Cybersecurity News Digester

Weekly Review - May 11, 2026

Covers 7 daily digests (2026-05-05 to 2026-05-11).

All summaries, analysis, and story clustering are done by an LLM. It may make mistakes and say incorrect things. Check the sources and support the actual journalists.

Top Stories

1. ShinyHunters breached Instructure Canvas using vulnerabilities to access millions of records

7 outlets, 2026-05-06 to 2026-05-11 - severity 5/5

The extortion group ShinyHunters executed a series of breaches targeting Instructure’s Canvas learning management system and Vimeo, as well as a separate incident involving GFN.am. In the Instructure attack, the threat actor exploited vulnerabilities related to "Free-For-Teacher" accounts and Canvas data export features to access an estimated 275 to 280 million records across approximately 9,000 educational institutions. The stolen data included names, email addresses, student ID numbers, and private messages, though Instructure stated that passwords and financial information remained unaffected. To contain the incident, Instructure temporarily took various Canvas services offline, revoked attacker access through patching and key rotation, and shut down "Free-For-Teacher" accounts. The breach caused significant operational disruption, preventing students and faculty from accessing course materials and grades during final exams. As of mid-May 2026, the situation involved an ongoing extortion attempt, with the threat actor threatening to leak data if a ransom was not paid by a specified deadline.

Sources

  • Instructure hacker claims data theft from 8,800 schools, universities - BleepingComputer, 2026-05-05 (quality: 16/21)
  • Vimeo data breach exposes personal information of 119,000 people - BleepingComputer, 2026-05-05 (quality: 19/21)
  • Instructure Breach Exposes Schools' Vendor Dependence - darkreading, 2026-05-06 (quality: 20/21)
  • Millions of students’ personal data stolen in major education breach - Malwarebytes, 2026-05-06 (quality: 13/21)
  • Multiple universities forced to reschedule final exams after Canvas cyber incident - The Record from Recorded Future News, 2026-05-08 (quality: 20/21)
  • ShinyHunters claims nearly 9,000 schools affected by Canvas data breach - CyberScoop, 2026-05-08 (quality: 15/21)
  • Instructure confirms cybersecurity incident - Cybersecurity Dive - Latest News, 2026-05-08 (quality: 10/21)
  • ShinyHunters Claims Second Attack Against Instructure - darkreading, 2026-05-08 (quality: 20/21)
  • Canvas System Is Online After a Cyberattack Disrupted Thousands of Schools - SecurityWeek, 2026-05-11 (quality: 18/21)

2. RansomHouse claims responsibility for breaching Trellix source code repository

4 outlets, 2026-05-05 to 2026-05-09 - severity 4/5

The ransomware group RansomHouse claimed responsibility for a breach of Trellix's source code repository, alleging the intrusion occurred on April 17, 2025. The attackers published screenshots on their leak site demonstrating unauthorized access to the Trellix appliance management system and internal services. While the specific volume of stolen data remains unspecified, the breach involved a portion of the company's source code repository. Trellix engaged external forensic experts and law enforcement to investigate the incident, stating that they found no evidence that their source code distribution process was compromised or that the accessed code had been exploited. Some security analysts have noted a potential connection between this incident and a broader supply chain attack campaign involving the TeamPCP and Lapsus$ threat actors. As of the latest updates, Trellix is investigating the claims of responsibility made by RansomHouse.

Sources

  • Trellix discloses data breach after source code repository hack - BleepingComputer, 2026-05-04 (quality: 16/21)
  • Trellix Source Code Repository Breached - SecurityWeek, 2026-05-04 (quality: 9/21)
  • Trellix investigating breach of source code repository - Cybersecurity Dive - Latest News, 2026-05-05 (quality: 17/21)
  • Trellix Source Code Breach Highlights Growing Supply Chain Threats - darkreading, 2026-05-05 (quality: 9/21)
  • Ransomware Group Takes Credit for Trellix Hack - SecurityWeek, 2026-05-08 (quality: 13/21)
  • Trellix source code breach claimed by RansomHouse hackers - BleepingComputer, 2026-05-08 (quality: 16/21)

3. PCPJack malware targets cloud and developer services to harvest credentials

5 outlets, 2026-05-06 to 2026-05-08 - severity 4/5

The PCPJack malware framework targets exposed cloud, container, and developer services to harvest credentials, SSH keys, and tokens from platforms including AWS, Google Cloud, Azure, GitHub, and OpenAI. The attack chain utilizes a bootstrap.sh script to establish persistence and install Python modules, such as monitor.py for credential harvesting and cloud_scan.py for propagation via Kubernetes service account tokens, Docker sockets, and Redis. This framework specifically identifies and deletes artifacts associated with the TeamPCP threat actor, effectively evicting them from infected systems. The campaign exploits several vulnerabilities, including CVE-2025-29927 (Next.js), CVE-2025-55182 (React/Next.js), and CVE-2026-1357 (WordPress). Beyond cloud infrastructure, the broader threat landscape involves documented breaches of Polish water treatment facilities in Jabłonna Lacka, Szczytno, Małdyty, Tolkmickie, and Sierakowo, with the Polish Internal Security Agency linking such escalations to Russian intelligence services.

Sources

  • PCPJack | Cloud Worm Evicts TeamPCP and Steals Credentials at Scale - SentinelLabs, 2026-05-07 (quality: 19/21)
  • New PCPJack worm steals credentials, cleans TeamPCP infections - BleepingComputer, 2026-05-07 (quality: 19/21)
  • ‘PCPJack’ Worm Removes TeamPCP Infections, Steals Credentials - SecurityWeek, 2026-05-08 (quality: 19/21)
  • PCPJack Credential Stealer Exploits 5 CVEs to Spread Worm-Like Across Cloud Systems - The Hacker News, 2026-05-07 (quality: 20/21)
  • After Replacing TeamPCP Malware, 'PCPJack' Steals Cloud Secrets - darkreading, 2026-05-07 (quality: 9/21)

4. UNC6353 uses DarkSword malware exploit chain to compromise iOS devices

1 outlet, 2026-05-05 - severity 5/5

The DarkSword malware exploit chain, utilized by commercial surveillance vendors and the threat actor UNC6353, employs six zero-day vulnerabilities to compromise iOS devices running versions 18.4 through 18.7. Since November 2025, these campaigns have targeted users in Saudi Arabia, Turkey, Malaysia, and Ukraine through techniques such as watering hole attacks. Successful exploitation enables the deployment of the GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER malware families to establish persistent access. Following the initial identification of the exploit chain, a version of the DarkSword malware leaked online, leading to broader use of the toolkit.

