top of page

ALL POSTS

Active Exploitation of cPanel CVE-2026-41940 Deploys Filemanager Backdoor Across 2,000+ Attacker IPs Globally

Key Findings Critical cPanel vulnerability CVE-2026-41940 (CVSS 9.3) is being actively exploited in the wild to deploy the Filemanager backdoor Over 2,000 malicious IPs from Germany, US, Brazil, Netherlands and other regions are conducting automated attacks Threat actor Mr_Rot13 has been linked to the campaign, with evidence of operations dating back to at least 2020 Exploitation has led to cryptomining, ransomware deployment, botnet propagation, and credential theft Southeas

Google Thwarted First AI-Generated Zero-Day Exploit Before Attack

Key Findings Google Threat Intelligence Group discovered a zero-day exploit developed entirely by artificial intelligence before attackers could deploy it at scale Code analysis revealed telltale AI artifacts including excessive documentation strings, highly annotated code, and a hallucinated CVSS score that don't match human developer patterns A well-known cybercrime group with a history of high-profile attacks and mass exploitation was preparing to use the exploit for finan

AI-Powered Zero-Day: Hackers' First Known 2FA Bypass Campaign Stopped by Google

Key Findings Google identified threat actors using an AI-generated zero-day exploit to bypass two-factor authentication on a web-based administration tool, marking the first confirmed use of AI in malicious vulnerability discovery in the wild The exploit was delivered as a Python script containing telltale signs of large language model generation, including excessive docstrings, fabricated CVSS scores, and textbook-style code formatting The vulnerability required valid user c

Fake OpenAI Repository on Hugging Face Distributes Infostealer Malware, Reaches Top Downloads

Key Findings Malicious repository impersonating OpenAI's Privacy Filter reached #1 trending on Hugging Face with 244,000 downloads in 18 hours before removal Typosquatting attack used copied model descriptions and fake AI code to distribute Rust-based information stealer malware Multi-stage attack chain included privilege escalation, Windows Defender evasion, and credential theft targeting browsers, wallets, and Discord At least six additional malicious repositories using sim

Critical Ollama GGUF Loader Vulnerability Exposes Sensitive Process Memory to Remote Attackers

Key Findings CVE-2026-7482 (CVSS 9.1) affects Ollama versions before 0.17.1, impacting an estimated 300,000+ servers globally Out-of-bounds read in GGUF model loader allows unauthenticated remote attackers to leak entire process memory Vulnerability enables exfiltration of API keys, environment variables, system prompts, and user conversation data Two additional Windows update flaws (CVE-2026-42248 and CVE-2026-42249) enable persistent code execution but remain unpatched Olla

Hackers Exploit DigiCert to Issue Malware-Signing Certificates

Key Findings DigiCert's support team was compromised on April 2, 2026 when a staff member opened malware disguised as a screenshot in a help chat Attackers obtained initialization codes for EV Code Signing certificates, which function as bearer credentials for issuing valid certificates At least 60 certificates were revoked after hackers used stolen credentials to sign the Zhong Stealer malware A second compromised endpoint with a malfunctioning CrowdStrike sensor allowed att

Two US Men Imprisoned for Aiding North Korean Hackers in Infiltrating American Companies

Key Findings Two US men, Matthew Isaac Knoot and Erick Ntekereze Prince, sentenced to 18 months each for operating "laptop farms" that enabled North Korean hackers to infiltrate approximately 70 US companies The scheme generated over $1.2 million in illicit revenue, primarily funneled to North Korea's weapons of mass destruction programs Knoot's operation ran from July 2022 to August 2023; Prince's farm operated from June 2020 to August 2024 Victims incurred over $1.5 million

JDownloader's Official Site Distributes Malware to Windows and Linux Users in Major Supply Chain Attack

Key Findings JDownloader's official website was compromised between May 6-7, 2026, serving malicious installers to Windows and Linux users instead of legitimate software Attackers deployed a Python-based remote access trojan (RAT) that gave them remote control over infected systems, with an 8-minute execution delay The breach was limited to the Windows "Alternative Installer" and Linux shell installer; macOS, in-app updates, and package managers remained unaffected Attackers

JDownloader Site Compromised: Malicious Installers Distribute Python RAT Malware

Key Findings JDownloader's official website was compromised on May 6-7, allowing attackers to distribute malicious Windows and Linux installers The attack exploited an unpatched CMS vulnerability that allowed unauthorized modification of access control lists without authentication Only alternative installers were affected; macOS versions, core JAR files, and in-app updates remained secure due to separate infrastructure and cryptographic verification Users who downloaded compr

Critical cPanel and WHM Security Update: Three New Vulnerabilities Patched to Prevent File Read, Code Execution, and Privilege Escalation

Key Findings cPanel and WHM released patches for three vulnerabilities affecting multiple versions CVE-2026-29201 allows arbitrary file read through insufficient input validation CVE-2026-29202 enables arbitrary Perl code execution for authenticated users CVE-2026-29203 exploits unsafe symlink handling for denial-of-service and potential privilege escalation No evidence of active exploitation yet, but disclosure follows recent zero-day attacks using Mirai and Sorry ransomware

