🚨 12 vulnerabilities in the vm2 Node.js library enable sandbox escape and arbitrary code execution.
Flaws (CVSS up to 10.0) affect versions up to 3.11.1; patches released through 3.11.2.
Read the full story: https://thehackernews.com/2026/05/vm2-nodejs-library-vulnerabilities.html
🚨 Phishing is now behind 60% of breaches, and often the first step in ransomware attacks.
In 2024, 32% of attacks led to payments totaling $813 million, as AI-crafted emails increasingly bypass security and exploit user trust.
Analysis by Austin O'Saben of Kaseya breaks it down.
Read: https://thehackernews.com/expert-insights/2026/05/from-phishing-to-recovery-breaking.html
🚨 Three PyPI packages uploaded July 16–22, 2025 delivered ZiChatBot malware on Windows and Linux.
The malware uses Zulip APIs as C2 and persists via registry and cron.
Read: https://thehackernews.com/2026/05/pypi-packages-deliver-zichatbot-malware.html
Incident response retainers still face delays during breaches without pre-provisioned access.
Short log retention and weak identity visibility increase attacker dwell time and impact.
See how this slows containment: https://thehackernews.com/2026/05/day-zero-readiness-operational-gaps.html
⚡ This week’s #ThreatsDay is a reminder that the internet is held together with duct tape.
• Fake AI apps stealing creds
• Poisoned packages hitting devs
• SMS scams everywhere
• Browser passwords sitting in memory
• Malware hiding in ads + GitHub repos
• AI shrinking exploit timelines to hours
Same attacks. Bigger blast radius.
Read: https://thehackernews.com/2026/05/threatsday-bulletin-edge-plaintext.html
🚨 PAN-OS flaw "CVE-2026-0300" exploited for unauthenticated RCE with root access.
Attacks began April 9 and succeeded within a week, followed by espionage and lateral movement by April 29.
Full details and timeline: https://thehackernews.com/2026/05/pan-os-rce-exploit-under-active-use.html
AI is your biggest compliance blind spot. And most teams don't know it yet.
New attack surfaces. AI-generated code hitting production. Vendor relationships that didn't exist six months ago. The SOC 2 framework wasn't built for any of this and patching it with manual processes isn't going to cut it.
Rippling just launched Automated Compliance for SOC 2 to help companies get ahead of exactly this problem. Now we're bringing together a panel of CISOs to go deeper: what does a modern compliance program actually look like when AI is embedded in how you build, hire, and operate?
Join Mandy Andress (CISO, Elastic), Yassir Abousselham (CISO, Calendly), and Adrian Ludwig (CISO, Rippling) on May 6 to get ahead of it.
If you own security at a growing company, this is the conversation you need to be in.
Compliance in the AI Era: Rethinking SOC 2 & Beyond.
Reserve your seat → https://thn.news/compliance-webinar
🚨 PCPJack malware exploits 5 CVEs to spread across cloud systems.
Steals credentials from Docker, Kubernetes, AWS and more, exfiltrating via Telegram while moving laterally across networks.
Read details: https://thehackernews.com/2026/05/pcpjack-credential-stealer-exploits-5.html
🚨 Ivanti Endpoint Manager Mobile flaw (CVE-2026-6973) is being exploited in limited attacks, enabling remote code execution with admin access.
CISA has added it to its KEV catalog, with federal agencies ordered to patch by May 10, 2026.
Read: https://thehackernews.com/2026/05/ivanti-epmm-cve-2026-6973-rce-under.html
🚨 A new UNPATCHED Linux kernel “Dirty Frag” LPE flaw enables root access on Ubuntu, RHEL, Fedora and other distributions.
Researchers released a working proof-of-concept exploit capable of gaining root in a single command.
Details here: https://thehackernews.com/2026/05/linux-kernel-dirty-frag-lpe-exploit.html
🚨 A new Linux backdoor “PamDOORa” is being sold on a cybercrime forum after its price dropped from $1,600 to $900.
