Ticker feed
Microsoft disclosed a zero-day vulnerability (CVE-2026-42897) in Exchange that's actively being exploited, but customers are still waiting for a patch four days later. The flaw affects Exchange Outlook Web Access and allows attackers to execute spoofing attacks through cross-site scripting.
Attackers can exploit this by sending specially crafted emails that execute malicious JavaScript when opened in OWA. The vulnerability affects Exchange Server 2016, 2019, and Subscription Edition, earning an 8.1 CVSS score from Microsoft.
Security experts warn successful attacks could compromise mailboxes, steal session tokens, and enable business email compromise or ransomware attacks. Microsoft offers two temporary mitigations: the Exchange Emergency Mitigation Service (recommended) and an updated mitigation tool, though both cause some functionality disruptions.
Source: Dark Reading
Cybercriminals have already cloned the Shai-Hulud malware just days after TeamPCP released its source code on GitHub. The original worm first hit the open source ecosystem in September 2025, stealing credentials and API keys from developers to spread through NPM packages.
Ox Security discovered four malicious NPM packages, including 'chalk-tempalte', a direct clone of Shai-Hulud. The packages have been downloaded over 2,600 times weekly, targeting Axios users through typo-squatting attacks. One package even enslaves infected machines into a DDoS botnet.
Security researchers warn this marks the beginning of a major wave of supply chain attacks targeting the open source community.
Source: Security Week
A dangerous Windows privilege escalation vulnerability called "MiniPlasma" has surfaced with public exploit code available on GitHub. Security researcher Nightmare-Eclipse released the weaponized exploit on May 13, 2026, claiming Microsoft failed to properly fix a bug originally reported by Google Project Zero in 2020.
The flaw targets Windows' Cloud Filter driver and affects all Windows versions. Attackers can exploit it from standard user accounts to gain SYSTEM-level privileges on fully patched systems. The vulnerability manipulates registry key creation through a race condition, bypassing normal access restrictions.
The exploit's GitHub repository gained over 390 stars within days, highlighting serious security community concern. Since the Cloud Filter driver handles OneDrive and other cloud storage services, the vulnerable code runs on most Windows installations. Organizations face immediate risk until Microsoft releases patches.
Source: Cybersecurity News
Instructure, the company behind Canvas learning software, paid cybercriminals to delete stolen student data after a major hack disrupted 9,000 universities across the US, Canada, Australia, and the UK last week.
The Shiny Hunters group threatened to release 3.5 terabytes of student and university data unless paid in bitcoin. Students taking exams were particularly affected, with some losing work mid-test when ransom messages appeared on their screens.
Instructure confirmed it "reached an agreement" with the hackers, who promised to delete the data and not extort institutions. However, paying ransoms goes against law enforcement advice and offers no guarantee data is actually destroyed. The breach was discovered April 29th, marking the third time Shiny Hunters has targeted Canvas.
Source: BBC
Instructure, the company behind Canvas software used by 9,000 universities worldwide, paid hackers to delete stolen student data after a major cyberattack last week. The breach by the Shiny Hunters group disrupted exams across the US, Canada, Australia, and the UK when Canvas went offline.
The hackers stole 3.5 terabytes of data and threatened to publish it online. Instructure confirmed reaching an "agreement" with the criminals, who promised to delete the data and not extort students or institutions. While the company won't reveal payment details, such deals typically involve bitcoin ransoms.
Students like Mississippi State's Aubrey Palmer saw ransom messages mid-exam, causing widespread confusion. Security experts warn paying hackers fuels more attacks and offers no guarantee data is actually destroyed.
Source: BBC
Day two of Pwn2Own Berlin 2026 saw hackers unleash devastating attacks on enterprise software and AI tools, adding $385,750 in bug bounties to bring the total to $908,750.
Orange Tsai from DEVCORE stole the show with a brutal Microsoft Exchange exploit, chaining three vulnerabilities to achieve remote code execution with SYSTEM privileges. The attack earned $200,000 and highlights Exchange's role as a critical enterprise target.
Security researchers also compromised Windows 11 through an integer overflow bug and hit multiple AI coding platforms including Cursor IDE and OpenAI Codex. These AI tools are becoming prime targets due to their access to source code and developer workflows.
DEVCORE leads the competition with $405,000 in winnings, but the final day promises more zero-day discoveries as vendors scramble to patch newly exposed vulnerabilities.
Source: Cyber Security News
OpenAI disclosed that two employee devices were infected during the May 11 TanStack supply chain attack by TeamPCP hackers. The attackers exploited weaknesses in package publishing to release 84 malicious artifacts across 42 packages, infecting devices with the Shai-Hulud worm.
Limited credential material was stolen from internal source code repositories, but no customer data or intellectual property was compromised. OpenAI rotated all affected credentials and revoked user sessions.
The company is revoking code-signing certificates for all platforms and re-signing applications. macOS users must update their OpenAI apps by June 12, 2026, or risk losing functionality. The incident occurred during OpenAI's security transition following a previous March attack.
Source: Security Week
A sophisticated threat actor called UAT-8616 is actively exploiting a critical authentication bypass vulnerability (CVE-2026-20182) in Cisco's SD-WAN controllers. The bug earned a perfect 10/10 severity score, allowing attackers to gain administrative access without authentication.
This marks the second major Cisco SD-WAN vulnerability this year. In February, the same threat group exploited a nearly identical flaw (CVE-2026-20127) for years before detection. UAT-8616 appears undeterred by patches, quickly moving to exploit new vulnerabilities in the same product line.
The group targets critical infrastructure organizations, using compromised controllers to establish persistent access and escalate to root privileges. Researchers suggest potential Chinese state-sponsored connections. Cisco has released patches, but the pattern of recurring vulnerabilities in centralized network infrastructure highlights ongoing security challenges.
Source: Dark Reading
Electronics giant Foxconn, Apple's primary iPhone assembler, confirmed a cyberattack disrupted its North American factories. The Nitrogen ransomware group claims responsibility, allegedly stealing 8 terabytes of data across 11 million files containing confidential projects from Intel, Apple, Google, Dell, and Nvidia.
Foxconn's cybersecurity team quickly implemented measures to maintain production and delivery. The company said affected factories resumed normal operations as of Tuesday, though it didn't specify when the attack occurred or which systems were compromised.
Nitrogen, active since 2023, typically steals data before encrypting systems to maximize pressure on victims. However, security experts question whether the group is inflating its data theft claims to demand higher ransoms. The Taiwan-based manufacturer operates factories across Mexico, Wisconsin, Ohio, Texas, Virginia, and Indiana.
Source: CyberScoop
A frustrated security researcher has released two dangerous zero-day exploits targeting Windows systems after a dispute with Microsoft. The most severe, dubbed "YellowKey," completely bypasses BitLocker encryption on Windows 11 and Server 2022/2025 systems within minutes using just a USB stick or direct drive access.
The second exploit, "GreenPlasma," enables privilege escalation through the Windows CTFMON service, potentially giving attackers system-level control. Windows 10 remains unaffected by YellowKey due to different recovery architecture.
Microsoft hasn't patched these vulnerabilities yet. Security experts recommend using BitLocker PINs, strong BIOS passwords, and monitoring physical hardware access as immediate protection measures.
Source: Cyber Security News