On-prem Microsoft Exchange Server CVE-2026-42897 is under active exploitation.
The CVSS 8.1 spoofing flaw stems from XSS and can allow arbitrary JavaScript execution when crafted emails are opened in Outlook Web Access under certain conditions.
Read: https://thehackernews.com/2026/05/on-prem-microsoft-exchange-server-cve.html
Two OpenAI employee devices were impacted in the Mini Shai-Hulud supply chain attack via TanStack.
Limited credentials were exfiltrated from internal code repos, prompting macOS certificate revocation and required app updates before June 12, 2026.
Read: https://thehackernews.com/2026/05/tanstack-supply-chain-attack-hits-two.html
Your biggest blind spot isn't malware. It's the trusted tools your team already uses every day.
PowerShell. Certutil. netsh.
Attackers love them too, and Bitdefender just proved it in 700,000+ incidents.
What happens when you watch your own tools for 45 days? Learn here: https://thehackernews.com/2026/05/what-45-days-of-watching-your-own-tools.html
Four OpenClaw vulnerabilities dubbed Claw Chain can be chained to steal sensitive data, escalate privileges, and establish persistence.
All four flaws are fixed in OpenClaw 2026.4.22.
Full technical breakdown of the attack chain and CVEs: https://thehackernews.com/2026/05/four-openclaw-flaws-enable-data-theft.html
Turla has rebuilt Kazuar into a modular P2P botnet designed for stealth and persistent access.
The upgraded .NET backdoor uses Kernel, Bridge, and Worker modules to handle C2, tasking, collection, and exfiltration.
Learn more: https://thehackernews.com/2026/05/turla-turns-kazuar-backdoor-into.html
Funnel Builder plugin versions before 3.15.0.3 are under active exploitation to inject payment skimmers into #WooCommerce checkout pages.
The plugin is used by 40,000+ stores.
Full details: https://thehackernews.com/2026/05/funnel-builder-flaw-under-active.html
Your Cisco firewall might still be owned… even after you patched it.
Meet FIRESTARTER, the backdoor that laughs at reboots, firmware updates, and patches. It hit a U.S. federal agency last year.
Learn more: https://thehackernews.com/2026/05/weekly-recap-linux-rootkit-macos-crypto.html#:~:text=FIRESTARTER%20Backdoor%20Targets%20Cisco%20Devices
Grafana's GitHub environment was accessed with an unauthorized token, allowing codebase download and an extortion attempt.
Even for open-source firms, GitHub access can expose private repos, secrets, or unreleased code.
What's known so far: https://thehackernews.com/2026/05/grafana-github-token-breach-led-to.html
NGINX bug (CVE-2026-42945) now under active exploitation.
Critical heap overflow in rewrite module. Attackers can crash workers with one request (possible RCE).
Patch now if using NGINX ≤1.30.0. Check rewrite/if/set rules.
Full details: https://thehackernews.com/2026/05/nginx-cve-2026-42945-exploited-in-wild.html
MiniPlasma, a Windows privilege escalation zero-day in cldflt.sys, can grant SYSTEM privileges on fully patched systems.
A PoC works reliably on Windows 11 with May 2026 updates; latest Insider Preview Canary appears unaffected.
Read details - https://thehackernews.com/2026/05/miniplasma-windows-0-day-enables-system.html
Before Stuxnet, fast16 was designed to corrupt nuclear weapons simulations.
The Lua-based sabotage malware tampered with uranium-compression modeling in LS-DYNA and AUTODYN, activating during detonation runs above 30 g/cm³.
The framework may date back to 2005.
Read full story: https://thehackernews.com/2026/05/pre-stuxnet-fast16-malware-tampered.html
Four malicious npm packages with 3,006 downloads were found delivering infostealers and Phantom Bot DDoS malware.
One package clones leaked Shai-Hulud worm code, while others steal SSH keys, cloud credentials and wallet data.
Full details: https://thehackernews.com/2026/05/four-malicious-npm-packages-deliver.html
Ivanti, Fortinet, SAP, VMware and n8n released fixes for flaws tied to auth bypass, RCE, SQL injection and privilege escalation.
The patches include CVSS 9.6 bugs in Ivanti Xtraction and SAP, plus five n8n RCE flaws.
See what was fixed: https://thehackernews.com/2026/05/ivanti-fortinet-sap-vmware-n8n-patch.html
Developer laptops just became the new front line of supply chain attacks.
Attackers are stealing GitHub tokens, cloud creds, SSH keys & registry tokens directly from dev workstations, then publishing malicious packages.
Three separate campaigns hit npm, PyPI, and Docker Hub in just 48 hours. Supply chain attacks now start before code reaches Git.
Full story: https://thehackernews.com/2026/05/developer-workstations-are-now-part-of.html
Clean-looking phishing emails are bypassing filters and hitting US orgs hard.
Fake invitations + CAPTCHA tricks lead to credential theft, OTP capture & RMM tools.
Full attack chain unfolds in just 40 seconds: https://thehackernews.com/2026/05/how-to-reduce-phishing-exposure-before.html
This Week in The Hacker News Weekly #Cybersecurity Recap:
- Exchange 0-day
- npm worm
- Fake AI repo
- Cisco exploit
- RCS encryption
- Ransom deal
- WordPress takeover
- myAudi flaws
- AI vuln hunt
- New IR tool
One recap. All the risks worth tracking.
Read here: https://thehackernews.com/2026/05/weekly-recap-exchange-0-day-npm-worm.html
INTERPOL's Operation Ramz led to 201 arrests across 13 MENA countries, with 382 suspects and 3,867 victims identified.
Authorities seized 53 servers while targeting phishing, malware, and cyber scam operations.
Full Details: https://thehackernews.com/2026/05/interpol-operation-ramz-disrupts-mena.html
ALERT: Mini Shai-Hulud hit @antv npm packages via the compromised maintainer account "atool," including echarts-for-react with ~1.1M weekly downloads.
The campaign embeds credential-stealing code in developer tools.
Full story: https://thehackernews.com/2026/05/mini-shai-hulud-pushes-malicious-antv.html
Popular GitHub Action compromised in supply chain attack.
All existing tags for actions-cool/issues-helper were moved to a malicious imposter commit that steals CI/CD credentials from GitHub Actions runners.
Full details: https://thehackernews.com/2026/05/github-actions-supply-chain-attack.html
Agentic attacks have been running since 2024, chaining exploits in hours while most teams remediate in days.
That speed gap is the real kill chain.
Yochai Corem shares how one tertiary hospital slashed MTTR to 0.87 hours with zero IPS bypasses.
Why remediation is now the bottleneck: https://thehackernews.com/expert-insights/2026/05/agentic-attacks-arrived-over-year-ago.html
Compromised Nx Console 18.95.0 executed a credential-stealing payload after VS Code users opened workspaces.
The extension has 2.2M+ installs; affected users should update to 18.100.0 and rotate reachable secrets.
Read details here: https://thehackernews.com/2026/05/compromised-nx-console-18950-targeted.html