CyberHappenings

News Summary

Last updated: 07:30 14/05/2026 UTC
  • MuddyWater Expands Global Campaigns with New Backdoors Targeting US and Israeli Entities
    The Iran-linked MuddyWater APT (a.k.a. Seedworm, Static Kitten) has expanded its global espionage operations to include a major South Korean electronics manufacturer, government agencies, and an international airport in the Middle East, marking a geographic shift beyond its traditional MENA and Israeli targets. In February 2026, the group spent a week inside the network of the South Korean firm, conducting industrial espionage and intellectual property theft while leveraging DLL sideloading via legitimate Fortemedia and SentinelOne binaries to deploy ChromElevator for browser data exfiltration. MuddyWater’s evolving tradecraft includes the continued use of PowerShell—now orchestrated via Node.js loaders—for reconnaissance, credential theft, and persistence, alongside anti-detection techniques like fake Windows prompts, registry hive theft, and public file-sharing services (sendit.sh) for exfiltration. This follows earlier 2026 campaigns where the group masqueraded as Chaos ransomware to deploy the Darkcomp RAT, targeted US companies with Dindoor/Fakeset backdoors, and expanded its toolset with Rust-based implants like RustyWater. The group’s persistent focus on espionage, use of legitimate tools for evasion, and geographic diversification underscore its adaptability as a state-aligned threat actor linked to Iran’s MOIS.
  • Critical Fortinet Vulnerabilities: RCE Flaws in FortiAuthenticator, FortiSandbox, and Ongoing Exploitation of FortiClient EMS
    Fortinet has released emergency patches for two new critical remote code execution (RCE) vulnerabilities in FortiAuthenticator (CVE-2026-44277) and FortiSandbox (CVE-2026-26083), both allowing unauthenticated attackers to execute arbitrary code via crafted requests. These flaws join a series of actively exploited vulnerabilities in Fortinet products, including CVE-2026-35616 (FortiClient EMS API access bypass), which CISA mandated federal agencies patch by April 9, 2026, and CVE-2026-21643 (FortiClientEMS SQL injection), exploited since late March 2026. Earlier in 2026, Fortinet addressed CVE-2026-24858, a critical FortiCloud SSO authentication bypass (CVSS 9.4) exploited to hijack admin accounts and exfiltrate configurations from over 25,000 exposed devices, prompting CISA to enforce a January 30, 2026, patching deadline for federal agencies. Fortinet temporarily disabled FortiCloud SSO to mitigate zero-day attacks, later restoring it with restrictions. The FortiClient EMS vulnerabilities (CVE-2026-21643 and CVE-2026-35616) remain high-risk, with Shadowserver tracking over 2,000 exposed instances primarily in the U.S. and Europe. Organizations are urged to disable vulnerable features (e.g., FortiCloud SSO), apply hotfixes immediately, and isolate management interfaces to prevent lateral movement and endpoint compromise.
  • SAP December 2025 Security Updates Address Three Critical Vulnerabilities
    SAP’s December 2025 security bulletin addressed 14 vulnerabilities, including three critical flaws, while the May 2026 updates introduced 15 new vulnerabilities with two critical issues in Commerce Cloud and S/4HANA. One critical flaw, CVE-2026-34263, is a missing authentication check in SAP Commerce Cloud allowing unauthenticated attackers to execute arbitrary code. The second critical flaw, CVE-2026-34260, enables low-complexity SQL injection in SAP S/4HANA, risking unauthorized data access and application disruption. SAP’s May 2026 advisory also resolved one high-severity and 11 medium-severity issues, including command injection, missing authorization checks, and XSS. While SAP has not observed active exploitation of these new flaws, historical precedent shows SAP vulnerabilities are frequently targeted, with 14 SAP flaws added to CISA’s Known Exploited Vulnerabilities catalog in recent years, including two used in ransomware attacks. SAP remains a critical enterprise software vendor, serving 99 of the 100 largest global companies and reporting over €36 billion in fiscal year 2025 revenue.
  • Microsoft May 2026 Patch Tuesday addresses 120 vulnerabilities without disclosed zero-days
    Microsoft’s May 2026 Patch Tuesday released fixes for 120 vulnerabilities across its ecosystem, including 17 Critical flaws, with no zero-days disclosed. The updates, delivered via Windows 11 cumulative updates KB5089549 and KB5087420 for versions 23H2, 24H2, and 25H2, addressed remote code execution (RCE), elevation of privilege (EoP), information disclosure, denial of service (DoS), and spoofing vulnerabilities in Windows, Office, Word, Excel, SharePoint, and the DNS Client. The remediation effort excluded patches for Microsoft Mariner, Azure, Copilot, Teams, Partner Center, and 131 Google Chromium-based Edge flaws addressed separately by Google. Notable fixes included CVE-2026-35421 (Windows GDI RCE via malicious EMF files), CVE-2026-40365 (SharePoint Server RCE), and CVE-2026-41096 (Windows DNS Client RCE). While the primary focus was security, the updates also introduced non-security improvements such as Xbox mode integration, expanded File Explorer archive support, haptic feedback for input devices, and enhanced batch file security controls.
  • Foxconn North American operations disrupted by Nitrogen ransomware attack
