Showboat #Linux malware targets Middle East telecom.
https://thehackernews.com/2026/05/showboat-linux-malware-hits-middle-east.html
Active since at least mid-2022, the modular framework enables remote shells, file transfers, process hiding, and SOCKS5 proxying to access internal LAN systems.
Critical Alert: Cisco Secure Workload Hit with CVSS 10.0 Flaw.
https://thehackernews.com/2026/05/cisco-patches-cvss-100-secure-workload.html
Unauthenticated attackers can exploit a REST API vulnerability (CVE-2026-20223) to steal sensitive data and make configuration changes across tenant boundaries with Site Admin privileges.
Affects both SaaS and on-prem deployments. No workarounds.
Patch immediately:
• 3.10 → 3.10.8.3
• 4.0 → 4.0.3.17
• 3.9 or older → Migrate now
CISA just added two actively exploited vulns to its KEV catalog.
https://thehackernews.com/2026/05/cisa-adds-exploited-langflow-and-trend.html
Critical RCE in Langflow (CVE-2025-34291, CVSS 9.4) and directory traversal in Trend Micro Apex One (on-prem).
Patch now if you're using either.
A 23-year-old Canadian man has been arrested over the alleged operation of Kimwolf, a #DDoS botnet that infected photo frames, webcams, and other devices.
The botnet issued 25,000+ attack commands and peaked at 31.4 Tbps.
Full story: https://thehackernews.com/2026/05/kimwolf-ddos-botnet-operator-arrested.html
Many vulnerable Windows drivers were considered 'safe' because their code only runs with matching hardware.
New research shows you can often trigger them from user mode alone, no hardware needed.
This makes far more drivers practical for BYOVD attacks (e.g. killing EDRs).
Details → https://thehackernews.com/2026/05/making-vulnerable-drivers-exploitable.html
Megalodon pushed malicious CI/CD workflows to 5,561 #GitHub repos in 6 hours.
https://thehackernews.com/2026/05/megalodon-github-attack-targets-5561.html
Attackers used throwaway accounts and forged CI bot names to inject GitHub Actions payloads designed to steal CI secrets, cloud credentials, SSH keys, OIDC tokens, and source code secrets.
Check recent workflow changes, audit PATs/deploy keys, and review unexpected CI bot commits.
Ghostwriter is phishing Ukraine's government with Prometheus-themed malware lures.
https://thehackernews.com/2026/05/ghostwriter-targets-ukraine-government.html
Compromised-account emails deliver PDF links that lead to ZIP-based JavaScript malware: OYSTERFRESH → OYSTERBLUES/OYSTERSHUCK.
Cobalt Strike is assessed as the final payload.
First VPN, a criminal VPN used by at least 25 ransomware groups, has been dismantled.
https://thehackernews.com/2026/05/first-vpn-dismantled-in-global-takedown.html
Authorities say the service helped criminals hide the origin of ransomware attacks, data theft, scanning, fraud, and DDoS activity.
The May 19–20 operation seized 33 servers and domains, including 1vpns[.]com, 1vpns[.]net, and 1vpns[.]org.
Drupal Core SQL injection is now actively exploited.
https://thehackernews.com/2026/05/drupal-core-sql-injection-bug-actively.html
CISA added CVE-2026-9082 to its KEV catalog after exploitation was detected in the wild.
Imperva observed:
• 15,000+ attack attempts
• Nearly 6,000 targeted sites
• Activity across 65 countries
• Gaming and financial services sites hit hardest, at nearly 50% of attacks
The flaw affects all supported Drupal Core versions and could allow privilege escalation and remote code execution via specially crafted requests.
Patch now:
• Drupal 11.3.10, 11.2.12, 11.1.10, 10.6.9, 10.5.10, 10.4.10.
• Drupal 9.5 and 8.9 require manual patching.
Active exploit: LiteSpeed cPanel root flaw.
https://thehackernews.com/2026/05/litespeed-cpanel-plugin-cve-2026-48172.html
CVE-2026-48172 is a CVSS 10.0 vulnerability in LiteSpeed User-End cPanel Plugin that lets any cPanel user run arbitrary scripts as root.
• Affected: v2.3–2.4.4
• Not affected: WHM plugin
• Fix: upgrade to WHM Plugin 5.3.1.0 with cPanel plugin v2.4.7+
• IOC: cpanel_jsonapi_func=redisAble
Supply Chain Attack Alert: 700+ Laravel-Lang package versions compromised.
https://thehackernews.com/2026/05/laravel-lang-php-packages-compromised.html
The malicious code auto-runs via Composer, drops a cross-platform PHP stealer, and targets cloud keys, CI/CD tokens, browser data, crypto wallets, password managers, SSH keys, and .env files.
