Find notable cyber news and cases, enriched with sources, timelines, and signals.

Recent Notable Happenings and Cases

Last updated: 13:32 28/05/2026 UTC

Latest updates


Unpatched Gogs Rebase Injection Remote Code Execution Risk

Case

Updated: 28.05.2026 17:25 · First: 28.05.2026 17:25 · 📰 0 src / 1 articles

An unpatched Gogs argument injection flaw in the Rebase before merging workflow can give an authenticated, non-admin user remote code execution on self-hosted servers. The issue affects Gogs 0.14.2 and 0.15.0+dev, and default deployments with open registration and unrestricted repository creation lower the barrier to reaching the vulnerable path. Public technical details describe server compromise risk, exposure of private repositories and secrets, and potential code tampering. The maintainers had acknowledged the report, but no patch or remediation timeline was available at disclosure time, while more than 2,400 Internet-facing Gogs servers were noted as exposed overall.

Microsoft CVD response for Windows Defender and BitLocker

Advisory/Mitigation

Updated: 28.05.2026 16:53 · First: 28.05.2026 16:53 · 📰 1 src / 1 articles · H score: 47

Microsoft is urging Coordinated Vulnerability Disclosure (CVD) and says it is developing security updates for Windows components including Defender and BitLocker after multiple zero-days were publicly disclosed. The response is aimed at reducing unnecessary risk for customers while Microsoft assesses impact and hardens affected systems. The company warned that releasing proof-of-concept details for unpatched vulnerabilities can create real-world consequences. The advisory posture is tied to active mitigation work and vendor coordination around the disclosed flaws.

Catalin Dragomir sentenced in U.S. federal cyber intrusion case

Law Enforcement

Updated: 28.05.2026 15:43 · First: 28.05.2026 15:43 · 📰 1 src / 1 articles · H score: 19

Catalin Dragomir was sentenced to 56 months in federal prison for a cyber intrusion against the Oregon Department of Emergency Management and related victim networks. The sentence follows a February 19 guilty plea and extends the criminal exposure around a case that involved unauthorized access, resale of that access, and victim data taken from the compromised device. The proceeding also reflects a cross-border cybercrime case that moved from arrest in Romania to extradition and punishment in the United States.

Enterprise AI guardrails for shadow AI and personal-account exposure

Defensive Guidance

Updated: 28.05.2026 14:30 · First: 28.05.2026 14:30 · 📰 1 src / 1 articles · H score: 10

Enterprise AI governance is shifting toward AI power users, personal accounts, and inline guardrails as sensitive-data exposure concentrates in a small share of workflows. The guidance targets unmanaged AI use across chatbots, extensions, copilots, and connectors, where visibility is weakest. Security leaders are urged to monitor high-risk users, block personal AI accounts, and inspect prompts, uploads, responses, and AI-driven actions in real time.

Google AI Threat Defense launch adds autonomous AI-attack detection and remediation for enterprises

Security Tool/Service

Updated: 28.05.2026 12:55 · First: 28.05.2026 12:55 · 📰 1 src / 1 articles · H score: 20

Google Cloud launched Google AI Threat Defense, an always-on autonomous security platform aimed at stopping AI-powered cyberattacks across enterprise environments. The system combines Mandiant, Wiz, Gemini, and CodeMender to prioritize risks, predict attack paths, and generate verified fixes faster. The launch pushes detection, remediation, and response toward machine-speed defense.

NCSC quantum-resistant cryptography migration call

Advisory/Mitigation

Updated: 28.05.2026 12:30 · First: 28.05.2026 12:30 · 📰 1 src / 1 articles · H score: 19

The NCSC repeated its call for organizations to begin migrating to quantum-resistant cryptography, tightening mitigation pressure against future encryption-breaking quantum risk.

GCHQ plans national cyber defense capability with agentic AI

Public Sector Action

Updated: 28.05.2026 12:30 · First: 28.05.2026 12:30 · 📰 1 src / 1 articles · H score: 21

GCHQ has drawn up plans for a world-first national cyber defense capability built on agentic AI to detect and flag threats to critical national infrastructure, airlines and telecoms firms. The capability is expected to be operational within five years, adding machine-speed defense to the UK’s public cyber posture. The plan turns a broad national-security warning into a concrete public-sector cyber program with a defined scope and timeline.

