Cyber Attacks
Apache HTTP/2 Double-Free RCE: One Version Affected, Six Days to Patch
Apache HTTP Server 2.4.66 ships with a double-free in mod_http2 — exploitable on default Debian builds and patched six days later in 2.4.67.
This category focuses on the security lifecycle of software, from development and deployment to runtime behavior. Coverage includes vulnerability research, unauthorized persistence mechanisms (such as Launch Agents and Daemons), API security, and the risks associated with third-party software integrations. It serves as the primary resource for identifying how flaws or "hidden features" in applications can lead to system-wide compromise or data exfiltration.
AI Security
OpenAI launched Daybreak on May 11, 2026 — an AI vulnerability discovery platform with three GPT-5.5 models and a 20+ partner roster including Cisco, Cloudflare, CrowdStrike, Palo Alto, Snyk, Tenable, and Rapid7. The AI defender market just formed.
Cyber Attacks
Microsoft confirmed active exploitation of CVE-2026-42897, a high-severity XSS zero-day in on-prem Exchange OWA, with no permanent patch — only EEMS mitigation. The eventual fix for Exchange 2016 and 2019 will only reach Period 2 ESU customers.
AI Security
Microsoft's MDASH AI found 16 of May's Patch Tuesday vulnerabilities, four critical. Palo Alto scanned its codebase with frontier models including Anthropic's Mythos and found 75 flaws across 26 CVEs. AI vulnerability discovery is now operational at vendor scale.
Application Security
Three published versions of node-ipc — a package with 822,000 weekly downloads — hide an obfuscated stealer backdoor that exfiltrates 90 categories of developer and cloud secrets over DNS. The attacker hijacked a lapsed maintainer domain to publish them.
Cyber Attacks
OpenAI confirmed two employee devices were compromised in the Mini Shai-Hulud supply chain attack, exposing code-signing certificates for its apps. OpenAI is rotating every certificate, and macOS users must update before June 12, 2026.
Cyber Attacks
Cisco disclosed a maximum-severity authentication bypass in Catalyst SD-WAN, actively exploited as a zero-day by UAT-8616 — the same actor that has targeted this service since 2023. CISA added it to KEV, and there are no workarounds.
Application Security
An autonomous AI was pointed at the NGINX source code and found a critical RCE that survived 18 years of human review — plus three more CVEs in the same six-hour session. NGINX runs a third of the internet's top sites. The discovery method is the bigger story.
Supply Chain Attack
RubyGems temporarily turned off new signups after what its security partner called a major malicious attack — hundreds of packages, DDoS, spam, and exploits hitting at once. The halt is the response model defenders should remember.
Application Security
Three unrelated threat actors arrived at the same conclusion in March and April: the developer workstation is the best ROI beachhead. CSO Online's framing — the Developer Credential Economy — is the editorial line CISOs should adopt this quarter.
Data Breaches
Comcast just agreed to write a $117.5 million check over a vulnerability it didn't write. The Xfinity settlement is the first major Citrix Bleed bill to come due — the precedent it sets for shared customer-vendor liability is the part defenders should read twice.
Application Security
TeamPCP's Mini Shai-Hulud worm hit 170+ packages May 11, including TanStack, Mistral AI, and Guardrails AI. First npm worm to ship valid SLSA Build Level 3 provenance for malicious code.