Industrial Sector
- Fuel Tank Breaches Expand Scope Of Iran's Cyber Offensive
"Iranian hackers reportedly breached systems that monitor fuel levels in storage tanks serving gas stations around the US, demonstrating yet again the changing nature of modern warfare and Iran's cyber reach beyond its active military engagement with the US and Israel. Threat actors from Iran allegedly exploited automatic tank gauge (ATG) systems that were exposed online and lacked password protections, according to a report published by CNN Friday that cited sources familiar with the incident. Attackers managed to change display readings on the tanks but not the actual levels of fuel in them, according to the report."
https://www.darkreading.com/cyberattacks-data-breaches/fuel-tank-breaches-expand-scope-irans-cyber-offensive
New Tooling
- Lyrie: Open-Source Autonomous Pentesting Agent
"Penetration testing has usually required weeks of manual work, specialized tooling, and teams with narrow skill sets. Lyrie, an open-source autonomous security agent built by OTT Cybersecurity, compresses that process into a command line tool and publishes the entire codebase. The project reached version 3.1.0 this month. The release adds XChaCha20-Poly1305 memory encryption for sensitive threat data, seven new proof-of-concept generators covering prompt injection, auth bypass, CSRF, open redirect, race conditions, secret exposure, and cross-site execution, and three new deep scanners for Rust analysis, taint engine processing, and AI-driven code review. The repository now ships 25 tested commands spanning core security operations, binary analysis, governance, and self-improvement workflows."
https://www.helpnetsecurity.com/2026/05/18/lyrie-ai-autonomous-pentesting-agent/
https://github.com/OTT-Cybersecurity-LLC/lyrie-ai
Vulnerabilities
- Exploit Available For New DirtyDecrypt Linux Root Escalation Flaw
"A recently patched local privilege escalation vulnerability in the Linux kernel's rxgk module now has a proof-of-concept exploit that allows attackers to gain root access on some Linux systems. Named DirtyDecrypt and also known as DirtyCBC, this security flaw was also autonomously found and reported by the V12 security team earlier this month, when the maintainers informed them that it was a duplicate that had already been patched in the mainline. "We found and reported this on May 9, 2026, but was informed it was a duplicate by the maintainers," V12 said. "It's a rxgk pagecache write due to missing COW guard in rxgk_decrypt_skb. See poc.c for more details.""
https://www.bleepingcomputer.com/news/security/exploit-available-for-new-dirtydecrypt-linux-root-escalation-flaw/ - Linux Kernel Flaw Opens Root-Only Files To Unprivileged Users
"Another Linux kernel flaw has handed local unprivileged users a way to peek at files they should never be able to read, including root-only secrets such as SSH keys. The bug affects multiple LTS kernel lines from 5.10 upward, although a fix has already landed – and there is now a proposal for reducing the odds of similar surprises in future. What FOSS analytics vendor Metabase memorably dubbed the strip-mining era of open source security continues. This time, the culprit is CVE-2026-46333, a local kernel vulnerability that lets an unprivileged user read files they should not be able to access, including those normally available only to root. An attacker who already has login access to an affected machine could therefore potentially grab SSH keys, password files, or other confidential credentials, as the KnightLi blog explains."
https://www.theregister.com/security/2026/05/18/linux-kernel-flaw-opens-root-only-files-to-unprivileged-users/5241950
https://www.knightli.com/en/2026/05/17/ssh-keysign-pwn-cve-2026-46333/
Malware
- SHub Reaper | MacOS Stealer Spoofs Apple, Google, And Microsoft In a Single Attack Chain
"Infostealers targeting macOS have continued to proliferate over the last two years, with threat actors iterating on successful techniques across related malware families. Researchers at Moonlock, Jamf, and Malwarebytes have previously documented the rise of SHub Stealer, including its use of fake application installers and “ClickFix” social engineering. This week, SentinelOne observed a new SHub variant using the build tag “Reaper”. Reaper uses fake WeChat and Miro installers as lures, but what stands out is the way the infection chain shifts its disguise at each stage. The payload may be hosted on a typo-squatted Microsoft domain, executed under the guise of an Apple security update, and persist from a fake Google Software Update directory. Alongside the previously documented SHub feature set, the build also adds an AMOS-style document theft module with chunked uploads."
