A Marimo notebook compromise led to credential theft, SSH access, and exfiltration of an internal PostgreSQL database, expanding a single initial intrusion into deeper post-compromise access. The intrusion used CVE-2026-39987 to reach a downstream SSH bastion server through harvested cloud credentials and AWS Secrets Manager. The attack chain was recorded on May 10, 2026 and included eight SSH sessions plus database theft completed in under two minutes at the bastion stage.

CVE-2026-39987 in Marimo is being exploited through the /terminal/ws endpoint to give unauthenticated attackers a shell on exposed notebook servers. The first observed abuse arrived about 9 hours and 41 minutes after disclosure and moved into manual reconnaissance and secret-harvesting against internet-facing instances. Marimo released 0.23.0 to fix the flaw, and CISA added CVE-2026-39987 to the KEV catalog with a 2026-05-07 remediation deadline. Available evidence does not quantify how many deployments were reached, but the observed behavior shows rapid weaponization against exposed systems.

French cybersecurity startup MokN raised $15 million in a Series A round led by Google Ventures, giving the company new capital to scale its identity-protection business. The financing will help expand the phish-back platform into the US and support new offices in the US and UK. MokN also plans to hire across sales, marketing, customer success, engineering, and R&D to widen its cybersecurity reach.

Underground DDoS sellers are shifting from scattered tools to packaged, resellable services, lowering the barrier for disruptive attacks and widening the buyer pool. Listings seen across 2023 to 2026 increasingly advertise panels, API access, monthly plans, customer support, and botnet-backed capacity instead of scripts or leaked tools. The market is now priced and marketed like a mature service business, with low-cost tests, premium tiers, and reseller options that make attacks easier to launch and redistribute.

The 17-million-device botnet was disrupted after authorities took its infrastructure offline, cutting off a network used to carry out cyberattacks across computers, tablets, and smartphones. The seizure of more than 200 servers in the Netherlands materially reduced the operation’s reach and availability. The event removes a large-scale malicious platform that could proxy traffic and support other criminal abuse.

Dutch police and the NCSC seized more than 200 servers and took offline a 17 million-device botnet, disrupting infrastructure used for cyberattacks. The action followed a joint investigation and targeted hosting at a local provider in the Netherlands. Authorities said the botnet controlled computers, tablets, and smartphones for criminal abuse.

The Silent Ransom Group (SRG) is escalating a campaign against US-based law firms, using IT impersonation, remote access tricks, and in-person access attempts to reach corporate systems. The operation has been active since 2023 and had evolved further by spring 2026, raising the risk of stealthy compromise and data theft across the legal sector.

Google's Chrome Device Bound Session Credentials (DBSC) is now generally available and rolling out to all users, reducing the risk of account takeovers from stolen session cookies. The feature binds cookies to a specific device so attackers cannot reuse exfiltrated cookies to bypass MFA. The rollout reaches Google Workspace customers, Workspace Individual subscribers, and people using personal Google accounts.

A newly characterized GREYVIBE actor sits in a grey zone between Kremlin-aligned intelligence work and the Russian cybercrime ecosystem, complicating attribution for Ukraine-focused operations. The assessment links the group to Russian-speaking operators and suggests the blend of state tasking and criminal talent is shaping how the actor is organized and deployed. That hybrid profile matters because it weakens traditional clustering based on stable tooling and relationships.

Americans 60 and older filed over 200,000 fraud complaints in 2025, with complaint volume rising 37% from the prior year. The cohort also recorded nearly $7.8 billion in losses, a 59% year-over-year increase, and the average loss per complainant reached $38,500. The pattern signals sustained elder-fraud pressure across the country and a growing financial burden on older consumers.

Federal prosecutors sentenced Troy Murray to 121 months in prison in a wire fraud case tied to the sale of elderly Americans' personal information to scammers. The judgment also imposed three years of supervised release and a $5.2 million forfeiture.

Vibe-coded applications are leaking onto the public internet across organizations, creating a growing exposure trend for corporate, operational, and personal data. A May 2026 investigation found more than 380,000 publicly accessible web assets on leading AI development platforms, including more than 2,000 with sensitive data. The exposed apps were seen across six continents and every industry, with many reachable without basic access controls and some granting admin access by default. The pattern shows a broad governance gap in how employee-built AI apps are deployed and published.

