Security Intelligence

19 May 2026Multiple organisations across Middle East and North Africa

INTERPOL Operation Ramz dismantles 53 malware and phishing servers across MENA region with 200+ arrests

INTERPOL's coordinated law enforcement operation across the Middle East and North Africa resulted in the seizure of 53 malware and phishing servers and over 200 arrests. This represents a significant disruption to cybercriminal infrastructure in a region with historically high threat actor density.

OpenClaw Vulnerability Chain Enables Sandbox Escape and Persistent Backdoor Installation

Four chained vulnerabilities in OpenClaw permit attackers to extract credentials, bypass sandbox isolation, and establish persistent backdoor access. This represents a complete compromise pathway from initial execution to system persistence.

18 May 2026OpenClaw

18 May 2026US Healthcare Organisations, HHS-regulated entities

US Healthcare Sector Faces Coordinated Breach Wave Affecting Millions

Multiple US healthcare organisations have suffered data breaches affecting millions of individuals, with incidents logged across the HHS Office for Civil Rights tracker. This represents a sustained attack pattern against a high-value, regulated sector with significant compliance and operational implications.

18 May 2026Ivanti Xtraction, Fortinet, SAP +2

Multi-vendor RCE patch wave signals coordinated disclosure cycle with Ivanti Xtraction critical flaw leading

Ivanti, Fortinet, SAP, VMware, and n8n have released patches for multiple remote code execution and privilege escalation vulnerabilities, with Ivanti Xtraction's CVE-2026-8043 (CVSS 9.6) enabling arbitrary code execution through external file name control. This coordinated patch release suggests these flaws were likely discovered through vulnerability coordination channels.

CVE-2026-8043

18 May 2026Windows 11, BitLocker

YellowKey BitLocker Bypass Requires Physical Access, Significantly Reduces Enterprise Disk Encryption Assurance

YellowKey, a publicly disclosed exploit, reliably bypasses Windows 11 BitLocker default configurations by exploiting TPM-based key storage, but requires physical device access. This substantially weakens encryption guarantees for organisations relying on BitLocker as a mandatory protection.

18 May 20267-Eleven, Salesforce (customer data exposure)

7-Eleven Breach Exposes 600k Salesforce Records; ShinyHunters Escalates Ransom Operations

ShinyHunters ransomware group claims to have stolen over 600,000 Salesforce records from 7-Eleven, including personal and corporate data, with confirmed breach details now public. This represents a significant compromise of a major retail organisation's customer and operational data.

criticalSupply ChainResolved

Coordinated Supply Chain Attacks Target Developer Credentials Across npm, PyPI, and Docker Hub

Three separate campaigns hit major package repositories within 48 hours, targeting secrets and credentials stored in developer workstations and CI/CD pipelines. The shift from code injection to credential theft represents a fundamental escalation in supply chain attack sophistication.

18 May 2026npm, PyPI, Docker Hub +1

18 May 2026Microsoft Windows

Public MiniPlasma Exploit Resurrects Four-Year-Old Windows Privilege Escalation

A researcher has released a working exploit (MiniPlasma) for an unpatched 2020 Windows CVE, based on original proof-of-concept code. This exposes organisations still running vulnerable systems to immediate privilege escalation attacks.

highSupply ChainActive

npm Supply Chain Attack: Four Malicious Packages Distributing Infostealers and DDoS Malware

Four typosquatted and cloned npm packages have been discovered delivering infostealer malware and DDoS bot capabilities to developers. The packages exploited common naming conventions and dependency confusion to achieve distribution across thousands of downloads.

18 May 2026npm registry, developers using npm packages

18 May 2026Microsoft Windows, Windows Cloud Files Mini Filter Driver (cldflt.sys)

MiniPlasma 0-Day Exposes Systemic Patching Failure in Windows Cloud Files Driver

Researcher Chaotic Eclipse has released a working exploit for MiniPlasma, a Windows privilege escalation zero-day in the Cloud Files Mini Filter Driver (cldflt.sys) that grants SYSTEM access on fully patched systems. This represents a complete bypass of Windows security controls and poses immediate risk to all affected Windows installations.

18 May 2026Linux kernel (systems running vulnerable rxgk module)

DirtyDecrypt PoC Released: Linux Kernel rxgk LPE Now Weaponised Post-Patch

A proof-of-concept exploit has been released for DirtyDecrypt, a recently patched local privilege escalation vulnerability in the Linux kernel's rxgk module. Attackers with local access can now more easily achieve root-level code execution on affected systems.