https://www.sentinelone.com/blog/shub-reaper-macos-stealer-spoofs-apple-google-and-microsoft-in-a-single-attack-chain/
https://www.bleepingcomputer.com/news/security/shub-macos-infostealer-variant-spoofs-apple-security-updates/
https://hackread.com/reaper-malware-fake-microsoft-domain-macos-passwords/
https://www.theregister.com/security/2026/05/19/do-fear-the-reaper-stealer-swipes-macos-users-passwords-wallets-then-backdoors-them/5242258 - New Actors Deploy Shai-Hulud Clones: TeamPCP Copycats Are Here
"Four new malicious npm packages were detected and reported by OX Security in the last 24h, containing infostealer code. One of the packages (chalk-tempalte) contains a direct clone of the Shai-Hulud source code that TeamPCP leaked last week, probably inspired as part of the supply chain attack competition that was published in BreachForums not long after. One incriminating evidence that this is a different actor from TeamPCP, is that the Shai-Hulud malware code is an almost exact copy of the leaked source code, with no obfuscation techniques, which make the final version visually different from the original. In our breakdown we show the side by side comparison of the chalk-template Shai-Hulud version with the original source code leak, showing that they are the same."
https://www.ox.security/blog/new-actors-deploy-shai-hulud-clones-teampcp-copycats-are-here/
https://www.bleepingcomputer.com/news/security/leaked-shai-hulud-malware-fuels-new-npm-infostealer-campaign/
https://www.securityweek.com/first-shai-hulud-worm-clones-emerge/
https://www.theregister.com/cyber-crime/2026/05/18/shai-hulud-copycat-hits-another-npm-package/5242180 - Click, Install, Compromised: The New Wave Of Zoom-Themed Attacks
"As with most things, change is inevitable - especially for threat actors operating in a rapidly evolving threat landscape. What starts as a familiar Zoom invite can quickly escalate into a full-blown compromise. Recently, the Cofense Phishing Defense Center (PDC) has observed a shift in which traditional credential-harvesting phishing campaigns and familiar social engineering tactics are increasingly being repurposed to deliver more significant threats, including malware and unauthorized remote access."
https://cofense.com/blog/click-install-compromised-the-new-wave-of-zoom-themed-attacks - When Worm Source Code Goes Open Source: The Shai-Hulud Clones Arrive
"Last week the TeamPCP group did something the open source security community has been quietly dreading: they published the source code for the Shai-Hulud worm on GitHub and ran what amounted to a public attack challenge on BreachForums, inviting other actors to take the code and run with it. Days later, the first clones appeared on npm. A single threat actor uploaded four malicious packages from one account: a near-verbatim copy of Shai-Hulud with its own command-and-control infrastructure, three Axios typosquats, and a DDoS botnet payload that conscripts infected machines into a flooding network. All of them are aimed at developers who happen to fat-finger a dependency name."
https://mondoo.com/blog/shai-hulud-clones-arrive-when-worm-source-code-goes-open-source
https://www.darkreading.com/application-security/shai-hulud-worm-clones-spread-code-release - Custom Attack Tooling Including Undisclosed C2 Infrastructure Targeting Malaysian Organizations
"Oasis Security identified attacker-controlled infrastructure hosted on Microsoft Azure infrastructure in the Malaysia West region, used to conduct a targeted intrusion campaign against multiple Malaysian organizations. The operation demonstrates a high degree of operational planning, with the attacker developing purpose-built Python tooling for each target — covering internal network enumeration, database access, and external data exfiltration."
