The Hacker News
⭐ Official THN Telegram Channel β€” A trusted, widely read, independent source for breaking news and tech coverage about cybersecurity and hacking.

πŸ“¨ Contact: admin@thehackernews.com

🌐 Website: https://thehackernews.com
⚠️ Enterprise AI risk is heavily concentrated among a small group of power users and personal accounts.

LayerX Security’s 2026 report shows the top 5% of employees generate 144+ conversations each. Nearly half of all enterprise AI conversations use personal identities. Over 6% contain sensitive data.

Most organizations lack full visibility.

Full report: https://thehackernews.com/2026/05/new-ai-usage-report-enterprise-ai-risk.html
⚑5πŸ”₯3😁3
AI has changed phishing forever.

Today’s attacks are polished, personalized and often AI-generated — making them harder to detect than ever before.

The old “spot the typo” approach no longer works.

Modern phishing attacks can mimic executives, vendors and trusted brands with alarming accuracy, putting MSPs and their clients at greater risk.

To stay ahead, MSPs need:
✅ AI-powered threat detection
✅ Faster impersonation detection
✅ Real-time user coaching
✅ Layered cyber resilience

See how INKY by Kaseya helps stop advanced phishing and AI-powered email threats: https://thn.news/kaseya-inky-demo
⚑ ThreatsDay Bulletin (May 28, 2026) – Security teams, here are the 17 key updates you need today.

Key updates:
• Anthropic launches #Claude code security plugin
• Kali365 kit bypasses Microsoft 365 MFA
• 1,300+ malicious C2 servers found in Middle East
• FIFA World Cup 2026 scam surge begins
• #Microsoft patches Azure AKS priv-esc flaw
• Silent Ransom Group impersonates IT support
• GhostTree bypasses Windows security tools
• CISA adds DAEMON Tools to KEV catalog

Plus 9 more: Apple post-quantum crypto release, WaSteal #WhatsApp stealer extensions, fake GitHub installers, and phishing campaigns.

Full bulletin here: https://thehackernews.com/2026/05/threatsday-bulletin-claude-security.html
🔥 Microsoft Slams Public Zero-Day Disclosures for putting Windows users at risk.

A researcher recently disclosed multiple zero-days in Defender, BitLocker and other components. Three are now under active exploitation.

GitHub removed the researcher’s account. A new GitLab account was also blocked.

Read the full story: https://thehackernews.com/2026/05/microsoft-slams-public-zero-day.html
⚠️ Threat actors are exploiting a critical FortiClient EMS flaw to push credential-stealing malware to entire networks of managed endpoints.

CVE-2026-35616 (CVSS 9.1) allows pre-auth bypass and privilege escalation.

Hackers disguise the payload as a legitimate Fortinet update.

Read full report: https://thehackernews.com/2026/05/threat-actors-exploit-critical.html
⚠️ Critical UNPATCHED 9.4 RCE flaw in Gogs lets any authenticated user execute arbitrary code on the server.

An attacker can simply use a malicious branch name during the rebase-before-merge process. No admin rights or victim interaction needed.

Full compromise can expose every repository on the instance, including private ones from other users, and open the door to further network attacks.

Rapid7 has published a Metasploit module that automates the exploit. Strong recommendation to lock down user and repository creation until a fix arrives.

No CVE issued. Full report and mitigations: https://thehackernews.com/2026/05/critical-gogs-rce-vulnerability-lets.html
⚠️ Kimsuky is hitting South Korean military and corporate targets with HTTPSpy RAT through fake security software pages and spoofed Webex meetings.

The group is also expanding its arsenal with HelloDoor backdoor and VS Code tunneling for stealthier attacks.

Read full report: https://thehackernews.com/2026/05/kimsuky-deploys-httpspy-expands-arsenal.html
⚠️ Two new #Android NFC relay malware families β€” DevilNFC and NFCMultiPay β€” are targeting banking customers in Europe and Latin America.

These tools, developed with possible AI assistance, steal card PINs. DevilNFC even locks victims in a fake interface using Kiosk Mode while relaying card data.

Local threat actors are now building their own tools instead of relying on Chinese MaaS platforms.

Read this story: https://thehackernews.com/2026/05/weekly-recap-linux-flaws-defender-0.html#:~:text=DevilNFC%20and%20NFCMultiPay%20Android%20NFC%20Relay%20Malware
⚠️ Malicious Sicoob NuGet steals Brazilian bank credentials while npm packages target AWS and CI/CD secrets.

The fake "Sicoob.Sdk" versions 2.0.0–2.0.4 exfiltrate client IDs, PFX certificates, and passwords. It was downloaded nearly 500 times.

Multiple npm packages from one actor also steal cloud and pipeline secrets.

Full report: https://thehackernews.com/2026/05/malicious-sicoob-nuget-steals-banking.html
⚠️ A previously unknown threat actor has been quietly targeting #Ukraine since at least August 2025.

GREYVIBE uses spear-phishing, fake CAPTCHA pages, and fraudulent websites to deliver custom #malware to military, government, civilian, and business targets.

Researchers also found evidence of AI-assisted malware development and links to the cybercrime ecosystem.

Full report: https://thehackernews.com/2026/05/new-russian-linked-greyvibe-targets.html
⚑ AI is making DDoS attacks faster, smarter, and far more dangerous.

Attackers are now using AI to discover weak spots, create new attack vectors, and scale assaults with terrifying efficiency.

Join our next expert webinar: "A New Perspective on #DDoS Attacks in the Age of AI"

Learn real-world examples of AI-powered attacks and practical ways to defend against them β€” before they hit you.

πŸ‘‰ Register Now (Free): https://thehacker.news/ai-ddos-attacks
⚠️ Attackers used an LLM agent for post-exploitation after breaching a public Marimo notebook via CVE-2026-39987, a pre-auth RCE flaw affecting versions ≀0.20.4.

The intrusion stole cloud credentials, retrieved an SSH key from AWS Secrets Manager, and exfiltrated a PostgreSQL database via eight SSH sessions in under two minutes.

Full report: https://thehackernews.com/2026/05/attackers-use-llm-agent-for-post.html
⚠️ A new technique called "ChatGPhish" turns OpenAI’s ChatGPT into a #phishing tool.

No special prompt required... simply summarizing a malicious web page can cause #ChatGPT to display phishing links, fake security alerts, QR codes, and attacker-hosted images in its trusted interface.

Full story: https://thehackernews.com/2026/05/chatgphish-vulnerability-turns-chatgpt.html
🚨 CVE-2026-0257, a PAN-OS and Prisma Access authentication bypass flaw, is under active exploitation.

The CVSS 7.8 bug can enable unauthorized VPN access and, in some observed cases, access to internal networks.

Patch immediately or apply mitigations.

Details: https://thehackernews.com/2026/05/pan-os-globalprotect-authentication.html