Security Stuff

RubyGems, the official Ruby package hosting service, has temporarily suspended new account registrations after threat actors flooded the platform with over 500 malicious packages using bot accounts. The malicious packages, which included exploit code and attempted XSS attacks and data exfiltration, have been removed, and maintainers say existing packages were not compromised and end users were not targeted. Security researchers are concerned the attack could be masking something more sophisticated, as the site expects registrations to remain closed for another two to three days while implementing stricter rate limiting and additional protections.

Intel and AMD have released comprehensive security updates for May 2026 Patch Tuesday, collectively addressing 70 vulnerabilities across their product lines. Intel's most critical fix patches a buffer overflow in their Data Center Graphics Driver for VMware ESXi with a severity score of 9.3, while AMD's critical flaw involves their Device Metrics Exporter which improperly exposes network access, potentially allowing remote attackers to modify GPU configurations. The updates cover a wide range of products including drivers, firmware, processors, and software tools, with successful exploitation potentially leading to privilege escalation, code execution, and denial of service attacks.

Fortinet and Ivanti have released patches for a total of 18 vulnerabilities in their products, including three critical-severity bugs that could allow remote, unauthenticated attackers to execute code through crafted requests. The most serious flaws affect Fortinet's FortiAuthenticator and FortiSandbox products, as well as Ivanti's Xtraction tool, all with CVSS scores above 9. Both companies say they're not aware of any active exploitation in the wild, but the vulnerabilities could enable attackers to gain code execution or access sensitive files on affected systems.

Microsoft has patched a critical zero-click Outlook vulnerability that security researcher Haifei Li calls an "enterprise killer," allowing attackers to execute code simply by sending an email that's read or previewed, with no clicking required. The flaw, tracked as CVE-2026-40361, is a use-after-free bug affecting Outlook's email rendering engine that bypasses firewalls and directly targets executives' inboxes, though developing a full working exploit remains challenging. Li recommends immediate patching and notes that switching Outlook to plain text mode is the only effective mitigation aside from the security update.

Telehealth platform OpenLoop Health suffered a data breach in January 2026 that compromised personal information of 716,000 individuals, including names, addresses, email addresses, birth dates, and medical data. The unauthorized access occurred over two days beginning January 7th, though the company says Social Security numbers, financial information, and electronic health records were not affected. OpenLoop has terminated the unauthorized access, improved security controls, and is offering affected individuals one year of free credit monitoring, while a threat actor has reportedly claimed the breach involved data from 1.6 million people.

The US House Committee on Homeland Security is demanding answers from Instructure after hackers attacked its Canvas learning platform twice in early May, allegedly stealing 3.65 terabytes of data affecting 275 million students and teachers across about 9,000 schools. The notorious ShinyHunters extortion group claimed responsibility for the breach, which forced Instructure to shut down services multiple times, disrupting students during final exams at more than 8,000 institutions across 11 states. Instructure says it has now paid to have the stolen data returned and erased, and has temporarily disabled the Free-For-Teacher accounts that were exploited in the attacks.

SecurityWeek and Claroty are hosting a webinar today at 1 PM Eastern Time focused on demonstrating the return on security investment for cyber-physical security programs. The session will teach operational technology security teams how to quantify the financial impact of downtime and security risks, translating technical concerns into business language that finance and operations executives can understand. The webinar aims to help security teams move beyond being seen as cost centers and instead position themselves as drivers of business resilience.

Security researchers have discovered a massive supply chain attack called GemStuffer, where attackers compromised over 150 Ruby software packages, known as RubyGems, to steal data from U.K. council portal systems. The malicious packages were used to scrape and exfiltrate sensitive information from local government websites. This represents a significant supply chain security threat, as developers who unknowingly installed these compromised packages may have inadvertently exposed their systems to data theft.

Microsoft released its January 2025 Patch Tuesday update addressing 138 security vulnerabilities, including critical remote code execution flaws in DNS and Netlogon services that could allow attackers to compromise systems remotely. The security update includes fixes for eight actively exploited zero-day vulnerabilities that were being used in real-world attacks. IT administrators are urged to prioritize patching these critical flaws, particularly those affecting core Windows services, as they pose significant risks to enterprise networks.

A new report reveals a critical gap in cybersecurity practices: most remediation programs fail to verify that security fixes actually resolved the vulnerabilities they were meant to address. This oversight leaves organizations potentially exposed to the same threats they believed they had patched, highlighting a significant weakness in how companies manage their security response processes. The finding underscores the need for better validation and follow-up procedures in enterprise security workflows.

