The OnlyFans "340 Million-Record Leak" Was Compiled From Old Breaches, Not a Platform Hack

A threat actor advertised a 340 million-record OnlyFans dataset for 0.313 BTC on May 25, then privately admitted they did not breach the platform. The compilation stitches old breach data to public profiles, and the framing failure is itself the editorial story.

Carnival Confirms 6 Million-Person Breach, 38 Days After ShinyHunters Posted Ultimatum

Carnival Corporation began notifying 5,995,277 people on May 27, 2026 that their personal data was stolen in an April vishing breach — the corporate confirmation of an extortion claim ShinyHunters posted to its leak site 38 days earlier.

Wiz Disclosed JINX-0164, a New macOS Threat Actor Hitting Crypto Devs With Recruiter Lures

Wiz disclosed JINX-0164, a previously unreported actor running LinkedIn recruiter lures, custom macOS malware, and CI/CD hijacking against cryptocurrency developers. The playbook mirrors documented North Korean tradecraft, but Wiz preserves the attribution hedge.

Charter Confirms Breach as ShinyHunters Claims 42 Million Records via Salesforce Vishing

Charter Communications, the parent of Spectrum, confirmed a cybersecurity incident on May 26-27, 2026 after ShinyHunters claimed 42 million customer records via the same vishing-to-Microsoft-Entra-to-Salesforce playbook documented across the 2026 cluster at ADT, Amtrak, Odido, and Vimeo.

Rapid7 Finds Unpatched Argument-Injection RCE in Gogs — Any Authenticated User Owns the Server

Rapid7 Labs disclosed an unpatched CVSSv4 9.4 argument-injection (CWE-88) flaw in Gogs that lets any authenticated user achieve remote code execution by injecting --exec into git rebase via a malicious branch name. The second critical self-hosted-Git flaw in one week.

Microsoft Condemns Uncoordinated Zero-Day Disclosures, Says Customers at 'Unnecessary Risk'

Microsoft's MSRC publicly condemned a six-flaw run of uncoordinated zero-day disclosures, saying the leaks put customers at 'unnecessary risk.' It's a position shift after six weeks of researcher disclosures that forced emergency response. The story is the tension itself.

ESET APT Report: Sandworm's DynoWiper Hits Polish Energy, Lazarus Compromises Axios npm

ESET's October 2025 - March 2026 APT report names two findings defenders cannot ignore: a Polish energy company hit in December 2025 by a new wiper, DynoWiper, attributed to Sandworm with medium confidence, and the npm package axios compromised by attackers ESET ties to Lazarus.

A Tennessee Town Clerk Caught a Hack of Its Amazon Account — and Exposed a Municipal Cyber Gap

A City Hall clerk in Alexandria, Tennessee caught a hacker using the town's Amazon account to order three cameras and an iPad. The detection was a person noticing — no security control fired. Thousands of US municipalities are in the same posture.

What Is SQL Injection (SQLi)?

A complete guide to SQL injection — how SQLi attacks work, the main types, what attackers can do with them, and the proven ways to prevent them.

Apple Open-Sources Its corecrypto Post-Quantum Cryptography Implementations With Formal Proofs

Apple published the post-quantum cryptography implementations in corecrypto — the library behind iOS, iPadOS, and macOS — alongside formal proofs and verification tools. It does not change today's encryption posture, but it lets outside experts audit the math that will protect tomorrow's.

Google Cloud Launches AI Threat Defense, Pairing Gemini With Wiz and CodeMender

Google Cloud launched AI Threat Defense on May 27, 2026 — an automated platform that pairs Gemini, the Wiz cloud-security stack, and the CodeMender AI code-fixing agent to find, prioritize, and patch software vulnerabilities at machine speed.

Third-Party UK Visa Site Exposed About 100,000 Applicants' Passport Scans and Selfies

A site branded as 'UK Visa Portal' exposed at least 100,000 applicants' passport scans and selfies, TechCrunch reported May 26. The site is not affiliated with the UK government, and the operator sent attorneys rather than fix the leak.