[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f4J-qqjMfyno_jZWcWGKe-VXqp-R_vnH5VsD_J8VZ3HY":3},{"roundup":4},{"id":5,"week_label":6,"slug":7,"date_from":8,"date_to":9,"tldr":10,"full_brief":11,"top_iocs":12,"social_linkedin":59,"social_x":60,"article_count":61,"awareness_links":62,"status":123,"published_at":124,"created_at":125,"updated_at":125,"mastodon_posted_at":126,"executive_summary":127,"tagline":128,"cover_image_url":129},"442102e3-62a7-4aa2-9155-4ddab4d1518f","2026-W21","2026-w21","2026-05-18","2026-05-24","🔥 Supply chain attacks surge as AI accelerates both attack and defense capabilities\n🏦 Critical infrastructure faces elevated risks from NGINX RCE and power grid vulnerabilities\n🔓 BitLocker bypass and Microsoft Defender zero-days expose Windows security gaps\n💰 Ransomware groups target cybersecurity firms in retaliation campaigns\n🌍 Government databases in Uruguay and South Africa leak millions of citizen records\n⚡ Vulnerability exploitation overtakes credential theft as top breach vector for first time","## Vulnerabilities & Exploits\n\n**[Critical NGINX heap buffer overflow actively exploited](https:\u002F\u002Fwww.securityweek.com\u002Fexploitation-of-critical-nginx-vulnerability-begins\u002F)**. CVE-2026-42945 in ngx_http_rewrite_module enables RCE and is being exploited in the wild just days after patch release, affecting 5.7M internet-exposed servers.\n\n**[Microsoft patches two exploited Defender zero-days](https:\u002F\u002Fwww.securityweek.com\u002Fmicrosoft-patches-exploited-undefend-and-redsun-defender-zero-days\u002F)**. CVE-2026-41091 allows privilege escalation while CVE-2026-45498 causes DoS; both added to CISA KEV catalog.\n\n**[BitLocker bypass vulnerability acknowledged by Microsoft](https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fmicrosoft\u002Fmicrosoft-shares-mitigation-for-yellowkey-windows-zero-day\u002F)**. YellowKey (CVE-2026-45585) allows attackers to access protected drives via crafted FsTx files on USB or EFI partitions.\n\n**[Drupal SQL injection flaw under active attack](https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fdrupal-critical-sql-injection-flaw-now-targeted-in-attacks\u002F)**. CVE-2026-9082 in PostgreSQL database abstraction API enables unauthenticated attackers to execute arbitrary SQL commands.\n\n### Key Takeaway\nPatch NGINX, Microsoft Defender, Drupal, and implement TPM+PIN for BitLocker immediately.\n\n## Supply Chain Attacks\n\n**[Shai-Hulud malware compromises 600+ npm packages](https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fnew-shai-hulud-malware-wave-compromises-600-npm-packages\u002F)**. Campaign targets @antv ecosystem to steal GitHub, npm, cloud, and CI\u002FCD credentials via Session P2P network.\n\n**[GitHub breach via malicious VS Code extension](https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fgithub-links-repo-breach-to-tanstack-npm-supply-chain-attack\u002F)**. TeamPCP compromised 3,800 internal repositories through poisoned Nx Console extension, demanding $50,000 for stolen code.\n\n**[Megalodon attack hits 5,561 GitHub repositories](https:\u002F\u002Fhackread.com\u002Fgithub-repositories-megalodon-supply-chain-attack\u002F)**. Automated campaign injected malicious CI\u002FCD workflows to steal cloud credentials within six hours.\n\n**[Malicious postinstall hooks found in 700+ repositories](https:\u002F\u002Fsocket.dev\u002Fblog\u002Fmalicious-postinstall-hook-found-across-700-github-repos)**. Coordinated campaign targeted Packagist and Node.js packages to download Linux binary from attacker infrastructure.\n\n### Key Takeaway\nImplement supply chain security scanning and review all CI\u002FCD workflows for unauthorized modifications.\n\n## Ransomware & Breaches\n\n**[7-Eleven confirms ShinyHunters breach](https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002F7-eleven-confirms-data-breach-claimed-by-the-shinyhunters-gang\u002F)**. Attackers stole 600K+ records from Salesforce environment and leaked 9.4GB archive after ransom refusal.\n\n**[WisERP customer records auctioned on dark web](https:\u002F\u002Fx.com\u002FDarkWebInformer\u002Fstatus\u002F2058212320468193384)**. 1.5 million U.S. ERP customer records allegedly breached and advertised for sale.