Cybersecurity Radar — 2026-05-04

Cybersecurity Radar | May 4, 2026 | 7 min read

A malicious software supply chain attack targeting widely-used npm packages (versions 2.6.2 and 2.6.3, published April 30, 2026) has emerged as the most critical fresh development of the day. Meanwhile, a new Windows attack technique dubbed "ConsentFix v3" is circulating on hacker forums, and AI-powered ransomware continues to reshape the global threat landscape — with victims reaching 7,831 in 2025, a staggering 389% increase.

🔴 Critical Alerts

Malicious npm Package Supply Chain Attack (versions 2.6.2 and 2.6.3) Security researchers at OX Security, Socket, and StepSecurity confirmed that two malicious versions of a popular npm package — versions 2.6.2 and 2.6.3, both published on April 30, 2026 — contain embedded malware. Any developer or organization that pulled these versions into their pipeline in the past week is potentially compromised. Immediate action: audit your dependency trees, remove the affected versions, and rotate any secrets that may have been exposed in affected environments.

"ConsentFix v3" Windows Attack Technique Circulating on Hacker Forums BleepingComputer reported on May 2, 2026, that a new attack type dubbed "ConsentFix v3" has emerged on hacker forums. The technique builds on a previous exploit by adding automation and scaling potential, making it significantly more dangerous for widespread deployment. Organizations running Windows environments should monitor for suspicious consent prompt manipulation and review endpoint detection rules to cover this variant. The technique targets Windows user consent flows to escalate privileges.

Source (techtarget.com): Critical infrastructure and OT cybersecurity attacks are a growing concern in 2026

Threat Landscape

AI-Powered Ransomware Reaches Record Victim Counts Global ransomware victims surged to 7,831 in 2025 — a 389% increase — as AI-powered crime tools dramatically lowered the barrier to sophisticated attacks. Reporting published around May 1, 2026, highlights how cybercrime has evolved into a highly organized ecosystem, with AI enabling threat actors to scale attacks that previously required substantial technical expertise. The manufacturing sector remains disproportionately affected, with ransomware responsible for up to 90% of cyber losses in that vertical.

Related headline: AI-powered ransomware surge hitting 7,831 victims worldwide

KRYBIT Ransomware, BRICKSTORM Backdoors, and Deepfake Vishing Active As of May 1, 2026, the most reported active threats include KRYBIT ransomware, BRICKSTORM backdoors, and deepfake-powered vishing (voice phishing) campaigns. BRICKSTORM backdoors in particular are associated with sophisticated intrusion campaigns, while deepfake vishing represents a growing social engineering vector that bypasses traditional security awareness training. Organizations should brief employees on voice-based fraud and ensure out-of-band verification processes for financial or credential requests.

Critical Infrastructure and OT Under Sustained Attack A TechTarget news brief published May 2, 2026, documents that attacks on critical infrastructure and operational technology (OT) environments are "running rampant." The convergence of IT and OT networks continues to expand the attack surface, and nation-state actors have demonstrated capability to penetrate highly secured systems. Energy, water, and manufacturing OT environments are prime targets.

Source: cybersecuritynews.com

Vulnerabilities & Patches

Linux Kernel "Copy Fail" Zero-Day — Roots Every Major Distribution Since 2017 A critical zero-day vulnerability in the Linux kernel, disclosed approximately 4 days before this publication, enables any unprivileged local user to achieve root access on virtually every major Linux distribution shipped since 2017. This is an extreme-severity local privilege escalation flaw. Patch status is ongoing — monitor your distribution's security advisories for emergency kernel updates and apply them immediately. Restrict local user access where possible until patches are confirmed deployed.

Related headline: Linux Kernel zero-day "Copy Fail" vulnerability allows privilege escalation to root

cPanel Zero-Day CVE-2026-41940 — Exploited for Months Before Patch A critical vulnerability in the cPanel web hosting control panel (CVE-2026-41940) was exploited by attackers for months prior to a patch being released, Help Net Security reported. Any organization running cPanel-based hosting environments should apply the patch immediately and conduct a retrospective review for indicators of compromise dating back several months. This is especially urgent for managed hosting providers.

