Cybersecurity News Digester

May 18, 2026

Weekly Review, 2026-05-18

Covers 7 daily digests (2026-05-12 to 2026-05-18).

All summaries, analysis, and story clustering are done by an LLM. It may make mistakes and say incorrect things. Check the sources and support the actual journalists.

Top Stories

1. TeamPCP Mini Shai-Hulud campaign compromised npm and PyPI packages targeting OpenAI

4 outlets, 2026-05-12 to 2026-05-15 - severity 5/5

The TeamPCP threat actor group executed the Mini Shai-Hulud supply-chain campaign, compromising hundreds of npm and PyPI packages to steal developer credentials. The attack chain involved hijacking OpenID Connect (OIDC) tokens by using a GitHub fork of the TanStack/router repository to execute a pull_request_target workflow, which poisoned the GitHub Actions cache and allowed the publication of malicious packages with valid SLSA Build Level 3 provenance. The scope of the breach included organizations such as OpenAI, Mistral AI, UiPath, and OpenSearch, as well as the compromise of the Checkmarx Jenkins AST plugin via credentials stolen during a prior March attack on Trivy. Impacted systems included developer devices at OpenAI and Mistral AI, leading to the exfiltration of internal source code repository credentials and code-signing certificates for iOS, macOS, Windows, and Android. Following the incident, TeamPCP advertised the sale of approximately 450 Mistral AI repositories for $25,000.

Sources

  • Shai Hulud attack ships signed malicious TanStack, Mistral npm packages - BleepingComputer, 2026-05-12 (quality: 19/21)
  • Official CheckMarx Jenkins package compromised with infostealer - BleepingComputer, 2026-05-11 (quality: 20/21)
  • TanStack, Mistral AI, UiPath Hit in Fresh Supply Chain Attack - SecurityWeek, 2026-05-12 (quality: 20/21)
  • Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI & More Packages - The Hacker News, 2026-05-12 (quality: 11/21)
  • TeamPCP Compromises Checkmarx Jenkins AST Plugin Weeks After KICS Supply Chain Attack - The Hacker News, 2026-05-11 (quality: 13/21)
  • TeamPCP hackers advertise Mistral AI code repos for sale - BleepingComputer, 2026-05-14 (quality: 19/21)
  • OpenAI confirms security breach in TanStack supply chain attack - BleepingComputer, 2026-05-14 (quality: 20/21)
  • OpenAI Hit by TanStack Supply Chain Attack - SecurityWeek, 2026-05-15 (quality: 19/21)
  • OpenAI asks macOS users to update after TanStack npm supply chain attack - The Record from Recorded Future News, 2026-05-14 (quality: 20/21)
  • TanStack Supply Chain Attack Hits Two OpenAI Employee Devices, Forces macOS Updates - The Hacker News, 2026-05-15 (quality: 20/21)

2. Nitrogen ransomware group targets Foxconn manufacturing plants with data exfiltration attack

6 outlets, 2026-05-13 to 2026-05-15 - severity 4/5

The Nitrogen ransomware group targeted several Foxconn (Hon Hai Precision Industry) manufacturing plants in North America, claiming to have exfiltrated 8 terabytes of data comprising over 11 million files. The stolen data reportedly includes technical information, confidential instructions, and drawings belonging to various clients, including Apple, Google, Microsoft, Intel, Nvidia, and Dell. Nitrogen, a threat actor first observed in 2023, utilizes ransomware tools built from stolen Conti code and has previously used the ALPHV variant. The attack caused operational disruptions, such as network outages in Wisconsin that forced employees to use manual paper-based processes. Foxconn activated cybersecurity response mechanisms and implemented measures to ensure production continuity, and as of mid-May 2026, the affected North American factories were resuming normal production cycles.

Sources

  • Foxconn confirms cyberattack impacting North American factories - The Record from Recorded Future News, 2026-05-12 (quality: 18/21)
  • Foxconn confirms cyberattack claimed by Nitrogen ransomware gang - BleepingComputer, 2026-05-13 (quality: 18/21)
  • Foxconn confirms cyberattack affecting some North American facilities - Cybersecurity Dive - Latest News, 2026-05-13 (quality: 20/21)
  • Foxconn Confirms North American Factories Hit by Cyberattack - SecurityWeek, 2026-05-13 (quality: 16/21)
  • Foxconn Attack Highlights Manufacturing's Cyber Crisis - darkreading, 2026-05-14 (quality: 20/21)
  • Major tech manufacturer Foxconn confirms cyberattack hit North American factories - CyberScoop, 2026-05-14 (quality: 20/21)

3. Unnamed cybercrime group uses AI to bypass 2FA on web tool

5 outlets, 2026-05-12 - severity 4/5

An unnamed cybercrime group developed a Python-based zero-day exploit, likely utilizing an AI model, to bypass two-factor authentication (2FA) on an unnamed open-source web administration tool. The exploit leveraged a high-level semantic logic bug, and researchers identified AI-generated artifacts within the code, such as educational docstrings and a hallucinated CVSS score. Google Threat Intelligence Group identified the threat and coordinated with the software vendor, which released a patch to prevent a planned mass exploitation campaign. While the specific vulnerability remains unnamed, the discovery follows a trend of various threat actors, including APT45 and APT27, using large language models for vulnerability analysis and exploit development.

Sources

  • AI used to develop working zero-day exploit, researchers warn - Cybersecurity Dive - Latest News, 2026-05-11 (quality: 18/21)
  • Google: Hackers used AI to develop zero-day exploit for web admin tool - BleepingComputer, 2026-05-11 (quality: 16/21)
  • Google spotted an AI-developed zero-day before attackers could use it - CyberScoop, 2026-05-11 (quality: 18/21)
  • Google Detects First AI-Generated Zero-Day Exploit - SecurityWeek, 2026-05-11 (quality: 20/21)
  • Hackers Used AI to Develop First Known Zero-Day 2FA Bypass for Mass Exploitation - The Hacker News, 2026-05-11 (quality: 12/21)

4. ShinyHunters targeted Instructure Holdings Inc via compromised accounts to steal data

7 outlets, 2026-05-12 to 2026-05-18 - severity 5/5

The extortion group ShinyHunters conducted two separate cyberattacks against Instructure Holdings, Inc. within a single week, targeting the Canvas learning management platform. The attackers utilized compromised "Free-For-Teacher" accounts to enter the system and escalate privileges, resulting in the theft of approximately 3.65 terabytes of data. This breach affected roughly 275 to 280 million student and staff records across more than 8,000 educational institutions, including various universities. In addition to data theft, the group defaced school login portals with extortion messages and forced the platform offline. Instructure reached an agreement with the threat actor to ensure the deletion of the stolen information, a move described by some researchers as a ransom payment. The U.S. House Committee on Homeland Security subsequently opened a formal investigation into the incident.