SANS Institute is promoting a webinar focused on identifying critical security vulnerabilities that standard AppSec tools often overlook, specifically what they call the "lethal path" in applications. The webinar aims to help security professionals build more comprehensive security strategies that can gain executive approval, alongside promoting their LDR514 leadership course and various cybersecurity education programs. This appears to be an educational marketing piece from SANS rather than breaking news about a specific security threat.

An Azerbaijani energy company has fallen victim to multiple cyberattacks exploiting vulnerabilities in Microsoft Exchange servers. The repeated exploitation highlights ongoing security challenges facing critical infrastructure organizations, particularly in the energy sector where outdated or unpatched systems remain vulnerable to known threats. The attacks underscore the importance of timely security updates and robust patch management strategies for companies operating essential services.

Microsoft's AI-powered security tool, MDASH, has successfully identified 16 vulnerabilities in Windows that were addressed in this month's Patch Tuesday update. The system represents a significant step forward in using artificial intelligence to proactively discover security flaws before they can be exploited by attackers. This marks a notable advancement in automated vulnerability detection, with Microsoft leveraging its own AI technology to strengthen Windows security.

A China-linked cyber espionage group called FamousSparrow has been discovered targeting an oil and gas company in Azerbaijan, marking the first time Chinese threat actors have been found operating in Azerbaijani industries. The group used sophisticated DLL sideloading techniques and repeatedly breached the company between December and February because the victim failed to patch a vulnerable Microsoft Exchange server after initially detecting and cleaning infected workstations. This attack represents China's expanding cyber operations into the South Caucasus energy corridor, a region traditionally within Russia's sphere of influence that has become increasingly important for European energy supplies.

Two cyberattack campaigns in Latin America are using AI agents to automate entire hacking operations, from initial reconnaissance to custom tool creation, targeting government and financial organizations in Mexico and Brazil. The attackers jailbroke AI assistants by claiming they were conducting authorized security tests, then used them to scan for vulnerabilities, generate custom malware on the fly, and even document their own attack workflows. While this AI-powered "vibe hacking" represents an evolution in automated cyberattacks, researchers note these efforts still struggle against organizations with strong security fundamentals like timely patching and zero-trust access controls.

Over 170 packages across major platforms including TanStack, Mistral AI, and UiPath were compromised in a sophisticated supply chain attack by the hacking group TeamPCP. The attackers exploited GitHub's authentication system by chaining three security vulnerabilities to publish malicious packages that appeared legitimate with valid security certificates, allowing them to steal developer credentials, API keys, and cryptocurrency wallets. The malware also attempted to spread itself by using stolen tokens to publish infected versions of other packages, affecting projects with millions of weekly downloads before being discovered and flagged by security researchers.

The traditional Security Operations Center model is becoming obsolete not due to lack of skilled analysts, but because cyber threats now operate at machine speed while SOCs remain human-centric workflows. Attackers are deploying AI-powered malware that rewrites itself in real-time and executes campaigns in mere seconds, far outpacing the manual triage and investigation processes that still dominate most SOCs. The solution, according to security experts, requires a fundamental architectural shift to AI-native systems with complete data access and sovereignty, where analysts guide autonomous systems rather than chase individual alerts.

Anthropic's restricted Claude Mythos AI model found only one low-severity vulnerability when testing the widely-used curl tool, despite the company's claims of discovering thousands of zero-days across various codebases. Curl's lead developer Daniel Stenberg says the results suggest Mythos performs no better than previous AI security tools, though some experts argue the limited findings reflect curl's mature and heavily-audited codebase rather than the AI's shortcomings. The debate intensified after Mozilla reported that Mythos helped discover over 270 Firefox vulnerabilities, though all could have been found by elite human researchers.

SAP has released 15 security patches in its May 2026 update, including fixes for two critical vulnerabilities in S/4HANA and Commerce, both rated 9.6 on the CVSS scale. The S/4HANA flaw is an SQL injection issue that could allow authenticated attackers to leak data, while the Commerce vulnerability involves a missing authentication check that enables unauthenticated users to execute arbitrary server-side code. SAP says there's no evidence of active exploitation, but the company urges users to apply the patches immediately, especially following a recent supply chain attack that compromised four SAP NPM packages.

Apple released sweeping security updates Monday addressing dozens of vulnerabilities across its operating systems, with iOS and iPadOS 26.5 patching over 60 security flaws including 20 WebKit issues that could lead to crashes and data exposure. The company also issued patches for macOS Tahoe resolving nearly 80 vulnerabilities, while rolling back a fix to older iOS versions for a flaw the FBI reportedly exploited to recover deleted Signal messages from devices. Apple says there's no evidence the other vulnerabilities have been exploited in the wild.

