Threat Intelligence

Line-art illustration of a balance scale tilted toward a heavy bug icon labeled 31% and away from a light key icon labeled 13%, on slate-blue background with one red dot accent.

Threat Intelligence

Verizon DBIR 2026: Vulnerability Exploitation Just Overtook Credential Theft as the #1 Way Attackers Get In

Verizon's 19th DBIR re-baselines the threat model: vulnerability exploitation hit 31% of breaches up from 20% — now the #1 vector. Credential abuse fell to 13%. AI is shrinking patching windows from months to hours. Third-party breaches up 60% YoY.

19 May 2026

Line-art illustration of a glitched Luxembourg map with a fractured network signal and a question-marked Huawei router, on slate-gray background with one red dot accent.

Critical Infrastructure

Luxembourg's Entire Telecom Network Crashed in July 2024. Ten Months Later, the Huawei Zero-Day Behind It Still Has No CVE.

The Record disclosed that the July 23, 2024 nationwide outage of Luxembourg's POST mobile network — which knocked out 4G, 5G, landline, and emergency comms for 3+ hours — was caused by a Huawei enterprise router zero-day. Ten months later: no CVE, no Huawei acknowledgment.

19 May 2026

Line-art illustration of a fractured SEPPmail lockbox spilling envelopes marked "READ" with an Alpine mountain silhouette, on jade background with one red dot accent.

Application Security

SEPPmail Just Disclosed Seven CVEs. The Worst Lets Anyone on the Internet Read Your Email Traffic.

InfoGuard Labs disclosed seven CVEs in SEPPmail Secure E-Mail Gateway including CVE-2026-2743 (CVSS 10.0 path traversal to full appliance takeover) and CVE-2026-44128 (unauthenticated Perl eval() RCE). Patched in 15.0.2.1, 15.0.3, and 15.0.4.

19 May 2026

Line-art illustration of an npm package with a fractured green check-mark badge on teal background, with one flat red dot accent.

Application Security

Shai-Hulud Is Now Generating Valid Sigstore Provenance Badges for Its Malicious npm Packages

Mini Shai-Hulud pushed ~42 malicious packages through a compromised @antv maintainer account on May 19 with valid Sigstore Fulcio certificates and Rekor entries. The green "verified" badge defenders have been trusting now sits on malicious code.

19 May 2026

White line-art of a login screen with password and 2FA fields and a Python script icon on the 2FA gate, on copper background with one red dot.

AI Security

Google Just Caught the First AI-Built Zero-Day Used in the Wild — It Was a 2FA Bypass

Google Threat Intelligence Group disclosed the first known AI-developed zero-day used in the wild — a Python 2FA bypass intended for mass exploitation. Google identified the LLM fingerprint and coordinated a patch before the campaign could launch.

18 May 2026

White line-art illustration of an npm package cloning into four copies with a BreachForums label, on an oxblood background with a single red dot accent.

Application Security

TeamPCP Leaked the Shai-Hulud Source. Within a Week, a Copycat Pushed Clones to npm.

A single npm user account pushed four malicious packages, including a near-verbatim clone of the Shai-Hulud worm, within a week of TeamPCP open-sourcing the worm source on BreachForums. Mini Shai-Hulud has graduated from a campaign to an ecosystem capability.

18 May 2026

White line-art of a wireframe sphere compressed by inward arrows with a 30 g/cm cubed label, on a jade background with one red dot accent.

Nation-State Cyber Threats

Symantec Confirms Fast16: The 2005-Era Sabotage Tool That Quietly Poisoned Nuclear Weapon Simulations

Symantec independently confirmed Fast16, a 2005-era pre-Stuxnet sabotage framework first disclosed by SentinelOne. It silently corrupted LS-DYNA and AUTODYN finite-element solver outputs for nuclear weapons design, acting only when material density crossed 30 g/cm cubed.

18 May 2026

White line-art of the MENA region with thirteen flag pins and a seized server stack on a terracotta background, with one red dot accent.

Policy & Government

INTERPOL Just Arrested 201 Cybercriminals Across 13 MENA Countries — Operation Ramz Is the First of Its Kind

INTERPOL announced Operation Ramz, the first regional cybercrime enforcement operation focused on MENA. Active October 2025 – February 28, 2026: 201 arrests, 53 servers seized, 3,867 victims across 13 participating countries. Kaspersky and Group-IB contributed.

18 May 2026

Mustard-yellow background, white line art: a Windows shield struck from below by an arrow rising from a cldflt.sys driver block, with a flat red dot accent.

Vulnerabilities

MiniPlasma: A Researcher's SYSTEM Exploit Just Revealed Microsoft's 2020 Patch Was Silently Undone

Nightmare-Eclipse released MiniPlasma May 13, 2026 — a working SYSTEM-level exploit for cldflt.sys on fully patched Windows 11. The bug is CVE-2020-17103, patched by Microsoft in December 2020. The 2020 PoC still works — and no 2026 patch exists.

18 May 2026

White line-art illustration of a fingerprint between a hospital silhouette and a vendor server rack on a plum background, with one red dot accent.

Data Breaches

NYC Health + Hospitals Just Lost 1.8 Million People's Fingerprints in a Third-Party Breach

NYC Health + Hospitals confirmed an intrusion through an unnamed third-party vendor exposed personal and medical data of at least 1.8 million individuals, including stolen biometric fingerprint records. The first major US public-hospital disclosure to confirm biometric loss.

18 May 2026

AI Security

CrowdStrike Brought Falcon AIDR to Kubernetes. AI Runtime Security Is Now a Five-Vendor Market.

CrowdStrike extended Falcon AIDR to Kubernetes AI workloads with a 180-technique taxonomy and 99% sub-30ms benchmark — making AI runtime security a five-vendor category.

17 May 2026

Line-art illustration of a smartphone showing a Microsoft device login code being captured remotely, depicting the Tycoon2FA OAuth device-code variant.

Cyber Attacks

Tycoon2FA Came Back in Weeks. The OAuth Device-Code Variant Uses Microsoft's Own Login Page Against M365.

Tycoon2FA is back six weeks after the Microsoft/Europol takedown — now phishing OAuth device-code consents against M365 via a Trustifi-laundered relay.

17 May 2026

See all