Supply Chain Attack
An automated campaign called Megalodon pushed 5,718 malicious commits to 5,561 GitHub repositories in six hours, hiding secret-stealing payloads inside CI/CD workflow files. It weaponizes the merge — the most routine action in software development.
Social Engineering
The Based Apparel merchandise site was pulled offline on May 22 after reports it served a ClickFix attack: a fake Cloudflare check whose copy button placed a hidden shell command on the clipboard for visitors to paste into their own terminal.
Cybersecurity 101
A complete guide to the major types of cyberattacks — from malware and phishing to injection, credential, and AI-enabled attacks — and how to defend against each.
Vulnerabilities
Cisco patched CVE-2026-20223, a CVSS 10.0 flaw in Cisco Secure Workload: insufficient authentication on internal REST API endpoints lets an unauthenticated attacker seize Site Admin — full control of the microsegmentation platform built to contain attackers.
Policy & Government
A Europol- and Eurojust-coordinated operation dismantled First VPN — a service Europol calls the most widely used in the cybercrime underground — arresting an admin, seizing 33 servers, and identifying thousands of cybercrime-linked users. The intelligence yield is the story.
Vulnerabilities
Drupal shipped an out-of-band 'Highly Critical' fix for CVE-2026-9082, an unauthenticated SQL injection in Drupal core affecting every PostgreSQL-backed site. Maintainers warned exploits could land within hours — for a core flaw pre-announced on schedule, the patch window is effectively closed.
Cyber Attacks
GitHub confirmed TeamPCP (UNC6780) exfiltrated roughly 3,800 internal repositories after an employee installed a poisoned Visual Studio Code extension. The same actor behind the Mini Shai-Hulud worm listed the data for $50,000+ on BreachForums — framed as a sale, not a ransom.
Nation-State Cyber Threats
ESET documented Webworm, a China-aligned APT that pivoted from Asia to European governments. Its two new backdoors — EchoCreep and GraphWorm — run command-and-control entirely on Discord and Microsoft OneDrive, hiding inside the trusted cloud traffic every enterprise allowlists.
Application Security
Microsoft's Digital Crimes Unit disrupted Fox Tempest on May 19 — a malware-signing-as-a-service operation that issued over 1,000 fraudulent code-signing certificates to ransomware crews including Rhysida, Vanilla Tempest, and three Storm clusters at up to $9,500 per signed sample.
Threat Intelligence
Verizon's 19th DBIR re-baselines the threat model: vulnerability exploitation hit 31% of breaches up from 20% — now the #1 vector. Credential abuse fell to 13%. AI is shrinking patching windows from months to hours. Third-party breaches up 60% YoY.
Application Security
A single npm user account pushed four malicious packages, including a near-verbatim clone of the Shai-Hulud worm, within a week of TeamPCP open-sourcing the worm source on BreachForums. Mini Shai-Hulud has graduated from a campaign to an ecosystem capability.
Policy & Government
INTERPOL announced Operation Ramz, the first regional cybercrime enforcement operation focused on MENA. Active October 2025 – February 28, 2026: 201 arrests, 53 servers seized, 3,867 victims across 13 participating countries. Kaspersky and Group-IB contributed.