Dead.Letter: Critical Exim RCE Sparks XBOW's AI-vs-Human Exploit Race

XBOW disclosed a CVSS 9.8 unauthenticated RCE in Exim — and used the seven-day window to race its autonomous LLM exploit pipeline against human researchers.

Apache HTTP/2 Double-Free RCE: One Version Affected, Six Days to Patch

Apache HTTP Server 2.4.66 ships with a double-free in mod_http2 — exploitable on default Debian builds and patched six days later in 2.4.67.

TeamPCP's $25K Mistral Auction: Source Code, Seven Days, and a Confirmed Breach

Mistral AI confirmed a codebase management breach as TeamPCP listed ~450 repositories at $25K buy-it-now, with a seven-day leak deadline.

OpenAI Just Launched Daybreak — and the AI Vulnerability Discovery Market Now Has Four Vendors and Twenty-Plus Partners

OpenAI launched Daybreak on May 11, 2026 — an AI vulnerability discovery platform with three GPT-5.5 models and a 20+ partner roster including Cisco, Cloudflare, CrowdStrike, Palo Alto, Snyk, Tenable, and Rapid7. The AI defender market just formed.

Microsoft Confirmed an Exchange Server Zero-Day Is Under Active Attack — and the 2016/2019 Patch Will Only Reach Period 2 ESU Customers

Microsoft confirmed active exploitation of CVE-2026-42897, a high-severity XSS zero-day in on-prem Exchange OWA, with no permanent patch — only EEMS mitigation. The eventual fix for Exchange 2016 and 2019 will only reach Period 2 ESU customers.

Microsoft's MDASH Found 16 of This Month's Windows Bugs. Palo Alto Found 75 in One Scan.

Microsoft's MDASH AI found 16 of May's Patch Tuesday vulnerabilities, four critical. Palo Alto scanned its codebase with frontier models including Anthropic's Mythos and found 75 flaws across 26 CVEs. AI vulnerability discovery is now operational at vendor scale.

Three node-ipc Versions Hide a Stealer Backdoor — and the Attacker Took Over a Dead Maintainer's Domain to Publish Them

Three published versions of node-ipc — a package with 822,000 weekly downloads — hide an obfuscated stealer backdoor that exfiltrates 90 categories of developer and cloud secrets over DNS. The attacker hijacked a lapsed maintainer domain to publish them.

OpenAI Is Rotating Every Code-Signing Certificate It Has — Mini Shai-Hulud Reached Two Employee Laptops

OpenAI confirmed two employee devices were compromised in the Mini Shai-Hulud supply chain attack, exposing code-signing certificates for its apps. OpenAI is rotating every certificate, and macOS users must update before June 12, 2026.

A CVSS 10.0 Cisco SD-WAN Auth Bypass Is Under Active Attack — and UAT-8616 Has Been in This Code Since 2023

Cisco disclosed a maximum-severity authentication bypass in Catalyst SD-WAN, actively exploited as a zero-day by UAT-8616 — the same actor that has targeted this service since 2023. CISA added it to KEV, and there are no workarounds.

A Telehealth Platform Lost 716,000 People's Health Data in Two Days — and Took Four Months to Say So

OpenLoop Health confirmed a January 2026 intrusion that exposed the names, birth dates, and medical information of 716,000 telehealth users. A threat actor called Stuckin2019 claims to hold data on 1.6 million. Disclosure came roughly four months after the breach.

Kimsuky's PebbleDash Now Hits Defense Sectors in Three Countries — And Its New Backdoor Was Coded With AI

Kaspersky found something unusual in a North Korean backdoor: comments that look written by an LLM, not a human. Combined with Kimsuky's expansion into defense targets across three countries, it is documented evidence that state malware development is borrowing AI.

Microsoft's Kazuar Analysis Shows Russia's Secret Blizzard Wants Your Signal Desktop Files

Microsoft's new Kazuar analysis names one capability that ties it to the other Russian Signal operation in the news: Kazuar steals Signal Desktop message files. Encryption protects the conversation in transit — not the database on a compromised laptop.