Sources

  • The Canvas breach proved that prevention is no longer enough - CyberScoop, 2026-05-18 (quality: 17/21)
  • 7-Eleven Data Breach Confirmed After ShinyHunters Ransom Demand - SecurityWeek, 2026-05-18 (quality: 16/21)
  • US govt seeks Instructure testimony on massive Canvas cyberattack - BleepingComputer, 2026-05-12 (quality: 19/21)
  • Instructure pays ransom after Canvas incident as Congress announces investigation - The Record from Recorded Future News, 2026-05-12 (quality: 20/21)
  • Government to Scrutinize Instructure Over Canvas Disruption, Data Breach - SecurityWeek, 2026-05-13 (quality: 19/21)
  • Smashing Security podcast #467: How ShinyHunters hacked the world’s biggest universities - GRAHAM CLULEY, 2026-05-13 (quality: 10/21)
  • 11th May – Threat Intelligence Report - Check Point Research, 2026-05-11 (quality: 15/21)
  • Weekly Update 504 - Troy Hunt, 2026-05-18 (quality: 11/21)

5. Equation Group uses fast16 malware to sabotage nuclear weapons testing simulations

1 outlet, 2026-05-18 - severity 5/5

The Lua-based fast16 malware, attributed to the Equation Group, was engineered to sabotage nuclear weapons testing simulations by corrupting uranium-compression data. The malware utilized 101 specific rules to tamper with mathematical calculations within engineering software, specifically targeting material densities exceeding 30 g/cm³ in programs such as LS-DYNA and AUTODYN. To ensure consistent tampered outputs, the malware employed an automatic spreading mechanism to infect other endpoints on the same network while actively avoiding detection by specific security products. Analysis of the framework, which includes components dating back to 2005, indicates a methodical operation capable of targeting up to 10 different versions of simulation software, including LS-DYNA version 970, PKPM, and MOHID.

Sources

  • Pre-Stuxnet Fast16 Malware Tampered with Nuclear Weapons Simulations - The Hacker News, 2026-05-18 (quality: 20/21)

6. IDF destroys Lebanese villages and homes to remove Hezbollah tunnel systems

1 outlet, 2026-05-14 - severity 5/5

The Israel Defense Forces (IDF) have heavily damaged or flattened at least 46 of 54 towns and villages within the "Yellow Line" area of southern Lebanon through the use of explosives and construction vehicles. Following the March 2026 US-Israeli attacks on Iran and subsequent IDF evacuation orders, large-scale demolitions occurred in locations such as Qantara and Aadshit, where the IDF detonated 450 tonnes of explosives to destroy Hezbollah tunnel systems. This destruction has resulted in the widespread obliteration of residential areas in villages including Naqoura, Kfar Kila, Beit Lif, and Kheim. The current situation involves the ongoing implementation of a demolition model intended to remove border threats by destroying homes near the Lebanese-Israeli border.

Sources

  • Satellite Imagery Shows Ongoing Demolitions Across Southern Lebanon - bellingcat, 2026-05-14 (quality: 18/21)

7. Pwn2Own Berlin 2026 Researchers Exploit Zero-Day Vulnerabilities in Various Enterprise Technologies

2 outlets, 2026-05-15 to 2026-05-18 - severity 4/5

Security researchers at the Pwn2Own Berlin 2026 competition exploited 47 unique zero-day vulnerabilities across various enterprise and artificial intelligence technologies, earning a total of $1,298,250 in bounties. The exploits targeted a wide range of software and hardware, including Microsoft Exchange, Windows 11, Microsoft Edge, VMware ESXi, Red Hat Enterprise Linux, and NVIDIA components, as well as AI tools like OpenAI Codex, LiteLLM, and Cursor AI. Notable attack chains included Orange Tsai of the DEVCORE Research Team achieving remote code execution on Microsoft Exchange by chaining three bugs, as well as a sandbox escape on Microsoft Edge using four logic bugs. The competition concluded with DEVCORE and StarLabs SG as the top-earning teams, having successfully demonstrated vulnerabilities in cloud-native, virtualization, and LLM environments. Vendors such as Microsoft, NVIDIA, and Red Hat have a 90-day window from the event's conclusion to release security patches for the disclosed flaws.

Sources

  • Windows 11 and Microsoft Edge hacked at Pwn2Own Berlin 2026 - BleepingComputer, 2026-05-14 (quality: 18/21)
  • Microsoft Exchange, Windows 11 hacked on second day of Pwn2Own - BleepingComputer, 2026-05-15 (quality: 18/21)
  • Hackers earn $1,298,250 for 47 zero-days at Pwn2Own Berlin 2026 - BleepingComputer, 2026-05-18 (quality: 17/21)
  • Hackers Earn $1.3 Million at Pwn2Own Berlin 2026 - SecurityWeek, 2026-05-18 (quality: 16/21)

8. Secret Blizzard evolves Kazuar backdoor into a modular P2P botnet architecture

3 outlets, 2026-05-15 to 2026-05-17 - severity 4/5

The Russian-linked threat actor Secret Blizzard, also associated with Turla and the FSB, has evolved the long-standing Kazuar backdoor into a modular peer-to-peer (P2P) botnet architecture. This evolution transitioned the malware from a monolithic framework into a distributed system comprising Kernel, Bridge, and Worker modules designed for stealthy, long-term espionage. The botnet utilizes a "leader election" process among Kernel modules to minimize external traffic, with an elected leader communicating via the Bridge module using protocols such as HTTP, WebSockets, or Exchange Web Services. Worker modules execute tasks including keylogging, screenshot capture, and filesystem harvesting, staging data in a dedicated directory for exfiltration. The malware employs advanced evasion techniques to bypass AMSI, ETW, and Windows Lockdown Policy, and supports 150 configuration options for managing tasking and process injection. Historically targeting government and diplomatic sectors in Europe, Central Asia, and Ukraine, the botnet remains an active threat for large-scale intelligence collection.