Sources

  • DarkSword Malware - Schneier on Security, 2026-05-05 (quality: 14/21)

5. Trojanized DAEMON Tools installers compromise thousands of systems in supply-chain attack

4 outlets, 2026-05-06 to 2026-05-07 - severity 4/5

A supply-chain attack involving trojanized DAEMON Tools installers compromised thousands of systems across more than 100 countries starting on April 8, 2026. Attackers distributed malicious versions of DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe—all signed with legitimate AVB Disc Soft certificates—via the official software website. The attack chain utilized a first-stage information stealer to profile victims by collecting system data, followed by the deployment of a second-stage backdoor to high-value targets in the retail, scientific, government, and manufacturing sectors. While no specific threat actor has been attributed, researchers identified Chinese-language strings within the malware payload.

Sources

  • DAEMON Tools trojanized in supply-chain attack to deploy backdoor - BleepingComputer, 2026-05-05 (quality: 18/21)
  • Government, Scientific Entities Hit via Daemon Tools Supply Chain Attack - SecurityWeek, 2026-05-06 (quality: 20/21)
  • DAEMON Tools Supply Chain Attack Compromises Official Installers with Malware - The Hacker News, 2026-05-05 (quality: 13/21)
  • DAEMON Tools devs confirm breach, release malware-free version - BleepingComputer, 2026-05-06 (quality: 20/21)
  • Hackers compromise Daemon Tools in global supply-chain attack, researchers say - The Record from Recorded Future News, 2026-05-06 (quality: 20/21)

6. Silver Fox executed a supply chain attack on Hugging Face via typosquatting

2 outlets, 2026-05-05 to 2026-05-11 - severity 4/5

The threat actor Silver Fox executed a supply chain attack on Hugging Face by creating a typosquatted repository, Open-OSS/privacy-filter, which impersonated a legitimate OpenAI Privacy Filter project. The attack chain began when users cloned the repository and executed a loader.py script or start.bat file, which disabled SSL verification and used PowerShell to download secondary payloads from api.eth-fastscan[.]org. On Windows systems, the malware performed privilege escalation via UAC prompts, established scheduled tasks, and configured Microsoft Defender exclusions to deploy either the Sefirah or ValleyRAT information stealers. These stealers harvested sensitive data, including browser credentials, Discord tokens, cryptocurrency wallet seed phrases, and system metadata, exfiltrating the stolen information to recargapopular[.]com. The malicious repository reached the #1 trending position on Hugging Face and accumulated approximately 244,000 downloads before the platform removed the content. Researchers from HiddenLayer and Panther identified the campaign and noted overlaps between the infrastructure used in this attack and previous npm typosquatting campaigns.

Sources

  • Fake OpenAI repository on Hugging Face pushes infostealer malware - BleepingComputer, 2026-05-09 (quality: 18/21)
  • Fake OpenAI Privacy Filter Repo Hits #1 on Hugging Face, Draws 244K Downloads - The Hacker News, 2026-05-11 (quality: 20/21)

7. Sohaib and Muneem Akhter Deleted Federal Government Databases via Unauthorized Access

2 outlets, 2026-05-08 to 2026-05-09 - severity 4/5

Sohaib Akhter and Muneem Akhter gained unauthorized access to computer systems and deleted approximately 96 federal government databases, including Freedom of Information Act records and sensitive investigative documents, following their termination from a government contracting firm. After being fired in February 2025, the brothers accessed computers without authorization to wipe write-protected databases and destroy evidence of their activities, even using an artificial intelligence assistant to research methods for clearing system logs. The attack targeted a Washington, D.C.-based company providing software services to over 45 federal agencies, including the U.S. Department of State, the Department of Homeland Security, and the Equal Employment Opportunity Commission. In addition to the database destruction, Sohaib Akhter stole a password to access an individual's email account related to an EEOC discrimination complaint. Following an investigation by the FDIC-OIG and the Department of Justice, a jury found Sohaib Akhter guilty of conspiracy to commit computer fraud, password trafficking, and possession of a firearm by a prohibited person.

Sources

  • Former govt contractor convicted for wiping dozens of federal databases - BleepingComputer, 2026-05-08 (quality: 19/21)
  • Virginia man found guilty of deleting 96 government databases - The Record from Recorded Future News, 2026-05-08 (quality: 16/21)

Under the Radar

High-severity stories that received limited coverage this period.

Two U.S. Nationals Sentenced for Operating Laptop Farms for North Korean Workers

2 outlets, 2026-05-08 - severity 4/5

Two U.S. nationals, Matthew Isaac Knoot and Erick Ntekereze Prince, were sentenced to 18 months in prison for operating "laptop farms" that allowed North Korean IT workers to fraudulently secure remote positions at nearly 70 American companies. The scheme utilized remote desktop software to mask the workers' true locations, making them appear as legitimate U.S.-based employees while hosting company-issued hardware at domestic residences. This operation generated approximately $1.2 million for the North Korean regime and involved the use of stolen identities to submit fraudulent tax and Social Security reports. The fraudulent activity resulted in victim companies paying over $1.19 million in salaries and associated costs to the North Korean-linked workers.

Why it matters: Confirmed widespread exploitation of nearly 70 U.S.

