Two concurrent CRITICAL exploits dominate: CVE-2026-31431 "Copy Fail", a Linux local privilege escalation affecting every distribution since 2017 (732-byte PoC public, CISA KEV deadline May 15), and CVE-2026-41940, a cPanel pre-auth RCE targeting 1.5M servers, including Southeast Asian military portals. Also covered: the BlueHammer/RedSun Windows Defender zero-days (KEV deadline May 7, tomorrow), the Team PCP AI supply chain worm (PyTorch Lightning + LiteLLM SQLi), Lynx ransomware attacks on healthcare, and Iranian ICS/OT PLC exploitation. Includes 8 KQL hunting queries and 5 high-fidelity detection rules.
Nation-state activity continues from APT28 (PRISMEX + SLIMAGENT), Mustang Panda (LOTUSLITE v2), and BRICKSTORM. The new APT group TGR-STA-1030 has breached government organisations in 37 countries. Six ransomware groups are active. Includes 12 KQL hunting queries, 10 detection rules, and a full MITRE ATT&CK mapping.
cPanel CVE-2026-41940 (CVSS 9.8) was exploited for months before the patch. DPRK PromptMink npm supply chain operation targets crypto developers. Chrome WebGPU zero-day CVE-2026-5281 confirmed in the wild. Qilin ransomware claims 11 victims in a single 24-hour window.