
One copy too many.
A critical Linux flaw dubbed “Copy Fail” raises alarm. The House moves to extend Section 702. The White House pushes back on expanded Mythos access. cPanel and SonicWall rush out security patches. Researchers warn AI agents may leak credentials. Smishing targets key industries. Ukrainian police arrest suspects in a massive Roblox account theft scheme. Our guest is Jamie Moles, technical manager at ExtraHop, discussing how the pace of vibe coding is creating major AI blind spots. Honeypot hijinks get halted by curious clicks.
“Copy Fail” is a newly disclosed Linux security flaw.
“Copy Fail” (CVE-2026-31431) is a newly disclosed security flaw in Linux that can let an ordinary, unprivileged user gain full administrator, or “root,” control on many Linux releases going back to 2017. According to the researchers’ disclosure site, the issue stems from a logic error in a built-in cryptography feature that is enabled by default on most major Linux distributions.
The exploit is a purely local privilege escalation: it requires only a normal local account and needs neither network access to a vulnerable service nor special debugging tools, which makes it especially concerning on shared systems. Researchers demonstrated that the same small script worked across multiple distributions without modification.
The risk is highest wherever untrusted users already hold a foothold on a box: shared servers, cloud platforms that run customer code, container clusters, and automated build systems, where one tenant or one compromised job could take control of the underlying host. Patching affected systems is the fix; where the patch cannot be applied right away, disabling the related component is the recommended stopgap until updates are in place.
The House votes to extend Section 702.
The House of Representatives voted 235 to 191 to extend Section 702 of the Foreign Intelligence Surveillance Act for three years, sending the measure to the Senate ahead of a looming deadline. The program allows U.S. intelligence agencies to collect communications of foreign nationals abroad, though Americans’ messages can also be incidentally captured. Privacy-focused lawmakers sought a warrant requirement before officials could search Americans’ data but failed to secure it. Instead, the bill adds narrower safeguards, including attorney approval for certain searches, written justifications for queries, and possible criminal penalties for misuse. Speaker Mike Johnson also attached a provision banning a future central bank digital currency, which Senate leaders may remove. The Senate could revise the bill or pass a temporary extension instead.
The White House opposes Anthropic’s proposal to expand Mythos access.
The White House is opposing Anthropic’s proposal to expand access to its advanced AI model, Mythos, to about 70 additional organizations, citing national security and operational concerns. Officials worry the model’s ability to identify and exploit software vulnerabilities could enable cyberattacks or large-scale online disruptions. Some also questioned whether Anthropic has sufficient computing capacity to support broader access without affecting government use. Mythos is already available to roughly 50 critical-infrastructure organizations and select government agencies, with no public release planned. Tensions between Anthropic and the administration remain unresolved following disputes over military use of its technology and political concerns about the company’s affiliations. Security experts warn that powerful models from Anthropic, OpenAI, and Google are rapidly improving at finding software bugs, which could both strengthen defensive research and increase offensive risks. Officials say they are trying to balance innovation with safeguards as deployment decisions continue.
cPanel posts emergency security updates to address a critical authentication bypass vulnerability.
cPanel released emergency security updates on April 28, 2026, to address a critical authentication bypass vulnerability, CVE-2026-41940, affecting all supported versions of cPanel and Web Host Manager (WHM). The flaw allows unauthenticated attackers to reach the administrative control panels without valid credentials, potentially enabling full system compromise, including control over files, databases, and email accounts. The issue poses significant risk to shared hosting environments, where a single compromised panel could be used to install malware or move deeper into server infrastructure. Administrators are urged to immediately run /scripts/upcp --force to apply the patch and then verify the installed version with /usr/local/cpanel/cpanel -V. Until the update is confirmed, blocking external access to ports 2083 (cPanel over TLS) and 2087 (WHM over TLS) is recommended; in practice that means restricting those ports to trusted administrator addresses rather than leaving them open to the internet. Several hosting providers temporarily restricted those ports while deploying fixes across their systems.
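As an added illustration of that stopgap (this is editorial example code, not cPanel’s own tooling and not from the advisory), the script below emits iptables rules that allow only a trusted admin range to reach the cPanel and WHM TLS ports and drop everyone else, and it reports the installed cPanel build so you can confirm the upgrade landed. The admin range 203.0.113.0/24 is a hypothetical placeholder; rule application is a dry run unless DRY_RUN=0 is set and the script is run as root on the host.

```shell
#!/bin/sh
# Added example, not cPanel's own tooling: limit the cPanel (2083) and WHM
# (2087) TLS ports to a trusted admin range while the patch rolls out, then
# report the installed cPanel version. The admin CIDR used at the bottom is a
# hypothetical placeholder; replace it with your real management range.

CPANEL_PORTS="2083 2087"

# gen_rules ADMIN_CIDR: print one iptables command per line that accepts the
# admin range on each cPanel/WHM port and drops every other source.
# ACCEPT is inserted at the head of INPUT (-I) so it takes precedence over
# the DROP appended (-A) at the tail.
gen_rules() {
  admin_cidr="$1"
  if [ -z "$admin_cidr" ]; then
    echo "usage: gen_rules ADMIN_CIDR" >&2
    return 1
  fi
  for port in $CPANEL_PORTS; do
    printf 'iptables -I INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$port" "$admin_cidr"
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
  done
}

# apply_rules ADMIN_CIDR: print the rules (default, DRY_RUN=1) or execute
# them line by line (DRY_RUN=0, needs root on the cPanel host).
apply_rules() {
  if [ "${DRY_RUN:-1}" = "1" ]; then
    gen_rules "$1"
  else
    gen_rules "$1" | while IFS= read -r cmd; do
      sh -c "$cmd"
    done
  fi
}

# cpanel_version: print the installed build via the vendor's own -V flag, or
# a marker string when the binary is absent (e.g. reviewing on a workstation).
cpanel_version() {
  if [ -x /usr/local/cpanel/cpanel ]; then
    /usr/local/cpanel/cpanel -V
  else
    echo "cpanel-not-installed"
  fi
}

# Review the rules first: DRY_RUN=1 sh cpanel_lockdown.sh
# Then on the host as root:  DRY_RUN=0 sh cpanel_lockdown.sh
apply_rules 203.0.113.0/24
cpanel_version
```

Keep the allowlist narrow and remove the rules once /usr/local/cpanel/cpanel -V shows the patched build; the DROP rules also cut off legitimate customers using the cPanel UI, which is exactly the trade-off the hosting providers in the story accepted while they patched.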
SonicWall patches multiple firewall vulnerabilities.
SonicWall has disclosed three vulnerabilities affecting Gen 6, Gen 7, and Gen 8 firewall platforms, including one high-severity and two medium-severity issues, and urges administrators to apply firmware updates immediately. Patches are available in versions 8.2.0-8009 for Gen 8, 7.3.2-7010 for Gen 7, and SonicOS 6.5.5.2-28n for Gen 6 devices. Systems with Auto Update enabled will receive fixes automatically. If patching is delayed, administrators should disable web management and SSL-VPN access and restrict management to SSH temporarily.
Researchers show AI agents can expose sensitive credentials unexpectedly.
Okta Threat Intelligence research shows AI agents can expose sensitive credentials unexpectedly, raising concerns about how safely they handle privileged access. In one test, an agent using an uncensored language model entered its entire credential store into a simple website form without being asked. Other experiments showed agents retrieving Wi-Fi passwords, OAuth tokens, and API keys, sometimes recognizing the risk only after the disclosure had already happened. Researchers also demonstrated that attackers controlling a communication channel such as Telegram could manipulate agents into exfiltrating secrets through indirect means like screenshots. While some models resisted malicious prompts, the safeguards proved inconsistent and occasionally bypassable. The findings highlight that risk grows with capability: the more permissions an agent holds, the more it can leak. Okta concludes organizations should limit agent privileges, avoid long-lived credentials, centralize secret storage, and apply identity-style governance controls, since an agent cannot leak access it was never granted.
Financial services, logistics, and telecommunications top phishing targets list.
Group-IB’s High-Tech Crime Trends Report 2026 identifies financial services, logistics, and telecommunications among the top phishing targets in 2025, with SMS phishing continuing to expand rapidly. Researchers observed a surge in two major smishing themes since January 2025: reward points scams impersonating banks and telecom providers, and failed parcel delivery scams targeting shipping customers. Despite different lures, both campaigns share infrastructure linked to the Phoenix System phishing kit ecosystem. Group-IB identified more than 2,500 related phishing domains targeting over 70 organizations worldwide. Attackers used phishing-as-a-service platforms with templates, dashboards, and traffic filtering to scale operations across regions. Messages were sometimes delivered through suspected fake base transceiver stations to bypass carrier protections. The findings highlight how coordinated infrastructure and Telegram-distributed phishing kits are enabling large-scale, globally targeted smishing campaigns.
Ukrainian law enforcement nabs alleged Roblox user account thieves.
Ukrainian law enforcement has detained a group of suspected hackers accused of stealing more than 610,000 Roblox user accounts and reselling them for cryptocurrency through Russian online platforms. Authorities say the victims included players whose accounts contained valuable digital items, rare inventory, and virtual currency purchased with real money. Investigators allege a 19-year-old organizer recruited accomplices through gaming forums and developed malware disguised as tools offering gameplay advantages or free bonuses. The malware harvested login credentials, enabling access to large numbers of accounts that were later sorted and sold based on resale value. Police conducted multiple searches in western Ukraine and seized devices and cash linked to the operation. Officials estimate the scheme generated about $227,000. Suspects face up to 15 years in prison if convicted.
Honeypot hijinks get halted by curious clicks.
While casually exploring Operation PowerOFF, an international law enforcement effort targeting DDoS-for-hire services, a researcher who goes by “Lina” stumbled onto what looked like a slightly undercooked “booter” site called Cyberzap. It had dashboards, payment options, and just enough polish to seem real, until its hosting details quietly pointed back to Dutch police infrastructure. After registering with an email that politely announced they were “just researching,” Lina clicked around, attempted a mock attack order, and observed the site quietly collecting intent signals rather than launching anything. Shortly afterward, Cyberzap abruptly locked itself behind an authorization wall, along with a related domain, suggesting someone on the other end had noticed the attention. A companion site, Netcrashers, remained online as a more obvious scare tactic. The episode illustrates how authorities mix covert honeypots with overt warnings to deter would-be attackers, though in this case the trap appeared to retreat the moment someone looked too closely at it.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
N2K’s lead producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I’m Dave Bittner. Thanks for listening.
