DigiCert has revoked digital certificates that were stolen from the company's internal support portal. Following a malware incident involving a customer support team member, DigiCert conducted an investigation that revealed "the threat actor was able to procure initialization codes for a limited number of code signing certificates, few of which were then used to sign malware." The compromised certificates were revoked within 24 hours of their discovery, and the revocation date was set to the day they were issued. The incident began on April 2, 2026, when "a threat actor contacted DigiCert's support team via a customer chat channel and delivered a ZIP file disguised as a customer screenshot. The file contained a .scr executable with a malicious payload." While established security measures blocked four instances of the malware from being delivered, the fifth attempt compromised a support analyst's machine. A subsequent investigation found that a second machine had been compromised two days later. In all, DigiCert revoked 60 certificates. In a related story, Microsoft has addressed an issue in Microsoft Defender that was incorrectly flagging legitimate DigiCert root certificates as malicious. Microsoft told BleepingComputer that the issue was related to the DigiCert breach.

An interesting side effect of the incident was Microsoft marking the DigiCert CA as malicious and removing it from some systems. The CA file remains valid and must not be removed. DigiCert only revoked 60 certificates signed by this CA while it was under attacker control, but the CA itself was not compromised.

Beware of screensavers bearing gifts. You may want to consider .scr files as an attachment to block, and at the very least consider it a risky executable which needs to come from a known good source. The malicious software would have been stopped by the endpoint EDR, had it been enabled with an appropriate protection level. Make sure that your endpoints are all running appropriate EDR, and that your EDR protection settings are tuned for your environment. The base settings, while non-disruptive, aren't really sufficient to cover all the threats. Make sure that you're following best practices for your EDR.

Sounds like DigiCert had a flaw in their customer service identity verification process that didn’t fail until the fifth attempt — good reminder to check your own security retry performance.
DigiCert followed the standard playbook in revoking the stolen certificates. That said, hopefully they will be more forthcoming on how the actor gained initial access. For example, what changed ‘the fifth time’ the malicious package was delivered? We all could benefit from that knowledge.

Certificates do not sign: private keys do. Certificates are information about the key. Private keys should be generated and stored in such a way — e.g., in high security modules (HSMs) — that while they can be used, there is no one sufficiently privileged to see, copy, or otherwise compromise them.
Cybersecurity researchers are reporting a campaign of supply chain attacks targeting packages in the PyPi, npm, and PHP ecosystems, including packages for SAP, PyTorch Lightning, and Intercom that were infected with a worm dubbed "Mini Shai-Hulud" due to similarities with the Shai-Hulud npm worm from September 2025. SAP's mbt v1.2.48, @cap-js/db-service v2.10.1, @cap-js/postgres v2.2.2, and @cap-js/sqlite v2.2.2 packages, whose combined downloads exceed half a million weekly, were poisoned on April 29, 2026. The Mini Shai-Hulud compromise involves "injecting malicious preinstall scripts that execute during dependency installation. The campaign leverages a multi-stage payload to harvest developer and CI/CD secrets across GitHub, npm, and major cloud providers, and exfiltrates the data via attacker-controlled GitHub repositories. It also contains code designed to propagate via compromised tokens." On April 30, the worm spread from SAP into PyTorch Lightning PyPI packages, and in turn propagated from dependencies into intercom-client npm packages. Based on a shared RSA public key as well as attacker tactics, techniques, and procedures (TTPs), researchers from Wiz attribute this campaign to TeamPCP. OX Security has observed stolen developer credentials in over 1,800 repositories since the compromise of SAP's packages. Wiz recommends that security teams search for affected package versions and malicious files, rotate all credentials including "GitHub tokens, npm tokens, cloud credentials, Kubernetes tokens, and CI/CD secrets," and audit GitHub activity for suspicious commits, new repositories, and the provided indicators of compromise (IoCs).

Rather than think of a desert planet and cutting off spice production, consider this worm steals developer credentials. Those credentials were then used to create new GitHub repositories. Check to make sure that you didn't consume one of the poisoned SAP packages. Beyond getting the known good package, you need to rotate secrets (GitHub, cloud providers, Kubernetes, CI, local developer tools, etc.), not just npm tokens. Grab the IoCs from the Wiz blog and check your environment.
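
As an added example (not code from Wiz, SAP, or the newsletter), the following script checks a parsed `package-lock.json` for the four package versions the story above names as poisoned. It handles both the flat `packages` map of lockfile v2/v3 and the nested `dependencies` tree of v1; the sample lockfile and the `demo-tool` package name are constructed for illustration.

```python
import json
import sys
from pathlib import Path

# Package versions the story above names as poisoned on April 29, 2026.
AFFECTED = {
    "mbt": {"1.2.48"},
    "@cap-js/db-service": {"2.10.1"},
    "@cap-js/postgres": {"2.2.2"},
    "@cap-js/sqlite": {"2.2.2"},
}

# Constructed sample lockfile (v3 layout); not taken from any real project.
SAMPLE_LOCK = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/@cap-js/sqlite": {"version": "2.2.2"},
        "node_modules/@cap-js/db-service": {"version": "2.10.0"},
        "node_modules/demo-tool/node_modules/@cap-js/postgres": {"version": "2.2.2"},
        "node_modules/mbt": {"version": "1.2.47"},
    },
}


def _walk_v1(deps, trail=()):
    """Yield (name, version, location) from a lockfile v1 nested dependency tree."""
    for name, info in (deps or {}).items():
        here = trail + (name,)
        yield name, info.get("version"), " > ".join(here)
        yield from _walk_v1(info.get("dependencies"), here)


def _entries(lock):
    """Yield (name, version, location) for every installed package in a lockfile."""
    packages = lock.get("packages")
    if packages is None:  # lockfileVersion 1 has only the nested tree
        yield from _walk_v1(lock.get("dependencies"))
        return
    for path, info in packages.items():
        if not path:  # "" is the root project, not a dependency
            continue
        # Nested installs repeat "node_modules/"; the package name is the last part.
        name = info.get("name") or path.rsplit("node_modules/", 1)[-1]
        yield name, info.get("version"), path


def find_affected(lock):
    """Return sorted (name, version, location) tuples matching AFFECTED."""
    return sorted(
        (name, version, where)
        for name, version, where in _entries(lock)
        if version in AFFECTED.get(name, ())
    )


if __name__ == "__main__":
    # Usage: python scan_lock.py package-lock.json [...]; no arguments scans the sample.
    locks = [(p, json.loads(Path(p).read_text())) for p in sys.argv[1:]]
    locks = locks or [("SAMPLE_LOCK", SAMPLE_LOCK)]
    found = [(src, hit) for src, lock in locks for hit in find_affected(lock)]
    for src, (name, version, where) in found:
        print(f"{src}: {name}@{version} at {where}")
    sys.exit(1 if found else 0)
```

A clean lockfile only describes the current tree; a host that installed one of these versions earlier still needs the credential rotation described above.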
SANS ISC
Dark Reading
SecurityWeek
The Register
Wiz
Socket
Socket
Ox
Ubuntu's servers are back online following about two days of outages caused by a "sustained, cross-border" distributed denial-of-service (DDoS) attack starting on April 30. This incident prevented users from accessing the distribution's website and resources for remediation following the simultaneous unrelated disclosure and published proof-of-concept exploit code for a privilege escalation flaw in the Linux kernel. Users were also reportedly prevented from downloading and updating the OS. Ubuntu is just one of several major distributions of Linux affected by the kernel flaw. At the time of this writing, all services on Ubuntu's status page are listed "Operational." Neither Ubuntu nor its parent company Canonical has issued further information about the attack since May 1 or verified any threat actor's attribution claims.

In case you missed it, Ubuntu 26.04 LTS was just released, so you likely have teams working on certifying the new version, which may have reverted to other package sources. Make sure they're using legit copies of packages. The same threat actor claiming this attack is also claiming responsibility for the recent DDoS attacks on BlueSky and on eBay's Japan and US divisions. Another argument for making sure your DDoS protections are enabled and comprehensive.

As a result of the DDoS, users may be tempted to download Ubuntu from unofficial sources. Please verify checksums and digital signatures. Ubuntu provides a file containing hashes, including a digital signature for the file. Do not trust unsigned hashes that are offered from unofficial sources.
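
The order of checks matters here: the signature on the hash list comes first, and only then the hash of the image. The sketch below is an added example, not Ubuntu's or the newsletter's code; it assumes the release directory's `SHA256SUMS` and `SHA256SUMS.gpg` files, a locally installed `gpgv`, and a keyring file (hypothetical path supplied by the caller) containing the distribution signing key obtained and fingerprint-checked separately.

```python
import hashlib
import hmac
import os
import string
import subprocess


def signature_ok(sums_path, sig_path, keyring):
    """True only if gpgv accepts the detached signature over the checksum file.

    keyring is an assumption: a keyring file holding the distribution's signing
    key, obtained and fingerprint-checked separately from the download.
    """
    try:
        done = subprocess.run(["gpgv", "--keyring", keyring, sig_path, sums_path],
                              capture_output=True)
    except FileNotFoundError:  # gpgv not installed: fail closed
        return False
    return done.returncode == 0


def parse_sums(text):
    """Map file name -> lowercase hex digest from sha256sum-style lines."""
    table = {}
    for line in text.splitlines():
        digest, _, name = line.partition(" ")
        if len(digest) != 64 or not all(c in string.hexdigits for c in digest):
            continue  # not a checksum line
        # One marker character follows the separator: ' ' (text) or '*' (binary).
        if name[:1] in (" ", "*"):
            name = name[1:]
        table[name] = digest.lower()
    return table


def file_sha256(path):
    """Hash the file in 1 MiB chunks so large images do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(image, sums_path, sig_path, keyring, check_sig=signature_ok):
    """Return "ok", or the reason the image must not be trusted.

    check_sig is a seam for testing without gpgv; leave the default in real use.
    """
    # Step 1: the hash list itself must carry a valid signature.
    if not check_sig(sums_path, sig_path, keyring):
        return "checksum file signature invalid"
    with open(sums_path, encoding="utf-8") as fh:
        expected = parse_sums(fh.read()).get(os.path.basename(image))
    if expected is None:
        return "image not listed in checksum file"
    # Step 2: only now is the listed hash worth comparing against.
    if not hmac.compare_digest(expected, file_sha256(image)):
        return "hash mismatch"
    return "ok"
```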

The Internet is now part of the battlefield. We must anticipate multi-pronged attacks. This includes DoS attacks. It is difficult to set a goal for all enterprises for mitigation of such attacks. In this case two days seems high.
Ars Technica
TechCrunch
The Register
Ubuntu Discourse
Canonical
A flaw disclosed by cPanel was added to the US Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities catalog (CISA KEV) on April 30, 2026, with a mitigation deadline of May 3, and organizations have since reported ransomware attacks exploiting the flaw. CVE-2026-41940, CVSS score 9.8, allows a remote unauthenticated attacker to gain access to the control panel by using carriage return line feed (CRLF) injection to bypass authentication in cPanel and WHM 11.40 and later, also affecting WP Squared before version 136.1.7. BleepingComputer was contacted by several sources reporting the presence of a Go-based Linux encryptor for "Sorry" ransomware after compromise through this flaw, also noting that hundreds of sites impacted by these compromises have been indexed by Google. On May 2, researchers from Ctrl-Alt-Intel also observed a targeted campaign employing Watchtowr's published proof-of-concept exploit against "government and military entities in South-East Asia, alongside a smaller set of MSPs and hosting providers in the Philippines, Laos, Canada, South Africa, and the United States," as well as evidence of previous separate exploitations targeting an Indonesian defense training portal and Chinese railway data. On May 1 the Shadowserver Foundation estimated at least 44,000 IPs had been compromised, but that number has dropped into the low thousands in the days since; at the time of this writing, the highest concentration of compromises is in the US, followed by France, the Netherlands, the UK, and India. Daniel Pearson, CEO of KnownHost, stated shortly after cPanel's disclosure that his company has seen ongoing exploitation of CVE-2026-41940 since late February. cPanel's advisory gives instructions to users to upgrade to fixed cPanel and WHM versions 11.86.0.41, 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.130.0.19, 11.132.0.29, 11.136.0.5, and 11.134.0.20, and to WP Squared version 136.1.7. 
The advisory was updated on May 4 with a new detection script that was refined to remove false positives.

cPanel is commonly used by companies offering virtual hosting. A vulnerability in cPanel puts all sites hosted on such a server at risk. cPanel offers an auto-update option, which should have covered many installs. With a rich vulnerability history, enabling auto-update is a sound option for those who must expose the admin interface to customers.

Make sure that you've updated your cPanel installs and implemented cPanel's security best practices, to include their recommended security settings checklists. Check with your hosting provider to learn what their update plans are. If you're using cPanel add-on modules, make sure they are up to date and not EOL. Where feasible, enable auto-update.
As discussed in SANS NewsBites Volume 28, Number 33 (Friday, May 1, 2026), the bad guys quickly weaponized and moved with speed and diligence. Any sysadmins supporting cPanel or WHM need to patch NOW and look for signs of earlier compromise.
cPanel
BleepingComputer
Dark Reading
The Hacker News
TechCrunch
SecurityWeek
The Register
Trellix, a cybersecurity incident detection and response company, has disclosed that intruders gained access to a portion of their source code repositories, and the company is currently investigating the incident with help from third-party forensic experts. Trellix has also notified law enforcement. Trellix was formed in January 2022 with the merger of FireEye and McAfee. Other cybersecurity companies have been similarly targeted over the past several months: Checkmarx reported a breach of its GitHub code repository in late April, and Cisco disclosed a breach of its internal development environment.

Verify your access controls on your source code repositories. Make sure MFA is required for updates, and give careful thought to who can read it. While we've talked a lot about malicious packages replacing legitimate ones, don't forget that you may not want just anyone to be able to download your legitimate code either. While you're looking at things, make sure that you are not ignoring secrets stored in those repositories. Don't make things any easier than they have to be for our adversaries.
Not a lot of details here, but snatching source code can lead to future vulnerabilities that lead to exploits. Perhaps they can lobby for early access to Claude Mythos or GPT-5.4-Cyber. That way they can get ahead of any new vulnerabilities discovered.

We must expect and resist attacks against the software products of major suppliers as a means of distributing malware. Suppliers should be held liable for any distribution of malicious, as opposed to merely shoddy, software.
Heise
Gov Infosecurity
BleepingComputer
The Hacker News
Trellix
Progress Software has released updates to address a critical authentication bypass vulnerability (CVE-2026-4670) in MOVEit Automation. The updates also fix a high-severity privilege escalation vulnerability (CVE-2026-5174) in the same product. Progress warns that "exploitation may lead to unauthorized access, administrative control, and data exposure." Progress credits researchers at Airbus with finding the vulnerabilities. Users are urged to update to one of the following versions: MOVEit Automation 2025.1.5 or newer, MOVEit Automation 2025.0.9 or newer, and MOVEit Automation 2024.1.8 or newer. Progress notes that "Upgrading to a patched release, using the full installer, is the only way to remediate this issue. There will be an outage to the system while the upgrade is running." Another Progress product, the MOVEit Transfer managed file transfer (MFT) solution, was targeted by threat actors in 2023, and reports of compromise via that vulnerability continue to trickle in: the State of New York's Department of Financial Services recently fined Delta Dental Insurance Company and Delta Dental of New York, Inc. $2.25 million over the companies' response to the MOVEit Transfer vulnerability; threat actors stole roughly 60,000 files from Delta Dental.

There have been at least six vulnerabilities in MOVEit since the first critical flaw reported in May 2023. If you have MOVEit, make sure that it's updated. If you're partnering with someone who requires MOVEit, consider suspending file transfers until you can confirm they have updated. Seriously research alternative file transfer systems, as you don't want the publicity should you be breached.
Help Net Security
BleepingComputer
The Hacker News
Progress
NIST
NIST
Educational technology company Instructure, which developed and maintains the Canvas learning management system (LMS), confirmed on May 1, 2026, that it experienced a security incident "perpetrated by a criminal threat actor." Instructure CISO Steve Proud stated in the original notice and in a May 2 update that upon learning of the attack, the company launched an investigation with external forensics experts, revoked credentials and access tokens associated with affected systems, deployed patches, rotated keys "even though there is no evidence they were misused," and increased monitoring across all platforms. The threat actor's unauthorized access affected data belonging to "users at affected institutions," including names, email addresses, student ID numbers, and messages among users, but there is no evidence yet of unauthorized access to dates of birth, government identifiers, or financial information. Because of the application key rotation, users must re-authorize access to certain tools: "Reissued application keys contain a timestamp in the name and will be visible to users during re-authorization. These are valid Instructure created keys and users should continue the authorization process." Instructure has published a separate notice about application key timestamps showing an example authorization screen for reference. At the time of this writing, Canvas Data 2 and Beta are available for all customers, but Canvas Test is under maintenance.

The ShinyHunters extortion gang is taking credit for this attack, claiming to have data for 275 million individuals across 9,000 schools, so suffice it to say there will be more to come on what was and was not breached. If you're a Canvas customer, check the Instructure site for system status. Also review the Application Key Timestamp Notice, as it applies to integrated tools. Customers with reissued application keys will have to re-authorize that access one time; even so, they may flag the process as malicious when it is, in fact, legitimate.
Two individuals have been sentenced to four years each in prison for deploying ransomware known as ALPHV BlackCat over a period of several months in 2023. Ryan Clifford Goldberg and Kevin Tyler Martin were both formerly employed in the cybersecurity industry: Goldberg worked in incident response at Sygnia and Martin was a ransomware negotiator at DigitalMint. The two along with a co-conspirator, Angelo John Martino III, who was also employed at DigitalMint, arranged with the ALPHV BlackCat administrators to use the ransomware and its extortion platform in exchange for 20 percent of any ransom payments they received. In December 2025, Goldberg and Ryan both pleaded guilty to one count of conspiracy to obstruct, delay, or affect commerce or the movement of any article or commodity in commerce by extortion. Martino pleaded guilty to the same charge last month, and because of the nature of his involvement with the ransomware activity, is facing up to 20 years in prison when he is sentenced in July. DigitalMint has established new guardrails to ensure that negotiations are accurately audited and logged. These include "structured logging of all negotiation communications; clear audit trails for decision-making; defined oversight mechanisms throughout the engagement lifecycle, and ongoing refinement of processes as expectations evolve."

DigitalMint has instigated improvements in their processes adding more oversight and transparency to the engagement. Other ransomware negotiation companies should review these to see where they can also raise the bar. What DigitalMint doesn't indicate is improvements in their screening of staffing. Not only must all actions taken be accountable, transparent, and consistent with company values, but, based on my background in government, staff has to be screened regularly to ensure they are also aligned and haven't gone astray.

Good reminder to include questions about employee vetting in all security services RFPs/eval criteria.

Accountability is an essential control, not merely a "guardrail." A complete audit trail makes it possible to fix accountability for every transaction or change to an identified individual.
The Record
Help Net Security
SecurityWeek
US DoJ
DigitalMint
The Five Eyes countries have jointly published Careful adoption of agentic AI services, which "provides practical guidance to help organisations that design, develop, deploy and operate agentic AI systems, to make informed risk assessments and mitigations. The guidance concludes with actionable recommendations to help organisations prepare for and defend against emerging and future agentic AI threats." Authored by cybersecurity agencies in Australia, Canada, New Zealand, the UK, and the US, the document outlines agentic AI security risks with accompanying example scenarios, and offers best practices for securing agentic AI systems, including designing and developing secure AI agents, and deploying and operating agents securely.

Some human individual or enterprise is responsible for everything that a computer is tasked to do and for all properties and uses of the results. This includes any agency or privileges granted to the computer process. Start here.

The guidance does a good job of defining the differences between Agentic and Generative AI as well as the specific risks Agentic AI brings. It may take you a bit to unpack this, but it's time well spent. The best practices include links to external references you can leverage. As usual, I look at guidance like this to make sure I'm not missing anything, as well as to find topics of discussion for developers and users to find optimal ways to adopt (and understand) this technology safely and securely.
A key point in the guidance is that “organizations should address AI security… within established cyber security frameworks…” Definitely agree. The Center for Internet Security recently published three AI controls companion guides (LLMs, Agents, and MCP) that leverage its Critical Security Controls to protect AI systems. Using the CIS Controls allows one to secure LLMs, agentic systems, and MCP interfaces without adopting a new framework.
- https://www.cisecurity.org/insights/white-papers/controls-v8-1-ai-llm-companion-guide
- https://www.cisecurity.org/insights/white-papers/controls-v8-1-ai-agents-companion-guide
CyberScoop
Gov Infosecurity
The Register
Australian Signals Directorate
SANS Internet Storm Center StormCast Tuesday, May 5, 2026
Honeypot Update; MOVEit Patches; Apache http2 Vuln
https://isc.sans.edu/podcastdetail/9918
DShield Honeypot Update
https://isc.sans.edu/diary/DShield+Honeypot+Update/32948
MOVEit Automation Critical Security Alert Bulletin – April 2026 – (CVE-2026-4670, CVE-2026-5174)
Apache httpd http2 vulnerability
https://seclists.org/oss-sec/2026/q2/387
SANS Internet Storm Center StormCast Monday, May 4, 2026
Malicious Homebrew Ads; Wireshark Update; DigiCert False Positive; cPanel Exploited
https://isc.sans.edu/podcastdetail/9916
Malicious Ad for Homebrew Leads to MacSync Stealer
https://isc.sans.edu/diary/Malicious+Ad+for+Homebrew+Leads+to+MacSync+Stealer/32942
Wireshark Update
https://www.wireshark.org/docs/relnotes/wireshark-4.6.5.html
DigiCert Microsoft Defender False Positive
https://bugzilla.mozilla.org/show_bug.cgi?id=2033170
cPanel Exploited