West Pharmaceutical Services, a Pennsylvania-based pharmaceutical packaging and delivery systems manufacturer, is working to restore operations following a ransomware attack on May fourth that disrupted business globally. The company proactively shut down affected systems, enlisted Palo Alto Networks' Unit 42 for incident response, and confirmed that attackers exfiltrated data before deploying ransomware, though they've since taken steps to mitigate the risk of that data being released—suggesting possible ransom negotiations. While core enterprise systems and some manufacturing operations have been restored, the company hasn't determined the full extent of the breach or its financial impact, and no ransomware group has publicly claimed responsibility.

Instructure, the company behind the widely-used Canvas educational platform, has reached a deal with hackers who stole data from nearly 9,000 schools and 275 million users during finals week. The hacking group ShinyHunters had threatened to leak the stolen information, which included student IDs, email addresses, and messages, unless schools paid a ransom by May 6th. Instructure says the hackers have provided "shred logs" as digital confirmation that all data copies were destroyed, though the company acknowledges there's no complete certainty when dealing with cybercriminals, and it hasn't disclosed whether the agreement involved a payment.

Cybercriminals are using the lure of free OnlyFans accounts to distribute CRPx0, a sophisticated cross-platform malware targeting Windows and macOS users. The malware operates in three stages: first stealing cryptocurrency by swapping wallet addresses in the clipboard, then exfiltrating sensitive data, and finally deploying ransomware that encrypts files with a ransom demand. The campaign has reportedly compromised 38 victims and is offering stolen data for 500 dollars in cryptocurrency on a dark web leaks site, demonstrating how social engineering combined with users' willingness to take risks for free content creates an effective attack vector.

Instructure has reached a ransom agreement with the hacking group ShinyHunters to prevent the leak of 3.65 terabytes of data from Canvas, its learning management platform. The massive data trove reportedly contained sensitive information from the widely-used educational software system. This marks another high-profile case of a company negotiating directly with cybercriminals to prevent data exposure rather than allowing stolen information to be released publicly.

Agentic AI, or AI systems that can act autonomously on behalf of users, is emerging as security's next major vulnerability because it operates with limited oversight while having significant access to sensitive systems and data. These AI agents can make decisions and take actions without explicit human approval in each instance, creating a new attack surface that organizations aren't adequately prepared to defend. Security teams need to develop new frameworks to monitor and control these autonomous systems before they become the next preferred entry point for cyber attackers.

A malicious worm dubbed "Mini Shai-Hulud" has successfully compromised multiple high-profile software packages including TanStack, Mistral AI, and Guardrails AI. The attack appears to target the software supply chain by infiltrating these widely-used developer tools and packages, potentially affecting numerous downstream applications and users who depend on these libraries.

A new webinar from Radiant Security addresses a critical problem in security operations centers: why the riskiest alerts often go unanswered. The presentation will explore how security teams can better prioritize and respond to high-risk threats that might otherwise slip through the cracks due to alert fatigue or resource constraints.

Cybersecurity researchers have discovered a new variant of the TrickMo Android malware that uses The Open Network as a command and control system and leverages SOCKS5 proxies to turn infected devices into network pivots. This advanced capability allows attackers to route malicious traffic through compromised Android phones, effectively using them as stepping stones to breach corporate networks and evade detection. The discovery highlights the growing sophistication of mobile malware in enabling broader network attacks beyond just stealing data from individual devices.

Dark Reading, celebrating its 20th anniversary, has profiled 20 influential figures who shaped the modern cybersecurity landscape and the chief information security officer role. The list includes pioneers like Steve Katz who formalized the CISO position at Citicorp, security researchers like Dan Kaminsky and Troy Hunt, and controversial figures including Edward Snowden and convicted cybercriminal Albert Gonzalez, whose massive retail payment card breaches marked a turning point in how law enforcement treated cybercrime as organized business. The retrospective highlights how cybersecurity evolved from technical defense into a board-level concern encompassing business resilience, compliance, and corporate trust.

German police have successfully shut down the second iteration of the Crimenetwork dark web marketplace just days after it was resurrected following an initial takedown in December 2024. The original marketplace, which operated for over 12 years with more than 100,000 users, facilitated the trade of stolen data, drugs, and falsified documents using cryptocurrency, generating an estimated 3.6 million euros in revenue. Authorities arrested a 35-year-old German suspect in Spain believed to be the marketplace's administrator and seized nearly 200,000 euros in assets along with extensive user and transaction data for further investigation.

