Railway, a San Francisco-based cloud platform, has raised $100 million in a Series B funding round led by TQ Ventures, with participation from FPV Ventures. This funding will be used to challenge legacy cloud infrastructure, particularly in the context of artificial intelligence applications.
AI News
Claude Code, a terminal-based AI agent, offers coding capabilities for a monthly cost ranging from $20 to $200. Goose, another AI agent, provides similar functionality for free.
Listen Labs, a startup, has raised $69 million in funding. The company, which needed to hire over 100 engineers, used a billboard in San Francisco to attract talent.
Salesforce has released a rebuilt version of Slackbot, a workplace assistant that has been transformed into a fully powered AI agent. The new Slackbot can search enterprise data, draft documents, and take action on behalf of employees.
Anthropic has released Cowork, a new AI agent capability that extends the power of Claude Code to non-technical users. Cowork allows users to work with AI in their files without requiring coding.
Nous Research has released an open-source coding model called NousCoder-14B, which matches or exceeds several larger proprietary systems. The model was trained in four days using 48 Nvidia B200 graphics processors.
Boris Cherny, the creator of Claude Code, shared his workflow in a thread on X, which has been extensively analyzed by the engineering community. The thread is available at https://x.com/bcherny/status/2007179832300581177.
In the Musk v. Altman trial, lawyers questioned Elon Musk and OpenAI CEO Sam Altman's credibility, with Altman facing allegations of lying and self-dealing. Altman countered by portraying Musk as a power-seeker who wants to control development.
Chinese short dramas are being made entirely with AI, fueling the country's short drama industry. These bite-sized shows are built for smartphone scrolling and are often melodramatic and smutty.
The World Health Organization has published its 2026 global health statistics report, which assesses progress towards health targets set in 2015. The report indicates that the world is on track to miss its health targets.
AI Security
Turla, a Russian state-sponsored hacking group, has transformed its custom backdoor Kazuar into a modular peer-to-peer (P2P) botnet. This P2P botnet is designed for stealth and persistent access to compromised hosts.
Cybersecurity researchers have disclosed four security flaws in OpenClaw, collectively known as "Claw Chain," which can enable data theft, privilege escalation, and persistence. The flaws can be chained to allow an attacker to establish a foothold, expose sensitive data, and plant backdoors.
Researchers at Bitdefender analyzed 45 days of system logs and found that trusted utilities such as PowerShell, WMIC, and netsh are often used by both IT teams and modern threat actors. This suggests that the most common security risks may not be malware, but rather the misuse of trusted tools.
A supply chain attack known as Mini Shai-Hulud targeted TanStack, impacting two OpenAI employee devices in its corporate environment. The attack did not compromise any user data, production systems, or intellectual property.
Microsoft has disclosed a security vulnerability, tracked as CVE-2026-42897, impacting on-premise versions of Exchange Server with a CVSS score of 8.1. The vulnerability is a spoofing bug stemming from a cross-site scripting flaw.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-20182, a critical authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller, to its Known Exploited Vulnerabilities (KEV) catalog. FCEB agencies are required to remediate the issue by May 17, 2026.
Cisco has released updates to address a maximum-severity authentication bypass flaw in Catalyst SD-WAN Controller, tracked as CVE-2026-20182, which has been actively exploited. The vulnerability carries a CVSS score of 10.0.
Cybersecurity researchers have identified malicious activity in three versions of the npm package node-ipc: node-ipc@9.1.6, node-ipc@9.2.3, and node-ipc@12.0.1. These versions contain a backdoor known as "Stealer."
There are multiple security threats reported, including a PAN-OS remote code execution (RCE) vulnerability and a cURL bug known as the Mythos vulnerability.
Ghostwriter, a Belarus-aligned threat group, has been linked to a series of attacks targeting Ukrainian government organizations using geofenced PDF phishing and Cobalt Strike. Ghostwriter has been active since at least 2016 and has been tracked under various monikers, including FrostyNeighbor, PUSHCHA, Storm-0257, TA445, and UAC-0057.
Cyber Attacks
A critical vulnerability in the Funnel Builder WordPress plugin is being actively exploited to inject malicious JavaScript snippets into WooCommerce checkout pages. This vulnerability allows attackers to potentially steal credit card information.
Competitors at Pwn2Own Berlin 2026 exploited zero-day vulnerabilities in Windows 11 and Microsoft Exchange, collecting a total of $385,750 in cash awards. The vulnerabilities were among 15 unique zero-day vulnerabilities found in multiple products.
The node-ipc npm package has been compromised with credential-stealing malware in newly published versions. This is a supply chain attack targeting npm.
The Avada Builder WordPress plugin contains two vulnerabilities that allow hackers to read arbitrary files and extract sensitive information from the database. The plugin has an estimated one million active installations.
Microsoft is updating the Edge web browser to prevent it from loading saved passwords into process memory in clear text at startup. This change reverses a previous design decision.
The REMUS infostealer has evolved to prioritize the theft of browser sessions and authentication tokens, which are becoming increasingly valuable. This infostealer is designed for operational scalability, suggesting it is intended for large-scale malicious activities.
Microsoft is introducing a new capability to remotely roll back problematic Windows drivers delivered through Windows Update. This feature will automatically revert faulty drivers to a previous version.
Microsoft has identified a high-severity Exchange Server vulnerability that allows threat actors to execute arbitrary code via cross-site scripting (XSS). The vulnerability has been exploited in attacks targeting Outlook on the web users.
The TeamPCP hacker group is advertising Mistral AI code repositories for sale, threatening to leak the source code if a buyer is not found. The sale involves the Mistral AI project's source code repositories.
Hackers are exploiting a critical authentication bypass vulnerability in the Burst Statistics WordPress plugin to gain admin-level access to websites. The vulnerability allows unauthorized access to websites that have the plugin installed.
