🔥 npm now requires human 2FA approval before staged package releases become installable — even from CI/CD workflows.

https://thehackernews.com/2026/05/npm-adds-2fa-gated-publishing-and.html

New package versions uploaded with staged publishing are placed into a queue and must be explicitly approved by a maintainer before release.

Requirements:
• npm CLI 11.15.0+
• 2FA enabled
• Existing npm package
• Use npm stage publish

npm also added new install controls:
--allow-file
--allow-remote
--allow-directory

The updates are designed to strengthen defenses against software supply chain attacks targeting open-source ecosystems.

🚨 TrapDoor supply chain attack hits npm, PyPI, and Crates-io.

https://thehackernews.com/2026/05/trapdoor-supply-chain-attack-spreads.html

34 malicious packages across 384 versions were used to steal crypto wallets, SSH keys, cloud credentials, and developer secrets from crypto, DeFi, Solana, and AI environments.

The malware abused npm hooks, Python imports, and Rust build scripts for execution and persistence.

🚨 Lazarus deployed a new memory-only RAT against crypto and financial organizations.

https://thehackernews.com/2026/05/lazarus-deploys-remotepe-memory-only.html

The RemotePE malware executes entirely in memory with no filesystem artifacts, using DPAPI loaders, ETW patching, and Hell’s Gate techniques to evade detection and maintain stealthy access.

🚨 Hackers breached 700+ Ghost CMS websites to serve ClickFix malware attacks.

Read 🠒 https://thehackernews.com/2026/05/ghost-cms-cve-2026-26980-exploited-to.html

The attackers exploited critical flaw CVE-2026-26980 to steal admin API keys and inject malicious JavaScript into legitimate sites, including university, AI, blockchain, and fintech platforms.

Visitors were shown fake CAPTCHA pages that tricked them into running malware.

The alert firehose just met its match.

NDR has long been labeled noisy and overwhelming. But agentic AI is changing that — turning massive network data volume into a powerful advantage by autonomously correlating signals and surfacing prioritized, contextual threats.

Worth 45 seconds → https://thehackernews.com/2026/05/the-alert-firehose-finally-meets-its.html

axios had 70M weekly downloads. What's hiding in today’s open source packages?

axios hit 70M weekly downloads before anyone knew it was compromised. ActiveState's free OSS Health Check maps the packages most common to your industry. You’ll know your exposure before the next axios attack hits.

Get Health Check: https://thn.news/activestate-healthcheck

⚡ Another week, another pile of “how the hell is this still happening?” moments.

Full recap: https://thehackernews.com/2026/05/weekly-recap-linux-flaws-defender-0.html

☠️ Repo Worms
🐧 Linux Flaws
🛡️ Defender 0-Days
📡 Router Botnets
📦 Supply Chain Hits
🎣 Smarter Phishing
🤖 AI-Found Vulns
📱 NFC Banking Malware
🧰 Fake Teams Apps
🌐 Smart Contract C2
💸 Tax Scam Lures
🔥 Active Exploits

Internet’s still running on bad configs, forgotten boxes, and pure luck.

🚨 One shared key. Every deployment at risk.

Attackers exploited CVE-2026-5426 in the KnowledgeDeliver LMS to gain unauthenticated RCE through hard-coded ASP-NET machineKeys, deploy the Godzilla (BLUEBEAM) web shell, and deliver Cobalt Strike Beacon on vulnerable internet-facing systems.

Read 🠒 https://thehackernews.com/2026/05/knowledgedeliver-lms-flaw-exploited-to.html

⚠️ Cybercriminals are flooding the web with FIFA World Cup 2026 scams — before the tournament even starts.

https://thehackernews.com/expert-insights/2026/05/before-whistle-ctm360-reveals-how.html

Security firm CTM360 uncovered over 7,000 themed domains, with 4,500+ registered in just the last 5 months. Already 1,000+ malicious sites and 1,000+ fake social accounts are live.

Don’t get scammed before the first whistle.

🚨 Iranian hackers deployed a new AI-assisted backdoor called MiniFast.

https://thehackernews.com/2026/05/iranian-hackers-deploy-minifast-and.html

IRGC-linked group Nimbus Manticore targeted aviation, software, telecom, and energy sectors across the U.S., Europe, and the Middle East.

The campaigns used:
• Phishing lures
• SEO poisoning
• Trojanized Zoom and SQL Developer installers
• Fake meeting invites
• AppDomain hijacking

Activity was tracked between February and April 2026.