\n\n**[ShinyHunters targets cybersecurity firm](https:\u002F\u002Fx.com\u002FDarkWebInformer\u002Fstatus\u002F2056926203425051080)**. Retaliation attack against firm that advises ransomware victims not to pay.\n\n**[RetoSwap loses $2.7M to protocol flaw](https:\u002F\u002Fx.com\u002FDarkWebInformer\u002Fstatus\u002F2057244918901342436)**. 7,000 XMR drained due to Haveno protocol vulnerability exploitation.\n\n### Key Takeaway\nSegment Salesforce environments and prepare incident response plans for extortion scenarios.\n\n## APT & Nation-State\n\n**[TeamPCP and LAPSUS$ collaborate on GitHub data](https:\u002F\u002Fx.com\u002FDarkWebInformer\u002Fstatus\u002F2057136118240284834)**. Joint sale offering of GitHub internal repositories demonstrates threat actor coordination.\n\n**[RondoDox botnet exploits 2018 ASUS flaw](https:\u002F\u002Fhackread.com\u002Frondodox-botnet-2018-vulnerability-hijack-asus-routers\u002F)**. CVE-2018-5999 exploitation hijacks over 1 million routers for DDoS attacks despite 8-year-old vulnerability.\n\n**[Banana RAT targets Brazilian banks](https:\u002F\u002Fhackread.com\u002Fbanana-rat-malware-fake-invoices-16-brazilian-banks\u002F)**. SHADOW-WATER-063 uses WhatsApp distribution and QR code replacement for real-time financial fraud.\n\n### Key Takeaway\nPatch legacy network devices and implement behavioral monitoring for financial applications.\n\n## Critical Infrastructure\n\n**[ABB EV charger vulnerabilities disclosed](https:\u002F\u002Fwww.cisa.gov\u002Fnews-events\u002Fics-advisories\u002Ficsa-26-141-05)**. Three buffer overflow flaws in Terra AC Wallbox enable remote firmware alteration via Bluetooth.\n\n**[Hitachi Energy grid system OpenSSL flaw](https:\u002F\u002Fwww.cisa.gov\u002Fnews-events\u002Fics-advisories\u002Ficsa-26-141-01)**. GMS600 versions 1.3.0-1.3.1 vulnerable to timing attack enabling TLS decryption.\n\n**[ABB automation runtime session hijacking](https:\u002F\u002Fwww.cisa.gov\u002Fnews-events\u002Fics-advisories\u002Ficsa-26-141-04)**. B&R Automation Runtime \u003C6.4 allows unauthenticated session hijacking and XSS.\n\n### Key Takeaway\nUpdate industrial control systems immediately and segregate OT networks from internet exposure.\n\n## Data Breaches\n\n**[Uruguay national ID database leaked](https:\u002F\u002Fdarkwebinformer.com\u002Furuguay-dnic-allegedly-leaked-5-8m-citizen-database-records-exposed\u002F)**. 5.8 million citizen records including national ID numbers allegedly released by LaPampaLeaks.\n\n**[South African Revenue Service claimed by Nullsec](https:\u002F\u002Fx.com\u002FDarkWebInformer\u002Fstatus\u002F2058214877831762189)**. SARS allegedly breached with data exfiltration claimed by threat actor.\n\n**[Chilean Fire Department VIPER platform breached](https:\u002F\u002Fx.com\u002FDarkWebInformer\u002Fstatus\u002F2058217725382561879)**. Emergency response system allegedly compromised with internal records exposed.\n\n### Key Takeaway\nImplement data loss prevention controls and encrypt sensitive government databases.\n\n## Law Enforcement Actions\n\n**[1VPNS service seized by international coalition](http:\u002F\u002Foperation-saffron.eu)**. Joint operation by seven countries through Europol seized VPN service used for illegal activities.\n\n**[INTERPOL Operation Ramz arrests 200+ cybercriminals](https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Finterpol-operation-ramz-seizes-53-malware-phishing-servers\u002F)**. Seized 53 malware and phishing servers across Middle East and North Africa.\n\n### Key Takeaway\nReview third-party VPN usage policies and implement network monitoring for malicious infrastructure.\n\n## References\n\n- https:\u002F\u002Fwww.securityweek.com\u002Fexploitation-of-critical-nginx-vulnerability-begins\u002F\n- https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fgithub-links-repo-breach-to-tanstack-npm-supply-chain-attack\u002F\n- https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fnew-shai-hulud-malware-wave-compromises-600-npm-packages\u002F\n- https:\u002F\u002Fwww.securityweek.com\u002Fmicrosoft-patches-exploited-undefend-and-redsun-defender-zero-days\u002F\n- https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002F7-eleven-confirms-data-breach-claimed-by-the-shinyhunters-gang\u002F\n- https:\u002F\u002Fdarkwebinformer.com\u002Furuguay-dnic-allegedly-leaked-5-8m-citizen-database-records-exposed\u002F\n- https:\u002F\u002Fhackread.com\u002Fgithub-repositories-megalodon-supply-chain-attack\u002F\n- https:\u002F\u002Fwww.verizon.com\u002Fabout\u002Fnews\u002Fbreach-industry-wide-dbir-finds",[13,17,21,24,27,30,34,36,38,40,44,47,50,53,56],{"type":14,"value":15,"context":16},"malware","Shai-Hulud","Supply