In today’s cybersecurity news…
cPanel, WHM release fixes for three new vulnerabilities
This is not a follow-up to last week’s report of a cPanel and WHM flaw: these are three new vulnerabilities that could also be exploited to achieve privilege escalation, code execution, and denial-of-service. The CVE-numbered vulnerabilities, two of which have CVSS scores of 8.8, have been patched, and users are advised to update to the latest versions for optimal protection. There is no evidence that these three vulnerabilities have been exploited in the wild. The CVE numbers and details on these vulnerabilities are available in the show notes to this episode.
CVE-2026-29201 (CVSS score: 4.3) – An insufficient input validation of the feature file name in the “feature::LOADFEATUREFILE” adminbin call that could result in an arbitrary file read.
CVE-2026-29202 (CVSS score: 8.8) – An insufficient input validation of the “plugin” parameter in the “create_user API” call that could result in arbitrary Perl code execution on behalf of the already authenticated account’s system user.
CVE-2026-29203 (CVSS score: 8.8) – An unsafe symlink handling vulnerability that allows a user to modify access permissions of an arbitrary file using chmod, resulting in denial-of-service or possible privilege escalation.
Official JDownloader site serves malware to Windows and Linux users
The website belonging to JDownloader, the free, open-source download management application used by millions, was hacked and forced to distribute malicious Windows and Linux installers carrying a Python RAT. This occurred on May 6 and 7 of this year. The attack targeted users downloading the Windows “Alternative Installer” and the Linux shell installer. JDownloader developers confirmed the breach and temporarily shut down the website to investigate.
Sen. Schumer seeks DHS plan on AI cyber coordination
The Senate’s top Democrat “called on the Department of Homeland Security Friday to work closely with state and local governments to defend against artificial intelligence-strengthened hacks.” The Senate Minority Leader wrote to DHS Secretary Markwayne Mullin to make sure state, local, tribal and territorial (SLTT) governments “aren’t left behind as AI models advance, posing new hacking threats.” In his letter, he stated that it was “glaringly obvious that the Department of Homeland Security needs an updated plan for coordinating these efforts with the respective governments.” Schumer wants a plan from DHS by July 1.
EU considers restricting use of U.S. cloud platforms for sensitive government data
The European Union is considering imposing rules to restrict its member governments’ use of U.S. cloud providers to handle sensitive data as part of its “Tech Sovereignty Package” due to be released on May 27. The package is intended to bolster the bloc’s strategic autonomy in key digital areas. The new rules come at a time of increased tensions between EU members and the current U.S. administration. The discussions, however, do not relate to private-sector companies.
(CNBC)
Multiple universities reschedule final exams following Canvas cyber incident
Following up on a story we covered on Tuesday, many universities across the U.S. have been forced to delay final exams this week following a cyberattack on the popular education software provider, Canvas. Students encountered an online message from the ShinyHunters cybercriminal gang that said they breached the Canvas creator Instructure “again” due to a lack of ransom negotiations. Universities affected include Baylor, the Universities of Texas, Pennsylvania, Oklahoma, and Florida, as well as Iowa State, Duke, Northwestern, Princeton, and Ohio State, along with many K-12 school districts.
Fake OpenAI repository on Hugging Face pushes infostealer malware
“A malicious Hugging Face repository that reached the platform’s trending list impersonated OpenAI’s “Privacy Filter” project to deliver information-stealing malware to Windows users.” It accumulated 244,000 downloads before the platform responded to reports and removed it. Hugging Face is a platform that “lets developers and researchers share AI models, datasets, and machine learning (ML) tools.” Researchers at HiddenLayer, a company focused on safeguarding AI and ML models against attacks, discovered the campaign on May 7, after noticing a malicious repository named Open-OSS/privacy-filter, which had typosquatted OpenAI’s legitimate Privacy Filter release.
Police shut down rebooted Crimenetwork marketplace
German authorities have shut down a relaunched version of the criminal marketplace Crimenetwork, which had been the largest online cybercrime marketplace in Germany, operating since 2012 and with 100,000 registered users. A 35-year-old German citizen suspected of administering the new Crimenetwork was arrested at his residence in Mallorca, Spain, by a special unit of the Spanish National Police under a European arrest warrant. The suspect is “accused of having built and administered a completely new technical infrastructure only a few days after the shutdown of the previous version of Crimenetwork and following the arrest of its former administrator in December 2024.”
Virginia man convicted of deleting 96 government databases
A Virginia man, Sohaib Akhter, faces up to 21 years in federal prison for his role in deleting 96 government databases and stealing an individual’s password, which led to their email account being accessed without permission. He had “provided his twin brother Muneem, who also worked at the same unnamed company hosting government agencies’ data, with the password of someone who filed a discrimination complaint with the Equal Employment Opportunity Commission (EEOC).” The complainant’s email account was then accessed without their consent, according to a Department of Justice press release. After the incident, Akhter’s employer learned that he had previously been convicted of felonies and fired both him and his brother. Government prosecutors stated that it was after this that the brothers “sought to harm their employer and its U.S. government customers by accessing computers without authorization, write-protecting databases, deleting databases and destroying evidence of their unlawful activities.”






