The Lyceum: Cybersecurity Weekly — May 06, 2026

This was the week the trust infrastructure cracked. The company that issues the digital certificates your browser uses to decide what software is safe was hacked through a screensaver attachment in a support chat. A ransomware gang turned out to have been roaming inside Cisco's firewall management console for 36 days before anyone knew the door existed. Firefox's "private" mode was leaking a stable identifier that followed users even through Tor's most aggressive reset button. The systems we rely on to tell us what's trustworthy are themselves the targets — and attackers are getting to them through embarrassingly mundane front doors.

• CVE-2026-32201 — Microsoft SharePoint Server: actively exploited zero-day, CVSS 6.5, patched via Microsoft's out-of-band update. CISA's federal patching deadline was April 28, 2026, which has passed; if you run on-prem SharePoint and missed it, treat exposed servers as potentially compromised.
• CVE-2026-20131 — Cisco Secure Firewall Management Center: insecure Java deserialization granting unauthenticated root, patched March 4 but exploited by Interlock ransomware since January 26.
• CVE-2026-3854 — GitHub.com and GitHub Enterprise Server: authenticated RCE via a single git push. GitHub.com patched within two hours; Wiz reports roughly 88% of self-hosted GHES instances they observed remained unpatched at disclosure.
• CVE-2026-6770 — Firefox / Tor Browser: stable IndexedDB-derived identifier persisting across private windows and Tor's "New Identity" reset. Patched in Firefox 150, ESR 140.10, and Tor Browser 15.0.10.
• CVE-2025-32463 — Linux sudo (chwoot): local privilege escalation to root, weaponized PoC widely circulating, patches available in updated kernels and sudo packages.
• PyTorch Lightning 2.6.2 / 2.6.3 — Mini Shai-Hulud supply chain compromise; live on PyPI for 42 minutes on April 30 before quarantine, but stole credentials, env variables, and cloud secrets from any environment that imported it.
• DAEMON Tools trojanized installer — Official site distributed a backdoor starting April 8; Kaspersky reports thousands of infections across 100+ countries with selective second-stage deployment to retail, science, government, and manufacturing targets.

Sitting quietly behind almost every piece of software you've ever installed is something called a Certificate Authority — a company that issues the digital signatures your computer uses to decide whether a program is legitimate. DigiCert is one of the largest. This week, it confirmed it was hacked through a chat window.

On April 2, 2026, a sophisticated threat actor contacted DigiCert's customer support team through a Salesforce-based chat channel and repeatedly sent a malicious ZIP file disguised as a customer screenshot. Inside was a Windows screensaver file — a .scr, which Windows treats as an executable. CrowdStrike and other endpoint defenses blocked four consecutive delivery attempts. The fifth succeeded, according to Cybersecurity News, because one analyst's machine had a misconfigured security agent.

DigiCert didn't discover a second compromised machine until April 14 — a ten-day window of unrestricted access. During it, the attacker grabbed initialization codes for approved-but-undelivered Extended Validation code signing certificate orders. With those codes plus the existing approvals, you can simply walk out with valid, fully trusted certificates. They were promptly weaponized to sign Zhong Stealer malware, a credential and cryptocurrency stealer that researchers have linked to GoldenEyeDog (APT-Q-27), a Chinese e-crime group — though attribution for the DigiCert breach itself remains open, per Cybersecurity News.

DigiCert revoked 60 code signing certificates, 27 tied to the attacker. Then came the aftershock: on April 30, a faulty Microsoft Defender signature update started flagging two legitimate DigiCert root CA certificates as malicious and silently removing them from Windows trust stores. Microsoft pushed a fix within days, but for a stretch, an enterprise that trusted Microsoft Defender to defend it was breaking its own SSL/TLS validation across the fleet.

DigiCert publicly acknowledged it only after abused certificates were spotted in the wild and reported. That's a worrying definition of "detection."

The signal to watch: whether other Certificate Authorities disclose similar social engineering attempts. DigiCert's delayed detection raises the risk that other CAs could be scoped by similar chat-based vectors.

Imagine your security team patches every vulnerability the day it's announced. Diligent, by the book. Now imagine the attackers were already inside, using a flaw nobody had published. That's exactly what happened with the Interlock ransomware group and Cisco's firewall management console.