Laravel/PHP devs: check your composer.lock immediately.
Anthropic's Claude Mythos Preview found 10,000+ severe software flaws in one month.
https://thehackernews.com/2026/05/claude-mythos-ai-finds-10000-high.html
The AI uncovered high- or critical-severity vulnerabilities across widely used software, including 1,726 confirmed flaws and 1,094 rated high or critical severity.
The findings have already led to 97 patches and 88 advisories.
One flaw, CVE-2026-5194 in WolfSSL, could allow certificate forgery.
Supply chain attack hits Packagist.
https://thehackernews.com/2026/05/packagist-supply-chain-attack-infects-8.html
8 packages were compromised with malicious package.json postinstall scripts that downloaded and executed a Linux binary from GitHub Releases.
The payload was also linked to 777 GitHub files, including GitHub Actions workflow files.
Audit your dependencies and lockfiles.
npm now requires human 2FA approval before staged package releases become installable, even from CI/CD workflows.
https://thehackernews.com/2026/05/npm-adds-2fa-gated-publishing-and.html
New package versions uploaded with staged publishing are placed into a queue and must be explicitly approved by a maintainer before release.
Requirements:
• npm CLI 11.15.0+
• 2FA enabled
• Existing npm package
• Use npm stage publish
npm also added new install controls:
--allow-file
--allow-remote
--allow-directory
The updates are designed to strengthen defenses against software supply chain attacks targeting open-source ecosystems.
TrapDoor supply chain attack hits npm, PyPI, and crates.io.
https://thehackernews.com/2026/05/trapdoor-supply-chain-attack-spreads.html
34 malicious packages across 384 versions were used to steal crypto wallets, SSH keys, cloud credentials, and developer secrets from crypto, DeFi, Solana, and AI environments.
The malware abused npm hooks, Python imports, and Rust build scripts for execution and persistence.
Lazarus deployed a new memory-only RAT against crypto and financial organizations.
https://thehackernews.com/2026/05/lazarus-deploys-remotepe-memory-only.html
The RemotePE malware executes entirely in memory with no filesystem artifacts, using DPAPI loaders, ETW patching, and Hell's Gate techniques to evade detection and maintain stealthy access.
Hackers breached 700+ Ghost CMS websites to serve ClickFix malware attacks.
Read: https://thehackernews.com/2026/05/ghost-cms-cve-2026-26980-exploited-to.html
The attackers exploited critical flaw CVE-2026-26980 to steal admin API keys and inject malicious JavaScript into legitimate sites, including university, AI, blockchain, and fintech platforms.
Visitors were shown fake CAPTCHA pages that tricked them into running malware.
The alert firehose just met its match.
NDR has long been labeled noisy and overwhelming. But agentic AI is changing that, turning massive network data volume into a powerful advantage by autonomously correlating signals and surfacing prioritized, contextual threats.
Worth 45 seconds → https://thehackernews.com/2026/05/the-alert-firehose-finally-meets-its.html
axios had 70M weekly downloads. What's hiding in today's open source packages?
axios hit 70M weekly downloads before anyone knew it was compromised. ActiveState's free OSS Health Check maps the packages most common to your industry. You'll know your exposure before the next axios attack hits.
Get Health Check: https://thn.news/activestate-healthcheck
Another week, another pile of "how the hell is this still happening?" moments.
Full recap: https://thehackernews.com/2026/05/weekly-recap-linux-flaws-defender-0.html
• Repo Worms
• Linux Flaws
• Defender 0-Days
• Router Botnets
• Supply Chain Hits
• Smarter Phishing
• AI-Found Vulns
• NFC Banking Malware
• Fake Teams Apps
• Smart Contract C2
• Tax Scam Lures
• Active Exploits
Internet's still running on bad configs, forgotten boxes, and pure luck.
One shared key. Every deployment at risk.
Attackers exploited CVE-2026-5426 in the KnowledgeDeliver LMS to gain unauthenticated RCE through hard-coded ASP.NET machineKeys, deploy the Godzilla (BLUEBEAM) web shell, and deliver Cobalt Strike Beacon on vulnerable internet-facing systems.
Read: https://thehackernews.com/2026/05/knowledgedeliver-lms-flaw-exploited-to.html