Cybersecurity News Roundup: Credentials, Classrooms, and Confidence Cracked this Week
From ransomware operators landing in U.S. prisons to a DNSSEC failure briefly knocking millions of German websites offline, this week’s stories range from criminal prosecutions to failures in core internet infrastructure. Researchers uncovered phishing campaigns abusing cloud services, a worm hunting Kubernetes credentials, and attackers reaching water treatment controls in Poland.
AI is at the center of the conversation, with security teams warning that faster, machine-driven attacks are becoming harder to defend against.
Mass cPanel Exploit Wave Leaves Over Half a Million Servers Exposed
A critical vulnerability in cPanel and WebHost Manager is being actively exploited at scale, putting more than 550,000 internet-facing servers at risk. The flaw allows attackers to bypass authentication and gain full control over hosting environments without valid credentials. Security data shows thousands of systems have already been compromised, with earlier figures reaching tens of thousands before partial remediation efforts. U.S. authorities formally flagged the issue as actively exploited, urging immediate patching across affected systems. Attackers are using the access to deploy Linux-based ransomware and take over websites. The exploitation began months before public disclosure.
Global Law Enforcement Effort Lands Conti-Linked Operator in Prison
International law enforcement authorities secured a 102-month prison sentence against Deniss Zolotarjovs, a Latvian national, for his role in ransomware and extortion schemes linked to the Conti operation. The group targeted more than 54 organizations with ransomware families including Conti, Akira, Karakurt, Royal, TommyLeaks, and SchoolBoys. Georgian authorities arrested Zolotarjovs in December 2023 before extraditing him to the United States. He later pleaded guilty to attacks that caused millions in losses and exposed personal and health-related data stolen from victims.
Emails Impersonate PayPal, McAfee Using Recycled VoIP Numbers
Cisco Talos researchers observed scam campaigns aggressively impersonating trusted consumer brands, including PayPal, McAfee, Norton LifeLock, and Geek Squad, by embedding callback phone numbers inside fraudulent emails. Attackers reused the same VoIP-based phone numbers across unrelated lures, changing subject lines, attachment formats, and branding to make the campaigns appear independent. Researchers tracked 1,652 unique phone numbers during the monitoring period and found that some remained active for nearly two weeks. The campaigns used PDF, JPEG, and HEIC attachments to distribute fake invoices, subscription renewal notices, and account alerts designed to pressure victims into calling scam operators. Because the phone number, not a URL or attachment hash, is the shared infrastructure, it is also the most useful pivot for defenders hunting these campaigns.
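The reuse pattern described above suggests a simple hunt: extract callback numbers from message bodies, normalize the many formats scammers use, and flag any number that shows up under more than one impersonated brand. The following is an added example written for this roundup, not Talos tooling; the emails, brands, dates, and numbers are constructed for illustration (555 test numbers), and the brand labels are assumed to come from an upstream classifier or the lure's subject line.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed sample messages (not Talos data). "brand" is the impersonated brand,
# assumed to be supplied by an upstream lure classifier; "date" is the received date.
SAMPLE_EMAILS = [
    {"id": 1, "brand": "PayPal", "date": "2025-03-03",
     "body": "Your PayPal invoice #88213 for $499.99 is due. Questions? Call +1 (888) 555-0142 within 24 hours."},
    {"id": 2, "brand": "McAfee", "date": "2025-03-07",
     "body": "McAfee Total Protection renewed for $389.00. To cancel, dial 1-888-555-0142 now."},
    {"id": 3, "brand": "Geek Squad", "date": "2025-03-15",
     "body": "Geek Squad subscription auto-renewal charged. Support line: 888.555.0142"},
    {"id": 4, "brand": "Norton LifeLock", "date": "2025-03-10",
     "body": "Norton order confirmed. For help call 1 (877) 555-0190."},
    {"id": 5, "brand": "PayPal", "date": "2025-03-11",
     "body": "Your PayPal account is limited. Contact us at 877-555-0190 today."},
    # Benign control: a legitimate internal number that appears under only one brand.
    {"id": 6, "brand": "Internal IT", "date": "2025-03-12",
     "body": "Reminder: the helpdesk extension is 4422 and our main line is (206) 555-0100."},
]

# North American 10-digit numbers with an optional +1 / 1 country prefix, in the
# common spellings seen in lures: "+1 (888) 555-0142", "1-888-555-0142", "888.555.0142".
PHONE_RE = re.compile(
    r"(?:\+?1[\s.-]?)?"        # optional country code
    r"\(?(\d{3})\)?[\s.-]?"    # area code, optionally in parentheses
    r"(\d{3})[\s.-]?(\d{4})"   # exchange and subscriber number
)


def extract_numbers(text):
    """Return the set of phone numbers in text, normalized to 10 digits."""
    return {"".join(m.groups()) for m in PHONE_RE.finditer(text)}


def cluster_by_number(emails):
    """Index each normalized number to the (id, brand, date) tuples it appeared in."""
    index = defaultdict(set)
    for msg in emails:
        for num in extract_numbers(msg["body"]):
            index[num].add((msg["id"], msg["brand"], msg["date"]))
    return index


def flag_shared_callbacks(emails, min_brands=2):
    """Flag numbers reused across at least min_brands distinct brands.

    For each flagged number, report the brands, message ids, and how many days
    the number stayed in circulation (last seen minus first seen).
    """
    flagged = {}
    for num, hits in cluster_by_number(emails).items():
        brands = {brand for _, brand, _ in hits}
        if len(brands) < min_brands:
            continue
        seen = [date.fromisoformat(d) for _, _, d in hits]
        flagged[num] = {
            "brands": sorted(brands),
            "email_ids": sorted(i for i, _, _ in hits),
            "days_active": (max(seen) - min(seen)).days,
        }
    return flagged


if __name__ == "__main__":
    for num, info in flag_shared_callbacks(SAMPLE_EMAILS).items():
        print(num, info)
```

The brand-spanning check is what separates scam infrastructure from a vendor's real support line: a genuine PayPal number will not also appear on McAfee and Geek Squad renewal notices. In practice the same index can be joined against the numbers found inside PDF or image attachments once OCR has run, and the `days_active` field gives a rough measure of how long a number is worth blocking at the mail gateway.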
Taiwan Arrests Student After TETRA Exploit Disrupts Rail Network
Taiwanese authorities arrested a 23-year-old university student in connection with a radio signal intrusion that disrupted Taiwan High Speed Rail operations in April. Investigators allege the suspect exploited vulnerabilities in the rail system’s TETRA communications network to transmit a rogue General Alarm signal near Taichung Station. The unauthorized alert forced three high-speed trains to halt under emergency operating procedures, causing a 48-minute disruption across the rail network. Police described the suspect as a radio enthusiast and said investigators recovered multiple radio devices, smartphones, a laptop, and suspected software-defined radio equipment during searches of his residence and workplace.
PCPJack Worm Hijacks Exposed Cloud Infrastructure to Steal Kubernetes Credentials
A cloud-focused worm dubbed PCPJack spreads across exposed infrastructure and harvests credentials from enterprise and developer environments. The worm targets Docker, Kubernetes, Redis, MongoDB, RayML, and vulnerable web applications, while removing artifacts linked to the TeamPCP threat group from compromised systems. Unlike many cloud intrusions tied to illicit cryptomining, PCPJack focuses entirely on stealing secrets: API keys, SSH credentials, Kubernetes tokens, Docker secrets, and cryptocurrency wallet data. The malware downloads its payloads from an attacker-controlled Amazon S3 bucket, so outbound requests to unfamiliar S3 buckets from container hosts are one place to look for it.
AI-Driven Cyberwarfare is Outpacing Security Defenses
Armis’ 2026 Cyberwarfare Report warns that AI-driven cyber conflict is escalating faster than organizations can defend against it, with autonomous “agentic swarms” capable of discovering vulnerabilities and moving across networks at machine speed. The report, based on a survey of more than 1,900 IT decision-makers globally, found that 79% believe AI-powered attacks pose a major security threat. At the same time, 66% reported experiencing up to two cybersecurity breaches. Organizations remain overconfident in their readiness despite gaps in visibility and expertise. Ransomware payouts now exceed annual cybersecurity budgets for more than half of the surveyed organizations.
Former Federal Contractor Convicted After Deletion of Government Databases
A federal jury convicted Sohaib Akhter in a case involving the unauthorized deletion of approximately 96 U.S. government databases following his termination from a federal technology contractor. Akhter and his twin brother, Muneeb Akhter, accessed protected systems tied to dozens of federal agencies and removed critical database infrastructure hosted on enterprise servers in Virginia. They extracted credentials from an Equal Employment Opportunity Commission database. The contractor supported more than 45 federal agencies. Authorities arrested the brothers in December 2025.
Doxxing Case Brings Physical Risk From Personal Data
A North Carolina man pleaded guilty after prosecutors said he posted a Supreme Court justice’s home address online and made violent threats. The case highlights how doxxing can move from online exposure to real-world danger, especially for public officials. Prosecutors said Kyle Edwards also posted old addresses and neighborhoods of two other justices. The publicly accessible posts allegedly attracted other users who discussed attacks. Edwards faces up to five years in prison.
Pharmacist Accused of Spying on Nearly 200 People
Federal prosecutors charged former Maryland hospital pharmacist Matthew Bathula with using keyloggers, cookie theft, mailbox rules, and spyware to access victims’ accounts over eight years. The alleged victims included current and former hospital workers and people connected to them. Prosecutors and civil claims say he accessed services such as Gmail, iCloud, Google Photos, Microsoft 365, and even webcams. Based on the reported allegations, the motive appears to be surveillance and privacy invasion rather than financial theft. Insider access can turn ordinary workplace systems into tools for personal harm.
Survey Warns Employees May Be More Open To Selling Logins
A Cifas workplace fraud survey found that 13% of UK employees said they had sold company logins or knew someone who had. The same share said selling access to company systems was justifiable, with higher tolerance reported among managers, directors, executives, and business owners. Possible reasons included financial pressure, disgruntlement, belief it was harmless, or confidence they would not be caught. The finding matters because stolen employee credentials remain one of the easiest ways into corporate systems. Even if UK-specific, the survey points to a broader insider-risk awareness problem.
SEBI Warns Market Entities About AI-Driven Vulnerability Risks
SEBI issued an advisory urging regulated entities to assess risks from emerging AI-based vulnerability detection tools. The advisory calls for faster patching, regular vulnerability assessments, API security, SOC monitoring, hardening, and updated asset inventories. It also asks entities to consider AI-enabled threats in risk scenarios and plan for AI-augmented SOC transformation. The impact is regulatory as much as technical, because financial-market entities may need to prove stronger cyber resilience around AI-led discovery and mitigation, making this as much a cyber governance story as a technology one.
Edge Password Claim Raises Browser Memory Security Concerns
A LinkedIn post by offensive security professional Tom Rønning claimed Microsoft Edge loads saved passwords into memory in cleartext even when users are not actively using them. The reported risk is sharper in shared environments such as terminal servers, where an attacker with administrative access could inspect other users’ browser process memory. Microsoft reportedly treated the behavior as “by design,” according to the post. Because the claim comes from a researcher’s post rather than a vendor advisory, it should be treated as unconfirmed. The awareness angle is clear regardless: browser-stored passwords become high-value targets after endpoint compromise, and on shared hosts an administrator already has the access needed to read them.
DNSSEC Failure Knocks .de Domains Offline
Millions of German websites became unreachable after a DNS disruption affected Germany’s .de top-level domain. Cybernews reported that global resolvers returned SERVFAIL errors for several hours on May 5, disrupting sites such as Amazon.de and services including Deutsche Bahn’s app. Cloudflare pointed to apparent DNSSEC problems, while engineers suspected a botched signing-key rollover. Validating resolvers return SERVFAIL rather than an unsigned answer when the chain of trust cannot be verified, which is why a registry-level key mistake looks like a global outage even though the authoritative servers stay up. The incident was not reported as a cyberattack, but its impact resembled a large outage across a national digital layer. It shows how fragile internet trust infrastructure can become when a single registry-level cryptographic process fails.
Hackers Reached Water Treatment Controls in Poland
Poland’s domestic intelligence agency said attackers breached water treatment facilities in five towns in 2025. In some cases, attackers gained access to industrial control systems and could alter technical parameters of devices. The agency did not publicly attribute the attacks, but it warned of intensified hostile cyber activity linked especially to Russian services. The impact could have been direct disruption to water supply operations. The incident matters to critical-infrastructure defenders because it moves beyond data theft into possible manipulation of physical systems.
Canvas Breach Escalates into Login-Page Defacements
KrebsOnSecurity reported that ShinyHunters’ data extortion campaign disrupted schools and colleges after Canvas login pages displayed a ransom demand. Instructure had earlier said stolen data included names, email addresses, student ID numbers, and user messages, but not passwords, government IDs, birth dates, or financial information based on its investigation. The disruption landed during final-exam season, raising the impact from data exposure to education continuity. TechCrunch later reported that Instructure said the defacement involved the same actors and an issue tied to Free-For-Teacher accounts.
‘GothFerrari’ Sentenced for Crypto Heist
Marlon Ferro, known as “GothFerrari,” was sentenced to 78 months in prison for his role in a cryptocurrency theft conspiracy. The DOJ said the group stole more than $250 million through database hacking, target identification, fraudulent calls, money laundering, and residential burglary. Prosecutors said Ferro was used when victims could not be tricked online and hardware wallets had to be stolen physically. The case is striking because it blends digital fraud with real-world break-ins. It shows that crypto theft is no longer only a screen-bound crime.
Former L3Harris Executive Ordered to Pay $10M Over Hacking Tool Theft
Former L3Harris/Trenchant executive Peter Williams was ordered to pay $10 million in restitution after being accused of stealing advanced hacking and surveillance tools. TechCrunch reported that Williams had headed Trenchant, a division that built hacking tools for the U.S. government and Five Eyes allies. The alleged sale to a Russian exploit broker makes the case especially serious because stolen tools can reappear in state or criminal operations. The impact goes beyond one company’s loss and touches national security supply chains, sitting at the intersection of insider threat and cyber-weapons proliferation.
From Fake Brands to Insiders, Attackers Followed Trust
Impersonation, education disruption, and insider threats defined this week’s cyber activity. Attackers leaned heavily on trust, spoofing brands like PayPal and McAfee, while the Canvas defacements landed in the middle of exam season and the Taiwan rail disruption was traced to a university student, showing that schools and students now sit on both sides of the threat. At the same time, law enforcement finally put a Conti-linked operator behind bars, a reminder that even ransomware gangs eventually hit the end of the road.
But the bigger pattern sat around access itself. From deleted federal databases and spyware abuse to employees growing more open to selling logins, this week showed that credentials, insiders, and exposed identities remain the quietest way for attackers to get in the door.