Detecteam

105 posts

@DetecteamInc

Our REFLEX platform automates the detection lifecycle—building, testing, validating and deploying detections in minutes, not months.

Seattle. Joined June 2023
156 Following, 22 Followers
Detecteam retweeted
Microsoft Threat Intelligence@MsftSecIntel
Microsoft Defender detected and protected customers against a new software supply chain compromise affecting the "pytorch-lightning" package and immediately reported the issue to the repository maintainers for takedown: msft.it/6013vJisb. At the time the compromised packages were identified and distributed, Microsoft Defender had proactive detections that blocked the malicious files as Trojan:JS/ShaiWorm.DQ!MTB. For protected environments, Microsoft Defender for Endpoint raised the alert "ShaiWorm malware was prevented". Our assessment indicates that Microsoft continues to provide strong protection coverage and has prevented observed activity indicating attempts to install the modified packages. Microsoft Defender continues to monitor for potential follow-on activity, including suspicious use of potentially exposed cloud credentials across major cloud platforms. Observed activity remains limited to a small number of devices and appears contained to a narrow set of environments. We are also investigating container-based telemetry and registry-related signals that may indicate potential compromise in some scenarios. Microsoft continues to monitor and investigate the issue, with layered protections, broad prevention coverage, and ongoing hunting efforts in place. We will share updates as more information becomes available.
Detecteam retweeted
Cyber Security News@The_Cyber_News
⚠️ Critical Wireshark Flaws Let Attackers Execute Arbitrary Code Via Malformed Packets Source: cybersecuritynews.com/wireshark-vuln… Wireshark, the world's most widely used open-source network protocol analyzer, has released a major security update addressing over 40 vulnerabilities, several of which enable arbitrary code execution through malformed packet injection or malicious capture files. Organizations and individuals relying on Wireshark for network monitoring, forensics, and traffic analysis should update immediately to Wireshark 4.6.5. The most severe vulnerabilities in this release carry the potential for remote code execution (RCE), moving beyond simple denial-of-service impact. #cybersecuritynews #wireshark
Detecteam retweeted
Cyber Security News@The_Cyber_News
🛡️ Trellix Source Code Breach - Hackers Gain Unauthorized Access to Repository Source: cybersecuritynews.com/trellix-source… Cybersecurity giant Trellix has disclosed a significant security incident involving unauthorized access to a portion of its source code repository. The company confirmed the breach in an official statement published on its website, stating it immediately engaged leading forensic experts upon discovering the intrusion. Source code repositories are prime targets for attackers seeking to identify exploitable vulnerabilities, embed backdoors, or conduct supply chain attacks against downstream customers. #cybersecuritynews #Databreach
Detecteam retweeted
Cyber Security News@The_Cyber_News
🚨 cPanelSniper - PoC Exploit Disclosed for cPanel Vulnerability, 44,000 Servers Compromised Source: cybersecuritynews.com/cpanelsniper-p… A weaponized proof-of-concept (PoC) exploit framework dubbed "cPanelSniper" has been publicly released for CVE-2026-41940, a maximum-severity authentication bypass in cPanel & WHM that has already led to the compromise of tens of thousands of servers worldwide, with attack activity traced as far back as late February 2026. The Shadowserver Foundation confirmed on April 30, 2026, that 44,000 unique IP addresses were observed scanning for victims, launching exploits, or conducting brute-force attacks against their honeypot sensors. #cybersecuritynews #vulnerability
Detecteam retweeted
Yunus Emre Öztaş@ynsmroztas
🚨 cPanelSniper — CVE-2026-41940: a CVSS 10.0 critical auth bypass in cPanel & WHM. CRLF injection → session file poisoning → root WHM access. Zero creds. ~70M domains affected. 4-stage chain: → preauth session mint → CRLF inject via Authorization header → do_token_denied gadget (raw→cache flush) → /json-api/version → PWNED ✅ Interactive WHM shell ✅ Account enum · cmd exec · backdoor admin ✅ Bulk scan · pipeline ready · stdlib only 🔗 github.com/ynsmroztas/cPa… #BugBounty #InfoSec #WHM #RedTeam #AppSec #bugbountytip #bugbountytips #infosec #recon
