with SAP's JavaScript and cloud application

New Wave of DPRK Attacks Uses AI-Inserted npm Malware, Fake Firms, and RATs https://thehackernews.com/2026/04/new-wave-of-dprk-attacks-uses-ai.html Cybersecurity researchers have discovered malicious code in an npm package after a malicious package as a dependency to the project by Anthropic's Claude Opus large language model (LLM). The package in question is "@validate-sdk/v2," which is listed on npm as a utility software development kit (SDK) for hashing, validation, encoding/decoding, and secure random generation. However, its real