Cybersecurity firm Trellix has been hit by a ransomware attack, with the RansomHouse group claiming responsibility and publishing screenshots showing access to internal services and management dashboards. Trellix confirmed that part of its source code repository was breached but says there's no evidence the code was exploited or that its distribution process was affected. The timing of the attack suggests a possible connection to a broader supply chain campaign that has also impacted other security firms like Checkmarx and Bitwarden, though that link hasn't been confirmed.

A new malware campaign called PCPJack is targeting systems already infected by the notorious TeamPCP hacking group, removing their tools before deploying its own credential-stealing framework. SentinelOne researchers believe this may be a former TeamPCP operator, as the malware targets similar cloud services and systems but focuses on stealing credentials for spam campaigns, financial fraud, and potential extortion. The sophisticated framework spreads by exploiting known vulnerabilities in web applications and cloud services, stealing everything from cryptocurrency wallets to enterprise credentials across platforms like AWS, Kubernetes, GitHub, and Slack.

The Canvas learning management system, used by thousands of schools and universities worldwide, went offline Thursday during a cyberattack claimed by the hacking group ShinyHunters. The outage came at a critical time as students prepare for final exams, with the hackers allegedly accessing billions of private messages and records from nearly 9,000 schools while threatening to leak the data unless extortion payments are made. Schools from Harvard to the University of Iowa scrambled to find workarounds, with some institutions like the University of Texas at San Antonio postponing finals scheduled for Friday.

AI evaluation platform Braintrust is urging customers to rotate their API keys after hackers breached an internal AWS account on May 4th, potentially exposing credentials used to access AI models from companies like OpenAI and Anthropic. While only one customer has confirmed impact so far, security experts warn the real risk extends to downstream organizations including Box, Cloudflare, Dropbox, and Stripe, whose AI provider credentials may have been stored in Braintrust's system. The incident highlights a new supply chain vulnerability where AI observability tools become credential warehouses and prime targets for attackers.

Poland's Internal Security Agency has reported that five water treatment plants were breached in 2025, with attackers gaining access to industrial control systems through weak passwords and internet-exposed systems. In some cases, hackers obtained the ability to modify operational parameters that could have directly threatened public water supplies. The agency attributes the attacks to Russian state-sponsored groups including APT28 and APT29, as well as Belarusian-linked actors, as part of a broader surge in cyberattacks targeting Poland's critical infrastructure.

Cybersecurity researchers have discovered a new Linux backdoor called PamDOORa that targets SSH credentials by exploiting PAM modules, which are Linux's authentication framework. The malware allows attackers to steal login credentials while maintaining persistent access to compromised systems, making it particularly dangerous for server environments. Security experts warn that this represents an increasingly sophisticated approach to credential theft on Linux systems, with organizations urged to monitor their PAM modules for unauthorized modifications.

A new analysis of 25 million security alerts reveals that organizations miss an average of one legitimate threat per week, primarily because low-severity warnings are overwhelming security teams. The data shows that the sheer volume of minor alerts creates blind spots, causing critical threats to slip through undetected as analysts struggle to prioritize what matters. This highlights a growing challenge in cybersecurity where alert fatigue is directly enabling attackers to exploit overlooked vulnerabilities.

Security researchers have discovered a new campaign using the Quasar Linux RAT malware specifically targeting software developers to steal their credentials and compromise the software supply chain. The malware is designed to infiltrate developer systems and extract authentication tokens and credentials that could allow attackers to inject malicious code into legitimate software products. This represents a growing threat trend where cybercriminals focus on compromising the development process itself rather than attacking end users directly.

WhatsApp has disclosed two medium-severity vulnerabilities that were patched earlier this year, both discovered through Meta's bug bounty program. The first flaw affected WhatsApp for Windows, allowing attackers to disguise malicious executables as harmless files, while the second impacted iOS and Android versions, potentially enabling attackers to redirect users to phishing sites or trigger custom URL schemes through improperly validated AI rich response messages for Instagram Reels. Meta says there's no evidence these vulnerabilities were exploited in the wild, and both issues were responsibly reported by security researchers.

Attackers are actively exploiting two critical vulnerabilities in enterprise software widely used in China. The first flaw in MetInfo, a content management system, allows remote code execution through unauthenticated PHP code injection, with exploitation surging over the weekend primarily targeting servers in Singapore. Separately, threat actors are exploiting a vulnerability in Weaver E-cology, an office automation platform, using exposed debug functionality as a persistent shell to execute arbitrary commands without needing authentication.