AUDIOFIX and MiniRAT macOS malware activity

Malware Activity

Updated: 28.05.2026 10:54 · First: 28.05.2026 10:54 · 📰 2 src / 2 articles · H score: 34

The AUDIOFIX and MiniRAT malware activity is targeting cryptocurrency firms and developer infrastructure on macOS with LinkedIn recruiter lures, a fake meeting/fix flow, and a Python-based stealer/RAT that masquerades as a system audio driver. Wiz says the activity is attributed to Jinx-0164, a previously unreported financially motivated cluster active since mid-2025, and that the payload steals Keychain, browser, SSH, and cloud credentials, plus data from 51 cryptocurrency wallet extensions. The operation also abuses GitHub tokens to poison CI/CD pipelines and trojanized @velora-dex/sdk version 4.9.1 to deliver MINIRAT, expanding the risk from endpoint compromise to supply-chain propagation.

JINX-0164 cryptocurrency recruitment-lure campaign

Campaign

Updated: 28.05.2026 10:54 · First: 28.05.2026 10:54 · 📰 2 src / 2 articles · H score: 39

A JINX-0164 campaign is targeting cryptocurrency firms and developers with LinkedIn recruiter lures, a fake meeting-and-fix workflow, and macOS malware to steal credentials and reach internal development systems. The operator has been active since at least mid-2025 and uses Audiofix to harvest Keychain, browser, SSH, cloud, and wallet-extension data, then abuses GitHub tokens to tamper with CI/CD pipelines. Wiz also says the activity trojanized @velora-dex/sdk version 4.9.1 to deliver MINIRAT. Defenders are urged to watch for suspicious VPN use, secret exfiltration from build workflows, and unverified commits.

Ramanan Pathmanathan eight-year sextortion campaign targeting 145+ children

Campaign

Updated: 28.05.2026 12:25 · First: 28.05.2026 12:25 · 📰 1 src / 1 articles · H score: 33

A Ramanan Pathmanathan sextortion campaign targeted more than 145 children across the United States, using fake social accounts and video chats to coerce minors and capture blackmail material. The operation ran for eight years, from March 2014 to March 10, 2021, and relied on impersonating a teenage boy from New Jersey to reach victims. It created severe exploitation and extortion risk by recording sexual acts and threatening to leak them to friends and family.

Palo Alto Networks PAN-OS CVE-2026-0300 patch release

Security Patch Release

Updated: 06.05.2026 07:46 · First: 06.05.2026 07:46 · 📰 2 src / 2 articles · H score: 44

Palo Alto Networks is rolling out patches for CVE-2026-0300, a critical PAN-OS zero-day that has already been exploited in the wild against PA and VM series firewalls. The flaw sits in the User-ID Authentication Portal (Captive Portal) and can let an unauthenticated attacker achieve root code execution with specially crafted packets. The vendor said exploitation has been limited and mainly involved portals exposed to untrusted IP addresses or the public internet. The first fixes are planned for May 13, with a second round of patches estimated for May 28.

Ramanan Pathmanathan sextortion sentencing

Law Enforcement

Updated: 28.05.2026 12:25 · First: 28.05.2026 12:25 · 📰 1 src / 1 articles · H score: 19

U.S. prosecutors sentenced Ramanan Pathmanathan for a sextortion case involving more than 145 children, imposing a 33-year prison term and 10 years of supervised release. The conduct spanned eight years and affected minors across the United States. The outcome significantly raises punishment for a cross-border child exploitation scheme that relied on Instagram and Facebook Messenger.

Carnival Corporation customer data leak

Data Leak

Updated: 28.05.2026 13:49 · First: 28.05.2026 13:49 · 📰 1 src / 1 articles · H score: 18

Carnival Corporation confirmed a customer data leak that exposed personal information for 5,995,277 people, making this a large-scale privacy and identity-risk event. The exposed data included names, dates of birth, email addresses, genders, geographic locations, and loyalty program details. The leak followed a social engineering intrusion into an employee account and was later linked publicly to ShinyHunters. The disclosure matters because the stolen records create downstream risk for fraud, account abuse, and targeted extortion.

Gogs self-hosted Git service argument injection zero-day remote code execution flaw

Vulnerability

Updated: 28.05.2026 17:25 · First: 28.05.2026 17:25 · 📰 1 src / 1 articles · H score: 59

An unpatched zero-day in Gogs exposes Internet-facing instances to remote code execution and possible credential theft. The flaw is an argument injection bug in the Rebase before merging path, and it affects Gogs 0.14.2 and 0.15.0+dev. Because default configurations allow open registration and unlimited repository creation, a non-admin attacker can reach the exploit chain with basic account access.

