New Tooling
- Open-Source Privacy Proxy Masks PII Before Prompts Reach External AI Services
"Enterprise developers routinely send prompts to external large language models that contain customer emails, support transcripts, and other identifying information, often without a sanitization layer between the application and the API. Dataiku has released Kiji Privacy Proxy, an open-source local gateway that detects and masks personally identifiable information before requests leave the network."
https://www.helpnetsecurity.com/2026/05/01/open-source-pii-privacy-proxy/ - Introducing Model Provenance Kit: Know Where Your AI Models Come From
"Enterprises pulling models from Hugging Face and other open repositories rarely keep records of how those models are altered after download, leaving organizations with little ability to confirm what they are running in production. The State of AI Security 2026 from Cisco places this level of access inside a growing pattern of AI-driven operations that connect directly to core business systems, and identifies AI supply chain exposure as a recurring risk. Cisco has published the Model Provenance Kit, an open-source Python toolkit and command-line interface that determines whether two transformer models share a common origin by examining architecture metadata, tokenizer structure, and the learned weights themselves."
https://blogs.cisco.com/ai/model-provenance-kit
https://github.com/cisco-ai-defense/model-provenance-kit
https://huggingface.co/datasets/cisco-ai/model-provenance-kit
https://www.helpnetsecurity.com/2026/04/30/cisco-ai-model-provenance-kit/
Vulnerabilities
- CISA Adds One Known Exploited Vulnerability To Catalog
"CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2026-31431 Linux Kernel Incorrect Resource Transfer Between Spheres Vulnerability"
https://www.cisa.gov/news-events/alerts/2026/05/01/cisa-adds-one-known-exploited-vulnerability-catalog
https://thehackernews.com/2026/05/cisa-adds-actively-exploited-linux-root.html
Malware
- Critrical cPanel Flaw Mass-Exploited In "Sorry" Ransomware Attacks
"A new disclosed cPanel flaw tracked as CVE-2026-41940 is being mass-exploited to breach websites and encrypt data in "Sorry" ransomware attacks. This week, an emergency update for WHM and cPanel was released to fix a critical authentication bypass flaw that allows attackers to access control panels. WHM and cPanel are Linux-based web hosting control panels for server and website management. While WHM provides server-level control, cPanel provides administrator access to the website backend, webmail, and databases. Soon after its release, it was reported that the flaw was being actively exploited in the wild as a zero-day, with exploitation attempts dating back to late February."
https://www.bleepingcomputer.com/news/security/critrical-cpanel-flaw-mass-exploited-in-sorry-ransomware-attacks/ - Chinese Cybercrime Infrastructure Detected: Automated Exploitation & Harvesting Infrastructure
"SOCRadar Threat Research Team identified automated Chinese cybercrime infrastructure that blends large-scale exploitation with structured orchestration and monetization. The operation is coordinated through a centralized backend (referred to as ‘paperclip‘) and an agent-based workflow system OpenClaw, enabling operators to manage campaigns through structured missions."
https://socradar.io/blog/chinese-cybercrime-exploitation-harvesting/
https://hackread.com/45k-attacks-53k-backdoor-china-cybercrime-operation/ - Darktrace Malware Analysis: Jenkins Honeypot Reveals Emerging Botnet Targeting Online Games
"Darktrace analysts observed attackers exploiting a Jenkins honeypot to deploy a new DDoS botnet targeting video game servers. Leveraging Jenkins scriptText abuse, the malware installs a multi-platform payload, evades detection, and launches UDP, TCP, and application-layer attacks, highlighting ongoing risks from opportunistic botnet activity across internet-facing environments."
