Daily summary - 04.05.2026

End-of-Day report

Timeframe: Thursday 30-04-2026 18:00 - Monday 04-05-2026 18:00 Handler: Felician Fuchs Co-Handler: n/a

News

ConsentFix v3 attacks target Azure with automated OAuth abuse

A new attack type, dubbed ConsentFix v3, has been circulating on hacker forums, building on the previous technique by adding automation and scaling potential.

https://www.bleepingcomputer.com/news/security/consentfix-v3-attacks-target-azure-with-automated-oauth-abuse/

Critical cPanel Vulnerability Weaponized to Target Government and MSP Networks

A previously unknown threat actor has been observed targeting government and military entities in Southeast Asia, alongside a smaller cluster of managed service providers (MSPs) and hosting providers in the Philippines, Laos, Canada, South Africa, and the U.S., by exploiting the recently disclosed vulnerability in cPanel.

https://thehackernews.com/2026/05/critical-cpanel-vulnerability.html

Trellix: attackers gained access to source code

Trellix, which emerged from FireEye and McAfee, has reported an IT incident. Attackers gained access to source code.

https://www.heise.de/news/Trellix-Angreifer-erlangten-Zugriff-auf-Quellcode-11280743.html

Incident at DigiCert: malware authors stole certificates

In April, the certificate authority DigiCert issued several certificates for signing programs ("code signing certificates") to malware authors. These had previously attacked customer-service employees at DigiCert with malware and taken over their computers. Because various protective measures failed, the criminals gained access to a protected customer portal, including all the information needed to retrieve the certificates.

https://www.heise.de/news/Nach-Malware-Angriff-Kriminelle-nutzten-Codesigning-Zertifikate-von-DigiCert-11280757.html

Build a Decoy MCP Server to Catch AI Agent Attackers

Your AI agent's MCP config can be a target for an attacker who reaches your machine. A decoy MCP server entry pointing at a Cloudflare Worker can reveal the attacker's presence and their intent.

https://zeltser.com/decoy-mcp-server-honeypot

ESC tickets online: third-party providers such as ticombo.com carry a high risk!

Ticket offers for the sold-out Eurovision Song Contest keep appearing on third-party platforms. We explain why it is better to stay away from them.

https://www.watchlist-internet.at/news/esc-tickets-plattformen-wie-ticombocom-riskant/

That AI Extension Helping You Write Emails? It's Reading Them First

Unit 42 uncovers high-risk AI browser extensions. Disguised as productivity tools, they steal data, intercept prompts, and exfiltrate passwords. Protect your browser.

https://unit42.paloaltonetworks.com/high-risk-gen-ai-browser-extensions/

EV certificates of Lenovo & Co. abused by GoldenEyeDog

Manufacturers such as Lenovo, Kingston, Shuttle Inc. and Palit Microsystems are affected by a certificate problem. A Chinese hacker group called GoldenEyeDog (APT-Q-27) was able to issue EV certificates in the name of the organizations mentioned above and abuse them for criminal purposes.

https://borncity.com/blog/2026/05/03/ev-zertifikate-von-lenovo-co-durch-goldeneyedog-missbraucht/

Careful Adoption of Agentic AI Services

CISA, in collaboration with the Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC) and other international and U.S. partners, released guidance for organizations on adopting agentic artificial intelligence (AI) systems.

https://www.cisa.gov/resources-tools/resources/careful-adoption-agentic-ai-services

The Life-Dinner Principle in Detection

Cybersecurity has its own folk saying. You have heard it at conferences, on panels, in vendor decks, and in LinkedIn posts from CISOs who are "humbled" to announce something: "The attacker only has to be right once. The defender has to be right every time."

https://detect.fyi/the-life-dinner-principle-in-detection-822169d9da2c

Evaluating our Threat Hunting Detection Rules (+ KQL Query Evaluation)

I really enjoy creating detection rules - they give me better visibility into current threats, help me stay proactive, and bring many other advantages. On the other hand, it's a double-edged sword.