Latest Breaches
This month's Patch Tuesday saw widely-used software makers, including Apple, Google, Microsoft, Mozilla, and Oracle, fix near-record volumes of security bugs. Artificial intelligence platforms have been effective in identifying vulnerabilities in human-made computer code.
A data extortion attack on the Canvas education technology platform has disrupted classes and coursework at US schools and universities. The attack, which defaced the login page with a ransom demand, claims to involve data from 275 million students and faculty across nearly 9,000 institutions.
A Brazilian DDoS protection firm enabled a botnet that launched massive DDoS attacks against other network operators in Brazil. The firm's CEO attributes the malicious activity to a security breach, possibly orchestrated by a competitor.
Tyler Robert Buchanan, a 24-year-old British national, has pleaded guilty to wire fraud conspiracy and aggravated identity theft. He admitted involvement in text-message phishing attacks in 2022 that targeted major technology companies and resulted in the theft of tens of millions of dollars worth of cryptocurrency.
Microsoft released 167 security updates to address vulnerabilities in Windows operating systems and related software, including a SharePoint Server zero-day and a publicly disclosed weakness in Windows Defender. Additionally, Google Chrome fixed its fourth zero-day of 2026 and Adobe Reader received an emergency update to address an actively exploited flaw.
Russian hackers linked to military intelligence units are exploiting known flaws in older internet routers to steal Microsoft Office authentication tokens. The campaign has affected over 18,000 networks, allowing hackers to quietly harvest authentication tokens without deploying malicious software or code.
Daniil Maksimovich Shchukin, a 31-year-old Russian, has been identified as the head of the Russian ransomware groups GandCrab and REvil, operating under the handle "UNKN". He is accused of carrying out at least 130 acts of computer sabotage and extortion against victims in Germany between 2019 and 2021.
A financially motivated group has launched a "CanisterWorm" wiper attack targeting Iran, spreading through poorly secured cloud services. The attack affects systems using Iran's time zone or with Farsi set as the default language.
The U.S. Justice Department, along with authorities in Canada and Germany, has disrupted the online infrastructure behind four IoT botnets: Aisuru, Kimwolf, JackSkid, and Mossad. These botnets, comprised of over three million hacked IoT devices, are responsible for recent record-breaking DDoS attacks.
Iran-backed hackers are claiming responsibility for a wiper attack on Medtech firm Stryker. The attack resulted in Stryker sending home over 5,000 workers in Ireland.
Ransomware & Malware
Cisco has identified a critical SD-WAN flaw, tracked as CVE-2026-20182, which allows attackers to gain administrative privileges on compromised devices. This flaw has been actively exploited in zero-day attacks.
OpenAI has confirmed a security breach in the TanStack supply chain attack, which affected hundreds of npm and PyPI packages. Two of OpenAI's employee devices were compromised in the breach.
At Pwn2Own Berlin 2026, security researchers exploited zero-days in Windows 11 and Microsoft Edge, collecting a cash award. The total cash award collected by the researchers was $523,000.
An 18-year-old vulnerability in the NGINX open-source web server has been discovered, allowing for denial of service and potential remote code execution. The flaw was found using an autonomous scanning system.
Cargo theft is now often initiated through phishing emails and stolen credentials, allowing thieves to reroute and steal freight from supply chains. This shift marks a change in the tactics used in cargo crime, as previously hijackings were a common method.
At Pwn2Own Berlin 2026, security researchers earned $385,750 on day two, bringing the total to $908,750 and 39 vulnerabilities. The day's exploits targeted products including Windows 11, Microsoft Exchange, and Red Hat Enterprise Linux.
Microsoft has confirmed that a zero-day vulnerability, tracked as CVE-2026-42897, is being actively exploited in the wild. The vulnerability is an improper neutralization of input during web page generation, also known as cross-site scripting, in Microsoft Exchange.
ESET researchers have uncovered new activity from the APT group FrostyNeighbor, also known as Ghostwriter, targeting Ukrainian government organizations since at least March 2026. The campaign is similar to previous FrostyNeighbor campaigns.
Researchers Chaotic Eclipse, also known as Nightmare-Eclipse, have disclosed two Windows zero-day vulnerabilities, YellowKey and GreenPlasma, affecting BitLocker and the CTFMON framework. The flaws allow attackers to bypass BitLocker protections and exploit the CTFMON framework.
At Pwn2Own Berlin 2026, 22 entries were made targeting various technologies, resulting in 24 unique zero-day vulnerabilities being demonstrated. Researchers earned a total of $523,000 in rewards on the first day of the event.
Vulnerabilities & CVEs
Threat actors have been observed attempting to exploit CVE-2026-44338, a missing authentication vulnerability in PraisonAI with a CVSS score of 7.3, within four hours of its public disclosure. CVE-2026-44338 exposes sensitive endpoints to anyone, potentially allowing an attacker to invoke unauthorized actions.
AI hallucinations are introducing serious security risks into critical infrastructure decision-making by generating highly confident yet incorrect outputs. These outputs occur when an AI model lacks certainty and generates the most probable response based on patterns in its training data.
An anonymous researcher, known by the alias Chaotic Eclipse, has disclosed two zero-day vulnerabilities affecting Windows: a BitLocker bypass and a privilege escalation in the Windows Collaborative Translation Framework (CTFMON). The vulnerabilities have been codenamed YellowKey and GreenPlasma.
A new Linux kernel vulnerability, codenamed Fragnesia and tracked as CVE-2026-46300, allows local attackers to gain root access via page cache corruption. The vulnerability is rooted in the Linux kernel's XFRM.
Cybersecurity researchers have disclosed a critical 18-year-old flaw in the ngx_http_rewrite_module of NGINX Plus and NGINX Open, which could enable unauthenticated remote code execution (CVE-2026-42945). The vulnerability has a CVSS v4 score of 9.2.
Microsoft has unveiled a new AI-driven system called MDASH, designed to facilitate vulnerability discovery and remediation at scale. MDASH has already identified 16 Windows flaws that were fixed in a recent Patch Tuesday update.