https://www.darktrace.com/blog/darktrace-malware-analysis-jenkins-honeypot-reveals-emerging-botnet-targeting-online-games
https://hackread.com/hackers-jenkins-ddos-botnet-gaming-servers/ - Poisoning The Well: AI Supply Chain Attacks On Hugging Face And OpenClaw
"Acronis Threat Research Unit has identified in-the-wild threat activity abusing AI distribution platforms such as Hugging Face and ClawHub to deliver malware disguised as models, datasets and agent extensions. Unlike traditional software supply chain attacks that result in a single system compromise, these campaigns exploit trust in AI ecosystems and agents, enabling malicious functionality to be executed on behalf of users and extending the impact beyond the initial infection. Hugging Face alone hosts over one million machine learning models and hundreds of thousands of datasets, making it a primary distribution layer for AI development."
https://www.acronis.com/en/tru/posts/poisoning-the-well-ai-supply-chain-attacks-on-hugging-face-and-openclaw/
https://www.securityweek.com/hugging-face-clawhub-abused-for-malware-distribution/ - NightSpire: Wannabe Warlords In Ransomware’s Shadow Realm
"NightSpire is a financially motivated ransomware group that was first observed in February 2025 and has claimed 259 victims across dozens of countries as of May 1, 2026. The group has an interesting backstory that will take us beyond its emergence, into 2024 when the NightSpire operators appear to have been working with other developers and different tools. We’ll come back to that."
https://blog.barracuda.com/2026/05/01/nightspire-wannabe-warlords-in-ransomwares-shadow-realm - "AccountDumpling": Hunting Down The Google-Sent Phishing Wave Compromising 30,000+ Facebook Accounts
"30,000 Facebook accounts have been compromised by phishing emails Google itself delivers. Authenticated, signed, and never blocked. We call this ”AccountDumpling”: a Vietnamese-linked operation that turns Google AppSheet into a phishing relay, then sells the stolen accounts back through a storefront run by the same hands. Pulling on that thread led us through Netlify-hosted Facebook clones, Vercel-hosted reward traps, Google Drive-hosted PDFs, and recruiter-style social engineering, all riding the same Google-authenticated relay and feeding the same Telegram bot infrastructure. We mapped roughly 30,000 victims and traced the operation back to a Vietnamese name embedded in a Canva-generated PDF the attackers forgot to scrub. We also recovered enough victim data to reach out directly to many of them, telling them they had been compromised and helping them act before more damage was done."
https://guard.io/labs/accountdumpling---hunting-down-the-google-sent-phishing-wave-compromising-30-000-facebook-accounts
https://thehackernews.com/2026/05/30000-facebook-accounts-hacked-via.html
https://hackread.com/google-appsheet-facebook-accountdumpling-scam/
- Malicious Ruby Gems And Go Modules Impersonate Developer Tools To Steal Secrets And Poison CI
"We investigated the GitHub account BufferZoneCorp, which published a cluster of repositories linked to malicious Ruby gems and Go modules. The account is part of a software supply chain campaign targeting developers, CI runners, and build environments across two ecosystems. On the Ruby side, the analyzed gems automate secret theft. They harvest secret-bearing environment variables and read local credential material such as SSH keys, AWS credentials, .npmrc, .netrc, GitHub CLI configuration, and RubyGems credentials, then send the collected data to a hidden exfiltration endpoint."
https://socket.dev/blog/malicious-ruby-gems-and-go-modules-steal-secrets-poison-ci
https://thehackernews.com/2026/05/poisoned-ruby-gems-and-go-modules.html - Cyber Spies Target Russian Aviation Firms To Steal Satellite And GPS Data
"A cyber-espionage group has been targeting Russian government agencies and companies in the aviation industry to steal sensitive geospatial data, according to a report released this week. The group, known as HeartlessSoul, has been active since at least September 2025 and has carried out cyberattacks designed to infiltrate Russian organizations and individual users, researchers at Russian cybersecurity firm Kaspersky said. The attackers appear particularly interested in obtaining geographic information system (GIS) data — specialized file formats that can reveal detailed information about infrastructure such as roads, engineering networks, terrain and potentially strategic facilities. Such files are commonly used by engineering, government and industrial organizations and can contain detailed mapping data."