chain worm targeting NPM packages, steals credentials and API keys for self-propagation",{"type":18,"value":19,"context":20},"cve","CVE-2026-42945","Critical heap buffer overflow in NGINX ngx_http_rewrite_module, actively exploited in the wild",{"type":14,"value":22,"context":23},"Mini Shai-Hulud","Self-replicating infostealer worm used by TeamPCP to steal CI\u002FCD credentials, cloud keys, and personal access tokens from developer environments",{"type":18,"value":25,"context":26},"CVE-2026-9082","Critical SQL injection vulnerability in Drupal database abstraction API affecting PostgreSQL",{"type":14,"value":28,"context":29},"WisERP breach","1.5M customer records allegedly breached and auctioned on dark web",{"type":31,"value":32,"context":33},"ip","147.135.11.223","1VPNS infrastructure IP address",{"type":31,"value":35,"context":33},"147.135.36.162",{"type":31,"value":37,"context":33},"147.135.40.102",{"type":31,"value":39,"context":33},"147.135.87.184",{"type":41,"value":42,"context":43},"domain","qq-0732gwh22[.]com","Fake QQ\u002FWeChat installer distribution domain",{"type":14,"value":45,"context":46},"chalk-tempalte","Direct clone of Shai-Hulud worm deployed as malicious NPM package",{"type":41,"value":48,"context":49},"mlcrosoft.co.com","Typo-squatted domain used to host fake WeChat\u002FMiro download pages for Reaper malware distribution",{"type":41,"value":51,"context":52},"hebsbsbzjsjshduxbs.xyz","Attacker gateway server receiving stolen files and hosting backdoor command-and-control endpoint",{"type":41,"value":54,"context":55},"87e0bbc636999b.lhr.life","C2 server for Shai-Hulud malware data exfiltration",{"type":18,"value":57,"context":58},"CVE-2026-45585","YellowKey Windows BitLocker security feature bypass vulnerability","This week marked a fundamental shift in cybersecurity: for the first time in 19 years, vulnerability exploitation overtook stolen credentials as the #1 breach vector. Here's what security teams need to know:\n\n• Critical NGINX flaw exploited within days of disclosure, affecting 5.7M servers\n• Supply chain attacks surge with 600+ npm packages compromised by Shai-Hulud malware\n• GitHub breached via poisoned VS Code extension, 3,800 repositories stolen\n• Microsoft patches two exploited Defender zero-days now on CISA KEV list\n• Government databases in Uruguay and South Africa leak millions of citizen records\n\nFull roundup: https:\u002F\u002Fthreatnoir.com\u002Fweekly\u002F2026-w21\n\n#cybersecurity #infosec #supplychain #vulnerabilitymanagement #threatintelligence","🚨 Game changer: Vulnerability exploitation just overtook stolen credentials as the #1 breach vector for the first time in 19 years. AI is compressing exploit timelines from months to hours while supply chain attacks explode.\n\nFull threat roundup: https:\u002F\u002Fthreatnoir.com\u002Fweekly\u002F2026-w21",52,[63,66,69,72,75,78,81,84,87,90,93,96,99,102,105,108,111,114,117,120],{"slug":64,"title":65},"ai-accelerated-kernel-exploit-demonstrates-new-threat-landscape","AI-Accelerated Kernel Exploit Demonstrates New Threat Landscape",{"slug":67,"title":68},"google-api-key-deletion-delays-create-23-minute-attack-window","Google API Key Deletion Delays Create 23-Minute Attack Window",{"slug":70,"title":71},"memory-corruption-vulnerabilities-in-abb-ev-charging-infrastructure","Memory Corruption Vulnerabilities in ABB EV Charging Infrastructure",{"slug":73,"title":74},"critical-openssl-vulnerability-exposes-grid-management-systems-to-tls-decryption-attacks","Critical OpenSSL Vulnerability Exposes Grid Management Systems to TLS Decryption Attacks",{"slug":76,"title":77},"abb-br-automation-runtime-vulnerabilities-enable-session-hijacking-and-code-injection","ABB B&R Automation Runtime Vulnerabilities Enable Session Hijacking and Code Injection",{"slug":79,"title":80},"microsoft-defender-zero-days-highlight-critical-patch-management-gaps","Microsoft Defender Zero-Days Highlight Critical Patch Management Gaps",{"slug":82,"title":83},"github-breach-via-malicious-vs-code-extension-highlights-supply-chain-risks","GitHub