    Foxconn confirmed a cyberattack impacting North American factories, disrupting operations and prompting recovery efforts. The Nitrogen ransomware gang has claimed responsibility, alleging theft of 8 TB of data and over 11 million documents, including confidential customer projects and intellectual property. Affected facilities are resuming normal production as incident response continues. The attack underscores the escalating targeting of manufacturing supply chains, where threat actors exploit operational sensitivity and high-value data. Foxconn, a key supplier to major technology firms, faces potential downstream impact as stolen data may include sensitive documentation tied to clients like Apple, Intel, Google, Nvidia, and others. Industry data shows manufacturing as the most heavily targeted sector for ransomware in 2026, with nearly 70% more victims than any other industry, reflecting attackers' focus on organizations where downtime directly halts revenue and production.
  • Exim BDAT Memory Corruption Flaw in GnuTLS Builds Enables Code Execution
    A severe use-after-free vulnerability in Exim's BDAT message body parsing under GnuTLS configurations (CVE-2026-45185) allows unauthenticated attackers to trigger memory corruption and achieve code execution, impacting Exim versions 4.97 through 4.99.2. The flaw enables heap corruption via a single-byte write into freed allocator metadata during TLS shutdown, granting further exploitation primitives. Exploitation requires establishing a TLS connection and using the CHUNKING (BDAT) SMTP extension; no mitigations exist beyond upgrading to Exim 4.99.3. Exploitation could result in arbitrary code execution, access to Exim data and emails, and potential lateral movement depending on server permissions. The vulnerability was disclosed by Federico Kirschbaum of XBOW and patched in Exim version 4.99.3. A proof-of-concept exploit was developed by XBOW using AI-driven tools, achieving success on non-PIE binaries with and without ASLR.
  • Cross-Platform Supply Chain Attack Expands with Mini Shai-Hulud Malware via PyPI and npm Ecosystems
    The Mini Shai-Hulud supply chain attack has escalated into a broader, ongoing campaign with a fresh wave of compromises targeting the TanStack developer ecosystem and other ecosystems, including SAP and AI tooling. Researchers have identified hundreds of malicious npm packages—373 package-version entries across 169 package names and at least double that number across multiple organizations—designed to steal developer and CI/CD credentials and self-propagate through compromised maintainer accounts and GitHub Actions trusted publishing workflows. The malware now leverages heavily obfuscated JavaScript payloads with Bun-based execution to evade detection, while abusing IDE integrations for persistence. The campaign’s tactics have evolved to include automated trojanized package updates pushed via compromised maintainer credentials and OIDC-based npm publishing, significantly increasing the blast radius by turning compromised build systems and developer environments into vectors for further infection. The threat actors, assessed as TeamPCP, continue to refine their methods to maximize reach and stealth, underscoring the urgency for developers to rotate credentials, verify package provenance, and monitor for unauthorized publishes.
Last updated: 09:00 14/05/2026 UTC
  • Unauthorized access to Trellix source code repository confirmed
    Trellix confirmed unauthorized access to a portion of its source code repository on May 4, 2026, engaging forensic experts and law enforcement while stating no evidence of exploitation or impact on source code release processes. Security experts warn that access to the source code could give threat actors a tactical roadmap to Trellix’s detection mechanisms, build paths, and potential weaknesses, enabling further supply chain attacks. The incident follows a pattern of recent attacks targeting security vendors and software supply chains, including compromises of vendors like Aqua Security and Checkmarx via the Trivy supply chain attack, which exposed enterprise secrets and involved collaborations between groups like TeamPCP and Lapsus$ for monetization and ransomware deployment. RansomHouse has now claimed responsibility for the breach, alleging the intrusion occurred on April 17, 2026, and resulted in data encryption. The group leaked screenshots purporting to show access to Trellix’s appliance management system as proof of compromise. Trellix acknowledged awareness of the claims and stated it was investigating the reported attack.
  • TeamPCP escalates CanisterWorm campaign with geopolitical targeting and multi-vector attacks
    TeamPCP has escalated its multi-vector CanisterWorm campaign into a geopolitically targeted operation, now confirmed to have leveraged the Trivy supply-chain attack as an access vector for the Checkmarx compromise. The group compromised PyPI packages (LiteLLM versions 1.82.7–1.82.8 and Telnyx versions 4.87.1–4.87.2) and Checkmarx KICS tooling to deliver credential-stealing malware, harvesting SSH keys, cloud credentials, Kubernetes secrets, database credentials, cryptocurrency wallets, TLS/SSL private keys, and bash history files. Checkmarx has publicly confirmed that the LAPSUS$ threat group leaked data stolen from its private GitHub repository, with access facilitated by the Trivy compromise attributed to TeamPCP. The leaked data, published on both dark web and clearnet portals, did not contain customer information, and Checkmarx has blocked access to the affected repository pending forensic investigation. The campaign’s scope expanded from initial npm package compromises to include GitHub repository hijacking (e.g., Aqua Security), Docker Hub compromise, and CI/CD pipeline targeting, while destructive payloads in Iranian Kubernetes environments highlight TeamPCP’s geopolitical alignment. On May 9, 2026, TeamPCP published a malicious version of the Checkmarx Jenkins AST plugin (2.0.13-829.vc72453fa_1c16) to the Jenkins Marketplace, defacing the plugin’s GitHub repository with pro-TeamPCP messaging. The compromise was facilitated using credentials stolen in the March 2026 Trivy supply-chain attack and occurred outside the plugin’s official release pipeline, lacking a git tag or GitHub release. Checkmarx isolated its GitHub repositories from customer environments and stated no customer data was stored in them. Users are advised to use version 2.0.13-829.vc72453fa_1c16 published on December 17, 2025, or older.
