Information Security News – 5/4/2026

Phishing Campaign Abuses Event Invitations to Target U.S. Firms 

Article Link: https://cyberpress.org/fake-invites-target-firms/ 

  • A large-scale phishing campaign is impersonating corporate event invitations to target organizations in critical U.S. sectors such as banking, government, healthcare, and tech.
  • Victims receive fake event links that lead through CAPTCHA pages to AI-generated registration sites. The attack then takes one of two paths; the first is used for credential theft, including real-time theft of multi-factor authentication (MFA) codes.
  • The second path silently installs remote monitoring and management (RMM) tools on the victim’s device to provide remote access. The use of CAPTCHA pages and legitimate RMM tools makes the attack harder to identify.
  • Stealing credentials and MFA codes allows the attacker to fully compromise accounts. The RMM tools give the attacker persistent access to the system, enabling long-term data theft and lateral movement within the environment.

PyPI Package With 1.1M Monthly Downloads Hacked to Push Infostealer 

Article Link: https://www.bleepingcomputer.com/news/security/pypi-package-with-11m-monthly-downloads-hacked-to-push-infostealer/ 

  • A malicious version of the elementary-data package was published to the official PyPI repository, allowing malicious actors to steal SSH keys, cloud credentials, CI/CD secrets, and other sensitive data.
  • The attacker exploited a GitHub Actions script injection flaw to execute malicious code, leak a GITHUB_TOKEN, and push a trusted-looking release through the affected project’s pipeline.
  • The release pipeline automatically published to PyPI and GHCR, so users unknowingly pulled the compromised update.
  • A clean version has since replaced the malicious one; however, any system that installed the malicious version must have its secrets rotated and be restored to address the compromise.
  • Additional Information: https://www.stepsecurity.io/blog/elementary-data-compromised-on-pypi-and-ghcr-forged-release-pushed-via-github-actions-script-injection
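A defender-side check for the workflow pattern behind this class of compromise, added here as an illustration and not taken from the article or from the affected project: it scans a GitHub Actions workflow for untrusted event-context expressions that are expanded directly inside a `run:` script, where the shell receives attacker-supplied text. The context list, the indentation-based scan, and the two sample steps are constructed for this example.

```python
import re

# Expression contexts an outside contributor can populate directly
# (constructed, non-exhaustive list for this illustration).
UNTRUSTED = re.compile(
    r"\$\{\{[^}]*\b(github\.event\.(issue|pull_request|comment|review|discussion|"
    r"head_commit|commits)|github\.head_ref)\b[^}]*\}\}"
)
RUN_KEY = re.compile(r"(-\s+)?run:\s*(.*)$")


def find_run_injections(workflow_text):
    """Return (line_number, expression) for untrusted ${{ }} expressions that are
    expanded inside a step's run: script. Indentation heuristic, not a YAML parser."""
    findings = []
    run_key_indent = None  # indent of the run: key whose script we are inside
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        stripped = line.lstrip()
        if not stripped:
            continue  # blank lines do not end a block scalar
        indent = len(line) - len(stripped)
        if run_key_indent is not None and indent <= run_key_indent:
            run_key_indent = None  # dedented: left the run: block
        m = RUN_KEY.match(stripped)
        if m:
            run_key_indent = indent + len(m.group(1) or "")
            text = m.group(2)  # inline script, or | / > introducing a block scalar
        elif run_key_indent is not None:
            text = stripped
        else:
            continue  # outside any run: script; env: values are not shell-expanded
        for expr in UNTRUSTED.finditer(text):
            findings.append((lineno, expr.group(0)))
    return findings


# Constructed sample steps: the same action written unsafely and safely.
VULNERABLE = """\
steps:
  - run: |
      echo "PR title: ${{ github.event.pull_request.title }}"
"""
HARDENED = """\
steps:
  - env:
      PR_TITLE: ${{ github.event.pull_request.title }}
    run: |
      echo "PR title: $PR_TITLE"
"""
```

Passing the value through `env:` keeps it out of the generated shell script, so quoting it as `"$PR_TITLE"` is the safe form; the scanner reports the vulnerable step and stays silent on the hardened one.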

Backdoored WordPress Plugin Uses Remote Updates for Code Delivery

Article Link: https://cyberpress.org/backdoored-wordpress-plugin-uses-remote-update/  

  • A backdoor was discovered in the widely used Quick Page/Post Redirect WordPress plugin, with affected versions containing modified code that was not part of an official release.
  • The plugin contained two malicious components: a hidden injection feature that added spam backlinks for site visitors, and an update function that allowed attackers to push additional code disguised as updates.
  • The malicious activity was hidden from administrators and remained dormant while the attack server was offline, allowing the attackers to resume persistent access once the server came back online.
  • Attackers used the backdoor to manipulate search rankings, inject content into websites, and execute code to compromise the entire site.

Critical GitHub Vulnerability Exposed Millions of Repositories

Article Link: https://www.securityweek.com/critical-github-vulnerability-exposed-millions-of-repositories/ 

  • Wiz (a Google company) discovered a critical remote code execution vulnerability in GitHub that puts millions of repositories at risk across GitHub.com and Enterprise environments.
  • The vulnerability stems from an injection flaw in an internal Git protocol, allowing any authenticated user to execute commands on backend servers without specialized tools or privileges.
  • On GitHub Enterprise Server, attackers could compromise the server and access all repositories and secrets. On GitHub.com, the vulnerability allows remote code execution on storage nodes, potentially exposing repositories belonging to other users and organizations.
  • Although authentication is required, the barrier to exploitation is low: any user with push access to a repository can exploit the flaw, creating significant risk to code integrity, intellectual property, and sensitive data.
  • GitHub quickly released a patch for the vulnerability and found no evidence of exploitation. However, a significant number of Enterprise Server instances remain unpatched, leaving many organizations potentially vulnerable.
  • Technical details: https://www.wiz.io/blog/github-rce-vulnerability-cve-2026-3854 

‘Copy Fail’ Logic Flaw in Linux Kernel Enables System Takeover 

Article Link: https://thehackernews.com/2026/04/new-linux-copy-fail-vulnerability.html  

  • A Linux local privilege escalation vulnerability dubbed “Copy Fail” has been identified that allows any authenticated user to obtain full root access on affected systems.
  • A flaw in the Linux kernel’s algif_aead cryptographic subsystem enables attackers to misuse certain crypto-related features to inject their own data into protected system files. These files then give the attacker elevated privileges on the affected system.
  • The exploit runs reliably and works across most major Linux distributions and containerized environments because of shared page cache behavior. It requires no special conditions beyond local user access.
  • Vendors have started to release security advisories and patches to address the vulnerability. Organizations are strongly advised to patch immediately given the ease of exploitation and the potential for full system compromise.
  • Additional information: https://www.bugcrowd.com/blog/what-we-know-about-copy-fail-cve-2026-31431/ 
  • Technical details: https://ostechnix.com/debian-13-trixie-copy-fail-cve-2026-31431-vulnerability-fix/

Medtronic Hack Confirmed After ShinyHunters Threatens Data Leak 

Article Link: https://www.securityweek.com/medtronic-hack-confirmed-after-shinyhunters-threatens-data-leak/

  • Global medical technology company Medtronic confirmed a cyber-attack after the extortion group ShinyHunters claimed to have stolen millions of records from the organization.
  • The attackers claim to have breached Medtronic’s corporate IT network and exfiltrated data; they then demanded a ransom, threatening to publish the information.
  • The group then listed Medtronic on its leak website, claiming to hold over 9 million records including personal information and internal corporate data.
  • Medtronic stated that its medical products, manufacturing capabilities, hospital systems, and patient safety systems were not affected by the breach due to network segmentation. It continues to investigate the breach to determine the scope of information that was accessed.

TeamPCP-linked VECT 2.0 Ransomware Unintentionally Destroys Files Larger Than 128 KB 

Article Link: https://thehackernews.com/2026/04/new-wave-of-dprk-attacks-uses-ai.html 

  • Researchers at Check Point found that VECT 2.0 ransomware, which is offered as ransomware-as-a-service (RaaS), contains a flaw that destroys files larger than 128 KB during encryption, making recovery impossible, even for the attackers.
  • A coding error in the encryption process overwrites essential decryption data when handling large files. Combined with poor implementation, this causes the ransomware to irreversibly corrupt data rather than properly encrypt it.
  • Additional coding issues were identified, but this flaw is the most severe, as it can result in complete data loss even if a ransom is paid.
  • The case highlights how rapidly emerging ransomware operations can appear polished while containing critical flaws. It also underscores the risk organizations take when paying ransoms, as data may be unrecoverable even if the attackers intend to provide decryption.

Hackers Earning Millions from Hijacked Cargo, FBI Says

Article Link: https://therecord.media/hackers-earning-millions-from-hijacked-cargo-fbi

  • The Federal Bureau of Investigation reports cargo theft reached nearly $725 million across the U.S. and Canada last year, driven by actors posing as brokers and carriers to reroute high-value shipments.
  • Over the past two years, attackers gained access to broker and carrier systems, manipulated load boards, created fake listings, and used double-brokering to divert deliveries and collect goods.
  • Losses rose 60% in 2025, with average theft values up 36%, affecting sectors from vaping products to auto dealers, where entire vehicle shipments have been diverted and taken.
  • The FBI calls for stronger identity validation for brokers and carriers, deeper review of load (freight) board activity, and tracking of shipment changes to detect unauthorized rerouting.
  • FBI PSA: https://www.ic3.gov/PSA/2026/PSA260430

Microsoft to Roll Out Entra Passkeys on Windows in Late April 

Article Link: https://www.bleepingcomputer.com/news/microsoft/microsoft-to-roll-out-entra-passkeys-on-windows-in-late-april/ 

  • Microsoft is introducing passkey support for Windows devices to enable phishing-resistant, passwordless sign-ins to Microsoft Entra–protected resources, including on personal and unmanaged devices.
  • Passkeys are not transmitted over the network, making them harder to steal via phishing, credential stuffing, or malware, and significantly reducing reliance on traditional passwords.
  • This strengthens protection against credential theft campaigns that target Entra SSO and software-as-a-service applications.
  • Microsoft is extending passwordless authentication beyond corporate-managed devices, allowing it to be implemented on personal systems as well.