Azerbaijani oil and gas company was targeted by a threat actor with affiliations to China in a "multi-wave intrusion" between late December 2025 and late February 2026. The activity was attributed to a hacking group known as FamousSparrow (aka UAT-9244) with moderate-to-high confidence.
Experts from Wiz will discuss how hackers create a "Lethal Chain" by connecting tiny flaws in code, pipelines, and cloud infrastructure to compromise data. This webinar aims to help attendees understand and break these attack paths.
Security teams have improved visibility into their environments, but struggle to confirm the effectiveness of remediation efforts, with median time to remediate edge device vulnerabilities at 32 days. The mean time to exploit vulnerabilities is estimated to be negative seven days, according to the Mandiant's M-Trends 2026 report and Verizon's 2025 DBIR.
Microsoft has released patches for 138 security vulnerabilities, including 30 Critical and 104 Important-rated flaws, across its product portfolio. The patches address vulnerabilities such as DNS and Netlogon RCE flaws.
Cybersecurity Trends
A popular npm package called node-ipc was compromised, with hackers publishing malicious versions that bundle credential stealing malware. The root cause of the compromise was an expired domain name tied to the package.
A zero-day vulnerability in Microsoft Exchange Server can be triggered by opening a malicious email. This vulnerability has been discovered and experts are urging caution.
Cisco has disclosed a max-severity authentication bypass vulnerability affecting its Catalyst SD-WAN Controller and Catalyst SD-WAN Manager platforms. The flaw has already been found to be actively exploited.
Waymo has driven over 170 million autonomous miles without a serious crash or injury. This milestone marks a significant achievement in the development of autonomous systems.
The EU's Cyber Resiliency Act focuses on product safety rather than processes or cybersecurity measures. It will put IT leaders to the test.
No information is provided about the content of the article.
Researchers have discovered an 18-year-old remote code execution flaw in Nginx, a widely used web server, which is a heap buffer overflow. The vulnerability was found by an AI agent.
Linux admins have been affected by a third Linux kernel vulnerability in a month, named Fragnesia.
FlowerStorm, a phishing-as-a-service operation, has adopted virtual-machine obfuscation to evade email defenses. This involves using a browser-based virtual machine to conceal credential theft code.
A vulnerability in the open-source AI orchestration framework PraisonAI was disclosed, and it was scanned within 4 hours of the disclosure. The vulnerability is an authentication bypass flaw in PraisonAI.
Cloud & DevSecOps
The AWS AI Security Framework is a security framework designed to help security leaders secure AI workloads as they evolve from prototype to production to scale. It provides a structured approach to assessing and securing AI workloads through a phased framework, starting with foundational controls.
AWS IAM Identity Center now supports regional routing for access portals, allowing customers to implement custom vanity domains for their IAM Identity Center. This feature is part of IAM Identity Center's multi-Region replication, which enables customers to replicate their instance across multiple AWS Regions.
AWS has introduced the PQC Readiness Scanner, an automated tool that inventories and continuously monitors TLS configurations for Post-quantum cryptography (PQC) readiness across Application Load Balancer (ALB), Network Load Balancer (NLB), and Amazon API Gateway endpoints. The tool helps users understand their current TLS endpoint inventory and posture.
Amazon GuardDuty can be used to identify and mitigate cryptocurrency mining threats in AWS environments. This is achieved through GuardDuty's specialized detection capabilities.
AWS has released an updated User Guide to Governance, Risk, and Compliance for Responsible AI Adoption, aimed at supporting the financial services industry in its AI adoption. The guide addresses GRC considerations that arise from using AI solutions in this industry.
Amazon Web Services (AWS) has completed PCI PIN and PCI P2PE assessments for the AWS Payment Cryptography service, expanding its compliance portfolio. This validation makes AWS a component provider for Key Management (KMCP) and other compliance areas.
AWS Security Agent now offers a full repository code scanning feature in preview, allowing for deep, context-aware security analysis of entire code bases. This feature uses AI-driven capabilities to identify vulnerabilities and build working exploits.
Amazon Web Services (AWS) is enabling AI sovereignty for customers, allowing them control over their data and choices for how and where it is used. This move aims to unlock the full potential of cloud and AI technologies.
AWS is offering complimentary, virtual, hands-on workshops called Security Activation Days to provide practical experience with AWS security services. These workshops are designed to help organizations strengthen their security posture on Amazon Web Services.
AWS has released a monthly digest post featuring the latest security features, compliance updates, and hands-on resources. The April 2026 AWS Security Blog posts covered topics such as AI security, identity and access management, threat intelligence, data protection, and multicloud operations.
Privacy & Surveillance
Millions of people worldwide use EFF's Privacy Badger browser extension to block hidden trackers. The extension blocks trackers that are used by Big Tech, advertisers, scammers, and data brokers.
Lawmakers in various statehouses, including California, are pushing to ban social media for youth based on weak evidence. The exact nature of this weak evidence is not specified in the provided text.
Instagram has ended its opt-in end-to-end encrypted direct messaging feature. This move comes after the company publicly promised to provide end-to-end encryption across its platforms by default.
Apple has released iOS 26.5, which supports end-to-end encryption for Rich Communication Services (RCS) in beta. This update also brings end-to-end encryption to RCS on Android, allowing for encrypted conversations between users on both platforms.
The Electronic Frontier Foundation (EFF) has launched an offline campaign for Saudi Wikipedian Osama Khalid. Osama Khalid began contributing to Wikipedia Arabic at the age of 12 and was a prolific blogger during the blogging era.
There is no explicit information in the provided snippet about the topic of a "Hackers Guide to Circumventing Internet Shutdowns". However, based on the title, a possible factual summary for a tech audience could be: A "Hackers Guide to Circumventing Internet Shutdowns" is a topic that may be discussed, but no specific information is provided in the snippet.