  • TCLBanker Evolution: Water Saci Expands WhatsApp/Outlook Campaign Targeting 59 Brazilian Banks and Fintech Platforms
    A new trojan named TCLBanker, which targets 59 banking, fintech, and cryptocurrency platforms, has emerged as a major evolution of the older Maverick/SORVEPOTEL malware family. The malware spreads via WhatsApp and Outlook using self-spreading worm modules that automatically infect new victims, primarily in Brazil, but with potential for regional expansion. TCLBanker is loaded via DLL side-loading within a legitimate Logitech application, avoiding detection by security products. The banking module monitors browser activity in real-time, enabling remote control operations including live screen streaming, keylogging, and clipboard hijacking, while using sophisticated overlay systems to harvest credentials and financial data. The malware's WhatsApp worm module hijacks authenticated sessions to harvest contacts and send spam messages, while the Outlook worm module abuses COM automation to distribute phishing emails. The threat actor behind TCLBanker, identified as Water Saci, has incorporated advanced evasion techniques and may have used AI tools during development, further refining its capabilities beyond earlier iterations like SORVEPOTEL and Maverick.
  • Russian Actors Target Water Systems in Norway, Poland, Denmark, and Romania
    Russian and allied state-sponsored actors continue to target water systems across Europe as part of a broader hybrid campaign. In Poland, the Internal Security Agency (ABW) has documented cyberattacks against industrial control systems (ICS) at five water treatment plants in 2025, including Jabłonna Lacka, Szczytno, Małdyty, Tolkmicko, and Sierakowo. Attackers gained access to operational systems, modifying parameters with the potential to disrupt public water supplies. The campaign leverages weak password policies and internet-exposed systems, with attribution pointing to Russian APT groups APT28 and APT29, Belarusian-linked UNC1151, and other hacktivist personas acting as state proxies. Earlier incidents in Norway, Poland, and Denmark involved destructive or disruptive actions against water utilities, while Romania experienced a ransomware attack on its national water authority. These attacks form part of a sustained influence operation aimed at undermining Western support for Ukraine and demonstrating asymmetric cyber capabilities against critical infrastructure.
  • Quasar Linux (QLNX) multi-stage implant targeting developer environments with rootkit, backdoor, and credential-harvesting capabilities
    A previously undocumented Linux implant named Quasar Linux (QLNX) has been identified targeting software developers' systems in development and DevOps environments across npm, PyPI, GitHub, AWS, Docker, and Kubernetes. QLNX combines rootkit, backdoor, and credential-harvesting capabilities to establish stealthy, fileless persistence and enable potential supply-chain attacks. The malware dynamically compiles rootkit shared objects and PAM backdoors on target hosts using gcc, employs seven persistence mechanisms, and uses dual-layer stealth techniques including userland LD_PRELOAD rootkits and kernel-level eBPF components. QLNX features a 58-command RAT core, credential harvesting targeting 10+ configuration files (.npmrc, .pypirc, .aws/credentials, .kube/config, .env, etc.), surveillance, networking and lateral movement, process injection, and filesystem monitoring modules. Targeting developer workstations allows bypass of enterprise security controls and access to credentials underpinning software delivery pipelines, enabling attackers to push poisoned packages to public registries or pivot through CI/CD pipelines.
  • Phishing-to-outage lifecycle focus of upcoming MSP cyber resilience webinar featuring Kaseya
    On May 14, 2026 at 2:00 PM ET, BleepingComputer and Kaseya will host a live technical webinar titled "From phishing to fallout: Why MSPs must rethink both security and recovery." Led by Austin O'Saben and Adam Marget, the session will present advanced strategies for MSPs to integrate detection, response, and recovery to mitigate phishing-driven cyber incidents. Modern threat actors increasingly combine AI-generated phishing, business email compromise, ransomware, and SaaS abuse to bypass traditional defenses and disrupt operations. The webinar emphasizes that reliance on prevention alone is insufficient; instead, organizations must strengthen both security posture and recovery readiness, including SaaS backups and business continuity planning. Kaseya experts will detail how integrating backup and disaster recovery (BCDR) into security strategies is critical to reduce downtime and limit incident impact during such attacks. Building on prior coverage, a May 13, 2026 BleepingComputer article highlights that brand impersonation in AI-driven phishing is outpacing traditional email security, and that recovery delays after compromise can prolong operational disruption and increase recovery costs even after containment. Organizations are urged to prepare not only to defend against attacks but also to recover from them quickly. A separate May 7, 2026 article by The Hacker News promotes another webinar, "One Click, Total Shutdown: The 'Patient Zero' Webinar on Killing Stealth Breaches," which focuses on immediate breach containment strategies for AI-driven phishing attacks, including the "Patient Zero" concept and the 5-minute critical window for containment.

