☕ Good Morning Security Gang,
Today’s episode is absolutely loaded.
We’re talking active ransomware outbreaks, supply chain worms hitting AI libraries, a nine-year-old Linux root flaw now weaponized, security vendor source code stolen, and even insiders turning into attackers.
👉 If there’s one theme today: every layer of trust—code, infrastructure, people—is under active assault.
Double espresso in hand, let’s get into it.
🧭 Executive Summary
Today’s landscape reflects a convergence of exploit velocity, supply chain compromise, insider threat, and AI-powered attack scaling. Attackers are exploiting vulnerabilities before disclosure, weaponizing developer ecosystems, and abusing legitimate platforms to bypass defenses.
We’re also seeing a dangerous shift where legacy vulnerabilities, insider access, and AI-enhanced tools combine, creating compounding risk across enterprise and critical infrastructure environments. The result is a threat environment where speed, scale, and trust exploitation define success for attackers.
📰 Top Stories & Deep Dive Analysis
"Today's through line is ecosystem trust under assault on every axis, all happening simultaneously. The AI training library millions depend on became a credential-stealing worm. The security vendor whose product you run to detect threats has its source code accessed. The incident responder you trusted during your worst day was in at least two documented cases, the attacker. Layer on CISA adding a 9-year-old Linux root escalation to KEV, a mass ransomware wave locking up 44,000 cPanel servers, China running multi-continent espionage while targeting journalists, and an AI-powered phishing platform that turns MFA into security theater. The message is perfectly clear." James Azar
🔥 cPanel Zero-Day – Ransomware Outbreak at Internet Scale
A critical cPanel vulnerability, actively exploited since February before disclosure, is now fueling a large-scale ransomware outbreak. Attackers are deploying the “Sorry” ransomware variant, encrypting systems and appending a .sorry extension, with encryption powered by ChaCha20 and protected via embedded RSA keys.
Over 44,000 compromised IPs have already been identified, with the vulnerability now added to CISA’s KEV catalog. Because cPanel serves as a centralized control layer for hosting environments, a single compromise can cascade across websites, databases, and email systems.
This is not just exploitation it’s industrial-scale ransomware propagation through shared infrastructure, where hosting providers and MSPs become force multipliers for attackers.
🐧 Linux “Copy Fail” Root Bug – A 9-Year Vulnerability Goes Live
A nine-year-old Linux kernel vulnerability has now been weaponized following public proof-of-concept release, allowing local privilege escalation to root across major distributions including Ubuntu, RHEL, SUSE, and Amazon Linux.
The exploit works by manipulating page cache behavior, enabling attackers to overwrite controlled memory and escalate privileges. In real-world incidents, attackers chained this flaw with Jenkins access to pivot from low-privileged service accounts directly to root.
“Speed is the attacker’s advantage, trust is their entry point.” James Azar
This is a classic but dangerous pattern: old vulnerabilities become critical the moment exploit code becomes reliable and accessible, turning dormant risk into immediate operational threat.
🧬 PyTorch Lightning Supply Chain Worm – AI Ecosystem Under Attack
A compromised version of the PyTorch Lightning library introduced a worm-like capability that steals credentials and propagates itself across both npm and PyPI ecosystems.
Once installed, the malware:
Exfiltrates developer credentials and cloud tokens
Identifies accessible repositories
Injects malicious code into other packages
Republishes infected versions automatically
This represents a new level of supply chain attack autonomous propagation across ecosystems, where one compromised environment can rapidly infect thousands of downstream projects.
The fact that this targets AI training libraries makes it even more critical, as these environments often hold sensitive data, models, and infrastructure credentials.
🛡️ Trellix Source Code Breach – Defenders Become Targets
Trellix confirmed unauthorized access to portions of its source code repository. While no customer data was impacted, the exposure of product code introduces significant downstream risk.
Attackers can now analyze detection logic, identify weaknesses, and develop evasion techniques tailored to the platform. This highlights a growing trend: security vendors themselves are high-value targets, as compromising them provides insight into defensive capabilities at scale.
Even without immediate exploitation, the long-term impact can be significant, as attackers refine their techniques based on stolen intelligence.
🌏 China’s ShadowPad Campaign – Multi-Continent Espionage
A China-aligned threat group conducted a widespread espionage campaign targeting government and defense sectors across Asia and extending into Europe.
