Microsoft released two open-source tools, RAMPART and Clarity, to integrate security testing and design validation directly into the AI agent development process. RAMPART is a Pytest-native framework for writing and executing safety and security tests against AI agents, addressing adversarial and benign issues including cross-prompt injections and data exfiltration risks. Clarity serves as an "AI thinking partner" to help developers clarify design intent, explore failure modes, and track decisions before code is written. Together, the tools aim to shift AI safety from post-build review to a continuous, lifecycle-integrated practice by making assumptions testable and incidents reproducible.

A critical command injection vulnerability (CVE-2026-8153) in Universal Robots PolyScope 5 Dashboard Server allows unauthenticated attackers with network access to execute arbitrary commands on the robot’s Linux-based controller, achieving remote code execution (RCE) and full administrative control. The flaw resides in improper input neutralization within the Dashboard Server interface, enabling attackers to manipulate OT environments where collaborative robots (cobots) are deployed across manufacturing, logistics, automotive, healthcare, and other industrial sectors. Exploitation risks sabotage of manufacturing workflows, production shutdowns, ransomware deployment, data destruction, and manipulation of robotic precision and calibration. Safety hazards include disabling safeguards, altering programmed movements, or interrupting safety logic, potentially endangering human operators and causing physical harm or environmental incidents. CVE-2026-8153 carries a CVSS 3.1 base score of 9.8 and requires the Dashboard Server to be enabled and reachable via its network port; direct internet exposure is not typical due to standard OT network segmentation practices.

GitHub confirmed the unauthorized access to internal repositories stemmed from a trojanized VS Code extension installed by an employee, affecting approximately 3,800 repos, with containment measures including removal of the malicious extension, device isolation, and critical secret rotation. TeamPCP claimed responsibility, offering the alleged GitHub data dump for sale with a minimum price of $50,000 and explicitly stating this is not a ransom operation, while also threatening free release if no buyer is found. TeamPCP expanded operations by compromising the durabletask PyPI package with a Linux infostealer targeting credentials across cloud environments and forming partnerships with extortion and ransomware actors including Lapsus$ and Vect ransomware. TeamPCP's malware campaign, known as Mini Shai-Hulud, has impacted multiple entities beyond GitHub, including Grafana Labs. Grafana Labs confirmed a breach was caused by a missed GitHub workflow token rotation following the TanStack npm supply-chain attack, resulting in the exfiltration of operational information such as business contact names and email addresses. No customer production systems or operations were compromised, and the company stated that the codebase was not modified and users are not required to take any action.

Quantum Bridge, a Toronto-based cybersecurity firm specializing in quantum-safe cryptography, announced $8 million in Series A funding, bringing total investment to $16 million. The company’s Distributed Symmetric Key Establishment (DSKE) protocol automates symmetric key creation and distribution using pre-shared random data and secret-sharing across Security Hubs, ensuring no single hub holds the complete key. This architecture mitigates both classical and quantum computing threats. Quantum Bridge’s Symmetric-Key Distribution System (SDS) combines DSKE with post-quantum cryptography (PQC) and quantum key distribution (QKD) into a crypto-agile platform deployable on existing network infrastructure via Ansible-based automation.

A 10-month Android malware campaign used nearly 250 counterfeit apps to enroll victims in premium services via carrier billing, targeting users in Malaysia, Thailand, Romania and Croatia. The operation, codenamed Premium Deception by Zimperium zLabs, ran from March 2025 to mid-January 2026 and maintained portions of its infrastructure online at the time of disclosure. Malware variants automated end-to-end subscription enrollment by exploiting legitimate Android APIs, hidden WebViews and operator-specific billing portals to bypass user interaction and detection.

The Mini Shai-Hulud supply chain campaign has escalated with a new wave of 639 compromised npm packages tied to the AntV ecosystem, including high-download dependencies such as echarts-for-react and timeago.js. The attack ran for roughly one hour on May 19, 2026, beginning at 01:56 UTC, publishing malicious versions from the compromised “atool” maintainer account that held rights for over 500 packages. Each compromised package added an obfuscated Bun bundle preinstall hook to harvest and exfiltrate credentials (cloud, CI/CD, SSH, Kubernetes, and password manager vaults) via GitHub repositories marked with Dune-themed names and the campaign's reversed signature. Earlier waves targeted TanStack and Mistral AI SDKs, SAP npm packages, and PyPI ecosystems (Lightning, intercom-client), while compromising GitHub Actions workflows ('actions-cool/issues-helper', 'actions-cool/maintain-one-comment') and hundreds of npm packages across multiple ecosystems. Affected organizations include OpenAI (two employee devices breached via TanStack), UiPath, Guardrails AI, OpenSearch, SAP, and hundreds of npm and PyPI packages. The malware harvests over 20 credential types, abuses OIDC tokens to forge Sigstore provenance attestations, implements self-propagation via stolen npm tokens, and includes a destructive sabotage payload targeting systems in Israel or Iran. The campaign is attributed to TeamPCP, which publicly released the Shai-Hulud source code, enabling rapid cloning and weaponization by other actors.

