The Hacker News
⭐ Official THN Telegram Channel — A trusted, widely read, independent source for breaking news and tech coverage about cybersecurity and hacking.

📨 Contact: admin@thehackernews.com

🌐 Website: https://thehackernews.com
🚨 Active exploit: LiteSpeed cPanel root flaw.

https://thehackernews.com/2026/05/litespeed-cpanel-plugin-cve-2026-48172.html

CVE-2026-48172 is a CVSS 10.0 vulnerability in LiteSpeed User-End cPanel Plugin that lets any cPanel user run arbitrary scripts as root.

🔸 Affected: v2.3–2.4.4
🔸 Not affected: WHM plugin
🔸 Fix: upgrade to WHM Plugin 5.3.1.0 with cPanel plugin v2.4.7+
🔸 IOC: cpanel_jsonapi_func=redisAble
🛑 Supply Chain Attack Alert: 700+ Laravel-Lang package versions compromised.

https://thehackernews.com/2026/05/laravel-lang-php-packages-compromised.html

The malicious code auto-runs via Composer, drops a cross-platform PHP stealer, and targets cloud keys, CI/CD tokens, browser data, crypto wallets, password managers, SSH keys, and .env files.

Laravel/PHP devs: check your composer.lock immediately.
🚨 Anthropic’s Claude Mythos Preview found 10,000+ severe software flaws in one month.

https://thehackernews.com/2026/05/claude-mythos-ai-finds-10000-high.html

The AI uncovered high- or critical-severity vulnerabilities across widely used software, including 1,726 confirmed flaws and 1,094 rated high or critical severity.

The findings have already led to 97 patches and 88 advisories.

One flaw, CVE-2026-5194 in WolfSSL, could allow certificate forgery.
⚠️ Supply chain attack hits Packagist.

https://thehackernews.com/2026/05/packagist-supply-chain-attack-infects-8.html

8 packages were compromised with malicious package.json postinstall scripts that downloaded and executed a Linux binary from GitHub Releases.

The payload was also linked to 777 GitHub files, including GitHub Actions workflow files.

Audit your dependencies and lockfiles.
🔥 npm now requires human 2FA approval before staged package releases become installable — even from CI/CD workflows.

https://thehackernews.com/2026/05/npm-adds-2fa-gated-publishing-and.html

New package versions uploaded with staged publishing are placed into a queue and must be explicitly approved by a maintainer before release.

Requirements:
• npm CLI 11.15.0+
• 2FA enabled
• Existing npm package
• Use npm stage publish

npm also added new install controls:
--allow-file
--allow-remote
--allow-directory

The updates are designed to strengthen defenses against software supply chain attacks targeting open-source ecosystems.
🚨 TrapDoor supply chain attack hits npm, PyPI, and Crates-io.

https://thehackernews.com/2026/05/trapdoor-supply-chain-attack-spreads.html

34 malicious packages across 384 versions were used to steal crypto wallets, SSH keys, cloud credentials, and developer secrets from crypto, DeFi, Solana, and AI environments.

The malware abused npm hooks, Python imports, and Rust build scripts for execution and persistence.
🚨 Lazarus deployed a new memory-only RAT against crypto and financial organizations.

https://thehackernews.com/2026/05/lazarus-deploys-remotepe-memory-only.html

The RemotePE malware executes entirely in memory with no filesystem artifacts, using DPAPI loaders, ETW patching, and Hell’s Gate techniques to evade detection and maintain stealthy access.
😁20πŸ”₯6πŸ‘4😱1
🚨 Hackers breached 700+ Ghost CMS websites to serve ClickFix malware attacks.

Read 🠒 https://thehackernews.com/2026/05/ghost-cms-cve-2026-26980-exploited-to.html

The attackers exploited critical flaw CVE-2026-26980 to steal admin API keys and inject malicious JavaScript into legitimate sites, including university, AI, blockchain, and fintech platforms.

Visitors were shown fake CAPTCHA pages that tricked them into running malware.
😁12πŸ”₯7😱3
The alert firehose just met its match.

NDR has long been labeled noisy and overwhelming. But agentic AI is changing that — turning massive network data volume into a powerful advantage by autonomously correlating signals and surfacing prioritized, contextual threats.

Worth 45 seconds → https://thehackernews.com/2026/05/the-alert-firehose-finally-meets-its.html
axios had 70M weekly downloads. What's hiding in today’s open source packages?

axios hit 70M weekly downloads before anyone knew it was compromised. ActiveState's free OSS Health Check maps the packages most common to your industry. You’ll know your exposure before the next axios attack hits.

Get Health Check: https://thn.news/activestate-healthcheck
⚡ Another week, another pile of “how the hell is this still happening?” moments.

