Cybersecurity News Digester

May 25, 2026

Weekly Review, 2026-05-25

Covers 7 daily digests (2026-05-19 to 2026-05-25).

All summaries, analysis, and story clustering are done by an LLM. It may make mistakes and say incorrect things. Check the sources and support the actual journalists.

Top Stories

1. TeamPCP executes supply chain attacks targeting npm and PyPI using Shai-Hulud

9 outlets, 2026-05-19 to 2026-05-22 - severity 5/5

The threat actor TeamPCP ran a series of supply chain attacks against the npm and PyPI ecosystems using the Shai-Hulud malware family and its "Mini Shai-Hulud" worm variant. The chain involved a compromised Checkmarx Jenkins AST plugin used for credential harvesting and the hijacking of TanStack's GitHub Actions CI/CD pipeline, which let the attackers publish malicious packages carrying valid SLSA Build Level 3 provenance: the attestations were genuine because the project's own pipeline produced the packages, so provenance verification on its own would not have flagged them. The campaign expanded from initial targeting of the SAP developer ecosystem in late April 2026 to a coordinated wave on May 11, 2026 that published 84 malicious artifacts across 42 @tanstack packages. Beyond TanStack, the worm self-propagated to organizations and packages including GitHub, Grafana Labs, Nx, Bitwarden, Mistral AI, UiPath, and OpenSearch, spreading through poisoned VS Code extensions and malicious package forks. As of mid-May 2026, the source code for the Mini Shai-Hulud worm had been published to public GitHub repositories, and clones built from it were already circulating.

Sources

  • TeamPCP Supply Chain Campaign: Activity Through 2026-05-17, (Mon, May 18th) - SANS Internet Storm Center, InfoCON: green, 2026-05-18 (quality: 20/21)
  • Leaked Shai-Hulud malware fuels new npm infostealer campaign - BleepingComputer, 2026-05-18 (quality: 16/21)
  • Shai-Hulud Worm Clones Spread After Code Release - darkreading, 2026-05-18 (quality: 20/21)
  • Mini Shai-Hulud Pushes Malicious AntV npm Packages via Compromised Maintainer Account - The Hacker News, 2026-05-19 (quality: 11/21)
  • The npm Threat Landscape: Attack Surface and Mitigations (Updated May 20) - Unit 42, 2026-05-20 (quality: 17/21)
  • GitHub links repo breach to TanStack npm supply-chain attack - BleepingComputer, 2026-05-21 (quality: 20/21)
  • Grafana breach caused by missed token rotation after TanStack attack - BleepingComputer, 2026-05-20 (quality: 18/21)
  • GitHub says internal repositories were impacted in poisoned VS Code extension attack - CyberScoop, 2026-05-20 (quality: 20/21)
  • Compromised coding tool helped hackers breach thousands of GitHub repositories - Cybersecurity Dive - Latest News, 2026-05-20 (quality: 10/21)
  • GitHub Internal Repositories Breached via Malicious Nx Console VS Code Extension - The Hacker News, 2026-05-21 (quality: 13/21)
  • GitHub Confirms Breach, 4K Internal Repos Stolen - darkreading, 2026-05-20 (quality: 10/21)
  • GitHub confirms breach of 3,800 repos via malicious VSCode extension - BleepingComputer, 2026-05-20 (quality: 19/21)
  • GitHub investigates internal repositories breach claimed by TeamPCP - BleepingComputer, 2026-05-20 (quality: 18/21)
  • GitHub confirms being hacked by TeamPCP, says customer data unaffected - The Record from Recorded Future News, 2026-05-20 (quality: 18/21)
  • GitHub Confirms Hack Impacting 3,800 Internal Repositories - SecurityWeek, 2026-05-20 (quality: 19/21)
  • GitHub Breached — Employee Device Hack Led to Exfiltration of 3,800+ Internal Repos - The Hacker News, 2026-05-20 (quality: 20/21)
  • Grafana Labs links GitHub environment breach to TanStack npm supply chain attack - Cybersecurity Dive - Latest News, 2026-05-21 (quality: 20/21)
  • Grafana Says Codebase and Other Data Stolen via TanStack Supply Chain Attack - SecurityWeek, 2026-05-22 (quality: 18/21)
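Provenance is only as trustworthy as the pipeline that produced it, which is the lesson of the TanStack hijack above. The check below is an added example written for this digest, not npm's, TanStack's, or any cited outlet's code. It applies a policy to a SLSA v1 provenance statement whose signature has already been verified (for npm packages, `npm audit signatures` does that step; it is not shown here), so that a package built by the expected builder but from an unexpected ref or commit is rejected. The package name, repository, workflow path, commits, digests and the two statements are all constructed.

```python
"""Policy check over a SLSA v1 provenance statement (added example, constructed data)."""
import json

STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
SLSA_PREDICATE = "https://slsa.dev/provenance/v1"

# Constructed policy describing what a legitimate release of a hypothetical
# package must look like. Every value here is an assumption for the example.
POLICY = {
    "package": "pkg:npm/%40example/widget@1.2.3",
    "sha512": "ab" * 64,
    "builder_id": "https://github.com/actions/runner/github-hosted",
    "repository": "https://github.com/example-org/widget",
    "workflow_path": ".github/workflows/release.yml",
    "allowed_refs": {"refs/tags/v1.2.3"},
    "reviewed_commits": {"c1" * 20},  # commits a human has actually reviewed
}


def check_provenance(statement_json: str, policy: dict) -> list[str]:
    """Return policy violations for one in-toto statement; [] means acceptable."""
    st = json.loads(statement_json)
    problems = []
    if st.get("_type") != STATEMENT_TYPE:
        problems.append(f"unexpected statement type {st.get('_type')!r}")
    if st.get("predicateType") != SLSA_PREDICATE:
        problems.append(f"unexpected predicate type {st.get('predicateType')!r}")

    # The subject binds the statement to one artifact digest; anything else is
    # a valid attestation for some other file.
    subjects = {(s.get("name"), s.get("digest", {}).get("sha512")) for s in st.get("subject", [])}
    if (policy["package"], policy["sha512"]) not in subjects:
        problems.append("subject does not match the artifact being installed")

    pred = st.get("predicate", {})
    builder = pred.get("runDetails", {}).get("builder", {}).get("id")
    if builder != policy["builder_id"]:
        problems.append(f"unexpected builder {builder!r}")

    # externalParameters.workflow is where the GitHub Actions build type records
    # which repository, workflow file and ref produced the artifact.
    build_def = pred.get("buildDefinition", {})
    wf = build_def.get("externalParameters", {}).get("workflow", {})
    if wf.get("repository") != policy["repository"]:
        problems.append(f"built from repository {wf.get('repository')!r}")
    if wf.get("path") != policy["workflow_path"]:
        problems.append(f"built by workflow {wf.get('path')!r}")
    if wf.get("ref") not in policy["allowed_refs"]:
        problems.append(f"built from ref {wf.get('ref')!r}")

    # resolvedDependencies records the source commit the runner checked out.
    commits = {
        d.get("digest", {}).get("gitCommit")
        for d in build_def.get("resolvedDependencies", [])
        if d.get("uri", "").startswith("git+")
    }
    if not commits & policy["reviewed_commits"]:
        problems.append(f"source commit(s) {sorted(c for c in commits if c)} not reviewed")
    return problems


def make_statement(ref: str, commit: str) -> str:
    """Build a constructed SLSA v1 statement for the policy's package."""
    return json.dumps({
        "_type": STATEMENT_TYPE,
        "subject": [{"name": POLICY["package"], "digest": {"sha512": POLICY["sha512"]}}],
        "predicateType": SLSA_PREDICATE,
        "predicate": {
            "buildDefinition": {
                "buildType": "https://actions.github.io/buildtypes/workflow/v1",
                "externalParameters": {"workflow": {
                    "ref": ref, "repository": POLICY["repository"], "path": POLICY["workflow_path"]}},
                "resolvedDependencies": [{
                    "uri": f"git+{POLICY['repository']}@{ref}", "digest": {"gitCommit": commit}}],
            },
            "runDetails": {"builder": {"id": POLICY["builder_id"]}},
        },
    })


# A release from the reviewed commit passes. A build the attacker triggered from
# a branch they pushed has the same builder and repository, so it would pass a
# builder-only check, but it fails on ref and commit.
GOOD_STATEMENT = make_statement("refs/tags/v1.2.3", "c1" * 20)
HIJACKED_STATEMENT = make_statement("refs/heads/release-hotfix", "d4" * 20)

if __name__ == "__main__":
    print("good:", check_provenance(GOOD_STATEMENT, POLICY))
    print("hijacked:", check_provenance(HIJACKED_STATEMENT, POLICY))
```

The reviewed-commit list is the part that costs effort to maintain, and it is also the only part of the policy an attacker who controls the pipeline cannot satisfy by running the real workflow; a policy that stops at "built on GitHub-hosted runners from the right repository" is exactly what the TanStack attestations would have passed.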

2. Fox Tempest used Microsoft Artifact Signing to compromise global networks and sectors

7 outlets, 2026-05-20 to 2026-05-21 - severity 4/5

The threat actor Fox Tempest operated a malware-signing-as-a-service (MSaaS) operation that abused Microsoft Artifact Signing to obtain fraudulently issued, short-lived (72-hour) code-signing certificates. Cybercriminals used these certificates to sign malicious binaries, allowing ransomware and infostealer payloads to masquerade as legitimate software such as AnyDesk, Microsoft Teams, PuTTY, and Webex. The operation compromised thousands of machines and networks globally, affecting the healthcare, education, government, and financial services sectors. Microsoft's Digital Crimes Unit and Microsoft Threat Intelligence, supported by Resecurity, disrupted the operation by revoking over 1,000 certificates and going after the underlying infrastructure, including the unsealing of a legal case in the U.S. District Court for the Southern District of New York.

Sources

  • Exposing Fox Tempest: A malware-signing service operation - Threat intelligence | Microsoft Security Blog, 2026-05-19 (quality: 20/21)
  • Cybercrime service disrupted for abusing Microsoft platform to sign malware - BleepingComputer, 2026-05-19 (quality: 20/21)
  • Microsoft disrupts cybercrime service that abused software verification systems en masse - CyberScoop, 2026-05-19 (quality: 20/21)
  • Microsoft disrupts Fox Tempest malware-signing-as-a-service platform tied to ransomware gangs - The Record from Recorded Future News, 2026-05-19 (quality: 20/21)
  • Microsoft Disrupts Malware-Signing Service Run by ‘Fox Tempest’ - SecurityWeek, 2026-05-19 (quality: 19/21)
  • Fake malware-signing service Fox Tempest dismantled by Microsoft - Malwarebytes, 2026-05-20 (quality: 12/21)
  • Microsoft Takes Down Malware-Signing Service Behind Ransomware Attacks - The Hacker News, 2026-05-20 (quality: 14/21)

3. CISA contractor GitHub repository exposed sensitive credentials and AWS GovCloud keys

5 outlets, 2026-05-19 to 2026-05-23 - severity 4/5

A contractor for the Cybersecurity & Infrastructure Security Agency (CISA) maintained a public GitHub repository named "Private-CISA" that exposed plaintext credentials, cloud keys, tokens, and logs for numerous internal CISA systems and for highly privileged Amazon Web Services (AWS) GovCloud accounts. The repository, active from November 2025 until its removal in May 2026, contained files such as "AWS-Workspace-Firefox-Passwords.csv" and details of CISA's internal software build, test, and deployment processes. The exposure included administrative access to three AWS GovCloud servers and credentials for CISA's internal artifactory. Following discovery by security researchers at GitGuardian, CISA removed the repository, though some AWS keys remained valid for roughly 48 hours after the account went offline, and an RSA private key that had not been rotated was identified and invalidated later still. Taking a public repository down revokes nothing that was in it; every credential it held has to be treated as compromised and rotated. In response to the leak, U.S. Senators and Representatives, including Maggie Hassan, Bennie Thompson, and Delia Ramirez, sent formal inquiries to CISA Acting Director Nick Andersen demanding briefings on the incident.

Sources

  • CISA Admin Leaked AWS GovCloud Keys on Github - Krebs on Security, 2026-05-18 (quality: 20/21)
  • CISA credential leak raises alarms, and Capitol Hill demands answers - CyberScoop, 2026-05-19 (quality: 18/21)
  • Senator presses CISA for answers about alleged GitHub repository leak - The Record from Recorded Future News, 2026-05-20 (quality: 18/21)
  • CISA Exposes Secrets, Credentials in 'Private' Repo - darkreading, 2026-05-19 (quality: 10/21)
  • CISA Security Leak - Schneier on Security, 2026-05-22 (quality: 10/21)
  • Lawmakers Demand Answers as CISA Tries to Contain Data Leak - Krebs on Security, 2026-05-22 (quality: 20/21)
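The files named in the story (a password CSV, AWS keys, an RSA private key) are the classic shapes a secret scanner looks for, and also show where pattern matching stops. The scanner below is an added example written for this digest, not GitGuardian's or CISA's tooling. The sample "repository" is constructed in memory; the AWS key pair in it is the documentation example pair AWS publishes for exactly this purpose, and everything else is made up.

```python
"""Scan files for credential material of the kinds named in the CISA story (added example)."""
import re
from dataclasses import dataclass

# Lookarounds stop a key ID embedded in a longer token from matching. AKIA and
# ASIA are kept apart because they need different clean-up: AKIA is a long-term
# IAM user key that must be deleted in IAM, ASIA is a temporary STS key that
# expires on its own but points at a role or session worth investigating.
PATTERNS = {
    "aws_access_key_longterm": re.compile(r"(?<![A-Z0-9])AKIA[A-Z0-9]{16}(?![A-Z0-9])"),
    "aws_access_key_temporary": re.compile(r"(?<![A-Z0-9])ASIA[A-Z0-9]{16}(?![A-Z0-9])"),
    "aws_secret_key_assignment": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
}


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    redacted: str  # enough to recognise the credential, not enough to use it


def redact(secret: str) -> str:
    return secret[:4] + "..." + secret[-4:] if len(secret) > 12 else "***"


def scan_text(path: str, text: str) -> list[Finding]:
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                secret = match.group(1) if match.groups() else match.group(0)
                findings.append(Finding(path, lineno, kind, redact(secret)))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan an in-memory {path: contents} map. For a real repository, feed it a
    walk over the checkout and the output of `git log -p`, because a secret that
    was deleted from the working tree is still in history."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample repository (file names echo the story; contents are fabricated).
SAMPLE_FILES = {
    "AWS-Workspace-Firefox-Passwords.csv": "url,username,password\nhttps://intranet.example/,jdoe,hunter2\n",
    "deploy.env": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
        "AWS_ACCESS_KEY_ID_STS=ASIAEXAMPLE000000000\n"
        "GITHUB_TOKEN=ghp_" + "x" * 36 + "\n"
    ),
    "id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIE(constructed, not a real key)\n-----END RSA PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line} {f.kind} {f.redacted}")
```

Note what the scanner does not find: the browser-export CSV produces no hits, because a saved password has no recognisable shape. That file is still a rotation job for every account listed in it, which is why an exposure review has to start from the inventory of what was in the repository, not from the scanner's output alone.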

4. Jacob Butler used Kimwolf botnet to launch DDoS attacks against DoD

6 outlets, 2026-05-22 to 2026-05-23 - severity 4/5

Jacob Butler, also known as "Dort," allegedly operated the Kimwolf botnet as a DDoS-for-hire service that infected between one and two million devices, including Android-based streaming TV boxes, web cameras, and digital photo frames. The botnet exploited weaknesses in residential proxy networks to launch large-scale distributed denial-of-service attacks, some peaking near 30 terabits per second, and issued over 25,000 attack commands. Targets included the Department of Defense Information Network, and some victims suffered financial losses exceeding one million dollars. In March 2026, law enforcement agencies from the United States, Canada, and Germany seized the technical infrastructure of Kimwolf and several related botnets, including Aisuru, JackSkid, and Mossad. Following the unsealing of a criminal complaint in a U.S. district court in Alaska, Canadian authorities arrested Butler in Ottawa in May 2026 pursuant to a U.S. extradition warrant.

Sources

  • Alleged Kimwolf Botmaster ‘Dort’ Arrested, Charged in U.S. and Canada - Krebs on Security, 2026-05-21 (quality: 20/21)
  • US and Canada arrest and charge suspected Kimwolf botnet admin - BleepingComputer, 2026-05-22 (quality: 20/21)
  • Alleged leader of Kimwolf, a sweeping botnet for cybercriminals, arrested in Canada - CyberScoop, 2026-05-21 (quality: 20/21)
  • Canadian Man Arrested for Operating Kimwolf Botnet - SecurityWeek, 2026-05-22 (quality: 19/21)
  • Kimwolf DDoS Botnet Operator Arrested in Canada Over DDoS-for-Hire Attacks - The Hacker News, 2026-05-22 (quality: 19/21)
  • Canadian man arrested, charged for running KimWolf DDos botnet - The Record from Recorded Future News, 2026-05-22 (quality: 20/21)

5. Huawei router zero-day vulnerability caused nationwide POST Luxembourg telecommunications outage

1 outlet, 2026-05-20 - severity 5/5

A previously unknown vulnerability in Huawei enterprise router software caused a nationwide telecommunications outage in Luxembourg on July 23, 2025. The attack used specially crafted network traffic to put the routers into a continuous restart loop, disrupting POST Luxembourg's landline, 4G, and 5G mobile networks for over three hours. The outage affected emergency services and potentially hundreds of thousands of residents, though investigators found no evidence that the provider was specifically targeted. The vulnerability has no CVE identifier and was not listed in any public vulnerability database at the time of the incident.

Sources

  • Huawei zero-day attack behind last year’s crash of Luxembourg's entire telecoms network - The Record from Recorded Future News, 2026-05-19 (quality: 20/21)

6. Attackers compromised Laravel-Lang PHP ecosystem via malicious Git tag rewrites

2 outlets, 2026-05-23 to 2026-05-25 - severity 4/5

Attackers compromised the Laravel-Lang PHP ecosystem by rewriting Git tags to point at malicious commits in an attacker-controlled fork, affecting over 700 historical versions of the laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and laravel-lang/actions packages. The attack, which took place between May 22 and May 23, 2026, used a malicious src/helpers.php file to fingerprint the host and contact the command-and-control domain flipboxstudio[.]info for a PHP-based credential-stealing payload. The malware ran on Windows, Linux, and macOS and harvested AWS, GCP, and Azure cloud credentials, SSH private keys, Docker and Kubernetes configurations, and browser-based authentication tokens. Because the file was registered in the package's composer.json under the autoload "files" list, which Composer's autoloader requires unconditionally rather than on first use of a class, the backdoor ran during every PHP request handled by an affected application. Researchers from Socket, StepSecurity, and Aikido Security characterised the incident as a compromise of the release process, potentially involving unauthorized access to organization-level credentials or repository automation. Since existing tags were repointed rather than new versions published, the version number on its own gave no signal; what changed was the commit each tag resolved to.

Sources

  • Laravel-Lang PHP Packages Compromised to Deliver Cross-Platform Credential Stealer - The Hacker News, 2026-05-23 (quality: 20/21)
  • Laravel-Lang Packages Poisoned for Malware Delivery - SecurityWeek, 2026-05-25 (quality: 20/21)

Under the Radar

High-severity stories that received limited coverage this period.

Threat actors exploit Ghost CMS vulnerability to target Harvard and Oxford

2 outlets, 2026-05-25 - severity 4/5

Threat actors are exploiting a critical SQL injection vulnerability (CVE-2026-26980) in Ghost CMS versions 3.24.0 through 6.19.0 to inject malicious JavaScript into over 700 websites, including domains belonging to Harvard University, Oxford University, and DuckDuckGo. The injection is used to steal admin API keys, which then let the attackers plant cloaking scripts that fingerprint visitors and present fake Cloudflare or CAPTCHA prompts; these trick users into running commands that drop payloads such as DLL loaders or the UtilifySetup.exe malware. This ClickFix campaign has hit fintech, media, and AI/SaaS organizations, and researchers have observed actors re-infecting cleaned domains or replacing existing malicious scripts. The vulnerability carries a CVSS score of 9.4; remediation requires upgrading to Ghost CMS 6.19.1 and rotating all potentially exposed credentials, because the upgrade alone does not invalidate API keys that were already stolen.

Why it matters: Confirmed widespread exploitation of a critical vulnerability affecting over 700 websites, including high-profile academic and technology organizations.

Sources

  • Ghost CMS SQL injection flaw exploited in large-scale ClickFix campaign - BleepingComputer, 2026-05-24 (quality: 19/21)
  • Ghost CMS CVE-2026-26980 Exploited to Hijack 700+ Sites for ClickFix Attacks - The Hacker News, 2026-05-25 (quality: 19/21)

build-bot injected malicious commits into GitHub repositories during Megalodon attack

1 outlet, 2026-05-25 - severity 4/5

The "Megalodon" supply chain attack injected over 5,700 malicious commits into more than 5,500 GitHub repositories during a six-hour window on May 18, 2026. The threat actor, committing under the identity 'build-bot', altered GitHub Actions workflows to create dormant backdoors and to deploy payloads that exfiltrate AWS, GCP, and Azure credentials, SSH keys, and CI/CD tokens. The attack extended to the npm registry between May 19 and May 21, when malicious versions of the Tiledesk package were published from a compromised GitHub repository. Researchers noted that this npm compromise originated in the GitHub repository rather than through direct hijacking of npm accounts.

Why it matters: Confirmed widespread supply chain exploitation involving thousands of repositories to steal critical cloud credentials and secrets via malicious GitHub Actions.

Sources

  • Over 5,500 GitHub Repositories Infected in ‘Megalodon’ Supply Chain Attack - SecurityWeek, 2026-05-25 (quality: 20/21)
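Commits from an unfamiliar identity that edit `.github/workflows/` are the artifact this attack leaves in every affected repository, and they are cheap to audit from `git log`. The script below is an added example written for this digest, not the researchers' or SecurityWeek's tooling. It parses the output of `git log --format='%H%x09%an%x09%ae%x09%aI%x09%G?' --name-only` (the `%G?` placeholder is git's signature status for the commit) and flags workflow edits whose author is not on an allowlist or whose commit is not signed with a good signature. The log, the trusted address and the bot email are constructed; only the 'build-bot' name comes from the story.

```python
"""Flag workflow-touching commits not made by a trusted, signing identity (added example).

Parses `git log --format='%H%x09%an%x09%ae%x09%aI%x09%G?' --name-only`, where %G?
is git's signature status: G = good signature, N = no signature, and
B/X/Y/R/E = bad, expired, expired key, revoked key, cannot check."""
import re
from dataclasses import dataclass, field
from datetime import datetime

HEADER = re.compile(r"^([0-9a-f]{40})\t([^\t]*)\t([^\t]*)\t(\S+)\t([A-Z])$")
WORKFLOW_DIR = ".github/workflows/"


@dataclass
class Commit:
    sha: str
    author: str
    email: str
    when: datetime
    sig: str
    files: list[str] = field(default_factory=list)


def parse_log(text: str) -> list[Commit]:
    """A header line starts a commit; every following non-blank line until the
    next header is a path printed by --name-only."""
    commits: list[Commit] = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            sha, author, email, when, sig = m.groups()
            commits.append(Commit(sha, author, email, datetime.fromisoformat(when), sig))
        elif line.strip() and commits:
            commits[-1].files.append(line.strip())
    return commits


def suspicious_workflow_commits(commits: list[Commit], trusted_emails: set[str]) -> list[tuple[Commit, list[str]]]:
    """Return (commit, reasons) for workflow-touching commits whose author is not
    both trusted and verified. The author field in git is free text, so an
    allowlisted email only means something together with a good signature."""
    flagged = []
    for c in commits:
        if not any(f.startswith(WORKFLOW_DIR) for f in c.files):
            continue
        reasons = []
        if c.email not in trusted_emails:
            reasons.append(f"author {c.author} <{c.email}> is not a trusted workflow editor")
        if c.sig != "G":
            reasons.append(f"signature status {c.sig!r} (workflow edits must carry a good signature)")
        if reasons:
            flagged.append((c, reasons))
    return flagged


# Constructed log: the bot identity mirrors the one named in the story; the
# hashes, addresses, paths and timestamps are made up.
S1, S2, S3 = "1a" * 20, "2b" * 20, "3c" * 20
SAMPLE_LOG = "\n".join([
    f"{S1}\tAlice Example\talice@example.org\t2026-05-17T09:12:00+00:00\tG",
    "", "src/app.js", "",
    f"{S2}\tbuild-bot\tbuild-bot@users.noreply.github.com\t2026-05-18T14:03:11+00:00\tN",
    "", ".github/workflows/ci.yml", "package.json", "",
    f"{S3}\tAlice Example\talice@example.org\t2026-05-18T16:40:00+00:00\tG",
    "", ".github/workflows/ci.yml", "",
])
TRUSTED = {"alice@example.org"}

if __name__ == "__main__":
    for commit, reasons in suspicious_workflow_commits(parse_log(SAMPLE_LOG), TRUSTED):
        print(commit.sha[:12], commit.when.isoformat(), "; ".join(reasons))
```

Run this across every repository an organization owns, not just the ones that publish packages: the story's point is that the commits were the initial foothold and the npm publication came later from a repository that had already been altered.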

Lazarus Group deploys RemotePE RAT to target financial and cryptocurrency organizations

1 outlet, 2026-05-25 - severity 4/5

The North Korea-linked Lazarus Group deployed a cross-platform, memory-only remote access trojan (RAT) called RemotePE against financial and cryptocurrency organizations, including a decentralized finance (DeFi) entity. The attack chain begins with social engineering on Telegram, where the actors use fraudulent scheduling domains to initiate contact before deploying DPAPILoader. The loader uses the Windows Data Protection API (DPAPI) to decrypt and execute the RemotePE payload entirely in memory, a technique designed to evade endpoint detection and response (EDR) systems and to leave no filesystem artifacts; because DPAPI blobs can only be decrypted under the user or machine context that created them, a payload recovered from one host is also harder to analyse elsewhere. The malware can manage processes, modify its command-and-control configuration, and securely delete files by overwriting their contents seven times.

Why it matters: Confirmed use of a new, sophisticated malware family by a known APT to target the financial and cryptocurrency sectors.

Sources

  • Lazarus Deploys RemotePE Memory-Only RAT Against Financial and Crypto Firms - The Hacker News, 2026-05-25 (quality: 20/21)

Attackers hijacked Laravel Lang repositories to distribute DebugElevator credential-stealing malware

1 outlet, 2026-05-24 - severity 4/5

Attackers hijacked four Laravel Lang repositories by rewriting GitHub tags to point to malicious commits in attacker-controlled forks, distributing the DebugElevator credential-stealing malware via Composer packages. The attack chain utilized a malicious src/helpers.php file to download a second-stage PHP payload from flipboxstudio[.]info, which then executed processes to extract browser encryption keys and sensitive data such as AWS keys, GitHub tokens, and SSH private keys across Linux, macOS, and Windows. The compromise affected hundreds of package versions, including laravel-lang/lang, laravel-lang/http-statuses, and laravel-lang/attributes. Packagist has since removed the malicious versions and temporarily unlisted the affected packages to mitigate further distribution.

Why it matters: Confirmed widespread supply chain exploitation via hijacked packages distributing malware designed to steal critical cloud, CI/CD, and developer credentials.

Sources

  • Laravel Lang packages hijacked to deploy credential-stealing malware - BleepingComputer, 2026-05-23 (quality: 20/21)
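Both Laravel-Lang write-ups above (Top Story 6 and this entry) describe the same mechanism: existing release tags were moved to attacker-controlled commits, and the payload was wired into composer.json's autoload "files" list. The script below is an added example written for this digest, not Socket's, StepSecurity's, Aikido's or Packagist's tooling. It diffs two snapshots of `git ls-remote --tags <url>` output to find tags that now resolve to a different commit, compares the `source.reference` recorded in composer.lock against the commit each version had when it was reviewed, and lists the files a package loads unconditionally. The package names come from the advisories; every hash, version number, URL and the composer files themselves are constructed.

```python
"""Detect moved git tags, composer.lock reference drift and unconditional autoloads (added example)."""
import json
import re

# One line of `git ls-remote --tags <url>`: "<sha><TAB>refs/tags/<name>[^{}]".
LS_REMOTE_LINE = re.compile(r"^([0-9a-f]{40})\s+refs/tags/(\S+?)(\^\{\})?$")


def parse_ls_remote(text: str) -> dict[str, str]:
    """Map tag name -> commit. An annotated tag appears twice, as the tag object
    and as a peeled `^{}` line giving the commit it points at; the peeled value wins."""
    tag_objects, peeled = {}, {}
    for line in text.splitlines():
        m = LS_REMOTE_LINE.match(line.strip())
        if not m:
            continue
        sha, name, is_peeled = m.groups()
        (peeled if is_peeled else tag_objects)[name] = sha
    return {**tag_objects, **peeled}


def moved_tags(before: dict[str, str], after: dict[str, str]) -> list[tuple[str, str, str]]:
    """Tags present in both snapshots that now resolve to a different commit.
    A release tag should never do this; new or deleted tags are ordinary."""
    return sorted((t, before[t], after[t]) for t in before if t in after and before[t] != after[t])


def lock_drift(lock_json: str, reviewed: dict[str, dict[str, str]]) -> list[str]:
    """Compare each package's `source.reference` in composer.lock with the commit
    its version resolved to when it was reviewed (reviewed[name][version])."""
    problems = []
    for pkg in json.loads(lock_json).get("packages", []):
        name, version = pkg["name"], pkg["version"]
        ref = pkg.get("source", {}).get("reference") or "?"
        expected = reviewed.get(name, {}).get(version)
        if expected is None:
            problems.append(f"{name} {version}: no reviewed commit on record")
        elif ref != expected:
            problems.append(f"{name} {version}: lock reference {ref[:12]} differs from reviewed {expected[:12]}")
    return problems


def unconditional_autoload(composer_json: str) -> list[str]:
    """Files under autoload.files are required by Composer's autoloader on every
    request, not lazily when a class is first used, so they merit their own review."""
    return list(json.loads(composer_json).get("autoload", {}).get("files", []))


# Constructed snapshots, lock file and composer.json: package names come from
# the advisories, every hash, version number and URL is made up.
A, B, C, D = "a1" * 20, "b2" * 20, "c3" * 20, "d4" * 20
BEFORE = "\n".join([
    f"{A}\trefs/tags/v15.0.0",       # annotated tag object ...
    f"{B}\trefs/tags/v15.0.0^{{}}",  # ... peeled to the commit it tags
    f"{C}\trefs/tags/v15.0.1",       # lightweight tag
])
AFTER = "\n".join([
    f"{A}\trefs/tags/v15.0.0",
    f"{B}\trefs/tags/v15.0.0^{{}}",
    f"{D}\trefs/tags/v15.0.1",       # same name, now a different commit
])
LOCK = json.dumps({"packages": [
    {"name": "laravel-lang/lang", "version": "15.0.1",
     "source": {"type": "git", "url": "https://git.example/laravel-lang/lang.git", "reference": D}},
    {"name": "laravel-lang/attributes", "version": "2.9.0",
     "source": {"type": "git", "url": "https://git.example/laravel-lang/attributes.git", "reference": "e5" * 20}},
]})
REVIEWED = {"laravel-lang/lang": {"15.0.1": C}, "laravel-lang/attributes": {"2.9.0": "e5" * 20}}
COMPOSER_JSON = json.dumps({"autoload": {"psr-4": {"Example\\": "src/"}, "files": ["src/helpers.php"]}})

if __name__ == "__main__":
    print("moved tags:", moved_tags(parse_ls_remote(BEFORE), parse_ls_remote(AFTER)))
    print("lock drift:", lock_drift(LOCK, REVIEWED))
    print("autoload.files:", unconditional_autoload(COMPOSER_JSON))
```

The tag snapshot has to be taken before the incident to be useful, which argues for recording `ls-remote` output (or the `source.reference` from a reviewed composer.lock) as part of the dependency review and comparing against it on every update. Pinning to a version string gives no protection against this class of attack; pinning to a commit does.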

All Stories by Category

Vulnerabilities & Patches

  • CVE-2024-12802 Patch Bypass Enables SonicWall SSL-VPN Exploitation (2026-05-20, 1 outlet, severity 4/5)
    • Patch bypass allows hackers to exploit prior flaw in SonicWall SSL-VPN - Cybersecurity Dive - Latest News
  • Exchange Zero-Day, npm Worm, and Cisco Exploits Highlight Weekly Threats (2026-05-19, 1 outlet, severity 4/5)
    • ⚡ Weekly Recap: Exchange 0-Day, npm Worm, Fake AI Repo, Cisco Exploit and More - The Hacker News
  • Threat actors use vulnerability exploitation as primary initial access vector (2026-05-20, 3 outlets, severity 3/5)
    • Attackers hit vulnerabilities hard last year, making exploits the top entry point for breaches - CyberScoop
    • Verizon DBIR 2026: Vulnerability Exploitation Overtakes Credential Theft as Top Breach Vector - SecurityWeek
    • Verizon DBIR: Enterprises Face a Dangerous Vulnerability Glut - darkreading
  • Underminr Exploit Enables Brand Hijacking via DNS and CDN Discrepancies (2026-05-22, 1 outlet, severity 3/5)
    • Content Delivery Exploit Opens Websites to Brand Hijacking - darkreading
  • Claude Mythos Finds 23,000 Potential Vulnerabilities in Open Source Projects (2026-05-25, 1 outlet, severity 3/5)
    • Anthropic: Mythos Detected 23,000 Potential Vulnerabilities Across 1,000 OSS Projects - SecurityWeek
  • Microsoft Critical Vulnerabilities Double in 2026 Security Report (2026-05-20, 1 outlet, severity 3/5)
    • Critical Microsoft Vulnerabilities Doubled: From Exposure to Escalation - BleepingComputer
  • CISA Implements New Nomination Form to Streamline Known Exploited Vulnerabilities Reporting (2026-05-22 to 2026-05-23, 2 outlets, severity 2/5)
    • CISA to allow researchers to report vulnerabilities to exploited bugs catalog - The Record from Recorded Future News
    • CISA asks cybersecurity community to alert it to vulnerability exploitation - Cybersecurity Dive - Latest News
  • High-speed train hacks and robot lawnmower vulnerabilities discussed (2026-05-21, 1 outlet, severity 2/5)
    • Smashing Security podcast #468: High-speed train hacks and homicidal lawnmowers - GRAHAM CLULEY
  • Google Chrome Vulnerability Spikes Amid Rise in AI-Driven Discoveries (2026-05-21, 1 outlet, severity 1/5)
    • Google’s Surge in Chrome Vulnerability Discoveries Likely Driven by AI - SecurityWeek

Data Breaches

  • NYC Health and Hospitals, Erie, and Florida breaches impact millions (2026-05-19, 1 outlet, severity 4/5)
    • Millions Impacted Across Several US Healthcare Data Breaches - SecurityWeek
  • Vodafone Leak and THORChain Theft Highlight Weekly Cyber Threats (2026-05-19, 1 outlet, severity 4/5)
    • 18th May – Threat Intelligence Report - Check Point Research
  • NYC Health + Hospitals Breach Exposes 1.8 Million Sensitive Records (2026-05-20, 1 outlet, severity 4/5)
    • Biometrics, diagnoses, and bank details exposed in major healthcare breach - Malwarebytes
  • ShinyHunters Claims Responsibility for Charter Communications and DentaQuest Breaches (2026-05-24, 1 outlet, severity 4/5)
    • Weekly Update 505 - Troy Hunt
  • Unimed breach exposes patient and billing data from German hospitals (2026-05-22, 1 outlet, severity 3/5)
    • Hackers steal patient and billing data from German hospitals via third-party provider - The Record from Recorded Future News
  • ShinyHunters stole 7-Eleven franchisee documents and sensitive personal information (2026-05-21, 2 outlets, severity 3/5)
    • 7-Eleven hit by data breach - Cybersecurity Dive - Latest News
    • 7-Eleven confirms breach after ShinyHunters claims - The Record from Recorded Future News
  • Radiology Associates of Richmond Breach Exposes 266,000 Patients' Private Data (2026-05-25, 1 outlet, severity 3/5)
    • 266,000 Affected by Data Breach at Radiology Associates of Richmond - SecurityWeek
  • B1ack’s Stash Leaks 4.6 Million Stolen Credit Cards for Free (2026-05-19, 1 outlet, severity 3/5)
    • B1ack’s Stash Marketplace Gives Away 4.6 Million Stolen Credit Cards - SecurityWeek
  • ShinyHunters hacking group targets major institutions and retailers. (2026-05-20, 1 outlet, severity 3/5)
    • FBI warns students and staff that ShinyHunters may come knocking after Canvas breach - GRAHAM CLULEY
  • DocketWise Data Breach Exposes Personal Info of 143,000 Individuals (2026-05-25, 1 outlet, severity 3/5)
    • DocketWise Data Breach Impacts 143,000 - SecurityWeek
  • Processes and Culture Drive Most Recent Data Breaches (2026-05-21, 1 outlet, severity 2/5)
    • Processes and Culture Top Reasons Behind Data Breaches - darkreading

Supply Chain Attacks

  • Nx Console Extension Compromise Steals Developer Credentials via Malicious Payload (2026-05-19, 1 outlet, severity 4/5)
    • Compromised Nx Console 18.95.0 Targeted VS Code Developers with Credential Stealer - The Hacker News
  • TrapDoor Attack Uses Malicious Packages to Steal Developer Credentials (2026-05-25, 1 outlet, severity 3/5)
    • TrapDoor Supply Chain Attack Spreads Credential-Stealing Malware via npm, PyPI, and CratesIO - The Hacker News
  • TamperedChef Clusters Distribute Malicious Software via Trojanized Productivity Apps (2026-05-20, 1 outlet, severity 3/5)
    • Tracking TamperedChef Clusters via Certificate and Code Reuse - Unit 42
  • Packagist Supply Chain Attack Uses gvfsd-network Malware to Infect Packages (2026-05-24, 1 outlet, severity 3/5)
    • Packagist Supply Chain Attack Infects 8 Packages Using GitHub-Hosted Linux Malware - The Hacker News
  • Oncology Institute Patient Data Compromised in Third-Party Vendor Breach (2026-05-25, 1 outlet, severity 3/5)
    • Oncology Institute Discloses Data Breach - SecurityWeek
  • Grafana Labs GitHub Breach Exposes Source Code via npm Attack (2026-05-20, 1 outlet, severity 3/5)
    • Grafana GitHub Breach Exposes Source Code via TanStack npm Attack - The Hacker News
  • actions-cool/issues-helper Tags Redirected to Steal GitHub CI/CD Credentials (2026-05-19, 1 outlet, severity 3/5)
    • Popular GitHub Action Tags Redirected to Imposter Commit to Steal CI/CD Credentials - The Hacker News
  • Black Kite Report: Rising CVEs Outpace Supply Chain Visibility (2026-05-21, 1 outlet, severity 2/5)
    • Supply Chain Security Crisis: Too Many Vulnerabilities, Too Little Visibility - SecurityWeek
  • Key Drivers Shaping the Future Adoption of AI BOMs (2026-05-20, 1 outlet, severity 1/5)
    • What Will Make AI BOMs Real? - darkreading

Nation-State / APT

  • Four-Faith Router Exploits and Iranian Gas Station Hacks Reported (2026-05-23, 1 outlet, severity 4/5)
    • In Other News: Industrial Router Exploitation, CISA KEV Nomination Form, Gas Station Hacking - SecurityWeek
  • Calypso uses Showboat malware in cyber-espionage campaign targeting telecommunications providers (2026-05-22, 3 outlets, severity 3/5)
    • Chinese hackers target telcos with new Linux, Windows malware - BleepingComputer
    • Chinese APTs Share Linux Backdoor in Central Asia Telco Attacks - darkreading
    • Showboat Linux Malware Hits Middle East Telecom with SOCKS5 Proxy Backdoor - The Hacker News
  • GhostWriter targets Ukrainian government officials using OysterFresh malware via phishing (2026-05-22, 2 outlets, severity 3/5)
    • Belarus-linked hackers use fake training certificates to target Ukrainian officials - The Record from Recorded Future News
    • China's Webworm Uses Discord, Microsoft Graphs to Hack EU Govts. - darkreading
  • Ghostwriter Uses Prometheus Phishing and OYSTERBLUES to Target Ukraine (2026-05-23, 1 outlet, severity 3/5)
    • Ghostwriter Targets Ukraine Government Entities with Prometheus Phishing Malware - The Hacker News
  • Nimbus Manticore Uses MiniFast Backdoor in Targeted Cyber Campaigns (2026-05-23, 1 outlet, severity 3/5)
    • Fast and Furious – Nimbus Manticore Operations During the Iranian Conflict - Check Point Research
  • Iran Breaches US Gas Station Fuel Tank Gauge Systems (2026-05-19, 1 outlet, severity 3/5)
    • Fuel Tank Breaches Expand Scope of Iran's Cyber Offensive - darkreading
  • Xi and Putin Vow Deeper AI and Satellite Cooperation (2026-05-21, 1 outlet, severity 3/5)
    • Xi and Putin pledge closer cooperation on AI, cyberspace and satellite systems - The Record from Recorded Future News
  • Cloud Atlas Uses VBCloud and New Tools Against Russian Targets (2026-05-22, 1 outlet, severity 3/5)
    • Cloud Atlas activity in the second half of 2025 and early 2026: new tools and a new payload - Securelist
  • Screening Serpens Uses MiniUpdate Malware for New Espionage Campaigns (2026-05-23, 1 outlet, severity 3/5)
    • Tracking Iranian APT Screening Serpens’ 2026 Espionage Campaigns - Unit 42
  • Iran-linked Hackers Target US and Allied Critical Infrastructure via Phishing (2026-05-23, 1 outlet, severity 3/5)
    • Iran-linked hackers target key US, allied sectors with sophisticated spear-phishing messages - Cybersecurity Dive - Latest News

Malware & Botnets

  • BadIIS Malware Used by Chinese Cybercrime Groups for SEO Fraud (2026-05-22, 1 outlet, severity 4/5)
    • The art of being ungovernable - Cisco Talos Blog
  • MSHTA Tool Abuse Drives Surge in Lumma Malware Attacks (2026-05-20, 1 outlet, severity 3/5)
    • Legacy Windows Tool MSHTA Fuels Surge in Silent Malware Attacks - SecurityWeek
  • SHub Reaper malware uses fake Apple updates to steal data (2026-05-19, 1 outlet, severity 3/5)
    • SHub macOS infostealer variant spoofs Apple security updates - BleepingComputer
  • Lucifer DaaS: How New Drainer-as-a-Service Models Target Crypto Wallets (2026-05-22, 1 outlet, severity 3/5)
    • Inside a Crypto Drainer: How to Spot it Before it Empties Your Wallet - BleepingComputer
  • OtterCookie NPM Stealer Targets Windows, macOS, and Linux Systems (2026-05-22, 1 outlet, severity 3/5)
    • Cross-Platform NPM Stealer, (Fri, May 22nd) - SANS Internet Storm Center, InfoCON: green
  • Webworm Uses Discord and MS Graph API for New Backdoors (2026-05-21, 1 outlet, severity 3/5)
    • Webworm Deploys EchoCreep and GraphWorm Backdoors Using Discord and MS Graph API - The Hacker News
  • Malicious Android Apps Use WebView Automation for Carrier Billing Fraud (2026-05-21, 1 outlet, severity 3/5)
    • Fake Android Apps Commit Carrier Billing Fraud for Premium Svcs. - darkreading
  • SHub Reaper Stealer Uses Fake Installers to Backdoor macOS (2026-05-20, 1 outlet, severity 3/5)
    • Stealer Spoofs Google, Microsoft & Apple, Then Backdoors macOS - darkreading
  • BadIIS Malware Used by lwxat for SEO Fraud Campaigns (2026-05-19, 1 outlet, severity 2/5)
    • From PDB strings to MaaS: Tracking a commodity BadIIS ecosystem used by Chinese-speaking threat - Cisco Talos Blog
  • Malwarebytes Launches Windows Webcam Monitoring to Block Spyware Access (2026-05-21, 1 outlet, severity 2/5)
    • Catch spyware in the act with Windows Webcam Monitoring - Malwarebytes

Phishing & Social Engineering

  • Kali365 phishing campaign targets Microsoft 365 accounts to capture OAuth tokens (2026-05-23, 2 outlets, severity 3/5)
    • FBI warns of Kali365 phishing-as-a-service after April Microsoft 365 attacks - The Record from Recorded Future News
    • FBI warns about fast-growing phishing kit targeting Microsoft 365 users - CyberScoop
  • Verizon Report: Healthcare Faces Surge in AI-Enhanced Social Engineering (2026-05-23, 1 outlet, severity 3/5)
    • Verizon DBIR: Healthcare Fends Off Increased Social Engineering Attacks - darkreading
  • Aldi meat box Facebook scam steals user payment information (2026-05-20, 1 outlet, severity 3/5)
    • Facebook scam promises cheap Aldi meat boxes, steals payment info instead - Malwarebytes
  • Early Phishing Detection Prevents Major Business Disruption and Risk (2026-05-19, 1 outlet, severity 1/5)
    • How to Reduce Phishing Exposure Before It Turns into Business Disruption - The Hacker News

Cloud & Infrastructure Security

  • Storm-2949 Exploits Microsoft Password Reset to Steal Azure Data (2026-05-20, 1 outlet, severity 4/5)
    • Microsoft Self-Service Password Reset abused in Azure data theft attacks - BleepingComputer
  • Cloaked Ursa Uses ROADtools to Execute Cloud-Based Attacks (2026-05-22, 1 outlet, severity 3/5)
    • Paved With Intent: ROADtools and Nation-State Tactics in the Cloud - Unit 42
  • ICS Security Experts Detail Real-World OT and Infrastructure Risks (2026-05-20, 1 outlet, severity 3/5)
    • Real-World ICS Security Tales From the Trenches - SecurityWeek
  • Google Cloud API Keys Stay Active After Deletion Delay (2026-05-22, 1 outlet, severity 2/5)
    • Google API Keys Remain Active After Deletion - darkreading
  • Discord implements DAVE end-to-end encryption for all voice and video calls (2026-05-20 to 2026-05-21, 2 outlets, severity 1/5)
    • Discord rolls out end-to-end encryption on voice, video calls - BleepingComputer
    • Discord migrates all users to end-to-end encryption by default - The Record from Recorded Future News
  • Akamai Acquires LayerX for $205M to Boost Browser Security (2026-05-23, 1 outlet, severity 1/5)
    • Akamai Joins Growing Chorus of Vendors Betting Big on Secure Enterprise Browsers - darkreading
  • Proofpoint Integrates Claude Compliance API for Enhanced Enterprise Data Security (2026-05-22, 1 outlet, severity 1/5)
    • Proofpoint Integrates with the Claude Compliance API to Extend Data Security and Governance to Claude - Proofpoint News Feed

Identity & Access Management

  • CoinbaseCartel stole Grafana Labs codebase using a stolen access token (2026-05-19, 3 outlets, severity 3/5)
    • Grafana says stolen GitHub token let hackers steal codebase - BleepingComputer
    • Grafana Labs says hacker gained access to codebase through leaked token - Cybersecurity Dive - Latest News
    • Grafana refuses to pay ransom after codebase theft - The Record from Recorded Future News
  • Odesa teen linked to theft of 28,000 online accounts (2026-05-21, 1 outlet, severity 3/5)
    • Ukraine identifies infostealer operator tied to 28,000 stolen accounts - BleepingComputer
  • Palo Alto Networks Finds Identity Weaknesses in 90% of Incidents (2026-05-21, 1 outlet, severity 3/5)
    • When Identity is the Attack Path - The Hacker News
  • npm Introduces 2FA Publishing and Install Controls to Prevent Attacks (2026-05-24, 1 outlet, severity 2/5)
    • npm Adds 2FA-Gated Publishing and Package Install Controls Against Supply Chain Attacks - The Hacker News
  • Device Posture Assessment Must Complement Identity to Prevent Token Theft (2026-05-21, 1 outlet, severity 2/5)
    • Identity Alone Isn't Enough: Why Device Security Has to Share the Load - BleepingComputer
  • AI Agents Reshaping Identity Security Budgeting and Resource Allocation (2026-05-22, 1 outlet, severity 1/5)
    • AI Agents Are Shifting Identity Security Budget Dynamics - darkreading

AI & Machine Learning Security

  • Apple blocked billions in fraudulent App Store transactions using AI detection (2026-05-21 to 2026-05-22, 2 outlets, severity 3/5)
    • Apple Rejected 2 Million App Store Submissions in 2025 for Security and Fraud Prevention - SecurityWeek
    • Apple blocked over $11 billion in App Store fraud in 6 years - BleepingComputer
  • Claude Mythos AI Discovers 10,000 High-Severity Software Vulnerabilities (2026-05-23, 1 outlet, severity 3/5)
    • Claude Mythos AI Finds 10,000 High-Severity Flaws in Widely Used Software - The Hacker News
  • Verizon DBIR: AI Accelerates Exploitation and Increases Third-Party Breaches (2026-05-22, 1 outlet, severity 3/5)
    • Defenders fall behind, as AI rewrites the rules of a data breach - GRAHAM CLULEY
  • Evolving AI BOMs Must Track Agentic Runtime Behaviors and Permissions (2026-05-22, 1 outlet, severity 2/5)
    • How CISOs Should Prep for Agentic-Ready AI BOMs - darkreading
  • Microsoft releases Rampart and Clarity tools to secure agentic software (2026-05-21, 2 outlets, severity 2/5)
    • Meet Rampart and Clarity, Microsoft’s new red team combo AI agents - CyberScoop
    • Microsoft Open-Sources RAMPART and Clarity to Secure AI Agents During Development - The Hacker News
  • AI-Generated Bug Reports Overwhelm Triage Despite Improved Accuracy Models (2026-05-19, 1 outlet, severity 2/5)
    • AI might cut false positives, but it won’t stop the slop - CyberScoop
  • OpenAI’s New Financial Integration Raises Major Privacy and Security Concerns (2026-05-19, 1 outlet, severity 2/5)
    • Experts warn of privacy risks as AI firms looks to connect to financial accounts - The Record from Recorded Future News
  • Emergence AI agents commit crimes in virtual town simulations (2026-05-21, 1 outlet, severity 2/5)
    • Researchers left AI agents alone in a virtual town and watched it all unravel - Malwarebytes
  • Decoding Stack String Obfuscation Techniques in High-Level Languages (2026-05-23, 1 outlet, severity 2/5)
    • An Example of Stack String in High Level Language, (Sat, May 23rd) - SANS Internet Storm Center, InfoCON: green
  • Cyber Readiness Paradox: False Confidence Leaves Organizations Vulnerable to AI (2026-05-21, 1 outlet, severity 2/5)
    • The readiness paradox: Why a false sense of cyber confidence is becoming a liability - CyberScoop
  • Securing AI Applications After Moving From Experimentation to Production (2026-05-20, 1 outlet, severity 2/5)
    • Caught Off Guard: Securing AI After It Hits Production - SecurityWeek
  • Managing Shadow AI: Five Steps to Secure Corporate Data (2026-05-19, 1 outlet, severity 2/5)
    • 5 Steps to Managing Shadow AI Tools Without Slowing Down Employees - BleepingComputer
  • AI Coding Tools and Agents Increase Chained Vulnerability Risks (2026-05-19, 1 outlet, severity 2/5)
    • The Boring Stuff Is Dangerous Now - darkreading
  • New Assurance Processes Needed to Measure AI Security and Privacy (2026-05-21, 1 outlet, severity 2/5)
    • On AI Security - Schneier on Security
  • Vera Cherepanova: Ethical Governance is Vital for Deploying AI Agents (2026-05-20, 1 outlet, severity 1/5)
    • How You Handle AI Agents Says More Than You Might Think About Your Company’s Values - Corporate Compliance Insights
  • Cybersecurity Pros Divided Over AI’s Role as Threat and Tool (2026-05-21, 1 outlet, severity 1/5)
    • Cyber Pros Can't Decide If AI Is a Good or a Bad Thing - darkreading

Legal & Law Enforcement

  • First VPN Dismantled in Operation Saffron Targeting Ransomware Groups (2026-05-23, 1 outlet, severity 4/5)
    • First VPN Dismantled in Global Takedown Over Use by 25 Ransomware Groups - The Hacker News
  • Dutch authorities seize Stark Industries servers used for cyberattacks (2026-05-23, 1 outlet, severity 4/5)
    • Netherlands seizes 800 servers of hosting firm enabling cyberattacks - BleepingComputer
  • Interpol Operation Ramz Disrupts Cybercrime Services Targeting Middle East and North Africa (2026-05-19, 3 outlets, severity 3/5)
    • Interpol leads cybercrime crackdown across 13 countries in Middle East, North Africa - CyberScoop
    • More than 200 arrested in cyber raids aimed at Middle East scam networks - The Record from Recorded Future News
    • 201 Arrested in Crackdown on Cybercrime in Middle East, North Africa - SecurityWeek
  • Young and Gevirtz Provided Infrastructure for India-based Tech Support Fraud Scheme (2026-05-22 to 2026-05-23, 2 outlets, severity 3/5)
    • Two Americans plead guilty to assisting India-based tech support scam centers - The Record from Recorded Future News
    • Former US execs plead guilty to aiding tech support scammers - BleepingComputer
  • Italian authorities dismantle CINEMAGOAL app stealing streaming authentication codes (2026-05-24, 1 outlet, severity 3/5)
    • Italy disrupts CINEMAGOAL piracy app that stole streaming auth codes - BleepingComputer
  • Chatrie Case Could Redefine Fourth Amendment Privacy and Geofence Warrants (2026-05-23, 1 outlet, severity 3/5)
    • Why the Supreme Court's Chatrie case could change the meaning of privacy in America - The Record from Recorded Future News
  • FTC Warns 12 Tech Firms Over Take It Down Act Violations (2026-05-21, 1 outlet, severity 3/5)
    • FTC warns 12 major tech firms of violating Take It Down Act - The Record from Recorded Future News
  • Meta settles lawsuit with Breathitt County School District over addiction (2026-05-23, 1 outlet, severity 3/5)
    • Meta settles school district lawsuit claiming addictive design harmed students' mental health - The Record from Recorded Future News
  • FBI Reports $388 Million Lost to Crypto ATM Scams (2026-05-20, 1 outlet, severity 3/5)
    • FBI: Americans lost over $388 million to scams using crypto ATMs in 2025 - BleepingComputer
  • Ukraine investigates teen for stealing from California online shoppers (2026-05-21, 1 outlet, severity 3/5)
    • Ukraine probes teen suspect in cyber theft scheme targeting California online shoppers - The Record from Recorded Future News
  • Venezuela Energy Reforms and New OFAC Licenses Boost Investment Opportunities (2026-05-19, 1 outlet, severity 1/5)
    • Venezuela Energy Reform and US Sanctions Relief Are Moving Together. Here’s What That Means. - Corporate Compliance Insights

Policy & Regulation

  • FTC and Congress Investigate AI-Driven Surveillance Pricing Practices (2026-05-22, 1 outlet, severity 3/5)
    • Surveillance Pricing: You’re Watching Consumers — and Government Is Watching You - Corporate Compliance Insights
  • EU Regulation 2024/3015 Turns Forced Labor Into Trade Compliance Risk (2026-05-20, 1 outlet, severity 3/5)
    • The EU Is Making Forced Labor a Trade Compliance Problem, Not Just an ESG Issue - Corporate Compliance Insights
  • Ofcom to Mandate Tech Firm Removal of Deepfakes and Intimate Images (2026-05-20, 1 outlet, severity 3/5)
    • UK regulator to require tech firms to tackle deepfakes, non-consensual intimate images - The Record from Recorded Future News
  • EU AI Act: Misidentifying Your Role Risks Major Compliance Failures (2026-05-25, 1 outlet, severity 3/5)
    • The Most Overlooked Risk in the EU AI Act: Misunderstanding Your Role - Corporate Compliance Insights
  • AI BOM Adoption Grows Amid New US and EU Regulations (2026-05-19, 1 outlet, severity 2/5)
    • Is 2026 the Year AI Bills of Materials Get Real? - darkreading
  • Donald Trump Postpones Executive Order Targeting Frontier AI Model Testing (2026-05-22, 1 outlet, severity 2/5)
    • Trump postpones executive order focused on AI security - CyberScoop
  • Bacon and Walkinshaw Oppose CISA Budget Cuts Amid Rising Threats (2026-05-22, 1 outlet, severity 2/5)
    • Lawmakers from both parties say CISA cuts have gone too far - CyberScoop
  • NYDFS Urges Financial Institutions to Strengthen Cybersecurity Defenses (2026-05-23, 1 outlet, severity 2/5)
    • New York regulator calls for additional cyber mitigation amid heightened threat environment - Cybersecurity Dive - Latest News
  • Meta, Snap, and Roblox Pledge New Safety Measures to Ofcom (2026-05-22, 1 outlet, severity 2/5)
    • Tech giants promise British regulator they will tweak platforms to protect kids online - The Record from Recorded Future News
  • TikTok, YouTube, and Roblox Under Fire Over Child Safety Risks (2026-05-21, 1 outlet, severity 2/5)
    • TikTok, YouTube, and Roblox face scrutiny, but age gates won’t fix child safety - Malwarebytes
  • AutoRek’s Jim Sadler: Solving the Compliance Provability Deficit (2026-05-21, 1 outlet, severity 2/5)
    • Compliant But Unprovable: Why Controls That Work Fail Examinations - Corporate Compliance Insights
  • PwC and AlixPartners Surveys Show Low Executive Board Confidence (2026-05-22, 1 outlet, severity 1/5)
    • Fewer Than Half of Execs Say Their Board Excels - Corporate Compliance Insights
  • FaceUp Secures $5M Series A to Expand Global Compliance Suite (2026-05-22, 1 outlet, severity 1/5)
    • FaceUp Raises $5M Series A Round - Corporate Compliance Insights
  • Awaris’s Chris Tamdjidi: Why Physiological Intelligence Outperforms AI in Compliance (2026-05-25, 1 outlet, severity 1/5)
    • Why the Human Body Still Matters in an AI-Driven Workplace - Corporate Compliance Insights
  • Fenergo, Bloomberg, and ComplyAdvantage Launch New GRC Technology Features (2026-05-22, 1 outlet, severity 1/5)
    • GRC News Roundup: Fenergo, Bloomberg, Sovos & More - Corporate Compliance Insights

Other Cybersecurity

  • Delve Accused of Fabricating SOC 2 Audit Reports by DeepDelver (2026-05-21, 1 outlet, severity 3/5)
    • SOC 2 Is Broken. The Delve Scandal Is Showing Us How. - Corporate Compliance Insights
  • Trapdoor Android Scheme Processes 659 Million Daily Ad Bid Requests (2026-05-20, 1 outlet, severity 3/5)
    • Trapdoor Android Ad Fraud Scheme Hit 659 Million Daily Bid Requests Using 455 Apps - The Hacker News
  • Microsoft Driver Quality Initiative to Boost Windows 11 Stability (2026-05-20, 1 outlet, severity 2/5)
    • Microsoft plans to improve Windows 11 driver quality in 2026 - BleepingComputer
  • YouTube expands AI likeness detection to combat deepfake videos (2026-05-19, 1 outlet, severity 2/5)
    • YouTube wants your face to fight deepfakes - Malwarebytes
  • Linux Methods for Implementing Selective HTTP Proxying via Network Namespaces (2026-05-22, 1 outlet, severity 2/5)
    • Selective HTTP Proxying in Linux, (Thu, May 21st) - SANS Internet Storm Center, InfoCON: green
  • Telecom Sector Launches New Private Information Sharing and Analysis Center (2026-05-20, 1 outlet, severity 2/5)
    • Telecom sector launches its own private ISAC - Cybersecurity Dive - Latest News
  • Ocean, Socket, and Quantum Bridge Secure New Cybersecurity Platform Funding (2026-05-21, 1 outlet, severity 1/5)
    • Ocean Emerges From Stealth With $28M for Agentic Email Security Platform - SecurityWeek
    • Socket Raises $60 Million at $1 Billion Valuation - SecurityWeek
    • Quantum Bridge Raises $8 Million for Quantum-Safe Key Distribution Solution - SecurityWeek
  • Flipper One seeks community help for open Linux hardware platform (2026-05-21, 1 outlet, severity 1/5)
    • Flipper One project needs community help to build open Linux platform - BleepingComputer
  • Agentic AI Revolutionizes NDR Platforms to Combat Alert Fatigue (2026-05-25, 1 outlet, severity 1/5)
    • The Alert Firehose Finally Meets Its Match - The Hacker News
  • Laurie Anderson Uses Roger Needham’s Tech-Skeptic Quote in Music (2026-05-19, 1 outlet, severity 1/5)
    • Laurie Anderson Is Quoting Me - Schneier on Security
  • Integrating Cyber Resilience Into Modern Business Continuity Planning (2026-05-19, 1 outlet, severity 1/5)
    • Cyber Resilience is the New Business Continuity Plan - SecurityWeek
  • Threat Detection & Incident Response Summit Explores AI and Fraud (2026-05-20, 1 outlet, severity 1/5)
    • Virtual Event Today: Threat Detection & Incident Response Summit - SecurityWeek
  • Cybersecurity Evolution: From Perimeter Defense to Assume-Breach Strategies (2026-05-20, 1 outlet, severity 1/5)
    • Looking Back, Looking Forward: Digesting a Dynamic Bouillabaisse of Cyber Evolution - darkreading
  • IPQS’s Alexander Hall: Why Chargebacks Alone Fail to Measure Fraud (2026-05-23, 1 outlet, severity 1/5)
    • Why Chargebacks are Just One Piece of the Fraud Puzzle - BleepingComputer
  • ISC Stormcast May 21st: Daily Security Updates and SANS Training (2026-05-21, 1 outlet, severity 1/5)
    • ISC Stormcast For Thursday, May 21st, 2026 https://isc.sans.edu/podcastdetail/9940, (Thu, May 21st) - SANS Internet Storm Center, InfoCON: green
  • SPRFMO Implements New Regulations for South Pacific Squid Fishing (2026-05-23, 1 outlet, severity 1/5)
    • Friday Squid Blogging: Regulating Squid Fishing in the South Pacific - Schneier on Security
  • ISC Stormcast Daily Cybersecurity Threat Update for May 20, 2026 (2026-05-20, 1 outlet, severity 1/5)
    • ISC Stormcast For Wednesday, May 20th, 2026 https://isc.sans.edu/podcastdetail/9938, (Wed, May 20th) - SANS Internet Storm Center, InfoCON: green
  • ISC Stormcast Daily Cybersecurity Threat Update for May 19, 2026 (2026-05-19, 1 outlet, severity 1/5)
    • ISC Stormcast For Tuesday, May 19th, 2026 https://isc.sans.edu/podcastdetail/9936, (Tue, May 19th) - SANS Internet Storm Center, InfoCON: green
  • ISC Stormcast Weekly Cybersecurity Update for May 22, 2026 (2026-05-22, 1 outlet, severity 1/5)
    • ISC Stormcast For Friday, May 22nd, 2026 https://isc.sans.edu/podcastdetail/9942, (Fri, May 22nd) - SANS Internet Storm Center, InfoCON: green

Reported Data Breaches

Breaches reported via Have I Been Pwned this period.

  • 7-Eleven Data Breach Exposes Over 185,000 Customer Accounts (2026-05-24)
  • Dragonica Lunaris Breach Compromises Over 126,000 User Accounts (2026-05-21)
  • Windows93 and Myspace93 Breach Exposes 46,105 User Accounts (2026-05-21)
  • CTT Breach Exposes Over 468,000 User Accounts (2026-05-19)
  • ShinyHunters breach of Addi exposes 34 million user accounts (2026-05-19)