https://oasis-security.io/blog/malaysian-government-with-undisclosed-c2-infrastructure
https://hackread.com/government-backed-hackers-cloudflare-malaysia-espionage/ - Fast16: Pre-Stuxnet Sabotage Tool Was Built To Subvert Nuclear Weapons Simulations
"In April 2026, our peers in SentinelOne published the first public analysis of fast16, a previously undiscovered sabotage framework whose oldest components appear to date from around 2005, approximately two years before Stuxnet first became active. The framework consists of a service binary that embeds an early Lua 5.0 virtual machine, a boot-start filesystem driver that intercepts and patches executable code as it is read from disk, and a rule-driven hook engine that rewrites very specific instruction sequences inside a single, narrowly defined target application."
https://www.security.com/threat-intelligence/fast16-nuclear-sabotage
https://thehackernews.com/2026/05/pre-stuxnet-fast16-malware-tampered.html - NATS-As-C2: Inside a New Technique Attackers Are Using To Harvest Cloud Credentials And AI API Keys
"On May 5, 2026, the Sysdig Threat Research Team (TRT) identified a novel command-and-control (C2) technique in which a threat actor used a NATS server as C2 infrastructure. The Sysdig TRT has dubbed this technique “NATS-as-C2.” Rather than relying on traditional HTTP-based panels or chat platforms, the attacker leveraged infrastructure more commonly associated with modern distributed systems. The Sysdig TRT traced the activity to an extended exploitation attempt involving CVE-2026-33017, an unauthenticated remote code execution (RCE) vulnerability in Langflow that was added to the CISA KEV catalog on March 25, 2026. Over roughly 30 minutes of hands-on activity, the operator at 159.89.205.184 (DigitalOcean) downloaded a Python worker and a Go binary. During this time, the Sysdig TRT captured the threat actor’s payload, exposing their coordination plane: a NATS server at 45.192.109.25:14222 running an authenticated, ACL-enforced instance. The attacker subsequently attempted to escape the container using DirtyPipe and DirtyCreds exploits."
https://webflow.sysdig.com/blog/nats-as-c2-inside-a-new-technique-attackers-are-using-to-harvest-cloud-credentials-and-ai-api-keys - Gamaredon’s Infection Chain: Spoofed Emails, GammaDrop And GammaLoad
"Investigating Gamaredon’s abuse of CVE-2025-8088, we identified a dozen waves of spearphishing emails against Ukrainian state institutions in a campaign that is still active, dating back to September 2025. These emails – spoofed or sent from compromised government accounts – deliver persistent, multi-stage VBScript downloaders that profile the infected system. In the absence of public analysis of these malware, this report documents Gamaredon’s GammaDrop and GammaLoad downloader variants, the infrastructure behind them, and the methods used to deliver the spearphishing emails."
https://harfanglab.io/insidethelab/gamaredon-gammadrop-gammaload/
Breaches/Hacks/Leaks
- 7-Eleven Data Breach Confirmed After ShinyHunters Ransom Demand
"7-Eleven, the world’s largest convenience store chain, has confirmed suffering a data breach after the notorious ShinyHunters hacker group claimed to have stolen information from its systems. The company has started sending out security incident notices revealing that an intrusion into 7-Eleven systems used to store franchisee documents was detected on April 8. According to a notification submitted to the Maine Attorney General’s Office, unspecified personal information has been compromised. The exposed information was provided to the company during franchise applications."
https://www.securityweek.com/7-eleven-data-breach-confirmed-after-shinyhunters-ransom-demand/
https://securityaffairs.com/192336/data-breach/shinyhunters-hack-7-eleven-franchisee-data-and-salesforce-records-exposed.html - A Hotel Check-In System Left a Million Passports And Driver’s Licenses Open For Anyone To See
"A hotel check-in system left more than 1 million customer passports, driver’s licenses, and selfie verification photos to the open web after a security lapse. The data is now offline after TechCrunch alerted the company responsible. The hotel check-in system, called Tabiq, is maintained by the Japan-based tech startup Reqrea. According to its website, Tabiq is used in several hotels across Japan and relies on facial recognition and document scanning to check guests in."