Sources

  • Americans sentenced for running 'laptop farms' for North Korea - BleepingComputer, 2026-05-07 (quality: 19/21)
  • American duo sentenced for hosting laptop farms for North Korean IT workers - CyberScoop, 2026-05-07 (quality: 19/21)

Karakurt negotiator sentenced for extortion operations against American organizations

2 outlets, 2026-05-05 - severity 4/5

Deniss Zolotarjovs, a negotiator for the Karakurt ransomware group, was sentenced to eight and a half years in prison for his role in orchestrating extortion operations against American organizations. Between June 2021 and March 2023, Zolotarjovs analyzed stolen personal and health information to apply psychological pressure on victims and negotiated ransom payments, receiving 10% of the proceeds in cryptocurrency. The Department of Justice identified at least 54 attacked companies, with 13 of those resulting in over $56 million in losses and an additional 41 companies paying approximately $13 million in ransom. These operations disrupted critical infrastructure, including a government 911 system, and involved the use of stolen children's health data to increase leverage during negotiations.

Why it matters: The sentencing follows confirmed widespread exploitation by Karakurt causing hundreds of millions in losses and disruption to critical 911 emergency services.

Sources

  • Karakurt extortion gang ‘cold case’ negotiator gets 8.5 years in prison - BleepingComputer, 2026-05-05 (quality: 19/21)
  • Karakurt Ransomware Negotiator Sentenced to Prison - SecurityWeek, 2026-05-05 (quality: 19/21)

UAT-8302 Targets South American and European Government Entities Using Cityworks Vulnerability

2 outlets, 2026-05-05 to 2026-05-06 - severity 4/5

The China-nexus advanced persistent threat (APT) group UAT-8302 has conducted a multi-year campaign targeting government entities in South America since late 2024 and government agencies in southeastern Europe throughout 2025. The group utilizes a diverse toolkit of custom-made malware families for post-exploitation, including NetDraft (a .NET-based variant of FinalDraft/SquidDoor), CloudSorcerer v3, VSHELL, SNOWLIGHT, and SNOWRUST. Technical activities involve information collection, credential extraction, and network proliferation, often employing tools such as Draculoader, which is shared with other threat actors including Earth Estries and Earth Naga. The attack chain has also involved the exploitation of the Cityworks zero-day vulnerability (CVE-2025-0994) to deploy VSHELL. Cisco Talos is currently tracking these operations, which involve various threat actor clusters including Jewelbug, LongNosedGoblin, and Erudite Mogwai.

Why it matters: Confirmed exploitation of a zero-day vulnerability by a China-nexus APT targeting multiple government entities across two continents.

Sources

  • UAT-8302 and its box full of malware - Cisco Talos Blog, 2026-05-05 (quality: 19/21)
  • China-Linked UAT-8302 Targets Governments Using Shared APT Malware Across Regions - The Hacker News, 2026-05-05 (quality: 10/21)

OceanLotus used PyPI supply chain attack to deliver ZiChatBot malware

2 outlets, 2026-05-07 - severity 4/5

The threat actor OceanLotus conducted a supply chain attack on the Python Package Index (PyPI) by uploading malicious wheel packages, including uuid32-utils, colorinal, and termncolor, to deliver the ZiChatBot malware. The attack chain utilized these packages to drop terminate.dll on Windows or terminate.so on Linux, establishing persistence through registry auto-run entries or crontab jobs. The malware bypassed traditional command and control detection by using the REST APIs of the Zulip team chat application to receive shellcode and exfiltrate system information. While the specific number of victims was not disclosed, the campaign targeted both Windows and Linux platforms and has since been mitigated by the removal of the packages from PyPI and the deactivation of the associated Zulip organization.

Why it matters: A known APT (OceanLotus) executed a confirmed supply chain attack via PyPI to deliver malware to Windows and Linux targets.

Sources

  • OceanLotus suspected of using PyPI to deliver ZiChatBot malware - Securelist, 2026-05-06 (quality: 19/21)
  • PyPI Packages Deliver ZiChatBot Malware via Zulip APIs on Windows and Linux - The Hacker News, 2026-05-07 (quality: 12/21)

All Stories by Category

Vulnerabilities & Patches

  • Schemata API Flaw Exposed Military Records and Training Data (2026-05-07, 1 outlet, severity 4/5)
    • A DOD contractor’s API flaw exposed military course data and service member records - CyberScoop
  • Microsoft and Linux Vulnerabilities Surge in Q1 2026 Report (2026-05-07, 1 outlet, severity 3/5)
    • Exploits and vulnerabilities in Q1 2026 - Securelist
  • GDDRHammer and GeForge Attacks Enable Privilege Escalation on NVIDIA GPUs (2026-05-06, 1 outlet, severity 3/5)
    • Rowhammer Attack Against NVIDIA Chips - Schneier on Security
  • Low-Severity Alerts and Mimikatz Linked to 1% of Incidents (2026-05-08, 1 outlet, severity 3/5)
    • One Missed Threat Per Week: What 25M Alerts Reveal About Low-Severity Risk - The Hacker News
  • HeroDevs Warns SCA Tools Miss EOL Software Vulnerabilities (2026-05-06, 1 outlet, severity 3/5)
    • The EOL Blind Spot in Your CVE Feed: What SCA Tools Miss - BleepingComputer
  • Google Increases Android Pixel Chip Bounty to $1.5 Million (2026-05-05, 1 outlet, severity 2/5)
    • Google now offers up to $1.5 million for some Android exploits - BleepingComputer
  • Microsoft Edge Stores Passwords in Plaintext to Boost Performance (2026-05-09, 1 outlet, severity 2/5)
    • Microsoft says Edge’s plaintext password behavior is “by design” - Malwarebytes
  • NWHStealer, Microsoft Edge, and WhatsApp Vulnerabilities Highlight Weekly Threats (2026-05-11, 1 outlet, severity 2/5)
    • A week in security (May 4 – May 10) - Malwarebytes
  • Boost Security Secures $4M to Expand SDLC Defense Platform (2026-05-08, 1 outlet, severity 1/5)
    • Boost Security Raises $4 Million for SDLC Defense Platform - SecurityWeek
  • Weekly Update 503: No New Vulnerabilities or Security Details Reported (2026-05-11, 1 outlet, severity 1/5)
    • Weekly Update 503 - Troy Hunt