Sources

  • Kazuar: Anatomy of a nation-state botnet - Threat intelligence | Microsoft Security Blog, 2026-05-14 (quality: 18/21)
  • Turla Turns Kazuar Backdoor Into Modular P2P Botnet for Persistent Access - The Hacker News, 2026-05-15 (quality: 20/21)
  • Russian hackers turn Kazuar backdoor into modular P2P botnet - BleepingComputer, 2026-05-16 (quality: 19/21)

Under the Radar

High-severity stories that received limited coverage this period.

TeamPCP uses Shai-Hulud malware clones for supply chain attacks targeting npm

2 outlets, 2026-05-18 - severity 4/5

The threat actor TeamPCP is utilizing clones of the Shai-Hulud malware to execute supply chain attacks targeting developer environments and package registries, including npm, PyPI, and Docker Hub. Following the release of the Shai-Hulud source code on GitHub, the malware propagates by stealing credentials, API keys, and tokens from infected machines and injecting itself into maintained packages. Recent activity includes the publication of four malicious npm packages, such as ‘chalk-tempalte’ and ‘axois-utils’, which have accumulated over 2,600 weekly downloads and utilize techniques like typo-squatting and the establishment of independent command-and-control servers. These campaigns have targeted hundreds of npm packages and potentially thousands of developers, with some identified clones also incorporating functionality to enroll infected machines into a distributed denial-of-service (DDoS) botnet.

Why it matters: Confirmed widespread supply chain exploitation targeting major registries (npm, PyPI, Docker Hub) to steal credentials and facilitate malware self-propagation.

Sources

  • First Shai-Hulud Worm Clones Emerge - SecurityWeek, 2026-05-18 (quality: 18/21)
  • Developer Workstations Are Now Part of the Software Supply Chain - The Hacker News, 2026-05-18 (quality: 17/21)

TeamPCP compromised open-source packages by exploiting GitHub Actions workflow permissions

1 outlet, 2026-05-13 - severity 4/5

The threat actor TeamPCP compromised hundreds of open-source packages, including widely used libraries like TanStack’s React Router, by exploiting overly broad permissions in GitHub Actions workflows. The attack chain involved pushing an "orphaned commit" to a repository fork to trigger automated release processes, which then injected a 2.3-megabyte obfuscated payload via a concealed dependency. The malware targeted developer workstations by embedding itself into Visual Studio Code and Anthropic Claude Code configurations to steal credentials for AWS, Google Cloud, Kubernetes, and HashiCorp Vault. To evade detection, the attackers used the Session messaging app for data exfiltration and spoofed activity to appear as automated commits from the Anthropic Claude bot. The campaign resulted in the theft of security keys and passwords, with the malware leaving ransom notes that threaten to wipe victim systems if access is revoked.

Why it matters: Widespread exploitation of automated pipelines compromised hundreds of packages, including high-traffic libraries, to steal critical cloud and developer credentials.

Sources

  • ‘Mini Shai-Hulud’ malware compromises hundreds of open-source packages in sprawling supply-chain attack - CyberScoop, 2026-05-12 (quality: 20/21)

Fighting Ursa Exploits AD CS to Target Windows Enterprise Environments

2 outlets, 2026-05-12 - severity 4/5

The threat actor Fighting Ursa (also known as APT28 or Fancy Bear) conducted a cyberespionage campaign by exploiting Active Directory Certificate Services (AD CS) to escalate privileges and establish persistence within Windows enterprise environments. The attack chain involved using tools such as ADExplorer and Certipy to collect directory data, alongside the exploitation of misconfigured certificate templates—specifically those with the ENROLLEE_SUPPLIES_SUBJECT flag—and the use of shadow credentials via the msDS-KeyCredentialLink attribute. These techniques allowed the group to impersonate high-privileged accounts and maintain passwordless authentication that persists despite standard password resets. The campaign utilized known vulnerabilities such as CVE-2022-26923 to execute malicious files and facilitate domain dominance.

Why it matters: Confirmed use of AD CS misconfigurations in a documented cyberespionage campaign by a known nation-state actor (Fighting Ursa).

Sources

  • Inside AD CS Escalation: Unpacking Advanced Misuse Techniques and Tools - Unit 42, 2026-05-11 (quality: 17/21)
  • Why Changing Passwords Doesn’t End an Active Directory Breach - BleepingComputer, 2026-05-11 (quality: 11/21)

Tycoon2FA uses device-code phishing to hijack Microsoft 365 accounts

1 outlet, 2026-05-18 - severity 4/5

The Tycoon2FA phishing kit has implemented device-code phishing capabilities to hijack Microsoft 365 accounts by leveraging OAuth 2.0 device authorization grant flows. The attack chain utilizes Trustifi click-tracking URLs and Cloudflare Workers to redirect victims through multiple obfuscated JavaScript layers to a fraudulent Microsoft CAPTCHA page, where attackers steal OAuth tokens to register rogue devices. Successful exploitation grants unauthorized access to victim email, calendars, and cloud file storage. Despite a previous law enforcement disruption in March, the threat actor has rebuilt its infrastructure and increased its use of obfuscation to bypass security vendors and sandboxes.

Why it matters: The kit enables widespread exploitation of Microsoft 365 accounts via a significant, rapidly increasing OAuth-based attack campaign.

Sources

  • Tycoon2FA hijacks Microsoft 365 accounts via device-code phishing - BleepingComputer, 2026-05-17 (quality: 19/21)