Canada's Bill C-22 is a rebranded version of last year's Bill C-2, which aimed to erode Canadian digital rights in the name of "border security." The details of Bill C-22 are not explicitly stated in the provided information.
The Electronic Frontier Foundation (EFF) filed an amicus brief in the U.S. Court of Appeals for the Fourth Circuit arguing that electronic device searches at the border require a warrant. The brief was filed alongside other organizations including the national ACLU and the National Association of Criminal Defense Lawyers (NACDL).
The Electronic Frontier Foundation (EFF) has expressed solidarity with RightsCon and the global digital rights community. RightsCon was abruptly canceled after Zambia required full alignment with national values.
Lawmakers have narrowed the GUARD Act, a bill aimed at restricting minors' access to certain AI systems. The bill's current form is not explicitly stated in the provided content.
IT Industry
Datacenters in the largest US energy market have increased energy prices by 75% due to high energy consumption. Energy watchdogs suggest that bringing your own power (BYO power) to AI datacenters may be a potential solution to alleviate the issue.
Google requires users to provide a phone number to access the full 15GB of free storage, otherwise they will be limited to 5GB. This is a condition for users to access the full storage capacity.
Anthropic, the maker of the Claude AI model, is urging the US government to implement stricter controls on chip and model exports to prevent China from advancing its AI capabilities. This warning is based on concerns that authoritarian regimes could set the rules for AI development unless the US takes action.
A vulnerability in Exchange Server has been exploited, allowing attackers to use Outlook Web Access (OWA) inboxes as script launchpads. Microsoft has released a mitigation to address the issue, but it may cause problems with inline images and calendar printing until a proper patch is available.
Open Source & Dev Tools
GitHub is piloting an experimental general-purpose accessibility agent. Details about the agent can be found in the post "Building a general-purpose accessibility agent—and what we learned in the process" on The GitHub Blog.
GitHub is updating its bug bounty program standards to prioritize quality submissions and clarify shared responsibility boundaries. The program will also evolve its reward system for low-risk findings.
In April 2026, GitHub experienced 10 incidents that resulted in degraded performance across its services. These incidents affected GitHub's overall availability.
The GitHub Issues team used client-side caching, smart prefetching, and service workers to improve navigation performance. This modernization effort aimed to make navigation feel instant.
Roguelikes are a type of game that can persist despite being abandoned or rewritten due to their dedicated communities. They often undergo forking, mutation, and revival as a result of community involvement.
GitHub is updating its individual plans for GitHub Copilot starting June 1. The changes include introducing flex allotments in the Pro and Pro+ plans, as well as a new Max plan.
A GitHub user used GitHub Copilot CLI to build an extension that turns any codebase into a unique, roguelike dungeon. The extension is procedurally generated.
GitHub has published a post titled "GitHub for Beginners: Getting started with OSS contributions" on their blog, which aims to help users find opportunities to contribute to the open source community. The post is available on GitHub's developer skills section.
Youth safety requirements are moving down the tech stack to operating systems and app stores. This shift raises new questions for open source developers.
Researchers used GitHub data to predict GDP, inequality, and emissions, revealing insights that traditional economic data may miss. This analysis was conducted using GitHub's Innovation Graph data, specifically with the Q4 2025 data release.
Threat Intelligence
Unit 42 has analyzed the evolution of Gremlin stealer, which now uses advanced techniques such as obfuscation, crypto clipping, and session hijacking to compromise data. The new variant of Gremlin stealer employs these tactics to evade detection.
Unit 42 analyzed AD CS exploitation through template misconfigurations and shadow credential misuse. They also offered behavioral detection methods for defenders.
Unit 42 has identified a buffer overflow vulnerability, CVE-2026-0300, in the PAN-OS User-ID Authentication Portal. This vulnerability allows for unauthenticated remote code execution.
Copy Fail (CVE-2026-31431) is a critical Linux kernel Local Privilege Escalation (LPE) vulnerability that allows stealthy root access. This flaw impacts millions of systems.
Unit 42 has analyzed the npm supply chain evolution post-Shai Hulud, discovering various threats such as wormable malware and multi-stage attacks. The analysis is outlined in the post "The npm Threat Landscape: Attack Surface and Mitigations (Updated May 1)".
Unit 42 emphasizes the importance of a comprehensive security strategy that covers all IT zones. A post on their website explores the essential data sources for detection beyond the endpoint.
High-risk AI browser extensions, disguised as productivity tools, are stealing data, intercepting prompts, and exfiltrating passwords. These extensions are reading user input before generating responses, potentially compromising user security.
Unit 42 research reports that TGR-STA-1030 is an active threat, particularly in Central and South America. TGR-STA-1030 has been identified with new activity in these regions.
Security leaders are seeking answers on the next steps in the new age of frontier AI, with questions being addressed in a recent post. A post titled "Frontier AI and the Future of Defense: Your Top Questions Answered" aims to answer the top 10 questions customers are asking.
Unit 42 has revealed how multi-agent AI systems can autonomously attack cloud environments. This is discussed in a post titled "Can AI Attack the Cloud? Lessons From Building an Autonomous Cloud Offensive Multi-Agent System".
NIST & Frameworks
The U.S. Small Business Administration has led National Small Business Week for over 60 years. NIST's mission includes driving U.S. innovation and global competitiveness, with the small business community being central to this mission.
Verifiable digital credential issuance involves structuring and sharing credentials, such as mobile driver's licenses (mDLs), using formats like ISO/IEC 18013-5 and -7 mobile documents (mdocs) or W3C Verifiable Credentials (VCs). The issuance process is a crucial step in creating functional digital credentials.
The NIST Cyber AI Profile Workshop received input on the Preliminary Draft in January, which is informing the development of the next draft. A full workshop summary capturing themes and highlights is being prepared for publication.
