Cyber Attacks
Tycoon2FA is back six weeks after the Microsoft/Europol takedown — now phishing OAuth device-code consents against M365 via a Trustifi-laundered relay.
Cyber Attacks
Grafana caught a CoinbaseCartel breach via canary token, traced it to a pull_request_target Pwn Request, and refused to pay — the second Pwn Request hit in three weeks.
Threat Intelligence
CrowdStrike's 2026 Financial Services Threat Landscape Report logs $2.02B in DPRK theft, PRESSURE CHOLLIMA's $1.46B record heist, and AI-tripled CHOLLIMA tempo.
AI Security
XBOW disclosed a CVSS 9.8 unauthenticated RCE in Exim — and used the seven-day window to race its autonomous LLM exploit pipeline against human researchers.
Cyber Attacks
Apache HTTP Server 2.4.66 ships with a double-free in mod_http2 — exploitable on default Debian builds and patched six days later in 2.4.67.
Cyber Attacks
Mistral AI confirmed a codebase management breach as TeamPCP listed ~450 repositories at $25K buy-it-now, with a seven-day leak deadline.
AI Security
OpenAI launched Daybreak on May 11, 2026 — an AI vulnerability discovery platform with three GPT-5.5 models and a 20+ partner roster including Cisco, Cloudflare, CrowdStrike, Palo Alto, Snyk, Tenable, and Rapid7. The AI defender market just formed.
Cyber Attacks
Microsoft confirmed active exploitation of CVE-2026-42897, a high-severity XSS zero-day in on-prem Exchange OWA, with no permanent patch — only EEMS mitigation. The eventual fix for Exchange 2016 and 2019 will only reach Period 2 ESU customers.
AI Security
Microsoft's MDASH AI found 16 of May's Patch Tuesday vulnerabilities, four critical. Palo Alto scanned its codebase with frontier models including Anthropic's Mythos and found 75 flaws across 26 CVEs. AI vulnerability discovery is now operational at vendor scale.
Three published versions of node-ipc — a package with 822,000 weekly downloads — hide an obfuscated stealer backdoor that exfiltrates 90 categories of developer and cloud secrets over DNS. The attacker hijacked a lapsed maintainer domain to publish them.
OpenAI confirmed two employee devices were compromised in the Mini Shai-Hulud supply chain attack, exposing code-signing certificates for its apps. OpenAI is rotating every certificate, and macOS users must update before June 12, 2026.
Cisco disclosed a maximum-severity authentication bypass in Catalyst SD-WAN, actively exploited as a zero-day by UAT-8616 — the same actor that has targeted this service since 2023. CISA added it to KEV, and there are no workarounds.
OpenLoop Health confirmed a January 2026 intrusion that exposed the names, birth dates, and medical information of 716,000 telehealth users. A threat actor called Stuckin2019 claims to hold data on 1.6 million. Disclosure came roughly four months after the breach.
Kaspersky found something unusual in a North Korean backdoor: comments that look written by an LLM, not a human. Combined with Kimsuky's expansion into defense targets across three countries, it is documented evidence that state malware development is borrowing AI.
Microsoft's new Kazuar analysis names one capability that ties it to the other Russian Signal operation in the news: Kazuar steals Signal Desktop message files. Encryption protects the conversation in transit — not the database on a compromised laptop.
An autonomous AI was pointed at the NGINX source code and found a critical RCE that survived 18 years of human review — plus three more CVEs in the same six-hour session. NGINX runs a third of the internet's top sites. The discovery method is the bigger story.
Ghostwriter built operational security into its phishing lure. Send the campaign's malicious PDF to a Ukrainian IP and it triggers the attack chain. Send it anywhere else — including to the analysts investigating it — and they get a harmless document.
Salt Typhoon spent three months inside an Azerbaijani oil and gas company — a target type it normally ignores. Bitdefender's assessment of why is the part that matters: Chinese APT targeting now follows energy geopolitics in real time.
Russian government hackers tried to hijack the Signal account of the wrong person. Donncha Ó Cearbhaill investigates spyware for a living — so he reverse-engineered the campaign and found himself one of 13,500+ targets. The 'snowball' methodology is the lesson.
RubyGems temporarily turned off new signups after what its security partner called a major malicious attack — hundreds of packages, DDoS, spam, and exploits hitting at once. The halt is the response model defenders should remember.
Germany's top cybersecurity official told lawmakers that China is close to building an AI model with superhacking capabilities — developed in secret. The warning lands a month after Anthropic gated Mythos. AI cyber capability is now great-power competition.
