Application Security
Trend Micro researchers disclosed Quasar Linux RAT (QLNX) on May 4 — a Linux implant purpose-built to harvest npm tokens, PyPI keys, AWS credentials, Kubernetes configs, and the rest of the developer credential file universe. Capabilities map to the LiteLLM compromise of March 2026.
shinyhunters
Cushman & Wakefield confirmed a vishing-related breach on May 5. ShinyHunters and Qilin both listed it on their leak sites within days. After negotiations failed, ShinyHunters posted a 50GB Salesforce dataset on May 8. The dual-claim attribution puzzle is the new operational story for SaaS-era IR.
Cyber Crime
A federal jury in Alexandria, Virginia convicted Sohaib Akhter on May 7, 2026 for his role in deleting roughly 96 U.S. government databases at federal contractor Opexus on the day he and his twin brother were fired in February 2025. The case is also notable for an unprecedented detail:
Application Security
RansomHouse claimed responsibility on May 7 for the Trellix breach the cybersecurity firm disclosed last week — and Cybernews researchers say screenshots posted by the group show internal VMware, Rubrik, and Dell EMC dashboards. That's a much wider compromise than Trellix's "portion of our source code
shinyhunters
ShinyHunters defaced Canvas login pages worldwide on May 7 — disrupting finals week at Harvard, Penn, Duke, and Virginia Tech. The group claims 275 million records from 9,000 schools and is now telling individual schools to negotiate ransom payments by May 12. Instructure had declared the May 1 incident contained
Application Security
WIRED's Andy Greenberg published an investigation on May 7, 2026 reporting that the Israeli cybersecurity firm RedAccess found roughly 380,000 publicly accessible web assets built with AI "vibe-coding" platforms — Lovable, Base44, Replit, and Netlify — of which around 5,000 exposed sensitive corporate data and another
Malware
Kaspersky disclosed on May 5, 2026 that Daemon Tools — disk-imaging software with millions of users worldwide — has been distributing trojanized installers from its official website since April 8, 2026. The compromised binaries were signed with valid AVB Disc Soft developer certificates. Thousands of machines across approximately 100 countries received a
Threat Intelligence
Dragos published an intelligence brief on May 6, 2026, documenting a cyber-attack against Servicios de Agua y Drenaje de Monterrey — a municipal water utility in northern Mexico — between December 2025 and February 2026 in which attackers used Anthropic's Claude and OpenAI's GPT to plan the operation,
Ransomware
The DOJ sentenced Latvian national Deniss Zolotarjovs to 102 months in prison on May 4, 2026 — the first U.S. prosecution of a Karakurt member ever. Court documents tie the Conti-affiliated negotiator to extortion of more than 54 organizations, $56 million in losses across 13 victims alone, and a deliberate
Threat Intelligence
ESET disclosed a North Korea-aligned APT37/ScarCruft supply-chain compromise of sqgame.net, a Yanbian-themed gaming platform serving the ethnic-Korean community on the China-North Korea border. Trojanized Android APKs deploy a new BirdCall backdoor port. The APKs are still live.
Ransomware
World Leaks — the rebrand of Hunters International — published 8.5 terabytes and roughly 15 million files from Mediaworks, Hungary's pro-Orbán media giant. Mediaworks asked journalists not to report on the leak, citing criminal data-handling law. At least one Hungarian outlet refused. The data-extortion group World Leaks claimed responsibility
Cyber Attacks
Trellix — formed from McAfee Enterprise + FireEye, owned by Symphony Technology Group — confirms unauthorized access to its source code repository. Customers should monitor and ask, not panic.