The attackers exploited known vulnerabilities in Microsoft Exchange and IIS, deployed web shells for persistence, and used ShadowPad malware for long-term access.
This campaign demonstrates a dual approach:
Technical exploitation of infrastructure
Targeted phishing of civil society groups
This combination allows for both system compromise and human intelligence gathering, reinforcing the complexity of nation-state operations.
🎓 Canvas Breach – Sensitive Student Data Exposed Again
Instructure, the company behind Canvas, disclosed its second breach in eight months, exposing student data including private messages, accommodation requests, and mental health disclosures.
This is particularly concerning due to the sensitivity of the data and the regulatory implications. The breach also highlights a recurring issue: attackers returning to previously compromised organizations, exploiting gaps left after initial remediation efforts.
This creates both legal and reputational risk for institutions and raises concerns about persistent vulnerabilities in educational platforms.
🤖 BlueKit Phishing-as-a-Service – AI Supercharges Fraud
BlueKit, a new phishing-as-a-service platform, is introducing AI-powered capabilities including voice cloning, adversary-in-the-middle templates, and automated campaign generation.
The platform supports multiple AI models to create highly convincing phishing content and bypass MFA through real-time token interception.
This represents the industrialization of phishing, where advanced capabilities are now accessible to low-skill operators, dramatically increasing the scale and effectiveness of attacks.
🧑💼 Insider Threat – Security Professionals Turned Ransomware Operators
Two cybersecurity professionals were sentenced for conducting ransomware attacks against clients their firms were hired to protect.
"The irony and danger cannot be overstated. Goldberg himself worked as an incident responder, the professional called in during your worst day was conducting the attacks. Zero trust of privileged insiders, including your own security vendors and your IR firms, is no longer paranoia. It's now hygiene." James Azar
This case highlights the reality that insider threat is not theoretical—it’s operational. Individuals with deep knowledge of defensive systems can become highly effective attackers, bypassing controls and exploiting trust.
It reinforces the need for zero trust principles even within security teams and incident response ecosystems.
🚛 Cargo Theft Surge – Cyber Meets Physical Supply Chain
The FBI warned of a surge in cyber-enabled cargo theft, with losses exceeding $725 million in 2025. Attackers are compromising logistics platforms, altering shipment records, and impersonating legitimate carriers.
This is a clear example of cyber attacks translating into physical-world impact, where digital compromise leads directly to theft of goods.
It underscores the expansion of the attack surface into operational and supply chain systems, where traditional cybersecurity controls may not be sufficient.
📱 Facebook Phishing Campaign – Trusted Platforms Abused
A phishing campaign hijacked over 30,000 Facebook accounts using Google AppSheet infrastructure to send legitimate-looking emails.
Because the emails originated from trusted domains, they bypassed traditional spam filters and relied on user interaction to capture credentials.
This is part of a broader trend of legitimate service abuse, where attackers use trusted platforms as delivery mechanisms, undermining traditional security controls based on reputation.
🛠️ Action Items for Security Leaders
🔐 Patch cPanel systems immediately and restrict management access
🐧 Apply Linux kernel updates and verify patched versions are active
🧬 Rotate all credentials exposed through AI and package ecosystems
🚀 Audit CI/CD pipelines for unauthorized package modifications
🛡️ Monitor security vendor advisories for potential downstream risks
🌏 Conduct threat hunting for ShadowPad and web shell activity
🎓 Strengthen data protection controls for sensitive user information
🤖 Implement phishing-resistant MFA and advanced email filtering
🧑💼 Enforce zero trust and monitoring for privileged insiders
🚛 Secure logistics and supply chain systems against account compromise
🧠 James Azar’s CISOs Take
What stood out to me today is how attackers are chaining together multiple layers of trust. A supply chain compromise leads to credential theft, which leads to infrastructure access, which leads to ransomware deployment. At the same time, insider threats and AI-powered phishing are exploiting the human side of the equation. This isn’t just about one vulnerability—it’s about how everything connects.
The second takeaway is that we need to rethink how we define security. It’s no longer enough to secure systems in isolation. We have to secure ecosystems—developers, vendors, infrastructure, and users all at once. Because attackers are already thinking that way, and if we don’t, we’re always going to be reacting instead of leading.
🔥 Stay Cyber Safe.
