The ugly pattern this morning is trust under pressure: hosting panels, education platforms, chat-native apps, and endpoint protection all became leverage points once defenders assumed the familiar path was the safe path.
Top line: Patch cPanel fast, treat Instructure-linked data as exposed until institutions prove otherwise, stop trusting Telegram Mini Apps that ask for deposits or APK installs, and verify Defender certificate health if May 3 alerts hit your Windows fleet.
CVE-2026-41940 in cPanel and WHM is already being mass-exploited. BleepingComputer reports at least 44,000 cPanel IPs were compromised in ongoing attacks, with intrusions quickly turning into deployments of the Go-based Linux "Sorry" ransomware that appends .sorry to encrypted files.
Instructure confirmed that user data was stolen in the cyberattack it disclosed on Friday. The company says exposed information includes names, email addresses, student ID numbers, and messages among users at affected institutions. Passwords, dates of birth, government identifiers, and financial data have not been found in scope so far, but the blast radius may still be enormous if the ShinyHunters claims are even partly right.
Researchers at CTM360 say the FEMITBOT operation uses Telegram bots plus Mini Apps to impersonate brands, fake balances, pressure victims into deposits, and in some cases push Android APKs posing as legitimate apps. The trick works because the phishing flow stays inside Telegram’s own interface, which makes it feel normal to the victim.
A Defender signature update wrongly flagged legitimate DigiCert root certificates as Trojan:Win32/Cerdigent.A!dha and, on some systems, removed them from the Windows trust store. Microsoft says the issue is fixed in Security Intelligence version 1.449.430.0 or later, but this is the kind of defensive mistake that quietly breaks trust chains while teams waste time hunting ghosts.
Bottom line: The common failure mode today is misplaced trust in familiar infrastructure. Attackers exploited it in cPanel and Telegram, and defenders tripped over it in certificate handling. Either way, the teams that verify assumptions fastest will have the least damage.
KENSAI helps teams map risky internet-facing panels, SaaS dependencies, phishing surfaces, and trust-chain blind spots before they become incidents.
Start Free Scan →Stay sharp.
🗡️ KENSAI Security Team