Perceptive Security
SOC/SIEM Consultancy

⚡ Weekly Recap: AI-Powered Phishing, Android Spying Tool, Linux Exploit, GitHub RCE & More
Published:
4 May 2026 at 14:23:00
Alert date:
4 May 2026 at 16:04:41
Source:
thehackernews.com
Operating Systems, Mobile & IoT, Cloud & Virtualization, Web Technologies, Enterprise Applications, Supply Chain & Dependencies, Ransomware & Malware, Zero-Day Vulnerabilities, Identity & Access, Data Breach & Exfiltration, Security Tools, Email & Messaging
Weekly security recap covering multiple high-impact threats, including AI-powered phishing campaigns, Android spying tools, Linux kernel exploits, and GitHub remote code execution vulnerabilities. The article highlights how attackers have shifted from simple breach tactics to persistent occupation strategies: living inside SaaS sessions and abusing trusted commit processes. Threats are escalating faster than security teams can patch and respond to the previous month's alerts. Attackers are turning control panels into kill switches and exploiting open-source pipelines as delivery systems.
Technical details
This weekly recap covers multiple cybersecurity incidents, including:
CVE-2026-41940: a critical cPanel/WHM authentication bypass vulnerability under active exploitation, leading to website wipes and ransomware deployment
CVE-2026-31431 'Copy Fail': a Linux kernel logic bug allowing 100% reliable privilege escalation via a 732-byte Python exploit
TeamPCP's supply chain attacks compromising npm, PyPI, and Packagist packages using legitimate CI/CD pipelines
DEEP#DOOR: a Python backdoor framework providing persistent remote access and surveillance capabilities
CVE-2026-3854: a GitHub RCE vulnerability allowing code execution with a single git push
VECT 2.0 ransomware, whose flawed encryption destroys large files
KidsProtect: an Android surveillance tool sold as a subscription service
Various phishing campaigns using AI-powered techniques and legitimate platforms for credential theft
Mitigation steps:
Apply patches immediately for CVE-2026-41940 (cPanel/WHM), CVE-2026-31431 (Linux kernel), and other listed CVEs
Check for affected package versions in supply chain and rotate credentials tied to CI/CD pipelines
Monitor for suspicious authentication activities and MFA device changes
Implement behavioral monitoring for SaaS environments
Review and restrict pipeline credential scopes
Add visibility into build and installation processes
Monitor for Teams-based phishing attempts from IT impersonators
Check systems for signs of DEEP#DOOR, KarstoRAT, or other mentioned malware
Verify integrity of open-source dependencies
Implement network monitoring for residential proxy traffic patterns
Review email security controls against vishing campaigns
Monitor for unauthorized remote access tool usage
Affected products:
cPanel and WebHost Manager (WHM)
Linux kernel (distributions from 2017)
PyPI packages
npm packages
Packagist packages
GitHub.com and GitHub Enterprise Server
Android devices
Windows systems
Mozilla Firefox and Tor Browser
ProFTPD
OpenEMR
Google Chrome
CPython
SonicWall
OpenSSH
FreeBSD
Exim
Wireshark
Jenkins
Notepad++
CODESYS
EnOcean SmartServer IoT platform
Microsoft Teams
Telegram Desktop
ClickUp
Related links:
https://thehackernews.com/2026/05/critical-cpanel-vulnerability.html
https://www.reddit.com/r/cpanel/comments/1t0pobt/our_site_got_hacked_need_help/
https://thehackernews.com/2026/05/cybercrime-groups-using-vishing-and-sso.html
https://thehackernews.com/2026/05/cisa-adds-actively-exploited-linux-root.html
https://thehackernews.com/2026/04/pytorch-lightning-compromised-in-pypi.html
https://thehackernews.com/2026/04/new-python-backdoor-uses-tunneling.html
https://thehackernews.com/2026/04/researchers-discover-critical-github.html
https://thehackernews.com/2026/04/vect-20-ransomware-irreversibly.html
https://github.com/cisco-ai-defense/model-provenance-kit
https://github.com/SignalPilot-Labs/AutoFyn
Related CVEs:
Related threat actors:
IOCs:
battleflight[.]pro, api.ipify[.]org, TEMP\diag.zip, Mirai botnet variants, Sorry ransomware, Discord webhook exfiltration, BunnyCDN-hosted infrastructure, DEEP#DOOR backdoor, KidsProtect Android app, KYCShadow Android malware, KarstoRAT malware, VECT 2.0 ransomware, Bluekit phishing kit, FEMITBOT infrastructure
This article was created with the assistance of AI technology by Perceptive.
