STORIES LAST WEEK
Apple blocks $2.2 billion in fraud on App Store
Apple blocked $2.2 billion in fraudulent App Store transactions during the last year and rejected more than a billion fraudulent account-creation attempts. The company said that by combining human review and machine learning it has created AI models that speed up fraud detection and quickly flag deceptive tactics. Infosecurity Magazine, May 22, 2026
Poisoned VS Code extension exposes GitHub internal repositories
GitHub said a compromised employee device running a poisoned VS Code extension led to internal repository exfiltration, with attacker claims of about 3,800 repos broadly matching its investigation. Developer endpoints remain prime supply chain targets. GitHub Blog, May 20, 2026
Mini Shai-Hulud wave compromises 323 npm packages
npm invalidated every granular access token that bypasses 2FA after Mini Shai-Hulud compromised 323 packages. The response shows registry operators are moving from package cleanup toward token revocation and trusted publishing enforcement. Socket, May 21, 2026
SonicWall Gen6 VPN patch gap leaves MFA bypass open
ReliaQuest found attackers exploiting CVE-2024-12802 on Gen6 SSL VPNs that appeared patched but lacked six manual LDAP fixes. Brute-forced credentials bypassed MFA silently, with one intrusion reaching a file server within 30 minutes. ReliaQuest, May 19, 2026
Drupal SQL injection flaw is now seeing exploit attempts
Drupal raised the risk score for CVE-2026-9082 after exploit attempts appeared in the wild. Anonymous users can trigger SQL injection on PostgreSQL-backed sites, with possible disclosure, privilege escalation, or remote code execution. Drupal.org, May 20, 2026
Attackers start exploiting critical NGINX rewrite module flaw
Researchers saw exploitation of CVE-2026-42945 days after PoC release. The 16-year-old heap overflow can crash NGINX by default and may enable RCE where ASLR is disabled and rewrite rules are exposed. SecurityWeek, May 18, 2026
Critical Cisco Secure Workload API flaw grants site admin access
Cisco fixed CVE-2026-20223 in Secure Workload’s REST APIs, a flaw that gave unauthenticated attackers Site Admin access across tenant boundaries. Microsegmentation consoles require quick patching because compromise can expose policy data and alter controls. BleepingComputer, May 21, 2026
Ubiquiti patches critical UniFi OS flaws on exposed management consoles
Ubiquiti fixed remote, low-complexity UniFi OS bugs allowing unauthorized changes, file access, and command injection. Nearly 100,000 exposed endpoints make controller patching urgent for networks using UniFi for switching, cameras, and access control. BleepingComputer, May 22, 2026
CISA orders fixes for exploited Langflow and Apex One flaws
CISA added Langflow and on-prem Trend Micro Apex One flaws to its exploited-vulnerability catalog, setting a June 4 federal deadline. The flaws affect AI workflow tooling and endpoint management paths that can amplify compromise. The Hacker News, May 22, 2026
Microsoft patches two exploited Defender flaws affecting endpoint controls
Microsoft Defender flaws under active exploitation allow local SYSTEM escalation and denial of service. Automatic engine updates should patch most systems, but enterprises need version verification because the affected components also support legacy endpoint products. Help Net Security, May 21, 2026
Claude Code sandbox bypass shows how prompt injection can reach credentials
A researcher detailed two Claude Code network sandbox bypasses that were quietly patched by Anthropic. Chained with prompt injection, they could exfiltrate tokens and environment data, illustrating the need for tightened controls around AI coding agents. SecurityWeek, May 20, 2026
Chinese espionage campaign deploys Showboat against telcos
Researchers linked telecom intrusions to Chinese APTs using Showboat, a Linux post-exploitation framework. Showboat can scan and infect internal LAN devices, making lateral movement hunts more important than perimeter-only detection. Dark Reading, May 21, 2026
Europol dismantles First VPN cybercrime service
Authorities disrupted First VPN, a service used to hide ransomware, fraud, and data theft infrastructure. Investigators seized servers and user data, turning an anonymity layer into leads for worldwide cybercrime cases. Europol, May 21, 2026
U.S. and Canada arrest alleged KimWolf DDoS botnet operator
Authorities charged Jacob Butler with operating KimWolf, a DDoS-for-hire botnet tied to more than a million compromised IoT devices and attacks reaching nearly 30 Tbps. The case reinforces exposed-device hygiene as infrastructure risk. U.S. Department of Justice, May 21, 2026