Microsoft’s Digital Crimes Unit (DCU), in collaboration with the FBI and Europol’s EC3, has disrupted Fox Tempest’s malware-signing-as-a-service (MSaaS) infrastructure that provided fraudulent code-signing certificates for ransomware and malware operations. The takedown involved legal action in the US District Court for the Southern District of New York, sinkholing malicious domains, disabling hundreds of virtual machines on Cloudzy, and suspending roughly 1,000 accounts. Fox Tempest’s MSaaS platform abused Microsoft’s Artifact Signing to issue short-lived certificates valid for 72 hours, sold at tiered pricing from $5,000 to $9,000. The group collaborated with multiple ransomware operations, including Rhysida (Vanilla Tempest), Storm-2501, Storm-0249, INC, Qilin, BlackByte, and Akira, with attacks targeting critical sectors across the U.S., France, India, and China. The service evolved in February 2026 to offer pre-configured Cloudzy VMs, streamlining malicious binary signing and distribution. Microsoft’s operation, codenamed OpFauxSign, includes ongoing efforts to identify and pursue the group’s operators through undercover engagements and legal mechanisms.

A growing body of evidence indicates that identity-centric security architectures are insufficient against increasingly sophisticated cyber threats, particularly when attackers weaponize AI-enhanced phishing kits and session hijacking. Multi-factor authentication (MFA) alone is being bypassed via real-time adversary-in-the-middle (AiTM) phishing, allowing attackers to proxy authentication and steal session tokens post-authentication. As organizations adopt SaaS, BYOD, and hybrid work models, a valid credential no longer guarantees a safe connection without ongoing validation of device security posture. Zero Trust frameworks, especially NIST SP 800-207, emphasize that access decisions must be dynamic and include continuous verification of both user identity and device health throughout the session lifecycle. Historically, identity verification was treated as a one-time event, creating a persistent blind spot where session tokens remain valid even on compromised or unmanaged endpoints. Many Zero Trust deployments have become overly identity-focused, with device posture checks inconsistently applied, limited to modern browser workflows, or absent for legacy protocols, remote access tools, and API integrations. This fragmentation enables attackers to maintain persistence using stolen credentials or intercepted tokens on unmanaged or non-compliant devices.

Drupal announced an imminent critical security update for core versions 8 and later, with exploitation expected within hours of public disclosure. Administrators are advised to prioritize updates between 17:00–21:00 UTC on May 20, 2026, migrating to supported versions where possible. Non-supported versions (Drupal 8, 9, 11.1x, 10.4x) receive last-minute hotfixes due to severity, while supported versions (10.6.x, 11.3.x) are strongly recommended. No technical details are available yet, and misleading claims online are cautioned against.

A China-aligned threat actor tracked as Webworm has deployed two new custom backdoors, EchoCreep and GraphWorm, using Discord and Microsoft Graph API respectively for command-and-control (C2) communications during 2025 activities. The group, active since at least 2022 and previously associated with RATs such as Trochilus, Gh0st, and 9002, has shifted toward stealthier (semi-)legitimate utilities including SOCKS proxies and custom proxy tools like WormFrp, ChainWorm, SmuxProxy, and WormSocket. Targeting spans government agencies and enterprises in Russia, Georgia, Mongolia, European countries including Belgium, Italy, Serbia, and Poland, and a university in South Africa, often blending operations using SoftEther VPN and GitHub-hosted malware staging. Initial access vectors remain unclear though brute-forcing of web server files and directories using open-source tools like dirsearch and nuclei has been observed.

Analysis of the Orchid Security Identity Gap: Snapshot 2026 released on May 19, 2026 reveals a critical imbalance in enterprise identity management landscapes. Visible identity elements constitute only 43% of total identities while 'identity dark matter'—unmanaged or invisible identities—now accounts for 57%, highlighting systemic gaps in IAM practices. This imbalance coincides with widespread enterprise adoption of Agent AI systems, which, by design, seek shortcuts to complete assigned tasks, often exploiting unmanaged credentials, excessive permissions, or orphan accounts to bypass intended access controls. The lack of intrinsic ethical or control mechanisms in AI agents amplifies the risk of unauthorized access or lateral movement, underscoring the need for robust identity governance as a prerequisite for safe Agent AI integration.

