China-aligned Webworm is deploying two custom backdoors—EchoCreep and GraphWorm—using Discord and Microsoft Graph API as C2 channels to target government agencies in 2025. Abusing trusted cloud platforms for C2 complicates detection and mirrors a growing pattern across Chinese APT operations.
Microsoft identified threat actors poisoning @antv npm packages with the Mini Shai-Hulud payload, which executes on install to harvest credentials from GitHub, AWS, Kubernetes, Vault, npm, and 1Password in Linux CI/CD pipelines.
A year after recommending joint U.S.-South Korean action to fracture the Pyongyang-Moscow military axis, analyst Choong-Koo Lee revisits whether that strategy has gained traction.
Pakistan has committed troops and weapons to Saudi Arabia as the Iran conflict escalates, deepening Riyadh alignment at the cost of Islamabad's historic neutrality. The move sharpens Pakistan's exposure to Iranian retaliation and complicates its simultaneous economic dependence on Tehran.
An unauthenticated command injection vulnerability in a widely used operational technology robot OS allows remote attackers full control over robotic systems without credentials. Exploitable OT robotics flaws in industrial environments carry direct physical disruption potential beyond traditional IT breach impact.
China has constructed a multi-layered censorship and social-control architecture — technical, structural, and rooted in 2,200 years of governance tradition — that analysts describe as functionally leak-proof by 2026.
Beijing's diplomats are lobbying UN bodies and U.S. congressional panels to shape global AI governance norms, with China's vice minister of science appearing at a May 5 UN meeting to champion Chinese-led standards. Winning the standards battle would let China export its regulatory model globally, sidelining U.S.
Both Kyiv and Moscow are actively exploring alternative mediators as frustration with U.S.-led negotiations grows on both sides. Washington's eroding credibility as a neutral broker reduces its leverage over any eventual settlement's terms.
Two Chinese tankers carrying 4 million barrels of Iraqi crude cleared the Strait of Hormuz as an Iran war ceasefire took hold, per shipping data reported May 20, 2026. China's continued energy offtake through the strait signals Beijing is moving quickly to normalize flows and insulate itself from any sanctions fallout.
Microsoft disrupted Fox Tempest's malware-signing-as-a-service operation that weaponized Microsoft's own Artifact Signing infrastructure to certify malicious code, compromising thousands of machines worldwide.
Attackers compromised a maintainer account to publish malicious versions of more than 320 packages across the @antv NPM namespace in the Mini Shai-Hulud campaign.
Threat actor TeamPCP stole 4,000 internal GitHub repositories in a confirmed breach at the world's dominant code-hosting platform. Theft of internal repos risks exposing proprietary tooling, secrets, and supply-chain footholds affecting millions of downstream projects.
Ukrainian cyberpolice and U.S. law enforcement identified an 18-year-old from Odesa operating infostealer malware that compromised 28,000 accounts tied to a California online retailer. The joint attribution signals continued U.S.-Ukraine law enforcement coordination even amid wartime resource strain.
Threat actors brute-forced credentials and circumvented MFA on SonicWall Gen6 SSL-VPN appliances where patches were incompletely applied, then staged ransomware tooling.
Microsoft released a mitigation for CVE-2026-45585, a publicly disclosed zero-day BitLocker security feature bypass scoring CVSS 6.8, after the flaw was named YellowKey and published before a full patch was available.
CISA added seven vulnerabilities to its KEV catalog including CVE-2008-4250, CVE-2009-1537, CVE-2009-3459, CVE-2010-0249, CVE-2010-0806, and two others showing active exploitation.
A proof-of-concept exploit for PinTheft, a recently patched privilege escalation flaw, is now publicly available, enabling local attackers to gain root on Arch Linux systems.
Google published working exploit code for a Chromium vulnerability reported 29 months before a patch existed, exposing millions of users. Publishing exploit code ahead of widespread patching inverts responsible disclosure and hands attackers a ready-made weapon.
CVE-2026-46333 (CVSS 5.5), a privilege management flaw dormant nine years in the Linux kernel, lets unprivileged local users execute arbitrary commands as root on default installations. The multi-year detection gap exposes systemic blind spots in open-source kernel auditing across enterprise and cloud infrastructure.
Microsoft is shipping emergency patches for two Defender zero-day vulnerabilities confirmed as actively exploited in the wild. Weaponized flaws in Defender — the default endpoint protection for hundreds of millions of Windows systems — represent high-value, high-reach attack surface.