Related headline: cPanel zero-day CVE-2026-41940 was actively exploited before any patch was available

Incomplete Windows Patch Opens Door to Zero-Click Attacks (APT28 Link) An incomplete Microsoft Windows patch has left systems exposed to zero-click attacks capable of exposing sensitive information, The Register reported. Notably, the original vulnerability was exploited by Russia-linked APT28 (Fancy Bear) in campaigns against Ukraine and EU countries. Despite a patch attempt, attackers can still exploit the flaw. CISA has ordered federal agencies to patch this vulnerability. Organizations should verify their Windows patch status and consult Microsoft's latest security advisories.

Sources: cybersecuritynews.com, helpnetsecurity.com

Breaches & Incidents

April 2026 Major Incidents — Diverse Sectors Hit CM-Alliance's April 2026 incident review, published within the past week, documents another surge in cyberattacks and ransomware incidents affecting diverse sectors. The report emphasizes the continued need for robust cyber resilience across industries including healthcare, finance, and manufacturing. Organizations should review incident response plans and ensure backup integrity.

Related headline: April 2026 saw a surge in cyberattacks, ransomware, and data breaches across multiple sectors

OT/Critical Infrastructure Incidents Running Rampant Multiple critical infrastructure organizations have been compromised in attacks documented through early May 2026, per TechTarget reporting. The incidents span both IT-facing and OT-facing systems, with some attackers demonstrating persistence within operational networks for extended periods before detection. Affected sectors include energy and utilities.

Source: cm-alliance.com

Industry & Policy

CISA Mandates Federal Windows Patching for Zero-Day Flaw The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a binding operational directive ordering federal civilian agencies to patch the actively exploited Windows flaw linked to APT28 activity against Ukraine and EU targets. The order reflects the severity of the incomplete patch situation and the active exploitation of the vulnerability in geopolitically motivated campaigns. Private sector organizations are strongly advised to follow the same patching guidance.

AI Lowering Barrier to Sophisticated Attacks — Government and Public Sector at Risk Trend Micro's Q1 2026 intelligence report (published approximately 4 weeks ago, still operationally relevant) warns that AI is simultaneously lowering the barrier to sophisticated attacks while expanding the attack surface through rapid adoption of AI-enabled government services. Nation-state actors have demonstrated ability to penetrate even the highest-security government environments. This trend is materializing in real attacks observed through early May 2026.

Software Supply Chain Security Under Fresh Scrutiny The discovery of malicious npm package versions 2.6.2 and 2.6.3 (published April 30, 2026) has renewed urgent attention on software supply chain security. Security vendors OX Security, Socket, and StepSecurity were credited with identifying the malicious packages. This incident underscores the need for organizations to implement automated dependency scanning, software composition analysis (SCA), and verification of package integrity before deployment.


What to Watch

  • Supply chain attacks via package repositories are escalating. The npm incident involving versions 2.6.2 and 2.6.3 is the latest in a pattern — expect more malicious packages to be discovered in npm, PyPI, and other registries in coming days as researchers investigate related artifacts.
  • Linux kernel patching window is critical. The "Copy Fail" zero-day affects virtually every major distribution since 2017. Expect distribution vendors (Red Hat, Ubuntu, Debian, etc.) to push emergency kernel updates imminently — track your vendor channels and apply patches the moment they become available.
  • ConsentFix v3 adoption likely to accelerate. Now that the technique is circulating on hacker forums with automation built in, expect to see it deployed in phishing and initial-access campaigns targeting Windows enterprise environments within days to weeks.

Reader Action Items

  1. Audit npm dependencies immediately. If any project or pipeline pulled package versions 2.6.2 or 2.6.3 published around April 30, 2026, treat the environment as compromised: rotate all secrets, audit logs for lateral movement, and remove the malicious packages. Enable automated SCA scanning to catch future supply chain incidents.

  2. Patch Linux systems and Windows endpoints now. Apply emergency Linux kernel patches as they become available from your distribution vendor to address the "Copy Fail" privilege escalation zero-day. Simultaneously, verify that the Windows patch addressing the zero-click APT28-linked vulnerability is fully applied — CISA has mandated this for federal agencies.

  3. Brief employees on deepfake vishing and harden OT network segmentation. With deepfake vishing actively in the wild, update employee security awareness training to include voice-based fraud recognition and enforce out-of-band verification for sensitive requests. For OT environments, audit network segmentation between IT and OT systems to limit blast radius from the wave of critical infrastructure attacks documented this week.

This content was collected, curated, and summarized entirely by AI — including how and what to gather. It may contain inaccuracies. Crew does not guarantee the accuracy of any information presented here. Always verify facts on your own before acting on them. Crew assumes no legal liability for any consequences arising from reliance on this content.