The China-linked APT group Webworm has expanded its targeting to include governmental organizations in Europe, compromising entities in Belgium, Italy, Poland, Serbia, and Spain, alongside a university in South Africa. The group has introduced two new backdoors—EchoCreep, leveraging Discord for C2, and GraphWorm, using Microsoft Graph API and OneDrive endpoints for command-and-control and data exfiltration. Initial access vectors include exploitation of a now-discontinued SquirrelMail vulnerability in at least one confirmed case. Webworm also employs a suite of custom proxy tools (WormFrp, ChainWorm, SmuxProxy, WormSocket) to expand its operational network, with ChainWorm specifically used to extend proxy infrastructure and WormFrp configured to retrieve configurations from an AWS S3 bucket.

A proof-of-concept exploit for the PinTheft Linux kernel privilege escalation vulnerability has been publicly released, enabling local attackers to gain root access on Arch Linux systems. The flaw is a zero-copy double-free bug in the Linux kernel's Reliable Datagram Sockets (RDS) implementation that allows page-cache overwrites through io_uring fixed buffers. Exploitation requires the RDS kernel module to be loaded, io_uring enabled, a readable SUID-root binary, and x86_64 support. Successful exploitation leads to arbitrary root shell acquisition via stolen FOLL_PIN references.

Between December 2024 and December 2025, threat actors evolved typosquatting into a supply chain attack vector by compromising developer credentials and injecting malicious code into widely used browser extensions and npm packages. Attackers exploited inherited trust in dependency chains by pushing trojanized versions of legitimate packages or extensions through official distribution channels, including the Chrome Web Store. Malicious payloads executed silently at runtime within users' browsers, intercepting sensitive data such as seed phrases, payment card information, and private keys before the legitimate application processed them. No server breaches or user misdirection were required; the compromise originated from within trusted software supply chains. Detection was evaded because existing security controls—firewalls, WAFs, EDR, and CSP—lack visibility into post-execution runtime behavior within the browser. The Trust Wallet Chrome extension incident in December 2025 resulted in $8.5 million stolen from 2,500 wallets within 48 hours. Similar attacks targeted npm packages like chalk/debug and @solana/web3.js, demonstrating scalability and cross-platform impact beyond cryptocurrency ecosystems.

A large-scale browser-based scareware campaign named CypherLoc has targeted approximately 2.8 million users since the start of 2026, locking browsers and coercing victims into contacting fraudulent technical support lines. The attack begins via phishing emails that direct victims to malicious web pages, which only activate the full scareware payload under specific conditions to evade detection. Once triggered, CypherLoc disables browser controls, displays fake security alerts, and bombards victims with popups and audio cues to escalate panic. The scareware retrieves the user’s IP address and presents a fake login prompt, while prominently displaying a fraudulent support phone number. Victims who call the number are connected to human operators posing as Microsoft support staff, continuing the social engineering scam via live interaction.

In 2025, unpatched vulnerabilities became the dominant access vector for confirmed data breaches, overtaking credential abuse for the first time in Verizon’s Data Breach Investigations Report (DBIR) series. Analysis of 31,000 security incidents (22,000+ confirmed breaches) revealed 31% of breaches stemmed from exploited unpatched flaws, while credential abuse accounted for 13%. Ransomware involvement rose to 48% of confirmed breaches, with median ransom payments dropping below $140,000. Threat actors increasingly weaponized AI to accelerate vulnerability exploitation, shrinking the defensive window from months to hours. Organizations’ median patching time increased to 43 days, with only 26% of CISA KEV catalog vulnerabilities patched in 2025. Third-party breaches surged 60%, reaching 48% of total incidents, driven by expanded attack surfaces and inadequate MFA enforcement. Gen-AI integration into attack chains and enterprise Shadow AI usage further strained defenses. Mobile-centric phishing attacks achieved a 40% higher success rate than email-based phishing in simulations.

A bypass technique dubbed YellowKey for Microsoft BitLocker Device Encryption was publicly disclosed, enabling attackers with physical access to bypass encryption on certain Windows systems. The technique abuses a Windows Recovery Environment (WinRE) behavior via specially crafted FsTx files on USB or EFI partitions, allowing unauthenticated shell access when triggering WinRE with the CTRL key. Microsoft issued mitigations and recommends switching from TPM-only to TPM+PIN protectors to neutralize the bypass.

