Telegram Mini Apps Malware Targets cPanel – Immediate Patch Required


Key Takeaways

  • Cybercriminals are abusing Telegram’s Mini App feature to distribute Android malware and impersonate major brands.
  • CISA has ordered U.S. federal agencies to patch a critical cPanel vulnerability (CVE‑2026‑41940) after thousands of servers were already compromised.
  • The UK’s NCSC warns that AI‑accelerated vulnerability discovery will trigger a “patch wave” that organizations must prepare for amid rising technical debt.
  • A newly uncovered Linux kernel flaw, “Copy Fail” (CVE‑2026‑31431), affects virtually all major distributions released since 2017 and can grant full root access or container escape.
  • Google is overhauling its Vulnerability Reward Programs, boosting Android bounties to $1.5 M while reducing Chrome payouts to encourage higher‑quality, actionable reports.
  • Trellix disclosed a source‑code breach, though it claims no evidence of exploitation or data theft.
  • Ask.com is shutting down its search service after 25 years, marking the end of the early‑era “Jeeves” brand.

Telegram Mini Apps Deliver Android Malware
Researchers from Bahrain‑based CTM360 have uncovered a large‑scale fraud operation dubbed FEMITBOT that leverages Telegram’s Mini App functionality to create convincing, app‑like experiences inside the messaging platform. By embedding malicious Mini Apps within seemingly legitimate bots, attackers trick users into downloading Android malware that can steal credentials, hijack crypto wallets, and impersonate trusted brands such as Apple, Coca‑Cola, Disney, eBay, IBM, and NVIDIA. The campaign highlights how attackers are repurposing legitimate platform features to bypass traditional security controls, underscoring the need for heightened user vigilance and tighter vetting of third‑party Mini Apps by Telegram administrators.

CISA Orders Federal Agencies to Patch cPanel Bug by Sunday
Following a Friday advisory, the Cybersecurity and Infrastructure Security Agency (CISA) directed all U.S. federal agencies to remediate a severe vulnerability in the cPanel/WHM web‑hosting control panel (CVE‑2026‑41940) by the end of Sunday. The flaw, rated CVSS 9.8, allows attackers to gain full server control, exfiltrate data, or deploy ransomware. Shadowserver reports that at least 44,000 IP addresses running cPanel have already been compromised in ongoing attacks, with threat actors observed exploiting the bug since Thursday to install a Go‑based Linux encryptor for the “Sorry” ransomware. Industry leaders such as Hosting.com and KnownHost pre‑emptively firewalled customers to avoid mass compromise, illustrating the rapid, widespread impact of unpatched critical flaws.

British Cyber Agency Warns of Looming ‘Patch Wave’ Due to Speedy AI Flaw Discovery
The UK’s National Cyber Security Centre (NCSC) CTO Ollie Whitehouse warned that AI‑enabled vulnerability research is accelerating the discovery and exploitation of software flaws, potentially triggering a relentless “patch wave” of updates. In a blog post, Whitehouse urged organizations to proactively harden their environments, manage technical debt, and establish rapid‑response patching processes before the surge arrives. He noted that skilled actors using AI tools can identify weaknesses at scale, shortening the window between disclosure and exploitation. Preparing now—through asset inventory, prioritized remediation, and automated patch deployment—will be essential to avoid being overwhelmed when the next wave of vulnerabilities hits.

Vanta Sponsor Message
Risk and compliance demands are intensifying, and customers now expect verifiable proof of security before engaging in business. Vanta’s AI‑powered platform unifies compliance, risk management, and trust‑building into a single automated solution. Whether preparing for a SOC 2 audit or scaling an enterprise GRC program, Vanta helps organizations maintain continuous security posture while keeping sales cycles moving. Learn more at vanta.com/ciso.

Nearly Every Linux System Built Since 2017 Vulnerable to ‘Copy Fail’ Flaw
Security researchers at Theori disclosed a long‑standing Linux kernel vulnerability, dubbed Copy Fail (CVE‑2026‑31431), which remains present in virtually all major distributions released since 2017—including Ubuntu, Red Hat Enterprise Linux, Amazon Linux, and SUSE. The flaw stems from three seemingly innocuous kernel changes made in 2011, 2015, and 2017 that, when combined, allow any local user with a basic account to escalate to full root privileges. Moreover, it enables escape from confined cloud containers, letting a compromised application break out and seize control of the host server. Given Linux’s dominance in cloud infrastructure, the discovery poses a significant risk to servers, containers, and any service relying on these distributions.

Google Revamps Bug Bounties
In response to the evolving landscape of AI‑driven vulnerability research, Google has overhauled its Vulnerability Reward Programs (VRP) for Android and Chrome. Android bounty rewards have been increased to a maximum of $1.5 million for high‑impact, actionable reports that include concrete proof of concept, feasible exploit demonstrations, and suggested fixes. Conversely, Chrome payouts have been reduced, reflecting a strategic shift to incentivize quality over quantity. The updated program aims to attract researchers who can deliver substantive, reproducible findings that directly improve product security, aligning bounty structures with the heightened speed and sophistication enabled by AI tools.

Trellix Confirms Source Code Breach
Trellix, the cybersecurity firm formed from the 2022 merger of McAfee Enterprise and FireEye, announced that attackers gained unauthorized access to a portion of its source code. The company did not disclose which data was accessed, who was behind the intrusion, or how long it lasted, but emphasized that there is currently no evidence that the source code has been altered, exfiltrated, or exploited in the wild. Trellix is owned by Symphony Technology Group, and the incident adds to a growing list of security vendors facing supply‑chain‑style exposures, reminding the industry that even defenders must rigorously protect their own development environments.

Goodbye, Jeeves. Ask.com Closes Down
After a quarter‑century of operation, Ask.com—formerly known as Ask Jeeves—has officially ceased its search business. Launched in 1996 with a natural‑language question‑and‑answer interface reminiscent of today’s AI assistants, the service struggled to compete with Google’s rising dominance. IAC, which acquired Ask Jeeves in 2005, gradually phased out the “Jeeves” branding, ultimately announcing on May 1, 2026, that the search platform would be discontinued as part of a strategic focus shift. The closure marks the end of an early internet era and underscores how rapidly evolving user expectations and technological advances can render once‑popular services obsolete.


Overall, the past week’s headlines illustrate a cybersecurity landscape where attackers are weaponizing legitimate platform features (Telegram Mini Apps), exploiting long‑latent software flaws (cPanel, Linux kernel “Copy Fail”), and leveraging AI to accelerate both discovery and exploitation. Defensive responses—ranging from urgent federal patching orders to proactive AI‑readiness warnings and enhanced bounty programs—reflect a shared recognition that speed, coordination, and continual improvement are essential to stay ahead of emerging threats.
