Over 40,000 Servers Compromised in Ongoing cPanel Exploitation
Attackers are exploiting CVE-2026-41940, a critical cPanel and WHM authentication bypass flaw that can give unauthenticated attackers administrative access to affected servers. Shadowserver reporting indicates more than 40,000 servers may already be compromised. This matters because cPanel often manages multiple websites, databases, and configurations from one place, so a single exposed server can become a broad compromise point for hosting providers, MSPs, and organizations running their own web infrastructure.
CISA says ‘Copy Fail’ flaw now exploited to root Linux systems
CISA warned that attackers are now exploiting CVE-2026-31431, the “Copy Fail” Linux kernel vulnerability that can let local users gain root privileges on unpatched systems. Public exploit code is available, and affected distributions reportedly include Ubuntu, Amazon Linux, RHEL, SUSE, and other Linux builds with vulnerable kernels going back years. Security teams should prioritize patching internet-facing Linux systems, shared hosting, CI runners, and Kubernetes environments where local privilege escalation can quickly turn limited access into full system control.
Trellix Confirms Source Code Breach With Unauthorized Repository Access
Trellix disclosed that an unauthorized party accessed a portion of its source code repository, though the company says it has found no evidence that its source code release or distribution process was affected. The incident is still worth attention because source code exposure can help attackers understand product internals, identify future exploit paths, or craft more convincing attacks against customers. Organizations using Trellix products should watch for vendor updates, review any published indicators, and keep product versions current.
Poisoning the well: AI supply chain attacks on Hugging Face and OpenClaw
Acronis researchers found active abuse of AI distribution platforms, including Hugging Face and ClawHub, to deliver malware through malicious models, datasets, and agent extensions. The research identified more than 575 malicious OpenClaw skills across 13 developer accounts, with payloads including trojans, cryptominers, and AMOS stealer. The practical takeaway is that AI artifacts need the same supply chain scrutiny as npm, PyPI, browser extensions, and GitHub projects, especially when they can execute code or interact with local files, credentials, and developer environments.
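As an added example (not part of the AboutDFIR digest or of the Acronis research), the Python below shows the kind of pre-load scrutiny that takeaway calls for, applied to one common artifact type: a pickle-serialised model file. It assumes the suspect model is pickle-based, which the digest does not state. The malicious sample is constructed inline and is never unpickled; the scanner only walks the opcode stream with `pickletools`, so inspecting a file cannot trigger its payload.

```python
"""Static scan of a pickle-serialised model for code-execution opcodes.

Added example, not code from the digest or from Acronis. The hostile
sample below is constructed here to illustrate the technique; it is
only inspected with pickletools and never passed to pickle.load().
"""
import io
import pickle
import pickletools
import sys

# Modules a weights file has no legitimate reason to import at load time.
# '__builtin__' is what protocol <= 2 writes in place of 'builtins'.
DANGEROUS_MODULES = {
    "os", "posix", "nt", "subprocess", "builtins", "__builtin__",
    "sys", "socket", "shutil", "runpy", "importlib", "ctypes",
}

# Opcodes that push string arguments; STACK_GLOBAL consumes two of them.
STRING_OPS = {
    "STRING", "BINSTRING", "SHORT_BINSTRING",
    "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8",
}
# Opcodes that invoke a previously resolved callable during unpickling.
CALL_OPS = {"REDUCE", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX", "BUILD"}


def scan_pickle(data: bytes) -> dict:
    """Inspect pickle bytes without executing them.

    Returns {'globals': [(module, name), ...], 'calls': n, 'suspicious': bool}.
    'globals' lists every name the loader would import; 'suspicious' is set
    when any of them comes from a module in DANGEROUS_MODULES.
    """
    globals_seen = []
    calls = 0
    strings = []  # recent string pushes, used to resolve STACK_GLOBAL
    for op, arg, _pos in pickletools.genops(io.BytesIO(data)):
        if op.name in STRING_OPS:
            strings.append(arg)
        elif op.name == "GLOBAL":
            # Protocol <= 3: arg is "module name" joined by a space.
            module, _, name = arg.partition(" ")
            globals_seen.append((module, name))
        elif op.name == "STACK_GLOBAL":
            # Protocol >= 4: module and name were pushed as the two
            # most recent strings.
            name = strings.pop() if strings else "?"
            module = strings.pop() if strings else "?"
            globals_seen.append((module, name))
        elif op.name in CALL_OPS:
            calls += 1
    suspicious = any(
        module.split(".")[0] in DANGEROUS_MODULES for module, _ in globals_seen
    )
    return {"globals": globals_seen, "calls": calls, "suspicious": suspicious}


class _Payload:
    """Constructed hostile object: unpickling it would call eval()."""

    def __reduce__(self):
        return (eval, ("1+1",))


# Constructed samples (labelled as such): a hostile pickle in the current
# default protocol, the same payload in protocol 2, and a benign state dict.
MALICIOUS_PICKLE = pickle.dumps(_Payload())
MALICIOUS_PICKLE_P2 = pickle.dumps(_Payload(), protocol=2)
BENIGN_PICKLE = pickle.dumps({"weights": [0.1, 0.2, 0.3], "layers": 3})


def scan_file(path: str) -> dict:
    """Scan a model file on disk; it is read as bytes, never unpickled."""
    with open(path, "rb") as fh:
        return scan_pickle(fh.read())


if __name__ == "__main__":
    # Usage: python scan_pickle.py model.bin   (any path is an assumption)
    target = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan_pickle(MALICIOUS_PICKLE)
    for module, name in target["globals"]:
        print(f"imports {module}.{name}")
    print("calls during load:", target["calls"])
    print("verdict:", "SUSPICIOUS" if target["suspicious"] else "no dangerous globals")
```

A real PyTorch checkpoint legitimately references names such as `torch._utils._rebuild_tensor_v2` and `collections.OrderedDict`, so the scanner reports every global it sees rather than only the flagged ones; an analyst reviews that list and extends `DANGEROUS_MODULES` to local policy. Formats that carry no code, such as safetensors, sidestep this class of problem entirely and are the safer default when a publisher offers them.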
Utility giant Itron confirms cyberattack, says internal systems were accessed
Itron, a major provider of smart meters, sensors, and utility data platforms, confirmed that attackers accessed parts of its internal IT network in April. The company said it activated its response plan, blocked the intrusion, and has not seen material disruption, customer impact, or evidence that sensitive data was compromised. This is still relevant for critical infrastructure readers because utility technology providers are high-value targets, and even contained IT intrusions can create downstream concern around third-party access, support systems, software integrity, and customer trust.
The post InfoSec News Nuggets 05/04/2026 appeared first on AboutDFIR – The Definitive Compendium Project.