# Top Stories
May 02, 2026
-
1. The Record | threat-intel | May 01 | Nearly every Linux system built since 2017 vulnerable to ‘Copy Fail’ flaw
A newly discovered Linux kernel vulnerability dubbed 'Copy Fail' (CVE-2026-31431) affects nearly every Linux system built since 2017, allowing unprivileged local attackers to gain root permissions. The flaw impacts the kernel's authencesn cryptographic template and has been hiding in major distributions for nearly a decade, with a 10-line proof-of-concept exploit already published.
-
2. BleepingComputer | general | Apr 30 | Critical cPanel and WHM bug exploited as a zero-day, PoC now available
CVE-2026-41940, a critical authentication bypass vulnerability in cPanel and WHM, has been actively exploited as a zero-day since late February 2026. CISA has ordered federal agencies to patch by Sunday, as successful exploitation grants attackers complete control over cPanel host systems, configurations, databases, and managed websites.
-
3. Dark Reading | general | May 01 | 76% of All Crypto Stolen in 2026 Is Now in North Korea
North Korean threat actors now control 76% of all cryptocurrency stolen in 2026, conducting historic heists on a weekly basis with potential AI assistance. This represents a significant escalation in state-sponsored cryptocurrency theft targeting global financial infrastructure.
-
4. The Hacker News | general | May 01 | 30,000 Facebook Accounts Hacked via Google AppSheet Phishing Campaign
Vietnamese threat actors used Google AppSheet as a 'phishing relay' in the AccountDumpling campaign, compromising approximately 30,000 Facebook accounts through sophisticated phishing emails. The stolen accounts were then sold through an illicit storefront operated by the attackers.
-
5. BleepingComputer | general | May 01 | 15-year-old detained over French govt agency data breach
French authorities detained a 15-year-old suspect for selling data stolen from France Titres (ANTS), the French agency responsible for issuing administrative documents including passports and driver's licenses. The incident represents a significant breach of France's national identity infrastructure.
-
6. The Record | threat-intel | May 01 | Cyber incident responders who carried out ransomware attacks given 4-year sentences
Two cybersecurity incident responders, Ryan Goldberg (Sygnia) and Kevin Martin (DigitalMint), received 4-year prison sentences for secretly conducting BlackCat ransomware attacks against their own clients between April and December 2023. The case highlights insider threats within the cybersecurity incident response industry.
-
7. The Hacker News | general | May 01 | Cybercrime Groups Using Vishing and SSO Abuse in Rapid SaaS Extortion Attacks
CrowdStrike identified Cordial Spider (UNC6671) and Snarky Spider (UNC6661) conducting rapid SaaS environment attacks using voice phishing and SSO abuse for data theft and extortion. These threat groups operate almost entirely within SaaS platforms while leaving minimal forensic traces.
-
8. The Hacker News | general | May 01 | China-Linked Hackers Target Asian Governments, NATO State, Journalists, and Activists
China-aligned threat group SHADOW-EARTH-053 is targeting government and defense sectors across South, East, and Southeast Asia, plus one NATO member state in Europe. The campaign also targets journalists and activists, indicating both espionage and influence operations.
-
9. The Hacker News | general | May 01 | Poisoned Ruby Gems and Go Modules Exploit CI Pipelines for Credential Theft
The GitHub account 'BufferZoneCorp' published malicious Ruby gems and Go modules targeting CI pipelines for credential theft, GitHub Actions tampering, and SSH persistence. The supply chain attack uses sleeper packages to subsequently deliver malicious payloads in development environments.
-
10. The Hacker News | general | Apr 30 | New Python Backdoor Uses Tunneling Service to Steal Browser and Cloud Credentials
Researchers disclosed DEEP#DOOR, a stealthy Python-based backdoor framework that disables Windows security controls via 'install_obf.bat' and harvests browser credentials, cloud service tokens, and system information. The malware establishes persistent access through tunneling services for covert data exfiltration.