Transcript
A (0:00)
From the CISO Series, it's Cybersecurity Headlines. These are the cybersecurity headlines for Friday, May 1, 2026. I'm Steve Prentice.

Critical cPanel and WHM bug exploited as zero-day. Experts are warning about a critical, CVE-numbered authentication bypass vulnerability in cPanel, which is a Linux-based web hosting control panel, as well as WHM and WP Squared. The bug is being actively exploited in the wild. Hosting provider KnownHost, which uses cPanel, said it noticed successful exploits in the wild on the very day the vulnerability was disclosed. cPanel released a fix on Tuesday after receiving pressure from hosting providers. According to Rapid7, quote, "Shodan Internet scans show that there are approximately 1.5 million cPanel instances exposed online," end quote. But there is no data on how many are vulnerable to this particular bug.

Swiss police arrest suspected members of Black Axe group. These arrests, made in conjunction with German police, followed house searches across several Swiss cantons. The 10 suspects, believed to be members of this Nigerian gang, are aged between 32 and 54 and are accused of carrying out romance scams and money laundering operations. The gang itself, Black Axe, is regarded by law enforcement as a highly structured transnational criminal organization with a global presence. Authorities believe the group has about 30,000 registered members worldwide and describe it as highly organized.

HHS ponders government posture for protecting data centers. This question revolves around whether to designate data centers as a standalone critical infrastructure sector, given that they are regularly targeted. A hearing was held Wednesday to contemplate whether the federal government currently has the right setup for defending them. Some industry witnesses and experts at the hearing of the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection suggest that data centers be given their own standalone designation, especially in light of the boom in the building of such facilities across the country. This would follow a move already taken by the UK.

New Python backdoor uses tunneling service to steal browser and cloud credentials. Researchers from security firm Securonix have disclosed details of this stealthy Python-based backdoor framework called DEEP#DOOR, that is D-E-E-P, pound, Door, Deep Door, which comes with capabilities to establish persistent access and harvest a wide range of sensitive information from compromised hosts. The batch script is distributed via a phishing campaign, although it is not known how widespread the malware distribution has become. The attack chain is noteworthy in that the core Python implant is embedded directly inside the dropper script in a way that reduces the need to repeatedly reach out to external infrastructure, thus minimizing the forensic footprint.

Huge thanks to our sponsor GuardSquare. Attackers are treating your mobile app like an open book. 63% of security leaders recently detected app tampering, cloning or unauthorized modifications. When your code runs in an untrusted environment, you need runtime self-protection and code hardening to keep attackers out. Address tampering before it starts. Learn more at guardsquare.com. That is G-U-A-R-D-S-Q-U-A-R-E, guardsquare.com.

Almost half of UK businesses pwned last year through phishing. According to the UK government's latest Cybersecurity Breaches Survey, released yesterday, Thursday, 43% of businesses and 28% of charities reported a cyber incident in the past year. This translates to approximately 612,000 UK businesses and 57,000 UK charities, and these numbers have not improved since the last report. The report states that phishing is the most successful penetration technique, especially impersonation emails that pose as tech support and which send employees to fake login pages. Malware, ransomware and unauthorized access all trail some distance behind, the report says.

North Korean attacks use AI-inserted NPM malware. Researchers at ReversingLabs are warning of malicious code in an NPM package that was added as a dependency to a project by Anthropic's Claude Opus large language model. The package in question is validate SDK v2, which is listed on NPM as a utility software development kit for hashing, validation, encoding and decoding, and secure random generation. However, its real functionality is to plunder sensitive secrets from the compromised environment. The package, which shows signs of being vibe-coded using generative artificial intelligence, was first uploaded to the repository in October of 2025. ReversingLabs has named this malware campaign Prompt Mink and has linked it to the North Korean threat actor Famous Chollima.

Delia Ramirez takes over as top House cybersecurity Democrat. The Illinois representative is taking over as the top Democrat on the House Homeland Security panel's cybersecurity subcommittee, replacing former Representative Eric Swalwell after his resignation. She is a vocal critic of the CISA cutbacks and the current administration's Department of Government Efficiency initiative led by Elon Musk. But she has also expressed criticisms of US cybersecurity under the Biden administration, including of Microsoft's role in the SolarWinds breach.

LiteLLM bug exploited 36 hours after its disclosure. Attackers quickly exploited this critical, CVE-numbered flaw in the LiteLLM Python package to access and modify sensitive database data via SQL injection, and this happened just days after it became public. This vulnerability is an SQL injection in the proxy API key verification process that lets attackers access and potentially modify database data. The attacker does not need valid credentials. By sending a specially crafted authorization header to an API endpoint, they can manipulate the query executed by the database. Researchers working for the Sysdig Threat Research Team have observed the attacks in the wild.

If you have some thoughts on the news from today, or about this show in general, please be sure to reach out to us at feedback@cisoseries.com. We would love to hear from you. I'm Steve Prentice reporting for the CISO Series. Cybersecurity Headlines is available every weekday. Head to cisoseries.com for the full stories behind the headlines.