The PAM-based malware enables persistent SSH access, steals credentials, and tampers with authentication logs on compromised systems.
Details: https://thehackernews.com/2026/05/new-linux-pamdoora-backdoor-uses-pam.html
🚨 QLNX, a previously undocumented #Linux RAT, is targeting developers and DevOps systems to steal npm, PyPI, AWS, Kubernetes, Docker, and CI/CD credentials.
The malware uses fileless execution, PAM backdoors, eBPF rootkits, and 58 remote commands to maintain covert access and hijack software supply chains.
Learn more about QLNX here: https://thehackernews.com/2026/05/quasar-linux-rat-steals-developer.html
🚨 Nearly 1% of confirmed enterprise incidents came from low-severity or informational alerts.
Analysis of 25M+ alerts reveals ~1 missed breach per week at average scale.
Forensic scans of 82,000 endpoints uncovered 2,600 active infections; 51% were already marked "mitigated" by EDR.
Full report and findings: https://thehackernews.com/2026/05/one-missed-threat-per-week-what-25m.html
🚨 28 fraudulent apps on the Google Play Store racked up over 7.3 million downloads before removal.
They promised call, SMS, and #WhatsApp histories for any phone number, but delivered only fake data after users paid up to $80.
The CallPhantom scam mainly hit #Android users in India and Asia-Pacific.
Full read → https://thehackernews.com/2026/05/fake-call-history-apps-stole-payments.html
REMINDER: Today, May 8, 2026, #Instagram officially disabled end-to-end encryption for Direct Messages.
• Meta can now read all your chats.
• Download everything NOW or lose it.
• Switch to WhatsApp for encryption.
Details: https://thehackernews.com/2026/03/meta-to-shut-down-instagram-end-to-end.html
🚨 TCLBANKER, a previously undocumented Brazilian banking trojan, is targeting 59 banking, fintech, and #cryptocurrency platforms.
The malware spreads through #WhatsApp Web and Microsoft Outlook, using DLL side-loading, keylogging, and fake credential overlays to evade detection and steal banking credentials.
Read: https://thehackernews.com/2026/05/tclbanker-banking-trojan-targets.html
🚨 cPanel and WHM patched three new vulnerabilities enabling file read, Perl code execution, privilege escalation, and DoS attacks.
The fixes follow recent exploitation of another cPanel zero-day to deploy Mirai variants and Sorry ransomware.
Details: https://thehackernews.com/2026/05/cpanel-whm-patch-3-new-vulnerabilities.html
🚨 CVE-2026-7482 in Ollama could let remote attackers leak process memory from more than 300,000 exposed servers using crafted GGUF files.
Separate unpatched Windows flaws enable persistent code execution through Ollama’s update mechanism.
Full details and mitigations: https://thehackernews.com/2026/05/ollama-out-of-bounds-read-vulnerability.html
Your biggest security risk in 2026 isn’t malware.
It’s the tools you already trust.
Attackers are ditching malicious files and “living off the land” with PowerShell, WMIC, Certutil and native binaries that your security tools barely blink at.
84% of high-severity incidents now do this.
Read why → https://thehackernews.com/expert-insights/2026/05/your-biggest-security-risk-isnt-malware.html
🚨 WARNING: A malicious Hugging Face repository impersonating #OpenAI’s Privacy Filter model reached #1 trending with about 244,000 downloads in 18 hours while delivering a Rust-based infostealer to Windows users.
Hugging Face disabled the repo; researchers also linked the infrastructure to a ValleyRAT campaign.
Read: https://thehackernews.com/2026/05/fake-openai-privacy-filter-repo-hits-1.html
The internet had another normal week...
• Poisoned installers
• Firewall zero-days
• Linux rootkits
• Cloud hijacks
• OAuth theft
• ClickFix traps
• AI bug hunting
• Fake updates everywhere
⚡ Weekly cyber recap just dropped: https://thehackernews.com/2026/05/weekly-recap-linux-rootkit-macos-crypto.html