https://therecord.media/russia-cyber-espionage-aviation - Pro-Iran Crew Turns DDoS Into Shakedown As Ubuntu.com Stays Down
"Canonical says its web infrastructure is under attack after a pro-Iran hacktivist group instructed its members to target the open source giant. "I can confirm that Canonical's web infrastructure is under a sustained, cross-border Distributed Denial of Service (DDoS) attack" a Canonical spokesperson told The Register. "Our teams are working to restore full availability to all affected services. We will provide updates in our official channels as soon as we are able to.""
https://www.theregister.com/2026/05/01/canonical_confirms_ubuntu_infrastructure_under/ - ConsentFix v3 Attacks Target Azure With Automated OAuth Abuse
"A new attack type, dubbed ConsentFix v3, has been circulating on hacker forums as an improved technique that automates attacks against Microsoft Azure. The first version of ConsentFix was presented by Push Security last December as a variation of ClickFix for OAuth phishing attacks, which tricks victims into completing a legitimate Microsoft login flow via the Azure CLI. Using social engineering, the attacker fooled victims into pasting a localhost URL containing an OAuth authorization code that can be used to obtain tokens and hijack the account without passwords, despite multi-factor authentication (MFA)."
https://www.bleepingcomputer.com/news/security/consentfix-v3-attacks-target-azure-with-automated-oauth-abuse/ - Telegram Mini Apps Abused For Crypto Scams, Android Malware Delivery
"Cybersecurity researchers have uncovered a large-scale fraud operation that uses Telegram’s Mini App feature to run crypto scams, impersonate well-known brands, and distribute Android malware. A new report by CTM360 says the platform, dubbed FEMITBOT, is based on a string found in API responses and uses Telegram bots and embedded Mini Apps to create convincing, app-like experiences directly within the messaging platform. Telegram Mini Apps are lightweight web applications that run inside Telegram’s built-in browser, enabling services such as payments, account access, and interactive tools without requiring users to leave the app."
https://www.bleepingcomputer.com/news/security/telegram-mini-apps-abused-for-crypto-scams-android-malware-delivery/
https://www.ctm360.com/reports/femitbot-telegram-mini-apps-fraud-campaigns - MiniRAT: A Go-Based MacOS RAT Delivered Via Malicious Npm Package
"A newly analyzed Go-based macOS remote access trojan (RAT), internally named Minirat, has surfaced in the wild using anti-VM checks, LaunchAgent persistence, and AES-encrypted command and control (C2) configuration to maintain stealthy, long-term access on victim endpoints. According to SafeDep, the initial infection vector was a malicious npm package (velora-dex-sdk) that dropped the Go-based macOS RAT onto developer endpoints."
https://www.iru.com/blog/minirat
Breaches/Hacks/Leaks
- Edu Tech Firm Instructure Discloses Cyber Incident, Probes Impact
"Instructure, the company behind the widely used Canvas learning platform, has disclosed that it recently suffered a cybersecurity incident and is now investigating its impact. The U.S.-based education technology company is best known for developing Canvas, a widely used learning management system that helps schools, universities, and organizations manage coursework, assignments, and online learning. "Instructure recently experienced a cybersecurity incident perpetrated by a criminal threat actor. We are actively investigating this incident with the help of outside forensics experts," reads a statement from Steve Proud, Chief Security Officer."
https://www.bleepingcomputer.com/news/security/edu-tech-firm-instructure-discloses-cyber-incident-probes-impact/
https://www.bleepingcomputer.com/news/security/instructure-confirms-data-breach-shinyhunters-claims-attack/ - Trellix Confirms Source Code Breach With Unauthorized Repository Access
"Cybersecurity company Trellix has announced that it suffered a breach that enabled unauthorized access to a "portion" of its source code. It said it "recently identified" the compromise of its source code repository and that it began working with "leading forensic experts" to resolve the matter immediately. It also said it has notified law enforcement of the matter. Trellix did not disclose the exact nature of the data that may have been accessed by the attackers. However, it pointed out that there are no indications that its source code has been affected or exploited."