Latest updates


Foxconn North American operations disrupted by Nitrogen ransomware attack

Updated: 14.05.2026 15:00 · First: 13.05.2026 15:49 · 📰 2 src / 2 articles

Foxconn confirmed a cyberattack impacting North American factories, disrupting operations and prompting recovery efforts. The Nitrogen ransomware gang has claimed responsibility, alleging theft of 8 TB of data and over 11 million documents, including confidential customer projects and intellectual property. Affected facilities are resuming normal production as incident response continues. The attack underscores the escalating targeting of manufacturing supply chains, where threat actors exploit operational sensitivity and high-value data. Foxconn, a key supplier to major technology firms, faces potential downstream impact as stolen data may include sensitive documentation tied to clients like Apple, Intel, Google, Nvidia, and others. Industry data shows manufacturing as the most heavily targeted sector for ransomware in 2026, with nearly 70% more victims than any other industry, reflecting attackers' focus on organizations where downtime directly halts revenue and production.

Dell SupportAssist Remediation service update triggers critical Windows BSOD crashes

First: 14.05.2026 13:03 · 📰 1 src / 1 article

Dell confirmed that a recent update to its SupportAssist Remediation service (version 5.5.16.0) is causing Windows blue-screen-of-death (BSOD) crashes across Dell and Alienware systems. The crashes stem from a critical process error (0xEF_DellSupportAss_BUGCHECK_CRITICAL_PROCESS) introduced in the update, prompting users to uninstall or disable the service as a temporary workaround. The issue has affected systems since late May 2026, with Dell engineering actively investigating a permanent fix.

BitLocker bypass via WinRE and privilege escalation flaws disclosed in Windows

Updated: 14.05.2026 12:25 · First: 13.05.2026 19:37 · 📰 2 src / 2 articles

A security researcher publicly disclosed two unpatched Windows vulnerabilities, YellowKey and GreenPlasma, including proof-of-concept (PoC) exploits, enabling BitLocker bypass and local privilege escalation (LPE) respectively. The researcher, known as Chaotic Eclipse or Nightmare Eclipse, criticized Microsoft's handling of prior disclosures, leading to these new disclosures ahead of the next Patch Tuesday. YellowKey exploits the Windows Recovery Environment (WinRE) to bypass BitLocker encryption on Windows 11, Windows Server 2022, and Windows Server 2025 systems, allowing unrestricted access to encrypted volumes without requiring user credentials. The attack leverages specially crafted 'FsTx' files placed on a USB drive or the EFI partition, triggering a shell upon recovery mode entry. The researcher emphasized that even TPM+PIN configurations do not mitigate YellowKey. GreenPlasma is an LPE flaw enabling SYSTEM-level access through arbitrary section creation in writable SYSTEM directories, with a partial PoC released. Microsoft has not yet patched either vulnerability and has not assigned a CVE identifier to GreenPlasma.

Unmanaged AI Agents Pose Security Risks in Enterprise Environments

Updated: 14.05.2026 12:20 · First: 23.10.2025 14:55 · 📰 3 src / 3 articles

The proliferation of unmanaged AI agents in enterprise environments continues to escalate security risks, with most companies having 100 AI agents per human employee and 99% of these identities remaining unmanaged. A new study reveals that 93% of global organizations now use or plan to use AI agents for sensitive security tasks such as password resets and VPN access, despite the potential for serious breaches. Only 32% of organizations feel confident in regaining control after an AI-driven credential exposure, highlighting widespread unpreparedness. Traditional security tools prove ineffective at managing AI agents, which are often over-permissioned and abandoned as "zombie" identities. The industry is shifting toward agentic AI systems that operate autonomously, necessitating AI-driven SOC defense platforms and faster public-private partnerships to enhance national resilience. An upcoming webinar will provide a framework for securing AI agents, including strategies for governance, security-by-design, and aligning security with business goals.

UK ICO releases mitigation guidance for AI-powered cyber threats

First: 14.05.2026 12:00 · 📰 1 src / 1 article

The UK Information Commissioner’s Office (ICO) published a five-step plan to counter AI-powered cyber threats, emphasizing foundational cybersecurity controls, layered defenses, and AI-specific governance. The guidance targets AI-enhanced phishing, deepfake social engineering, automated exploitation, adaptive malware, and AI model poisoning. It aligns with the NCSC’s Cyber Assessment Framework and GDPR obligations, requiring organizations to implement Cyber Essentials controls, MFA, least-privilege access, and incident response testing, with explicit oversight of AI-driven security tools.

Indictment of alleged Dream Market administrator Owe Martin Andresen for international money laundering

First: 14.05.2026 11:55 · 📰 1 src / 1 article

The alleged main administrator of the now-defunct dark web marketplace Dream Market, identified as Owe Martin Andresen (aka 'Speedstepper'), has been indicted in the U.S. on 12 counts of international concealment money laundering. Andresen, arrested in Germany, is accused of laundering over $2 million in proceeds from Dream Market operations between August 2023 and April 2025. The charges stem from the alleged movement of dormant marketplace cryptocurrency wallets’ funds into new wallets in late 2022, followed by the purchase of gold bars using those funds in August 2023. German authorities recovered approximately $1.7 million in gold bars, over $23,000 in cash, and evidence of additional proceeds totaling $1.2 million during searches of his residence and two other locations on May 7, 2026.

Fragnasia Linux privilege escalation flaw enables root access via XFRM ESP-in-TCP logic bug

First: 14.05.2026 10:34 · 📰 1 src / 1 article

A high-severity logic bug in the Linux XFRM ESP-in-TCP subsystem, tracked as CVE-2026-46300 and named Fragnasia, allows unprivileged local attackers to gain root privileges by corrupting the kernel page cache of read-only files, including critical binaries like /usr/bin/su. Discovered by William Bowling of Zellic, the vulnerability is the second known member of the Dirty Frag vulnerability class and provides a direct memory-write primitive to overwrite kernel page cache memory without requiring race conditions. All Linux kernels released before May 13, 2026 are affected. A proof-of-concept exploit has been publicly released, enabling attackers to achieve root shells on vulnerable systems.

