Here are today’s top cybersecurity stories for Friday, May 1, 2026.
BlackCat/ALPHV Ransomware: Two Cybersecurity Professionals Sentenced to Four Years
The U.S. Department of Justice sentenced Ryan Goldberg and Kevin Martin to four years in federal prison for their roles in a series of BlackCat/ALPHV ransomware attacks carried out in 2023. Goldberg worked as an incident response manager at Sygnia, while Martin was employed at DigitalMint — both men used their insider positions to extract higher ransoms, sharing victim insurance limits with the ransomware operators. A third co-conspirator, Angelo Martino, previously pleaded guilty and awaits sentencing.
The Hacker News
China-Aligned SHADOW-EARTH-053 Targets Asian Governments and a NATO Member
Trend Micro disclosed details of a long-running espionage campaign attributed to a China-aligned intrusion cluster designated SHADOW-EARTH-053, active since at least December 2024. The group exploits N-day vulnerabilities in internet-facing Microsoft Exchange and IIS servers — including the ProxyLogon chain — to deploy GODZILLA web shells and ShadowPad backdoors via DLL sideloading. Targets span government and defense sectors across South, East, and Southeast Asia, plus one European government belonging to NATO.
The Hacker News
PyTorch Lightning Supply Chain Attack: 1,800 Developers Hit in Shai-Hulud Campaign
Threat actors compromised the popular PyPI package Lightning, publishing two malicious versions (2.6.2 and 2.6.3) on April 30, 2026. The malicious builds contain a hidden _runtime directory that executes an obfuscated JavaScript payload on import, stealing cloud credentials, environment variables, and authentication tokens while also attempting to poison downstream GitHub repositories. The campaign has been attributed to TeamPCP. Developers are advised to downgrade to version 2.6.1 and rotate all exposed secrets immediately.
The Hacker News
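For the Lightning item above, a defender-side check, added here as an example and not taken from the report or the Lightning project: it scans a site-packages directory for the two affected versions and for any installed file under a _runtime directory. The sample dist-info contents and file names are constructed, and where _runtime sits inside the package is an assumption, so the check matches it at any depth in the wheel's RECORD.

```python
import re
import tempfile
from pathlib import Path

AFFECTED_VERSIONS = {"2.6.2", "2.6.3"}  # versions named in the report
SUSPECT_DIR = "_runtime"                # directory name from the report


def read_name_version(dist_info):
    """Parse Name and Version from the headers of a .dist-info/METADATA file."""
    fields = {}
    meta = dist_info / "METADATA"
    if meta.is_file():
        for line in meta.read_text(encoding="utf-8", errors="replace").splitlines():
            if not line.strip():
                break  # blank line ends the header section
            key, _, value = line.partition(":")
            fields.setdefault(key.strip().lower(), value.strip())
    return fields.get("name", ""), fields.get("version", "")


def audit_site_packages(site_packages):
    """Return a list of findings for installed copies of the lightning package."""
    findings = []
    for dist_info in sorted(Path(site_packages).glob("*.dist-info")):
        name, version = read_name_version(dist_info)
        if re.sub(r"[-_.]+", "-", name).lower() != "lightning":
            continue  # PEP 503 normalised name does not match
        if version in AFFECTED_VERSIONS:
            findings.append(f"{dist_info.name}: affected version {version}")
        record = dist_info / "RECORD"  # CSV listing every file the wheel installed
        rows = record.read_text(errors="replace").splitlines() if record.is_file() else []
        if any(SUSPECT_DIR in row.split(",", 1)[0].split("/") for row in rows):
            findings.append(f"{dist_info.name}: RECORD lists a {SUSPECT_DIR} directory")
    return findings


def make_sample(root, version, record_rows):
    """Write a constructed dist-info directory (sample data, not a real wheel)."""
    d = Path(root) / f"lightning-{version}.dist-info"
    d.mkdir(parents=True)
    (d / "METADATA").write_text(f"Metadata-Version: 2.1\nName: lightning\nVersion: {version}\n\n")
    (d / "RECORD").write_text("\n".join(record_rows) + "\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed sample: the file names below are invented for the demo.
        make_sample(tmp, "2.6.3", ["lightning/__init__.py,,", "lightning/_runtime/loader.js,,"])
        for finding in audit_site_packages(tmp):
            print(finding)
```

On a real host, pass each path returned by site.getsitepackages() (and the user site directory) to audit_site_packages; a finding means the environment should be treated as exposed and its secrets rotated, as the item advises.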
Bluekit: AI-Assisted Phishing Kit Bundles 40+ Templates and MFA Bypass
Researchers at Varonis disclosed a new phishing-as-a-service platform called Bluekit, which offers over 40 brand templates — including iCloud, Gmail, Outlook, GitHub, and Ledger — alongside an AI assistant that drafts campaign content. Bluekit captures session cookies and local storage data to facilitate MFA bypass, routing stolen credentials to operators via Telegram. The platform is under active development and gaining traction among lower-tier cybercriminals.
BleepingComputer
FBI and Dubai Police Dismantle Nine Crypto Scam Centers, Arrest 276
A coordinated international operation involving the FBI, Dubai Police, and Chinese Ministry of Public Security dismantled at least nine cryptocurrency “pig butchering” fraud centers and led to 276 arrests. Three defendants were charged federally in San Diego with wire fraud and money laundering. The operation targeted networks that cultivated victim trust through social media before directing them to fake investment platforms that drained their funds.
U.S. Department of Justice
CCCS Launches CIREN: Critical Infrastructure Resilience Initiative for Canadian Organizations
The Canadian Centre for Cyber Security launched the Critical Infrastructure Resilience and Escalated Threat Navigation (CIREN) initiative to help Canadian critical infrastructure operators prepare for prolonged cyber disruptions. CIREN covers energy, telecommunications, transportation, and water sectors and provides exercises and guidance for worst-case scenarios, responding to elevated state-driven and criminal threat activity.
Canadian Centre for Cyber Security
KB5083769 Breaks Third-Party Backup Software on Windows 11 24H2 and 25H2
Microsoft’s April 2026 security update KB5083769 is causing widespread failures in third-party backup applications — including Acronis Cyber Protect Cloud, Macrium Reflect, NinjaOne Backup, and UrBackup Server — due to a regression in the Volume Shadow Copy Service (VSS). Administrators are advised to hold deployment at MS-DEFCON 3. The recommended workaround is to uninstall the update and pause Windows Updates until a corrected build ships.
BleepingComputer
Qilin Ransomware Claims Jayeff Construction in Latest Double-Extortion Attack
Qilin ransomware operators posted Jayeff Construction, a UK-based construction firm, to their dark web leak site on May 1, 2026. Qilin has now claimed over 1,000 victims and continues to apply double-extortion pressure — demanding payment for a decryptor as well as the non-release of stolen data — across multiple industries and regions.
RedPacket Security
CIRCIA Final Rule Expected This Month as CISA Moves Toward Critical Infrastructure Reporting Mandate
CISA is on track to finalize the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) regulations in May 2026, after an earlier delay. The rule will require critical infrastructure owners and operators to report significant cyber incidents within 72 hours and ransomware payments within 24 hours. CISA revised the proposed rule based on stakeholder feedback to reduce burden and improve harmonization with existing federal reporting requirements.
CyberScoop
Stay tuned for today’s in-depth analysis posts.