The NIST Cybersecurity for IoT Program is hosting a two-day workshop on March 31 - April 1, 2026, at their Gaithersburg campus to gather input on future directions. Registration and details can be found HERE, or attendees can email IoTSecurity[at]nist[dot]gov to participate.
The Cybersecurity Framework (CSF) 2.0 was published in 2024, marking two years since its release. The CSF 2.0 included the addition of a Govern Function and other updates.
Data Privacy Week is a global initiative led by the National Cybersecurity Alliance to spread awareness about online privacy and empower individuals and businesses to respect privacy, safeguard data, and enable trust. The NIST Privacy Engineering Program is reflecting on its recent work and looking ahead to future collaborations with its privacy stakeholder community in 2026.
The Verifiable Digital Credential (VDC) ecosystem can represent a wide range of credentials, including driver's licenses, diplomas, and proof of age. VDCs are being considered for use in various use cases due to their ability to present identity and attributes both in person and online.
Rodney Petersen has served as the Director of NICE at NIST for the past eleven years, focusing on advancing cybersecurity education and workforce development. He will be retiring from federal government service at the end of the 2025 calendar year.
The National Institute of Standards and Technology (NIST) has extended the comment period for the second public draft of NIST IR 8259 to December 10, 2025. NIST IR 8259 describes recommended pre-market and post-market activities for IoT product manufacturers to meet customer cybersecurity needs and expectations.
NIST has released Revision 4 of Special Publication 800-63, Digital Identity Guidelines, which is the culmination of a nearly four-year collaborative process involving foundational research, public drafts, and over 6,000 comments. This revision aims to address changes in the digital landscape since the last update.
Regulatory Compliance
A new variant of the Gremlin stealer has evolved into a modular toolkit with advanced evasion capabilities. This updated variant also features enhanced data theft capabilities.
Microsoft has reported a severe zero-day flaw in on-premises installations of Exchange Server, specifically affecting versions 2016, 2019, and Subscription Edition. The vulnerability is present in all versions of these Exchange Server iterations.
China-linked hackers have deployed a new malware called TencShell against the Indian branch of a global manufacturer. The attack utilized an open source offensive toolkit.
The Mustang Panda campaign has been linked to an updated FDMTP backdoor used in espionage attacks against networks in the Asia-Pacific region. The campaign targets networks in the Asia-Pacific and Japan.
Google has launched an Android Spyware Forensics Tool, a feature for Android Advanced Protection Mode that enables trusted security experts to investigate potential spyware infections. This tool is designed for high-risk users.
A new vulnerability, known as Fragnesia, has been discovered in the Linux kernel, allowing unprivileged local users to gain root access. This flaw affects Linux systems.
A Semperis study found that 74% of organizations believe AI will increase attacks on identity infrastructure.
The Information Commissioner's Office (ICO) has published a five-step plan to counter emerging AI-powered attacks. The guidance aims to help mitigate the risk of AI-powered attacks.
Instructure, the owner of Canvas, has reached an agreement with ShinyHunters following a ransomware attack on the Canvas system. The agreement pertains to the breach data.
A vulnerability in Avada Builder exposed one million WordPress sites to file read and SQL injection attacks. The issue allowed unauthorized access to sensitive data on affected sites.
Government & Policy
CISA has added CVE-2026-42897, a Microsoft Exchange Server Cross-Site Scripting Vulnerability, to its Known Exploited Vulnerabilities Catalog due to evidence of active exploitation. This vulnerability is a frequent attack vector.
Siemens ROS# contains a path traversal vulnerability in its file_server service prior to version 2.2.2, allowing an attacker to access arbitrary files with the user's rights. A new version, 2.2.2, has been released to address this issue.
Siemens gPROMS Web Applications Publisher (gWAP) is affected by a remote code execution vulnerability due to a third-party component, specifically the Axios HTTP client library. The vulnerability allows a "Gadget" attack chain that enables prototype pollution in other third-party libraries.
Siemens SIMATIC CN 4100 contains multiple vulnerabilities that could potentially lead to a compromise in availability, integrity, and confidentiality. Siemens recommends updating to the latest version of SIMATIC CN 4100 to address these vulnerabilities.
Siemens Ruggedcom Rox contains an input validation vulnerability in its Scheduler functionality that could allow an authenticated remote attacker to execute arbitrary commands. Siemens has released new versions to address this vulnerability and recommends updating to the latest versions.
Siemens Ruggedcom Rox versions prior to v2.17.1 contain multiple third-party vulnerabilities. Affected versions include RUGGEDCOM ROX MX5000 with vers:intdot/<2.17.1.
Simcenter Femap is affected by a heap-based buffer overflow vulnerability in the Datakit library, which can be triggered when the application reads files in IPT format. This vulnerability could allow an attacker to perform remote code execution.
Universal Robots Polyscope 5 versions prior to 5.25.1 are affected by vulnerabilities that could allow an attacker to bypass authentication and execute code. Successful exploitation of these vulnerabilities could have security implications.
Siemens Ruggedcom Rox contains an input validation vulnerability that could allow an authenticated remote attacker to execute arbitrary commands with root privileges. Siemens has released new versions for the affected products and recommends updating to the latest version.
Siemens Teamcenter is affected by multiple vulnerabilities that could compromise availability, integrity, and confidentiality. Siemens has released new versions for the affected products and recommends updating to the latest versions.
Zero-Day Exploits
GemStuffer is a campaign that has targeted the RubyGems repository with over 150 gems used for data exfiltration, rather than malware distribution. The affected gems have little to no download activity and repetitive payloads.
Google has introduced an opt-in Android feature called Intrusion Logging, which stores forensic logs to aid in analyzing sophisticated spyware attacks. Intrusion Logging is available as part of Advanced Protection Mode.
Exim has released security updates to address a severe security issue affecting certain configurations that could enable memory corruption and potential code execution. The vulnerability, tracked as CVE-2026-45185, affects GnuTLS builds.
