Incident Response & DFIR, May 04, 2026

InfoSec News Nuggets 05/01/2026

Source: AboutDFIR. Archived May 04, 2026.



By Mary on May 1, 2026

US ransomware negotiators get 4 years in prison over BlackCat attacks

Two former incident response employees were sentenced to four years in prison each for participating in BlackCat ransomware attacks against five U.S. companies in 2023. The case stands out because it turns the usual insider risk story on its head: people trusted to help victims instead used that access and expertise to aid extortion, which is likely to sharpen scrutiny around third-party responders and privileged access during incident handling.

Vimeo Confirms User and Customer Data Breach

Vimeo said attackers stole user and customer data through a compromise involving a third-party vendor, and the ShinyHunters group is threatening to leak the files unless a ransom is paid. The main takeaway is the continued concentration of breach risk in vendor ecosystems, especially where customer data and support workflows intersect outside the primary environment.

CISA: US agency breached through Cisco vulnerability, FIRESTARTER backdoor allowed access through March

CISA disclosed that a U.S. agency was compromised through a Cisco firewall vulnerability and that attackers maintained access with malware called FIRESTARTER, which let them return months later without re-exploiting the original flaw. This is a useful reminder that patching the entry point doesn’t always remove persistence, particularly on edge devices where follow-on implants can survive well past initial remediation.

Fresh Wave of GlassWorm VS Code Extensions Slices Through Supply Chain

Researchers say attackers are continuing to seed Open VSX with seemingly harmless VS Code extensions that spread self-propagating GlassWorm malware. The broader issue here is developer-environment trust: extensions, package feeds, and adjacent tooling are still attractive supply chain targets because they blend into normal workflows and can scale quietly across engineering teams.

Two new extortion crews are speedrunning the Scattered Spider playbook

CrowdStrike says two The Com-linked groups are already using voice phishing and fake SSO pages to compromise SaaS environments and steal data for extortion, echoing tactics associated with Scattered Spider. The operational lesson is that identity-centric intrusion methods are diffusing fast, which means help-desk procedures, MFA reset controls, and SaaS admin workflows remain high-value defensive choke points.