Fragnesia Linux Kernel LPE via XFRM ESP-in-TCP Page Cache Corruption

First: 14.05.2026 10:06 · 📰 1 src / 1 article

A new Linux kernel local privilege escalation (LPE) vulnerability, codenamed Fragnesia and tracked as CVE-2026-46300 (CVSS 7.8), enables unprivileged local attackers to gain root access by corrupting the kernel page cache. The flaw resides in the XFRM ESP-in-TCP subsystem and allows arbitrary byte writes into the read-only page cache of files such as /usr/bin/su without requiring race conditions or host-level privileges. A proof-of-concept exploit has been publicly released, and patches are available across major Linux distributions including AlmaLinux, Debian, Red Hat Enterprise Linux, SUSE, and Ubuntu. Mitigation strategies include disabling esp4, esp6, and related xfrm/IPsec functionality, restricting local shell access, and hardening containerized environments.

Heap Overflow in NGINX ngx_http_rewrite_module Enables Unauthenticated RCE (CVE-2026-42945)

First: 14.05.2026 09:00 · 📰 1 src / 1 article

A critical heap-based buffer overflow vulnerability in the ngx_http_rewrite_module of NGINX Plus and NGINX Open Source, tracked as CVE-2026-42945 (CVSS v4: 9.2) and codenamed NGINX Rift, has been disclosed. The flaw allows unauthenticated remote code execution (RCE) or denial of service (DoS) when specific crafted HTTP requests are sent to a vulnerable server. The vulnerability has been present in the code base for 18 years and is exploitable via malformed rewrite directives containing unnamed PCRE capture groups and replacement strings with question marks. Successful exploitation corrupts the heap in the NGINX worker process, enabling code execution if ASLR is disabled, or DoS via repeated worker crashes. Impact is severe due to the unauthenticated nature of the attack, the absence of prerequisites, and the potential to disrupt all services served by the affected NGINX instance.

West Pharmaceutical Services sustains cyber intrusion with data theft and partial system encryption

First: 14.05.2026 01:23 · 📰 1 src / 1 article

A cyber intrusion against West Pharmaceutical Services, a U.S.-based pharmaceutical manufacturer with over 10,800 employees and annual revenues exceeding $3 billion, resulted in data exfiltration and partial system encryption. The compromise was detected on May 4, 2026, with an SEC filing on May 7, 2026 confirming material impact. The attacker accessed and stole data from the corporate network and encrypted select systems, triggering a global response that included containment measures, law enforcement notification, and engagement of external forensic experts. The incident disrupted global business operations, with core enterprise systems supporting shipping and manufacturing restored and partial manufacturing resumption achieved. Full system restoration remains incomplete, and no timeline or financial impact estimate has been provided.

MuddyWater Expands Global Campaigns with New Backdoors Targeting US and Israeli Entities

Updated: 14.05.2026 00:59 · First: 22.10.2025 18:00 · 📰 12 src / 21 articles

The Iran-linked MuddyWater APT (a.k.a. Seedworm, Static Kitten) has expanded its global espionage operations to include a major South Korean electronics manufacturer, government agencies, and an international airport in the Middle East, marking a geographic shift beyond its traditional MENA and Israeli targets. In February 2026, the group spent a week inside the network of the South Korean firm, conducting industrial espionage and intellectual property theft while leveraging DLL sideloading via legitimate Fortemedia and SentinelOne binaries to deploy ChromElevator for browser data exfiltration. MuddyWater’s evolving tradecraft includes the continued use of PowerShell—now orchestrated via Node.js loaders—for reconnaissance, credential theft, and persistence, alongside anti-detection techniques like fake Windows prompts, registry hive theft, and public file-sharing services (sendit.sh) for exfiltration. This follows earlier 2026 campaigns where the group masqueraded as Chaos ransomware to deploy the Darkcomp RAT, targeted US companies with Dindoor/Fakeset backdoors, and expanded its toolset with Rust-based implants like RustyWater. The group’s persistent focus on espionage, use of legitimate tools for evasion, and geographic diversification underscore its adaptability as a state-aligned threat actor linked to Iran’s MOIS.

Shift from checkbox compliance to continuous third-party risk assessment in GRC frameworks

First: 14.05.2026 00:17 · 📰 1 src / 1 article

Cybersecurity stakeholders are transitioning from static, annual compliance assessments toward continuous third-party and enterprise risk monitoring due to limitations of traditional checkbox-based governance, risk, and compliance (GRC) models. Threat actors exploit vulnerabilities and supply-chain attack vectors faster than annual audits can detect, rendering periodic questionnaires and paper-based compliance ineffective. Leading security professionals and organizations are adopting continuous monitoring platforms that integrate AI-driven evidence collection, attack surface visibility, and real-time control validation to assess and communicate risk more accurately.

Compromise of Ruby gems and Go modules via poisoned packages leads to credential theft and CI pipeline manipulation

Updated: 14.05.2026 00:09 · First: 01.05.2026 12:43 · 📰 3 src / 4 articles

A dual-pronged software supply chain attack continues to unfold, with initial compromise via poisoned Ruby gems and Go modules tied to the GitHub account “BufferZoneCorp” for credential theft and CI pipeline manipulation. Concurrently, the GemStuffer campaign abuses the RubyGems registry as a data transport channel, embedding scraped content from U.K. local government council portals (Lambeth, Wandsworth, Southwark) into more than 150 valid .gem archives and republishing them using hardcoded API keys. New vendor research highlights automated scraper-worm mechanics, noisy but intentional execution indicative of testing or registry abuse, and direct API uploads that bypass the gem CLI. Security teams are advised to audit /tmp folders, block unauthorized gem pushes in CI pipelines, and lock down the systems allowed to publish to public registries.