All Stories by Category

Vulnerabilities & Patches

  • Threat Actors Exploit Cisco Catalyst SD-WAN Vulnerabilities via CVE-2026-20182 (2026-05-15, 1 outlet, severity 4/5)
    • Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities - Cisco Talos Blog
  • Interlock group exploits Cisco Secure FMC vulnerability for arbitrary code execution (2026-05-18, 1 outlet, severity 4/5)
    • IT threat evolution in Q1 2026. Mobile statistics - Securelist
    • IT threat evolution in Q1 2026. Non-mobile statistics - Securelist
  • PAN-OS RCE, Mythos cURL Bug, and AI Tokenizer Attacks Reported (2026-05-15, 1 outlet, severity 4/5)
    • ThreatsDay Bulletin: PAN-OS RCE, Mythos cURL Bug, AI Tokenizer Attacks, and 10+ Stories - The Hacker News
  • DARPA AI Cyber Challenge tools uncover 83 critical software vulnerabilities (2026-05-18, 1 outlet, severity 3/5)
    • How a government contest launched a revolution in AI-based bug hunting - Cybersecurity Dive - Latest News
  • Yarbo Fixes Security Flaws Allowing Remote Robot Hijacking (2026-05-12, 1 outlet, severity 3/5)
    • Yarbo responds to robot flaws that could mow down their owners - Malwarebytes
  • Claude Mythos Finds Single Curl Vulnerability, Sparking Expert Debate (2026-05-12, 1 outlet, severity 2/5)
    • Claude Mythos Finds Only One Curl Vulnerability; Experts Divided on What It Really Means - SecurityWeek
  • Remediation Programs Fail to Verify Effective Vulnerability Fixes (2026-05-13, 1 outlet, severity 2/5)
    • Most Remediation Programs Never Confirm the Fix Actually Worked - The Hacker News
  • OpenAI launches Daybreak initiative to automate software vulnerability identification and patching (2026-05-12 to 2026-05-14, 3 outlets, severity 1/5)
    • OpenAI Launches Daybreak for AI-Powered Vulnerability Detection and Patch Validation - The Hacker News
    • OpenAI launches Daybreak to combat cyber threats - Cybersecurity Dive - Latest News
    • Daybreak is OpenAI’s answer to the AI arms race in cybersecurity - CyberScoop
  • Bitdefender GravityZone PHASR Identifies Risks From Exploited Internal Tools (2026-05-15, 1 outlet, severity 1/5)
    • What 45 Days of Watching Your Own Tools Will Tell You About Your Real Attack Surface - The Hacker News
  • Talos Researcher Philippe Laulheret Explains the Art of Vulnerability Research (2026-05-13, 1 outlet, severity 1/5)
    • Breaking things to keep them safe with Philippe Laulheret - Cisco Talos Blog
  • Microsoft MDASH AI Discovers 16 Windows Vulnerabilities for Patch Tuesday (2026-05-14, 1 outlet, severity 1/5)
    • Microsoft's MDASH AI System Finds 16 Windows Flaws Fixed in Patch Tuesday - The Hacker News

Data Breaches

  • THORChain loses over $10 million in vault security breach (2026-05-16, 1 outlet, severity 3/5)
    • More than $10 million stolen from crypto platform THORChain - The Record from Recorded Future News
  • OpenLoop Health Breach Exposes Medical Data of 716,000 People (2026-05-13, 1 outlet, severity 3/5)
    • 716,000 Impacted by OpenLoop Health Data Breach - SecurityWeek
  • HPE Operations Agent tools used in third-party provider breach (2026-05-13, 1 outlet, severity 3/5)
    • Undermining the trust boundary: Investigating a stealthy intrusion through third-party compromise - Threat intelligence | Microsoft Security Blog
  • Škoda Auto online shop hack exposes customer personal data (2026-05-13, 1 outlet, severity 3/5)
    • Škoda warns of customer data breach after online shop hack - BleepingComputer
  • Bahamas CIRT-BS Joins Have I Been Pwned to Monitor Breaches (2026-05-14, 1 outlet, severity 2/5)
    • Welcoming the Bahamian Government to Have I Been Pwned - Troy Hunt
  • BGD e-GOV CIRT Joins Have I Been Pwned to Monitor Breaches (2026-05-12, 1 outlet, severity 2/5)
    • Welcoming the Bangladesh Government to Have I Been Pwned - Troy Hunt

Ransomware

  • Cl0p ransomware group breached South Staffordshire Water Plc via phishing attack (2026-05-12 to 2026-05-13, 2 outlets, severity 3/5)
    • UK water company allowed hackers to lurk undetected for nearly two years, regulator finds - The Record from Recorded Future News
    • UK fines water supplier $1.3M for exposing data of 664k customers - BleepingComputer
  • The Gentlemen RaaS administrator acknowledges leak of Rocket backend database (2026-05-14, 2 outlets, severity 3/5)
    • Thus Spoke…The Gentlemen - Check Point Research
    • Tables Turn on 'The Gentlemen' RaaS Gang With Data Leak - darkreading
  • The Com uses physical violence and arson to extort ransom (2026-05-14, 1 outlet, severity 3/5)
    • When ransomware gets physical: cybercriminals turn to threats of violence - GRAHAM CLULEY
  • West Pharmaceutical Services faces operational disruptions after ransomware attack (2026-05-13, 1 outlet, severity 3/5)
    • West Pharmaceutical warns of ransomware attack impacting business operations - The Record from Recorded Future News
  • EtherRat and TukTuk Malware Lead to The Gentlemen Ransomware (2026-05-12, 1 outlet, severity 3/5)
    • Flash Alert: EtherRat and TukTuk C2 End in The Gentleman Ransomware - The DFIR Report
  • Kaspersky Report: Post-Quantum Cryptography and EDR Killers Drive Ransomware (2026-05-12, 1 outlet, severity 3/5)
    • State of ransomware in 2026 - Securelist
  • West Pharmaceutical Services suffers data theft and system encryption (2026-05-14, 1 outlet, severity 3/5)
    • West Pharmaceutical says hackers stole data, encrypted systems - BleepingComputer
  • American Lending Center Ransomware Attack Exposes 123,000 People's Data (2026-05-15, 1 outlet, severity 3/5)
    • American Lending Center Data Breach Affects 123,000 Individuals - SecurityWeek
  • West Pharmaceutical Services Restores Operations Following Ransomware Attack (2026-05-15, 1 outlet, severity 3/5)
    • West Pharmaceutical starts restoring operations after ransomware attack - Cybersecurity Dive - Latest News
  • Criminals Use Ransomware Tactics to Execute Cyber-Enabled Cargo Theft (2026-05-15, 1 outlet, severity 3/5)
    • Cyber-Enabled Cargo Crime: How Cybercrime Tradecraft is Used to Steal Freight - BleepingComputer

Supply Chain Attacks

  • node-ipc npm package compromised to exfiltrate sensitive cloud credentials (2026-05-16, 1 outlet, severity 4/5)
    • Popular node-ipc npm package compromised to steal credentials - BleepingComputer
  • Build Application Firewalls Target CI/CD Supply Chain Attack Risks (2026-05-12, 1 outlet, severity 4/5)
    • Build Application Firewalls Aim to Stop the Next Supply Chain Attack - SecurityWeek
  • Four npm Packages by deadcode09284814 Spread Phantom Bot Malware (2026-05-18, 1 outlet, severity 3/5)
    • Four Malicious npm Packages Deliver Infostealers and Phantom Bot DDoS Malware - The Hacker News
  • Kenneth Johnson Warns US Critical Minerals Supply Chain Faces Governance Risks (2026-05-18, 1 outlet, severity 2/5)
    • Critical Minerals Supply Chain Resilience Starts Upstream — Where US Policy Is Weakest - Corporate Compliance Insights
  • SecurityScorecard Acquires Driftnet to Boost Supply Chain Threat Intelligence (2026-05-15, 1 outlet, severity 1/5)
    • SecurityScorecard Snags Driftnet to Level Up Threat Intelligence - darkreading