GPU cryptomining malware using ScreenConnect and SEO poisoning

Malware Activity

Updated: 28.05.2026 00:31 · First: 28.05.2026 00:31 · 📰 1 src / 1 articles · H score: 16

A cryptojacking malware operation is spreading through SEO-poisoned download pages and, in some cases, AI chatbot recommendations, putting high-performance Windows systems at risk of persistent compromise and GPU abuse. The payload installs ScreenConnect for follow-on access and uses stealth techniques to stay resident after infection. It then deploys GPU miners such as gminer, lolMiner, and SRBMiner-MULTI to maximize cryptocurrency yield per compromised device.

Grandoreiro DLL side-loading campaign targeting banks in Portugal

Campaign

Updated: 27.05.2026 19:10 · First: 27.05.2026 19:10 · 📰 1 src / 1 articles · H score: 40

Grandoreiro is running a new DLL side-loading campaign against banks in Portugal, extending a long-lived banking-malware operation into 2026. The latest wave uses WebRTC-related communications and STUN/ICE traffic to make monitoring harder. It continues to arrive through phishing emails and targets a wider financial set that includes institutions in Spain, Portugal, and Mexico. The campaign matters because it combines delivery evasion with credential theft against trusted financial institutions.

Pretalx stored XSS (CVE-2026-41241)

Vulnerability

Updated: 27.05.2026 17:30 · First: 27.05.2026 17:30 · 📰 1 src / 1 articles · H score: 0

A high-severity stored XSS in Pretalx tracked as CVE-2026-41241 let registered speakers inject code that could run when an organizer searched a submission, creating organizer account compromise risk across many conference deployments.

Pretalx version 2026.1.0 security update for CVE-2026-41241

Security Patch Release

Updated: 27.05.2026 17:30 · First: 27.05.2026 17:30 · 📰 1 src / 1 articles · H score: 34

Pretalx released version 2026.1.0 to patch CVE-2026-41241, a stored XSS flaw that could compromise organizer accounts in conference deployments. The update closes a path attackers could use through malicious submission content across Pretalx-powered events.

Glassworm botnet command-and-control disruption

Malware Activity

Updated: 27.05.2026 17:00 · First: 27.05.2026 17:00 · 📰 1 src / 1 articles · H score: 34

The Glassworm botnet had all four command-and-control channels disrupted, cutting operators off from infected machines and blocking new payload delivery. The infrastructure used VPS-hosted servers, Google Calendar dead-drops, peer-to-peer lookup and Solana blockchain memo fields to stay resilient. Glassworm had been active since at least early 2025 and was tied to supply-chain poisoning against developer ecosystems on Windows, macOS and Linux. The disruption weakens immediate operator control, but the layered design shows how difficult the botnet was to dismantle.

Cyber professionals face sustained burnout and attrition risk across 2022-2026 cohorts

Target Trend

Updated: 27.05.2026 16:30 · First: 27.05.2026 16:30 · 📰 1 src / 1 articles · H score: 16

Cyber professionals are showing elevated burnout and attrition risk, signaling a workforce resilience problem for cybersecurity teams. A poll of 101 cyber professionals found one in two experience burnout weekly or daily, and a study of 275 professionals linked targeted resilience training to improved sleep and lower burnout indicators. The findings point to operational capability degradation, not just a wellness concern.

Cybermindz promotes targeted resilience training for cybersecurity teams to reduce burnout risk

Defensive Guidance

Updated: 27.05.2026 16:30 · First: 27.05.2026 16:30 · 📰 1 src / 1 articles · H score: 10

Cybermindz is promoting targeted resilience training for cybersecurity teams as a practical way to reduce burnout, improve sleep, and strengthen operational resilience. A May 27 study links just eight hours of training to measurable gains, including a 16% improvement in sleep quality and a 71% reduction in attrition risk. The guidance reframes defender well-being as a measurable control that can reduce capability loss during sustained 24x7 pressure.

Cisco findings on multi-turn guardrail bypass in major LLMs

Technical Analysis

Updated: 27.05.2026 16:00 · First: 27.05.2026 16:00 · 📰 1 src / 1 articles · H score: 16

Cisco researchers found that multi-turn prompting can bypass safety guardrails in major LLMs, increasing the risk that enterprise AI deployments overestimate their protection. Tests across ChatGPT, Claude, Gemini, Nova and Grok showed that repeated reframing, roleplay, ambiguity and misdirection could push models toward disallowed actions. The findings suggest single-prompt safety benchmarks understate real-world attacker behavior across frontier models.

