Application Security
Mini Shai-Hulud pushed ~42 malicious packages through a compromised @antv maintainer account on May 19 with valid Sigstore Fulcio certificates and Rekor entries. The green "verified" badge defenders have been trusting now sits on malicious code.
AI Security
Google Threat Intelligence Group disclosed the first known AI-developed zero-day used in the wild — a Python 2FA bypass intended for mass exploitation. Google identified the LLM fingerprint and coordinated a patch before the campaign could launch.
Application Security
A single npm user account pushed four malicious packages, including a near-verbatim clone of the Shai-Hulud worm, within a week of TeamPCP open-sourcing the worm source on BreachForums. Mini Shai-Hulud has graduated from a campaign to an ecosystem capability.
Nation-State Cyber Threats
Symantec independently confirmed Fast16, a 2005-era pre-Stuxnet sabotage framework first disclosed by SentinelOne. It silently corrupted LS-DYNA and AUTODYN finite-element solver outputs for nuclear weapons design, acting only when material density crossed 30 g/cm cubed.
Policy & Government
INTERPOL announced Operation Ramz, the first regional cybercrime enforcement operation focused on MENA. Active October 2025 – February 28, 2026: 201 arrests, 53 servers seized, 3,867 victims across 13 participating countries. Kaspersky and Group-IB contributed.
Vulnerabilities
Nightmare-Eclipse released MiniPlasma May 13, 2026 — a working SYSTEM-level exploit for cldflt.sys on fully patched Windows 11. The bug is CVE-2020-17103, patched by Microsoft in December 2020. The 2020 PoC still works — and no 2026 patch exists.
Data Breaches
NYC Health + Hospitals confirmed an intrusion through an unnamed third-party vendor exposed personal and medical data of at least 1.8 million individuals, including stolen biometric fingerprint records. The first major US public-hospital disclosure to confirm biometric loss.
AI Security
CrowdStrike extended Falcon AIDR to Kubernetes AI workloads with a 180-technique taxonomy and 99% sub-30ms benchmark — making AI runtime security a five-vendor category.
Cyber Attacks
Tycoon2FA is back six weeks after the Microsoft/Europol takedown — now phishing OAuth device-code consents against M365 via a Trustifi-laundered relay.
Cyber Attacks
Grafana caught a CoinbaseCartel breach via canary token, traced it to a pull_request_target Pwn Request, and refused to pay — the second Pwn Request hit in three weeks.
Threat Intelligence
CrowdStrike's 2026 Financial Services Threat Landscape Report logs $2.02B in DPRK theft, PRESSURE CHOLLIMA's $1.46B record heist, and AI-tripled CHOLLIMA tempo.
AI Security
XBOW disclosed a CVSS 9.8 unauthenticated RCE in Exim — and used the seven-day window to race its autonomous LLM exploit pipeline against human researchers.