A new vpmdhaj supply-chain campaign has surfaced in 14 malicious npm packages that use a preinstall credential harvester to steal AWS credentials, HashiCorp Vault tokens, npm tokens, and CI/CD secrets from developer hosts. The packages were published on May 28, 2026 and were built to look like legitimate developer tooling. That turns ordinary installs into a high-risk entry point for downstream compromise and secret theft.

China-aligned FamousSparrow escalated a maritime and energy espionage campaign across the Middle East, putting regional shipping and infrastructure intelligence at greater risk. The operation also reached a Venezuelan governmental entity tied to maritime affairs, showing the targeting extended beyond one country. The multi-month pattern during October 2025 to March 2026 points to a sustained effort to track oil shipments and regional political developments.

The public leak of Charter Communications data exposed 4.9 million accounts, putting names, email addresses, phone numbers, and physical addresses into circulation. The stolen records came from a Salesforce instance and were later posted on a dark web leak site after ransom demands were rejected. A smaller employee-directory subset also added job titles to the exposed set.

Charter Communications confirmed a data breach tied to ShinyHunters extortion, with the company saying it is alerting authorities and that no sensitive personal information or CPNI was exfiltrated in recent activity. ShinyHunters claims the compromise began on April 1 through vishing that hit an employee's Microsoft Entra account and led to exports from Salesforce. Have I Been Pwned later analyzed leaked data and said the incident affected 4.9 million accounts, with exposed records including names, email addresses, phone numbers, and physical addresses.

The mouse5212-super-formatter npm package is a malicious infostealer that can siphon files from /mnt/user-data, putting Anthropic Claude user data at risk of unauthorized exfiltration. It runs in the postinstall stage, uses a GitHub token or fallback credential, and uploads local files to a threat actor-controlled GitHub account. The package also disguises theft with fake diagnostics and was still downloadable from npm at the time of discovery.

Malware-Slop is distributing mouse5212-super-formatter, a malicious npm package that steals local files from Anthropic's Claude workspace directory /mnt/user-data. The package runs in the postinstall stage, authenticates to GitHub, and uploads files to a threat actor-controlled GitHub account while writing a fake diagnostic log to mask the theft. OX Security reported that the package was still live on npm at the time of analysis and had about 676 downloads before removal. The linked GitHub account was created on 2026-05-26, shortly before the first malicious upload, and the package exposed a hardcoded fallback token that let researchers observe the exfiltration flow.

The Kimsuky campaign ran through March and April 2026, using spoofed security-installation pages and a fake Webex lure against South Korean military and corporate entities, raising the risk of remote compromise and staged payload delivery.

GreyVibe is running an AI-assisted cyberespionage campaign against Ukrainian and Ukraine-related organizations, expanding the threat to military, government, civilian, and business targets. The operation has been active since at least August 2025 and uses multiple lure-and-delivery chains to push phishing, malware, and credential-theft workflows. Researchers linked the activity to a likely Russian-aligned operator set, though the group’s exact state affiliation remains unconfirmed.

GREYVIBE is a Russian-speaking malware activity targeting Ukraine and Ukraine-related entities since at least August 2025. The group uses spear-phishing e-mails, fake CAPTCHA/ClickFix pages, and fraudulent websites to deliver custom tooling including PhantomMail, PhantomRelay, PhantomRelayV1, LegionRelay, FallSpy, and WireGuard. The activity spans Windows remote access, browser and file theft, and Android spyware, broadening the operation from delivery into sustained compromise and surveillance.

BTMOB is an Android remote access trojan sold as malware-as-a-service on the clearweb and in private Telegram channels, with a builder that generates customized phishing payloads. The activity is mostly active in Brazil and Latin America, including campaigns that use localized lures and fake Google Play delivery. The malware can steal data, intercept financial transactions, capture screenshots, and abuse Android Accessibility Services for elevated access. ESET also ties the offering to $700 monthly pricing or a $5,000 lifetime license.