Detecteam retweeted
Cyber Security News@The_Cyber_News
⚠️ Linux Kernel 0-Day "Copy Fail" Roots Every Major Distribution Since 2017 Source: cybersecuritynews.com/linux-kernel-0… A critical zero-day vulnerability in the Linux kernel has been publicly disclosed, enabling any unprivileged local user to obtain root access on virtually every major Linux distribution shipped since 2017. Copy Fail is a straight-line logic bug, not a race condition, in the Linux kernel's authencesn cryptographic template, reachable via the AF_ALG socket interface combined with the splice() system call. A single 732-byte Python script using only standard library modules achieves deterministic root on every tested distribution and architecture. #cybersecuritynews #linux #CopyFail
Detecteam retweeted
Wiz@wiz_io
🚨 BREAKING: Wiz Research discovered Remote Code Execution on GitHub.com with a single git push. The flaw in @github allowed unauthorized access to millions of repositories belonging to other users and organizations 🤯
Detecteam retweeted
FalconFeeds.io@FalconFeedsio
🚨 Ransomware Alert 🚨 Qilin Ransomware group has added 4 new victims to their dark web portal.
* A & A BUILDING MATERIAL CO 🇺🇸
* Longwood Engineering Company Limited 🇬🇧
* Exclusive Networks 🇫🇷
* iSTARpal 🇲🇾
Detecteam retweeted
Andy Greenberg (@agreenberg at the other places)
A newly decoded piece of sabotage malware called Fast16, created before Stuxnet, was made to silently tamper with calculations in research and engineering software. Likely created by the US or an ally, and possibly used against Iran's nuclear program. wired.com/story/fast16-m…
Detecteam retweeted
Cyber Security News@The_Cyber_News
⚠️ Windows RPC Vulnerability Lets Attackers Escalate Privileges Across All Windows Versions Source: cybersecuritynews.com/new-windows-rp… PhantomRPC is a newly identified architectural vulnerability in Windows Remote Procedure Call (RPC) that enables local privilege escalation to SYSTEM-level access, potentially affecting every version of Windows. PhantomRPC is not a classic memory corruption bug or a logic flaw in a single component. Instead, it exploits an architectural design weakness in how the Windows RPC runtime (rpcrt4.dll) handles connections to unavailable RPC servers. When a highly privileged process attempts an RPC call to a server that is offline or disabled, the RPC runtime does not verify whether the responding server is legitimate. #cybersecuritynews #Windows
Detecteam retweeted
Cyber Security News@The_Cyber_News
🚨 Hackers Abuse SS7 and Diameter Protocols to Track Mobile Users Worldwide Source: cybersecuritynews.com/hackers-abuse-… A major investigation has revealed that sophisticated threat actors are exploiting fundamental vulnerabilities in global mobile networks to track users worldwide. By abusing legacy 3G SS7 and 4G Diameter signaling protocols, hackers are successfully bypassing telecom firewalls to conduct silent, cross-border espionage. By functioning as "Ghost Operators," they manipulate routing data to mask their origins while pinpointing the exact locations of high-value targets. While the older SS7 protocol completely lacks basic authentication, the newer 4G Diameter protocol suffers from weak security implementation across the industry. #cybersecuritynews
Detecteam retweeted
Cyber Security News@The_Cyber_News
⚠️ CrowdStrike LogScale Vulnerability Allows Remote Attackers to Read Files from Server Source: cybersecuritynews.com/crowdstrike-lo… CrowdStrike has issued an urgent security advisory for a critical unauthenticated path-traversal vulnerability (CVE-2026-40050) affecting its LogScale platform, warning that a remote attacker could exploit the flaw to read arbitrary files directly from the server's filesystem without authentication. The vulnerability resides in a specific cluster API endpoint within CrowdStrike LogScale. If this endpoint is exposed, a remote attacker can leverage it to traverse the server's directory structure and access sensitive files without needing credentials. #cybersecuritynews
Detecteam retweeted
blackorbird@blackorbird
#Sandworm group leverages nested SSH-TOR tunnels to build a double-encrypted anonymous direct elevator between victims and attackers. This highly evasive attack enables unrestricted sensitive data theft and persistent remote control. mp.weixin.qq.com/s/nJpqvXCYV3Zd…
blackorbird@blackorbird