A critical authentication bypass vulnerability (CVE-2026-45829) in ChromaDB, a widely used open-source vector database for AI applications, allows unauthenticated attackers to remotely execute arbitrary code on exposed servers. The flaw stems from an improperly placed authentication check in the Python FastAPI implementation, enabling attackers to force the system to load and execute a malicious model from Hugging Face before authentication is enforced. Impacted deployments are those exposing the ChromaDB API over HTTP, with nearly 14 million monthly downloads of the PyPI package at risk. Local deployments or those using the Rust frontend are unaffected.

Regulatory and industry momentum for AI BOMs has accelerated with concrete tooling, standards extensions, and enforcement timelines. Standards bodies OWASP and the Linux Foundation have released AI-specific extensions to their SBOM frameworks, while organizations like the OpenSSF formalized model-signing specifications. Commercial platforms such as Manifest Cyber, Cycode, and JFrog now integrate AI BOM generation, and regulatory pressure is intensifying with the EU AI Act’s August 2026 deadline and new US mandates for defense contractors and financial sector examinations. Cyber insurers are also signaling AI governance as a coverage prerequisite. This follows prior emphasis on AI BOMs as a critical tool for managing AI supply chain risks, with regulatory bodies in the EU and US requiring documentation for high-risk systems and the G7 outlining minimum AI BOM elements. The open-source ecosystem’s rapid growth and documented threats like backdoored models have underscored the urgency for visibility tools, while standards bodies such as CISA, NIST, OWASP, and the Linux Foundation converge on core AI BOM elements including model artifacts, data lineage, and deployment context.

Discord has rolled out default end-to-end encryption (E2EE) for all voice and video calls across its platform, completing deployment in March 2026. The encryption layer covers direct messages, group chats, voice channels, and Go Live streams, while excluding Stage channels due to their public broadcast nature. The implementation leverages the DAVE protocol, an open-source framework extended to support all client platforms, including desktop, mobile, web browsers, PlayStation, Xbox, and SDKs. E2EE is now active by default, with unencrypted fallback client code being removed. This shift impacts approximately 200 million monthly active users and 690 million registered accounts globally, elevating privacy protections for real-time communications amid growing concerns over surveillance and data exposure risks in collaboration platforms.

Criminals exploited cryptocurrency ATMs to defraud U.S. victims of over $388 million in 2025, according to the FBI’s Internet Crime Complaint Center (IC3). Victims—often directed by fraudsters via phone, email, or social media—were instructed to deposit cash at standalone crypto kiosks, which converted funds into attacker-controlled wallets. Losses surged 58% year-over-year, with over 13,400 complaints filed, disproportionately affecting individuals over 50. The scam vector relies on the irreversible nature of crypto transactions and the relative anonymity of kiosks, which often lack robust identity verification. States including Minnesota, Indiana, and Tennessee moved to ban crypto ATMs in response, citing consumer protection and money laundering risks.

A newly identified threat actor, tracked as Storm-2949, is actively targeting Microsoft 365 and Azure production environments to exfiltrate sensitive data using legitimate applications and administration features. The actor employs social engineering to compromise privileged accounts, primarily by abusing the Microsoft Entra ID Self-Service Password Reset (SSPR) flow. After tricking victims into approving multi-factor authentication (MFA) prompts, the attacker resets passwords, removes MFA controls, and enrolls their own device in Authenticator. This enables persistent access to Microsoft 365 applications, including OneDrive and SharePoint, where VPN configurations and IT operational files are targeted for data theft. Storm-2949 subsequently pivots to Azure infrastructure, compromising identities with privileged RBAC roles to extract secrets from Key Vaults, Azure SQL databases, and Storage accounts, and to deploy remote access tools such as ScreenConnect. The actor also modifies firewall rules, creates rogue administrator accounts, and disables security protections to evade detection.

A large-scale Android ad fraud and malvertising operation named Trapdoor was uncovered, utilizing 455 malicious utility-style apps and 183 threat actor-owned C2 domains to generate 659 million daily bid requests. The campaign operated as a self-sustaining revenue cycle, where initial app installs triggered malvertising that coerced users into downloading secondary apps, which then performed hidden ad fraud via automated touch fraud and concealed WebView ad requests. Traffic was predominantly U.S.-based, accounting for over 75% of volume, and the operation peaked at 24 million total app downloads. Selective activation techniques ensured fraudulent behavior was triggered only for users acquired through threat actor-run ad campaigns, while organic downloads remained unaffected. Google removed all identified malicious apps from the Play Store following responsible disclosure.