Cisco disclosed CVE-2026-20131 on March 4 — a critical insecure deserialization flaw in Cisco Secure Firewall Management Center, the dashboard IT teams use to manage their entire fleet of Cisco firewalls. According to Amazon's threat intelligence team, while researching the vulnerability they found Interlock had been exploiting it since January 26, 2026 — a 36-day head start before the patch existed.

Once inside, Interlock deployed PowerShell reconnaissance scripts to map the environment, then planted custom remote access trojans built in both JavaScript and Java alongside a memory-resident web shell. Confirmed victims include U.S. dialysis provider DaVita, the Kettering Health hospital network, Texas Tech University, and the city of Saint Paul, Minnesota, per SecurityToday. The group pairs encryption with data theft and explicit GDPR threats to crank up pressure.

The uncomfortable lesson: patching fast doesn't help during the window between exploit and disclosure — and that window can run more than a month. Organizations running Cisco FMC who applied the March 4 patch may still be compromised from January. The action item isn't confirming the patch landed; it's a compromise assessment going back to late January.

If you've ever opened a Firefox private window and assumed websites couldn't connect that activity to your regular browsing, sit down for this one. Researchers at Fingerprint discovered that Firefox's IndexedDB — a built-in browser database — returned database entries in an order that was unique to the running browser process. Any website could quietly create a few databases, observe the ordering, and derive a stable fingerprint.

In Firefox Private Browsing, that identifier persisted as long as the Firefox process kept running, even after every private window was closed. In Tor Browser, it survived the "New Identity" feature — the button specifically designed to be a clean break, the one journalists, dissidents, and activists rely on when they need to be sure they can't be linked to their previous session. It wasn't working.

To be precise: this is correlation, not direct cross-origin data theft, and a full browser restart did clear the identifier, per Penligent's analysis. But for the people who depend on Tor's privacy guarantees, "your reset button doesn't actually reset" is the kind of finding that requires immediate updates and uncomfortable retrospectives.

Mozilla patched it as CVE-2026-6770 in Firefox 150, ESR 140.10, and Thunderbird on April 21. The Tor Project released Tor Browser 15.0.10. What changes if you don't update: every Tor session you open in the same browser process can be linked together by any website you visit. What to watch: whether researchers find similar process-lifetime fingerprints in other browsers. The IndexedDB ordering trick is unlikely to be the last of its kind.

PyTorch Lightning is the library data scientists and ML engineers use to train AI models — hundreds of thousands of daily downloads, millions of monthly installs. On April 30, versions 2.6.2 and 2.6.3 went up on PyPI carrying what Semgrep dubbed "Mini Shai-Hulud" (a Dune reference; the original Shai-Hulud was a 2025 supply chain worm).

Socket's automated scanner flagged the packages as malicious 18 minutes after publication. Maintainers quarantined them 24 minutes after that. Total live window: 42 minutes, per Let's Data Science. That's the good news. The bad news is that 42 minutes is plenty for any team running automated dependency updates or CI pipelines on a schedule.

The malicious versions hid an obfuscated JavaScript payload in a _runtime directory that executed on import, harvesting credentials, authentication tokens, environment variables, and cloud secrets — exactly the high-value spoils sitting in AI training environments. Researchers at Kodem traced the propagation pattern: pyannote-audio depended on Lightning, which infected a developer's local environment, which leaked the npm tokens that let the attackers push poisoned packages into a different ecosystem entirely. One Python compromise, three ecosystems infected.

If you ran pip install lightning on April 30, treat that environment as compromised and rotate everything. The broader pattern — supply chain attacks targeting AI development infrastructure specifically — is the one to file away. The data, weights, and credentials concentrated in ML pipelines are now a recognized prize.

GitHub holds the world's source code. Hundreds of millions of repositories — open source, enterprise applications, the code running your bank. This week, Wiz Research disclosed that for a stretch earlier this year, any authenticated GitHub user could have run arbitrary commands on GitHub's own backend with one standard git push.

The root cause is almost embarrassingly tidy. When developers used custom push options, GitHub's internal protocol copied those values verbatim into a semicolon-delimited internal header — without escaping the semicolons. Inject a semicolon, append a malicious field, and downstream services trusted it. Remote code execution as root.

Wiz reported it on March 4. GitHub patched GitHub.com within two hours, and according to The Hacker News, found no evidence of real-world exploitation on the cloud platform. But here's the part to flag: Wiz reports that, as of disclosure, roughly 88% of self-hosted GitHub Enterprise Server instances they observed were still unpatched. That's a vendor telemetry estimate, not a census, but it points at a familiar failure: cloud gets fixed in hours, self-hosted stays broken for months.

