Application Security
Two page-cache write bugs chained for deterministic Linux root. Public exploit released after embargo break on May 7. AlmaLinux specifics matter; container workloads inherit host kernel exposure.
Artificial Intelligence (AI)
Google Threat Intelligence Group disclosed the first publicly confirmed AI-generated zero-day exploit caught in the wild on May 11. The Python script bypassed 2FA on a popular open-source admin tool and was destined for mass exploitation before Google disrupted it.
Threat Intelligence
Kaspersky disclosed cyber espionage group HeartlessSoul on May 11, targeting Russian aerospace firms and drone operators through SourceForge malvertising to steal GIS shape files, GPS data, and terrain models. The operational ground truth Russian analysts use is the prize.
Application Security
TeamPCP compromised the Checkmarx Jenkins AST Plugin on May 9, the third attack on Checkmarx in three months. The Dune-themed defacement reads "Checkmarx fails to rotate secrets again." Either secrets rotation was incomplete or TeamPCP retained access through an unremediated persistence mechanism.
Application Security
The cPanel CVE-2026-41940 story continues. A new threat actor has been named, the backdoor it deploys has been documented, and the most operationally relevant fact is that this group has been operating since 2020 with detection rates close to zero. BEIJING, CHINA — A new threat actor designated Mr_Rot13 has
Trending
Three of cybersecurity's most prominent voices used the RSA Conference in March to deliver a unified warning: AI is finding vulnerabilities faster than organizations can patch them, and the next two years will outpace anything the industry has seen.
Trending
Participants in the CyberCorps Scholarship for Service program face hundreds of thousands of dollars in potential debt as Trump administration hiring freezes have led federal agencies to rescind job and internship offers. The Trump administration has proposed cutting SFS funding by 65 percent.
Trending
More than 40 million people ask ChatGPT a healthcare-related question every day. OpenAI's ChatGPT Health and Anthropic's Claude for Healthcare are not HIPAA-compliant for consumers — and that is by design.
Trending
After more than a year of the second Trump administration, observers across the political spectrum told CyberScoop that CISA has been significantly diminished, losing roughly one-third of its personnel.
SentinelLABS disclosed PCPJack on May 7 — a Linux cloud worm that exploits 5 CVEs across Docker, Kubernetes, Redis, MongoDB, and RayML, then evicts rival TeamPCP malware before stealing credentials. The "PCP replaced" telemetry field is the editorial differentiator.
Schemata, a DoD contractor providing AI-powered training to US military customers, patched a zero-authorization API flaw on May 1, 2026 — 150 days after researcher Strix first disclosed it.
A breach of GFN.am, NVIDIA's authorized GeForce NOW partner in Armenia, exposed user data including roughly 6,000 customer payment cards. ShinyHunters claimed responsibility, but BleepingComputer and Cybernews assess the claimant as a likely impersonator.
Norwegian researcher Tom Jøran Sønstebyseter Rønning of Statnett SF demonstrated at the Palo Alto Networks Norway BIG Bite of Tech conference that Microsoft Edge keeps every saved password loaded in plaintext RAM during a browser session. Microsoft's response: by design.
Privacy researcher Alexander Hanff documented Chrome silently downloading a 4GB Gemini Nano model to user devices without consent.
Elastic Security Labs disclosed TCLBANKER on May 7 — a Brazilian banking trojan that targets 59 banks via DLL sideloading against Logitech's AI Prompt Builder, deploys WPF overlays for credential theft, and includes worm modules that hijack victims' WhatsApp Web and Outlook to spread itself.
LayerX disclosed ClaudeBleed on May 6 — a vulnerability in Anthropic's Claude Chrome extension that allowed any other Chrome extension, even one with zero permissions, to send messages to Claude and exfiltrate user data. Anthropic patched in v1.0.70 within 24 hours, but the patch is partial.
cPanel released its second emergency Technical Security Release in 10 days on May 8, patching three new vulnerabilities (CVE-2026-29201, CVE-2026-29202, CVE-2026-29203) just after CVE-2026-41940 compromised an estimated 44,000 servers. The pattern is the story.
JDownloader's website was compromised between May 6 and 7, serving Windows installers signed under bogus publisher names that deployed a Python-based RAT. The CMS was the entry point — not the build pipeline. Anyone who installed during the window should reimage.
HiddenLayer disclosed on May 7 that a malicious Hugging Face repository, Open-OSS/privacy-filter, typosquatted OpenAI's legitimate Privacy Filter release and shipped a Rust-based infostealer called Boxter. The repo briefly hit #1 on Hugging Face and reached 244,000 downloads before takedown.
The Cybersecurity and Infrastructure Security Agency launched a new initiative on Tuesday, May 5, 2026, called CI Fortify that pushes critical infrastructure operators across all 16 federally-designated sectors to prepare for sustained operations during geopolitical conflict, including scenarios in which third-party connections become unreliable and adversaries gain partial access to
Trend Micro researchers disclosed Quasar Linux RAT (QLNX) on May 4 — a Linux implant purpose-built to harvest npm tokens, PyPI keys, AWS credentials, Kubernetes configs, and the rest of the developer credential file universe. Capabilities map to the LiteLLM compromise of March 2026.