RubyGems has temporarily suspended new account signups due to a major malicious attack. Hundreds of malicious packages have been uploaded to the platform.
A new variant of the TrickMo Android banking trojan has been observed using The Open Network (TON) for command-and-control (C2) and SOCKS5 to create Android network pivots. This variant was actively targeting banking and cryptocurrency wallet users in France, Italy, and Austria between January and February 2026.
A recent report from The Hacker News found that certain high-risk alert categories, including WAF, DLP, OT/IoT, dark web intelligence, and supply chain signals, consistently go uninvestigated. These alert categories are among the riskiest SOC alerts that go unanswered.
TeamPCP, a threat actor, has compromised several npm and PyPI packages, including TanStack, UiPath, Mistral AI, OpenSearch, and Guardrails AI, as part of a Mini Shai-Hulud campaign. The compromised packages contain an obfuscated JavaScript file ("router_init.js") designed to profile execution.
Agentic AI is currently running in production environments across many organizations, executing tasks and consuming data without significant security involvement. The industry conversation around agentic AI has focused on policy decisions such as allowing or restricting its use.
Instructure, the parent company of Canvas, has reached an agreement with the decentralized cybercrime group ShinyHunters to stop the leak of 3.65TB of stolen information. The agreement was made after ShinyHunters breached Instructure's network and threatened to release the stolen data from thousands of schools and universities.
OpenAI has launched Daybreak, a cybersecurity initiative that utilizes AI model capabilities to help organizations identify and patch vulnerabilities. Daybreak combines OpenAI models with Codex Security to aid in vulnerability detection and patch validation.
Nation-State Attacks
Google Threat Intelligence Group has tracked an expansive extortion campaign by UNC6671, a threat actor operating under the "BlackFile" brand. The campaign involves vishing, a type of phishing attack that uses phone calls.
Since the February 2026 report, adversaries have leveraged AI for vulnerability exploitation, augmented operations, and initial access. This AI-related threat activity was observed and documented by Google Threat Intelligence Group.
Google Threat Intelligence Group identified a multistage intrusion campaign by UNC6692, which leveraged persistent social engineering to deploy a custom malware suite. The campaign involved a series of tactics by the threat group.
General-purpose AI models can excel at vulnerability discovery, even without being purpose-built for the task. These models will eventually be integrated directly into the development cycle.
Germany has seen a significant surge in data leak site posts, with Google Threat Intelligence data showing a notable impact on German infrastructure. This surge is part of a global increase of almost 50% in data leak site posts in 2025.
There is not enough information provided to create a factual summary for a tech audience. The content appears to be an introduction to a guide about vSphere and BRICKSTORM malware, but it does not contain any technical information.
A North Korea-nexus threat actor has compromised the widely used Axios NPM package in a supply chain attack. The Axios NPM package is a widely used JavaScript library.
Mandiant observed a clear divergence in adversary pacing in 2025, which aligns with trends previously documented for defenders. This divergence occurred in the cyber threat landscape.
Google's Threat Intelligence Group has identified a new iOS full-chain exploit called DarkSword, which leveraged multiple zero-day vulnerabilities to compromise devices. The exploit chain was first observed at least as early as November 2025.
Since 2018, financially motivated threat actors have shifted their monetization strategy to post-compromise ransomware deployments. This shift occurred when many threat actors began using ransomware as a tactic.
Dark Web & Underground
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a flaw in Cisco Catalyst SD-WAN, tracked as CVE-2026-20182, to its Known Exploited Vulnerabilities catalog. This flaw, with a CVSS score of 10.0, was previously fixed by Cisco.
A Linux kernel vulnerability, tracked as CVE-2026-46300, allows local attackers to gain root access through page cache corruption. The flaw affects the XFRM ESP-in-TCP subsystem.
Broadcom released a security update for VMware Fusion to address a high-severity vulnerability, CVE-2026-41702, which could allow local attackers to escalate privileges to root on affected systems. The flaw is a time-of-check time-of-use (TOCTOU) vulnerability.
Researchers have discovered a critical 18-year-old buffer overflow flaw, tracked as CVE-2026-42945, in NGINX, affecting both NGINX Plus and NGINX. The vulnerability, named NGINX Rift, was found by security researchers at depthfirst.
FamousSparrow, a Chinese-linked threat actor, conducted a multi-wave espionage campaign targeting an Azerbaijani oil and gas company from December 2025 to February 2026. The campaign reused the same compromised entry point in three separate intrusions during this time period.
AI/ML Security Research
Apple has released iOS 26.5, which includes support for end-to-end encrypted RCS messaging in beta. This feature is available to iPhone users running iOS 26.5 with supported carriers and Android users on the latest version of Google Messages.
Checkmarx has confirmed that a modified version of the Jenkins AST plugin was published to the Jenkins Marketplace, and users should ensure they are using version 2.0.13-829.vc72453fa_1c16 or earlier. This version was published on December 17, 2025.
A threat actor named Mr_Rot13 has been exploiting the cPanel CVE-2026-41940 vulnerability to deploy a backdoor called Filemanager. The vulnerability, impacting cPanel and WebHost Manager (WHM), allows remote attackers to gain elevated control of the control panel.
Google has identified a zero-day exploit used by an unknown threat actor, which is believed to have been developed with an artificial intelligence (AI) system. This marks the first known instance of AI being used in the wild for vulnerability discovery and exploit generation in a malicious context.
A Linux rootkit was discovered, allowing unauthorized access to a system. A macOS crypto stealer was also reported, targeting user cryptocurrency.
A purple team, intended to simulate real-world attacks, often consists of a blue team and a red team working together in the same room, rather than being a distinct entity. This setup can hinder the effectiveness of the purple team due to the limitations and inefficiencies of the system it operates within.
A malicious Hugging Face repository, Open-OSS/privacy-filter, impersonated OpenAI's Privacy Filter open-weight model and reached the top of the platform's trending list, garnering 244K downloads. The repository was a Rust-based information stealer targeting Windows users.