Data Breaches

  • DigiCert Revokes Certificates Following Support Portal Malware Breach (2026-05-05, 1 outlet, severity 4/5)
    • DigiCert Revokes Certificates After Support Portal Hack - SecurityWeek
  • World Leaks claims massive data breach of Mediaworks Hungary (2026-05-05, 1 outlet, severity 3/5)
    • Ransomware group claims breach of pro-Orbán Hungarian media firm - The Record from Recorded Future News
  • Skoda Online Shop Breach Exposes Customer Personal Information (2026-05-11, 1 outlet, severity 3/5)
    • Skoda Data Breach Hits Online Shop Customers - SecurityWeek
  • Keep Aware Report: Browser Activity Bypasses Traditional DLP Controls (2026-05-08, 1 outlet, severity 2/5)
    • The Browser Is Breaking Your DLP: How Data Slips Past Modern Controls - BleepingComputer
  • Costa Rica Government Joins Have I Been Pwned Breach Monitoring (2026-05-11, 1 outlet, severity 2/5)
    • Welcoming the Costa Rican Government to Have I Been Pwned - Troy Hunt

Ransomware

  • MuddyWater uses Chaos ransomware to mask Iranian espionage operations (2026-05-08, 1 outlet, severity 3/5)
    • Iranian government hackers using Chaos ransomware as cover, researchers say - The Record from Recorded Future News
  • LockBit 5.0 and The Gentlemen Drive Q1 2026 Ransomware Surge (2026-05-11, 1 outlet, severity 3/5)
    • The State of Ransomware – Q1 2026 - Check Point Research
  • Ransomware Targets Backup Systems to Prevent Data Recovery Efforts (2026-05-07, 1 outlet, severity 3/5)
    • Why ransomware attacks succeed even when backups exist - BleepingComputer
  • BlackFog Report: Most Ransomware Attacks Remain Undisclosed by Businesses (2026-05-08, 1 outlet, severity 2/5)
    • Businesses hide vast majority of ransomware attacks, report finds - Cybersecurity Dive - Latest News

Supply Chain Attacks

  • Mini Shai-Hulud Worm Compromises SAP, PyTorch, and Packagist Packages (2026-05-05, 1 outlet, severity 4/5)
    • TeamPCP Weekly Analysis: 2026-W18 (2026-04-27 through 2026-05-03), (Mon, May 4th) - SANS Internet Storm Center
  • Checkmarx Jenkins AST Plugin Targeted in TeamPCP Supply Chain Attack (2026-05-11, 1 outlet, severity 4/5)
    • Checkmarx Jenkins AST Plugin Compromised in Supply Chain Attack - SecurityWeek
  • SailPoint GitHub Repositories Breached via Third-Party App Vulnerability (2026-05-11, 1 outlet, severity 3/5)
    • SailPoint Discloses GitHub Repository Hack - SecurityWeek
  • Joe FitzPatrick Warns of Security Risks in Overseas Hardware (2026-05-07, 1 outlet, severity 3/5)
    • LABScon25 Replay | Please Connect to the Foreign Entity to Enhance Your User Experience - SentinelLabs
  • Strategies for Managing Third-Party and Ownership Risks (2026-05-09, 1 outlet, severity 2/5)
    • A Practical Guide to Third-Party Cyber Risk Management - Corporate Compliance Insights
    • 2026 Outlook: Navigating Third-Party Risk in the Pharmaceutical & Life Sciences Sector - Corporate Compliance Insights
    • UBO Due Diligence: Ownership Transparency as Strategic Control - Corporate Compliance Insights

Nation-State / APT

  • Iranian Hackers Use Ransomware Decoys and Phishing for Attacks (2026-05-07, 4 outlets, severity 3/5)
    • MuddyWater hackers use Chaos ransomware as a decoy in attacks - BleepingComputer
    • Iran-sponsored threat group behind false flag social engineering campaign - Cybersecurity Dive - Latest News
    • Iranian APT Intrusion Masquerades as Chaos Ransomware Attack - SecurityWeek
    • MuddyWater Uses Microsoft Teams to Steal Credentials in False Flag Ransomware Attack - The Hacker News
  • HeartlessSoul Group Targets Aviation Firms to Steal Geospatial Data (2026-05-11, 1 outlet, severity 3/5)
    • Cyber Espionage Group Targets Aviation Firms to Steal Map Data - darkreading
  • APT37 Uses BirdCall Malware to Target Ethnic Koreans in China (2026-05-07, 1 outlet, severity 3/5)
    • North Korean hackers targeted ethnic Koreans in China with Android ‘BirdCall’ malware - The Record from Recorded Future News
  • GRU-led Department 4 trains hackers at Bauman Moscow University (2026-05-09, 1 outlet, severity 3/5)
    • Inside Department 4: Russia’s secret school for hackers - GRAHAM CLULEY
  • Scattered Spider Arrest and New KYCShadow Android Malware Threats (2026-05-05, 1 outlet, severity 3/5)
    • ⚡ Weekly Recap: AI-Powered Phishing, Android Spying Tool, Linux Exploit, GitHub RCE & More - The Hacker News

