Four malicious npm packages with 3,006 downloads were found delivering infostealers and Phantom Bot DDoS malware.
One package clones leaked Shai-Hulud worm code, while others steal SSH keys, cloud credentials and wallet data.
Full details: https://thehackernews.com/2026/05/four-malicious-npm-packages-deliver.html
Ivanti, Fortinet, SAP, VMware and n8n released fixes for flaws tied to auth bypass, RCE, SQL injection and privilege escalation.
The patches include CVSS 9.6 bugs in Ivanti Xtraction and SAP, plus five n8n RCE flaws.
See what was fixed: https://thehackernews.com/2026/05/ivanti-fortinet-sap-vmware-n8n-patch.html
Developer laptops just became the new front line of supply chain attacks.
Attackers are stealing GitHub tokens, cloud creds, SSH keys & registry tokens directly from dev workstations, then publishing malicious packages.
Three separate campaigns hit npm, PyPI, and Docker Hub in just 48 hours. Supply chain attacks now start before code reaches Git.
Full story: https://thehackernews.com/2026/05/developer-workstations-are-now-part-of.html
Clean-looking phishing emails are bypassing filters and hitting US orgs hard.
Fake invitations + CAPTCHA tricks lead to credential theft, OTP capture & RMM tools.
Full attack chain unfolds in just 40 seconds: https://thehackernews.com/2026/05/how-to-reduce-phishing-exposure-before.html
This Week in The Hacker News Weekly #Cybersecurity Recap:
Exchange 0-day
npm worm
Fake AI repo
Cisco exploit
RCS encryption
Ransom deal
WordPress takeover
myAudi flaws
AI vuln hunt
New IR tool
One recap. All the risks worth tracking.
Read here: https://thehackernews.com/2026/05/weekly-recap-exchange-0-day-npm-worm.html
INTERPOL's Operation Ramz led to 201 arrests across 13 MENA countries, with 382 suspects and 3,867 victims identified.
Authorities seized 53 servers while targeting phishing, malware, and cyber scam operations.
Full Details: https://thehackernews.com/2026/05/interpol-operation-ramz-disrupts-mena.html
ALERT: Mini Shai-Hulud hit @antv npm packages via the compromised maintainer account "atool," including echarts-for-react with ~1.1M weekly downloads.
The campaign embeds credential-stealing code in developer tools.
Full story: https://thehackernews.com/2026/05/mini-shai-hulud-pushes-malicious-antv.html
Popular GitHub Action compromised in supply chain attack.
All existing tags for actions-cool/issues-helper were moved to a malicious imposter commit that steals CI/CD credentials from GitHub Actions runners.
Full details: https://thehackernews.com/2026/05/github-actions-supply-chain-attack.html
Agentic attacks have been running since 2024, chaining exploits in hours while most teams remediate in days.
That speed gap is the real kill chain.
Yochai Corem shares how one tertiary hospital slashed MTTR to 0.87 hours with zero IPS bypasses.
Why remediation is now the bottleneck: https://thehackernews.com/expert-insights/2026/05/agentic-attacks-arrived-over-year-ago.html
Compromised Nx Console 18.95.0 executed a credential-stealing payload after VS Code users opened workspaces.
The extension has 2.2M+ installs; affected users should update to 18.100.0 and rotate reachable secrets.
Read details here: https://thehackernews.com/2026/05/compromised-nx-console-18950-targeted.html
Your tools obsess over human accounts, while 45 non-human identities (API keys, bots, AI agents) exist per employee.
Two-thirds of companies have already been breached by them. Your security tools are blind to this.
Rob Kraczek (Global Strategist, One Identity) calls it the Non-Human Identity Crisis, the biggest governance gap of 2026.
Must-read: https://thehackernews.com/expert-insights/2026/05/the-non-human-identity-crisis-why-your.html
Seven SEPPMail Secure E-Mail Gateway flaws could enable remote code execution, mail traffic access, and appliance takeover.
One path traversal bug carries a CVSS score of 10.0.
Details and patches: https://thehackernews.com/2026/05/seppmail-secure-e-mail-gateway.html
WATCH OUT: Drupal will release core security updates tomorrow (May 20, 5-9 PM UTC) for supported branches.
Exploits could be developed within hours or days, and not all configurations are affected.
Update guidance and affected versions: https://thehackernews.com/2026/05/drupal-to-release-urgent-core-security.html
Your pentest team found 100 critical vulnerabilities. Don't let them die in a spreadsheet. Unassigned. Unprioritized. Unresolved.
Close the loop - from finding to fix - with automated workflows, bi-directional ticketing, and remediation tracking built in.
See why security teams are ditching the spreadsheet.
Request a demo: https://thn.news/plextrac-demo
Apple spent 5 years & billions on MIE: hardware memory safety for M5 to kill kernel exploits.
A small team + Mythos Preview AI just dropped the first public one in 5 days: data-only user → root on M5 macOS with MIE enabled.
Read: https://thehackernews.com/2026/05/weekly-recap-exchange-0-day-npm-worm.html#:~:text=Flaw%20in%20Apple%27s%20Memory%20Integrity%20Enforcement
The phishing click that beats MFA isn't a fake login page anymore. It's a legit-looking "Approve" on an OAuth consent screen.
Enter a short code at Microsoft's Device Login → complete real MFA → attacker gets a long-lived refresh token to your mailbox, files & calendar.
No password. No suspicious sign-in.
New EvilTokens PhaaS hit 340+ orgs in just 5 weeks.
Full story: https://thehackernews.com/2026/05/the-new-phishing-click-how-oauth.html
Public PoC exploit code is out for DirtyDecrypt, a patched Linux kernel flaw linked to CVE-2026-31635 that could allow local privilege escalation.
It affects CONFIG_RXGK-enabled systems, including Fedora, Arch Linux, and openSUSE Tumbleweed.
Details: https://thehackernews.com/2026/05/dirtydecrypt-poc-released-for-linux.html
Trapdoor used 455 malicious #Android apps to run a malvertising and ad fraud scheme that peaked at 659 million bid requests per day.
The apps were downloaded over 24M times, with most traffic from the U.S.
Read: https://thehackernews.com/2026/05/trapdoor-android-ad-fraud-scheme-hit.html