Nation-State / APT

  • Salt Typhoon and Twill Typhoon Deploy Updated FDMTP Malware Framework (2026-05-14, 1 outlet, severity 3/5)
    • Chinese APTs Expand Targets, Update Backdoors in Recent Campaigns - SecurityWeek
  • Kimsuky Uses PebbleDash-Based Tools to Target Organizations (2026-05-14, 1 outlet, severity 3/5)
    • Kimsuky targets organizations with PebbleDash-based tools - Securelist
  • MuddyWater targets South Korean electronics manufacturer using DLL sideloading campaign (2026-05-14, 1 outlet, severity 3/5)
    • Iranian hackers targeted major South Korean electronics maker - BleepingComputer
  • Ghostwriter uses geofenced PDF phishing to target Ukrainian government organizations (2026-05-15, 2 outlets, severity 3/5)
    • Ghostwriter Targets Ukrainian Government With Geofenced PDF Phishing, Cobalt Strike - The Hacker News
    • 'FrostyNeighbor' APT Carefully Targets Govt Orgs in Poland, Ukraine - darkreading
  • ODNI Appoints Officials to Combat 2026 Foreign Election Threats (2026-05-15, 1 outlet, severity 2/5)
    • ODNI taps officials to coordinate response to foreign election threats - The Record from Recorded Future News

Malware & Botnets

  • GemStuffer used RubyGems to exfiltrate data from UK local government portals (2026-05-13 to 2026-05-14, 2 outlets, severity 3/5)
    • GemStuffer Abuses 150+ RubyGems to Exfiltrate Scraped U.K. Council Portal Data - The Hacker News
    • Attackers Weaponize RubyGems for Data Dead Drops - darkreading
  • Bot accounts targeted RubyGems with DDoS attack and malicious packages (2026-05-13, 2 outlets, severity 3/5)
    • Hundreds of Malicious Packages Force RubyGems to Suspend Registrations - SecurityWeek
    • RubyGems Suspends New Signups After Hundreds of Malicious Packages Are Uploaded - The Hacker News
  • mdrfckr campaign uses new libssh version to bypass detection (2026-05-15, 1 outlet, severity 3/5)
    • [Guest Diary] New Malware Libraries means New Signatures, (Fri, May 15th) - SANS Internet Storm Center, InfoCON: green
  • GhostLock tool uses Windows API to block file access (2026-05-12, 1 outlet, severity 3/5)
    • New GhostLock tool abuses Windows API to block file access - BleepingComputer
  • REMUS Infostealer Evolves Into Sophisticated Malware-as-a-Service Platform (2026-05-16, 1 outlet, severity 3/5)
    • Inside the REMUS Infostealer: Session Theft, MaaS, and Rapid Evolution - BleepingComputer
  • Gremlin Stealer Uses .NET Resource Files to Evade Detection (2026-05-15, 1 outlet, severity 3/5)
    • Gremlin Stealer's Evolved Tactics: Hiding in Plain Sight With Resource Files - Unit 42
  • TrickMo Android Trojan Uses TON Network for Command-and-Control Pivoting (2026-05-13, 1 outlet, severity 3/5)
    • New TrickMo Variant Uses TON C2 and SOCKS5 to Create Android Network Pivots - The Hacker News
  • JDownloader installers compromised by malware via CMS security bug (2026-05-16, 1 outlet, severity 3/5)
    • Attackers replaced JDownloader installer downloads with malware - Malwarebytes
  • Google rolls out Android Intrusion Logging to analyze spyware attacks (2026-05-13, 2 outlets, severity 2/5)
    • Google and Amnesty International teamed up to make it harder for spyware vendors to hide - CyberScoop
    • Android Adds Intrusion Logging for Sophisticated Spyware Forensics - The Hacker News
  • Linux Rootkits, macOS Crypto Stealers, and WebSocket Skimmers Highlighted (2026-05-12, 1 outlet, severity 2/5)
    • ⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More - The Hacker News

Phishing & Social Engineering

  • Deepfake sextortion forces schools to scrub student photos from websites (2026-05-14, 1 outlet, severity 3/5)
    • Deepfake sextortion forces schools to remove student photos from websites - Malwarebytes
  • KongTuke uses Microsoft Teams to deploy ModeloRAT malware via social engineering (2026-05-14, 1 outlet, severity 3/5)
    • KongTuke hackers now use Microsoft Teams for corporate breaches - BleepingComputer
  • SEO Poisoning Attacks Use Fake Marketplaces to Steal Payment Data (2026-05-13, 1 outlet, severity 3/5)
    • [GUEST DIARY] Tearing apart website fraud to see how it works., (Wed, May 13th) - SANS Internet Storm Center, InfoCON: green
  • Signal adds security warnings to combat Russian-linked phishing attacks (2026-05-13, 1 outlet, severity 3/5)
    • Signal adds security warnings for social engineering, phishing attacks - BleepingComputer
  • Claude Search Scams Use ClickFix Attacks to Target Mac Users (2026-05-13, 1 outlet, severity 3/5)
    • Fake Claude search results lure Mac users into ClickFix attack - Malwarebytes
  • Malwarebytes Blocks Risky Third-Party Redirects Within Yahoo Mail Interface (2026-05-14, 1 outlet, severity 2/5)
    • Why Malwarebytes blocks some Yahoo Mail redirects - Malwarebytes

Cloud & Infrastructure Security

  • Microsoft to Automate Windows Driver Rollbacks via Cloud Recovery (2026-05-15, 1 outlet, severity 2/5)
    • Microsoft to automatically roll back faulty Windows drivers - BleepingComputer
  • DPUs Protect Data Centers From ESXiArgs Malware via CPU Offloading (2026-05-15, 1 outlet, severity 2/5)
    • Enhancing Data Center Security Without Sacrificing Performance - SecurityWeek
  • Cloudflare Turnstile Blocks 99.7% of Bot Requests, Analysis Shows (2026-05-12, 1 outlet, severity 1/5)
    • Why we use CAPTCHAs, (Mon, May 11th) - SANS Internet Storm Center, InfoCON: green