A new Linux vulnerability called Dirty Frag, which chains two flaws to allow unprivileged users to gain root access, may already be exploited in the wild according to Microsoft. The vulnerability was prematurely disclosed before patches were ready, affecting major Linux distributions and the IPsec and RxRPC kernel components with a notably high success rate since it doesn't require timing-based race conditions. Major Linux vendors including Red Hat, Ubuntu, and Amazon Linux are now rolling out patches after Microsoft detected limited in-the-wild activity potentially indicating exploitation.

Canvas, a widely-used online learning platform serving tens of thousands of schools globally, was knocked offline by a cyberattack just as students were preparing for final exams. A hacking group called ShinyHunters claimed responsibility, saying they accessed nearly 9,000 schools' data including billions of private messages, and demanded individual schools negotiate settlements directly. The platform operator Instructure has since restored service to most users after discovering the hackers exploited a vulnerability in free teacher accounts, though the company hasn't disclosed whether any ransom was paid or the full extent of data compromised.

Cybersecurity firm Checkmarx has warned that a malicious version of its Jenkins AST plugin was published to the Jenkins Marketplace as part of an ongoing supply chain attack. The incident stems from a security breach that began in March when the TeamPCP hacker gang accessed Checkmarx's repositories through a separate Trivy supply chain attack, later followed by data exposure from the Lapsus dollar extortion group. Checkmarx has since released an updated, clean version of the plugin and is urging users to ensure they're running the latest secure iteration available on both GitHub and the Jenkins Marketplace.

Identity management provider SailPoint has disclosed that hackers gained unauthorized access to some of its GitHub repositories on April 20th through a vulnerability in a third-party application. The company says it quickly contained the breach and found no evidence that customer data in production or staging environments was compromised, though it did notify customers whose information was stored in the affected repositories. SailPoint has not identified the threat actors behind the attack or confirmed whether it's connected to the recent wave of supply chain attacks attributed to the TeamPCP hacking group.

Cloudflare is laying off more than eleven hundred employees worldwide as part of what executives are calling an AI-driven restructuring for the "agentic AI era." The company says AI usage by employees has surged over 600 percent in the past three months across departments like HR, marketing, finance, and engineering, prompting a reorganization they insist is not about cost-cutting or performance. Despite beating revenue forecasts, Cloudflare's stock dropped more than 20 percent following the announcement, and departing employees will receive severance equivalent to their full base salary through the end of 2026.

Skoda has disclosed a data breach at its online shop after hackers exploited a software vulnerability to access customer information including names, addresses, email addresses, phone numbers, and password hashes. The automaker, a subsidiary of Volkswagen Group, took the shop offline immediately, patched the vulnerability, and brought in external forensics experts, though the company says its protocols make it impossible to determine the full extent of data exfiltration. Skoda is urging customers to remain vigilant for phishing attempts and to change their passwords, especially if they use the same credentials across multiple services.

Google has detected what it believes is the first zero-day exploit developed using artificial intelligence, marking a significant milestone in cyber threats. According to a new report, a prominent cybercrime group used AI to create a Python script designed to bypass two-factor authentication on an open-source system administration tool, with the exploit showing telltale signs of large language model assistance including educational docstrings and a hallucinated security score. Google also found that Chinese and North Korean state-sponsored hackers have been particularly active in leveraging AI tools for vulnerability discovery and exploit development.

A malicious fake repository masquerading as an OpenAI privacy filter reached the number one spot on Hugging Face and was downloaded 244,000 times before being detected. The fraudulent package exploited users' trust in the popular AI model sharing platform, highlighting growing security concerns around open-source AI repositories. This incident underscores the vulnerability of developer communities to supply chain attacks targeting widely-used machine learning platforms.

Organizations claiming to have purple teams are often just placing their red and blue teams in the same room without true integration. The article argues that effective purple teaming requires more than physical proximity—it demands genuine collaboration where offensive security testers and defensive teams work together throughout exercises, sharing insights in real-time rather than after the fact. Without this deeper cooperation, companies miss the opportunity to accelerate their security improvement and simply end up with two teams operating independently under one label.

Security researchers have uncovered multiple threats this week including a new Linux rootkit targeting enterprise systems, a cryptocurrency stealer specifically designed for macOS devices, and sophisticated web skimmers that exploit WebSocket connections to steal payment data from e-commerce sites. These discoveries highlight the continued evolution of attack techniques across different platforms, with threat actors adapting their malware to target Linux servers, Apple's desktop operating system, and real-time web communications used by online retailers.

