⚠️ Update: Mini Shai-Hulud is spreading across ecosystems.

→ intercom-client (npm) and intercom-php (Packagist) compromised
→ Install-time hooks deploy credential stealer

Attack targets GitHub tokens, cloud creds, SSH keys, Kubernetes, Vault, Docker, and .env files.

Read: https://thehackernews.com/2026/04/pytorch-lightning-compromised-in-pypi.html#intercom-npm-and-packagist-package-compromised-as-part-of-mini-shai-hulud

Campaign linked to TeamPCP and earlier Lightning compromise.

😬 Poisoned Ruby gems + Go modules used in a supply chain attack.

• Steal AWS creds, SSH keys, configs
• Tamper GitHub Actions via fake binaries
• Add SSH access for persistence

Read → https://thehackernews.com/2026/05/poisoned-ruby-gems-and-go-modules.html

🛑 Two cybersecurity professionals were sentenced to four years each for helping deploy BlackCat ransomware across the U.S. in 2023.

They took a share of ransom payments, including about $1.2 million in Bitcoin from one victim.

Read → https://thehackernews.com/2026/05/two-cybersecurity-professionals-get-4.html

Cybersecurity market: $38 B → $69 B by 2030

Yet MSPs still lose deals:
• 77% can’t create urgency
• 66% face cost pushback
• 8+ decision-makers per deal

Fix: sell outcomes, not tech

Read more → https://thehackernews.com/2026/05/top-five-sales-challenges-costing-msps.html

⚠️ China-linked hackers targeted governments across Asia + a NATO state (Poland), exploiting Exchange/IIS flaws to deploy ShadowPad.

At the same time: journalists & activists hit with phishing campaigns.

Two ops. Same priorities.

Details here → https://thehackernews.com/2026/05/china-linked-hackers-target-asian.html

⚠️ Two cybercrime groups are executing rapid SaaS attacks with minimal trace.

Cordial Spider and Snarky Spider use vishing and AiTM phishing to steal credentials, bypass MFA, and access multiple platforms through SSO.

Read: https://thehackernews.com/2026/05/cybercrime-groups-using-vishing-and-sso.html

🛑 30,000 Facebook accounts compromised in a phishing campaign using Google AppSheet emails.

A Vietnamese-linked operation called AccountDumpling targeted Facebook Business users, stole credentials, sent data to Telegram, and resold accounts.

Read: https://thehackernews.com/2026/05/30000-facebook-accounts-hacked-via.html

🚨 Cybersecurity firm Trellix confirms a breach.

Attackers accessed part of its source code repository; no exploitation or release impact found. Investigation ongoing with forensic experts and law enforcement.

Details ➜ https://thehackernews.com/2026/05/trellix-confirms-source-code-breach.html

🚨 New analysis reveals browser extensions legally selling user data.

80 extensions affect 6.5M+ users—ad blockers and streaming tools included—collecting and reselling browsing, viewing, and demographic data.

All disclosed in privacy policies.

Read: https://thehackernews.com/2026/04/threatsday-bulletin-sms-blaster-busts.html#extensions-legally-sell-user-data

⚠️ A new #Linux flaw is now under active exploitation.

CISA added CVE-2026-31431 to its KEV list. The bug lets low-privilege users gain full root access. Patches released.

Fix deadline: May 15, 2026.

Read: https://thehackernews.com/2026/05/cisa-adds-actively-exploited-linux-root.html

276 suspects arrested in a global crackdown on crypto investment scams.

Dubai Police, FBI, and Chinese authorities shut down 9 scam centers targeting Americans. $701 M in crypto seized. FBI alerts helped save $562 M for nearly 9,000 victims.

Read: https://thehackernews.com/2026/05/global-crackdown-arrests-276-shuts-9.html

CVE-2026-41940 (cPanel) exploited within 24h

• 44,000 IPs linked to scanning/brute-force activity
• Targets: Southeast Asia gov/military + MSPs
• Enables auth bypass → full system control
• Mirai variants and Sorry ransomware observed

Read: https://thehackernews.com/2026/05/critical-cpanel-vulnerability.html

🚨 Silver Fox targets India & Russia with phishing attacks. 1,600+ emails spread ValleyRAT + new ABCDoor backdoor via tax-themed lures.

Uses RustSL loader, geofencing, and reboot-based persistence.

Read: https://thehackernews.com/2026/05/silver-fox-deploys-abcdoor-malware-via.html

AI is accelerating cybercrime at a dangerous pace.

2025 data:
🔸 454,600 malicious packages
🔸 Exploit time down to 44 days
🔸 28.3% of vulnerabilities hit within 24 hours
🔸 Even nontechnical actors are launching major attacks.

Read ⬇️ https://thehackernews.com/2026/05/2026-year-of-ai-assisted-attacks.html

SOC 2 compliance has been a second job for too long.

Procure the tools. Wire the integrations. Chase the evidence. File the ticket. Wait. Follow up. Audit anyway.

Today, that changes.

Introducing Rippling Automated Compliance for SOC 2: the first compliance solution built directly into the platform that already runs your HR, IT, and access controls. Integrate your data to allow evidence collection to begin. Issues get fixed at the source. Your audit doesn't have to be a fire drill.

Other tools sit on top of your stack and report on what's broken. Rippling IS the stack to help you stay audit-ready.

SOC 2 built in. Not bolted on.

Learn about Automated Compliance for SOC 2 → https://thn.news/compliance-automation

⚡ The internet took a beating this week.

• cPanel servers wiped
• Linux 100% kernel hack
• TeamPCP supply chain storm
• GitHub one-push RCE
• AI-powered phishing kits
• Ransomware +389%
• Scattered Spider arrest

...and many MORE STORIES.

Full recap 👇 https://thehackernews.com/2026/05/weekly-recap-ai-powered-phishing.html

⚠️ Critical flaws hit MOVEit Automation.

A CVSS 9.8 bug allows authentication bypass, while another enables privilege escalation. Progress Software has issued patches—no exploitation reported yet.

Read: https://thehackernews.com/2026/05/progress-patches-critical-moveit.html

🚨 A phishing campaign is quietly breaching dozens of organizations.

Since April 2025, VENOMOUS#HELPER has hit 80+ targets — mostly in the U.S. Attackers use legitimate RMM tools like SimpleHelp & ScreenConnect to gain persistent, stealth access.

Read: https://thehackernews.com/2026/05/phishing-campaign-hits-80-orgs-using.html

AI just crossed a new security threshold.

According to Augusto Barros at Prophet Security , “Claude Mythos” autonomously executed full corporate network takeovers — succeeding 30% of the time.

Tasks that take human experts ~20 hours… now happen in minutes. Attacker speed is collapsing.

Read the full analysis: https://thehackernews.com/expert-insights/2026/05/mythos-is-coming-what-next-six-months.html

⚠️ Microsoft says 35,000 users were targeted in an April 2026 phishing campaign across 13,000 organizations in 26 countries.

Attackers used AiTM phishing, CAPTCHA pages, and trusted email services to steal credentials and bypass MFA.

Full story: https://thehackernews.com/2026/05/microsoft-details-phishing-campaign.html

🚨 Critical RCE flaw (CVE-2026-22679, CVSS 9.8) in Weaver E-cology 10.0 is under active exploitation.

Attackers use unauthenticated requests to execute commands; activity observed since March 17–31, 2026, with failed payload drops & MSI attempts.

Details 👉 https://thehackernews.com/2026/05/weaver-e-cology-rce-flaw-cve-2026-22679.html