Ticker feed
Four widely-used Laravel localization packages were compromised in a supply chain attack starting May 22. Hackers rewrote Git tags across over 700 historical versions of laravel-lang/lang, http-statuses, attributes, and actions — without ever touching the official repos. Instead, they pointed tags to commits in a malicious fork they controlled.
The malware connected to a C&C server to deploy a PHP credential stealer targeting AWS, GCP, Azure keys, SSH private keys, Kubernetes tokens, browser passwords, crypto wallets, and more — across Windows, Linux, and macOS.
Any system that installed or updated these packages should be treated as compromised, and all secrets rotated immediately.
Source: SecurityWeek
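Because the attack moved existing tags rather than publishing new versions, the cheapest detection is to treat tags as immutable and diff an earlier snapshot of `git ls-remote --tags` against a fresh one. The script below is an added example written for this page, not code from SecurityWeek or the laravel-lang project; the two snapshots and all commit ids are constructed, and the `^{}` handling follows the real peeled-tag format that ls-remote prints for annotated tags.

```python
"""Flag Git tags that no longer resolve to the commit they used to.

Tags are supposed to be immutable, so diffing an earlier snapshot of
`git ls-remote --tags <remote>` against a fresh one surfaces rewritten tags
without inspecting any commit contents. Both snapshots below are constructed.
"""
import re

# `git ls-remote --tags` prints "<object-id>\trefs/tags/<name>"; for annotated
# tags it also prints a peeled "<commit-id>\trefs/tags/<name>^{}" line.
LINE_RE = re.compile(r"^([0-9a-f]{40})\trefs/tags/(.+?)(\^\{\})?$")

# Constructed baseline, as if saved when the lockfile was last reviewed.
BASELINE = "\n".join([
    "1" * 40 + "\trefs/tags/v1.0.0",
    "2" * 40 + "\trefs/tags/v1.1.0",
    "3" * 40 + "\trefs/tags/v1.2.0",       # annotated tag object
    "a" * 40 + "\trefs/tags/v1.2.0^{}",    # ...and the commit it peels to
])

# Constructed current snapshot: v1.1.0 now points elsewhere, v1.3.0 is new.
CURRENT = "\n".join([
    "1" * 40 + "\trefs/tags/v1.0.0",
    "d" * 40 + "\trefs/tags/v1.1.0",
    "3" * 40 + "\trefs/tags/v1.2.0",
    "a" * 40 + "\trefs/tags/v1.2.0^{}",
    "4" * 40 + "\trefs/tags/v1.3.0",
])


def parse_ls_remote(text):
    """Map tag name -> commit id. The peeled ^{} line wins for annotated tags,
    since that is the commit a checkout of the tag actually yields."""
    tags, peeled = {}, set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank or unexpected line
        oid, name, is_peeled = m.groups()
        if is_peeled:
            tags[name] = oid
            peeled.add(name)
        elif name not in peeled:
            tags[name] = oid
    return tags


def diff_tags(baseline_text, current_text):
    """Return (moved, removed, added); moved maps tag -> (old_commit, new_commit)."""
    old, new = parse_ls_remote(baseline_text), parse_ls_remote(current_text)
    moved = {t: (old[t], new[t]) for t in old if t in new and old[t] != new[t]}
    return moved, sorted(set(old) - set(new)), sorted(set(new) - set(old))


if __name__ == "__main__":
    moved, removed, added = diff_tags(BASELINE, CURRENT)
    for tag, (before, after) in sorted(moved.items()):
        print(f"MOVED   {tag}: {before[:12]} -> {after[:12]}")
    for tag in removed:
        print(f"REMOVED {tag}")
    for tag in added:
        print(f"ADDED   {tag}")
```

A moved tag is the signal to act on; new tags are normal, and a tag pointing at a commit that no branch of a trusted clone contains (`git branch -r --contains <tag>` returning nothing) is a useful second check when no baseline snapshot exists.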
A zero-day flaw in KnowledgeDeliver LMS (CVE-2026-5426) is being actively exploited to deploy BLUEBEAM, an in-memory web shell that leaves almost no forensic trace. Mandiant linked the attacks to a late-2025 breach, finding that hardcoded ASP.NET machine keys shared across customer installations let attackers forge malicious ViewState payloads and achieve remote code execution without authentication.
Once inside, attackers weakened file permissions, tampered with JavaScript files to push fake security alerts, and infected users with a targeted Cobalt Strike Beacon. The fix is straightforward but urgent: rotate machine keys to unique values per deployment immediately.
Source: Cybersecurity News
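The root cause here is a `machineKey` that is identical across installations, so knowing one deployment's key is enough to forge ViewState for all of them. The audit below is an added example written for this page, not code from Mandiant or the vendor: it parses constructed `web.config` fragments for several hypothetical deployments, reports key pairs that are shared or missing, and mints a fresh per-deployment key with a CSPRNG. All key values are placeholders.

```python
"""Audit ASP.NET machineKey settings across deployments.

Flags deployments that share an identical key pair (one leaked or hardcoded
key would then let forged ViewState be accepted everywhere) and deployments
with no explicit key, and shows how to mint a fresh per-deployment key.
The web.config fragments and key values below are constructed placeholders.
"""
import hashlib
import secrets
import xml.etree.ElementTree as ET
from collections import defaultdict

PLACEHOLDER_VK = "A" * 128   # not a real key: 64-byte HMAC key as hex
PLACEHOLDER_DK = "B" * 64    # not a real key: 32-byte AES key as hex


def web_config(vk, dk):
    """Build a minimal constructed web.config string around a machineKey."""
    return (f'<configuration><system.web><machineKey validationKey="{vk}" '
            f'decryptionKey="{dk}" validation="HMACSHA256" decryption="AES"/>'
            f'</system.web></configuration>')


# Hypothetical customer installations of one product; the first two still
# carry the shipped default, the last never set a machineKey at all.
DEPLOYMENTS = {
    "customer-a": web_config(PLACEHOLDER_VK, PLACEHOLDER_DK),
    "customer-b": web_config(PLACEHOLDER_VK, PLACEHOLDER_DK),
    "customer-c": web_config("C" * 128, "D" * 64),
    "customer-d": "<configuration><system.web/></configuration>",
}


def extract_machine_key(config_xml):
    """Return (validationKey, decryptionKey) or None if not explicitly set."""
    node = ET.fromstring(config_xml).find("./system.web/machineKey")
    if node is None:
        return None
    return node.get("validationKey", ""), node.get("decryptionKey", "")


def audit(deployments):
    """Return a sorted list of (deployment, finding) tuples."""
    findings, by_fingerprint = [], defaultdict(list)
    for name, xml in deployments.items():
        key = extract_machine_key(xml)
        if key is None:
            findings.append((name, "MISSING_KEY"))
            continue
        # Compare fingerprints rather than raw keys so reports carry no secrets.
        fp = hashlib.sha256("|".join(key).encode()).hexdigest()[:16]
        by_fingerprint[fp].append(name)
    for names in by_fingerprint.values():
        if len(names) > 1:
            findings.extend((n, "SHARED_KEY") for n in names)
    return sorted(findings)


def new_machine_key_element():
    """Mint a unique key pair with a CSPRNG: 64-byte HMACSHA256 validation key,
    32-byte AES decryption key, both hex-encoded as web.config expects."""
    vk, dk = secrets.token_hex(64).upper(), secrets.token_hex(32).upper()
    return (f'<machineKey validationKey="{vk}" decryptionKey="{dk}" '
            f'validation="HMACSHA256" decryption="AES"/>')


if __name__ == "__main__":
    for deployment, finding in audit(DEPLOYMENTS):
        print(f"{finding:12} {deployment}")
    print("replacement element for one deployment:", new_machine_key_element())
```

Each deployment gets its own output of `new_machine_key_element()`; servers in the same web farm share one key, but two separate customer installations never should, and rotating the key invalidates any ViewState or forms-auth tickets issued under the old one, which is the point.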
More than 5,500 GitHub repositories were infected with malware on May 18, 2026, in a supply chain attack called Megalodon. Attackers pushed 5,718 malicious commits across a six-hour window using two email addresses, injecting rogue GitHub Actions workflows designed to steal credentials, AWS keys, SSH private keys, API tokens, and dozens of other secrets from CI environments.
The attack was discovered after compromised versions of the Tiledesk npm package were published May 19–21. The maintainer unknowingly published from a poisoned source — the attacker never touched the npm account, only the GitHub repo. A dormant backdoor was also planted, triggerable later via the GitHub API using stolen tokens.
Source: SecurityWeek
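The Megalodon pattern, many commits in a short window from a couple of author addresses, each touching `.github/workflows/`, is visible in plain `git log` output. The script below is an added example for this page, not code from SecurityWeek or Tiledesk: it parses a constructed `git log --pretty=format:'%H%x09%ae%x09%aI' --name-only` listing, reports workflow changes by authors outside an allowlist, and summarizes how tightly clustered those commits are. The maintainer allowlist and all addresses and hashes are constructed.

```python
"""Flag commits that change GitHub Actions workflow files and were not authored
by a known maintainer, then summarize bursts per author. Sample log is constructed.

Input is the text of:
  git log --pretty=format:'%H%x09%ae%x09%aI' --name-only
The parser relies only on header lines of the form "<sha>\t<email>\t<iso date>";
blank lines and the spacing git places around them are ignored.
"""
import re
from datetime import datetime

HEADER_RE = re.compile(r"^([0-9a-f]{40})\t([^\t]+)\t(\S+)$")
WORKFLOW_PREFIX = ".github/workflows/"
MAINTAINERS = {"maintainer@example.com"}  # constructed allowlist

SAMPLE_LOG = "\n".join([
    "1" * 40 + "\tmaintainer@example.com\t2026-05-18T09:00:00+00:00",
    "",
    "src/app.js",
    "",
    "2" * 40 + "\tunexpected-author@example.invalid\t2026-05-18T10:05:00+00:00",
    "",
    ".github/workflows/ci.yml",
    "",
    "3" * 40 + "\tunexpected-author@example.invalid\t2026-05-18T10:07:30+00:00",
    "",
    ".github/workflows/release.yml",
    "README.md",
    "",
    "4" * 40 + "\tmaintainer@example.com\t2026-05-19T08:00:00+00:00",
    "",
    ".github/workflows/ci.yml",
])


def parse_log(text):
    """Return a list of {sha, email, when, files} dicts in log order."""
    commits = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            sha, email, when = m.groups()
            commits.append({"sha": sha, "email": email,
                            "when": datetime.fromisoformat(when), "files": []})
        elif line.strip() and commits:
            commits[-1]["files"].append(line.strip())
    return commits


def suspicious_workflow_commits(text, maintainers=MAINTAINERS):
    """(sha, email, workflow files) for workflow changes by non-allowlisted authors."""
    hits = []
    for c in parse_log(text):
        touched = [f for f in c["files"] if f.startswith(WORKFLOW_PREFIX)]
        if touched and c["email"] not in maintainers:
            hits.append((c["sha"], c["email"], touched))
    return hits


def summarize_by_author(text, maintainers=MAINTAINERS):
    """Per flagged author: (commit count, minutes between first and last commit).
    Many commits inside a few minutes is a mass-injection pattern, not maintenance."""
    times = {}
    for c in parse_log(text):
        if c["email"] in maintainers:
            continue
        if any(f.startswith(WORKFLOW_PREFIX) for f in c["files"]):
            times.setdefault(c["email"], []).append(c["when"])
    return {email: (len(ts), (max(ts) - min(ts)).total_seconds() / 60)
            for email, ts in times.items()}


if __name__ == "__main__":
    for sha, email, files in suspicious_workflow_commits(SAMPLE_LOG):
        print(f"{sha[:12]} {email} -> {', '.join(files)}")
    for email, (count, span) in summarize_by_author(SAMPLE_LOG).items():
        print(f"{email}: {count} workflow commits within {span:.1f} minutes")
```

Run against a real history, the allowlist should come from the project's actual committer set, and any hit is worth checking against the published package's contents, since the Tiledesk release was built from a repository that already carried the rogue workflow.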
Microsoft disclosed a zero-day vulnerability (CVE-2026-42897) in Exchange that's actively being exploited, but customers are still waiting for a patch four days later. The flaw affects Exchange Outlook Web Access and allows attackers to execute spoofing attacks through cross-site scripting.
Attackers can exploit this by sending specially crafted emails that execute malicious JavaScript when opened in OWA. The vulnerability affects Exchange Server 2016, 2019, and Subscription Edition, earning an 8.1 CVSS score from Microsoft.
Security experts warn successful attacks could compromise mailboxes, steal session tokens, and enable business email compromise or ransomware attacks. Microsoft offers two temporary mitigations: the Exchange Emergency Mitigation Service (recommended) and an updated mitigation tool, though both cause some functionality disruptions.
Source: Dark Reading
Cybercriminals have already cloned the Shai-Hulud malware just days after TeamPCP released its source code on GitHub. The original worm first hit the open source ecosystem in September 2025, stealing credentials and API keys from developers to spread through NPM packages.
Ox Security discovered four malicious NPM packages, including 'chalk-tempalte' - a direct clone of Shai-Hulud. The packages have been downloaded over 2,600 times weekly, targeting Axios users through typo-squatting attacks. One package even enslaves infected machines into a DDoS botnet.
Security researchers warn this marks the beginning of a major wave of supply chain attacks targeting the open source community.
Source: Security Week
A dangerous Windows privilege escalation vulnerability called "MiniPlasma" has surfaced with public exploit code available on GitHub. Security researcher Nightmare-Eclipse released the weaponized exploit on May 13, 2026, claiming Microsoft failed to properly fix a bug originally reported by Google Project Zero in 2020.
The flaw targets Windows' Cloud Filter driver and affects all Windows versions. Attackers can exploit it from standard user accounts to gain SYSTEM-level privileges on fully patched systems. The vulnerability manipulates registry key creation through a race condition, bypassing normal access restrictions.
The exploit's GitHub repository gained over 390 stars within days, highlighting serious security community concern. Since the Cloud Filter driver handles OneDrive and other cloud storage services, the vulnerable code runs on most Windows installations. Organizations face immediate risk until Microsoft releases patches.
Source: Cybersecurity News
Instructure, the company behind Canvas learning software, paid cybercriminals to delete stolen student data after a major hack disrupted 9,000 universities across the US, Canada, Australia, and UK last week.
The Shiny Hunters group threatened to release 3.5 terabytes of student and university data unless paid in bitcoin. Students taking exams were particularly affected, with some losing work mid-test when ransom messages appeared on their screens.
Instructure confirmed it "reached an agreement" with the hackers, who promised to delete the data and not extort institutions. However, paying ransoms goes against law enforcement advice and offers no guarantee data is actually destroyed. The breach was discovered April 29th, marking the third time Shiny Hunters has targeted Canvas.
Source: BBC
Instructure, the company behind Canvas software used by 9,000 universities worldwide, paid hackers to delete stolen student data after a major cyberattack last week. The breach by the Shiny Hunters group disrupted exams across the US, Canada, Australia, and UK when Canvas went offline.
The hackers stole 3.5 terabytes of data and threatened to publish it online. Instructure confirmed reaching an "agreement" with the criminals, who promised to delete the data and not extort students or institutions. While the company won't reveal payment details, such deals typically involve bitcoin ransoms.
Students like Mississippi State's Aubrey Palmer saw ransom messages mid-exam, causing widespread confusion. Security experts warn paying hackers fuels more attacks and offers no guarantee data is actually destroyed.
Source: BBC
Day two of Pwn2Own Berlin 2026 saw hackers unleash devastating attacks on enterprise software and AI tools, adding $385,750 in bug bounties to bring the total to $908,750.
Orange Tsai from DEVCORE stole the show with a brutal Microsoft Exchange exploit, chaining three vulnerabilities to achieve remote code execution with SYSTEM privileges. The attack earned $200,000 and highlights Exchange's role as a critical enterprise target.
Security researchers also compromised Windows 11 through an integer overflow bug and hit multiple AI coding platforms including Cursor IDE and OpenAI Codex. These AI tools are becoming prime targets due to their access to source code and developer workflows.
DEVCORE leads the competition with $405,000 in winnings, but the final day promises more zero-day discoveries as vendors scramble to patch newly exposed vulnerabilities.
Source: Cyber Security News
OpenAI disclosed that two employee devices were infected during the May 11 TanStack supply chain attack by TeamPCP hackers. The attackers exploited weaknesses in package publishing to release 84 malicious artifacts across 42 packages, infecting devices with the Shai-Hulud worm.
Limited credential material was stolen from internal source code repositories, but no customer data or intellectual property was compromised. OpenAI rotated all affected credentials and revoked user sessions.
The company is revoking code-signing certificates for all platforms and re-signing applications. macOS users must update their OpenAI apps by June 12, 2026, or risk losing functionality. The incident occurred during OpenAI's security transition following a previous March attack.
Source: Security Week