Here are today’s top cybersecurity stories for Thursday, April 30, 2026.
‘Copy Fail’ Linux Kernel Flaw CVE-2026-31431 Gets Public Root Exploit — Every Distribution Since 2017 at Risk
Security researchers at Theori disclosed CVE-2026-31431, dubbed Copy Fail, a local privilege escalation vulnerability in the Linux kernel’s cryptographic subsystem present since August 2017. A working 732-byte Python proof-of-concept exploit grants root access on virtually all major Linux distributions — Ubuntu, Amazon Linux, RHEL, and SUSE — without needing to win a race condition, making it far more reliable than predecessors like Dirty Cow and Dirty Pipe. A kernel fix merged April 1 is available but not yet shipped by all distributions. Admins unable to update immediately should blacklist the algif_aead module as a temporary mitigation.
Help Net Security
CISA Adds Windows Shell Zero-Click CVE-2026-32202 and ConnectWise ScreenConnect to KEV — May 12 Federal Deadline
CISA added CVE-2026-32202, a zero-click NTLM hash leak in Windows Shell, to its Known Exploited Vulnerabilities catalog after Akamai researchers confirmed active exploitation. The flaw is the result of Microsoft’s incomplete patch of CVE-2026-21510, a zero-day exploited by APT28 against Ukraine and EU targets in December 2025. A second addition, CVE-2024-1708 in ConnectWise ScreenConnect, was also flagged as actively exploited. Federal Civilian Executive Branch agencies must apply patches by May 12, 2026.
BleepingComputer
Vimeo Confirms Data Breach After ShinyHunters Sets April 30 Leak Deadline
Vimeo disclosed a data breach affecting customer and user data after ShinyHunters threatened to publish stolen records by April 30 unless a ransom was paid. The breach traces to the earlier compromise of analytics vendor Anodot, whose stolen authentication tokens gave attackers access to Vimeo’s Snowflake and Google BigQuery environments. Exposed data includes email addresses, video metadata, and technical platform data — passwords and payment information were not affected. Vimeo disabled all Anodot credentials and engaged third-party forensics investigators.
BleepingComputer
Scattered Spider Member Arrested in Finland, US Seeks Extradition
A 19-year-old dual US-Estonian citizen known by the alias “Bouquet” was arrested at Helsinki airport on April 10 while attempting to board a flight to Japan. US federal prosecutors charged him with wire fraud, conspiracy, and computer intrusion, alleging he participated in at least four Scattered Spider breaches — including one he allegedly conducted at age 16 — that forced victim companies to pay millions in ransoms. US authorities are seeking extradition from Finland.
BleepingComputer
North Korea’s Famous Chollima Plants PromptMink Malware via AI-Assisted npm Commits
ReversingLabs researchers uncovered PromptMink, a sustained North Korean supply chain campaign in which a malicious npm dependency was introduced via a commit co-authored by Anthropic’s Claude Opus LLM. The attack uses layered packages — a first-tier clean package silently pulls in a second-tier payload named @validate-sdk/v2, which exfiltrates .env files, JSON credentials, crypto wallet data, and SSH keys to attacker-controlled servers. Over 60 packages and 300-plus versions have been tracked across npm and PyPI since late 2025.
The Hacker News
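The layered-package pattern described above is easiest to catch in the lockfile, where the hidden second tier shows up as a transitive dependency of an innocent-looking first tier. The following is an added example, not code from ReversingLabs or from the campaign writeup: a small audit of an npm package-lock.json (lockfile v2/v3 layout) that reports any package on a watch list together with the dependency chain through which it entered the tree, and any package npm has flagged as carrying an install-time script. The lockfile is constructed for the example; only the @validate-sdk/v2 name comes from the report, the other package names are hypothetical.

```javascript
// Added example (constructed sample data, hypothetical package names apart
// from @validate-sdk/v2): audit an npm lockfile for watch-listed packages
// and for packages that run install-time scripts.

const WATCH_LIST = new Set(['@validate-sdk/v2']);

// Constructed lockfile: a clean-looking first-tier package ("tidy-logger",
// hypothetical) declares the watch-listed package as its own dependency.
const SAMPLE_LOCKFILE = JSON.stringify({
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { 'tidy-logger': '^2.1.0', express: '^4.19.0' } },
    'node_modules/tidy-logger': {
      version: '2.1.0',
      dependencies: { '@validate-sdk/v2': '^1.0.3' },
    },
    // npm sets hasInstallScript when a package declares preinstall/install/postinstall.
    'node_modules/@validate-sdk/v2': { version: '1.0.3', hasInstallScript: true },
    'node_modules/express': { version: '4.19.2' },
  },
});

// 'node_modules/@scope/name' -> '@scope/name' (nested copies collapse by name,
// which is a simplification acceptable for a first pass).
function nameFromPath(p) {
  const i = p.lastIndexOf('node_modules/');
  return i === -1 ? p : p.slice(i + 'node_modules/'.length);
}

// Build package name -> list of declared dependency names.
function dependencyGraph(lock) {
  const graph = new Map();
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path === '' ? '<root>' : nameFromPath(path);
    graph.set(name, Object.keys(entry.dependencies || {}));
  }
  return graph;
}

// Depth-first search from the project root; returns the chain of package
// names leading to `target`, or null if it is not reachable.
function chainTo(graph, target) {
  const stack = [['<root>']];
  const seen = new Set();
  while (stack.length) {
    const chain = stack.pop();
    const current = chain[chain.length - 1];
    if (current === target) return chain.slice(1);
    if (seen.has(current)) continue;
    seen.add(current);
    for (const dep of graph.get(current) || []) stack.push([...chain, dep]);
  }
  return null;
}

// Scan a lockfile's JSON text and return a list of findings.
function scanLockfile(jsonText) {
  const lock = JSON.parse(jsonText);
  const graph = dependencyGraph(lock);
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue;
    const name = nameFromPath(path);
    if (WATCH_LIST.has(name)) {
      findings.push({ kind: 'watch-list', name, version: entry.version, chain: chainTo(graph, name) });
    }
    if (entry.hasInstallScript) {
      findings.push({ kind: 'install-script', name, version: entry.version });
    }
  }
  return findings;
}

// Run against the constructed sample when executed directly.
for (const f of scanLockfile(SAMPLE_LOCKFILE)) console.log(JSON.stringify(f));
```

To use it on a real project, pass the contents of its package-lock.json to scanLockfile. The chain in the watch-list finding is what answers the question the report raises, which direct dependency pulled the payload in; the install-script finding is a weaker signal on its own, since many legitimate packages build native code at install time, but it narrows the review list.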
Qinglong Task Scheduler RCE Flaws CVE-2026-3965 and CVE-2026-4047 Exploited for Cryptomining
Attackers exploited two authentication bypass vulnerabilities in Qinglong, an open-source task scheduler widely used by developers for automated scripting. CVE-2026-3965 exposes protected admin API endpoints through a misconfigured URL rewrite rule, while CVE-2026-4047 exploits a case-sensitivity mismatch between the authentication middleware and the router. Exploitation began in early February and deployed XMRig cryptominers on victim servers. All users on version 2.20.1 or earlier should update immediately.
BleepingComputer
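The second Qinglong flaw belongs to a general bug class: an authentication middleware that compares the raw request path case-sensitively, in front of a router that matches case-insensitively (the Express default), so a path that differs only in letter case is served without ever being recognised as protected. The following is an added example, not Qinglong's own code, that models the mismatch with a toy router and shows the vulnerable middleware beside a hardened one that applies the router's normalisation before deciding. Route names are hypothetical.

```javascript
// Added example (hypothetical routes, toy router): case-sensitivity mismatch
// between an auth check and the router, and the hardened form.

// Paths that must only be reachable with an authenticated session.
const PROTECTED_PREFIX = '/api/admin';

// What the router does to a path before matching. Case-insensitive matching
// is the Express default, which is where this class of mismatch comes from.
function routerNormalize(path) {
  return path.toLowerCase();
}

// Vulnerable middleware: checks the raw path, so '/api/Admin/tasks' is not
// treated as protected even though the router will still dispatch it.
function vulnerableAuthRequired(rawPath) {
  return rawPath.startsWith(PROTECTED_PREFIX);
}

// Hardened middleware: decides on exactly the form the router will match.
function hardenedAuthRequired(rawPath) {
  return routerNormalize(rawPath).startsWith(PROTECTED_PREFIX);
}

// Toy route table and dispatcher: middleware first, then router.
const ROUTES = {
  '/api/admin/tasks': 'listTasks',
  '/api/health': 'health',
};

function handle(rawPath, authenticated, authRequired) {
  if (authRequired(rawPath) && !authenticated) {
    return { status: 401 };
  }
  const handler = ROUTES[routerNormalize(rawPath)];
  return handler ? { status: 200, handler } : { status: 404 };
}

// Regression check a defender would keep in the test suite: every case
// variant of a protected path must be refused without a session.
function caseVariants(path) {
  return [path, path.toUpperCase(), path.replace('/admin/', '/Admin/')];
}

function allVariantsRefused(authRequired) {
  return caseVariants('/api/admin/tasks').every(
    (p) => handle(p, false, authRequired).status === 401
  );
}

console.log('vulnerable refuses all variants:', allVariantsRefused(vulnerableAuthRequired));
console.log('hardened refuses all variants:', allVariantsRefused(hardenedAuthRequired));
```

Sharing one normalisation function between the middleware and the router is the minimal fix; the more robust design attaches the authentication requirement to each route definition rather than to a path prefix, so there is no second matching step to disagree with. The same reasoning applies to the URL rewrite issue in the first CVE: any rewrite that runs after the authentication decision can expose a path the check never saw.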
Everest Ransomware Claims Third-Party Vendor Breach at Citizens Bank and Frost Bank — 3.4 Million Records
The Everest ransomware group posted claims alleging the theft of 3.4 million records from Citizens Financial Group and 250,000 records from Frost Bank, including Social Security numbers, tax IDs, and financial account details. Both banks confirmed the breach originated at a third-party vendor and said they found no evidence of unauthorized access to their own networks. Class action lawsuits were filed in US District Court within four days of disclosure. Everest’s six-day deadline for ransom payment has passed.
SecurityWeek
cPanel Zero-Day CVE-2026-41940 Was Exploited Since February — Two Months Before Patch Release
Help Net Security confirmed that attackers exploited CVE-2026-41940, the critical cPanel authentication bypass patched on April 29, in the wild for at least two months before the fix was available. First recorded exploitation dates to February 23, with evidence of even earlier activity. All cPanel and WHM versions after v11.40 were affected. Hosting providers are urged to verify patch deployment and audit web server access logs for indicators of compromise dating back to at least February.
Help Net Security
Stay tuned for today’s in-depth analysis posts.