Malware & Botnets

  • PamDOORa Linux Backdoor and CloudZ Malware Target Microsoft Users (2026-05-09, 1 outlet, severity 4/5)
    • In Other News: Train Hacker Arrested, PamDOORa Linux Backdoor, New CISA Director Frontrunner - SecurityWeek
  • TCLBanker malware targets banking and fintech platforms via Logitech MSI installer (2026-05-08 to 2026-05-09, 2 outlets, severity 3/5)
    • New TCLBanker malware self-spreads over WhatsApp and Outlook - BleepingComputer
    • TCLBANKER Banking Trojan Targets Financial Platforms via WhatsApp and Outlook Worms - The Hacker News
  • ScarCruft hackers use gaming platform to deploy BirdCall malware (2026-05-05, 2 outlets, severity 3/5)
    • ScarCruft hackers push BirdCall Android malware via game platform - BleepingComputer
    • ScarCruft Hacks Gaming Platform to Deploy BirdCall Malware on Android and Windows - The Hacker News
  • CloudZ malware uses Microsoft Phone Link to steal OTPs (2026-05-05, 2 outlets, severity 3/5)
    • CloudZ RAT potentially steals OTP messages using Pheno plugin - Cisco Talos Blog
    • CloudZ malware abuses Microsoft Phone Link to steal SMS and OTPs - BleepingComputer
  • JDownloader site hacked to distribute Python RAT malware via installers (2026-05-10, 1 outlet, severity 3/5)
    • JDownloader site hacked to replace installers with Python RAT malware - BleepingComputer
  • Claude.ai chats and Google Ads used to spread MacSync malware (2026-05-11, 1 outlet, severity 3/5)
    • Hackers abuse Google ads, Claude.ai chats to push Mac malware - BleepingComputer
  • GM to pay $12.75 million over California driver data privacy (2026-05-09, 1 outlet, severity 3/5)
    • GM to pay over $12 million in California privacy settlement involving driver data - The Record from Recorded Future News
  • CloudZ RAT Exploits Microsoft Phone Link to Steal Mobile Data (2026-05-06, 1 outlet, severity 3/5)
    • Windows Phone Link Exploited by CloudZ RAT to Steal Credentials and OTPs - The Hacker News
  • TrickMo Android Malware Uses TON Blockchain for Stealthy Communications (2026-05-11, 1 outlet, severity 3/5)
    • TrickMo Android banker adopts TON blockchain for covert comms - BleepingComputer
  • Fake Claude AI Site Distributes Beagle Windows Malware (2026-05-07, 1 outlet, severity 3/5)
    • Fake Claude AI website delivers new 'Beagle' Windows malware - BleepingComputer
  • NWHStealer malware uses Bun JavaScript runtime to infect Windows systems (2026-05-07, 1 outlet, severity 3/5)
    • Attackers adopt JavaScript runtime Bun to spread NWHStealer - Malwarebytes
  • MicroStealer Malware and Eclipse BaSyx Vulnerabilities Highlight New Threats (2026-05-07, 1 outlet, severity 2/5)
    • ThreatsDay Bulletin: Edge Plaintext Passwords, ICS 0-Days, Patch-or-Die Alerts and 25+ New Stories - The Hacker News
  • xlabs_v1 Mirai Botnet Exploits ADB to Hijack IoT Devices (2026-05-07, 1 outlet, severity 2/5)
    • Mirai-Based xlabs_v1 Botnet Exploits ADB to Hijack IoT Devices for DDoS Attacks - The Hacker News
  • DShield Honeypot Update Adds Ubuntu 26.04 and New Cowrie Version (2026-05-05, 1 outlet, severity 1/5)
    • DShield Honeypot Update, (Mon, May 4th) - SANS Internet Storm Center

Phishing & Social Engineering

  • Operation HookedWing Phishing Campaign Targets Over 500 Global Organizations (2026-05-11, 1 outlet, severity 4/5)
    • Over 500 Organizations Hit in Years-Long Phishing Campaign - SecurityWeek
  • Microsoft Warns of Phishing Campaign Targeting US Organizations (2026-05-06, 1 outlet, severity 4/5)
    • Microsoft Warns of Sophisticated Phishing Campaign Targeting US Organizations - SecurityWeek
  • Microsoft Defender Uncovers AiTM Phishing Campaign Targeting 35,000 Users (2026-05-05, 1 outlet, severity 4/5)
    • Breaking the code: Multi-stage ‘code of conduct’ phishing campaign leads to AiTM token compromise - Threat intelligence | Microsoft Security Blog
  • Phishing Campaign Uses RMM Tools to Target Global Organizations (2026-05-05, 2 outlets, severity 3/5)
    • Phishing Campaign Hits 80+ Orgs Using SimpleHelp and ScreenConnect RMM Tools - The Hacker News
    • RMM Tools Fuel Stealthy Phishing Campaign - darkreading
    • Silver Fox Springs Tax-Themed Attacks on Orgs in India, Russia - darkreading
  • BO Team and Head Mare Coordinate Attacks Using BrockenDoor Malware (2026-05-09, 1 outlet, severity 3/5)
    • Pro-Ukraine BO Team and Head Mare hackers appear to team up in attacks against Russia - The Record from Recorded Future News
  • Amazon SES Abuse Rising as Leaked AWS Keys Fuel Phishing (2026-05-05, 1 outlet, severity 3/5)
    • Amazon SES increasingly abused in phishing to evade detection - BleepingComputer
  • Threat actors used VoIP infrastructure for large-scale scam email campaigns (2026-05-06, 1 outlet, severity 3/5)
    • Insights into the clustering and reuse of phone numbers in scam emails - Cisco Talos Blog
  • ClickFix attacks use fake prompts to deploy Vidar Stealer malware (2026-05-08, 1 outlet, severity 3/5)
    • Australia warns of ClickFix attacks pushing Vidar Stealer malware - BleepingComputer
  • ShinyHunters Use Social Engineering to Breach Large Brand Data (2026-05-06, 1 outlet, severity 3/5)
    • Weekly Update 502 - Troy Hunt
  • How Fraudsters Use Social Engineering and Physical Access to Breach Credit Unions (2026-05-05, 1 outlet, severity 3/5)
    • They don’t hack, they borrow: How fraudsters target credit unions - BleepingComputer
  • Meta layoffs, Linux Copy Fail, and deepfake job scams (2026-05-07, 1 outlet, severity 2/5)
    • Smashing Security podcast #466: Meta sees everything, Copy Fail, and a deepfake gets hired - GRAHAM CLULEY

