
Global Operation PowerOFF Seizes 53 DDoS Domains

Cybersecurity · 3 sources · Digest score: 30

A multinational law enforcement operation dubbed Operation PowerOFF dismantled infrastructure supporting commercial distributed denial-of-service (DDoS)-for-hire services, seizing 53 domains, taking four people into custody and executing about 25 search warrants. Authorities from 21 countries, coordinated by Europol and partners, recovered databases containing more than 3 million user accounts and sent warning emails and letters to over 75,000 suspected users identified from the seized systems. The crackdown also removed more than 100 advertising URLs for booter services from search results and ran targeted search ads to deter would-be users. Officials said the action disrupted IP stressers and other technical components that allowed non-technical criminals to launch attacks on websites, servers and networks — activities tied to extortion, hacktivism and disruption of online services. The operation builds on earlier takedowns and follows a recent pattern of law enforcement targeting easily accessible DDoS-for-hire tools that can inflict large-scale outages and economic harm.

OpenAI launches Advanced Account Security with Yubico

Cybersecurity · United States · 5 sources · Digest score: 30

OpenAI has launched Advanced Account Security (AAS), an opt-in, phishing-resistant protection tier for ChatGPT and Codex accounts announced April 30–May 1, 2026. AAS removes password and email/SMS recovery routes, requiring two passkeys, two FIDO2 hardware keys, or a combination; it shortens session lengths, issues login alerts, and automatically opts enrolled accounts out of model training. OpenAI partnered with Yubico to offer co-branded YubiKey bundles (YubiKey C NFC and YubiKey C Nano) at a discounted two-pack price to lower adoption barriers. The company says AAS targets high-risk users — journalists, political dissidents, researchers, elected officials — but is available to all tiers, including free users. Members of OpenAI’s Trusted Access for Cyber program must enable AAS or demonstrate equivalent phishing-resistant auth by June 1. AAS also carries a trade-off: if users lose registered keys and recovery material, OpenAI cannot restore account access, potentially making chat histories irretrievable. The rollout follows broader industry and OpenAI moves toward stronger account defenses amid rising credential theft and targeted phishing campaigns.

Critical cPanel Authentication Bypass Actively Exploited

Cybersecurity · 6 sources · Digest score: 22

Security researchers and hosting providers warned on April 28–30, 2026 that a critical authentication bypass in cPanel and WebHost Manager (CVE-2026-41940) is being actively exploited in the wild. The flaw, rated 9.8 CVSS, affects all supported cPanel/WHM versions after 11.40 and WP Squared builds, and allows attackers to forge authenticated sessions via a CRLF injection and session-token manipulation to gain root-level access. Rapid7 scans indicate roughly 1.5 million cPanel instances exposed online, though the number of vulnerable systems is unknown. Evidence suggests exploitation began as early as February 23, and a public proof-of-concept and technical writeups have been released. cPanel published emergency patches across multiple version branches and supplied detection scripts; several major hosts (including Namecheap and HostGator) temporarily blocked cPanel ports and applied fixes. CISA added the CVE to its Known Exploited Vulnerabilities list. Recommended mitigations include immediate patching, restarting cPanel services, blocking ports 2083/2087/2095/2096, and running detection tools to hunt for indicators of compromise.

Massive Stalkerware Leak Exposes Celebrity Screenshots

Cybersecurity · 3 sources · Digest score: 20

A cybersecurity researcher has found a publicly accessible cloud repository holding 86,859 screenshots, private messages and personal documents apparently collected via stalkerware from a European celebrity’s phone. Jeremiah Fowler of Black Hills Information Security discovered the open, unprotected dataset and says the files — spanning mid-2024 to mid-2025 — included intimate photos, chat logs from Instagram, Facebook, TikTok and WhatsApp, invoices, partial payment details and phone numbers of the victim’s contacts. Fowler reported the exposure to the cloud host and local law enforcement; he did not name the victim or the hosting company. The repository’s name and characteristics point to Cocospy, an off-the-shelf spy app previously taken offline after earlier breaches. Researchers warn the incident shows the compounded danger of stalkerware: not only are primary victims surveilled, but the data collected can create secondary victims when insecure storage is breached. The researcher attempted to contact affected contacts and urged authorities and the host to secure the data.

Critical Gemini CLI RCE Patch Risks CI/CD

Cybersecurity · United States · 4 sources · Digest score: 19

Google has released emergency patches to fix a maximum-severity (CVSS 10.0) remote code execution flaw in its Gemini command-line interface and the google-github-actions/run-gemini-cli workflow, warning that unpatched CI/CD pipelines processing untrusted inputs could be exploited. The vulnerability, disclosed by researchers Elad Meged of Novee Security and Dan Lisichkin of Pillar Security and detailed publicly on April 30, 2026, stemmed from Gemini CLI’s headless mode automatically trusting workspace folders and loading configuration and environment variables before sandboxing. An attacker could plant malicious config files via a pull request and achieve command execution on the host, exposing secrets, credentials and source code. Google patched @google/gemini-cli in versions 0.39.1 and 0.40.0-preview.3 and the GitHub Action in 0.1.22. The fix removes implicit workspace trust and tightens tool allowlisting (including changes to --yolo behavior). Operators who pinned versions or relied on previous permissive behavior should review workflows: defaulting to the newest CLI release may cause some pipelines to fail unless workflows are updated to explicitly trust folders or harden against untrusted inputs.

Mini Shai-Hulud supply-chain campaign hits npm and PyPI

Cybersecurity · 3 sources · Digest score: 19

A widespread supply-chain campaign dubbed “Mini Shai-Hulud” compromised popular npm and PyPI packages on April 29-30, 2026, stealing developer and cloud credentials and spreading through developer tooling. Security firms Wiz, Socket, SafeDep, Aikido Security and others linked the operation to the cybercrime group TeamPCP. Poisoned npm releases included mbt@1.2.48, @cap-js/db-service@2.10.1, @cap-js/postgres@2.2.2 and @cap-js/sqlite@2.2.2 (collectively ~572,000 weekly downloads), plus intercom-client@7.0.4/7.0.5 (~360,000 weekly downloads). PyPI package lightning@2.6.2/2.6.3 was also tainted. Malicious preinstall hooks and import-time payloads harvested GitHub tokens, npm credentials, GitHub Actions secrets, and cloud credentials for AWS, Azure, GCP and Kubernetes. Attackers encrypted stolen data and exfiltrated it to public GitHub repositories created under victims’ accounts, then used stolen tokens to add malicious Actions workflows and publish further poisoned releases. Analysts say the campaign abused npm OIDC trusted publishing and, troublingly, persisted via Visual Studio Code and Claude Code configuration files, expanding attack surfaces beyond build systems into developer workstations and AI-assisted coding tools.
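A defender-side check for the poisoned releases named in this story, written here as an added example (it is not code from Wiz, Socket, SafeDep, Aikido or any other party cited): it scans a package-lock.json structure and a pip freeze listing for the exact npm and PyPI versions the summary lists. The lockfile and requirements text below are constructed samples.

```python
import json
import re

# Exact compromised releases named in the story (list built from the page text).
COMPROMISED_NPM = {
    "mbt": {"1.2.48"},
    "@cap-js/db-service": {"2.10.1"},
    "@cap-js/postgres": {"2.2.2"},
    "@cap-js/sqlite": {"2.2.2"},
    "intercom-client": {"7.0.4", "7.0.5"},
}
COMPROMISED_PYPI = {"lightning": {"2.6.2", "2.6.3"}}


def npm_lockfile_hits(lock: dict) -> list:
    """Return sorted (name, version) pairs in a package-lock.json that match the list.

    Handles lockfileVersion 2/3 ("packages" keyed by install path) and the
    legacy v1 nested "dependencies" tree; a v2 file carries both, so results are deduplicated.
    """
    hits = set()
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue  # the "" key is the root project itself
        # Install path ends in "node_modules/<name>"; scoped names keep "@scope/".
        name = path.split("node_modules/")[-1]
        if meta.get("version") in COMPROMISED_NPM.get(name, set()):
            hits.add((name, meta["version"]))

    def walk(deps: dict) -> None:
        for name, meta in deps.items():
            if meta.get("version") in COMPROMISED_NPM.get(name, set()):
                hits.add((name, meta["version"]))
            walk(meta.get("dependencies", {}))  # v1 nests transitive deps

    walk(lock.get("dependencies", {}))
    return sorted(hits)


def pip_freeze_hits(text: str) -> list:
    """Return (name, version) pairs from 'name==version' lines that match the PyPI list."""
    hits = []
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9_.\-]+)\s*==\s*([0-9][^\s;#]*)", line)
        if m and m.group(2) in COMPROMISED_PYPI.get(m.group(1).lower(), set()):
            hits.append((m.group(1).lower(), m.group(2)))
    return hits


# Constructed sample inputs: one clean and two poisoned npm entries, one poisoned PyPI pin.
SAMPLE_LOCK = json.loads('{"lockfileVersion": 3, "packages": {"": {"name": "demo-app"},'
                         ' "node_modules/intercom-client": {"version": "7.0.5"},'
                         ' "node_modules/@cap-js/sqlite": {"version": "2.2.1"},'
                         ' "node_modules/mbt": {"version": "1.2.48"}}}')
SAMPLE_FREEZE = "numpy==1.26.4\nlightning==2.6.3\nrequests>=2.31\n"
```

Point the two functions at a real package-lock.json (json.load) and the output of pip freeze; any hit means the environment installed a release named in the story and its credentials should be treated as exposed.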