Top news stories this week
- Patch now. Websites hosted on cPanel at risk of takeover.
- All that shines. Medtronic confirms system breach following Shiny Hunters attack.
- Firefighter required. Firestarter backdoor keeps burning after Cisco patches.
- Poisoned pipeline. Criminals target security tooling in destructive supply-chain attacks.
- Vibe coding foreboding. GitHub exploit exposes millions of repositories.
- ANTS under attack. Data of 100K individuals leaked in South Korean golf club breach.
1. Critical cPanel vulnerability puts millions of websites at risk of takeover
Threat actors are actively exploiting a critical-severity vulnerability (CVE-2026-41940) in cPanel and WebHost Manager (WHM) to take over websites, in some cases leaving behind ransom notes demanding payment in Bitcoin. cPanel is one of the most widely used web hosting control panels, so millions of websites are potentially exposed. The vulnerability allows a remote attacker to obtain root privileges without a password and affects all versions after 11.40.
So what?
Organisations using cPanel and WHM should immediately apply the patch released by cPanel and, because the vulnerability is already being exploited in the wild, conduct a forensic investigation for evidence of compromise rather than assuming the patch alone is sufficient.
[Researcher: James Tytler]
2. Shiny Hunters claim access to 9 million Medtronic records following breach
Medtronic, a global medical technology manufacturer, has confirmed a breach of its corporate IT environment. Shiny Hunters, the threat actor group that carried out the attack, claims to have exfiltrated 9 million records containing personally identifiable information. Medtronic has denied any impact on patient safety or on its products.
Separately, Shiny Hunters has also exfiltrated 5.5 million records in an attack on the home security firm ADT.
So what?
Data remains a primary target in cyberattacks, underlining the importance of identifying critical data and reviewing the controls in place to ensure it is appropriately protected.
[Researcher: Adelaide Parker]
3. Firestarter backdoor keeps burning after Cisco patches
A previously undisclosed backdoor, dubbed FIRESTARTER, has been discovered on Cisco ASA and Firepower firewall devices at a US federal agency. Attackers exploited two critical vulnerabilities (CVE-2025-20333 and CVE-2025-20362) to gain persistent access. The malware survives firmware updates and routine reboots, prompting CISA to warn that patching alone is insufficient: affected devices may need forensic analysis and a power reset or full reimaging to remove the threat.
So what?
The FIRESTARTER case reinforces that patching must be continuous and paired with verification that a device is actually clean, as advanced attackers can establish persistence before fixes are applied and that persistence outlives the patch.
[Researcher: Jenny Eysert]
4. Criminals target security tooling in destructive supply-chain attacks
Application security firm Checkmarx suffered a data breach after the LAPSUS$ group gained access to its GitHub repositories. The breach originated in an earlier supply-chain attack on the Trivy security scanner by the threat actor TeamPCP, in which the criminals obtained credentials that ultimately allowed them to access Checkmarx's GitHub environment.
Separately, victims of the Trivy supply-chain attack have been extorted by the ransomware group Vect, which partnered with TeamPCP to carry out the campaign. Organisations that paid Vect's ransom demands likely failed to recover their data, as Vect's poorly built ransomware behaved more like a wiper, irreversibly deleting files.
So what?
Organisations should build security into their software development processes: harden development pipelines (including the credentials and tokens they hold) and verify the provenance of supply-chain dependencies, security tooling included, before trusting them.
[Researcher: Milda Petraityte]
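Two pipeline checks that follow from the Trivy and Checkmarx incidents above, as an added example that is not code from the original article, from Aqua Security or from Checkmarx: refusing to run a downloaded scanner binary unless its SHA-256 matches a digest pinned in the repository, and flagging GitHub Actions `uses:` references that point at a mutable tag or branch rather than a full commit SHA. The file names, the workflow text and the "pinned" 40-hex value are constructed for illustration; the digest shown is the SHA-256 of the five bytes `hello`, standing in for a real release checksum.

```shell
#!/bin/sh
# Added example: two supply-chain checks for a CI pipeline that consumes a
# third-party security scanner. Not code from the original article, from
# Aqua Security or from Checkmarx. File names, the workflow text and the
# pinned SHA below are constructed for illustration.
#
#   verify_sha256 FILE EXPECTED  - exit 0 only if FILE's SHA-256 equals EXPECTED
#   unpinned_uses WORKFLOW       - print `uses:` references not pinned to a
#                                  40-hex commit SHA; exit 1 if any are found

# Portable SHA-256 (sha256sum on Linux, shasum on macOS/BSD).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Exit status 0 when FILE's digest equals EXPECTED (case-insensitive), 1 otherwise.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file"
        return 0
    fi
    echo "FAIL $file expected=$expected actual=$actual" >&2
    return 1
}

# Prints every `uses:` reference whose ref is not a 40-hex commit SHA.
# Exit status 0 when all references are pinned, 1 when any are not.
# Trailing "# comments" are stripped before the check. Local (./path) and
# docker:// references carry no @ref and are reported too; review those by hand.
unpinned_uses() {
    found=$(grep -E '^[[:space:]-]*uses:' "$1" \
        | sed -E 's/^[[:space:]-]*uses:[[:space:]]*//; s/[[:space:]]*(#.*)?$//' \
        | grep -v -E '@[0-9a-f]{40}$' || true)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Stand-alone demonstration with constructed inputs.
demo() {
    bin=$(mktemp); wf=$(mktemp)
    printf 'hello' >"$bin"   # stands in for a downloaded scanner binary
    # SHA-256 of the five bytes "hello"; the second call shows a mismatch
    verify_sha256 "$bin" 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
    verify_sha256 "$bin" 0000000000000000000000000000000000000000000000000000000000000000

    cat >"$wf" <<'EOF'
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
      - name: Run in-house scanner
        uses: example-org/scanner-action@main
EOF
    echo "Unpinned references:"
    unpinned_uses "$wf" || echo "(a real pipeline would fail the build here)"
    rm -f "$bin" "$wf"
}

demo
```

A tag such as `@v4` or a branch such as `@main` can be moved by anyone who gains write access to the upstream repository, which is exactly the position the Trivy attackers were in; a full commit SHA cannot be repointed without changing the reference in your own workflow. The checksum check closes the same gap for binaries fetched at build time, provided the expected digest is committed to your repository and not fetched from the same place as the binary.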
5. GitHub exploit exposes millions of repositories
In the wake of a GitHub exploit that allowed unauthorised access to millions of public and private repositories, commentators are warning that it is only a matter of time before a wave of 'vibe-coded' software enters production environments.
So what?
While a democratised, AI-driven approach to software development allows speed and scale, it remains crucial that software developed this way is subject to the same strict security evaluation as any other code.
[Researcher: Lester Lim]
6. Data of 100,000 individuals leaked in South Korean golf club breach
A South Korean golf club suffered a data breach exposing personal information of around 100,000 individuals, including names, birthdates, contact details, and passwords. Authorities believe the breach was caused by malware linked to a hacking group suspected of ties to North Korea.
So what?
Even relatively low-profile organisations like a golf club can be targeted by cyber threat actors. This underscores the persistent risk of data breaches and the need for strong baseline security controls.
[Researcher: Steve Ross]