Here are today’s top cybersecurity stories for Monday, May 4, 2026.
cPanel CVE-2026-41940 Mass-Exploited in “Sorry” Ransomware Attacks and Espionage Campaign
The critical authentication bypass flaw in cPanel and WHM (CVE-2026-41940, CVSS 9.8) is now being exploited at scale. Internet scanner Censys has identified over 44,000 compromised IP addresses running cPanel, with attackers deploying a Go-based Linux encryptor that appends the .sorry extension to files. Threat researchers at Ctrl-Alt-Intel separately identified an espionage campaign targeting government and military entities in Southeast Asia as well as MSPs and hosting providers in Canada, the Philippines, Laos, South Africa, and the United States.
Sources: BleepingComputer | The Hacker News | Help Net Security
ShinyHunters Breaches Instructure Canvas: 275 Million Users Across 9,000 Schools Affected
EdTech firm Instructure, the company behind the Canvas learning management system, has confirmed a cybersecurity incident after ShinyHunters claimed to have stolen 3.65 TB of data from approximately 275 million users across nearly 9,000 institutions worldwide. Exposed data includes names, email addresses, student ID numbers, and private messages. Instructure states it found no evidence that passwords, government identifiers, or financial information were involved, and has rotated API keys.
Sources: BleepingComputer | SecurityWeek
Trellix Confirms Source Code Breach After Unauthorized Repository Access
Cybersecurity vendor Trellix has disclosed that attackers gained unauthorized access to a portion of its source code repository. The company engaged forensic experts and notified law enforcement. Trellix states its investigation has found no evidence that source code was exploited or that its software release and distribution process was affected. No attribution has been publicly disclosed and the investigation remains active.
Source: The Hacker News
VENOMOUS#HELPER Campaign Uses RMM Tools Against 80+ Organizations
Securonix researchers have documented an active phishing campaign, dubbed VENOMOUS#HELPER, that has compromised over 80 organizations predominantly in the United States. Attackers send phishing emails impersonating the U.S. Social Security Administration to deliver SimpleHelp and ScreenConnect RMM installers, establishing persistent remote access. Researchers assess the campaign as consistent with ransomware precursor activity or an initial access broker operation.
Source: The Hacker News
FEMITBOT: Telegram Mini Apps Used for Large-Scale Crypto Scams and Android Malware Distribution
CTM360 researchers have uncovered FEMITBOT, a fraud platform that abuses Telegram’s Mini App feature to run cryptocurrency investment scams, impersonate major brands including Apple, NVIDIA, and Disney, and distribute Android malware. The platform deploys phishing pages directly inside Telegram’s WebView. Some Mini Apps distribute APK files impersonating brands including the BBC and Netflix. Victims are shown fake dashboards with fictional earnings to encourage further deposits.
Source: BleepingComputer
Windows 11 April Update KB5083769 Blocking Third-Party Backup Software
Microsoft’s April 2026 security updates add the kernel driver psmounterex.sys to Windows Code Integrity’s vulnerable driver blocklist, blocking backup applications that depend on the driver from mounting or managing disk images. Affected software includes Macrium Reflect, Acronis Cyber Protect Cloud, NinjaOne Backup, and UrBackup Server. The block is tied to CVE-2023-43896, a buffer overflow in older versions of Macrium Reflect. Microsoft recommends updating affected applications to patched versions.
Source: BleepingComputer
CISA Adds CVE-2026-31431 Linux Kernel LPE to Known Exploited Vulnerabilities Catalog
CISA has added CVE-2026-31431, a local privilege escalation flaw in the Linux kernel’s algif_aead module (CVSS 7.8), to its Known Exploited Vulnerabilities catalog following active exploitation confirmed in the wild. Affected distributions include Ubuntu, Amazon Linux, Red Hat Enterprise Linux, and SUSE. Federal Civilian Executive Branch agencies face a patching deadline of May 15, 2026.
Sources: The Hacker News | CISA
15-Year-Old Detained in France Over ANTS Identity Agency Data Breach
French authorities have detained a 15-year-old connected to the breach of France Titres (ANTS), the government agency managing passports, national ID cards, and driving licences. Paris prosecutors formally charged the minor, believed to operate as “breach3d,” who listed data on between 11.7 million and 18 million French citizens for sale on hacker forums. Data confirmed as stolen includes full names, email addresses, dates of birth, postal addresses, and phone numbers.
Sources: BleepingComputer | Help Net Security
U.S. Charges Suspected Scattered Spider Member Peter Stokes for Multi-Million Dollar Extortion
U.S. federal prosecutors have charged 19-year-old Peter Stokes, a dual U.S.-Estonian national known online as “Bouquet,” who was arrested in Finland on April 10, 2026. Charges unsealed in Chicago include wire fraud, conspiracy, and computer intrusion linked to extortion campaigns targeting major enterprises. Stokes is alleged to have conducted social engineering attacks against IT help desks, including a May 2025 attack against a luxury retailer that resulted in the theft of approximately 100 GB of data.
Source: SecurityWeek
Stay tuned for today’s in-depth analysis posts.






