A ransom note demanding 0.1 BTC appeared on Naturalsciences[.]org, with the site briefly down for construction and later returning online. The attack is described as linked to the CPanel/WHM vulnerability identified as CVE-2026-41940, though not all victims managed their own CPanel, and a Reddit thread is cited as illustrating this. Some X[.]com posters warned victims not to pay, and there is no evidence that anyone who paid recovered their data; the article notes it is unclear how many people paid in total.
The ransom note includes a Bitcoin wallet address bc1q9nh4revv6yqhj2gc5usncrpsfnh7ypwr9h0sp2 and a tweet handle ty15b6TOTuBuzUhfypJeagHl4e2sAs26, while a wallet balance of $81.92 was observed at the time of checking. BleepingComputer is cited as having reported that cPanel published a security bulletin with updates and that administrators should run the command /scripts/upcp –force to install safe versions. According to BleepingComputer, the bulletin lists several product versions and the update guidance.