Identity & Access Management

  • Akhter twins delete 96 US government databases after termination (2026-05-13, 1 outlet, severity 4/5)
    • Twin brothers wipe 96 gov't databases minutes after being fired - security - Ars Technica
  • CoinbaseCartel stole Grafana Labs codebase using a compromised GitHub token (2026-05-17 to 2026-05-18, 2 outlets, severity 3/5)
    • Grafana GitHub Token Breach Led to Codebase Download and Extortion Attempt - The Hacker News
    • Grafana Confirms Breach After Hackers Claim They Stole Data - SecurityWeek
  • Sophos Report: Identity Breaches Drive 70% of Enterprise Attacks (2026-05-13, 1 outlet, severity 3/5)
    • Identity takes center stage as a leading factor in enterprise cyberattacks - Cybersecurity Dive - Latest News
  • Cifas Study: 13% of Employees Have Sold Corporate Credentials (2026-05-12, 1 outlet, severity 3/5)
    • 1 in 8 employees have sold company logins or know someone who has - Malwarebytes
  • Nick Polk Warns AI Integration Demands Prioritizing Identity Security (2026-05-15, 1 outlet, severity 2/5)
    • White House cyber official: identity security matters more than ever in the age of AI - CyberScoop

AI & Machine Learning Security

  • AI-Driven Vulnerability Research May Trigger Massive Software Patching Surge (2026-05-15, 1 outlet, severity 4/5)
    • The time of much patching is coming - Cisco Talos Blog
  • PROMPTFLUX Malware and AI Threats Render Traditional SOCs Obsolete (2026-05-12, 1 outlet, severity 4/5)
    • Is the SOC Obsolete, And We Just Haven’t Admitted It Yet? - SecurityWeek
  • Advanced AI Models Increase Speed of Completing Autonomous Cybersecurity Tasks (2026-05-14, 2 outlets, severity 3/5)
    • Researchers say AI just broke every benchmark for autonomous cyber capability - CyberScoop
    • Microsoft, Palo Alto Networks Find Many Vulnerabilities by Using AI on Their Own Code - SecurityWeek
  • Anthropic Claude Mythos Preview identifies software vulnerabilities causing federal agency scrutiny (2026-05-14, 2 outlets, severity 3/5)
    • How Dangerous Is Anthropic’s Mythos AI? - Schneier on Security
    • Closed briefing sets stage for House hearing on Anthropic’s Mythos and cyber risks - CyberScoop
  • Hugging Face Tokenizer Vulnerability Allows Attackers to Hijack Model Outputs (2026-05-13, 1 outlet, severity 3/5)
    • Hugging Face Packages Weaponized With a Single File Tweak - darkreading
  • Auschwitz Museum Warns AI Deepfakes Are Distorting Holocaust History (2026-05-18, 1 outlet, severity 3/5)
    • AI is distorting the Holocaust (Lock and Code S07E10) - Malwarebytes
  • LatAm Vibe Hackers Use AI Agents to Create Custom Tools (2026-05-14, 1 outlet, severity 3/5)
    • LatAm Vibe Hackers Generate Custom Hacking Tools on the Fly - darkreading
  • XBOW testing shows Anthropic Mythos model effectively detects software vulnerabilities (2026-05-15, 2 outlets, severity 2/5)
    • Pentagon cyber official calls advanced AI ‘revolutionary warfare’ - CyberScoop
    • Mythos Proves Potent in Vulnerability Discovery, Less Convincing Elsewhere - SecurityWeek
  • Guardz Report: MSPs Must Use AI to Combat AI-Driven Attacks (2026-05-16, 1 outlet, severity 2/5)
    • MSPs need AI to fight AI-fueled cyberthreats: Guardz - Cybersecurity Dive - Latest News
  • RSAC 2026: Agentic AI Risks and Government Absence Take Center Stage (2026-05-12, 1 outlet, severity 2/5)
    • AI and an absent government: Takeaways from RSAC 2026 - Cybersecurity Dive - Latest News
  • Cisco Releases AI Security Spec Amid Global Cyber Threats (2026-05-16, 1 outlet, severity 2/5)
    • In Other News: Big Tech vs Canada Encryption Bill, Cisco’s Free AI Security Spec, Audi App Flaws - SecurityWeek
  • Frontier AI Models Accelerate Discovery of Software Security Vulnerabilities (2026-05-15, 1 outlet, severity 2/5)
    • Frontier AI models reap rapid discovery of security vulnerabilities - Cybersecurity Dive - Latest News
  • AI-Driven Fraud and Deepfakes Demand Rapid Enterprise Defense Models (2026-05-14, 1 outlet, severity 2/5)
    • Weaponized AI: The new frontier of fraud and identity spoofing - CyberScoop
  • Agentic AI Deployment Creates New Critical Security Blind Spots (2026-05-12, 1 outlet, severity 2/5)
    • Why Agentic AI Is Security's Next Blind Spot - The Hacker News
  • AI Coding Tools and Agents Increase Chained Vulnerability Risks (2026-05-18, 1 outlet, severity 2/5)
    • The Boring Stuff is Dangerous Now - darkreading
  • AI Hallucinations Pose Critical Security Risks to Infrastructure Decision-Making (2026-05-14, 1 outlet, severity 2/5)
    • How AI Hallucinations Are Creating Real Security Risks - The Hacker News
  • Fake Mustaches Can Bypass AI-Based Video Age-Verification Systems (2026-05-15, 1 outlet, severity 2/5)
    • Bypassing On-Camera Age-Verification Checks - Schneier on Security
  • GPT-5.5 Matches Claude Mythos in Vulnerability Detection Performance (2026-05-13, 1 outlet, severity 2/5)
    • OpenAI’s GPT-5.5 is as Good as Mythos at Finding Security Vulnerabilities - Schneier on Security
  • AI-Driven Shifts Are Reshaping Cybersecurity Scaling and Venture Funding (2026-05-12, 1 outlet, severity 1/5)
    • AI is separating the companies built to scale from the ones built to sell - CyberScoop
  • Sweet Security Launches Sweet Attack to Automate AI Red Teaming (2026-05-14, 1 outlet, severity 1/5)
    • Sweet Security Launches Agentic AI Red Teaming to Counter ‘Mythos Moment’ - SecurityWeek
  • Guardrail Technologies Launches Traffic Light to Secure AI-Generated Code (2026-05-13, 1 outlet, severity 1/5)
    • Guardrail Technologies launches Traffic Light for Code & AI™; first security technology to verify & secure AI code and the people creating it - Cybersecurity Dive - Latest News
  • Frame Security Secures $50M to Launch AI Human Risk Platform (2026-05-12, 1 outlet, severity 1/5)
    • Frame Security Emerges From Stealth With $50M for Awareness and Training Platform - SecurityWeek
  • AI-Driven Security Investments Outpace M&A by Over $1 Billion (2026-05-15, 1 outlet, severity 1/5)
    • AI Drives Cybersecurity Investments, Widening 'Valley of Death' - darkreading
  • Large Language Models Empower Hackers to Automate Complex Cyberattacks (2026-05-12, 1 outlet, severity 1/5)
    • Hackers Use AI for Exploit Development, Attack Automation - darkreading