https://detect.fyi/evaluating-our-threat-hunting-detection-rules-kql-query-evaluation-5e8b6a77f2a2?source=rssd5fd8f494f6a4

Practical Package Security: The Unofficial Guide

Get actionable best practices to shrink your attack surface, protect execution environments, control package ingestion, and catch compromises early.

https://www.wiz.io/blog/practical-package-security-the-unofficial-guide

Mini Shai-Hulud Spreads to Packagist: Malicious Intercom PHP Package Follows npm Compromise

Socket found a malicious Intercom PHP package on Packagist using Composer plugin execution to steal credentials and spread across ecosystems.

https://socket.dev/blog/mini-shai-hulud-packagist-malicious-intercom-php-package-compromise

Malicious npm Package Brand-Squats TanStack to Exfiltrate Environment Variables

The Socket Research Team has detected an active supply-chain attack targeting the unscoped tanstack package on npm, a brand-squatted impersonation of the legitimate @tanstack/* organization.

https://socket.dev/blog/tanstack-brandsquat-compromise

NCSC Warns Organisations to Act Fast as Hidden Software Flaws Surface

Organisations worldwide are being urged to prepare for a vulnerability patch wave, as security experts warn that advances in artificial intelligence (AI) could rapidly expose long-standing weaknesses across software systems. The warning comes from National Cyber Security Centre (NCSC), which says businesses must act now to strengthen their environments before a surge of critical updates arrives.

https://thecyberexpress.com/ncsc-vulnerability-patch-wave/

FBI Warns of Surge in Cyber-Enabled Cargo Theft Targeting Logistics Firms

The Federal Bureau of Investigation (FBI) has issued a public warning over a sharp rise in cyber-enabled cargo theft, as threat actors increasingly use digital tactics to impersonate legitimate businesses, hijack freight, and steal high-value shipments. According to the FBI, cybercriminals are targeting transportation and logistics companies involved in shipping, receiving, and insuring cargo.

https://thecyberexpress.com/cyber-enabled-cargo-theft-fbi-issues-alert/

Vulnerabilities

Copy Fail Update #1: critical Linux kernel vulnerability enables local root privileges

04.05.2026 We have received notice that a workaround exists which applies to systems where the affected code is contained in a kernel module (including Debian-based systems such as Ubuntu). The workaround prevents the module from being loaded.

https://www.cert.at/de/warnungen/2026/4/copy-fail-kritische-linux-kernel-schwachstelle-ermoglicht-lokale-root-rechte

Progress warns of critical MOVEit Automation auth bypass flaw

Progress Software warned customers to patch a critical authentication bypass vulnerability in its MOVEit Automation enterprise-grade managed file transfer (MFT) application.

https://www.bleepingcomputer.com/news/security/moveit-automation-customers-warned-to-patch-critical-auth-bypass-flaw/

Network analysis tool Wireshark: numerous security vulnerabilities closed

In two current versions of Wireshark, the developers have closed several vulnerabilities.

https://www.heise.de/news/Netzwerkanalysetool-Wireshark-Zahlreiche-Sicherheitsluecken-geschlossen-11280168.html

Tails 7.7.1: emergency update for the anonymizing Linux distribution plugs Firefox leaks

In version 7.7.1, the anonymizing Linux distribution Tails closes, among other things, Firefox security vulnerabilities in the Tor Browser.

https://www.heise.de/news/Tails-7-7-1-Notfallupdate-fuer-anonymisierendes-Linux-stopft-Firefox-Lecks-11280198.html

Malicious npm packages: SAP software compromised

Several npm packages from SAP were subjected to a supply-chain attack. The hacker group TeamPCP is behind it, say security researchers.

https://www.heise.de/news/Boesartige-npm-Pakete-SAP-Software-kompromittiert-11280683.html

LWN Security updates for Monday

https://lwn.net/Articles/1071167/