# Top Stories

CISA added the "Copy Fail" Linux vulnerability (CVE-2026-31431, CVSS 7.8) to its KEV catalog after threat actors began exploiting it for local privilege escalation on Linux systems. The flaw affects mainstream Linux distributions built since 2017 and allows attackers to gain root access, with exploitation beginning just one day after researchers disclosed a proof-of-concept exploit.

Over 40,000 servers have been compromised in ongoing attacks exploiting CVE-2026-41940, a recently patched zero-day vulnerability in cPanel that grants administrative access. The exploitation is targeting government, military entities in Southeast Asia, and MSPs across multiple countries including the Philippines, Laos, Canada, and the U.S.

A critical authentication bypass vulnerability in cPanel has sparked widespread exploitation with multiple proof-of-concept exploits appearing shortly after disclosure. One researcher claims there has been zero-day activity for at least a month, threatening millions of users who rely on the popular web hosting control panel.

Progress Software issued patches for two MOVEit Automation vulnerabilities, including a critical authentication bypass flaw that could compromise the enterprise managed file transfer application. MOVEit Automation is used to schedule and automate file movement workflows in enterprise environments without requiring custom scripts.

Cybersecurity firm Trellix disclosed a data breach after attackers gained unauthorized access to a portion of its source code repository. The company's investigation found no impact on its source code release or distribution processes, but the incident highlights risks to security vendors' intellectual property.

Educational technology giant Instructure confirmed a data breach with the ShinyHunters extortion gang claiming responsibility for the attack. The breach compromised names, email addresses, student ID numbers, and messages between users at educational institutions using Instructure's platforms.

The VENOMOUS#HELPER phishing campaign has targeted over 80 organizations since April 2025, primarily in the U.S., using legitimate RMM tools SimpleHelp and ScreenConnect to establish persistent remote access. Attackers abuse these remote monitoring and management tools to evade detection after initial compromise through phishing vectors.

A malicious version of the PyTorch Lightning package on the Python Package Index (PyPI) delivers credential-stealing malware targeting browsers, environment files, and cloud services. This supply chain attack demonstrates the ongoing threat to open-source package repositories used by machine learning developers.

DigiCert revoked certificates after hackers delivered malware through a customer chat channel, infected an analyst's system, and gained access to the internal support portal. The certificate authority took immediate action to prevent potential abuse of its digital certificate infrastructure.

China-based Silver Fox APT group deployed over 1,600 tax-themed phishing emails targeting organizations in Russia and India with the new ABCDoor backdoor malware. The campaign used fake correspondence from India's Income Tax Department in December 2025, followed by similar attacks against Russian entities.