Breach via Malicious VS Code Extension Highlights Supply Chain Risks",{"slug":85,"title":86},"protocol-flaw-exploitation-drains-27m-from-cryptocurrency-exchange","Protocol Flaw Exploitation Drains $2.7M from Cryptocurrency Exchange",{"slug":88,"title":89},"incomplete-patching-leaves-sonicwall-vpns-vulnerable-despite-mfa","Incomplete Patching Leaves SonicWall VPNs Vulnerable Despite MFA",{"slug":91,"title":92},"indonesian-water-utility-database-breach-exposes-437k-customer-records","Indonesian Water Utility Database Breach Exposes 437K+ Customer Records",{"slug":94,"title":95},"belgian-company-fined-177k-for-failing-to-deactivate-contractor-email-account","Belgian Company Fined €177K for Failing to Deactivate Contractor Email Account",{"slug":97,"title":98},"vpn-service-seized-for-illegal-activities","VPN Service Seized for Illegal Activities",{"slug":100,"title":101},"lapsus-and-teampcp-collaborate-to-sell-github-internal-repositories","LAPSUS$ and TeamPCP Collaborate to Sell GitHub Internal Repositories",{"slug":103,"title":104},"uruguay-government-database-breach-exposes-58m-citizens","Uruguay Government Database Breach Exposes 5.8M Citizens",{"slug":106,"title":107},"bitlocker-zero-day-exposes-critical-need-for-defense-in-depth-encryption","BitLocker Zero-Day Exposes Critical Need for Defense-in-Depth Encryption",{"slug":109,"title":110},"cybersecurity-firms-face-targeted-retaliation-from-threat-actors","Cybersecurity Firms Face Targeted Retaliation from Threat Actors",{"slug":112,"title":113},"uruguay-national-id-database-breach-exposes-58m-citizens","Uruguay National ID Database Breach Exposes 5.8M Citizens",{"slug":115,"title":116},"bitlocker-bypass-vulnerability-exposes-encrypted-data","BitLocker Bypass Vulnerability Exposes Encrypted Data",{"slug":118,"title":119},"ai-accelerated-development-increases-software-supply-chain-attack-surface","AI-Accelerated Development Increases Software Supply Chain Attack Surface",{"slug":121,"title":122},"banking-customers-fall-victim-to-sophisticated-rat-malware-via-social-engineering","Banking Customers Fall Victim to Sophisticated RAT Malware via Social Engineering","published","2026-05-24T05:12:43.509+00:00","2026-05-24T05:14:18.840459+00:00","2026-05-24T05:15:06.223+00:00","### The week in one line\nVulnerability exploitation overtook credential theft as the primary breach vector while supply chain attacks accelerated.\n\n### What happened\nAI is compressing exploit timelines from months to hours while simultaneously fueling massive supply chain campaigns. TeamPCP and other groups are leveraging developer tool compromises to steal code at unprecedented scale.\n\n- NGINX heap buffer overflow CVE-2026-42945 actively exploited within days of disclosure\n- Shai-Hulud malware compromised 600+ npm packages targeting developer credentials\n- GitHub breached via poisoned VS Code extension, 3,800 repositories stolen by TeamPCP\n- Microsoft patched two exploited Defender zero-days added to CISA KEV catalog\n- Uruguay national ID database with 5.8M citizen records allegedly leaked online\n\n### Why it matters for defenders and leaders\nThe threat landscape has fundamentally shifted as AI accelerates both attack development and the creation of vulnerable code. Traditional patch windows are collapsing while supply chain attacks target the core development infrastructure organizations depend on.\n\n- Critical vulnerabilities are being weaponized faster than organizations can patch\n- Developer environments have become high-value targets for stealing intellectual property\n- Government databases worldwide are being systematically breached and monetized\n- Ransomware groups are retaliating against cybersecurity firms that advise against payment\n\n### What to do this week\n- Patch NGINX, Microsoft Defender, and Drupal immediately across all environments\n- Implement supply chain security scanning for all package dependencies and CI\u002FCD workflows\n- Review BitLocker configurations and enable TPM+PIN mode where possible\n- Audit developer tool access and extensions in VS Code and similar platforms\n- Segment critical systems from internet exposure and implement network monitoring","The week AI rewrote attack timelines","https:\u002F\u002Fcdn.threatnoir.com\u002Fweekly\u002F2026-w21-cover.png"]