https://thehackernews.com/2026/05/trellix-confirms-source-code-breach.html
https://securityaffairs.com/191584/data-breach/trellix-discloses-the-breach-of-a-code-repository.html - Salt Typhoon Breach IBM Subsidiary In Italy: a Warning For Europe’s Digital Defenses
"In late April 2026, the Italian cybersecurity landscape was shaken by a significant breach targeting Sistemi Informativi, a company wholly owned by IBM Italy that provides IT infrastructure management for key public and private institutions. The incident, first reported by La Repubblica, has raised fresh concerns about the growing reach of Chinese-linked cyber operations in Europe. Sistemi Informativi is central to Italy’s digital infrastructure, managing systems for public agencies and key industries. Its outage quickly raised alarms among cybersecurity authorities and critical infrastructure operators. IBM confirmed the security breach through an official statement, acknowledging that it had “identified and contained a cybersecurity incident” and had activated incident response protocols involving both in-house and external specialists. The company said systems are now stable and services restored, but gave no details on the breach’s scope. Its website stayed offline for hours during containment."
https://securityaffairs.com/191638/apt/salt-typhoon-breach-ibm-subsidiary-in-italy-a-warning-for-europes-digital-defenses.html
General News
- 15-Year-Old Detained Over French Govt Agency Data Breach
"French authorities have detained a 15-year-old suspected of selling data stolen in a cyberattack on France Titres (ANTS), the country’s agency for issuing and managing administrative documents. The government agency confirmed the breach and the authenticity of the data offered for sale on a cybercriminal forum by someone using the alias ‘breach3d’. On April 13, ANTS detected suspicious activity on its network and notified authorities a few days later, on April 16, the Paris Prosecutor’s Office said. Following an investigation, the authorities believe that the suspected 15-year-old used the moniker ‘breach3d’ to offer for sale between 12 and 18 million records stolen in the ANTS data breach."
https://www.bleepingcomputer.com/news/security/15-year-old-detained-over-french-govt-agency-data-breach/ - North Korea Stole 76% Of All Crypto Hack Value In 2026 — With Just Two Attacks
"North Korean hacking groups accounted for 76% of all crypto hack losses in 2026 through April — not because North Korea launched a wave of attacks, but because two attacks totaling USD 577 million dwarfed everything else. The Drift Protocol breach on April 1 (USD 285 million) and the KelpDAO bridge exploit on April 18 (USD 292 million) represent 3% of 2026 incident count and 76% of stolen value. That ratio — small number of attacks, outsized share of losses — has characterized North Korea's approach across most years since 2017."
https://www.trmlabs.com/resources/blog/north-korea-stole-76-of-all-crypto-hack-value-in-2026-with-just-two-attacks
https://www.darkreading.com/cybersecurity-analytics/crypto-stolen-2026-north-korea - Preparing For a ‘vulnerability Patch Wave’
"Whether they are technology producers and vendors, or consumers and operators, all organisations have ‘technical debt’; a backlog of technical issues – that is both expensive and time-consuming – as a result of prioritising short-term gains over building resilient products. Artificial Intelligence, when used by sufficiently-skilled and knowledgeable individuals, is showing the ability to exploit this technical debt at scale and at pace across the technology ecosystem. As a result, the NCSC expect there will be a ‘forced correction’ to address this technical debt across all types of software, including open source, commercial, proprietary and software as a service."
https://www.ncsc.gov.uk/blogs/prepare-for-vulnerability-patch-wave
https://therecord.media/british-cyber-ai-patch-wave
https://www.theregister.com/2026/05/02/ncsc_brace_for_patch_tsunami/ - Careful Adoption Of Agentic AI Services
"CISA, in collaboration with the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) and other international and U.S. partners, released guidance for organizations on adopting agentic artificial intelligence (AI) systems. This guide outlines key security challenges and risks associated with agentic AI, and provides actionable steps for designing, deploying, and operating these systems safely. It helps organizations align AI risk management with existing cybersecurity frameworks and strengthen oversight as agentic AI adoption grows."
