⚠️ Microsoft says 35,000 users were targeted in an April 2026 phishing campaign across 13,000 organizations in 26 countries.
Attackers used AiTM phishing, CAPTCHA pages, and trusted email services to steal credentials and bypass MFA.
Full story: https://thehackernews.com/2026/05/microsoft-details-phishing-campaign.html
🚨 Critical RCE flaw (CVE-2026-22679, CVSS 9.8) in Weaver E-cology 10.0 is under active exploitation.
Attackers use unauthenticated requests to execute commands; activity observed since March 17–31, 2026, with failed payload drops & MSI attempts.
Details: https://thehackernews.com/2026/05/weaver-e-cology-rce-flaw-cve-2026-22679.html
⚠️ North Korea-linked ScarCruft breached sqgame[.]net in a supply chain attack, deploying BirdCall malware targeting ethnic Koreans in China.
Trojanized Android apps and earlier Windows updates enabled surveillance via cloud-based control systems.
Read: https://thehackernews.com/2026/05/scarcruft-hacks-gaming-platform-to.html
⚠️ A scan of 2M hosts found 1M exposed services, revealing widespread security gaps in self-hosted AI systems.
31% of 5,200 Ollama servers responded without authentication, and 90+ platforms were publicly accessible. Weak defaults and misconfigurations are driving exposure.
Read: https://thehackernews.com/2026/05/we-scanned-1-million-exposed-ai.html
⚠️ A critical MetInfo CMS flaw (CVE-2026-29014, CVSS 9.8) is under active exploitation, allowing unauthenticated remote code execution.
Attacks began April 25 and surged by May 1, targeting exposed systems globally.
Details: https://thehackernews.com/2026/05/metinfo-cms-cve-2026-29014-exploited.html
🚨 Stolen OAuth tokens enabled access to 700+ Salesforce environments, bypassing MFA in a Drift-linked breach.
45% of organizations still don't monitor these tokens despite known risks.
Read more: https://thehackernews.com/2026/05/the-back-door-attackers-know-about-and.html
MSPs: Had enough M365 security firefighting? Let AI handle it.
Optimize365 gives MSPs a single screen to manage, protect, and PROVE VALUE across EVERY CLIENT:
• 40-second prospect scan
• 2-minute onboarding
• Impact prediction that tells you what will break before you touch it
Your clients get BETTER SECURITY. Your team gets their TIME BACK. Your BUSINESS GROWS.
Start free at https://thn.news/optimize365-guide
#MSPs #M365 #M365security #AI
China-linked APT group UAT-8302 targeted government entities in South America since 2024 and Southeastern Europe in 2025, Cisco Talos says.
Researchers link its attacks to shared malware used across multiple China-aligned hacking groups.
Details: https://thehackernews.com/2026/05/china-linked-uat-8302-targets.html
⚡ AI Agents are now reaching Domain Admin in MINUTES.
While your team is still stuck in meetings & alert triage. Game over.
Learn from experts at Picus Security:
• Autonomous Exposure Validation
• Sync CTI, Red & Blue teams
• Remediation at machine speed
Watch this webinar now: https://thehacker.news/agentic-exposure-validation
🚨 ALERT - DAEMON Tools installers from its official site were trojanized in a supply chain attack starting April 8, 2026, Kaspersky says.
Thousands of infection attempts hit 100+ countries, with malware selectively deployed to about a dozen targets.
Read the full story: https://thehackernews.com/2026/05/daemon-tools-supply-chain-attack.html
🚨 Apache patches CVE-2026-23918 (CVSS 8.8) in HTTP Server 2.4.66.
The HTTP/2 double-free flaw can trigger DoS and potentially enable remote code execution via crafted requests. Fixed in 2.4.67.
Details here: https://thehackernews.com/2026/05/critical-apache-http2-flaw-cve-2026.html
🚨 PAN-OS firewalls hit by active exploitation of CVE-2026-0300, enabling unauthenticated RCE with root access.
The unpatched flaw targets publicly exposed User-ID portals, affecting multiple versions. Fixes expected May 13, 2026.
Read the full story: https://thehackernews.com/2026/05/palo-alto-pan-os-flaw-under-active.html
🚨 CloudZ RAT exploits Microsoft Phone Link to intercept SMS and OTPs without infecting phones.
Active since January 2026, the attack enables credential theft and 2FA bypass via synced data.
Full details: https://thehackernews.com/2026/05/windows-phone-link-exploited-by-cloudz.html
Android apps after May 1, 2026 will be logged in a public cryptographic ledger to verify authenticity and detect tampering.
The move targets supply chain attacks where signed software is secretly altered.
Read the full story: https://thehackernews.com/2026/05/android-apps-get-public-verification.html
🚨 84% of cyberattacks now blend in using legitimate tools, not malware, across 700,000 incidents, according to Bitdefender's Cristian Iordache.
Up to 95% of access to risky tools is unnecessary, quietly expanding attack surfaces.
See how this shifts security risk: https://thehackernews.com/expert-insights/2026/05/your-biggest-security-risk-isnt-malware.html
⚡ AI agents are being deployed faster than enterprises can govern them.
About 50% of enterprise identity activity now occurs outside centralized IAM visibility, creating an unmanaged layer of "identity dark matter."
This gap is expanding alongside AI adoption.
Read the full analysis: https://thehackernews.com/2026/05/your-ai-agents-are-already-inside.html
The Hacker News launches Cybersecurity Stars Awards 2026, a global stage to spotlight excellence across companies, products, and professionals.
Built for credibility. Submissions now open.
Full details and how to apply: https://thehackernews.com/2026/05/the-hacker-news-launches-cybersecurity.html
GRC Leader's Checklist: MCP Server Deployment.
MCP gives your existing LLM direct, governed access to your live GRC data. No custom builds required.
✨ Get the GRC leader's checklist for steps to deploy your server and start querying live data today: https://thn.news/grc-mcp-checklist
🚨 Iran-linked MuddyWater ran a false flag ransomware attack in early 2026.
Attackers used Microsoft Teams social engineering to steal credentials and bypass MFA, prioritizing data exfiltration and persistent access over encryption.
Read the full story: https://thehackernews.com/2026/05/muddywater-uses-microsoft-teams-to.html
🚨 A Mirai-based botnet dubbed xlabs_v1 is exploiting exposed #Android Debug Bridge (ADB) services on port 5555 to hijack IoT devices.
It enables 21 DDoS attack methods and uses bandwidth profiling to tier attacks, targeting game servers.
Read: https://thehackernews.com/2026/05/mirai-based-xlabsv1-botnet-exploits-adb.html