DMZ//THREAT INTEL
⚠ ACTIVE ALERTS
- SYLVANITE (CRITICAL): SYLVANITE is a newly named Dragos-tracked threat group identified as a dedicated…
- @MsftSecIntel (CRITICAL): We are tracking TeamPCP (UNC6780) activity following the GitHub internal repository…
- @GossiTheDog (CRITICAL): The GitHub / TeamPCP breach is now being monetized on BreachForums. Listing is up — $95k…
- @struppigel (CRITICAL): SUPPLY CHAIN ALERT: Laravel-Lang PHP packages backdoored May 22-23 via hijacked GitHub…
- @MalwareHunterTeam (CRITICAL): Seeing fresh DebugElevator stealer log batches already appearing for sale on Exploit.in —…
2026
CRITICAL · #APT · 2026-05-26
Lazarus Group Deploys RemotePE Memory-Only RAT Against Crypto and Financial Firms; $577M Stolen YTD
Fox-IT (NCC Group) researchers Yun Zheng Hu and Mick Koomen disclosed that the North Korea-linked Lazarus Group is actively deploying RemotePE, a fully fileless RAT that executes entirely in memory via a three-stage chain built from DPAPILoader, RemotePELoader, Hell's Gate-style direct syscalls and ETW patching, leaving no on-disk artifacts for the RAT stages and sidestepping EDR user-mode hooks and ETW telemetry. Initial access begins with Telegram-based social engineering in which operators impersonate trading-firm employees and lure targets through fake Calendly and Picktime scheduling domains. Neither RemotePELoader nor RemotePE appeared on VirusTotal prior to publication, suggesting the toolset is reserved for high-value targets; Lazarus has stolen approximately $577M in crypto in the first four months of 2026 alone, accounting for 76% of all global crypto theft.
#lazarus-group #remotepe #fileless-malware #cryptocurrency-theft #dpapi-loader
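The two evasion techniques named in the record, ETW patching and Hell's Gate-style direct syscalls, each leave a memory-level tell a responder can check for. The Python below is an added example, not Fox-IT's code and not part of the RemotePE toolset: it compares the prologue of an ETW export as read from a live process against the same bytes from the on-disk image and recognises the common one-instruction patch stubs, and it scans an executable region for the `mov r10, rcx; mov eax, SSN; syscall` stub that direct-syscall loaders embed outside ntdll. Every byte string in it is a constructed stand-in; reading real bytes (ReadProcessMemory through ctypes for `mem`, the export from ntdll.dll on disk for `disk`) is an assumption noted in the comments.

```python
"""Memory-patch and direct-syscall heuristics (added example, not Fox-IT code).

Assumptions: `mem` is the first bytes of an export such as EtwEventWrite as
read from a live process (e.g. ctypes + ReadProcessMemory on Windows) and
`disk` is the same export's bytes from the on-disk ntdll.dll. Both sample
byte strings below are constructed stand-ins, not bytes from any real build.
"""
from typing import List, Tuple

# One-instruction stubs commonly written over EtwEventWrite / AmsiScanBuffer.
PATCH_STUBS = {
    b"\xc3": "ret",
    b"\x33\xc0\xc3": "xor eax,eax; ret",
    b"\x31\xc0\xc3": "xor eax,eax; ret",
    b"\x48\x33\xc0\xc3": "xor rax,rax; ret",
    b"\x48\x31\xc0\xc3": "xor rax,rax; ret",
}


def classify_prologue(mem: bytes, disk: bytes, n: int = 16) -> Tuple[str, str]:
    """Compare the first n bytes of an export in memory with the on-disk copy."""
    m, d = mem[:n], disk[:n]
    if m == d:
        return "clean", "prologue matches on-disk image"
    for stub, desc in PATCH_STUBS.items():
        if m.startswith(stub):
            return "patched", desc
    if m[:1] == b"\xb8" and m[5:6] == b"\xc3":  # mov eax, imm32; ret
        return "patched", "mov eax,%#x; ret" % int.from_bytes(m[1:5], "little")
    if m[:1] == b"\xe9":  # jmp rel32: EDRs hook this way too, so resolve the target
        return "hooked", "jmp rel32 at entry (EDR hook or attacker trampoline; resolve the target)"
    return "modified", "prologue differs from on-disk image: " + m.hex()


SYSCALL_STUB = b"\x4c\x8b\xd1\xb8"  # mov r10, rcx ; mov eax, imm32
SYSCALL = b"\x0f\x05"               # syscall


def find_direct_syscall_stubs(region: bytes) -> List[Tuple[int, int]]:
    """Return (offset, SSN) for each mov r10,rcx; mov eax,SSN; syscall stub in region.

    ntdll itself is full of these, so only scan regions NOT backed by ntdll.dll
    (private RX/RWX allocations or other modules).
    """
    hits = []
    i = region.find(SYSCALL_STUB)
    while i != -1:
        if region[i + 8:i + 10] == SYSCALL:
            hits.append((i, int.from_bytes(region[i + 4:i + 8], "little")))
        i = region.find(SYSCALL_STUB, i + 1)
    return hits


# Constructed stand-in for a clean 16-byte prologue (not from a real ntdll build).
CLEAN_PROLOGUE = b"\x4c\x8b\xdc\x48\x83\xec\x58\x49\x83\x63\xd8\x00\x48\x8b\x05\x11"


def demo():
    patched = b"\x48\x33\xc0\xc3" + CLEAN_PROLOGUE[4:]          # constructed patched export
    region = (b"\x90" * 8 + SYSCALL_STUB + (0x18).to_bytes(4, "little")
              + SYSCALL + b"\xc3" + b"\x90" * 4)                 # constructed private region
    return classify_prologue(patched, CLEAN_PROLOGUE), find_direct_syscall_stubs(region)


if __name__ == "__main__":
    print(demo())
```

The prologue comparison is only meaningful against the same ntdll build the process loaded, and a `jmp rel32` verdict needs the jump target resolved before calling it malicious, since EDR hooks use the same instruction.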
CRITICAL · #SUPPLY-CHAIN · 2026-05-26
Laravel-Lang Composer Packages Backdoored via GitHub Tag Rewrite; 700+ Versions Deliver CI/CD Credential Stealer
On May 22, 2026 at 22:32 UTC, an attacker with org-level push access to the Laravel-Lang GitHub organization rewrote every git tag across four widely-used PHP localization packages (laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, laravel-lang/actions) within a 15-minute window, redirecting all tags to commits in an attacker-controlled fork without touching any source files visible in the repo UI. The injected src/helpers.php dropper, loaded through Composer's autoload.files on every PHP request, fingerprinted the host, reached out to the C2 domain flipboxstudio[.]info, and dropped a ~5,900-line cross-platform credential stealer targeting AWS keys, GCP service account JSONs, Azure credentials, Kubernetes/Vault tokens, GitHub tokens, SSH keys, .env files, browser-stored passwords, and cryptocurrency wallet recovery phrases. Packagist removed the malicious versions on May 23; any environment that ran composer install or composer update during the ~15-hour window should be treated as fully compromised and all secrets rotated immediately. This attack is one of four distinct supply-chain campaigns hitting npm, PyPI, and Composer in an 11-day window in May.
#supply-chain #laravel-lang #composer #packagist #php
CRITICAL · #CVE · 2026-05-26
CVE-2026-9082: Unauthenticated SQLi in Drupal Core (PostgreSQL) Under Mass Exploitation; CISA KEV Added, 15K Attack Attempts Observed
CVE-2026-9082, a highly critical (Drupal risk score 23/25) unauthenticated SQL injection flaw in Drupal's database abstraction API affecting PostgreSQL-backed installations across versions 8.9 through 11.3.9, moved from patch release to active in-the-wild exploitation in under 48 hours. Imperva observed over 15,000 attack attempts targeting nearly 6,000 individual sites across 65 countries, with gaming and financial services sites comprising nearly 50% of targets. CISA added the flaw to its KEV catalog on May 22 with a May 27 remediation deadline for federal agencies; defenders should note that sites not on PostgreSQL still require patching due to bundled Symfony and Twig upstream fixes.
#cve-2026-9082 #drupal #sql-injection #postgresql #cisa-kev
HIGH · #RANSOMWARE · 2026-05-26
Nitrogen Ransomware Hits Foxconn North America; 8TB of Client IP Including Apple, Nvidia, Google Schematics Exfiltrated
The Nitrogen ransomware group posted Foxconn on its dark web leak site on May 11 and Foxconn confirmed the breach on May 12, acknowledging cyberattacks at its facilities in Mount Pleasant, Wisconsin and Houston, Texas that caused roughly 11 days of production disruption. Nitrogen claims to have exfiltrated more than 8TB across 11 million+ files including confidential technical drawings, circuit board layouts, and project documentation tied to Apple, Nvidia, Google, Intel, Dell, and AMD; AppleInsider subsequently confirmed over 30 genuine Apple server schematics from 2025–2026 in the sample set. Nitrogen is believed to be a Conti 2 code offshoot, and researchers at Coveware have flagged a bug in its ESXi encryptor that may make recovery impossible even for paying victims.
#nitrogen-ransomware #foxconn #manufacturing #supply-chain #double-extortion
HIGH · #DARK-WEB · 2026-05-26
CISA Contractor (Nightwing) Exposed AWS GovCloud Admin Keys and Plaintext Credentials in Public GitHub Repo for Six Months
A CISA contractor at Nightwing maintained a public GitHub repository named 'Private-CISA' from November 13, 2025 to mid-May 2026 that contained 844MB of files including administrative credentials to three AWS GovCloud servers, plaintext usernames and passwords for dozens of internal CISA systems (including the LZ-DSO DevSecOps environment), access tokens for CISA's internal software artifactory, SSH keys, and internal build/deployment documentation. GitGuardian researcher Guillaume Valadon confirmed the credentials were live; security researcher Philippe Caturegli verified the AWS keys were still valid after the repo was taken down and warned that artifactory access could have enabled supply-chain backdoors in CISA's software builds. Congressional Democrats on the Homeland Security Committee have demanded a classified briefing, and CISA is investigating while stating that no compromise has been confirmed; the roughly 48 hours during which the AWS keys remained valid after the repository was removed is the most significant unresolved risk.
#cisa #aws-govcloud #credential-exposure #github #nightwing
HIGH · #RANSOMWARE · 2026-05-26
NightSpire Ransomware Posts Fresh Victims on May 25–26; Group Now at 265 Claimed Victims Across 52 Countries Amid Suspected RaaS Pivot
NightSpire posted new victims on May 25–26 including Egyptian entity basatamfi, Spanish industrial distributor Bresme Madrid, and multiple others, bringing its total claimed victim count to 265 across 52 countries since March 2025. The group, assessed as a rebrand of Rbfs ransomware with likely India-linked operators, achieves initial access primarily via CVE-2024-55591 (FortiOS/FortiProxy auth bypass) and RDP brute force, and has been accelerating toward a RaaS model after publicly inviting affiliates in April 2026. Defenders should note the group's Go-based payload, sub-two-day ransom deadlines, and a pattern of directly emailing victim employees to apply pressure; telemetry also shows 17.7% of victim domains have associated infostealer infection history, suggesting credential theft as a parallel entry vector.
#nightspire #ransomware #fortios-cve-2024-55591 #double-extortion #raas
CRITICAL · #RANSOMWARE · 2026-05-25
ShinyHunters Breaches Instructure Canvas LMS Twice in Two Weeks — 275 Million Records Across 8,809 Educational Institutions Exfiltrated in Largest Education Sector Breach on Record
ShinyHunters exploited a vulnerability in Instructure's Free-For-Teacher account mechanism on April 25, 2026, exfiltrating 3.65 TB of data covering approximately 275 million student, teacher, and staff records from 8,809 institutions globally including Harvard, Stanford, Columbia, and Princeton. After Instructure failed to meet the May 6 ransom deadline, ShinyHunters escalated by defacing Canvas login portals at roughly 330 institutions on May 7, knocking the platform offline during final exam periods, before Instructure reportedly reached a ransom agreement on May 11. The breach is the largest educational sector compromise on record and arms threat actors with billions of private messages plus institutional context ideal for precision spear-phishing against students, parents, and faculty; the downstream secondary exploitation risk is high and likely ongoing.
#shinyhunters #canvas-lms #instructure #education-sector #double-extortion
CRITICAL · #SUPPLY-CHAIN · 2026-05-25
TeamPCP (UNC6780) Mini Shai-Hulud Worm Pivots Through Poisoned Nx Console VS Code Extension to Exfiltrate 3,800 GitHub Internal Repos
The financially motivated supply-chain threat group TeamPCP (tracked by Google TAG as UNC6780) breached GitHub's internal codebase after a GitHub employee installed a backdoored version of the Nx Console VS Code extension, itself a downstream casualty of the May 11 TanStack npm compromise. The malicious extension was live for only 18 minutes on the Visual Studio Marketplace but harvested credentials for 1Password, AWS, npm, Kubernetes, and GitHub tokens, enabling CI/CD pipeline traversal and exfiltration of roughly 3,800 private repositories. The same campaign also compromised two OpenAI employee devices (triggering macOS code-signing cert rotation), Mistral AI SDKs, and Grafana Labs' codebase, all via the self-replicating Mini Shai-Hulud worm, which has now executed at least seven confirmed supply-chain waves with zero CVEs, operating entirely through OIDC token abuse and stolen maintainer credentials.
#teampcp #unc6780 #mini-shai-hulud #supply-chain #vs-code-extension
CRITICAL · #SUPPLY-CHAIN · 2026-05-25
Laravel-Lang Composer Packages Compromised via Tag-Rewrite Attack — 700+ Malicious Versions Deploy Cross-Platform Credential Stealer Targeting Cloud Keys, CI Tokens, and Crypto Wallets
On May 22–23, 2026, a threat actor with org-level push access to the Laravel-Lang GitHub organization rewrote every existing git tag across four widely-used Composer packages (laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, laravel-lang/actions) to point to attacker-controlled malicious forks, producing over 700 poisoned versions with no safe pin remaining. The injected src/helpers.php dropper auto-executed via Composer's autoload.files directive on every PHP request, beaconing to flipboxstudio[.]info to download a 15-module cross-platform credential stealer that targets AWS/GCP/Azure keys, Kubernetes and Vault secrets, CI/CD tokens, SSH keys, browser passwords, and cryptocurrency wallets, then deletes itself to hamper forensics. Any Laravel or Symfony project that ran composer install or composer update after 2026-05-22 22:32 UTC against the affected packages should treat all accessible secrets as compromised and rotate immediately.
#laravel-lang #packagist #composer #php-supply-chain #credential-stealer
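Both Laravel-Lang records on this page (2026-05-26 and 2026-05-25) come down to the same two facts a defender can act on from a lock file: the four affected package names, and a dropper that runs because it is listed under Composer's autoload.files. The Python below is an added example, not code from Laravel-Lang, Packagist or the advisory. It walks a composer.lock, reports every package that executes code at autoload time, and for the affected packages adds the installed commit reference and whether the lock's `time` field falls inside the rewrite window. The window end (Packagist's May 23 removal, taken here as 15 hours after the 22:32 UTC start) is an assumption, and the lock file embedded in the script is constructed, with made-up version, reference and timestamps.

```python
"""composer.lock audit for the Laravel-Lang tag-rewrite window.

Added example; not code from Laravel-Lang, Packagist or the advisory.
Assumptions not stated in the record: WINDOW_END approximates Packagist's
May 23 removal as 15 h after the 22:32 UTC start; SAMPLE_LOCK is constructed
with a made-up version, commit reference and timestamps.
"""
import json
import sys
from datetime import datetime, timezone

AFFECTED = {
    "laravel-lang/lang",
    "laravel-lang/http-statuses",
    "laravel-lang/attributes",
    "laravel-lang/actions",
}
WINDOW_START = datetime(2026, 5, 22, 22, 32, tzinfo=timezone.utc)  # from the record
WINDOW_END = datetime(2026, 5, 23, 13, 32, tzinfo=timezone.utc)    # assumption: ~15 h later


def _utc(ts: str) -> datetime:
    # composer.lock "time" is ISO-8601 with a numeric offset, e.g. 2026-05-22T22:41:07+00:00
    return datetime.fromisoformat(ts).astimezone(timezone.utc)


def audit_lock(lock_text: str) -> list:
    """Return findings for packages on the affected list or executing code at autoload."""
    lock = json.loads(lock_text)
    findings = []
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        name = pkg.get("name", "")
        files = pkg.get("autoload", {}).get("files", [])
        ref = (pkg.get("source") or {}).get("reference") or (pkg.get("dist") or {}).get("reference")
        reasons = []
        if name in AFFECTED:
            reasons.append("on affected list: compare reference with a composer.lock committed before the window")
            ts = pkg.get("time")
            # Heuristic only: a tag re-pointed at an older attacker commit would not trip this.
            if ts and WINDOW_START <= _utc(ts) <= WINDOW_END:
                reasons.append("package time %s falls inside the tag-rewrite window" % ts)
        if files:
            # autoload.files entries are require'd by vendor/autoload.php on every request
            reasons.append("autoload.files executes on every request: " + ", ".join(files))
        if not reasons:
            continue
        if name in AFFECTED:
            severity = "HIGH" if len(reasons) > 1 else "REVIEW"
        else:
            severity = "INFO"
        findings.append({"package": name, "version": pkg.get("version"), "reference": ref,
                         "severity": severity, "reasons": reasons})
    return findings


# Constructed composer.lock excerpt: only the fields the audit reads, values made up.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel-lang/lang", "version": "1.0.0",
         "source": {"type": "git", "url": "https://github.com/Laravel-Lang/lang.git",
                    "reference": "0123456789abcdef0123456789abcdef01234567"},
         "autoload": {"psr-4": {"LaravelLang\\Lang\\": "src/"}, "files": ["src/helpers.php"]},
         "time": "2026-05-22T22:41:07+00:00"},
        {"name": "symfony/polyfill-mbstring", "version": "v1.31.0",
         "source": {"type": "git", "url": "https://github.com/symfony/polyfill-mbstring.git",
                    "reference": "fedcba9876543210fedcba9876543210fedcba98"},
         "autoload": {"psr-4": {"Symfony\\Polyfill\\Mbstring\\": ""}, "files": ["bootstrap.php"]},
         "time": "2024-09-09T11:45:10+00:00"},
        {"name": "monolog/monolog", "version": "3.7.0",
         "source": {"type": "git", "url": "https://github.com/Seldaek/monolog.git",
                    "reference": "1111111111111111111111111111111111111111"},
         "autoload": {"psr-4": {"Monolog\\": "src/Monolog"}},
         "time": "2024-06-28T09:40:51+00:00"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    for f in audit_lock(text):
        print("%-7s %s %s @ %s" % (f["severity"], f["package"], f["version"], f["reference"]))
        for r in f["reasons"]:
            print("        - " + r)
```

The lock file records which commit was installed but cannot say where the tag pointed before May 22, so the decisive check is against your own history: diff `composer.lock` with the copy committed before the window (`git log -p -- composer.lock`) and treat a changed `reference` under an unchanged `version` string as the tag-rewrite signature.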
HIGH · #APT · 2026-05-25
Ghostwriter (UAC-0057 / UNC1151) Deploys Novel OYSTERBLUES Implant Against Ukrainian Government via Prometheus Learning Platform Lures — Active Since Spring 2026
CERT-UA disclosed this week that the Belarus-aligned APT Ghostwriter (UAC-0057 / UNC1151) has been running a sustained phishing campaign since spring 2026 against Ukrainian government entities, using lures impersonating the Prometheus online learning platform, a tool Ukrainian government employees routinely use, sent via previously compromised email accounts. The multi-stage kill chain delivers OYSTERFRESH (a JavaScript dropper displaying decoy documents), which stealthily encodes and writes OYSTERBLUES to the Windows Registry; OYSTERBLUES is then decoded by OYSTERSHUCK and beacons host profiling data (computer name, user, OS version, running processes) back to C2 infrastructure hidden behind Cloudflare using .icu TLD domains. Defenders should restrict wscript.exe execution for standard user accounts as an immediate mitigating control; the use of geofencing and trusted-platform social engineering signals deliberate operational refinement by this group.
#ghostwriter #uac-0057 #unc1151 #belarus-apt #ukraine-government