Legal & Law Enforcement

  • Speedstepper arrested for laundering Dream Market cryptocurrency via private keys (2026-05-14 to 2026-05-15, 3 outlets, severity 3/5)
    • US charges suspected Dream Market admin arrested in Germany - BleepingComputer
    • Alleged Dream Market admin arrested in Germany after US indictment - The Record from Recorded Future News
    • Suspected Dream Market kingpin arrested after gold bars sent to his home address - GRAHAM CLULEY
  • Jorge Rodriguez Linked to Neo-Nazi Group Active Club Bogota (2026-05-12, 1 outlet, severity 3/5)
    • Unearthing a Colombian Politician’s Connections to Neo-Nazi Active Club Group - bellingcat
  • DOJ Issues Legal Rationale for Nationwide Voter Data Collection (2026-05-14, 1 outlet, severity 3/5)
    • DOJ releases legal rationale for nationwide voter data collection - CyberScoop
  • GM to pay $12.75M for illegal driver data sales (2026-05-12, 1 outlet, severity 3/5)
    • GM agrees to $12.75M California settlement over sale of drivers’ data - BleepingComputer
  • Governor Polis Commutes Prison Sentence for Tina Peters (2026-05-16, 1 outlet, severity 3/5)
    • Colorado governor commutes prison sentence for election denier Tina Peters - CyberScoop
  • JDownloader Malware, ClickFix Mac Attacks, and Texas Netflix Lawsuit (2026-05-18, 1 outlet, severity 3/5)
    • A week in security (May 11 – May 17) - Malwarebytes
  • DOJ Declines Prosecution of Balt SAS Under New Corporate Enforcement Policy (2026-05-12, 1 outlet, severity 2/5)
    • Navigating Self-Reporting Under the DOJ’s New Corporate Enforcement Policy - Corporate Compliance Insights
    • Need for Speed: What DOJ’s New Approach to the CEP Means for Internal Investigations - Corporate Compliance Insights
  • DOJ FOCUS Initiative Seeks Data Miners for FCA Whistleblower Lawsuits (2026-05-14, 1 outlet, severity 2/5)
    • The DOJ Wants Strong FCA Whistleblower Lawsuits From Data Miners - Corporate Compliance Insights

Policy & Regulation

  • Texas Attorney General sues Netflix over unauthorized user data surveillance program (2026-05-12 to 2026-05-14, 2 outlets, severity 3/5)
    • Texas sues Netflix over alleged data practices that create ‘surveillance machinery’ without user consent - The Record from Recorded Future News
    • Texas sued Netflix over claims it secretly collected and sold users’ data - Malwarebytes
  • FTC to Enforce Take It Down Act Against Deepfake Content (2026-05-16, 1 outlet, severity 3/5)
    • Here’s how the FTC plans to enforce the Take It Down Act - CyberScoop
  • DOJ Enforcement Analysis Reveals Uncertainty in Timely Disclosure Standards (2026-05-13, 1 outlet, severity 3/5)
    • What the Enforcement Record Says About ‘Timely’ Disclosure - Corporate Compliance Insights
  • Global Regulators Target AI Risks and Basel III Reforms in 2026 (2026-05-15, 1 outlet, severity 3/5)
    • What Are Global Financial Regulators Prioritizing in 2026? - Corporate Compliance Insights
  • UK Proposes Computer Misuse Act Reforms to Protect Security Researchers (2026-05-14, 1 outlet, severity 3/5)
    • UK moves to shield security researchers in cybercrime law overhaul - The Record from Recorded Future News
  • G7 and EU Release Guidance for AI Software Bill of Materials (2026-05-13 to 2026-05-14, 2 outlets, severity 2/5)
    • Major world economies spell out key elements of AI ‘ingredients list’ - CyberScoop
    • G7 Countries Release AI SBOM Guidance - SecurityWeek
  • FCC Extends Deadline for Software Updates on Foreign-Made Routers and Drones (2026-05-12, 2 outlets, severity 2/5)
    • FCC pushes ban on security updates for foreign-made routers, drones to 2029 - The Record from Recorded Future News
    • FCC Softens Ban on Foreign-Made Routers - darkreading
  • South Korea Implements New Laws to Curb Election Deepfakes (2026-05-18, 1 outlet, severity 2/5)
    • Can Laws Stop Deepfakes? South Korea Aims to Find Out - darkreading
  • Frank Pallone Launches Inquiry Into Food Retailers' Surveillance Pricing (2026-05-13, 1 outlet, severity 2/5)
    • Congressman launches inquiry into how food retailers use surveillance pricing - The Record from Recorded Future News
  • Theodora Monye Urges Pre-Deployment AI Governance and Accountability Frameworks (2026-05-14, 1 outlet, severity 2/5)
    • The Time to Set Rules Around AI Use Is Before — Not After — You Deploy It Everywhere - Corporate Compliance Insights
  • European Commission Proposes New Law to Delay Teen Social Media Access (2026-05-14, 1 outlet, severity 2/5)
    • European Commission head pushes creation of new law delaying teens’ social media access - The Record from Recorded Future News
  • MirrorWeb, Arctera, and FinScan Launch New AI-Driven GRC Tools (2026-05-15, 1 outlet, severity 1/5)
    • GRC News Roundup: MirrorWeb, Arctera, FinScan & More - Corporate Compliance Insights