https://techcrunch.com/2026/05/15/a-hotel-check-in-system-left-a-million-passports-and-drivers-licenses-open-for-anyone-to-see/
https://securityaffairs.com/192302/data-breach/public-amazon-bucket-leaks-sensitive-guest-data-from-japanese-hotel-platform-tabiq.html - Millions Impacted Across Several US Healthcare Data Breaches
"Several major data breaches were added to the healthcare data breach tracker maintained by the US Department of Health and Human Services (HHS) in recent days. All of the breaches were disclosed in recent months, but the number of affected individuals has only been made public now on the HHS breach tracker. The largest incident affects the New York City Health and Hospitals Corporation, which in March disclosed a data breach detected on February 2, 2026. An investigation found that threat actors had access to its systems between November 2025 and February 2026 via a third-party vendor. Exposed information includes personal, health insurance, medical, biometric, and financial information."
https://www.securityweek.com/millions-impacted-across-several-us-healthcare-data-breaches/
General News
- April 2026 Threat Trend Report On APT Groups
"this report covers cyber espionage and covert sabotage activities by Region-led threat groups believed to be supported by the Region. it excludes cybercrime groups that operate for financial gain. based on publicly available analysis over the past month, we categorized threat actors according to the names of their representatives in the ATIP."
https://asec.ahnlab.com/en/93744/ - 201 Arrests In First-Of-Its-Kind Cybercrime Operation In MENA Region
"A first-of-its-kind cybercrime operation in the MENA region has led to the arrest of 201 individuals, with a further 382 suspects identified. Thirteen countries from the Middle East and North Africa took part in Operation Ramz (October 2025 – 28 February 2026) which aimed to investigate and disrupt malicious infrastructure, identify and arrest suspects, and prevent future losses. The operation focused on neutralizing phishing and malware threats, as well as tackling cyber scams that inflict severe cost to the region. In addition to the arrests made, 3,867 victims were identified, and 53 servers were seized."
https://www.interpol.int/en/News-and-Events/News/2026/201-arrests-in-first-of-its-kind-cybercrime-operation-in-MENA-region
https://www.bleepingcomputer.com/news/security/interpol-operation-ramz-seizes-53-malware-phishing-servers/
https://thehackernews.com/2026/05/interpol-operation-ramz-disrupts-mena.html
https://therecord.media/more-than-200-arrested-interpol-middle-east-scams
https://cyberscoop.com/interpol-operation-ramz-middle-east-north-africa/
https://www.infosecurity-magazine.com/news/interpol-cybercrime-crackdown-mena/
https://www.helpnetsecurity.com/2026/05/18/interpol-mena-cybercrime-operation-ramz-201-arrests/ - Hacktivists, Ransomware, And a 124% Surge Across DACH
"Hacktivism and ransomware targeting organizations across Germany, Austria, and Switzerland increased 124% in 2025, according to Check Point Exposure Management (based on published attacks on the web and dark web). Three distinct dynamics drove the surge, each with its own logic and its own implications for security teams in 2026."
https://blog.checkpoint.com/exposure-management/hacktivists-ransomware-and-a-124-surge-the-dach-threat-picture/ - The Canvas Breach Proved That Prevention Is No Longer Enough
"Earlier this month, ShinyHunters breached Instructure’s Canvas platform twice within a single week — stealing 3.65 terabytes of data from approximately 275 million users across more than 8,000 institutions. The group defaced login pages at hundreds of schools during final exam periods, forced Canvas offline, and extracted a ransom payment before Congress opened a formal investigation. The attack did not require exotic malware or zero-day exploits. Attackers entered through compromised “Free-For-Teacher” accounts, escalated rapidly, and exfiltrated sensitive data at scale before Instructure could contain them."