GlassWorm supply-chain malware activity

Malware Activity

Updated: 27.05.2026 14:48 · First: 27.05.2026 14:48 · 📰 1 src / 1 articles · H score: 22

The GlassWorm malware activity is now under a coordinated C2 disruption, reducing its ability to deliver new instructions and payloads to infected developer systems. The operation spread through trojanized VS Code extensions and compromised npm and Python packages, exposing software developers and their repositories to supply-chain compromise. It has been built for credential harvesting, wallet theft, and host profiling, and it has already been used to poison more than 300 GitHub repositories. The activity also deploys GlassWormRAT and covert infrastructure for proxying and remote execution.

Ghost Stadium FIFA World Cup fraud campaign

Campaign

Updated: 27.05.2026 14:28 · First: 27.05.2026 14:28 · 📰 1 src / 1 articles · H score: 39

A Ghost Stadium fraud campaign has registered 4,300+ FIFA lookalike domains and is using paid Facebook ads to funnel 2026 FIFA World Cup fans into phishing and ticket scams. The operation clones fifa.com, mimics PingIdentity SSO, and uses shared tracking infrastructure to make the sites look legitimate. Group-IB says the broader event involves four independent threat actors running multiple fraud schemes at once, with most domains still dormant until demand peaks. The campaign has also fed credential theft, with roughly 2,500 FIFA logins already circulating on dark-web markets.

FIFA logins traded on dark-web markets

Data Leak

Updated: 27.05.2026 14:28 · First: 27.05.2026 14:28 · 📰 1 src / 1 articles · H score: 25

Around 2,500 FIFA logins have surfaced on dark-web markets, turning stolen credentials into an active exposure that can fuel account abuse and downstream fraud. The leak is tied to Vidar and Lumma infostealer infections, which gathered the credentials from a broader fraud ecosystem aimed at 2026 FIFA World Cup fans.

Gitea private container image exposure security flaw (CVE-2026-27771)

Vulnerability

Updated: 27.05.2026 13:06 · First: 27.05.2026 13:06 · 📰 1 src / 1 articles · H score: 25

Researchers disclosed CVE-2026-27771 in Gitea, a flaw that let unauthenticated remote attackers pull private container images from affected deployments. The issue affects all versions prior to 1.26.2, which fixes the bug. The reported footprint spans more than 30,000 deployments across 30+ countries. Operators can upgrade to 1.26.2 or apply [service].REQUIRE_SIGNIN_VIEW=true as a temporary workaround.

LiteSpeed cPanel user-end plugin urgent security update (CVE-2026-48172)

Security Patch Release

Updated: 27.05.2026 13:06 · First: 27.05.2026 13:06 · 📰 1 src / 1 articles · H score: 55

LiteSpeed released urgent security updates for the cPanel user-end plugin after CVE-2026-48172 was found to be actively exploited, reducing exposure for systems running the bundled WHM plugin. The vendor told users to move the plugin to the latest version. The release targets a flaw that can give remote attackers root privileges.

Dutch National Police arrest Ajax hack suspect

Law Enforcement

Updated: 27.05.2026 12:09 · First: 27.05.2026 12:09 · 📰 1 src / 1 articles · H score: 15

The Dutch National Police arrested a 35-year-old man from Buren in a computer trespassing case tied to Ajax Amsterdam (AFC Ajax), escalating a criminal probe into repeated unauthorized access to the club's systems. Police said the suspect is believed to have intruded into Ajax's systems several times. The arrest connects the law-enforcement action directly to a cybercrime thread involving a named victim organization and alleged system compromise.

PureLogs infostealer purchase-order phishing delivery chain

Malware Activity

Updated: 27.05.2026 11:00 · First: 27.05.2026 11:00 · 📰 1 src / 1 articles · H score: 21

The PureLogs infostealer is being delivered through purchase-order-themed phishing emails, creating a Windows infection chain that steals browser credentials, Discord authentication data, and cryptocurrency wallet files and keys. The payload uses a malicious JavaScript file, then pivots through PowerShell and process hollowing to hide inside MsBuild.exe. The activity increases the risk of account takeover and wallet theft across targeted endpoints.

AI chatbot cryptojacking campaign targeting high-performance GPU users

Campaign

Updated: 27.05.2026 10:45 · First: 27.05.2026 10:45 · 📰 2 src / 2 articles · H score: 51

An active cryptojacking campaign is using SEO poisoning and, in some cases, AI chatbot recommendations to steer users toward malicious download pages for trusted utilities. The activity targets high-performance GPUs, delivers a ZIP payload from gleeze[.]com, and installs ScreenConnect for persistence before dropping GPU miners such as gminer, lolMiner, and SRBMiner-MULTI.