Microsoft Just Took Down a Code-Signing-as-a-Service Operation. Five Ransomware Crews Were the Customers.

Microsoft's Digital Crimes Unit disrupted Fox Tempest on May 19 — a malware-signing-as-a-service operation that issued over 1,000 fraudulent code-signing certificates to ransomware crews including Rhysida, Vanilla Tempest, and three Storm clusters at up to $9,500 per signed sample.

Operation Endgame 2.0: Europol Just Took Down 300 Servers and 20 Operators of the Ransomware Supply Chain

Europol and Eurojust executed Operation Endgame 2.0 May 19-22: 300+ servers dismantled, 650 domains, 20 international arrest warrants, €3.5M crypto seized across seven countries. The strategic target is the initial-access-broker layer that supplies ransomware affiliates.

'The Worst Leak I've Witnessed': CISA Contractor Left AWS GovCloud Admin Keys on Public GitHub for Six Months

GitGuardian discovered a public GitHub repo named 'Private-CISA' holding 844 MB of plaintext passwords, AWS GovCloud admin tokens, and Entra ID SAML certs belonging to CISA — public since November 2025. The Nightwing contractor engineer manually disabled push-protection.

Verizon DBIR 2026: Vulnerability Exploitation Just Overtook Credential Theft as the #1 Way Attackers Get In

Verizon's 19th DBIR re-baselines the threat model: vulnerability exploitation hit 31% of breaches up from 20% — now the #1 vector. Credential abuse fell to 13%. AI is shrinking patching windows from months to hours. Third-party breaches up 60% YoY.

Luxembourg's Entire Telecom Network Crashed in July 2024. Ten Months Later, the Huawei Zero-Day Behind It Still Has No CVE.

The Record disclosed that the July 23, 2024 nationwide outage of Luxembourg's POST mobile network — which knocked out 4G, 5G, landline, and emergency comms for 3+ hours — was caused by a Huawei enterprise router zero-day. Ten months later: no CVE, no Huawei acknowledgment.

SEPPmail Just Disclosed Seven CVEs. The Worst Lets Anyone on the Internet Read Your Email Traffic.

InfoGuard Labs disclosed seven CVEs in SEPPmail Secure E-Mail Gateway including CVE-2026-2743 (CVSS 10.0 path traversal to full appliance takeover) and CVE-2026-44128 (unauthenticated Perl eval() RCE). Patched in 15.0.2.1, 15.0.3, and 15.0.4.

Shai-Hulud Is Now Generating Valid Sigstore Provenance Badges for Its Malicious npm Packages

Mini Shai-Hulud pushed ~42 malicious packages through a compromised @antv maintainer account on May 19 with valid Sigstore Fulcio certificates and Rekor entries. The green "verified" badge defenders have been trusting now sits on malicious code.

Google Just Caught the First AI-Built Zero-Day Used in the Wild — It Was a 2FA Bypass

Google Threat Intelligence Group disclosed the first known AI-developed zero-day used in the wild — a Python 2FA bypass intended for mass exploitation. Google identified the LLM fingerprint and coordinated a patch before the campaign could launch.

TeamPCP Leaked the Shai-Hulud Source. Within a Week, a Copycat Pushed Clones to npm.

A single npm user account pushed four malicious packages, including a near-verbatim clone of the Shai-Hulud worm, within a week of TeamPCP open-sourcing the worm source on BreachForums. Mini Shai-Hulud has graduated from a campaign to an ecosystem capability.

Symantec Confirms Fast16: The 2005-Era Sabotage Tool That Quietly Poisoned Nuclear Weapon Simulations

Symantec independently confirmed Fast16, a 2005-era pre-Stuxnet sabotage framework first disclosed by SentinelOne. It silently corrupted LS-DYNA and AUTODYN finite-element solver outputs for nuclear weapons design, acting only when material density crossed 30 g/cm cubed.

INTERPOL Just Arrested 201 Cybercriminals Across 13 MENA Countries — Operation Ramz Is the First of Its Kind

INTERPOL announced Operation Ramz, the first regional cybercrime enforcement operation focused on MENA. Active October 2025 – February 28, 2026: 201 arrests, 53 servers seized, 3,867 victims across 13 participating countries. Kaspersky and Group-IB contributed.

MiniPlasma: A Researcher's SYSTEM Exploit Just Revealed Microsoft's 2020 Patch Was Silently Undone

Nightmare-Eclipse released MiniPlasma May 13, 2026 — a working SYSTEM-level exploit for cldflt.sys on fully patched Windows 11. The bug is CVE-2020-17103, patched by Microsoft in December 2020. The 2020 PoC still works — and no 2026 patch exists.