https://www.cisa.gov/resources-tools/resources/careful-adoption-agentic-ai-services
https://www.cyber.gov.au/business-government/secure-design/artificial-intelligence/careful-adoption-of-agentic-ai-services
https://www.cyber.gov.au/sites/default/files/2026-05/careful_adoption_of_agentic_ai_services.pdf
https://cyberscoop.com/cisa-nsa-five-eyes-guidance-secure-deployment-ai-agents/ - Microsoft Defender Wrongly Flags DigiCert Certs As Trojan:Win32/Cerdigent.A!dha
"Microsoft Defender is detecting legitimate DigiCert root certificates as Trojan:Win32/Cerdigent.A!dha, resulting in widespread false-positive alerts, and in some cases, removing certificates from Windows. According to cybersecurity expert Florian Roth, the issue first appeared after Microsoft added the detections to a Defender signature update on April 30th. Today, administrators worldwide began reporting that DigiCert root certificate entries were flagged as malware and, on affected systems, removed from the Windows trust store."
https://www.bleepingcomputer.com/news/security/microsoft-defender-wrongly-flags-digicert-certs-as-trojan-win32-cerdigentadha/
https://bugzilla.mozilla.org/show_bug.cgi?id=2033170 - Shadow AI Risks Deepen As 31% Of Users Get No Employer Training
"Between one-fifth and one-third of workers use AI outside the influence and governance of the IT function, according to a global survey of 6,000 full-time employees at enterprise organizations. Researchers found a widening gap between employee AI adoption and the controls organizations have in place to manage it. The Lenovo Work Reborn Research Series 2026 report documents a workforce split into two groups: employees equipped with IT-managed tools, training, and oversight, and those operating independently with consumer AI services."
https://www.helpnetsecurity.com/2026/05/01/shadow-ai-risks-it-oversight/ - Network Stats For Q1 2026: Neocloud Traffic Trends
"Welcome to our second quarterly Network Stats report covering Q1 of 2026. Along with Drive Stats and Performance Stats, Network Stats pulls back the curtain on real-world infrastructure data, particularly how network-level analytics reflect emerging AI industry trends and usage patterns. One of the roles of the Network Engineering (NetEng) team at Backblaze is to monitor how traffic moves into, out of, and across our platform—not just day-to-day, but over time as customer behavior and industry dynamics evolve. Right now, few forces are reshaping networks faster than AI. With the launch of B2 Overdrive in April 2025, we built a direct, high-performance path between our storage layers and neoclouds where processing, inference, and modeling take place. It has given us a front-row seat to the impact of AI and how network behavior is changing with it. This quarter, in addition to our regular data analysis, we’ve added some geographic heatmaps to understand where and how data is moving."
https://www.backblaze.com/blog/network-stats-for-q1-2026-neocloud-traffic-trends/
https://www.helpnetsecurity.com/2026/05/01/backblaze-ai-network-traffic-trends-report/ - Ransomware And Cyber Extortion In Q1 2026
"In Q1 2026, ransomware pressure increased in two directions: established groups like “Akira” and “Qilin” maintained high victim volumes, while newer actors added noise and uncertainty. “The Gentlemen” broke into the top tier, showing how quickly a capable group can scale. Meanwhile, “0APT” and “ALP-001” appeared to use questionable leak claims to pressure large enterprises. Extortion group “ShinyHunters” showed that identity-first intrusions and software-as-a-service (SaaS)-native data theft can deliver major impact without deploying encryptors. Defenders must prioritize the common behaviors that drive ransomware impact, including abuse of external remote services, identity compromise, lateral movement over administrative protocols, and defense evasion."
https://reliaquest.com/blog/threat-spotlight-ransomware-and-cyber-extortion-in-q1-2026/
อ้างอิง
Electronic Transactions Development Agency (ETDA) 
