- OpenAI Codex RCE: External control vulnerability exploited by Satoki Tsuji at Pwn2Own Berlin 2026
ThreatNoir Morning Brief — May 20
Morning Review in IT Security — May 20, 2026
The cybersecurity landscape continues to face mounting pressure from multiple fronts, with zero-day vulnerabilities commanding record payouts, supply-chain attacks expanding their reach, and major retailers confirming significant data breaches. Today's briefing covers critical developments across vulnerability research, malware distribution, and breach confirmation that demand immediate attention from security teams.
Pwn2Own Berlin 2026 Closes With $1.3 Million in Zero-Day Payouts
The annual Pwn2Own security competition concluded with substantial payouts reflecting the continued value of zero-day exploits in the threat landscape. Cybersecurity researchers demonstrated 47 unique zero-day vulnerabilities targeting major enterprise software and artificial intelligence platforms, collectively earning $1.3 million in bounties. The competition showcased the sophisticated capabilities of security researchers and the critical importance of responsible vulnerability disclosure. Source: Pwn2Own Berlin 2026 Closes With $1.3 Million in Zero-Day Payouts
New Shai-Hulud Malware Wave Compromises 600 npm Packages
A significant supply-chain attack has compromised the open-source ecosystem with threat actors publishing over 600 malicious packages to the Node Package Manager index. The Shai-Hulud campaign represents a substantial escalation in supply-chain threats targeting developers and organizations relying on npm dependencies. The malicious packages use infrastructure, including the domains filev2.getsession.org and t.m-kosche.com, to facilitate command and control operations. Source: New Shai-Hulud malware wave compromises 600 npm packages
7-Eleven Confirms Data Breach Claimed by the ShinyHunters Gang
Convenience store chain 7-Eleven has officially confirmed that its systems were compromised in a cyberattack attributed to the ShinyHunters extortion group. The breach, initially claimed last month, represents a significant incident affecting one of the world's largest retail chains. The confirmation underscores the persistent threat posed by organized extortion-focused threat actors targeting major commercial entities. Source: 7-Eleven confirms data breach claimed by the ShinyHunters gang
Breach Entry Point, 2026 DBIR Finds
The 2026 Data Breach Investigations Report from Verizon reveals a critical shift in the threat landscape, with vulnerability exploitation now surpassing stolen credentials as the leading breach entry point. This trend indicates that attackers are increasingly leveraging unpatched systems and zero-day vulnerabilities rather than relying solely on compromised authentication mechanisms. The finding has significant implications for security prioritization and resource allocation across organizations. Source: Breach entry point, 2026 DBIR finds
Today's developments emphasize the evolving nature of cyber threats, from the continued discovery of zero-day vulnerabilities to the expansion of supply-chain attacks and the strategic shift toward exploitation-based breach methodologies. Organizations must prioritize vulnerability management, supply-chain security, and rapid patching protocols to address these emerging threats effectively.
Sources & IOCs
Source articles and extracted indicators (defanged where appropriate).
- Shai-Hulud: Supply-chain malware campaign targeting npm, PyPI, and Composer ecosystems
- filev2.getsession.org: Primary exfiltration endpoint used by Shai-Hulud malware via Session P2P network
- t.m-kosche.com: Secondary C2 endpoint for shipping stolen credentials