🚨 Funnel Builder plugin versions before 3.15.0.3 are under active exploitation to inject payment skimmers into #WooCommerce checkout pages.

The plugin is used by 40,000+ stores.

Full details: https://thehackernews.com/2026/05/funnel-builder-flaw-under-active.html

🚨 Your Cisco firewall might still be owned… even after you patched it.

Meet FIRESTARTER — the backdoor that laughs at reboots, firmware updates, and patches. It hit a U.S. federal agency last year.

Learn more 👇https://thehackernews.com/2026/05/weekly-recap-linux-rootkit-macos-crypto.html#:~:text=FIRESTARTER%20Backdoor%20Targets%20Cisco%20Devices

⚡ Grafana’s GitHub environment was accessed with an unauthorized token, allowing codebase download and an extortion attempt.

Even for open-source firms, GitHub access can expose private repos, secrets, or unreleased code.

What’s known so far: https://thehackernews.com/2026/05/grafana-github-token-breach-led-to.html

🚨 NGINX bug (CVE-2026-42945) now under active exploitation.

Critical heap overflow in rewrite module. Attackers can crash workers with one request (possible RCE).

Patch now if using NGINX ≤1.30.0. Check rewrite/if/set rules.

Full details: https://thehackernews.com/2026/05/nginx-cve-2026-42945-exploited-in-wild.html

🔥 MiniPlasma, a Windows privilege escalation zero-day in cldflt.sys, can grant SYSTEM privileges on fully patched systems.

A PoC works reliably on Windows 11 with May 2026 updates; latest Insider Preview Canary appears unaffected.

Read details - https://thehackernews.com/2026/05/miniplasma-windows-0-day-enables-system.html

☢️ Before Stuxnet, fast16 was designed to corrupt nuclear weapons simulations.

The Lua-based sabotage malware tampered with uranium-compression modeling in LS-DYNA and AUTODYN, activating during 💥 detonation runs above 30 g/cm³.

The framework may date back to 2005.

⚡ Read full story: https://thehackernews.com/2026/05/pre-stuxnet-fast16-malware-tampered.html

⚠️ Four malicious npm packages with 3,006 downloads were found delivering infostealers and Phantom Bot DDoS malware.

One package clones leaked Shai-Hulud worm code, while others steal SSH keys, cloud credentials and wallet data.

Full details: https://thehackernews.com/2026/05/four-malicious-npm-packages-deliver.html

🛑 Ivanti, Fortinet, SAP, VMware and n8n released fixes for flaws tied to auth bypass, RCE, SQL injection and privilege escalation.

The patches include CVSS 9.6 bugs in Ivanti Xtraction and SAP, plus five n8n RCE flaws.

See what was fixed: https://thehackernews.com/2026/05/ivanti-fortinet-sap-vmware-n8n-patch.html

🚨 Developer laptops just became the new front line of supply chain attacks.

Attackers are stealing GitHub tokens, cloud creds, SSH keys & registry tokens directly from dev workstations — then publishing malicious packages.

Three separate campaigns hit npm, PyPI, and Docker Hub in just 48 hours. Supply chain attacks now start before code reaches Git.

Full story → https://thehackernews.com/2026/05/developer-workstations-are-now-part-of.html

🚨 Clean-looking phishing emails are bypassing filters and hitting US orgs hard.

Fake invitations + CAPTCHA tricks lead to credential theft, OTP capture & RMM tools.

Full attack chain unfolds in just 40 seconds: https://thehackernews.com/2026/05/how-to-reduce-phishing-exposure-before.html

This Week in The Hacker News Weekly #Cybersecurity Recap:

⚠️ Exchange 0-day
🧬 npm worm
🎭 Fake AI repo
🛠️ Cisco exploit
🔐 RCS encryption
💸 Ransom deal
🧩 WordPress takeover
🚗 myAudi flaws
🤖 AI vuln hunt
🧰 New IR tool

One recap. All the risks worth tracking.

Read here: https://thehackernews.com/2026/05/weekly-recap-exchange-0-day-npm-worm.html

INTERPOL’s Operation Ramz led to 201 arrests across 13 MENA countries, with 382 suspects and 3,867 victims identified.

Authorities seized 53 servers while targeting phishing, malware, and cyber scam operations.

Full Details: https://thehackernews.com/2026/05/interpol-operation-ramz-disrupts-mena.html

⚠️ ALERT — Mini Shai-Hulud hit @antv npm packages via the compromised maintainer account “atool,” including echarts-for-react with ~1.1M weekly downloads.

The campaign embeds credential-stealing code in developer tools.

Full story: https://thehackernews.com/2026/05/mini-shai-hulud-pushes-malicious-antv.html

🚨 Popular GitHub Action compromised in supply chain attack.

All existing tags for actions-cool/issues-helper were moved to a malicious imposter commit that steals CI/CD credentials from GitHub Actions runners.

Full details: https://thehackernews.com/2026/05/github-actions-supply-chain-attack.html

Agentic attacks have been running since 2024 — chaining exploits in hours while most teams remediate in days.

That speed gap is the real kill chain.

Yochai Corem shares how one tertiary hospital slashed MTTR to 0.87 hours with zero IPS bypasses.

Why remediation is now the bottleneck → https://thehackernews.com/expert-insights/2026/05/agentic-attacks-arrived-over-year-ago.html

🚨 Compromised Nx Console 18.95.0 executed a credential-stealing payload after VS Code users opened workspaces.

The extension has 2.2M+ installs; affected users should update to 18.100.0 and rotate reachable secrets.

Read details here: https://thehackernews.com/2026/05/compromised-nx-console-18950-targeted.html

Your tools obsess over human accounts — while 45 non-human identities (API keys, bots, AI agents) exist per employee.

Two-thirds of companies have already been breached by them. Your security tools are blind to this.

Rob Kraczek (Global Strategist, One Identity) calls it the Non-Human Identity Crisis — the biggest governance gap of 2026.

Must-read: https://thehackernews.com/expert-insights/2026/05/the-non-human-identity-crisis-why-your.html

🛑 Seven SEPPMail Secure E-Mail Gateway flaws could enable remote code execution, mail traffic access, and appliance takeover.

One path traversal bug carries a CVSS score of 10.0.

Details and patches: https://thehackernews.com/2026/05/seppmail-secure-e-mail-gateway.html