#Sandworm Targeted RDP Backdoor Campaign (2024-2026) The group has fully evolved its operational strategy from high-impact instantaneous system destruction to intelligence-driven, long-term stealthy persistence. The campaign leverages a highly modular, iterated attack framework (Tambur/Sumbur/Kalambur/DemiMur) targeting global defense industry, critical infrastructure, and government entities. mp.weixin.qq.com/s/QWe2m4qdp45u…

Detecteam retweeted
Cyber Security News@The_Cyber_News
🚨 Gentlemen RaaS Attacking Windows, Linux With additional locker written in C for ESXi Source: cybersecuritynews.com/gentlemen-raas… A new ransomware-as-a-service (RaaS) operation known as "The Gentlemen" has emerged as a serious threat to corporate networks worldwide. Since appearing around mid-2025, this group has rapidly grown into a well-organized criminal platform, publicly claiming over 320 victims, with most attacks (more than 240) recorded in the opening months of 2026. The group offers lockers written in the Go programming language that work across Windows, Linux, NAS, and BSD environments, along with a separate locker written in C specifically designed to target VMware ESXi hypervisors. #cybersecuritynews
Detecteam retweeted
Cyber Security News@The_Cyber_News
🚨 Microsoft Defender 0-Day Vulnerability "RedSun" Enables Full SYSTEM Access Source: cybersecuritynews.com/defender-0-day… A newly disclosed zero-day vulnerability in Microsoft Defender, dubbed "RedSun," allows an unprivileged user to escalate privileges to full SYSTEM-level access on fully patched Windows 10, Windows 11, and Windows Server 2019 and later systems, and as of now, remains unpatched. RedSun is the second zero-day exploit published within a two-week span in April 2026 by the security researcher known as "Chaotic Eclipse" (also referred to as Nightmare-Eclipse on GitHub). RedSun follows the same exploit tradition but introduces an entirely new and independent attack vector, suggesting that Defender's architectural weaknesses run far deeper than a single isolated flaw. #cybersecuritynews #Windowsdefender
Detecteam retweeted
Cyber Security News@The_Cyber_News
🚨 Microsoft SharePoint Server 0-Day Vulnerability Actively Exploited in Attacks Source: cybersecuritynews.com/sharepoint-ser… A critical zero-day spoofing vulnerability in Microsoft SharePoint Server is being actively exploited in the wild, Microsoft confirmed on April 14, 2026, as part of its monthly security update cycle. Tracked as CVE-2026-32201, the flaw affects multiple versions of SharePoint Server and has been assigned a CVSS base score of 6.5 (Important), with an adjusted temporal score of 6.0 reflecting the availability of an official fix. The vulnerability stems from improper input validation (CWE-20) in Microsoft Office SharePoint, allowing an unauthenticated remote attacker to perform spoofing attacks over a network. #cybersecuritynews
Detecteam retweeted
vx-underground@vxunderground
This is very good malware. This is solid-solid-SOLID B+ malware, very close to A- malware. APT37 is using an old-school playbook. They're doing EPO (Entry Point Obfuscation) on a self-delivered binary for evasion. They also unironically are using something akin to cavity infection ... but on themselves. This is something you saw more in the Windows 95 - Windows XP era, not something you see in 2026. Very cool. I respect it. The multi-staged fragmentation of shellcode phases is also really, really, really cool. This is (once again) a more old-school technique usually reserved for infected binaries, not self-delivered binaries. Despite all of these super cool features, APT37 shoots themselves in the foot immediately.
- EAT walking for Kernel32 functionality (???)
- XOR decryption is a huge red flag
- Allocating with PAGE_EXECUTE_READWRITE (???)
- Hardcoded OAuth token (???)
- Used external dependency for AES (???)
Why not use NT functionality to hook evasion? XOR is easily identified in static analysis, why XOR? Allocating memory with VirtualAlloc with RWX is a MASSIVE RED FLAG. They also hardcode an OAuth token ... they can multi-stage a shellcode payload with old-school malware techniques but hardcode AN OAUTH TOKEN? It unironically makes me wonder if they had one old-head malware guy working on it, then they had some newer dude do the non-hardcore stuff. There is a huge gap in skill sets here. Or the old-head hasn't kept up to date on malware stuff since 2005... or they got lazy... I don't know, really weird.
Virus Bulletin@virusbtn

Genians Security Center uncovers an APT37 campaign that used social networking as an initial access vector. Two Facebook accounts set to North Korea-linked locations were used to screen targets, build trust, and move conversations to Messenger. genians.co.kr/en/blog/threat…