BTMOB is an Android RAT sold as malware-as-a-service on the clearweb and in private Telegram channels, with a no-code APK builder that generates customized phishing payloads. The activity targets users mainly in Brazil and Latin America, uses phishing sites that mimic streaming services, cryptocurrency mining platforms, and Google Play, and has included lures themed as an Argentinian government agency. Once installed, the malware can exfiltrate data, capture screenshots, and abuse Android Accessibility Services for deeper access. ESET says the builder lets operators tailor permissions and behavior without coding, increasing the pace of payload generation and making defense harder.

BTMOB phishing activity is using localized fake-app lures to target users in Brazil and Latin America, increasing the risk of malicious installs and account compromise. The operation has been seen impersonating an Argentinian government agency and other trusted themes to make the download path look legitimate. The recurring lure pattern shows an active regional campaign rather than a one-off phishing attempt.

BTMOB has been exposed as a malware-as-a-service Android trojan with a builder interface, making it easier for cybercriminals to mass-produce tailored phishing payloads and expand mobile fraud operations. Its clearweb advertising and Telegram sales channels lower the barrier to entry for buyers seeking ready-made Android attack infrastructure. The service's customization features and regional focus increase the scale and flexibility of credential-theft and transaction-fraud activity.

The FBI warned on May 28, 2026 that fake FIFA websites are being used to steal data and sell fraudulent tickets and hospitality packages ahead of the 2026 World Cup. The PSA points to typosquatted domains such as fiffa[.]com and fake portals like jobs-fifa[.]com and fifa-hiring[.]com. The warning tells fans and online users to verify URLs and avoid suspicious links as the tournament approaches.

CVE-2026-35616 is an actively exploited improper access control flaw in FortiClient Enterprise Management Server (EMS) that lets unauthenticated attackers execute code or commands via specially crafted requests. In May 2026, Arctic Wolf observed attacks abusing EMS management paths to modify configuration and deliver EKZ, an undocumented credential stealer, through FortiClient-managed VPN scripting workflows. The payload was disguised as a Fortinet endpoint update, launched through fortitray.exe and cmd.exe, and used PowerShell to exfiltrate browser data to an attacker-controlled VPS over HTTP. Fortinet released emergency hotfixes for 7.4.5 and 7.4.6, and later addressed the flaw in FortiClient EMS 7.4.7 and later.

Fortinet FortiClient EMS is a security-patch release happening centered on CVE-2026-35616 and CVE-2026-21643. Fortinet issued an out-of-band emergency hotfix after confirming that CVE-2026-35616 was exploited in the wild. The vendor said the flaw is a critical CVSS 9.1 improper access control issue that could let an unauthenticated attacker execute unauthorized code or commands through crafted requests. Fortinet also stated that customers running EMS 7.4.5 and 7.4.6 should install the fix immediately and that 7.4.7 would include the remediation as well. Follow-on reporting in May 2026 shows attackers abusing the same FortiClient Endpoint Management Server (EMS) management path to deliver malware to managed endpoints. Arctic Wolf observed a disguised FortiEndpoint_Patch.exe update, execution through fortitray.exe and cmd.exe, and a Base64-encoded PowerShell chain that downloaded a credential stealer and exfiltrated browser data to 83.138.53[.]110 over HTTP POST.

A new EKZ Infostealer delivery chain is using FortiClient EMS abuse to silently install a credential stealer and siphon browser data from affected endpoints. The malware is being launched through FortiClient-managed VPN scripting workflows after attackers modify EMS configuration and policies. It targets Chromium and Firefox data stores, including saved credentials, cookies, and payment details, which raises account-takeover risk. The payload is also exfiltrating stolen data to an attacker-controlled VPS over HTTP.

FortiClient EMS exploitation around CVE-2026-35616 has moved from critical flaw disclosure into observed abuse of endpoint-management infrastructure to push a disguised credential stealer across managed devices. Attackers used the pre-authentication access bypass to gain privileged control over EMS settings and launch a PowerShell-based chain through trusted Fortinet processes, with stolen browser data sent to 83.138.53[.]110. Fortinet issued fixes for affected 7.4.5 and 7.4.6 deployments and directs customers to 7.4.7 or later, while the vulnerability is also listed in CISA KEV. Available exposure tracking found more than 2,000 internet-accessible EMS instances online, so patching needs to be paired with compromise review rather than treated as a routine update.