Cloud & Infrastructure Security

  • Braintrust Urges API Key Rotation Following AWS Account Breach (2026-05-08, 1 outlet, severity 3/5)
    • AI Firm Braintrust Prompts API Key Rotation After Data Breach - SecurityWeek
  • ACI Alliance Launches to Protect U.S. Critical Infrastructure Security (2026-05-11, 1 outlet, severity 2/5)
    • New cybersecurity industry alliance aims to lead US critical infrastructure protection - Cybersecurity Dive - Latest News
  • CISA Urges Critical Infrastructure to Prioritize Isolation and Recovery (2026-05-06, 1 outlet, severity 2/5)
    • CISA: Critical Infrastructure Must Master Isolation, Recovery - SecurityWeek
  • Cloudflare Cuts 1,100 Jobs to Pivot Toward Agentic AI Era (2026-05-11, 1 outlet, severity 1/5)
    • Cloudflare Lays Off 1,100 Employees in AI-Driven Restructuring - SecurityWeek

Identity & Access Management

  • CallPhantom Android Apps Scammed Users via Fake Call History Data (2026-05-09, 1 outlet, severity 3/5)
    • Fake Call History Apps Stole Payments From Users After 7.3 Million Play Store Downloads - The Hacker News
  • Cifas Report: 13% of UK Workers Sell Company Passwords (2026-05-09, 1 outlet, severity 3/5)
    • One in eight UK workers has sold their company passwords, and bosses think it’s fine - GRAHAM CLULEY
  • NHI Proliferation Threatens Enterprise Security and Identity Control (2026-05-11, 1 outlet, severity 2/5)
    • Identity is the new perimeter as rapid NHI proliferation threatens visibility and control - Cybersecurity Dive - Latest News
  • Cisco to Acquire Astrix Security to Combat Non-Human Identity Risks (2026-05-05, 1 outlet, severity 1/5)
    • Cisco Moves to Acquire Astrix Security to Tackle Non-Human Identity Risks - SecurityWeek

AI & Machine Learning Security

  • Claude AI Assisted TAT26-12 Hackers in Water Utility Intrusion (2026-05-07, 1 outlet, severity 3/5)
    • Claude AI Guided Hackers Toward OT Assets During Water Utility Intrusion - SecurityWeek
  • Scan of 1 Million AI Services Reveals Critical Security Flaws (2026-05-05, 1 outlet, severity 3/5)
    • We Scanned 1 Million Exposed AI Services. Here's How Bad the Security Actually Is - The Hacker News
  • AI Investment Scam Network Uses 15,500 Domains and Deepfakes (2026-05-08, 1 outlet, severity 3/5)
    • Massive AI investment scam network spans 15,500 domains - Malwarebytes
  • Anthropic’s Claude AI Used in Mexican Water Utility Cyberattack Attempt (2026-05-09, 1 outlet, severity 3/5)
    • Anthropic’s Claude used in attempted compromise of Mexican water utility - Cybersecurity Dive - Latest News
  • Claude Extension Vulnerability Risks Full AI Agent Takeover (2026-05-08, 1 outlet, severity 3/5)
    • Vulnerability in Claude Extension for Chrome Exposes AI Agent to Takeover - SecurityWeek
  • NIST to Evaluate Google, Microsoft, and xAI Models for Risks (2026-05-07, 1 outlet, severity 2/5)
    • NIST will test three major tech firms’ frontier AI models for cybersecurity risks - Cybersecurity Dive - Latest News
  • Joey Melo Explains AI Red Teaming and Prompt Injection Risks (2026-05-06, 1 outlet, severity 2/5)
    • Hacker Conversations: Joey Melo on Hacking AI - SecurityWeek
  • Agentic AI in Microsoft 365 and Salesforce Creates New Compliance Risks (2026-05-11, 1 outlet, severity 2/5)
    • Your Next AI Risk Is Inside the Systems You Trust the Most - Corporate Compliance Insights
    • Compliance Frameworks Miss Invisible Forces, but They Matter the Most - Corporate Compliance Insights
  • Schumer Urges DHS to Coordinate AI Cyber Defense With Localities (2026-05-09, 1 outlet, severity 2/5)
    • Sen. Schumer seeks DHS plan on AI cyber coordination with state, local governments - CyberScoop
  • Google Chrome Silently Downloads 4GB Gemini Nano AI Model (2026-05-07, 1 outlet, severity 2/5)
    • Google Chrome’s silent 4GB AI download problem - Malwarebytes
  • Forbes to pay $10 million to settle California wiretapping lawsuit (2026-05-05, 1 outlet, severity 2/5)
    • Forbes preliminarily agrees to pay $10 million to settle California wiretapping lawsuit - The Record from Recorded Future News
  • LLMs Can Embed Hidden Messages Using Text-in-Text Steganography Techniques (2026-05-11, 1 outlet, severity 2/5)
    • LLMs and Text-in-Text Steganography - Schneier on Security
  • AI-Driven Cyberattack Fails to Breach SCADA Operational Technology Systems (2026-05-08, 1 outlet, severity 2/5)
    • World's First AI-Driven Cyberattack Couldn't Breach OT Systems - darkreading
  • New AI-Powered Security Startups Secure $38 Million in Funding (2026-05-07, 1 outlet, severity 1/5)
    • Autonomous Offensive Security Firm XBOW Raises $35 Million - SecurityWeek
    • Herd Security Raises $3 Million for AI-Powered Training Platform - SecurityWeek
  • CISA leverages AI automation to enhance threat analysis and operations (2026-05-06, 1 outlet, severity 1/5)
    • CISA boasts AI automation improvements to threat analysis, mission support - CyberScoop
  • AI-Driven Autonomous Agents Must Replace Manual Purple Teaming Workflows (2026-05-11, 1 outlet, severity 1/5)
    • Your Purple Team Isn't Purple — It's Just Red and Blue in the Same Room - The Hacker News
  • IGEN’s Ryan Padget: Balancing AI Automation With Human Expertise (2026-05-08, 1 outlet, severity 1/5)
    • Why Experience Still Matters in an Automated Finance World - Corporate Compliance Insights
  • Prophet Security: AI-Driven Investigation Overcomes SOC Alert Fatigue (2026-05-09, 1 outlet, severity 1/5)
    • Why More Analysts Won’t Solve Your SOC’s Alert Problem - BleepingComputer
  • Proofpoint Launches Prism Investigator to Automate AI-Driven Digital Investigations (2026-05-06, 1 outlet, severity 1/5)
    • Proofpoint Establishes Innovation Precedent for Source-Agnostic Modern Enterprise Investigations - Proofpoint News Feed

