Cyber Intelligence Daily — May 03, 2026
Sunday, May 3, 2026
The Big Picture
The defining story this morning isn't a single breach — it's the collapse of patching windows. An Iran-linked group has been holding Canonical's infrastructure hostage for over a day, disrupting the security APIs that let admins find out about advisories. cPanel's authentication-bypass deadline expires tonight. And the Linux kernel team is now in a public fight about whether distributions should get any warning at all before a kernel CVE goes live — a fight that matters because Copy Fail's PoC is already on GitHub.
It's a quiet kind of bad day: nothing exotic, just every defensive assumption getting tested at once.
What Just Dropped
- CVE-2026-41940 — WebPros cPanel & WHM and WP2 (WordPress Squared): authentication bypass, actively exploited, in CISA KEV with a federal remediation deadline that expires today (May 3). Mass scanning reported.
- CVE-2026-31431 — Linux Kernel ("Copy Fail"): KEV-listed as actively exploited, public PoC available, mainline fix committed but distribution packages still rolling. Federal remediation due May 15.
- CVE-2024-1708 — ConnectWise ScreenConnect: authentication path traversal, KEV-listed, exploitation reported by Kimsuky (DPRK). Federal due date May 12.
- CVE-2026-32202 — Microsoft Windows Shell: actively exploited, KEV-listed, stems from an incomplete patch for CVE-2026-21510 and is being chained by APT28. Federal due May 12.
- FUXA 1.2.8 — Auth Bypass + RCE: Working exploit for the open-source SCADA/HMI platform posted to Exploit-DB overnight. No CVE assigned, no vendor patch announced.
- CVE-2025-32463 PoC: Public proof-of-concept for sudo's chroot privilege-escalation flaw updated within the past hour. Local attacker to root on most Linux distributions.
Today's Stories
Iran-Linked 313 Team Turns Ubuntu Into a Hostage — And Disrupted the Security APIs While Doing It
● Japan · Iran · Iraq · United States
If your patch-management tooling pulls Ubuntu Security Notices on a schedule, it's been flying blind since Thursday.
A Canonical spokesperson confirmed to The Register: "I can confirm that Canonical's web infrastructure is under a sustained, cross-border Distributed Denial of Service (DDoS) attack." The attacker is the self-styled "Islamic Cyber Resistance in Iraq — 313 Team," a group a March 2026 HawkEye threat advisory assesses has ties to Iran's Ministry of Intelligence and Security. More than a day into the assault, ubuntu.com and most of its subdomains remain disrupted, and, crucially, so does the Ubuntu Security API — the endpoint sysadmins, patch automation, and CI pipelines query for CVE data — according to Cybersecurity News.
Then the operation pivoted. In a Telegram message to Canonical, 313 Team wrote: "There is a simple way out. We have emailed you with our Session Contact ID. If you fail to reach out, we will continue our assault. You are in an awful position, don't be foolish." That's not hacktivism anymore — that's extortion with a political wrapper. SC Media reports the group is using a DDoS-for-hire service called Beamed that allegedly delivers north of 3.5 Tbps, the same service it claims to have used against eBay Japan, eBay US, and BlueSky in the past month.
If Canonical pays or negotiates, the model gets validated and other open-source foundations become priority targets. If Canonical holds and the attack burns out, watch whether 313 Team escalates to package repositories — that's where DDoS becomes a supply-chain problem. In the meantime, the Rankiteo advisory's recommendation is the right one: pull from NVD or OSV mirrors until Canonical's services stabilize.
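What "pull from NVD or OSV mirrors" should look like in your automation, as an added example (not Canonical's, OSV's or any patch-management vendor's code): an advisory client that walks an explicit fallback chain, records every attempt, and refuses to treat "all sources failed" as "no advisories", which is exactly the silent failure that leaves a gap window in patch logs. The source names, the fetcher signature and the sample payloads are assumptions constructed for this illustration; a real deployment would wrap HTTP calls to the Ubuntu Security API and an OSV or NVD mirror in the fetchers.

```python
"""Advisory pull with an explicit fallback chain that fails closed.

Added example, not Canonical's, OSV's or any patch-management vendor's code.
The source names, the fetcher signature and the sample payloads are
assumptions constructed for this illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Iterable

# A fetcher maps a package name to the advisory IDs that apply to it, or
# raises on any transport failure (timeout, HTTP 5xx, DNS). Assumed signature.
Fetcher = Callable[[str], list[str]]


@dataclass
class PullResult:
    package: str
    advisories: list[str]
    source: str | None                                   # which source actually answered
    attempts: list[str] = field(default_factory=list)    # audit trail, one entry per source tried

    @property
    def authoritative(self) -> bool:
        # "No advisories" only counts as an answer when some source replied.
        return self.source is not None


def pull_advisories(package: str, sources: list[tuple[str, Fetcher]]) -> PullResult:
    """Try each (name, fetcher) in order and stop at the first that answers.

    A source that raises is recorded and skipped. If every source fails the
    result carries no source, and callers must not treat it as "nothing to patch".
    """
    result = PullResult(package=package, advisories=[], source=None)
    for name, fetch in sources:
        try:
            advisories = fetch(package)
        except Exception as exc:          # transport-level failure of this source
            result.attempts.append(f"{name}: FAIL {type(exc).__name__}: {exc}")
            continue
        result.attempts.append(f"{name}: OK {len(advisories)} advisories")
        result.advisories = sorted(set(advisories))
        result.source = name
        break
    return result


def needs_rescan(results: Iterable[PullResult]) -> list[str]:
    """Packages whose "clean" status came from a gap window rather than an answer."""
    return [r.package for r in results if not r.authoritative]


# --- constructed stand-ins for the real endpoints ---
def ubuntu_security_api_down(package: str) -> list[str]:
    """Simulates the primary source during the DDoS: every call fails."""
    raise ConnectionError("ubuntu.com unreachable")


_SAMPLE_OSV = {"linux": ["CVE-2026-31431"], "sudo": ["CVE-2025-32463"]}   # constructed subset


def osv_mirror(package: str) -> list[str]:
    """Simulates a reachable mirror holding a constructed subset of advisories."""
    return list(_SAMPLE_OSV.get(package, []))


if __name__ == "__main__":
    chain = [("ubuntu-security-api", ubuntu_security_api_down), ("osv-mirror", osv_mirror)]
    results = [pull_advisories(p, chain) for p in ("linux", "sudo", "openssl")]
    results.append(pull_advisories("linux", chain[:1]))   # primary only: the gap-window case
    for r in results:
        print(r.package, r.source, r.advisories, r.attempts)
    print("re-scan when sources recover:", needs_rescan(results))
```

The design choice that matters is the `authoritative` flag: an empty advisory list from a mirror that answered is a real result, while an empty list because every source timed out is not, and only the second kind should block a host from being marked "up to date".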
The Voice You Used to Train an AI Is Now Someone Else's Skeleton Key
The Mercor breach has been covered here before. What's new — and what's pushed the story back to the top of Hacker News this weekend — is that the people who pulled it off have publicly announced they're going to do it again.
Mercor, the $10 billion AI training-data startup whose customers include Anthropic, OpenAI, and Meta, confirmed to Fortune that the breach started with a supply-chain compromise: TeamPCP planted malicious code inside LiteLLM, an open-source AI gateway library that Snyk says is downloaded millions of times daily. The poisoned versions — 1.82.7 and 1.82.8 — were live on PyPI for roughly forty minutes on March 27 before being pulled, per Second Talent's reconstruction. That window was enough. Lapsus$ later posted the haul: 939GB of source code, a 211GB user database, and roughly 3TB of video interviews and ID verification documents covering more than 40,000 contractors.
The detail that's getting fresh attention this week, surfaced by Breacher.ai and ORAVYS: the voice samples aren't raw clips. They're structured, conversational profiles — two to five minutes per person, studio-grade — explicitly designed to train production voice models. Pair those with the matching driver's license or passport scan from the same dump, and you have something that doesn't behave like a stolen password. You can't rotate a voice. Fortune, citing Cybernews, reports TeamPCP has stated its intention to partner with ransomware and extortion crews to monetize the rest of the LiteLLM victim list — meaning Mercor was the proof of concept.
The signal that tells you which way this goes: whether a breach disclosed in the next 30 days names LiteLLM in its incident timeline. If it does, TeamPCP's franchise model is working, and every company that auto-installed dependencies on March 27 is exposed. If the wave doesn't materialize, it means defensive auditing caught the rest in time. Either way, anyone who recorded for an AI training platform should be having a conversation with their bank's fraud team and their family this week.
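"Auto-installed dependencies on March 27" is a question you can put to your manifests today. As an added example (not code from LiteLLM, PyPI, Mercor or any outlet cited above), the audit below reads requirements-style lines and sorts each `litellm` entry into an exact pin to a poisoned release, a range or unpinned entry that would have admitted one if resolved during the window, or a specifier that excludes both. The requirement lines are constructed; the two version numbers come from the story, the year in `WINDOW` is assumed from this newsletter's date, and the specifier evaluation is deliberately a small subset of PEP 440, so anything it does not understand is flagged for manual review rather than guessed.

```python
"""Audit Python dependency manifests for the LiteLLM releases named in the Mercor reporting.

Added example, not code from LiteLLM, PyPI, Mercor or any outlet cited above.
The requirement lines are constructed; the two version numbers come from the
story, the year in WINDOW is assumed from the newsletter date, and the
specifier evaluation is a deliberately small subset of PEP 440.
"""
from __future__ import annotations

import re

POISONED = {"litellm": ("1.82.7", "1.82.8")}   # versions named in the story
WINDOW = "2026-03-27"                           # day they were live on PyPI (year assumed)

_REQ = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(.*?)\s*(?:#.*)?$")
_CLAUSE = re.compile(r"(==|!=|>=|<=|>|<)\s*([0-9][0-9.]*)")


def vtuple(version: str) -> tuple[int, ...]:
    """'1.82.8' -> (1, 82, 8); stops at the first non-numeric component."""
    parts: list[int] = []
    for p in version.strip().split("."):
        if not p.isdigit():
            break
        parts.append(int(p))
    return tuple(parts)


def admits(spec: str, version: str) -> bool | None:
    """Does the specifier allow `version`? None when a clause is outside the
    supported subset (e.g. '~=' or wildcards), so it must be reviewed by hand."""
    clauses = [c.strip() for c in spec.split(",") if c.strip()]
    if not clauses:
        return True                       # unpinned: the resolver took the newest release
    v = vtuple(version)
    for clause in clauses:
        m = _CLAUSE.fullmatch(clause)
        if not m:
            return None
        op, target = m.group(1), vtuple(m.group(2))
        ok = {"==": v == target, "!=": v != target, ">=": v >= target,
              "<=": v <= target, ">": v > target, "<": v < target}[op]
        if not ok:
            return False
    return True


def audit_line(line: str) -> tuple[str, str, str] | None:
    """(package, verdict, detail) for one requirement line; None for blanks,
    comments and pip options such as '-r'."""
    stripped = line.strip()
    if not stripped or stripped.startswith(("#", "-")):
        return None
    m = _REQ.match(line)
    if not m:
        return None
    name = m.group(1).lower().replace("_", "-")
    spec = m.group(2)
    bad = POISONED.get(name)
    if not bad:
        return (name, "OK", "not a package named in the reporting")
    for ver in bad:
        allowed = admits(spec, ver)
        if allowed is None:
            return (name, "MANUAL_REVIEW", f"unsupported specifier {spec!r}")
        if allowed and spec.startswith("==") and vtuple(spec[2:]) == vtuple(ver):
            return (name, "POISONED_PIN", f"pinned to {ver}")
        if allowed:
            return (name, "EXPOSED_IF_RESOLVED_IN_WINDOW",
                    f"{spec or 'unpinned'} admits {ver}; check installs on {WINDOW}")
    return (name, "OK", f"{spec} excludes {' and '.join(bad)}")


def audit_manifest(text: str) -> list[tuple[str, str, str]]:
    """Audit every line of a requirements-style manifest."""
    return [row for row in map(audit_line, text.splitlines()) if row is not None]


# Constructed requirements.txt for the example.
SAMPLE_REQUIREMENTS = """\
# application deps (constructed sample)
litellm==1.82.8          # exact pin to a poisoned release
LiteLLM>=1.82,<1.83      # range that would have resolved to 1.82.8 that day
litellm                  # unpinned
litellm<1.82.7           # excludes both poisoned releases
litellm~=1.82.0          # outside the supported subset
requests==2.32.3
"""

if __name__ == "__main__":
    for name, verdict, detail in audit_manifest(SAMPLE_REQUIREMENTS):
        print(f"{name:10} {verdict:32} {detail}")
```

A pin is the easy case; the entries worth chasing are the ranges and unpinned lines, because the manifest alone cannot tell you which release the resolver picked. For those, the install logs or lock files from the window are the evidence to pull.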
The cPanel Authentication Bypass Deadline Expires Tonight — And Mass Exploitation Is Already Underway
● United States
CVE-2026-41940 is the kind of bug that doesn't need a creative attacker. The flaw is an unauthenticated bypass in cPanel & WHM and WP2 (WordPress Squared) — the control panel that runs a substantial fraction of shared hosting on the internet. CISA added it to the Known Exploited Vulnerabilities catalog on May 1 with a federal remediation deadline of today, May 3.
Coverage from Abijita describes a weaponized exploitation tool circulating publicly under the name "cPanelSniper," and reporting attributes the activity to "Sorry" ransomware operators dropping a Go-based encryptor on compromised hosts. Internet-watch organizations have observed automated scanning at scale across tens of thousands of unique source IPs. Note: that scanning figure traces to a single press writeup citing Shadowserver and similar telemetry — treat the magnitude as directional rather than precisely confirmed, but the operational reality (active mass exploitation) is consistent across multiple independent reports.
The patch was released April 28. If you run cPanel directly, you should already be on the fixed build. If you're on shared hosting and your provider hasn't sent a notice, that's the conversation to have before Monday morning. Most coverage has focused on cPanel/WHM specifically — worth flagging that the same advisory covers WP2, which is sometimes excluded from internal patch inventories. The signal to watch: whether incident response firms start naming "Sorry" operators in mid-May breach disclosures. If they do, the May 3 deadline may have been the difference between "patched in time" and "had a bad weekend."
The Linux Kernel's Disclosure Process Just Became a Public Fight — And It's Why Copy Fail Hurts
A post to the oss-security mailing list from a senior kernel contributor on April 30 — now generating heavy discussion — argues that Linux distributions are receiving no advance notice of kernel CVEs before public disclosure. The thread is a Tier 3 community signal, but it's coming from named maintainers on a primary-source list, and it lands at exactly the wrong moment for defenders.
Copy Fail (CVE-2026-31431) is a 732-byte local privilege escalation that affects every mainstream Linux kernel built since 2017. CISA confirmed active exploitation Friday and set a remediation deadline of May 15. CERT-EU's advisory notes the mainline fix was committed April 1 — but as of publication, distribution kernel packages were still pending, and CERT-EU is recommending the interim mitigation (disable the algif_aead kernel module, prioritize Kubernetes nodes and CI/CD runners) until patched kernels arrive.
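The interim mitigation is one line of modprobe configuration, but "disable the module" hides two checks a practitioner wants before rolling it out fleet-wide: is the module currently loaded, and is anything holding it open. The script below, added here as an example and not CERT-EU's, CISA's or the kernel project's code, parses a `/proc/modules` listing to answer both and emits the drop-in. The `/proc/modules` sample is constructed, the drop-in file name is an assumption, and the reasoning for pairing `install ... /bin/false` with `blacklist` is this example's, not the advisory's.

```python
"""Check whether algif_aead is loaded and emit the modprobe drop-in for the interim mitigation.

Added example, not CERT-EU's, CISA's or the kernel project's code. The
/proc/modules sample is constructed, the drop-in path is an assumption, and
the reasoning about 'install' versus 'blacklist' is this example's.
"""
from __future__ import annotations

from pathlib import Path

MODULE = "algif_aead"
DROP_IN = Path("/etc/modprobe.d/disable-algif_aead.conf")   # assumed file name
PROC_MODULES = Path("/proc/modules")


def loaded_modules(proc_modules_text: str) -> dict[str, int]:
    """Parse /proc/modules lines ('name size refcount users state address')
    into name -> refcount, so callers can tell whether a module is in use."""
    mods: dict[str, int] = {}
    for line in proc_modules_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[2].isdigit():
            mods[fields[0]] = int(fields[2])
    return mods


def mitigation_status(proc_modules_text: str) -> str:
    """'not-loaded', 'loaded-idle' (modprobe -r will work) or 'loaded-busy'
    (a process holds an AF_ALG socket on it; find and close that first)."""
    mods = loaded_modules(proc_modules_text)
    if MODULE not in mods:
        return "not-loaded"
    return "loaded-busy" if mods[MODULE] > 0 else "loaded-idle"


def modprobe_drop_in() -> str:
    """Contents for the drop-in. 'blacklist' only suppresses alias-driven
    autoload; a request for the module by name (which is how the AF_ALG
    socket path pulls it in) still succeeds, so the 'install ... /bin/false'
    line is the one that actually prevents loading."""
    return (
        f"# interim mitigation for CVE-2026-31431 until a patched kernel is booted\n"
        f"install {MODULE} /bin/false\n"
        f"blacklist {MODULE}\n"
    )


def next_steps(status: str) -> list[str]:
    """Operator checklist derived from the status; returned, not executed."""
    steps = [f"write {DROP_IN} with the drop-in above"]
    if status == "loaded-idle":
        steps.append(f"modprobe -r {MODULE}")
    elif status == "loaded-busy":
        steps.append(f"identify the process holding {MODULE} (refcount > 0) before unloading")
    steps.append(f"verify: 'modprobe -n -v {MODULE}' should show the /bin/false install line")
    steps.append("remove the drop-in once the distribution kernel with the fix is running")
    return steps


if __name__ == "__main__":
    # Constructed /proc/modules excerpt; on a real host the file itself is read.
    sample = ("algif_aead 16384 0 - Live 0x0000000000000000\n"
              "af_alg 36864 1 algif_aead, Live 0x0000000000000000\n")
    text = PROC_MODULES.read_text() if PROC_MODULES.exists() else sample
    status = mitigation_status(text)
    print("status:", status)
    print(modprobe_drop_in())
    for step in next_steps(status):
        print("-", step)
```

The refcount check is the part that saves a change window: a non-zero refcount means an `AF_ALG` consumer is active and `modprobe -r` will refuse, so the drop-in alone only protects that host after the next reboot.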
The disclosure-process argument isn't academic. If the historical model — where Red Hat, Ubuntu, and SUSE got embargoed details to prepare downstream packages — has materially shifted, the gap between "PoC public" and "your distro patched" widens permanently. That's the gap defenders are sitting in right now. The signal to watch over the next two weeks: whether major distributions issue a coordinated statement on kernel embargo policy. If they do, it would indicate the disclosure process experienced problems. If they don't, the process will remain unchanged, and the next Copy Fail-class bug could arrive on the same terms.
⚡ What Most People Missed
- The OT context that makes the FUXA exploit worse: Industrial Cyber's Sunday feature compiles industry data on how constrained OT patching is in practice, including the claim that a large share of field devices ship with vulnerabilities that cannot practically be fixed. A public weaponized exploit against an industrial platform without a patch lands harder when compensating controls are the only available defense — it can force operators to accept increased production downtime or manual workarounds that cascade into safety and regulatory risks.
From the Foreign Press
HeartlessSoul Is Hunting Geolocation Data Across Russian Government and Industry
● Russia · Iran
Russian security outlet Xakep documents a threat cluster it tracks as HeartlessSoul, conducting targeted operations against Russian government agencies and industrial-sector organizations with a specific focus on harvesting geolocation and mapping data. The reporting characterizes the activity as intelligence-gathering rather than ransomware — no encryption, no extortion, just sustained collection of location and infrastructure mapping data from sensitive Russian targets. In a week dominated by Iran-aligned hacktivism running west, this is a reminder that the inverse traffic — sustained, quiet collection running east — continues without much Western coverage. SOC teams supporting Russia-facing operations should review Xakep's technical write-up for tactic descriptions before the activity gets a Western tracking designation. Source: Xakep.ru — Russian. No English-language coverage confirmed at time of publication.
Checkmarx Had Data Stolen From Private GitHub Repositories
Xakep reports that the supply-chain compromise at security scanner vendor Checkmarx — partially disclosed in March — extended further than the original incident notice acknowledged. According to the Russian-language reporting, attackers exfiltrated data from private GitHub repositories belonging to Checkmarx, not just the developer-tooling pipeline previously discussed. The expanded scope matters: Checkmarx's customers run its scanner against their own source code, meaning a compromise of Checkmarx's private repositories could carry signal about customer environments and unfixed vulnerabilities those customers were scanning for. English-language press hasn't picked up the private-repo extension yet. Source: Xakep.ru — Russian. No English-language coverage confirmed at time of publication.
📅 What to Watch
- If Canonical's Security API stays down through Monday, audit your patch-management logs for the gap window — automation may have silently failed to pull advisories and could mark updates as applied or skip re-scan steps, leaving blind spots when CVE updates resume.
- If a fresh breach disclosure in the next 30 days names LiteLLM in its incident timeline, TeamPCP's franchise model is working and the Mercor wave has begun.
- If major Linux distributions issue a coordinated statement on kernel embargo policy in the next two weeks, it would indicate the disclosure process experienced problems and could lead to formal changes in how CVE information is shared with downstream packagers.
- If "Sorry" ransomware operators appear in mid-May incident response disclosures, that would suggest the May 3 cPanel deadline separated patched from unpatched incidents, and shared-hosting providers that didn't push the patch may be named.
- If the FUXA Exploit-DB posting gets a CVE assignment and corroborating researcher writeups this week, OT teams should expect the exploit to land in commodity scanning tooling within days.
- If 313 Team escalates from Canonical's web infrastructure to package repositories or signing infrastructure, that would constitute a supply-chain attack rather than only an extortion campaign.
The Closer
A pro-Iranian Telegram channel demanding negotiations with Canonical; 40,000 contractors discovering their voices are now permanent skeleton keys with matching photo ID; a kernel maintainer arguing on a public mailing list that nobody told the distros — and somewhere in there, cPanel's clock is running out tonight.
The patch window used to be measured in weeks, then days; this weekend it's measured in whether the API you query for advisories is still answering the phone.
Stay patched, stay paranoid.
If you know someone whose Sunday plans involve a cPanel server or a kernel they haven't updated, forward this — they'll thank you Monday.