🚨 India’s CERT-In has directed organizations to patch known exploited vulnerabilities in internet-facing systems within 12 hours where feasible as AI tools accelerate cyber attacks.

The guidance cites faster vulnerability discovery, phishing, malware generation, and exploitation workflows.

Read: https://thehackernews.com/2026/05/cert-in-mandates-12-hour-patching-for.html

Your "second factor" isn't as safe as you think.

Attackers don’t need to steal your MFA code anymore — they just exhaust you until you approve it.

MFA Prompt Bombing is quietly becoming one of the most effective attacks right now.

Read → https://thehackernews.com/2026/05/mfa-prompt-bombing-why-your-second.html

⚠️ SharePoint RCE Vulnerability.

Details → https://thehackernews.com/2026/05/microsoft-patches-sharepoint-rce-flaw.html

CVE-2026-45659 allows authenticated attackers with only Site Member permissions to execute code remotely on SharePoint Server.

The CVSS 8.8 flaw affects SharePoint Server 2016, 2019, and Subscription Edition.

The Zero Knowledge vault myth is over.

ETH Zurich (USENIX ‘26) identifies 27 attacks against cloud password managers. Storing secrets = a $150M+ systemic risk.

Unixi uSSO kills the vault via KDA:
🔹No central DB
🔹No phishing
🔹100% enforcement

Details: https://thn.news/centralization-risk

⚡AI is making DDoS attacks faster and smarter — helping attackers find weak spots, create new attack vectors, and scale attacks more efficiently.

Watch this WEBINAR to see how it works → https://thehackernews.com/2026/05/new-ai-ddos-attacks-are-smarter-learn.html

What you’ll get:
• Real examples of today’s AI-enhanced attacks
• How to find & fix hidden weaknesses fast
• Practical defenses you can apply immediately

🚨 MuddyWater hit 9 countries.

Read → https://thehackernews.com/2026/05/muddywater-uses-dll-side-loading-in.html

The Iranian hacking group targeted 9 organizations using signed Fortemedia and SentinelOne binaries to sideload malware, steal Chrome data, and quietly maintain access inside victim networks.

One intrusion lasted a full week inside a major South Korean electronics company.

AI uncovered a 27-year-old bug in OpenBSD that survived decades of human audits.

RunSafe Security’s CEO Joseph M. Saunders warns: you can’t patch your way out of this anymore.

With AI flooding teams with discoveries and EU CRA regulations incoming, remediation backlogs just became unmanageable.

Full insights here: https://thehackernews.com/expert-insights/2026/05/you-cant-patch-your-way-out-of-this-one.html

🚨 AI chatbots are pushing cryptojacking malware.

Read → https://thehackernews.com/2026/05/ai-chatbot-recommendations-redirect.html

Attackers poisoned AI software recommendations to redirect users searching for tools like CrystalDiskInfo and HWMonitor to malicious download sites distributing ScreenConnect, rogue DLLs, and GPU mining malware.

More than 150 malicious domains were identified.

🚨 Gitea flaw exposes private container images without authentication.

https://thehackernews.com/2026/05/gitea-vulnerability-exposes-private.html

CVE-2026-27771 affects all Gitea versions before 1.26.2 and likely impacts 30,000+ deployments worldwide. Attackers can pull private images without an account or password.

Update now or enable REQUIRE_SIGNIN_VIEW as a temporary workaround.

🧐 “Microsoft Teams” download from X? It’s likely malware.

Read: https://thehackernews.com/2026/05/weekly-recap-linux-flaws-defender-0.html#:~:text=Fake%20Microsoft%20Teams%20Sites%20Deliver%20ValleyRAT

Fake sites push trojanized ZIPs. NSIS installer drops real Teams (looks clean) + uses legit Tencent GameBox.exe to sideload Utility.dll → deploys ValleyRAT (SilverFox group).

Adds Defender exclusions, in-memory decryption, hidden files, and _CCGDAT service for persistence.

🔥 GlassWorm disrupted.

Read - https://thehackernews.com/2026/05/glassworm-malware-takedown-disrupts.html

The malware poisoned 300+ GitHub repositories through:

• Malicious VS Code extensions
• Compromised npm packages
• Trojanized Python packages

Its infrastructure used Solana, BitTorrent DHT, Google Calendar, and VPS servers as resilient C2 layers — all now neutralized.