The Gentlemen RaaS group breached, internal data leaked exposing operations and TTPs

Updated: · First: 13.05.2026 23:47 · 📰 1 src / 1 article

The Russian ransomware-as-a-service (RaaS) operation known as The Gentlemen suffered a data breach of its internal infrastructure, resulting in the theft and public sale of 16 GB of sensitive data including communications, tooling, and operational documentation. The anonymous threat actors leaked a 44 MB sample proving authenticity, which Check Point Research analyzed to reveal detailed operational structure, tactics, techniques, and procedures (TTPs), payment models, and leadership dynamics of The Gentlemen. The group, led by a figure identified as "zeta88," has executed over 332 confirmed attacks in 2026 alone, making it the second most active ransomware group globally. The breach represents a significant reputational and operational risk, though immediate disruption to ongoing activities is not expected.

Exim BDAT Memory Corruption Flaw in GnuTLS Builds Enables Code Execution

Updated: 13.05.2026 23:23 · First: 12.05.2026 19:44 · 📰 2 src / 2 articles

A severe use-after-free vulnerability in Exim's BDAT message body parsing under GnuTLS configurations (CVE-2026-45185) allows unauthenticated attackers to trigger memory corruption and achieve code execution, impacting Exim versions 4.97 through 4.99.2. The flaw enables heap corruption via a single-byte write into freed allocator metadata during TLS shutdown, granting further exploitation primitives. Exploitation requires establishing a TLS connection and using the CHUNKING (BDAT) SMTP extension; no mitigations exist beyond upgrading to Exim 4.99.3. Exploitation could result in arbitrary code execution, access to Exim data and emails, and potential lateral movement depending on server permissions. The vulnerability was disclosed by Federico Kirschbaum of XBOW and patched in Exim version 4.99.3. A proof-of-concept exploit was developed by XBOW using AI-driven tools, achieving success on non-PIE binaries with and without ASLR.

Phishing-to-outage lifecycle focus of upcoming MSP cyber resilience webinar featuring Kaseya

Updated: 13.05.2026 18:45 · First: 17.04.2026 15:20 · 📰 6 src / 6 articles

On May 14, 2026 at 2:00 PM ET, BleepingComputer and Kaseya will host a live technical webinar titled "From phishing to fallout: Why MSPs must rethink both security and recovery." Led by Austin O'Saben and Adam Marget, the session will present advanced strategies for MSPs to integrate detection, response, and recovery to mitigate phishing-driven cyber incidents. Modern threat actors increasingly combine AI-generated phishing, business email compromise, ransomware, and SaaS abuse to bypass traditional defenses and disrupt operations. The webinar emphasizes that reliance on prevention alone is insufficient; instead, organizations must strengthen both security posture and recovery readiness, including SaaS backups and business continuity planning. Kaseya experts will detail how integrating backup and disaster recovery (BCDR) into security strategies is critical to reduce downtime and limit incident impact during such attacks. Building on prior coverage, a May 13, 2026 BleepingComputer article highlights that brand impersonation in AI-driven phishing is outpacing traditional email security, and that recovery delays after compromise can prolong operational disruption and increase recovery costs even after containment. Organizations are urged to prepare not only to defend against attacks but also to recover from them quickly. A separate May 7, 2026 article by The Hacker News promotes another webinar, "One Click, Total Shutdown: The 'Patient Zero' Webinar on Killing Stealth Breaches," which focuses on immediate breach containment strategies for AI-driven phishing attacks, including the "Patient Zero" concept and the 5-minute critical window for containment.

BitLocker recovery prompts triggered on Windows Server 2025 after KB5082063 update

Updated: 13.05.2026 18:42 · First: 15.04.2026 14:41 · 📰 3 src / 3 articles

Microsoft has confirmed that the April 2026 KB5082063 security update for Windows Server 2025 is causing two distinct issues: BitLocker recovery prompts on first reboot for systems with PCR7-bound Group Policy configurations, and installation failures marked by 0x800F0983 errors on some devices. Both issues primarily impact enterprise-managed systems and require administrative intervention—either key entry for BitLocker recovery or troubleshooting update installation. Microsoft is investigating both problems and has provided temporary workarounds, including Known Issue Rollback (KIR) for BitLocker recovery and diagnostic reviews for update installation failures. Home users are unlikely to be affected by either issue. On May 13, 2026, Microsoft released KB5089549 to address the BitLocker recovery issue specifically for Windows 11 25H2 systems, though Windows 10 and Windows Server remain without a permanent resolution. The issue stems from invalid PCR7 configurations in TPM validation settings, and admins are advised to remove the 'Configure TPM platform validation profile for native UEFI firmware configurations' Group Policy before deploying April 2026 updates until a broader fix is available.

Continuous agentic AI red teaming platform deployed for real-time infrastructure attack path analysis

Updated: · First: 13.05.2026 17:50 · 📰 1 src / 1 article

Sweet Security has launched Sweet Attack, a continuous agentic AI red teaming platform that autonomously discovers and prioritizes exploitable attack paths within enterprise infrastructure by analyzing runtime data. The system indexes live runtime topology, unencrypted Layer 7 exposure, deployed source code, identity paths, and application behavior to provide real-time contextual awareness. It identifies shadow IT and shadow AI components, including MCP servers, APIs, and SaaS integrations, and evaluates attack paths continuously as new components are introduced. Sweet Attack provides prioritized remediation timelines by distinguishing between inconsequential vulnerabilities and those with viable attack paths, enabling defenders to focus mitigation efforts on high-risk exposures.