https://cyberscoop.com/canvas-breach-saas-security-identity-governance-op-ed/ - AI Is Drowning Software Maintainers In Junk Security Reports
"AI-assisted vulnerability research has exploded, unleashing a firehose of low-quality reports on overworked software maintainers who are wasting hours sifting through noise instead of fixing real problems. Linus Torvalds, the Linux kernel’s creator, says the flood has made the project’s security mailing list “almost entirely unmanageable, with enormous duplication due to different people finding the same things with the same tools.”"
https://www.helpnetsecurity.com/2026/05/18/problems-with-ai-assisted-vulnerability-research/
https://www.theregister.com/security/2026/05/18/linus-torvalds-says-ai-powered-bug-hunters-have-made-linux-security-mailing-list-almost-entirely-unmanageable/5241633 - The AI Backdoor Your Security Stack Is Not Built To See
"Enterprises deploying LLMs have spent the past two years building defenses around a reasonable assumption: malicious behavior leaves a trace in the input. Scan for suspicious tokens, filter unusual characters, watch for prompt injection patterns. New research from Microsoft and the Institute of Science Tokyo demonstrates that this defensive posture has a blind spot, and the cost of that blind spot could be measured in leaked proprietary data and regulatory exposure."
https://www.helpnetsecurity.com/2026/05/18/metabackdoor-llm-backdoor-attack/
https://arxiv.org/pdf/2605.15172 - AI Shrinks Vulnerability Exploitation Window To Hours
"Time has become organizations’ biggest vulnerability because the gap between vulnerability discovery and exploitation has narrowed to hours, according to Synack’s 2026 State of Vulnerabilities Report. Agentic AI systems that act autonomously across systems introduce new risks that require human expertise to identify and understand. Automated scanning detects known signatures but can miss logic flaws, misconfigurations, and unexpected behavior."
https://www.helpnetsecurity.com/2026/05/18/synack-2025-ai-driven-vulnerability-trends-report/ - When Ransomware Hits, Confidence Doesn’t Restore Endpoints
"Ransomware, supply chain vulnerabilities, insider threats, compliance failures, and software disruptions remain major concerns for security leaders, according to The Ransomware Reality: Zero Days to Recover report by Absolute Security. A survey of 750 CISOs from enterprise organizations with more than 5,000 employees in the United States and the United Kingdom revealed gaps between ransomware frequency, confidence in recovery capabilities, and remediation timelines."
https://www.helpnetsecurity.com/2026/05/18/absolute-security-cisos-ransomware-pressure-report/ - IT Threat Evolution In Q1 2026. Mobile Statistics
"In the third quarter of 2025, we updated the methodology for calculating statistical indicators based on the Kaspersky Security Network. These changes affected all sections of the report except for the statistics on installation packages, which remained unchanged. To illustrate the differences between the reporting periods, we have also recalculated data for the previous quarters. Consequently, these figures may significantly differ from the previously published ones. However, subsequent reports will employ this new methodology, enabling precise comparisons with the data presented in this post."
https://securelist.com/malware-report-q1-2026-mobile-statistics/119819/
https://securelist.com/malware-report-q1-2026-pc-iot-statistics/119828/ - Developer Workstations Are Now Part Of The Software Supply Chain
"Supply chain attackers are not only trying to slip malicious code into trusted software. They are trying to steal the access that makes trusted software possible. Recently, three separate campaigns hit npm, PyPI, and Docker Hub in a 48-hour window, and all three targeted secrets from developer environments and CI/CD pipelines, including API keys, cloud credentials, SSH keys, and tokens. This is an ongoing concern and is self-propagating, as seen in attacks like the "mini Shai Hulud" campaigns. That pattern should change how security teams think about the software supply chain."
https://thehackernews.com/2026/05/developer-workstations-are-now-part-of.html
อ้างอิง
Electronic Transactions Development Agency (ETDA) 
หมายเหตุ - อ้างอิง CVSS จาก 
$1,298,250 awarded. 47 unique 0-days. 3 days of absolute chaos. And talk about main character energy – congrats to DEVCORE for claiming Master of Pwn with 50.5 points and $505,000 – they never slowed down. See you next year! #Pwn2Own… 
