Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

On April 30, 2026, two malicious releases of the popular lightning PyPI package were published, affecting the deep learning framework formerly distributed as pytorch-lightning. Versions 2.6.2 and 2.6.3 ship a hidden _runtime directory that downloads the Bun JavaScript runtime from GitHub at import time and uses it to execute an ~11 MB obfuscated credential stealer. The last clean release is 2.6.1, published January 30, 2026.

A critical vulnerability CVE-2026-41940 has been identified in cPanel, WHM, and WP Squared, affecting cPanel & WHM versions after 11.40, as well as WP Squared. These web hosting control panels are commonly used to manage websites, email, databases, and server configurations, making unauthorized access a serious security concern.

On April 28, 2026, cPanel patched a critical authentication bypass vulnerability affecting cPanel and WebHost Manager (WHM), tracked as CVE-2026-41940. The issue stems from a flaw in the login and session handling process that allows Carriage Return Line Feed (CRLF) injection, enabling remote threat actors to bypass authentication and gain unauthorized access to the control panel.

A new Linux kernel LPE disclosed by Theori/Xint lets any unprivileged local user become root with a 732-byte Python script. Works first try, no race, no per-kernel offsets. CVSS 7.8 (High), effectively critical for shared-kernel and multi-tenant environments.

Since October 2025, CrowdStrike Counter Adversary Operations has observed a shift in intrusion tradecraft: Threat actors are executing high-speed, SaaS-centric attacks that bypass traditional endpoint visibility. CORDIAL SPIDER and SNARKY SPIDER exemplify this evolution as distinct adversaries conducting rapid data theft and extortion campaigns with striking operational similarities.

On March 11, 2026, the Iranian hacktivist group Handala Hack Team claimed responsibility for compromising the American healthcare technology company Stryker. Public reporting suggests more than 200,000 systems were impacted and up to 50TB of data exfiltrated. While these figures remain unverified, the scale of operational disruption alone places this incident among the most significant enterprise cyber events of the year so far.

Modern development teams are currently drowning in security debt, often trapped in a manual, fragmented cycle of "find and fix" that slows down innovation. Even when equipped with high-fidelity vulnerability data, traditional workflows require developers to constantly context-switch between Jira tickets and their codebases to manually implement and test patches.

The Thymeleaf vulnerability with a CVSS score of 9.1 grabs your attention, as it should. But before you call the cavalry and claim this as the new Log4shell, read this first. CVE-2026-40478 is a server-side template injection vulnerability in Thymeleaf. Thymeleaf is a templating engine in Java that is used for server-side webpage rendering. The sandbox that normally prevents arbitrary code execution got bypassed using a tab character. And yes, this can lead to a remote code execution if exploited.

On April 29, 2026, attackers published malicious versions of four npm packages in the SAP development ecosystem: mbt, @cap-js/db-service, @cap-js/sqlite, and @cap-js/postgres. Each compromised release ships a preinstall hook that downloads the Bun JavaScript runtime from GitHub Releases and uses it to execute an ~11.6 MB obfuscated credential stealer.