Legal & Law Enforcement

  • Marlon Ferro Sentenced for Role in $230 Million Crypto Heist (2026-05-07, 1 outlet, severity 4/5)
    • Crypto gang member gets 6.5 years for role in $230 million heist - BleepingComputer
  • Latvian national sentenced for involvement in Conti ransomware attacks (2026-05-06, 2 outlets, severity 3/5)
    • Conti, Akira ransomware affiliate given 8-year sentence - The Record from Recorded Future News
    • Latvian national sentenced for ransomware attacks run by former Conti leaders - CyberScoop
  • German authorities dismantle Crimenetwork marketplace and arrest suspected administrator (2026-05-11, 2 outlets, severity 3/5)
    • Police shut down reboot of Crimenetwork marketplace, arrest admin - BleepingComputer
    • Resurrected ‘Crimenetwork’ Marketplace Taken Down, Administrator Arrested - SecurityWeek
  • Kingdom Market administrator sentenced to 16 years for dark web crimes (2026-05-09, 1 outlet, severity 3/5)
    • Kingdom Market administrator given 16-year sentence - The Record from Recorded Future News
  • Sri Lankan Police Arrest 37 Chinese Citizens in Scam Raid (2026-05-08, 1 outlet, severity 3/5)
    • Sri Lanka makes 37 arrests as it raids another scam centre - GRAHAM CLULEY
  • Kyle Edwards Pleads Guilty to Doxxing Supreme Court Justices (2026-05-08, 1 outlet, severity 3/5)
    • North Carolina man pleads guilty to doxxing Supreme Court justices - The Record from Recorded Future News
  • Australia Launches Cyber Incident Review Board for Post-Attack Analysis (2026-05-06, 1 outlet, severity 2/5)
    • Australia launches cyber review board modeled on version disbanded in US - The Record from Recorded Future News
  • Elon Musk Sues OpenAI Leaders Over Artificial Intelligence Mission Breach (2026-05-08, 1 outlet, severity 2/5)
    • Worries About AI’s Risks to Humanity Loom Over the Trial Pitting Musk Against OpenAI’s Leaders - SecurityWeek
  • Gavril Sandu Extradited to US for VoIP Hacking Scheme From 17 Years Ago (2026-05-06, 1 outlet, severity 2/5)
    • Romanian Extradited to US for Role in Hacking Scheme 17 Years Ago - SecurityWeek
  • Meete sued for using TikTok videos to target college students (2026-05-05, 1 outlet, severity 2/5)
    • A college student is suing a dating app that allegedly used her TikTok videos to target men in her dormitory - CyberScoop
  • StoneTurn Warns Regulators Won't Accept AI Errors as Defense (2026-05-11, 1 outlet, severity 2/5)
    • ‘Blame the Bot’ Won’t Cut It in Front of Regulators - Corporate Compliance Insights
  • ICE Develops Facial Recognition Smart Glasses for Law Enforcement Use (2026-05-07, 1 outlet, severity 2/5)
    • Smart Glasses for the Authorities - Schneier on Security

Policy & Regulation

  • FTC bans data broker Kochava from selling sensitive location data (2026-05-06, 2 outlets, severity 3/5)
    • FTC to ban data broker Kochava from selling Americans’ location data - BleepingComputer
    • FTC bans data broker Kochava from selling sensitive location info - The Record from Recorded Future News
  • CISA’s CI Fortify initiative targets resilience against Volt Typhoon attacks (2026-05-07, 1 outlet, severity 3/5)
    • New CISA initiative aims for critical infrastructure to operate offline during cyberattacks - The Record from Recorded Future News
  • Rep. Summer Lee Demands Briefing on Federal Graphite Spyware Use (2026-05-07, 1 outlet, severity 3/5)
    • One House Democrat is pressing Commerce on the government’s spyware use - CyberScoop
  • Meta Faces $375M Penalty Over New Mexico Consumer Protection Violations (2026-05-06, 1 outlet, severity 3/5)
    • $375M Meta Verdict Shows States Don’t Have to Make a Federal Case to Have an Impact - Corporate Compliance Insights
  • CISA urges critical infrastructure fortification against rising global cyber threats (2026-05-06, 2 outlets, severity 2/5)
    • CISA wants critical infrastructure to operate ‘weeks to months’ in isolation during conflict - CyberScoop
    • CISA urges critical infrastructure firms to ‘fortify’ before it’s too late - Cybersecurity Dive - Latest News
  • SEC Proposes Allowing Public Companies to Skip Quarterly Reporting (2026-05-07, 1 outlet, severity 2/5)
    • SEC Formally Proposes Making Quarterly Reporting Optional for Public Companies - Corporate Compliance Insights
  • CISA and SBA Should Support Fractional CISO Models for SMBs (2026-05-11, 1 outlet, severity 2/5)
    • The missing cybersecurity leader in small business - CyberScoop
  • Trump Administration Rebrands CyberCorps Scholarship Program to Focus on AI (2026-05-08, 1 outlet, severity 2/5)
    • Trump officials are steering a cybersecurity scholarship program toward AI - CyberScoop
  • State AGs Drive New Wave of Multistate Antitrust Enforcement (2026-05-06, 1 outlet, severity 2/5)
    • Q&A: State AGs Increasingly Taking the Lead on Antitrust Enforcement - Corporate Compliance Insights
  • Zoho Report: Businesses Unprepared to Deploy AI-Powered Security Tools (2026-05-07, 1 outlet, severity 2/5)
    • Businesses eager but unprepared for AI to transform their security strategies - Cybersecurity Dive - Latest News
  • Online Safety Act Fails to Stop Children Bypassing Age Checks (2026-05-07, 1 outlet, severity 2/5)
    • If a fake moustache can fool age checks, is the Online Safety Act working? - Malwarebytes
  • California Prop. 65 Amendments Mandate Specific Chemical Warning Language (2026-05-08, 1 outlet, severity 1/5)
    • Changes Coming to California Prop. 65 Warnings - Corporate Compliance Insights