Microsoft Teams users on macOS have reported undismissible location permission prompts appearing repeatedly since May 14, 2026, despite selecting 'Don't Allow'. Microsoft attributed the issue to a recent macOS security update that fails to retain location-permission selections for Teams, causing persistent dialogs. The company is collaborating with Apple to resolve the root cause and investigating a Teams-side mitigation. Affected users are advised to temporarily enable location access via macOS Privacy & Security settings as a workaround until a fix is implemented.

DirtyDecrypt (CVE-2026-31635), a Linux kernel local privilege escalation vulnerability, has seen its proof-of-concept exploit publicly released, enabling attackers to gain root access on systems with CONFIG_RXGK enabled. The flaw stems from a missing copy-on-write (COW) guard in the rxgk module’s rxgk_decrypt_skb function, allowing writes to privileged memory pages or sensitive file caches such as /etc/shadow or /etc/sudoers. Discovered by Zellic and V12 on May 9, 2026, the vulnerability was later found to duplicate a flaw already patched in the mainline kernel on April 25, 2026. DirtyDecrypt is part of a broader wave of recent Linux root-escalation flaws, including Copy Fail, Dirty Frag, and Fragnesia, all of which leverage pagecache write primitives. The disclosure follows an embargo breach that accelerated public release of related techniques, while new mitigation strategies like a runtime kernel killswitch and Rocky Linux’s optional security repository are being explored to address the rapid exploitation of such vulnerabilities.

Microsoft disclosed 1,273 vulnerabilities in 2025, a slight decrease from 1,360 in 2024, but critical vulnerabilities doubled year-over-year from 78 to 157, reversing a multi-year downward trend. Elevation of Privilege (EoP) vulnerabilities accounted for 40% of all CVEs, while Information Disclosure flaws rose by 73%, indicating a shift in attacker focus toward stealth, reconnaissance, and lateral movement. Cloud platforms such as Microsoft Azure and Dynamics 365 saw critical vulnerabilities spike from 4 to 37, highlighting escalating risks in identity and access management (IAM) and control planes. On endpoints and servers, Windows Server vulnerabilities increased to 780, with 50 classified as critical, while Microsoft Office vulnerabilities surged 234% year-over-year, rising to 157 total and 31 critical vulnerabilities, reflecting broader exploitation of productivity software for initial access.

The EU’s Cyber Resilience Act (CRA), now in force and set to apply obligations from December 2027, is being interpreted as requiring organizations to adopt AI-powered vulnerability scanning and remediation as part of security-by-design and security-by-default practices. ENISA’s chief cybersecurity officer stated that AI tools such as Claude Mythos and OpenAI’s CPT5.4-Cyber now enable enterprises to detect and fix software vulnerabilities at unprecedented scale, eliminating claims of unawareness. The CRA mandates reporting obligations starting September 2026, and ENISA emphasizes that failure to proactively secure software may result in litigation and business penalties. Industry leaders warn that organizations not integrating AI into vulnerability management risk operational and legal exposure as adversaries exploit unpatched flaws.

A live webinar scheduled for June 2, 2026, will address systemic gaps in network incident response workflows that exacerbate incident escalation despite existing monitoring and security tooling. The session, titled "From alert to resolution: Fixing the gaps in network incident response," is hosted by BleepingComputer in partnership with Tines and will be presented by Edgar Ortiz, a Solutions Engineering Leader and Computer Scientist at Tines. It highlights how reliance on manual triage, alert routing, and coordination across disparate systems—rather than visibility limitations—drives incident escalation and service disruption during high-pressure scenarios.

Threat actors are leveraging agentic AI to significantly accelerate attacks against customer-facing mobile applications, reducing the time, skill, and cost barriers required to compromise targets. In 2026, 87% of monitored applications across sectors such as financial services, healthcare, automotive, and telecommunications faced attacks, up from 55% in 2022, correlating with the proliferation of AI models post-ChatGPT. The rise in AI-assisted reverse engineering and automated exploit generation has narrowed the attack gap between iOS and Android platforms, with iOS attacks surging to 86% in 2026 from roughly half the volume of Android attacks in 2023. Applications are now compromised within hours of appearing in online stores, posing challenges for security teams as these apps often reside on uncontrolled employee devices.

The B1ack’s Stash dark web carding marketplace released 4.6 million stolen credit card records for free after sellers violated platform policies by reselling card data purchased from the marketplace on competing platforms. The data dump includes full card numbers, expiration dates, CVV2 codes, cardholder names, billing addresses, email addresses, phone numbers, and IP addresses, likely originating from e-skimming or phishing operations. Approximately 70% of the cards are from the US, with additional records from Canada, the UK, France, and Malaysia. The release is part of a recurring pattern by B1ack’s Stash to distribute stolen card data for free to attract users and expand its market presence.