Cybersecurity News | Daily Recap [05 May 2026]

In today’s Daily Recap, the cybersecurity headlines cover an FTC action against data broker Kochava over location data and a privacy settlement tied to Forbes, while data-exposure incidents affected Vimeo and Canvas. The report also flags critical vulnerabilities, including Bleeding Llama (CVE-2026-7482) in Ollama and a MOVEit Automation flaw, plus active phishing and malware campaigns such as VENOMOUS#HELPER and BirdCall, along with a sentencing tied to the Karakurt extortion group. #Kochava #Forbes #Vimeo #Canvas #ShinyHunters #BirdCall #Karakurt #Conti #BlackCat #Trellix #AstrixSecurity #ShaiWorm #VENOMOUS_HELPER #BleedingLlama #Ollama #MOVEit #PixelTitanM2

Privacy & Data

  • The FTC is set to block data broker Kochava from selling Americans’ location data, tightening rules around sensitive geolocation collection and resale – Kochava ban
  • Forbes preliminarily agreed to pay about $10 million to settle a California wiretapping case over website trackers. Separately, Vimeo said ShinyHunters stole personal data for more than 119,200 people by abusing Anodot access and later leaked a 106GB archive – Forbes settlement, Vimeo breach
  • Instructure, the company behind Canvas, reported a cyber incident that exposed user information at some educational institutions, with ShinyHunters claiming it stole 3.6 TB of data from more than 9,000 schools – Canvas incident
  • A dating-app lawsuit accuses Meete of using a woman’s TikTok video and geofencing to target men near her dorm, seeking $750,000 in damages – Meete lawsuit

Vulnerabilities & Patching

  • Google raised rewards for high-end Android and Chrome exploits to as much as $1.5 million for a zero-click Pixel Titan M2 chain and $250,000 plus a $250,128 bonus for Chrome process exploits – Google bounty
  • A critical unauthenticated flaw in Ollama (CVE-2026-7482), dubbed Bleeding Llama, could expose sensitive heap data across roughly 300,000 internet-facing deployments; users should upgrade to 0.17.1 – Bleeding Llama
  • Android received a fix for a critical remote code execution vulnerability, while Progress patched a critical MOVEit Automation bug that could enable authentication bypass – Android RCE, MOVEit patch
  • Weaver E-cology CVE-2026-22679 has been actively exploited since March for unauthenticated remote command execution through an exposed debug API, and Copy Fail (CVE-2026-31431) is being abused on Linux to gain root via local privilege escalation – Weaver exploit, Copy Fail
  • A weekly recap highlighted active exploitation of cPanel (CVE-2026-41940), the Copy Fail kernel bug, and broader attacks against control panels, kernels, CI/CD pipelines, and SaaS sessions – Weekly recap

Malware, Phishing & Intrusions

  • CloudZ malware’s Pheno plugin abuses Microsoft Phone Link on Windows to steal SMS and OTPs, using a fake ScreenConnect update and loaders with anti-analysis checks – CloudZ Pheno
  • Amazon SES is being abused for high-volume phishing by attackers using exposed AWS access keys, often harvested from GitHub repos, .env files, Docker images, backups, and S3 buckets – Amazon SES abuse
  • A phishing campaign dubbed VENOMOUS#HELPER used the legitimate SimpleHelp and ScreenConnect remote-access tools to gain persistent access and hit more than 80 organizations, mainly in the U.S. – VENOMOUS#HELPER
  • A backdoored PyTorch Lightning package (lightning==2.6.3) on PyPI dropped a credential stealer identified as ShaiWorm, prompting a warning to rotate secrets after import – ShaiWorm package
  • ScarCruft hackers pushed BirdCall Android malware through a game platform, extending mobile espionage activity tied to the North Korea-linked threat group – BirdCall Android
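Two of the items above describe the same failure class from opposite ends: AWS access keys left in repos, .env files, Docker images and backups (which the Amazon SES phishing operators harvest), and a poisoned dependency pin (lightning==2.6.3) that exfiltrates secrets once imported. The scanner below is an added example for this recap, not code from any of the linked reports or vendors; it walks an in-memory checkout constructed for the example, flags AWS access key IDs and secret-key assignments by their well-known shape (AKIA/ASIA prefixes, 20- and 40-character lengths), and flags any requirements pin that matches a known-compromised release. The advisory table and sample file contents are assumptions made up here; the AKIA/secret pair is the placeholder credential from AWS's own documentation.

```python
"""Repository hygiene scan: leaked AWS credentials and known-compromised pins.

Added example for this recap; not code from any of the linked sources.
All inputs are constructed in-memory files, so it runs offline.
"""
import os
import re
from dataclasses import dataclass

# AWS access key IDs are 20 uppercase alphanumerics. AKIA = long-term IAM user
# key, ASIA = temporary STS credential (still worth rotating, it may be hours old).
AWS_KEY_ID = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")
# Secret access keys are 40 base64-alphabet characters. Anchoring on the variable
# name keeps unrelated hashes and tokens from tripping the rule.
AWS_SECRET = re.compile(
    r"(?i)aws[_-]?secret[_-]?(?:access[_-]?)?key\W{0,5}([A-Za-z0-9/+=]{40})\b"
)
# "name[extras]==version" pins; other specifiers (>=, ~=, URLs) are ignored here.
REQ_PIN = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*([^\s;#]+)")

# Known-bad pins keyed by PEP 503 normalised project name. The single entry is the
# backdoored release named in the recap; a real deployment feeds this from an advisory source.
COMPROMISED_PINS = {"lightning": {"2.6.3"}}


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    detail: str


def normalize(project: str) -> str:
    """PEP 503 normalisation so Lightning, lightning and LIGHTNING compare equal."""
    return re.sub(r"[-_.]+", "-", project).lower()


def scan_aws_credentials(path: str, text: str) -> list[Finding]:
    out = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for key_id in AWS_KEY_ID.findall(line):
            kind = "long-term" if key_id.startswith("AKIA") else "temporary"
            out.append(Finding(path, lineno, "aws-access-key-id", f"{key_id} ({kind} key)"))
        if AWS_SECRET.search(line):
            # Never echo the secret itself into findings or CI logs.
            out.append(Finding(path, lineno, "aws-secret-access-key", "value redacted"))
    return out


def is_requirements_file(path: str) -> bool:
    name = os.path.basename(path).lower()
    return name.endswith(".txt") and name.startswith(("requirements", "constraints"))


def scan_requirements(path: str, text: str) -> list[Finding]:
    out = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQ_PIN.match(line)
        if not m:
            continue
        project, version = normalize(m.group(1)), m.group(2)
        if version in COMPROMISED_PINS.get(project, ()):
            out.append(Finding(path, lineno, "compromised-pin", f"{project}=={version}"))
    return out


def scan_files(files: dict[str, str]) -> list[Finding]:
    """files maps a repo-relative path to its text content."""
    findings: list[Finding] = []
    for path, text in files.items():
        findings.extend(scan_aws_credentials(path, text))
        if is_requirements_file(path):
            findings.extend(scan_requirements(path, text))
    return findings


# Constructed sample checkout. The AKIA/secret pair is the placeholder from AWS's
# documentation; the ASIA value is invented for this example. None are live keys.
SAMPLE_FILES = {
    ".env": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "Dockerfile": (
        "FROM python:3.12-slim\n"
        "ENV AWS_ACCESS_KEY_ID=ASIAY34FZKBOKMUTVV7A\n"
    ),
    "requirements.txt": (
        "torch==2.6.0\n"
        "Lightning[extra]==2.6.3  # training helper\n"
        "requests>=2.31\n"
    ),
    "README.md": "Keys that start with AKIA are long-term; digest b1946ac92492d2347c6235b4d2611184.\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: {f.kind}: {f.detail}")
```

Run this over a real checkout and over the filesystem of each built image layer, not just the Dockerfile, since a key baked in by a build step lives in the layer rather than the source. Any hit on a key ID means rotate first and grep later: the SES campaigns work because a leaked key stays valid until someone revokes it, and the ShaiWorm warning is the same advice applied to everything a compromised import could have read.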

Ransomware, Extortion & Criminal Cases

  • World Leaks, the rebrand of Hunters International, claimed a breach of Hungarian media firm Mediaworks and said it stole and published nearly 8.5 terabytes of payroll, contract, and internal data – World Leaks breach
  • A Latvian national, Deniss Zolotarjovs, was sentenced to 8.5 years for acting as a “cold case” negotiator for the Karakurt extortion gang, using stolen health data to pressure victims and coordinating with groups like Conti and BlackCat – Karakurt sentencing
  • Hudson Rock and Ransomware.live launched a dashboard showing how infostealer infections feed ransomware, with one campaign dubbed the Coinbase Cartel using stolen credentials to attack more than 100 companies – Infostealer link

Supply Chain & Vendor Security

  • Trellix disclosed unauthorized access to part of its source code repository and said it is working with forensic investigators and law enforcement; the incident may be tied to wider supply-chain activity associated with LAPSUS$ – Trellix breach, Trellix disclosure
  • Cisco announced plans to acquire Astrix Security for roughly $400 million to secure non-human identities such as API keys, service accounts, and OAuth tokens used by apps and AI agents – Astrix acquisition

AI Security & Research

  • Security researcher Joey Melo described a control-first approach to AI red teaming, focusing on conversation manipulation, jailbreaking, and data poisoning rather than source-code changes – Joey Melo
  • A broader recap also noted how attackers are increasingly using AI-powered tactics, trusted commits, and long-lived SaaS access to stay embedded inside environments – AI recap

Cybersecurity News | Daily Recap – hendryadrian.com