Other Cybersecurity

  • SMB Price Hikes Driven by Rising Data Breach Costs (2026-05-05, 1 outlet, severity 3/5)
    • Cyberattacks are raising your prices (Lock and Code S07E09) - Malwarebytes
  • Student Hacked Taiwan High Speed Rail to Trigger Emergency Brakes (2026-05-06, 1 outlet, severity 3/5)
    • Student hacked Taiwan high-speed rail to trigger emergency brakes - BleepingComputer
  • SANS Intern Uses Claude to Build Adaptive Honeypot Analytics UI (2026-05-07, 1 outlet, severity 2/5)
    • An Adaptive Cyber Analytics UI for Web Honeypot Logs [Guest Diary], (Wed, May 6th) - SANS Internet Storm Center, InfoCON: green
  • Polymarket Defense Bets Show Suspiciously High Win Rates (2026-05-09, 1 outlet, severity 2/5)
    • Insider Betting on Polymarket - Schneier on Security
  • Kaspersky Launches New Web Filtering to Block Undefined Trust Sites (2026-05-06, 1 outlet, severity 2/5)
    • Websites with an undefined trust level: avoiding the trap - Securelist
  • FTI Consulting Experts Outline Strategy for Navigating Geopolitical Volatility (2026-05-05, 1 outlet, severity 1/5)
    • Engineering Corporate Resilience in an Era of Geopolitical Volatility - Corporate Compliance Insights
  • Cameron Routh Named New Eventus CEO as Founder Exits (2026-05-11, 1 outlet, severity 1/5)
    • Eventus Names New CEO; Founder Exits - Corporate Compliance Insights
  • Evan Kramer Named New CEO of Traliant (2026-05-11, 1 outlet, severity 1/5)
    • Traliant Appoints New CEO - Corporate Compliance Insights
  • ISC Stormcast Podcast Delivers Daily Cybersecurity Threat Intelligence Updates (2026-05-08, 1 outlet, severity 1/5)
    • ISC Stormcast For Friday, May 8th, 2026 https://isc.sans.edu/podcastdetail/9924, (Fri, May 8th) - SANS Internet Storm Center, InfoCON: green
  • ISC Stormcast Daily Security News Digest for May 7, 2026 (2026-05-07, 1 outlet, severity 1/5)
    • ISC Stormcast For Thursday, May 7th, 2026 https://isc.sans.edu/podcastdetail/9922, (Thu, May 7th) - SANS Internet Storm Center, InfoCON: green
  • ISC Stormcast Daily Security News Digest for May 6, 2026 (2026-05-06, 1 outlet, severity 1/5)
    • ISC Stormcast For Wednesday, May 6th, 2026 https://isc.sans.edu/podcastdetail/9920, (Wed, May 6th) - SANS Internet Storm Center, InfoCON: green
  • ISC Stormcast Delivers Daily Security Updates for May 11, 2026 (2026-05-11, 1 outlet, severity 1/5)
    • ISC Stormcast For Monday, May 11th, 2026 https://isc.sans.edu/podcastdetail/9926, (Mon, May 11th) - SANS Internet Storm Center, InfoCON: green
  • DNA Analysis Confirms Giant Squid Presence in Western Australia (2026-05-09, 1 outlet, severity 1/5)
    • Friday Squid Blogging: Giant Squid Live in the Waters of Western Australia - Schneier on Security
  • Tom Parker Rumored as Potential New CISA Director (2026-05-08, 1 outlet, severity 1/5)
    • Has CISA Finally Found Its New Leader in Tom Parker? - darkreading
  • UC Berkeley CLTC Provides Cybersecurity Tools to Under-Resourced Groups (2026-05-06, 1 outlet, severity 1/5)
    • Research Hub Bridges Cybersecurity Gap for Under-Resourced Organizations - darkreading
  • Security Leadership: The Key to Effective Penetration Testing Results (2026-05-06, 1 outlet, severity 1/5)
    • Why Security Leadership Makes or Breaks a Pen Test - darkreading
  • Stuxnet to ChatGPT: 20 Milestones Defining Two Decades of Cybercrime (2026-05-06, 1 outlet, severity 1/5)
    • From Stuxnet to ChatGPT: 20 News Events That Shaped Cyber - darkreading
  • Airbus, Cyera, and Palo Alto Networks Lead April Cybersecurity M&A (2026-05-05, 1 outlet, severity 1/5)
    • Cybersecurity M&A Roundup: 33 Deals Announced in April 2026 - SecurityWeek
  • ISC Stormcast Podcast Covers Daily Cybersecurity Updates for May 5th (2026-05-05, 1 outlet, severity 1/5)
    • ISC Stormcast For Tuesday, May 5th, 2026 https://isc.sans.edu/podcastdetail/9918, (Tue, May 5th) - SANS Internet Storm Center, InfoCON: green

Reported Data Breaches

Breaches reported via Have I Been Pwned this period.

  • Massive Cyberattacks Target Canvas Schools and Zara Customer Data (2026-05-08)
  • Woflow Data Breach Exposes Over 447,000 User Accounts (2026-05-07)
  • LegionProxy Data Breach Compromises Over 10,000 User Accounts (2026-05-06)
  • Cyberattack impacts Vimeo and educational company Instructure (2026-05-05)