CISA Tells Critical Infrastructure Operators to Plan for Weeks of Cyber Isolation

The Cybersecurity and Infrastructure Security Agency launched a new initiative on Tuesday, May 5, 2026, called CI Fortify that pushes critical infrastructure operators across all 16 federally-designated sectors to prepare for sustained operations during geopolitical conflict, including scenarios in which third-party connections become unreliable and adversaries gain partial access to

A New Linux RAT Was Built to Steal npm and PyPI Tokens, and It's the Tool the Next LiteLLM Was Waiting For

Trend Micro researchers disclosed Quasar Linux RAT (QLNX) on May 4 — a Linux implant purpose-built to harvest npm tokens, PyPI keys, AWS credentials, Kubernetes configs, and the rest of the developer credential file universe. Capabilities map to the LiteLLM compromise of March 2026.

Cushman & Wakefield Got Hit by Two Ransomware Groups in Three Days. ShinyHunters Just Posted 50 Gigabytes.

Cushman & Wakefield confirmed a vishing-related breach on May 5. ShinyHunters and Qilin both listed it on their leak sites within days. After negotiations failed, ShinyHunters posted a 50GB Salesforce dataset on May 8. The dual-claim attribution puzzle is the new operational story for SaaS-era IR.

A Federal Jury Just Convicted One of the Brothers Who Wiped 96 Government Databases After Being Fired by Video Call

A federal jury in Alexandria, Virginia convicted Sohaib Akhter on May 7, 2026 for his role in deleting roughly 96 U.S. government databases at federal contractor Opexus on the day he and his twin brother were fired in February 2025. The case is also notable for an unprecedented detail:

RansomHouse Claims the Trellix Breach, and the Screenshots Show More Than Source Code

RansomHouse claimed responsibility on May 7 for the Trellix breach the cybersecurity firm disclosed last week — and Cybernews researchers say screenshots posted by the group show internal VMware, Rubrik, and Dell EMC dashboards. That's a much wider compromise than Trellix's "portion of our source code

Two Pro-Ukraine Hacktivist Groups Are Now Sharing Infrastructure — and It Looks Quasi-State-Sponsored

Kaspersky researchers reported on May 7-8 that pro-Ukraine hacktivist groups BO Team (also known as Black Owl) and Head Mare appear to be coordinating their cyber operations against Russian organizations — sharing infrastructure including command-and-control systems on the same compromised host. BO Team had previously operated more autonomously than other hacktivist

Canvas Defaced Worldwide: ShinyHunters Tells Schools to Pay Up Individually by May 12

ShinyHunters defaced Canvas login pages worldwide on May 7 — disrupting finals week at Harvard, Penn, Duke, and Virginia Tech. The group claims 275 million records from 9,000 schools and is now telling individual schools to negotiate ransom payments by May 12. Instructure had declared the May 1 incident contained

WIRED Found 380,000 Vibe-Coded Apps on the Open Web — and 5,000 of Them Were Leaking Corporate Data

WIRED's Andy Greenberg published an investigation on May 7, 2026 reporting that the Israeli cybersecurity firm RedAccess found roughly 380,000 publicly accessible web assets built with AI "vibe-coding" platforms — Lovable, Base44, Replit, and Netlify — of which around 5,000 exposed sensitive corporate data and another

A 404 Media Reporter Watched Someone Else Become Him, Live, on Microsoft Teams

404 Media's Joseph Cox published an investigation on May 7, 2026 in which he obtained, installed, and personally tested Haotian AI — a Chinese realtime deepfake software marketed to scammers — and watched a Cambodia-based operator's face shapeshift into his own during a live Microsoft Teams call. Haotian

Australia Warns That Fake Cloudflare CAPTCHAs on Real Australian Websites Are Pushing Vidar Stealer

The Australian Signals Directorate's Australian Cyber Security Centre published an advisory on May 7, 2026 warning that pro-criminal threat actors are using compromised legitimate Australian WordPress websites as launch pads for ClickFix social-engineering attacks delivering the Vidar Stealer information-stealing malware. Visitors to compromised Australian business websites are shown

Daemon Tools Was Trojanized for a Month — and the Installer Was Properly Signed

Kaspersky disclosed on May 5, 2026 that Daemon Tools — disk-imaging software with millions of users worldwide — has been distributing trojanized installers from its official website since April 8, 2026. The compromised binaries were signed with valid AVB Disc Soft developer certificates. Thousands of machines across approximately 100 countries received a

Ivanti EPMM Has a Third Zero-Day This Year — and CISA Just Gave Federal Agencies Three Days to Patch

Ivanti disclosed CVE-2026-6973 on May 7 — a CVSS 7.2 EPMM flaw under active exploitation. CISA gave federal agencies just three days to patch (May 10 deadline). It's the third EPMM zero-day of 2026, and Ivanti hints attackers are using credentials stolen during January's campaign. On