18 May 2026Grafana Labs, Grafana Enterprise, Grafana Cloud

Grafana Breach Attributed to Coinbase Cartel: High-Profile Threat Actor Cluster Targeting Observability Infrastructure

Grafana Labs confirmed a data breach attributed to Coinbase Cartel, a cybercriminal group with documented links to ShinyHunters, Scattered Spider, and Lapsus$. The incident targets a critical observability platform used across thousands of organisations for infrastructure monitoring.

highMalwareResolved

Fast16: Archaeological Evidence of State-Sponsored Nuclear Sabotage Predating Stuxnet

Symantec and Carbon Black have analysed the Lua-based Fast16 malware, a pre-Stuxnet cyber sabotage tool designed to corrupt uranium-compression simulations used in nuclear weapons design. The discovery provides historical evidence of advanced persistent threat capabilities targeting critical infrastructure simulation environments.

18 May 2026Nuclear weapons programme simulation systems

highPolicyResolved

Windows 11 May 2026 Security Update Deployment Failure: Systemic Installation Issues Across User Base

Microsoft's May 2026 Windows 11 security update (KB5089549) fails to install on multiple systems, returning 0x800f0922 errors. This prevents security patch deployment on affected machines, leaving them exposed to unpatched vulnerabilities.

18 May 2026Windows 11, Microsoft

mediumPolicyResolved

South Korea's Deepfake Regulation Test: Can Legal Frameworks Outpace Synthetic Media Technology

South Korea will use its upcoming local elections as a live test of deepfake regulations to assess whether legislative controls can effectively prevent malicious synthetic media in political contexts. The outcome will inform global policy approaches to synthetic content threats.

18 May 2026South Korean electoral system, Voters in South Korean local elections

18 May 2026Windows, Linux, VMware +2

Pwn2Own Berlin 2026 rewards $1.3M in zero-days across Windows, Linux, VMware, and AI products

Security researchers demonstrated previously unknown exploits at Pwn2Own Berlin 2026, earning $1.3 million in total bounties across multiple platforms including Windows, Linux, VMware, Nvidia, and AI systems. The event highlights an active market for zero-day vulnerabilities and signals emerging attack surface in AI products.

18 May 2026Multiple vendors (specific products not identified in source)

Pwn2Own Berlin 2026 reveals 47 zero-days: vulnerability disclosure at scale raises questions about coordinated remediation

Security researchers earned $1.3m by demonstrating 47 zero-day exploits at Pwn2Own Berlin 2026. The volume of disclosed vulnerabilities highlights the ongoing gap between vulnerability discovery and vendor patching capacity.

17 May 2026Microsoft 365, Trustifi

Tycoon2FA expands device-code phishing capability, abusing legitimate email infrastructure to compromise Microsoft 365

The Tycoon2FA phishing kit has added device-code authentication flow attacks to its arsenal and now abuses Trustifi click-tracking URLs to mask malicious redirects, enabling credential theft against Microsoft 365 users at scale.

17 May 2026NGINX Plus, NGINX Open Source

NGINX CVE-2026-42945 heap overflow under active exploitation with RCE potential

A heap buffer overflow in NGINX's rewrite module (CVE-2026-42945, CVSS 9.2) is being exploited in the wild days after disclosure, affecting versions 0.6.27 through 1.30.0 and potentially enabling remote code execution or worker process crashes.

CVE-2026-42945

17 May 2026Windows (fully patched systems)

MiniPlasma: Public PoC for Windows Privilege Escalation Zero-Day Raises Immediate Exploitation Risk

A Windows privilege escalation zero-day called MiniPlasma has had a proof-of-concept exploit publicly released, allowing attackers to achieve SYSTEM-level access on fully patched systems. Public PoC availability significantly increases exploitation risk across all affected Windows environments.

17 May 2026Microsoft Azure Backup for AKS

Microsoft's Silent Azure Backup Fix Raises Questions on Vulnerability Disclosure Transparency

A security researcher claims Microsoft quietly patched an Azure Backup for AKS vulnerability without issuing a CVE or acknowledging the original report, whilst Microsoft contests the characterisation and denies making product changes. The dispute highlights tensions in coordinated disclosure practices and raises concerns about undisclosed fixes in cloud infrastructure.

16 May 2026Remote Sunrise Helper for Windows 2026.14

Unauthenticated Directory Enumeration in Remote Sunrise Helper for Windows 2026.14

Remote Sunrise Helper for Windows 2026.14 permits unauthenticated attackers to enumerate files and directories via an improperly secured API or web interface. This PoC demonstrates information disclosure that could facilitate follow-on attacks.