A critical security vulnerability, tracked as CVE-2026-7482, has been discovered in Ollama, allowing a remote, unauthenticated attacker to leak its entire process memory. The flaw, codenamed Bleeding Llama, has a CVSS score of 9.1 and is estimated to impact over 300,000 servers globally.
cPanel has released updates to address three vulnerabilities in cPanel and Web Host Manager (WHM), including CVE-2026-29201, CVE-2026-29202, and CVE-2026-29203. The vulnerabilities could be exploited to achieve privilege escalation, code execution, and denial-of-service.
Threat hunters have identified a previously undocumented Brazilian banking trojan called TCLBANKER, which targets 59 banking, fintech, and cryptocurrency platforms. The malware is assessed to be a major update of the Maverick family, which leverages a worm called SORVEPOTEL.
IoT & OT Security
Cybersecurity researchers discovered 28 fraudulent apps on the Google Play Store that falsely claimed to offer access to call histories, resulting in over 7.3 million downloads. These apps tricked users into joining a subscription that provided fake data and incurred financial loss.
Hackers are using AI to make initial infections in cybersecurity breaches nearly impossible to spot, starting with a single employee's "first click". This can lead to a compromised laptop taking down an entire network.
A previously undocumented Linux implant, Quasar Linux RAT (QLNX), targets developers' systems to steal credentials and facilitate various post-compromise functionalities. QLNX specifically targets developers and DevOps credentials across the software supply chain.
A recent report analyzed over 25 million security alerts across live enterprise environments, revealing that defenders often ignore low-severity risks. The dataset behind the findings includes 10 million monitored systems and devices.
Researchers have disclosed a new Linux backdoor called PamDOORa, which uses Pluggable Authentication Module (PAM) modules to enable persistent SSH access. The backdoor is being advertised on the Rehub Russian cybercrime forum for $1,600.
A new, unpatched local privilege escalation (LPE) vulnerability, dubbed Dirty Frag, has been discovered in the Linux kernel. It is described as a successor to the recently disclosed Copy Fail (CVE-2026-31431) LPE flaw.
A high-severity vulnerability, CVE-2026-6973, has been identified in Ivanti Endpoint Manager Mobile (EPMM) versions prior to 12.6.1.1, 12.7.0.1, and 12.8.0.1, allowing a remotely authenticated user with administrative access to achieve remote code execution. The vulnerability has a CVSS score of 7.2.
Researchers have identified a credential theft framework called PCPJack that exploits 5 CVEs to spread across cloud systems. PCPJack targets exposed cloud infrastructure and harvests credentials from various services, including cloud, container, developer, productivity, and financial services.
Palo Alto Networks has disclosed a critical security flaw, CVE-2026-0300, in its PAN-OS software, which is a buffer overflow vulnerability in the User-ID Authentication Portal service. This vulnerability has a CVSS score of 9.3/8.7 and could allow an unauthenticated attacker to gain root access.
Here's a 1-2 sentence factual summary for a tech audience: Attackers are exploiting common vulnerabilities such as shady packages, fake apps, forgotten DNS junk, scam ads, and stolen logins to gain unauthorized access. These attack chains are being shared through various channels, including Discord.
Quantum & Cryptography
There is no specific tech-related information provided in the given text. However, it mentions a blog moderation policy update at Schneier's blog, stating that a new policy has been implemented.
Some AI-based video age-verification checks can be bypassed using a fake mustache. This method has been reported to successfully fool certain age-verification systems.
A speaker is scheduled to give a virtual talk on "The Security of Trust in the Age of AI" hosted by the Financial Women's Association of New York on May 21, 2026, at 6:00 PM ET. They will also speak at the Potsdam Conference on National Cybersecurity at the Hasso Plattner Institut in Potsdam, Germany, from June 24- (exact date not specified).
Anthropic's Claude Mythos Preview AI model is capable of finding security vulnerabilities in software. The company has chosen not to release it to the general public, instead making it available to a select group of companies to scan and fix their own software.
The UK's AI Security Institute found that OpenAI's GPT-5.5 is comparable to Claude Mythos in terms of its ability to find security vulnerabilities. GPT-5.5 is generally available.
A Linux kernel vulnerability known as "copy.fail" (CVE-2026-31431) has been disclosed, allowing for local privilege escalation. The vulnerability exploits the kernel crypto API and splice() function to write data into the page cache of a file.
Researchers have found that Large Language Models (LLMs) are effective at hiding text messages within other text messages using a technique called text-in-text steganography. This is based on a study published at arxiv.org with the reference 2510.20075.
Researchers have found evidence of giant squid living in the waters of Western Australia by analyzing DNA in the seawater. This discovery was made through DNA analysis.
Analysis by the Anti-Corruption Data Collective found that long-shot bets on Polymarket had an average win rate of around 52 percent in markets on military and defense actions. Long-shot bets on Polymarket are defined as wagers of $2,500 or more at odds of 35 percent or less.
ICE is developing its own version of smart glasses that incorporates facial recognition technology. The smart glasses will be linked to various databases.
Healthcare Security
A survey of cybersecurity leaders found that over half would consider paying hackers to restore encrypted systems. The survey suggests that a majority of CISOs would strongly consider this option.
The G7 Cybersecurity Working Group has released a new Software Bill of Materials (SBOM) for AI guidance, outlining seven key data clusters. This move aims to boost transparency and security across AI supply chains.
The UK cybersecurity market has expanded to £14.7bn in revenue, driven by growth in AI security firms. This growth is attributed to increased investment and rising employment across the industry.
OpenAI has launched 'Daybreak' to help build secure software by design. Daybreak aims to utilize OpenAI's frontier AI models to deploy secure software from the ground up.
Apple has started rolling out end-to-end encrypted RCS messaging between iPhone and Android devices in iOS 26.5. This feature allows for secure messaging between users on different platforms.