Other Cybersecurity

  • European Tech Firms Export Surveillance Tools to Human Rights Abusers (2026-05-13, 1 outlet, severity 3/5)
    • European countries are exporting surveillance tech to countries with poor human rights records, report says - The Record from Recorded Future News
  • Meta Introduces Incognito Chat While Removing Instagram End-to-End Encryption (2026-05-16, 1 outlet, severity 3/5)
    • Meta’s confusing new approach to chat privacy - Malwarebytes
  • Taiwan Bullet Trains Halted by Student Using Radio Technology (2026-05-15, 1 outlet, severity 3/5)
    • Taiwan Incident Highlights Cybersecurity Gaps in Rail Systems - darkreading
  • M23-Controlled Rubaya Mines Suffered Deadly Landslides, Bellingcat Investigation Finds (2026-05-12, 1 outlet, severity 2/5)
    • DRC’s Coltan Belt: Verifying Deadly Landslides At Mines Under M23 Control - bellingcat
  • Worldwide threat actors bypass static assessments through evolving modern risk landscapes (2026-05-14, 1 outlet, severity 2/5)
    • Checkbox Assessments Aren't Fit to Measure to Risk - darkreading
  • EY Report: CISOs Increasingly Managing Rising Physical Security Budgets (2026-05-15, 1 outlet, severity 2/5)
    • More money is going to physical security, but it’s often CISOs that oversee it: EY - Cybersecurity Dive - Latest News
  • Using Proxifier to Intercept TLS 1.3 Traffic from Windows EXEs (2026-05-13, 1 outlet, severity 2/5)
    • Proxying the Unproxyable? Sending EXE traffic to a Proxy, (Wed, May 13th) - SANS Internet Storm Center, InfoCON: green
  • iOS 26.5 Enables Encrypted RCS Messaging Between iPhone and Android (2026-05-12, 1 outlet, severity 2/5)
    • iOS 26.5 Brings Default End-to-End Encrypted RCS Messaging Between iPhone and Android - The Hacker News
  • Exaforce secures 125 million dollars to scale its agentic SOC platform (2026-05-13 to 2026-05-14, 2 outlets, severity 1/5)
    • Exaforce Raises $125 Million for Agentic SOC Platform - SecurityWeek
    • Exaforce Raises $125M for AI cybersecurity platform - Corporate Compliance Insights
  • 20 Leaders and Pioneers Who Shaped the Modern CISO Era (2026-05-12, 1 outlet, severity 1/5)
    • 20 Leaders Who Built the CISO Era: 2 Decades of Change - darkreading
  • No specific threat actor or target identified in intelligence updates (2026-05-13 to 2026-05-15, 1 outlet, severity 1/5)
    • ISC Stormcast For Wednesday, May 13th, 2026 https://isc.sans.edu/podcastdetail/9930, (Wed, May 13th) - SANS Internet Storm Center, InfoCON: green
    • ISC Stormcast For Friday, May 15th, 2026 https://isc.sans.edu/podcastdetail/9934, (Fri, May 15th) - SANS Internet Storm Center, InfoCON: green
  • Akamai to Acquire LayerX for $205 Million to Boost Security (2026-05-15, 1 outlet, severity 1/5)
    • Akamai to Acquire AI and Browser Security Firm LayerX for $205 Million - SecurityWeek
  • Prakash Kakarla identifies marketing compliance failures due to ineffective operational controls (2026-05-15, 1 outlet, severity 1/5)
    • Why Marketing Compliance Reviews Happen Too Late to Matter - Corporate Compliance Insights
    • Enterprise Vault Becomes Standalone Business in Cloud Software Group - Corporate Compliance Insights
  • Windows 11 Insider Preview Tests Adjustable Taskbar and Start Menu (2026-05-18, 1 outlet, severity 1/5)
    • Microsoft testing adjustable taskbar, Start menu in Windows 11 - BleepingComputer
  • Sean Plankey Appointed CEO of Defense Startup UFORCE (2026-05-18, 1 outlet, severity 1/5)
    • Former CISA nominee Sean Plankey named US CEO of defense startup - CyberScoop
  • LABScon25 Researchers Study Stock Volatility Following Cyber Breach Disclosures (2026-05-15, 1 outlet, severity 1/5)
    • LABScon25 Replay | Breach Alpha: Trading on Cyber Fallout - SentinelLabs
  • Optro Acquires Midship to Integrate AI-Native SOX Automation Software (2026-05-14, 1 outlet, severity 1/5)
    • Optro Acquires AI Auditing Platform Midship - Corporate Compliance Insights
  • Cybersecurity Experts Reflect on Two Decades of Dark Reading Columns (2026-05-15, 1 outlet, severity 1/5)
    • Cyber Pioneers Ponder Past as Prologue - darkreading
  • Proofpoint Launches 365 Total Protection and New MSP Business Unit (2026-05-13, 1 outlet, severity 1/5)
    • Proofpoint Launches Dedicated MSP Business Unit and Introduces 365 Total Protection for North America - Proofpoint News Feed
  • Friday Squid Blogging: Exploring the Bigfin Squid Security News (2026-05-16, 1 outlet, severity 1/5)
    • Friday Squid Blogging: Bigfin Squid - Schneier on Security
  • Potsdam and Nuremberg Conferences Lead Upcoming 2026 Speaking Schedule (2026-05-15, 1 outlet, severity 1/5)
    • Upcoming Speaking Engagements - Schneier on Security
  • Dark Reading Marks 20 Years of Cybersecurity Industry Leadership (2026-05-14, 1 outlet, severity 1/5)
    • Dark Reading Celebrates 20 Years as a Leading Authority on Cybersecurity, Highlighting the People, Events, Ideas, and Technologies Shaping the Modern Risk Landscape - darkreading
  • ISC Stormcast May 14: Daily Cybersecurity Threat Update (2026-05-14, 1 outlet, severity 1/5)
    • ISC Stormcast For Thursday, May 14th, 2026 https://isc.sans.edu/podcastdetail/9932, (Thu, May 14th) - SANS Internet Storm Center, InfoCON: green
  • ISC Stormcast May 12: Johannes Ullrich Reports Green Threat Level (2026-05-12, 1 outlet, severity 1/5)
    • ISC Stormcast For Tuesday, May 12th, 2026 https://isc.sans.edu/podcastdetail/9928, (Tue, May 12th) - SANS Internet Storm Center, InfoCON: green

Reported Data Breaches

Breaches reported via Have I Been Pwned this period.

  • ShinyHunters Conducted Data Theft and Extortion Against Abrigo and Instructure (2026-05-14)
  • Cushman & Wakefield Breach Compromises Over 310,000 User Accounts (2026-05-12)