A footnote that's bigger than a footnote: Wiz disclosed that the bug was found using AI-assisted reverse engineering of GitHub's compiled internal binaries. They publicly described it as among the first critical bugs found in closed-source binaries with AI tooling. That capability shift cuts both ways — defenders and attackers now share the same accelerator.

If your organization runs a website, cPanel is probably nearby — the dashboard millions of admins use to manage hosting, domains, and servers. Late last week, cPanel's developers issued an emergency patch for a critical authentication bypass, and U.S. federal agencies were given an expedited remediation deadline.

According to BleepingComputer, the flaw is being mass-exploited in "Sorry" ransomware attacks, with Shadowserver telemetry showing tens of thousands of compromised cPanel-tied IPs. An authentication bypass means attackers don't need passwords or stolen sessions — they walk in as administrator. From there, full takeover of the hosting infrastructure follows.

The signal to watch: whether CISA adds this to its Known Exploited Vulnerabilities catalog. That elevation would force federal patching deadlines and likely accelerate cleanup across managed hosting providers, who often run cPanel at scale and have historically been slow to patch in lockstep with disclosure.

Check Point Research published an analysis of VECT, a malware strain designed to operate as ransomware that, due to fatal flaws in its encryption and decryption routines, irreversibly corrupts victim data. Paying the ransom does not — cannot — restore the files.

This is a bigger deal for incident response than it sounds. Insurance, legal posture, and triage all depend on whether an incident is "data encrypted, recoverable on payment" or "data destroyed, recovery impossible." A botched ransomware build that crosses into wiper territory turns a recoverable extortion event into total data loss while still looking, on the surface, like a normal ransomware note. The signal: if VECT's victim count climbs and recovery rates collapse, expect insurers and negotiators to start treating any new ransomware family as wiper-until-proven-otherwise — which would meaningfully shift the economics of the whole criminal market.

Russian security publication Xakep published a technical deep-dive demonstrating that modern large language models, paired with dynamic instrumentation tools like Frida, can dramatically accelerate the reverse engineering of obfuscated binaries — producing readable, functional code in hours where it used to take weeks. The piece argues that obfuscation as a protective measure is losing effectiveness against AI-assisted analysis, and walks through specific workflows that automate what was previously specialist labor. This pairs directly with Wiz's GitHub disclosure this week, which used AI-assisted reverse engineering to find a critical RCE in closed-source binaries. Defenders gain speed in malware analysis; attackers gain the same lever against proprietary code, DRM, and security products. Source: Xakep.ru — Russian. No English-language coverage confirmed at time of publication.

Xakep reports that Checkmarx — a major application security vendor whose tools are used to scan corporate code for vulnerabilities — had data stolen from its private GitHub repositories. A security company's private repos typically contain vulnerability research, internal tooling, customer-specific configurations, and detection logic. Set against this week's DigiCert and Trellix incidents, the pattern is hard to ignore: the security industry's own infrastructure is being treated as a high-value intelligence target, not just a corporate one. Source: Xakep.ru — Russian. No English-language coverage confirmed at time of publication.

CERT-UA Advisory #19542 documents an active campaign by UAC-0001 — the cluster Ukraine attributes to Russia's GRU-linked APT28 — using an exploit for CVE-2026-21509 against Ukrainian government targets and counterparts in EU member states. The advisory includes indicators of compromise and recommended detection rules. APT28's continued operational tempo against EU institutions, not just Ukraine, is the part Western coverage tends to underweight. Source: CERT-UA — Ukrainian. No English-language coverage confirmed at time of publication.

This week: a screensaver file walked into a chat window and walked out with the keys to the internet's signature on every piece of software you trust; a ransomware gang spent 36 days reading your firewall's email before the firewall vendor even knew the lock was broken; and Tor's "New Identity" button turned out to be more of a polite suggestion than a reset. Somewhere in Pyongyang, two crypto-theft crews looked at this week's news, noted that DigiCert was compromised by a .zip of .scr, and quietly added "ask politely with a screensaver" to the playbook that's already netted them six billion dollars. Patch your stuff, rotate your tokens, and assume your private mode isn't.

Forward this to the friend who still thinks "private browsing" means private — they need to know before their next coffee shop session.