ReliaQuest researchers have identified a combination of open-source tools, specifically ClickFix and PySoxy proxying, being used by attackers to maintain persistent access. This exploitation of open-source tools allows attackers to maintain access after an initial social engineering attack.
South Staffordshire Water has been fined £1m by the ICO for data protection failings. The fine is related to a data breach.
Financial Security
NEW
Here's a 1-2 sentence factual summary for a tech audience: Nvidia experienced a cloud gaming data breach, and the FBI issued a warning after ShinyHunters hacks Canvas. Additionally, Android 17 included security upgrades.
Microsoft has shared mitigations for CVE-2026-42897, a zero-day vulnerability in Exchange Server, until a permanent patch can be released. The vulnerability is being exploited in the wild.
A ransomware attack on American Lending Center led to a data breach affecting 123,000 individuals. The lender completed its investigation into the incident nearly one year after the attack was discovered.
OpenAI was hit by a TanStack supply chain attack, resulting in two employee devices being compromised and credential material being stolen from their code repositories. The attack targeted OpenAI's code repositories.
TeamPCP has released the source code for the Shai-Hulud worm, and is encouraging hackers to use it in supply chain attacks, offering monetary rewards. The group has made the worm's source code publicly available.
Chrome 148 has resolved critical-severity use-after-free and other types of bugs in various browser components. The update patches these critical vulnerabilities.
Cisco has patched a zero-day vulnerability, tracked as CVE-2026-20182, in its SD-WAN product. This is the sixth zero-day exploited in 2026.
For AI data centers, security and performance are no longer mutually exclusive. This is stated in the article "Enhancing Data Center Security Without Sacrificing Performance".
A new Linux kernel vulnerability, tracked as CVE-2026-46300, has been discovered, allowing root privilege escalation. This vulnerability is similar to previously disclosed exploits named Dirty Frag and Copy Fail.
Independent benchmarking found Mythos to be highly effective for source code audits, reverse engineering, and native-code analysis. Its exploit validation and reasoning capabilities, however, remain inconsistent.
Critical Infrastructure
Siemens Solid Edge SE2026 before Update 5 is vulnerable to two file parsing vulnerabilities that can be triggered when reading specially crafted PAR files. A new version has been released to address these vulnerabilities.
A vulnerability was discovered in the web server of the Siemens SENTRON 7KT PAC1261 Data Manager, specifically in versions before V2.1.0, which could allow an attacker to retrieve authorization tokens. Siemens has released a new version to address this issue.
Siemens Opcenter RDnL is affected by a missing authentication vulnerability in the 'ActiveMQ Artemis' critical function. An unauthenticated attacker within the adjacent network can use the Core protocol to force a target broker to establish an outbound connection to a rogue broker.
Siemens' Ruggedcom Rox product contains an improper access control vulnerability that allows an authenticated remote attacker to read arbitrary files with root privileges. Siemens has released new versions to address this issue and recommends updating to the latest versions.
Siemens SIMATIC S7 PLCs contain multiple vulnerabilities in their web server that could allow cross-site scripting attacks. Siemens has released new versions for affected products and recommends updating to the latest versions.
CISA has added CVE-2026-20182, a Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability, to its Known Exploited Vulnerabilities (KEV) Catalog due to evidence of active exploitation.
Siemens SIMATIC HMI Unified Comfort Panels before V21.0 have a vulnerability that allows an unauthenticated attacker to access the web browser via the help link. This vulnerability can be exploited if the web browser is not protected by security mechanisms.
Siemens Industrial Devices have released new versions to address a vulnerability that could allow an attacker to cause a denial of service condition. The affected products require updating to the latest versions to mitigate the issue.
Siemens SIPROTEC 5 devices have a vulnerability where they do not use sufficiently random numbers to generate session identifiers, potentially allowing a brute-force attack. This could enable an unauthenticated remote attacker to hijack a valid user session.
A vulnerability in Fuji Electric Tellus version 5.0.2 allows an attacker to elevate privileges from user to system, potentially enabling temporary denial of service, file opening, or file deletion. The affected version is Tellus 5.0.2.
Security Tools & Research
Unit 42 research has identified AirSnitch attacks that can bypass WPA2/3 Wi-Fi encryption. These attacks also compromise client isolation.
Unit 42 research indicates that frontier AI models can enhance vulnerability discovery, acting as full-spectrum security researchers. These models enable autonomous zero-day discovery and faster N-day patching.
Unit 42 has observed recent Iranian cyberattack activity, including phishing, hacktivist activity, and cybercrime. This activity is detailed in a threat brief published by Unit 42.
CVE-2023-33538 is a vulnerability in TP-Link routers that allows for command injection. Exploitation attempts have been observed with payloads characteristic of Mirai botnet malware.
Unit 42 has discovered "Agent God Mode" in Amazon Bedrock AgentCore, which grants broad IAM permissions. This vulnerability poses risks of privilege escalation and data exfiltration.
The Gentlemen is a relatively new ransomware-as-a-service (RaaS) operation that emerged around mid-2025, advertising its service across multiple underground forums. Its operators invite penetration testers and other technically skilled actors to join as affiliates.
Instructure, a US education technology company behind the Canvas learning platform, has confirmed a major data breach affecting its cloud-hosted environment. Exposed data reportedly includes student and staff records and private messages.
In Q1 2026, over 70 active data leak sites listed 2,122 new ransomware victims, representing a 12.2% decline from the previous quarter's record. This figure is the second-highest Q1 on record, with a 117% increase compared to the same period in previous years.
Medtronic, a global medical device maker, has disclosed a cyberattack on its corporate IT systems, with an unauthorized party accessing data. The company reported no impact on its products, operations, or financial systems.
VECT Ransomware is a Ransomware-as-a-Service (RaaS) program that first appeared in December 2025 on a Russian-language cybercrime forum. It claimed its first two victims in January 2026.