Instructure breach claimed by ShinyHunters results in theft of 280 million records from 8,809 schools and universities

Updated: 13.05.2026 17:30 · First: 02.05.2026 02:43 · 📰 5 src / 5 articles

Instructure, the company behind the Canvas Learning Management System, confirmed a cybersecurity incident that began with an intrusion on April 25, 2026, attributed to the ShinyHunters extortion gang. The actor claimed to have stolen approximately 3.65 TB of data, including records from 8,809 educational institutions, and escalated its extortion campaign with a school-by-school ransom approach. ShinyHunters exploited multiple cross-site scripting (XSS) vulnerabilities in Canvas’ Free-For-Teacher environment to gain access to authenticated admin sessions during a second intrusion on May 7, 2026. The threat actor defaced Canvas login portals with extortion messages demanding ransom negotiations by May 12, 2026, and Instructure temporarily took Canvas offline to contain the activity. No data was compromised during the defacement, but the 3.65 TB of exfiltrated data from the initial breach remained the primary concern. On May 13, 2026, Instructure reached an agreement with ShinyHunters, reporting that the stolen data had been returned with digital confirmation of destruction and assurances against further extortion. The company disclosed that the breach originated from an undisclosed flaw in Free-For-Teacher support tickets, enabling the exfiltration of about 275 million records, including usernames, email addresses, course names, enrollment information, and messages. Course content, submissions, and credentials were not compromised. Instructure implemented further mitigations, including disabling Free-For-Teacher accounts, revoking credentials, rotating keys, and deploying additional controls. Researchers warned the leaked data could facilitate impersonation attacks, urging institutions to issue phishing advisories and direct communications to stakeholders. The incident follows Instructure’s 2025 breach involving a social engineering attack on its Salesforce instance, also attributed to ShinyHunters.

Multiple universities have acknowledged awareness of the breach and initiated internal reviews. The education sector remains a high-value target due to the volume of sensitive student and staff data processed by such platforms.

Unauthenticated SQL Injection and Arbitrary File Read Vulnerabilities in Avada Builder WordPress Plugin Affect One Million Sites

Updated: · First: 13.05.2026 17:00 · 📰 1 src / 1 article

Two vulnerabilities in the Avada Builder WordPress plugin—CVE-2026-4782 and CVE-2026-4798—have exposed approximately one million WordPress sites to arbitrary file read and unauthenticated SQL injection attacks. The arbitrary file read flaw (CVSS 6.5) in the fusion_get_svg_from_file function allows authenticated subscribers to access sensitive server files, including wp-config.php. The unauthenticated SQL injection flaw (CVSS 7.5) in the product_order parameter targets sites with previously installed and deactivated WooCommerce installations. The vendor released patches in versions 3.15.2 (April 13) and 3.15.3 (May 12) following coordinated disclosure.

Critical RCE and EoP vulnerabilities in Microsoft products addressed in May Patch Tuesday

Updated: 13.05.2026 16:46 · First: 13.05.2026 11:15 · 📰 3 src / 3 articles

Microsoft’s May 2026 Patch Tuesday addressed 138 CVEs, including 30 Critical-rated vulnerabilities, across its product portfolio, with 16 flaws discovered using the AI-driven MDASH system. Key flaws include CVE-2026-41089 (Windows Netlogon stack-based buffer overflow, CVSS 9.8), CVE-2026-41096 (Windows DNS client RCE, CVSS 9.8), and CVE-2026-42898 (Microsoft Dynamics 365 RCE), alongside newly disclosed issues such as CVE-2026-33824 (double-free in ikeext.dll, CVSS 9.8) and CVE-2026-33827 (race condition in tcpip.sys, CVSS 8.1). The update also includes non-CVE changes requiring organizations to rotate Windows Secure Boot certificates to the 2023 versions by June 26, 2026, to prevent boot-level security failures. Microsoft emphasized the growing role of AI in vulnerability discovery, noting that AI-assisted approaches like MDASH are expected to scale Patch Tuesday releases in the coming months. Earlier reporting on this release had counted 120 CVEs addressed, 17 classified as Critical, and 16 discovered via the MDASH system, with specific focus on CVE-2026-41089, CVE-2026-41096, and CVE-2026-42898 as high-impact RCE and EoP flaws.

AI-Augmented Threat Activity Leverages Vibe-Hacking Across Full Attack Chains in Latin America

Updated: · First: 13.05.2026 16:00 · 📰 1 src / 1 article

Threat actors in Latin America have operationalized AI agents to automate and accelerate full attack chains, including initial access, lateral movement, tool generation, and persistence, specifically targeting public sector, financial, aviation, and retail entities. Two campaigns—Shadow-Aether-040 and Shadow-Aether-064—were documented using AI-driven "vibe-hacking" techniques to compromise organizations in Mexico and Brazil between December 2025 and April 2026. AI agents were instructed via jailbroken interfaces to generate custom, dynamically produced tools, automate reconnaissance using Shodan and VulDB, deploy web shells, and maintain persistence through custom backdoors. Data theft was confirmed in some compromises. The adversaries circumvented AI agent safeguards through iterative prompt engineering, enabling unauthorized red-team-style operations. Success varied based on target defenses; stronger security configurations impeded lateral movement and tool efficacy, underscoring the ongoing importance of foundational controls.

FamousSparrow APT compromises Azerbaijan energy sector via DLL side-loading and Exchange Server exploitation

Updated: · First: 13.05.2026 16:00 · 📰 1 src / 1 article

China-linked advanced persistent threat (APT) group FamousSparrow conducted a targeted cyberespionage campaign against an Azerbaijani oil-and-gas company in the South Caucasus region between December 2025 and February 2026. The intrusion leveraged a novel two-stage DLL side-loading technique to deploy the Deed remote access trojan (RAT), evading detection mechanisms by splitting malicious payloads across legitimate application execution paths. The operational technology (OT) networks remained unaffected. Initial access was gained through an unpatched Microsoft Exchange server, with the attackers returning twice despite initial remediation on workstations. The campaign reflects a strategic expansion of Chinese cyber operations into Russia’s traditional sphere of influence, coinciding with the increased significance of the region's energy corridor for the European Union.