A cyber espionage group called HeartlessSoul is targeting aerospace firms and drone operators through sophisticated phishing campaigns designed to steal geospatial mapping data, GPS coordinates, and terrain models. The attackers use fake aviation software installers to compromise systems and exfiltrate GIS files, primarily from Russian organizations, giving adversaries insight into infrastructure, strategic assets, and even how victims view their own intelligence landscape. Cybersecurity experts say the campaign shows nation-state level sophistication and recommend organizations protect critical GIS data with zero-trust security measures and network segmentation.

Cybercriminals are now leveraging large language models to take their operations to the next level, using AI not just as a basic tool but to actually write exploits and coordinate sophisticated, multi-stage attacks. This marks a significant evolution in the threat landscape, as hackers automate and accelerate what were once time-consuming manual processes. Security experts warn that AI-powered attack development could dramatically increase the speed and scale of cyber threats.

A critical vulnerability in Ollama, a popular platform for running large language models locally, has been discovered that could allow attackers to remotely read process memory through an out-of-bounds read exploit. The security flaw potentially exposes sensitive information stored in the application's memory to unauthorized access. Users are advised to update to the latest version of Ollama to protect against this vulnerability.

cPanel and WHM have released critical security patches addressing three newly discovered vulnerabilities that users need to install immediately. The web hosting management platforms, widely used by hosting providers worldwide, issued the fixes to prevent potential exploitation of these security flaws. System administrators are being urged to apply these updates without delay to protect their hosting infrastructure from possible attacks.

Cybersecurity firm Trellix has been hit by a ransomware attack, with the RansomHouse group claiming responsibility and publishing screenshots showing access to internal services and management dashboards. Trellix confirmed that part of its source code repository was breached but says there's no evidence the code was exploited or that its distribution process was affected. The timing of the attack suggests a possible connection to a broader supply chain campaign that has also impacted other security firms like Checkmarx and Bitwarden, though that link hasn't been confirmed.

A new malware campaign called PCPJack is targeting systems already infected by the notorious TeamPCP hacking group, removing their tools before deploying its own credential-stealing framework. SentinelOne researchers believe this may be a former TeamPCP operator, as the malware targets similar cloud services and systems but focuses on stealing credentials for spam campaigns, financial fraud, and potential extortion. The sophisticated framework spreads by exploiting known vulnerabilities in web applications and cloud services, stealing everything from cryptocurrency wallets to enterprise credentials across platforms like AWS, Kubernetes, GitHub, and Slack.

The Canvas learning management system, used by thousands of schools and universities worldwide, went offline Thursday during a cyberattack claimed by the hacking group ShinyHunters. The outage came at a critical time as students prepare for final exams, with the hackers allegedly accessing billions of private messages and records from nearly 9,000 schools while threatening to leak the data unless extortion payments are made. Schools from Harvard to the University of Iowa scrambled to find workarounds, with some institutions like the University of Texas at San Antonio postponing finals scheduled for Friday.

AI evaluation platform Braintrust is urging customers to rotate their API keys after hackers breached an internal AWS account on May 4th, potentially exposing credentials used to access AI models from companies like OpenAI and Anthropic. While only one customer has confirmed impact so far, security experts warn the real risk extends to downstream organizations including Box, Cloudflare, Dropbox, and Stripe, whose AI provider credentials may have been stored in Braintrust's system. The incident highlights a new supply chain vulnerability where AI observability tools become credential warehouses and prime targets for attackers.

Poland's Internal Security Agency has reported that five water treatment plants were breached in 2025, with attackers gaining access to industrial control systems through weak passwords and internet-exposed systems. In some cases, hackers obtained the ability to modify operational parameters that could have directly threatened public water supplies. The agency attributes the attacks to Russian state-sponsored groups including APT28 and APT29, as well as Belarusian-linked actors, as part of a broader surge in cyberattacks targeting Poland's critical infrastructure.

Cybersecurity researchers have discovered a new Linux backdoor called PamDOORa that targets SSH credentials by exploiting PAM modules, which are Linux's authentication framework. The malware allows attackers to steal login credentials while maintaining persistent access to compromised systems, making it particularly dangerous for server environments. Security experts warn that this represents an increasingly sophisticated approach to credential theft on Linux systems, with organizations urged to monitor their PAM modules for unauthorized modifications.