Full recap: https://thehackernews.com/2026/05/weekly-recap-linux-flaws-defender-0.html

☠️ Repo Worms
🐧 Linux Flaws
πŸ›‘οΈ Defender 0-Days
πŸ“‘ Router Botnets
πŸ“¦ Supply Chain Hits
🎣 Smarter Phishing
πŸ€– AI-Found Vulns
πŸ“± NFC Banking Malware
🧰 Fake Teams Apps
🌐 Smart Contract C2
πŸ’Έ Tax Scam Lures
πŸ”₯ Active Exploits

Internet’s still running on bad configs, forgotten boxes, and pure luck.
🚨 One shared key. Every deployment at risk.

Attackers exploited CVE-2026-5426 in the KnowledgeDeliver LMS to gain unauthenticated RCE through hard-coded ASP-NET machineKeys, deploy the Godzilla (BLUEBEAM) web shell, and deliver Cobalt Strike Beacon on vulnerable internet-facing systems.

Read 🠒 https://thehackernews.com/2026/05/knowledgedeliver-lms-flaw-exploited-to.html
⚠️ Cybercriminals are flooding the web with FIFA World Cup 2026 scams — before the tournament even starts.

https://thehackernews.com/expert-insights/2026/05/before-whistle-ctm360-reveals-how.html

Security firm CTM360 uncovered over 7,000 themed domains, with 4,500+ registered in just the last 5 months. Already 1,000+ malicious sites and 1,000+ fake social accounts are live.

Don’t get scammed before the first whistle.
🚨 Iranian hackers deployed a new AI-assisted backdoor called MiniFast.

https://thehackernews.com/2026/05/iranian-hackers-deploy-minifast-and.html

IRGC-linked group Nimbus Manticore targeted aviation, software, telecom, and energy sectors across the U.S., Europe, and the Middle East.

The campaigns used:
• Phishing lures
• SEO poisoning
• Trojanized Zoom and SQL Developer installers
• Fake meeting invites
• AppDomain hijacking

Activity was tracked between February and April 2026.
🚨 India’s CERT-In has directed organizations to patch known exploited vulnerabilities in internet-facing systems within 12 hours where feasible as AI tools accelerate cyber attacks.

The guidance cites faster vulnerability discovery, phishing, malware generation, and exploitation workflows.

Read: https://thehackernews.com/2026/05/cert-in-mandates-12-hour-patching-for.html
😁10πŸ€”5πŸ‘2😱2πŸ”₯1
Your "second factor" isn't as safe as you think.

Attackers don’t need to steal your MFA code anymore — they just exhaust you until you approve it.

MFA Prompt Bombing is quietly becoming one of the most effective attacks right now.

Read → https://thehackernews.com/2026/05/mfa-prompt-bombing-why-your-second.html
⚠️ SharePoint RCE Vulnerability.

Details → https://thehackernews.com/2026/05/microsoft-patches-sharepoint-rce-flaw.html

CVE-2026-45659 allows authenticated attackers with only Site Member permissions to execute code remotely on SharePoint Server.

The CVSS 8.8 flaw affects SharePoint Server 2016, 2019, and Subscription Edition.
The Zero Knowledge vault myth is over.

ETH Zurich (USENIX ‘26) identifies 27 attacks against cloud password managers. Storing secrets = a $150M+ systemic risk.

Unixi uSSO kills the vault via KDA:
🔹 No central DB
🔹 No phishing
🔹 100% enforcement

Details: https://thn.news/centralization-risk
⚡ AI is making DDoS attacks faster and smarter — helping attackers find weak spots, create new attack vectors, and scale attacks more efficiently.

Watch this WEBINAR to see how it works → https://thehackernews.com/2026/05/new-ai-ddos-attacks-are-smarter-learn.html

What you’ll get:
• Real examples of today’s AI-enhanced attacks
• How to find & fix hidden weaknesses fast
• Practical defenses you can apply immediately
😁8πŸ‘5⚑2😱2πŸ”₯1
🚨 MuddyWater hit 9 countries.

Read → https://thehackernews.com/2026/05/muddywater-uses-dll-side-loading-in.html

The Iranian hacking group targeted 9 organizations using signed Fortemedia and SentinelOne binaries to sideload malware, steal Chrome data, and quietly maintain access inside victim networks.

One intrusion lasted a full week inside a major South Korean electronics company.
AI uncovered a 27-year-old bug in OpenBSD that survived decades of human audits.

RunSafe Security’s CEO Joseph M. Saunders warns: you can’t patch your way out of this anymore.

With AI flooding teams with discoveries and EU CRA regulations incoming, remediation backlogs just became unmanageable.

Full insights here: https://thehackernews.com/expert-insights/2026/05/you-cant-patch-your-way-out-of-this-one.html