Cyber News: Week Ending May 1, 2026

This week’s cyber threat landscape was dominated by nation-state espionage, a critical zero-day silently exploited for months, a fresh supply chain attack hitting developer tools, and ransomware groups going after major insurance companies. From DNS hijacking at scale to dangerous AI platform vulnerabilities and zero-day exploits hitting major services, we’ve compiled the week’s most important stories for small businesses and everyday users who need to know what’s happening, and what to do about it.

1. Russian State Hackers Compromise 18,000 Routers in Global DNS Hijacking Campaign
A Russian state-sponsored group known as APT28 (Forest Blizzard) has been quietly compromising home and small office routers worldwide since May 2025. By modifying DNS settings on MikroTik and TP-Link routers, attackers redirected internet traffic to spy on targets in government, military, and critical infrastructure sectors. At its peak in December 2025, over 18,000 infected routers from 120+ countries were communicating with Russian intelligence infrastructure. The FBI and DOJ disrupted the operation in what they called “Operation Masquerade.”

BET-R Actions: Check your router’s DNS settings (usually found in your router admin panel at 192.168.1.1 or 192.168.0.1). Your DNS servers should be set by your ISP or to a trusted provider like Google (8.8.8.8) or Cloudflare (1.1.1.1) and not an unfamiliar IP address. If your router firmware hasn’t been updated in over a year, update it now. If you use MikroTik or TP-Link routers specifically, change your admin credentials and verify your DNS settings immediately.

2. cPanel Zero-Day Exploited for Months Before a Patch Was Released (CVE-2026-41940)
A critical authentication bypass vulnerability in cPanel, the web-based control panel used by millions of website owners and hosting providers, was being exploited in the wild since at least February 2026, months before a patch was released on April 28. Attackers could use this flaw to gain full administrator-level access to any vulnerable cPanel server without a username or password. With approximately 650,000 cPanel instances exposed on the internet, this is a widespread and serious threat. CISA added it to its Known Exploited Vulnerabilities catalog on May 1.

BET-R Actions: If your website is hosted on a shared hosting platform (GoDaddy, Bluehost, HostGator, etc.), contact your hosting provider and ask if they’ve applied the CVE-2026-41940 patch. If you self-manage a cPanel/WHM server, update to the latest version immediately and verify cpsrvd has been restarted. Block external access to ports 2083, 2087, 2095, and 2096 at your firewall if you are not actively using them.

3. Developer Tools Poisoned in ‘Mini Shai-Hulud’ Supply Chain Attack Targeting SAP Packages
Attackers compromised four widely used SAP npm packages on April 29, injecting credential-stealing malware that targeted developer credentials, cloud service secrets (AWS, Azure, GCP), GitHub tokens, and browser-saved passwords. The malware then self-propagated by injecting a malicious GitHub Actions workflow into every repository it could access, effectively spreading itself to downstream projects. Over 1,100 compromised repositories were identified. Notably, the malware also targeted AI coding tools like Claude Code and VS Code, marking one of the first known supply chain attacks to use AI agent configurations as a persistence vector.

BET-R Actions: If your development team uses SAP npm packages (mbt, @cap-js/db-service, @cap-js/postgres, or @cap-js/sqlite), audit your package versions immediately and update to the safe versions released after April 29. Rotate any GitHub tokens, npm tokens, and cloud credentials (AWS, Azure, GCP) that may have been present on affected developer machines. Review your GitHub Actions workflows for any unexpected additions.
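As an added example (not from the original post or from BET-R), a Python script that reports which of the four named SAP packages appear in a project's package-lock.json and lists workflow files under .github/workflows that are not in a known-good baseline you supply. The lockfile contents, version numbers and baseline below are constructed; the safe package versions are not given on the page, so the script reports what is installed rather than judging it.

```python
import json
from pathlib import Path

# Packages named in the advisory. Safe versions are not known here, so the
# script only reports which ones are installed and at what version.
WATCHED = {"mbt", "@cap-js/db-service", "@cap-js/postgres", "@cap-js/sqlite"}

def find_watched_packages(lock_text: str) -> dict:
    """Return {package_name: version} for watched packages in a package-lock.json.
    Handles lockfileVersion 1 ("dependencies" tree) and 2/3 ("packages" map)."""
    lock = json.loads(lock_text)
    found = {}
    # lockfile v2/v3: flat map keyed by install path, e.g. "node_modules/mbt"
    for path, meta in lock.get("packages", {}).items():
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        if name in WATCHED:
            found[name] = meta.get("version")
    # lockfile v1: nested "dependencies" tree, walked recursively
    def walk(deps):
        for name, meta in deps.items():
            if name in WATCHED:
                found.setdefault(name, meta.get("version"))
            walk(meta.get("dependencies", {}))
    walk(lock.get("dependencies", {}))
    return found

def unexpected_workflows(workflow_dir: str, baseline: set) -> set:
    """Workflow files (*.yml / *.yaml) in workflow_dir that are not in the baseline."""
    d = Path(workflow_dir)
    present = {p.name for p in d.glob("*.y*ml")} if d.is_dir() else set()
    return present - baseline

# Constructed sample lockfile (not from any real project) for a stand-alone run.
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/mbt": {"version": "1.2.3"},
        "node_modules/@cap-js/sqlite": {"version": "2.0.0"},
        "node_modules/express": {"version": "4.19.2"},
    },
})

if __name__ == "__main__":
    for name, version in sorted(find_watched_packages(SAMPLE_LOCK).items()):
        print(f"REVIEW {name}@{version}: confirm it was published after the April 29 fix")
    # Baseline is whatever workflow files your team knowingly committed.
    for wf in sorted(unexpected_workflows(".github/workflows", {"ci.yml"})):
        print(f"UNEXPECTED workflow file: {wf}")
```

Run it from the repository root; any workflow file it lists that nobody on the team added deserves a look at its git history before the next push.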

4. Everest Ransomware Claims Liberty Mutual Breach: Policyholder Data at Risk
The Everest ransomware group (the same group that claimed breaches of Citizens Bank and Frost Bank last week) has now listed Liberty Mutual as a victim, claiming to have stolen thousands of individual policyholder records including sensitive personal and insurance data. A countdown clock threatening a full public data dump has been set. Liberty Mutual has not yet confirmed the breach details.

BET-R Actions: If you are a Liberty Mutual policyholder, monitor your email and the Liberty Mutual website for breach notification communications. Watch your credit reports and financial accounts for unusual activity. Consider placing a fraud alert with the major credit bureaus (Equifax, Experian, TransUnion) as a precaution. Do not respond to any emails claiming to be from Liberty Mutual asking you to verify information; wait for official, direct communication from the company.

5. Critical GitHub RCE Flaw (CVE-2026-3854): One Git Push Could Compromise Your Repo
Researchers discovered a critical Remote Code Execution vulnerability in GitHub (CVE-2026-3854) that could allow an attacker to compromise an entire repository with a single malicious Git push. With 88% of self-hosted GitHub servers reportedly exposed to this flaw, the risk to businesses that run their own GitHub Enterprise instances is significant. A patch has been released but must be applied manually by organizations running self-hosted GitHub servers.

BET-R Actions: If your business is building or using custom AI tools powered by MCP, have your development team review OX Security’s advisory immediately. If you’re using off-the-shelf AI tools, ask your vendor about their MCP exposure and patching status.

Recent Incidents This Week
Ransomware groups continued to escalate their targeting of financial and insurance companies, while supply chain attacks showed increasing sophistication in how they spread and persist.

  • Liberty Mutual: claimed as a breach victim by the Everest ransomware group, which previously claimed Citizens Financial Group and Frost Bank last week. The group has posted a countdown threatening to publicly dump policyholder records.
    What this means for you: Ransomware groups are now systematically targeting the insurance sector: companies that hold deep personal and financial data on millions of Americans. If you have any insurance policy, your data could be in the crosshairs.
  • The ‘Mini Shai-Hulud’ npm supply chain attack exposed a growing trend: attackers are now weaponizing AI coding tools (Claude Code, VS Code) as persistence and propagation vectors.
    What this means for you: If your business relies on software vendors or contractors who use these developer tools, their compromised machines could introduce malicious code into software you rely on. Ask your vendors about their supply chain security practices.

How Individuals and Small Businesses Can Respond
This week’s threats span your router, your website hosting, your developer tools, and your insurance company. Here’s what to prioritize:

  • Log into your router admin panel and verify your DNS settings are pointing to a legitimate provider
  • Contact your web hosting provider and confirm the cPanel CVE-2026-41940 patch has been applied
  • If you use Liberty Mutual insurance, monitor for breach notifications and consider a credit bureau fraud alert
  • Rotate cloud credentials and GitHub tokens if any of your developers use SAP npm packages
  • If you run a self-hosted GitHub server, apply the CVE-2026-3854 patch today
  • Review your router’s firmware version, and if it’s more than a year old, update it
  • Enable multi-factor authentication (MFA) on all accounts where it’s available

Citations:
Russian APT28 DNS Hijacking Campaign (Operation Masquerade) — The Hacker News
FBI Disrupts Russian GRU Router Espionage Network — Security Week
cPanel Zero-Day CVE-2026-41940 Actively Exploited — Help Net Security
Mini Shai-Hulud SAP npm Supply Chain Attack — The Hacker News
Everest Ransomware Claims Liberty Mutual Breach — Cybernews
Critical GitHub RCE CVE-2026-3854 — Help Net Security