Braintrust Security Breach Exposes Critical Vulnerabilities in AI Supply Chain

Key Findings Braintrust, an AI observability startup, suffered an unauthorized breach of an AWS account on May 4, 2026 Attackers potentially accessed API keys and secrets used to connect to cloud-based AI models One customer confirmed compromised, three additional customers reported suspicious AI usage spikes The breach exposes growing vulnerabilities in AI supply chains as attackers target platforms storing valuable credentials Threat actors can abuse AI services while appea

Quasar Linux RAT (QLNX): A Fileless Implant Targeting Supply Chain with Stealth and Persistence

Key Findings Researchers discovered QLNX, a previously undocumented Linux remote access trojan targeting developers and DevOps environments The malware operates entirely from memory using memfd_create to avoid disk detection QLNX includes embedded C source code for PAM backdoors and LD_PRELOAD rootkits that dynamically compile on target systems The implant supports 58 command handlers including keylogging, credential theft, SSH lateral movement, and eBPF-based hiding Communic

ShinyHunters Breach Impacts Thousands of Universities Through Canvas LMS Vulnerability

Key Findings ShinyHunters claimed responsibility for breaching Instructure's Canvas LMS and defaced university login portals including canvas.vt.edu on Thursday The group claims to have exfiltrated 3.65TB of data from nearly 9,000 educational institutions affecting approximately 275 million users worldwide Exposed data includes names, email addresses, student ID numbers, and internal Canvas messages, but not passwords, financial records, or government IDs according to Instruc

ClaudeBleed: Hackers Exploit Chrome Extension Vulnerability to Hijack Claude and Steal Data

Key Findings LayerX researchers discovered ClaudeBleed, a critical vulnerability in Claude's Chrome extension that allows any other browser extension to take full control of the AI assistant The flaw stems from improper message source verification, allowing malicious scripts to issue commands to Claude without user knowledge or consent Attackers can extract files from Google Drive, read private emails, send messages on behalf of users, and access GitHub repositories Anthropic

PAN-OS RCE Exploit Actively Exploited for Root Access and Surveillance Operations

Key Findings CVE-2026-0300, a critical buffer overflow in PAN-OS User-ID Authentication Portal, is under active exploitation by suspected state-sponsored actors Unsuccessful exploitation attempts began April 9, 2026, with successful remote code execution achieved a week later Attackers achieved root-level access and injected shellcode into nginx worker processes Post-exploitation activities included Active Directory enumeration and deployment of EarthWorm and ReverseSocks5 to

PCPJack Cloud Worm: Exploiting 5 CVEs to Steal Credentials and Spread Across Systems

Key Findings PCPJack is a credential theft framework targeting exposed cloud infrastructure across Docker, Kubernetes, Redis, MongoDB, and RayML The malware exploits five CVEs (CVE-2025-55182, CVE-2025-29927, CVE-2026-1357, CVE-2025-9501, CVE-2025-48703) to spread worm-like across networks PCPJack actively removes TeamPCP artifacts from compromised systems, suggesting possible connection to former TeamPCP members Stolen credentials are exfiltrated via Telegram and include acc

Ivanti EPMM CVE-2026-6973 RCE Actively Exploited to Grant Admin-Level Access

Key Findings Ivanti Endpoint Manager Mobile (EPMM) vulnerability CVE-2026-6973 is under active exploitation in limited attacks, requiring administrative authentication for RCE Five additional vulnerabilities patched in EPMM range from CVSS 7.0 to 8.9, with multiple allowing unauthenticated access and privilege escalation CISA added CVE-2026-6973 to Known Exploited Vulnerabilities catalog, mandating Federal agencies patch by May 10, 2026 Palo Alto Networks PAN-OS critical buff

ThreatsDay Bulletin: Edge Plaintext Password Exposure, Critical ICS 0-Days, Urgent Patch Alerts and 25+ Breaking Security Stories

Key Findings Microsoft Edge stores saved passwords in plaintext in memory on startup, accessible to any process with administrative privileges MicroStealer malware targeting education and telecom sectors spreads via multi-stage delivery chains and exfiltrates data through Discord FTC settlement with Kochava blocks sale of location data including income, device IDs, and real-time geolocation without explicit consent pnpm 11 implements 24-hour minimum release age for packages t

xlabs_v1 Mirai Botnet: Exploiting ADB Across IoT Devices for Large-Scale DDoS Operations

Key Findings New Mirai-derived botnet called xlabs_v1 targets internet-exposed Android Debug Bridge (ADB) services on port 5555 to compromise IoT devices for DDoS attacks Supports 21 flood variants across TCP, UDP, and raw protocols including RakNet and OpenVPN-shaped traffic designed to bypass consumer-grade DDoS protection Operates as a DDoS-for-hire service primarily targeting game servers and Minecraft hosts with bandwidth-tiered pricing Threat actor uses the moniker "Tad

Palo Alto PAN-OS Zero-Day Vulnerability Under Active Exploitation

Key Findings Critical buffer overflow vulnerability CVE-2026-0300 in Palo Alto Networks PAN-OS is actively being exploited in the wild with limited confirmed attacks Flaw affects authentication portals on PA-Series and VM-Series firewalls, allowing unauthenticated attackers to execute code with root privileges CVSS score of 9.3 with low attack complexity means the vulnerability is easily exploitable and automatable for mass campaigns More than 5,800 publicly exposed VM-Series

  • Youtube

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page