In today’s cybersecurity news…
Critical cPanel and WHM bug exploited as zero-day
Experts are warning about a critical authentication bypass vulnerability, tracked as CVE-2026-41940, in cPanel, a Linux-based web hosting control panel, as well as in WHM and WP Squared. The bug is being actively exploited in the wild: hosting provider KnownHost, which runs cPanel, said it saw successful exploitation on the very day the vulnerability was disclosed. cPanel released a fix on Tuesday, after pressure from hosting providers. According to Rapid7, “Shodan internet scans show that there are approximately 1.5 million cPanel instances exposed online,” but there is no data on how many of those are vulnerable to this particular bug.
Swiss police arrest suspected members of Black Axe group
The arrests, made in conjunction with German police, followed house searches across several Swiss cantons. The 10 suspects, believed to be members of the Nigerian gang and aged between 32 and 54, are accused of running romance scams and money-laundering operations. Black Axe itself is regarded by law enforcement as “a highly structured transnational criminal organization with a global presence.” Authorities “believe the group has about 30,000 registered members worldwide” and describe it as highly organized.
HHS ponders government posture for protecting data centers
The question is whether to designate data centers as a standalone critical infrastructure sector. Given that they are regularly targeted, a hearing held on Wednesday weighed whether the federal government currently has the right structure for defending them. “Some industry witnesses and experts at the hearing of the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection suggested that data centers be given their own standalone designation, especially in light of the boom in the building of such facilities across the country.” This would follow a move already taken by the UK.
New Python backdoor uses tunneling service to steal browser and cloud credentials
Researchers at security firm Securonix have disclosed details of a stealthy Python-based backdoor framework called DEEP#DOOR that “comes with capabilities to establish persistent access and harvest a wide range of sensitive information from compromised hosts.” The initial dropper, a batch script, is distributed via phishing. Although it is not known how widespread the distribution is, the attack chain is noteworthy in that the core Python implant is embedded directly inside the dropper script, which reduces the need to repeatedly reach out to external infrastructure and so minimizes the forensic footprint.
Huge thanks to our sponsor, Guardsquare

Almost half of UK businesses pwned last year through phishing
According to the UK government’s latest Cyber Security Breaches Survey, released yesterday, 43 percent of businesses and 28 percent of charities reported a cyber incident in the past year. That translates to approximately 612,000 UK businesses and 57,000 UK charities, and the figures have not improved since the last report. Phishing remains the most successful way in, the report says, especially impersonation emails that pose as tech support and send employees to fake login pages. Malware, ransomware, and unauthorized access all trail some distance behind.
North Korean attacks use AI-inserted npm malware
Researchers at ReversingLabs are warning of malicious code in an npm package that was added to a project as a dependency by Anthropic’s Claude Opus large language model (LLM). The package in question is “@validate-sdk/v2,” listed on npm as a utility software development kit (SDK) for hashing, validation, encoding/decoding, and secure random generation. “However, its real functionality is to plunder sensitive secrets from the compromised environment. The package, which shows signs of being vibe-coded using generative artificial intelligence (AI), was first uploaded to the repository in October 2025.” ReversingLabs has named the campaign PromptMink and has linked it to the North Korean threat actor Famous Chollima.
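A malicious package that an LLM or a teammate added as a dependency rarely sits at the top level; it is usually nested under something else in the lockfile. The script below is an added example, not code from ReversingLabs or from npm: it parses a package-lock.json (lockfileVersion 2/3 layout, the "packages" map keyed by install path), finds every installed copy of a blocklisted package, and walks the declared dependencies back to the project root to show how it got there. The lockfile contents and the "some-utils" package are constructed for the demonstration; only "@validate-sdk/v2" comes from the item above.

```python
import json

# Package named in the ReversingLabs item above; extend the set with your own blocklist.
BAD_PACKAGES = {"@validate-sdk/v2"}

# Constructed package-lock.json (lockfileVersion 2/3 layout) for the demonstration.
# "some-utils" is a made-up package that pulls the bad one in as a nested dependency.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"some-utils": "^1.0.0", "lodash": "^4.17.21"}},
        "node_modules/lodash": {"version": "4.17.21"},
        "node_modules/some-utils": {"version": "1.0.0", "dependencies": {"@validate-sdk/v2": "^2.0.0"}},
        "node_modules/some-utils/node_modules/@validate-sdk/v2": {"version": "2.0.1"},
    },
})


def package_name(path):
    """'node_modules/a/node_modules/@scope/b' -> '@scope/b' (scoped names keep their slash)."""
    return path.rsplit("node_modules/", 1)[-1]


def find_bad_packages(lock_text, bad=BAD_PACKAGES):
    """Return (name, version, install path) for every installed copy of a blocklisted package,
    nested copies included, since npm may install the same package several times."""
    lock = json.loads(lock_text)
    if "packages" not in lock:
        raise ValueError("lockfileVersion 1 layout is not handled by this example")
    hits = []
    for path, meta in lock["packages"].items():
        if path and package_name(path) in bad:  # "" is the project root entry
            hits.append((package_name(path), meta.get("version"), path))
    return hits


def dependents(lock_text, name):
    """Install paths of packages whose declared dependencies include `name`;
    the project root entry ("") is reported as '<project root>'."""
    lock = json.loads(lock_text)
    out = []
    for path, meta in lock.get("packages", {}).items():
        for field in ("dependencies", "optionalDependencies", "peerDependencies"):
            if name in meta.get(field, {}):
                out.append(path or "<project root>")
                break
    return out


def dependency_chain(lock_text, name):
    """Follow the first dependent upward until the project root, giving a readable chain
    such as ['<project root>', 'some-utils', '@validate-sdk/v2']. Stops on cycles."""
    chain = [name]
    current = name
    seen = set()
    while current not in seen:
        seen.add(current)
        parents = dependents(lock_text, current)
        if not parents:
            break
        if "<project root>" in parents:
            chain.append("<project root>")
            break
        current = package_name(parents[0])
        chain.append(current)
    return list(reversed(chain))


if __name__ == "__main__":
    for name, version, path in find_bad_packages(SAMPLE_LOCK):
        print(f"BLOCKLISTED {name}@{version} at {path}")
        print("  chain:", " -> ".join(dependency_chain(SAMPLE_LOCK, name)))
```

Run it against a real lockfile by replacing SAMPLE_LOCK with the file's contents. Checking the lockfile rather than package.json matters because the report's package arrived as a dependency of something else; a top-level grep would miss it.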
Delia Ramirez takes over as top House cybersecurity Democrat
The Illinois Representative is “taking over as the top Democrat on the House Homeland Security panel’s cybersecurity subcommittee, replacing former Rep. Eric Swalwell after his resignation.” She is a vocal critic of the CISA cutbacks and of the current administration’s Department of Government Efficiency initiative led by Elon Musk. She has also expressed “criticisms of U.S. cybersecurity under the Biden administration, including of Microsoft’s role in the SolarWinds breach.”
LiteLLM bug exploited 36 hours after its disclosure
Attackers began exploiting a critical flaw in the LiteLLM Python package (CVE-2026-42208) “to access and modify sensitive database data via SQL injection” within about 36 hours of it becoming public. The vulnerability is “an SQL injection in the proxy API key verification process [that] lets attackers access and potentially modify database data.” No valid credentials are needed: “By sending a specially crafted Authorization header to an API endpoint (such as /chat/completions), they can manipulate the query executed by the database.” Researchers at the Sysdig Threat Research Team have observed the attacks in the wild.
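To make the bug class concrete, here is an added example that is not LiteLLM's code and does not reproduce its actual vulnerable query: a minimal API-key check that interpolates the bearer token from the Authorization header into SQL text, beside the same check with a bound parameter, plus a triage helper for spotting injection attempts in access logs. The table, key value, and function names are this example's own; the store keeps raw key values (real stores hash them) only so the injected SQL is easy to read. The stdlib sqlite3 driver refuses stacked statements, so the demo shows unauthenticated access and data read-out; the "modify" half of the advisory would additionally need a driver or database that executes multiple statements per call.

```python
import sqlite3

# Constructed stand-in for a proxy's API-key table (example's own schema and key).
VALID_KEY = "sk-demo-0123456789abcdef"


def make_key_store():
    """Build an in-memory SQLite database holding one valid API key."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE api_keys (token TEXT PRIMARY KEY, owner TEXT, budget REAL)")
    conn.execute("INSERT INTO api_keys VALUES (?, ?, ?)", (VALID_KEY, "alice", 100.0))
    conn.commit()
    return conn


def bearer_token(auth_header):
    """Return the token part of 'Bearer <token>', or None for any other header shape."""
    scheme, _, token = auth_header.strip().partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    return token


def verify_key_vulnerable(conn, auth_header):
    """Key lookup that pastes the header value into the SQL text: the bug class above."""
    token = bearer_token(auth_header)
    if token is None:
        return None
    sql = f"SELECT owner FROM api_keys WHERE token = '{token}'"  # BUG: attacker controls the SQL
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def verify_key_hardened(conn, auth_header):
    """Same lookup with a bound parameter: the token is only ever compared as a value."""
    token = bearer_token(auth_header)
    if token is None:
        return None
    row = conn.execute("SELECT owner FROM api_keys WHERE token = ?", (token,)).fetchone()
    return row[0] if row else None


# Real API keys are short URL-safe strings, so any of these inside a bearer token is a signal.
SUSPICIOUS_FRAGMENTS = ("'", '"', ";", "--", "/*", " or ", " union ", " select ")


def suspicious_authorization(auth_header):
    """Cheap triage for access logs: True if the bearer token carries SQL syntax."""
    token = bearer_token(auth_header)
    if token is None:
        return False
    padded = f" {token.lower()} "  # padding lets ' or ' match at either end of the token
    return any(frag in padded for frag in SUSPICIOUS_FRAGMENTS)


if __name__ == "__main__":
    db = make_key_store()
    bypass = "Bearer ' OR '1'='1"
    exfil = "Bearer x' UNION SELECT owner || ':' || budget FROM api_keys WHERE '1'='1"
    print("vulnerable, bypass :", verify_key_vulnerable(db, bypass))  # alice
    print("vulnerable, exfil  :", verify_key_vulnerable(db, exfil))   # alice:100.0
    print("hardened, bypass   :", verify_key_hardened(db, bypass))    # None
    print("flagged in logs    :", suspicious_authorization(exfil))   # True
```

The two verify functions differ by one line; the point is that the hardened version never lets the header change the shape of the query, whatever it contains. If your proxy logs Authorization headers (many redact them), the triage helper is a quick first pass over the time window since disclosure.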