Sustained China-nexus Intrusion Campaign Targets Azerbaijani Energy Sector via ProxyNotShell Exploitation

Updated: · First: 13.05.2026 16:00 · 📰 1 src / 1 article

A Chinese-nexus threat actor attributed to FamousSparrow (UAT-9244) conducted a multi-wave intrusion against an Azerbaijani oil and gas company between December 2025 and February 2026, leveraging the ProxyNotShell exploit chain for initial access despite remediation efforts. The campaign involved three distinct waves deploying Deed RAT (a ShadowPad successor) and TernDoor (recently observed in South American telecom attacks), with repeated re-exploitation of the same Microsoft Exchange Server entry point. Attackers refined evasion techniques, including DLL side-loading via LogMeIn Hamachi with two-stage trigger design, to deploy payloads and maintain persistence. Lateral movement and redundant footholds were established to ensure operational resilience.

Autonomous validation loop becomes critical as AI-driven attacks reach machine-speed execution

Updated: · First: 13.05.2026 15:30 · 📰 1 src / 1 article

In April 2026, an AI system codenamed Mythos, operating within a restricted sandbox, autonomously generated 181 working Firefox exploits within 14 days, including previously unknown zero-days affecting major operating systems and browsers; over 99% of these vulnerabilities remain unpatched in production environments. A separate campaign in February 2026 demonstrated that a single low-skill operator using AI-driven tools compromised 2,516 FortiGate devices across 106 countries within minutes, exploiting only known CVEs and misconfigurations. These incidents underscore that offensive operations now execute at machine speed, rendering traditional vulnerability response cycles obsolete. Defensive strategies must shift from compliance-driven assessments to continuous, evidence-based validation to identify what adversaries can actually exploit and how far they can move laterally before any human-driven remediation can occur.

Majority of CISOs Reported Willingness to Pay Ransomware Demands Despite Regulatory and Recovery Risks

Updated: · First: 13.05.2026 15:30 · 📰 1 src / 1 article

A 2026 survey of 750 CISOs in the United States and United Kingdom revealed that 58% would consider paying a ransom demand following a ransomware attack, prioritizing faster system recovery over compliance risks. Regional differences show higher willingness in the US (63%) compared to the UK (47%), attributed to stricter legal guidance, GDPR complexities, and lower confidence in data recovery post-payment in the UK. Operational downtime is identified as the most significant concern, with 83% of CISOs expressing confidence in recovery speed despite 77% reporting restoration periods of up to two weeks.

Office installation failure on Windows 365 Cloud PCs due to service update misconfiguration

Updated: · First: 13.05.2026 14:53 · 📰 1 src / 1 article

A configuration change introduced via a recent service update to Windows 365 Cloud PCs is preventing some enterprise users from downloading and installing Microsoft Office on Windows 365 Enterprise and Business devices. The issue affects users relying on Azure Virtual Desktop-based Windows Cloud PCs, disrupting normal provisioning and software deployment workflows. Microsoft has acknowledged the problem and is developing a fix, though remediation timelines remain unspecified.

AppSec blind spots enabling 'Lethal Chain' attack paths via code-to-cloud gaps identified by Wiz and Okta/GitLab experts

Updated: · First: 13.05.2026 14:52 · 📰 1 src / 1 article

Security teams continue to rely on isolated AppSec tools that generate high volumes of low-risk alerts, failing to detect multi-stage attack chains that exploit sequential vulnerabilities across development and cloud environments. Attackers increasingly construct "Lethal Chains" by combining multiple seemingly minor flaws—such as a code-level bug and a cloud misconfiguration—into a direct, undetected path to sensitive data. Traditional tools that analyze code or cloud environments in isolation miss these interconnected attack paths, leaving organizations vulnerable to sophisticated intrusions that bypass existing safeguards.

Systemic failures in vulnerability remediation validation expose persistent attack paths amid AI-driven threat acceleration

Updated: · First: 13.05.2026 14:30 · 📰 1 src / 1 article

Security programs continue to fail to validate the effectiveness of remediation efforts, leaving confirmed vulnerabilities unaddressed despite faster patching cycles. Industry metrics indicate the median time to remediate edge device vulnerabilities remains at 32 days, while adversaries can exploit flaws as early as seven days before their public disclosure (a negative seven-day time-to-exploit), underscoring a critical gap between remediation speed and outcome verification. Organizations frequently mark exposures as 'fixed' based on incomplete validation—such as unverified patch application, fragile workarounds, or configuration changes that do not eliminate the underlying attack paths—leaving exploitable conditions intact for AI-accelerated threat actors.

G7-led SBOM framework for AI supply chains published with seven core clusters

Updated: · First: 13.05.2026 14:00 · 📰 1 src / 1 article

Government cybersecurity agencies from the G7 nations and the EU Commission released a unified Software Bill of Materials (SBOM) framework for artificial intelligence systems on 12 May 2026. The document defines seven mandatory clusters of minimum elements to improve transparency across AI supply chains, covering metadata, system-level properties, models, datasets, KPIs, infrastructure, and security controls. It emphasizes that SBOMs alone are insufficient for supply chain security and recommends integrating them with vulnerability management tools and adaptive cybersecurity tooling.